Towards Improving Fuzzer Efficiency for the MQTT Protocol

Abstract

MQTT's security has been a major concern because of its weak protocol implementations. Over the last few years, several fuzzing frameworks have been proposed to mitigate this issue. However, these frameworks lack sufficient knowledge of MQTT's specifications, requiring a considerable amount of network packets to cover all of its features and functionality. In this paper, we explain how to improve the efficiency of fuzzing frameworks for MQTT by using a grammar based on its specifications. Although defining a grammar is time-consuming and complex, these drawbacks are overshadowed by its benefits, such as deep state exploration and efficiency. Our improvements are implemented in MQTTGRAM, a new grammar-based fuzzer for MQTT. Due to these improvements, MQTTGRAM offers higher code coverage with significantly fewer packets than existing MQTT fuzzers. For instance, MQTTGRAM exchanges up to 9x fewer packets than its counterparts without reducing the line coverage.