An architecture for automated security test case generation for MQTT systems

Authors Hannes Sochor
Flavio Ferrarotti
Rudolf Ramler
Editors Gabriele Kotsis
A Min Tjoa
Ismail Khali
Lukas Fischer
Bernhard A. Moser
Atif Mashkoor
Johannes Sametinger
Anna Fensel
Jorge Martínez Gil
Title An architecture for automated security test case generation for MQTT systems
Book title DEXA 2020: Database and Expert Systems Applications
Type In conference proceedings
Publisher Springer
Series Communications in Computer and Information Science
Volume 1285
ISBN 978-3-030-59027-7
DOI 10.1007/978-3-030-59028-4_5
Month September
Year 2020
Pages 48-62
SCCH ID# 20059

The Message Queuing Telemetry Transport (MQTT) protocol is among the preferred publish/subscribe protocols for Machine-to-Machine (M2M) communication and the Internet of Things (IoT). Although the MQTT protocol itself is quite simple, the concurrent interaction of brokers and clients and its intrinsic non-determinism, coupled with the diversity of platforms and programming languages in which the protocol is implemented and run, make the necessary task of security testing challenging. We address precisely this problem by proposing an architecture for security test generation for systems relying on the MQTT protocol. This architecture enables automated test case generation to reveal vulnerabilities and discrepancies between different implementations. As a desired consequence, when implemented, our architectural design can be used to uncover erroneous behaviours that entail latent security risks in MQTT broker and client implementations. In this paper we describe the key components of our architecture, our prototypical implementation using a random test case generator, core design decisions and the use of security attacks in testing. Moreover, we present first evaluations of the architectural design and the prototypical implementation with encouraging initial results.
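The abstract describes two ingredients that the rest of this record does not spell out: a random test case generator and a differential check that flags discrepancies between MQTT implementations. The following Python block is an added illustration of that combination written for this page; it is not the paper's architecture or prototype and does not reproduce any real broker. It encodes MQTT 3.1.1 CONNECT packets, generates random (and occasionally corrupted) test cases, runs each one against two constructed stand-in "broker" handlers, and reports the cases on which their CONNACK return codes differ. The two handlers are assumptions made for the example: handler A follows the MQTT 3.1.1 rule that a zero-length ClientId with CleanSession=0 must be answered with return code 0x02 (Identifier rejected), while handler B leniently accepts it.

```python
"""Added example: random differential testing of MQTT 3.1.1 CONNECT handling.

Constructed for illustration only. The two 'broker' handlers below stand in
for two independent implementations; they are not models of any real product.
"""
import random
import struct

CONNACK_ACCEPTED = 0x00
CONNACK_BAD_PROTOCOL_VERSION = 0x01
CONNACK_IDENTIFIER_REJECTED = 0x02


def encode_remaining_length(n: int) -> bytes:
    """MQTT 'Remaining Length': 7 data bits per byte, MSB set means 'more bytes follow'."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def mqtt_string(s: bytes) -> bytes:
    """UTF-8 string field: 16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(s)) + s


def build_connect(client_id: bytes, protocol_level: int = 4,
                  clean_session: bool = True, keep_alive: int = 60) -> bytes:
    """Encode a CONNECT control packet (no username, password or will)."""
    flags = 0x02 if clean_session else 0x00          # bit 1 = CleanSession, bit 0 reserved
    body = (mqtt_string(b"MQTT") + bytes([protocol_level, flags])
            + struct.pack(">H", keep_alive) + mqtt_string(client_id))
    return bytes([0x10]) + encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes):
    """Decode a CONNECT packet; None means malformed (a broker would close the connection)."""
    if not packet or packet[0] != 0x10:
        return None
    i, rem, mult = 1, 0, 1
    while True:                                      # decode the Remaining Length field
        if i >= len(packet) or mult > 128 ** 3:
            return None
        b = packet[i]
        i += 1
        rem += (b & 0x7F) * mult
        mult *= 128
        if not b & 0x80:
            break
    body = packet[i:]
    if len(body) != rem:
        return None
    try:
        name_len = struct.unpack(">H", body[:2])[0]
        name = body[2:2 + name_len]
        p = 2 + name_len
        level, flags = body[p], body[p + 1]
        keep_alive = struct.unpack(">H", body[p + 2:p + 4])[0]
        p += 4
        cid_len = struct.unpack(">H", body[p:p + 2])[0]
        cid = body[p + 2:p + 2 + cid_len]
    except (struct.error, IndexError):
        return None
    # wrong protocol name, truncated ClientId or a set reserved flag bit are all malformed
    if name != b"MQTT" or len(cid) != cid_len or flags & 0x01:
        return None
    return {"level": level, "clean_session": bool(flags & 0x02),
            "keep_alive": keep_alive, "client_id": cid}


def broker_a_connect(packet: bytes):
    """Constructed implementation A: strict about empty ClientIds ([MQTT-3.1.3-8])."""
    c = parse_connect(packet)
    if c is None:
        return None                                  # closed without CONNACK
    if c["level"] != 4:
        return CONNACK_BAD_PROTOCOL_VERSION
    if c["client_id"] == b"" and not c["clean_session"]:
        return CONNACK_IDENTIFIER_REJECTED
    return CONNACK_ACCEPTED


def broker_b_connect(packet: bytes):
    """Constructed implementation B: lenient, assigns an id to any empty ClientId."""
    c = parse_connect(packet)
    if c is None:
        return None
    if c["level"] != 4:
        return CONNACK_BAD_PROTOCOL_VERSION
    return CONNACK_ACCEPTED


def random_connect(rng: random.Random) -> bytes:
    """Random test case: valid CONNECT with random fields, sometimes with one bit flipped."""
    cid = bytes(rng.choice(b"abcXYZ09") for _ in range(rng.choice([0, 0, 1, 5, 23])))
    pkt = build_connect(cid, protocol_level=rng.choice([3, 4, 4, 5]),
                        clean_session=rng.random() < 0.5,
                        keep_alive=rng.randrange(0, 65536))
    if rng.random() < 0.1:                           # exercise the error paths too
        pos = rng.randrange(len(pkt))
        pkt = pkt[:pos] + bytes([pkt[pos] ^ (1 << rng.randrange(8))]) + pkt[pos + 1:]
    return pkt


def differential_run(cases, implementations=(broker_a_connect, broker_b_connect)):
    """Send every case to each implementation; return the cases whose responses differ."""
    findings = []
    for case in cases:
        responses = [impl(case) for impl in implementations]
        if len(set(responses)) > 1:
            findings.append((case, responses))
    return findings


def run_campaign(seed: int, count: int):
    """Generate `count` seeded random cases and return (cases, discrepancies)."""
    rng = random.Random(seed)
    cases = [random_connect(rng) for _ in range(count)]
    return cases, differential_run(cases)


if __name__ == "__main__":
    cases, findings = run_campaign(seed=7, count=300)
    print(f"{len(cases)} cases, {len(findings)} discrepancies")
    for pkt, responses in findings[:3]:
        print(pkt.hex(), responses, parse_connect(pkt))
```

In this toy setting every discrepancy traces back to one rule that handler A enforces and handler B does not, which is exactly the kind of implementation difference a differential oracle surfaces without needing a full specification model; against real brokers the same loop would send the packet over a socket and compare the CONNACK bytes (or the absence of one) instead of calling a local function.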