Exploring the Possibilities of Robustness Testing of CoAP Implementations Using Evolutionary Fuzzing

Abstract: Internet of Things (IoT) is a widely used expression to denote the connection of physical objects in the internet. IoT devices are attractive targets for malicious actors as they are often deployed in large numbers with the same software. Such software is important to test in order to prevent malicious abuse. An effective robustness testing technique is called fuzzy testing (fuzzing) and involves automatically exposing software to a multitude of generated inputs to hopefully discover errors in the application before an attacker can exploit them. The Constrained Application Protocol (CoAP) is a relatively new application protocol designed for use in IoT devices whose implementations could contain vulnerabilities. Fuzzing of CoAP applications has been done with success in a previous study but there is room for improvements and further development of CoAP testing techniques.In this report an exploratory study is performed on the possibility of using evolutionary algorithms to strengthen the effectiveness of regular fuzzing on CoAP server implementations. For this, an evolutionary fuzzer was developed that attempts to increase the code coverage of fuzzy input in hopes of unveiling bugs not found with more primitive forms of fuzzing. Three open source CoAP server applications were tested with varying degrees of success. The overall code coverage measurements and number of bugs encountered did not show enough progression to support the technique as an effective tool to use when fuzzing CoAP applications. Further research opportunities exist as this research only tested a subset of available evolutionary algorithms and little investigation had been made on the contributing factors for the technique’s practical ineffectiveness.