A simple MQTT fuzzing tool available


Antti Vähä-Sipilä

May 8, 2015, 4:32:14 AM
to mq...@googlegroups.com
We published a small tool for fuzz testing MQTT servers/brokers: https://github.com/F-Secure/mqtt_fuzz

It's very quick and dirty, and it does not even pretend to know about MQTT as a protocol. Instead, it plays back recorded MQTT messages, fuzzing them once in a while. It uses the Radamsa fuzzer to provide fuzz data. Even with this simple approach, I managed to find the first crash bug in five minutes.

As there might well be more findings hiding in the MQTT implementations out there, we're releasing the tool hoping that people would try to run it against their own implementations and perhaps this would increase the overall robustness of MQTT stacks. Specifically implementations in C/C++, or those that have dependencies on components written in C/C++, would probably be good candidates to test.

If anyone can contribute more example MQTT messages - specifically those that are currently missing, or messages that have application-level payloads, I'd be happy to add them to the valid cases set. For example, if you can sniff a real-life MQTT session and add an issue on the GitHub project that has a pointer to the pcap file (including a written permission to publicly release and licence the data in the project), the coverage could be extended. A direct pull request to the project would also be happily accepted.

Cheers,

Antti
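
The replay-and-occasionally-mutate loop described in the announcement above, pointed at a frame parser instead of a live broker, as an added example that is not part of the thread or of mqtt_fuzz. The sample packets are constructed, `mutate` is a toy stand-in for Radamsa, and `parse_fixed_header` and `replay` are hypothetical names that assume MQTT 3.1.1 framing with one packet per buffer.

```python
import random

class MalformedPacket(ValueError): """Input is not a well-formed MQTT 3.1.1 packet."""

def parse_fixed_header(data: bytes):
    """Return (type, flags, remaining_length) or raise MalformedPacket."""
    if len(data) < 2:
        raise MalformedPacket("truncated fixed header")
    ptype, flags, remaining = data[0] >> 4, data[0] & 0x0F, 0
    if ptype in (0, 15):                      # reserved in MQTT 3.1.1
        raise MalformedPacket("reserved packet type")
    for i, byte in enumerate(data[1:5], 1):   # Remaining Length: 1 to 4 bytes
        remaining |= (byte & 0x7F) << (7 * (i - 1))
        if not byte & 0x80:                   # continuation bit clear: last byte
            break
    else:
        raise MalformedPacket("remaining length truncated or over 4 bytes")
    if len(data) - (i + 1) != remaining:
        raise MalformedPacket("declared length does not match body")
    return ptype, flags, remaining

def mutate(msg: bytes, rng: random.Random) -> bytes:
    """Toy mutator standing in for Radamsa (assumption, not the tool's code)."""
    buf, pos, op = bytearray(msg), rng.randrange(len(msg)), rng.randrange(3)
    if op == 0:
        buf[pos] ^= 1 << rng.randrange(8)               # flip one bit
    elif op == 1:
        del buf[pos:]                                   # truncate
    else:
        buf[pos:pos] = buf[pos:] * rng.randrange(1, 4)  # repeat the tail
    return bytes(buf)

# Constructed sample packets, not taken from the tool's valid-cases directory.
VALID_CASES = [b"\x10\x10\x00\x04MQTT\x04\x02\x00\x3c\x00\x04test",  # CONNECT
               b"\x30\x07\x00\x03a/bhi",                              # PUBLISH
               b"\xc0\x00"]                                           # PINGREQ

def replay(cases, rounds, fuzz_ratio, seed=0):
    """Replay cases, mutating some; any error but MalformedPacket is a finding."""
    rng, stats = random.Random(seed), {"accepted": 0, "rejected": 0}
    for msg in list(cases) * rounds:
        if rng.random() < fuzz_ratio:
            msg = mutate(msg, rng)
        try:
            parse_fixed_header(msg)
            stats["accepted"] += 1
        except MalformedPacket:
            stats["rejected"] += 1
    return stats
```

An `IndexError` or any other exception escaping `replay` is the parser-level analogue of the crash bug mentioned above: the parser failed to reject a malformed frame cleanly.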

Raphael Cohn

May 8, 2015, 5:55:22 AM
to mq...@googlegroups.com
Thank you very much!

Raphael Cohn
Chief Architect, stormmq
Co-Chair, OASIS MQTT Standard
Secretary, OASIS AMQP Standard
raphae...@stormmq.com

UK Office:
Hamblethorpe Farm, Crag Lane, Bradley BD20 9DB, North Yorkshire, United Kingdom
Telephone: +44 845 3712 567

Registered office:
16 Anchor Street, Chelmsford, Essex, CM2 0JY, United Kingdom
StormMQ Limited is Registered in England and Wales under Company Number 07175657
StormMQ.com


André Fatton

May 10, 2015, 4:28:04 PM
to mq...@googlegroups.com
A surprisingly useful way of testing an implementation…ran it against our broker on the weekend.
+1 Thanks!
André
--
andré fatton . co-founder erl.io
//// erl.io GmbH . Launchlabs . Dornacherstrasse 192 . 4053 Basel
//// Erlang & Distributed Systems Consulting

Shawn McAllister

May 10, 2015, 8:42:28 PM
to <mqtt@googlegroups.com>
We've been running it as well - great tool - thanks!

mcghdykjb

Apr 15, 2021, 8:05:58 AM
to MQTT

Thank you. It is a very good tool,
but we are seeing this problem when we start the test:
subprocess.CalledProcessError: Command '['radamsa', '-o', '/tmp/tmpw7zwiby_/%n.fuzz', '-n', '500', '-r', 'valid-cases/connect']' returned non-zero exit status 126.
Radamsa is installed.