Automated security test generation for MQTT using attack patterns

The dramatic increase of attacks and malicious activities has made security a major concern in the development of interconnected cyber-physical systems and raised the need to address this concern also in testing. The goal of security testing is to discover vulnerabilities in the system under test so that they can be fixed before an attacker finds and abuses them. However, testing for security issues faces the challenge of systematically exploring a potentially non-tractable number of interaction scenarios that have to include also invalid inputs and possible harmful interaction attempts. In this paper, we describe an approach for automated generation of test cases for security testing, which are based on attack patterns. These patterns are blueprints that can be used for exploiting common vulnerabilities. The approach combines random test case generation with attack patterns implemented for the Message Queuing Telemetry Transport (MQTT) protocol. We have applied the proposed testing approach to five popular and widely available MQTT brokers, generating 1,804 interaction sequences in form of executable test cases which resulted in numerous test failures, unhandled exceptions and crashes. A detailed manual analysis of these cases have revealed 28 security-relevant issues and critical shortcomings in the tested MQTT broker implementations.

[1]  Myra B. Cohen,et al.  An orchestrated survey of methodologies for automated software test case generation , 2013, J. Syst. Softw..

[2]  Alireza Esfahani,et al.  A Lightweight Authentication Mechanism for M2M Communications in Industrial IoT Environment , 2019, IEEE Internet of Things Journal.

[3]  SeongHan Shin,et al.  A security framework for MQTT , 2016, 2016 IEEE Conference on Communications and Network Security (CNS).

[4]  Ricardo Neisse,et al.  Enforcement of security policy rules for the Internet of Things , 2014, 2014 IEEE 10th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob).

[5]  Jared D. DeMott,et al.  Fuzzing for Software Security Testing and Quality Assurance , 2008 .

[6]  Rudolf Ramler,et al.  Adapting automated test generation to GUI testing of industry applications , 2018, Inf. Softw. Technol..

[7]  James A. Whittaker How to Break Software : A Practical Guide to Testing , 2002 .

[8]  Klaus Wehrle,et al.  Security Challenges in the IP-based Internet of Things , 2011, Wirel. Pers. Commun..

[9]  Raquel Lacuesta,et al.  MQTT Security: A Novel Fuzzing Approach , 2018, Wirel. Commun. Mob. Comput..

[10]  Bernhard K. Aichernig,et al.  Model-Based Testing IoT Communication via Active Automata Learning , 2017, 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST).

[11]  Vasileios Mavroeidis,et al.  Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence , 2017, 2017 European Intelligence and Security Informatics Conference (EISIC).

[12]  Anne-Marie Kermarrec,et al.  The many faces of publish/subscribe , 2003, CSUR.

[13]  Mohsen Guizani,et al.  Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications , 2015, IEEE Communications Surveys & Tutorials.