Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Eclipse Titan » Using Titan as a fuzzing engine part 2(Fuzzing MQTT)
Using Titan as a fuzzing engine part 2 [message #1758559] Thu, 30 March 2017 07:04 Go to next message
Elemer Lelik is currently offline Elemer LelikFriend
Messages: 853
Registered: January 2015
Senior Member
It will not come as a surprise to you , dear reader, that there are great security concerns regarding deployment and configuration of IOT devices.
One of the frequently used techniques in security investigations is protocol fuzzing, hence we have chosen a popular IOT protocol to experiment on.


To illustrate the principle described in the previous post , let's look into a simple example of fuzzing MQTT messages.
The MQTT protocol module was written initially with an external codec (see http://git.eclipse.org/c/titan/titan.ProtocolModules.MQTT.git/)

The reason for this was that the variable length encoding of remLength cannot be directly handled by RAW alone; some external assistance is needed;
A new protocol module has been written (based on the RAW codec-see attached archive), which can handle both encoding and decoding directions, so the test
defaults to the first messaging/fuzzing architecture presented in teh previous post. Mqtt_v3_1_1_IPL4SizeFunction.ttcn and Mqtt_v3.1.1_Size.cc were lifted from the original protocol module.

The code is for illustration purposes only and it fuzzes nothing else but a CONNECT message sent by the client:



Titan(MQTT Client)                              Paho(MQTT broker)
       +                                           +
       |               CONNNECT                    |
       |                                           |
       +------------------------------------------->
       |                                           |
       |               CONNACK                     |
       <-------------------------------------------+
       |                                           |
       |                  :                        |
       |                                           |
       |                                           |
       |               CONNNECT                    |
       +------------------------------------------->
       |                                           |
       |                  :                        |
       |                                           |
       |                                           |
       |                                           |
       |                                           |
       |                                           |
       |                                           |
       |                                           |
       |                                           |
       |                                           |
       |                                           |
       +                                           +

but it can be taken to the next level by walking through the state machine and in each relevant state fuzz a different message.

The test case basically just resends the CONNECT message anumber of times, each time with a different distorsion set by @update.


//******************************************************************
testcase tc_connect() runs on MTC_CT
//******************************************************************
{
    map(self:p, system:p); 

log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")

f_sendConnnect(); 

 log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------


 @update(t_F_connect)
with {

erroneous (msg.connect_msg.protocol_level) "value := 6 "

}

f_sendConnnect(); 
 log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------
 @update(t_F_connect)
with {

erroneous (msg.connect_msg.nameLength) "value(raw) := '000ABC'O "
erroneous (msg.connect_msg.name)        "value := ""pQTTxxxxxxxx"" "

}

f_sendConnnect();  

 log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")

//----------------------------------------------------------------
f_twoParams(1,v_os,v_str);  //Fuzzing logic

 @update(t_F_connect)
with {

erroneous (msg.connect_msg.nameLength) "value(raw) := v_os ";
erroneous (msg.connect_msg.name)        "value := v_str ";

}

f_sendConnnect(); 
 log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------

@update(t_F_connect) 	with {
erroneous (msg.connect_msg.nameLength) "value := omit "
}

f_sendConnnect();  
 log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------
@update(t_F_connect) 
	with {
erroneous (msg.connect_msg.nameLength) "value := f_genOS(4096) "
}

f_sendConnnect();  


@update(t_F_connect) 	with {
erroneous (msg.connect_msg.payload.client_identifier.stringItem) "value := ""myclientidAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"" "
}
f_sendConnnect(); 



@update(t_F_connect) 	with {
erroneous (msg.connect_msg.payload.client_identifier.stringLength) "value := 0 "
}
f_sendConnnect(); 


@update(t_F_connect) 	with {
erroneous (msg.connect_msg.payload.client_identifier.stringLength) "value := 25 "
}
f_sendConnnect(); 


 log("<--------------------------------------------------------END------------------------------------------------------------------------------------>\r\n\r\n")


 unmap(self:p, system:p); 
}
	  



f_sendConnnect() is opening a TCP connection, sends the (fuzzed) CONNECT message,
waits for an answer or timeout, then closes the TCP connection.
Before sending , an attempt is made to decode the fuzzed message;
the results of this decoding are not completely reliable; besides, there's no gurantee the fuzzed message is decodable;if decoding is unsuccesful,
a raw message is extracted as default.




The generated simplified log file:

13:36:54.149273 USER MQTT_Test.ttcn:185(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->


13:36:54.150031 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101900044D51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.150568 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    msg := {
        connect_msg := {
            header := {
                packetType := '0001'B,
                flags := '0000'B,
                remLength := '00000098'O
            },
            nameLength := 4,
            name := "MQTT",
            protocol_level := 4,
            flags := {
                user_name_flag := '0'B,
                password_flag := '0'B,
                will_retain := '0'B,
                will_qos := AT_MOST_ONCE_DELIVERY (0),
                will_flag := '0'B,
                clean_session := '1'B,
                reserved := '0'B
            },
            keep_alive := 0,
            payload := {
                client_identifier := {
                    stringLength := 13,
                    stringItem := "myclientid_10"
                },
                will_topic := omit,
                will_message := omit,
                user_name := omit,
                password := omit
            }
        }
    }
}
13:36:54.154245 USER MQTT_Test.ttcn:152(function:f_sendConnnect) mqtt connect result <---------------------{
    msg := {
        connack := {
            header := {
                packetType := '0010'B,
                flags := '0000'B,
                remLength := '00000040'O
            },
            session_present_flag := 0,
            connect_return_code := 0
        }
    }
}
13:36:54.154388 USER MQTT_Test.ttcn:189(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->


13:36:54.154490 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101900044D51545406020000000D6D79636C69656E7469645F3130'O
13:36:54.154677 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    msg := {
        connect_msg := {
            header := {
                packetType := '0001'B,
                flags := '0000'B,
                remLength := '00000098'O
            },
            nameLength := 4,
            name := "MQTT",
            protocol_level := 6,
            flags := {
                user_name_flag := '0'B,
                password_flag := '0'B,
                will_retain := '0'B,
                will_qos := AT_MOST_ONCE_DELIVERY (0),
                will_flag := '0'B,
                clean_session := '1'B,
                reserved := '0'B
            },
            keep_alive := 0,
            payload := {
                client_identifier := {
                    stringLength := 13,
                    stringItem := "myclientid_10"
                },
                will_topic := omit,
                will_message := omit,
                user_name := omit,
                password := omit
            }
        }
    }
}
13:36:54.159383 USER MQTT_Test.ttcn:152(function:f_sendConnnect) mqtt connect result <---------------------{
    msg := {
        connack := {
            header := {
                packetType := '0010'B,
                flags := '0000'B,
                remLength := '00000040'O
            },
            session_present_flag := 0,
            connect_return_code := 128
        }
    }
}
13:36:54.159509 USER MQTT_Test.ttcn:201(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->


13:36:54.159737 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '1022000ABC70515454787878787878787804020000000D6D79636C69656E7469645F3130'O
13:36:54.159918 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    msg := {
        connect_msg := {
            header := {
                packetType := '0001'B,
                flags := '0000'B,
                remLength := '00000044'O
            },
            nameLength := 10,
            name := "pQTTxxxxx",
            protocol_level := 120,
            flags := {
                user_name_flag := '0'B,
                password_flag := '1'B,
                will_retain := '1'B,
                will_qos := RESERVED (3),
                will_flag := '0'B,
                clean_session := '0'B,
                reserved := '0'B
            },
            keep_alive := 8222,
            payload := {
                client_identifier := {
                    stringLength := 512,
                    stringItem := char(0, 0, 0, 0) & char(0, 0, 0, 0) & "\rmyclientid_10"
                },
                will_topic := omit,
                will_message := omit,
                user_name := omit,
                password := omit
            }
        }
    }
}
13:36:54.167314 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent  !!!-------------{
    connClosed := {
        connId := 3,
        remName := "127.0.0.1",
        remPort := 1883,
        locName := "127.0.0.1",
        locPort := 48183,
        proto := {
            tcp := { }
        },
        userData := 0
    }
}
13:36:54.167390 USER MQTT_Test.ttcn:213(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->


13:36:54.167598 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101900015A51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.167758 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    msg := {
        connect_msg := {
            header := {
                packetType := '0001'B,
                flags := '0000'B,
                remLength := '00000098'O
            },
            nameLength := 1,
            name := "Z",
            protocol_level := 81,
            flags := {
                user_name_flag := '0'B,
                password_flag := '1'B,
                will_retain := '0'B,
                will_qos := EXACTLY_ONE_DELIVERY (2),
                will_flag := '1'B,
                clean_session := '0'B,
                reserved := '0'B
            },
            keep_alive := 8234,
            payload := {
                client_identifier := {
                    stringLength := 512,
                    stringItem := char(0, 0, 0, 0) & char(0, 0, 0, 0) & "\rmyclientid_10"
                },
                will_topic := omit,
                will_message := omit,
                user_name := omit,
                password := omit
            }
        }
    }
}
13:36:54.169933 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent  !!!-------------{
    connClosed := {
        connId := 4,
        remName := "127.0.0.1",
        remPort := 1883,
        locName := "127.0.0.1",
        locPort := 52954,
        proto := {
            tcp := { }
        },
        userData := 0
    }
}
13:36:54.169995 USER MQTT_Test.ttcn:227(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->


13:36:54.170212 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '10174D51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.170379 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    raw_message := '10000000174D51545404020000000D6D79636C69656E7469645F3130'O
}
13:36:54.171447 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent  !!!-------------{
    connClosed := {
        connId := 5,
        remName := "127.0.0.1",
        remPort := 1883,
        locName := "127.0.0.1",
        locPort := 34105,
        proto := {
            tcp := { }
        },
        userData := 0
    }
}
13:36:54.171506 USER MQTT_Test.ttcn:235(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->


13:36:54.173186 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101018AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.178135 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    raw_message := '1000001018AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D51545404020000000D6D79636C69656E7469645F3130'O
}
13:36:54.342190 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent  !!!-------------{
    connClosed := {
        connId := 6,
        remName := "127.0.0.1",
        remPort := 1883,
        locName := "127.0.0.1",
        locPort := 56004,
        proto := {
            tcp := { }
        },
        userData := 0
    }
}
13:36:54.342582 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '10008500044D515454040200006D79636C69656E74696441414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141'O
13:36:54.342904 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    msg := {
        connect_msg := {
            header := {
                packetType := '0001'B,
                flags := '0000'B,
                remLength := '000000A1'O
            },
            nameLength := 4,
            name := "MQTT",
            protocol_level := 4,
            flags := {
                user_name_flag := '0'B,
                password_flag := '0'B,
                will_retain := '0'B,
                will_qos := AT_MOST_ONCE_DELIVERY (0),
                will_flag := '0'B,
                clean_session := '1'B,
                reserved := '0'B
            },
            keep_alive := 0,
            payload := {
                client_identifier := {
                    stringLength := 28025,
                    stringItem := "clientidAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                },
                will_topic := omit,
                will_message := omit,
                user_name := omit,
                password := omit
            }
        }
    }
}
13:36:54.344035 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent  !!!-------------{
    connClosed := {
        connId := 7,
        remName := "127.0.0.1",
        remPort := 1883,
        locName := "127.0.0.1",
        locPort := 46568,
        proto := {
            tcp := { }
        },
        userData := 0
    }
}
13:36:54.344273 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101800044D51545404020000006D79636C69656E7469645F3130'O
13:36:54.344515 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    msg := {
        connect_msg := {
            header := {
                packetType := '0001'B,
                flags := '0000'B,
                remLength := '00000018'O
            },
            nameLength := 4,
            name := "MQTT",
            protocol_level := 4,
            flags := {
                user_name_flag := '0'B,
                password_flag := '0'B,
                will_retain := '0'B,
                will_qos := AT_MOST_ONCE_DELIVERY (0),
                will_flag := '0'B,
                clean_session := '1'B,
                reserved := '0'B
            },
            keep_alive := 0,
            payload := {
                client_identifier := {
                    stringLength := 109,
                    stringItem := "yclientid_10"
                },
                will_topic := omit,
                will_message := omit,
                user_name := omit,
                password := omit
            }
        }
    }
}
13:36:54.346496 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent  !!!-------------{
    connClosed := {
        connId := 8,
        remName := "127.0.0.1",
        remPort := 1883,
        locName := "127.0.0.1",
        locPort := 48955,
        proto := {
            tcp := { }
        },
        userData := 0
    }
}
13:36:54.346619 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101800044D51545404020000196D79636C69656E7469645F3130'O
13:36:54.346757 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect --------------------------->  :{
    msg := {
        connect_msg := {
            header := {
                packetType := '0001'B,
                flags := '0000'B,
                remLength := '00000018'O
            },
            nameLength := 4,
            name := "MQTT",
            protocol_level := 4,
            flags := {
                user_name_flag := '0'B,
                password_flag := '0'B,
                will_retain := '0'B,
                will_qos := AT_MOST_ONCE_DELIVERY (0),
                will_flag := '0'B,
                clean_session := '1'B,
                reserved := '0'B
            },
            keep_alive := 0,
            payload := {
                client_identifier := {
                    stringLength := 6509,
                    stringItem := "yclientid_10"
                },
                will_topic := omit,
                will_message := omit,
                user_name := omit,
                password := omit
            }
        }
    }
}
13:36:54.348942 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent  !!!-------------{
    connClosed := {
        connId := 9,
        remName := "127.0.0.1",
        remPort := 1883,
        locName := "127.0.0.1",
        locPort := 57620,
        proto := {
            tcp := { }
        },
        userData := 0
    }
}
13:36:54.349002 USER MQTT_Test.ttcn:267(testcase:tc_connect) <--------------------------------------------------------END------------------------------------------------------------------------------------>




It can be seen that some CONNECT messages are met with an "Unexpected ASPEvent" which means closing the TCP connection on the broker side.


As SUT a Paho broker written in Python was used; see below the log generated on the broker console:



python3 ./paho.mqtt.testing/interoperability/startbroker.py

INFO 20170323 140800 MQTT 3.1.1 Paho Test Broker                                                         
INFO 20170323 140800 Optional behaviour, publish on pubrel: True                                         
INFO 20170323 140800 Optional behaviour, single publish on overlapping topics: True                      
INFO 20170323 140800 Optional behaviour, drop QoS 0 publications to disconnected clients: True           
INFO 20170323 140800 Optional behaviour, support zero length clientids: True                             
INFO 20170323 140800 Starting the MQTT server on port 1883                                               
INFO 20170323 140805 Starting communications for socket 6                                                
INFO 20170323 140805 Waiting for request                                                                 
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null                             
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field                            
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long         
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null                             
INFO 20170323 140805 [MQTT-3.1.2-18] username must not be in payload if user name flag is 0              
INFO 20170323 140805 [MQTT-3.1.2-20] password must not be in payload if password flag is 0               
INFO 20170323 140805 in: Connects(DUP=False, QoS=0, Retain=False, ProtocolName=MQTT, ProtocolVersion=4, CleanSession=True, WillFlag=False, KeepAliveTimer=0, ClientId=myclientid_10, usernameFlag=False, passwordFlag=False)                                                                                                                
INFO 20170323 140805 [MQTT-3.1.3-5] Clientids of 1 to 23 chars and ascii alphanumeric must be allowed                                                                 
INFO 20170323 140805 [MQTT-4.1.0-1] server must store data for at least as long as the network connection lasts                                                       
INFO 20170323 140805 [MQTT-4.7.3-1] all topic names and filters must be at least 1 char                                                                               
INFO 20170323 140805 [MQTT-4.7.3-3] all topic names and filters must be <= 65535 bytes long                                                                           
INFO 20170323 140805 [MQTT-4.7.1-2] # must be last, and next to /                                                                                                     
INFO 20170323 140805 [MQTT-4.7.1-3] + can be used at any complete level                                                                                               
INFO 20170323 140805 [MQTT-3.2.0-1] the first response to a client must be a connack                                                                                  
INFO 20170323 140805 out: Connacks(DUP=False, QoS=0, Retain=False, Session present=False, ReturnCode=0)                                                               
INFO 20170323 140805 Starting communications for socket 7                                                                                                             
INFO 20170323 140805 Waiting for request                                                                                                                              
INFO 20170323 140805 Waiting for request                                                                                                                              
INFO 20170323 140805 [MQTT-3.14.4-2] Client must not send any more packets after disconnect                                                                           
INFO 20170323 140805 [MQTT-3.1.2-6] broker must discard the session data for client myclientid_10                                                                     
INFO 20170323 140805 [MQTT-4.7.3-1] all topic names and filters must be at least 1 char                                                                               
INFO 20170323 140805 [MQTT-4.7.3-3] all topic names and filters must be <= 65535 bytes long                                                                           
INFO 20170323 140805 [MQTT-4.7.1-2] # must be last, and next to /                                                                                                     
INFO 20170323 140805 [MQTT-4.7.1-3] + can be used at any complete level                                                                                               
INFO 20170323 140805 Finishing communications for socket 6                                                                                                            
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null                                                                                          
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field                                                                                         
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long                                                                      
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null                                                                                          
INFO 20170323 140805 [MQTT-3.1.2-18] username must not be in payload if user name flag is 0                                                                           
INFO 20170323 140805 [MQTT-3.1.2-20] password must not be in payload if password flag is 0                                                                            
INFO 20170323 140805 in: Connects(DUP=False, QoS=0, Retain=False, ProtocolName=MQTT, ProtocolVersion=6, CleanSession=True, WillFlag=False, KeepAliveTimer=0, ClientId=myclientid_10, usernameFlag=False, passwordFlag=False)                                                                                                                
ERROR 20170323 140805 [MQTT-3.1.2-2] Wrong protocol version 6                                                                                                         
INFO 20170323 140805 out: Connacks(DUP=False, QoS=0, Retain=False, Session present=False, ReturnCode=1)                                                               
INFO 20170323 140805 [MQTT-3.2.2-5] must close connection after non-zero connack                                                                                      
INFO 20170323 140805 [MQTT-3.14.4-2] Client must not send any more packets after disconnect                                                                           
INFO 20170323 140805 [MQTT-3.1.4-5] When rejecting connect, no more data must be processed                                                                            
INFO 20170323 140805 Waiting for request                                                                                                                              
INFO 20170323 140805 [MQTT-3.14.4-2] Client must not send any more packets after disconnect                                                                           
INFO 20170323 140805 Finishing communications for socket 7                                                                                                            
INFO 20170323 140805 Starting communications for socket 7                                                                                                             
INFO 20170323 140805 Waiting for request                                                                                                                              
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform                                  
Traceback (most recent call last):                                                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack                                                     
    self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 178, in readUTF                                                    
    buf = buffer[2:2+length].decode("utf-8")                                                                                                                          
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xbc in position 0: invalid start byte                                                                            
ERROR 20170323 140805 [MQTT-1.4.0-1] Unicode field encoding error                                                                                                     
INFO 20170323 140805 Finishing communications for socket 7                                                                                                            
INFO 20170323 140805 Starting communications for socket 6                                                                                                             
INFO 20170323 140805 Waiting for request                                                                                                                              
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null                                                                                          
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform                                  
Traceback (most recent call last):                                                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 270, in unpack                                                     
    assert self.ProtocolName == "MQTT", "Wrong protocol name %s" % self.ProtocolName                                                                                  
AssertionError: Wrong protocol name Z                                                                                                                                 
ERROR 20170323 140805 Wrong protocol name Z                                                                                                                           
INFO 20170323 140805 Finishing communications for socket 6                                                                                                            
INFO 20170323 140805 Starting communications for socket 7                                                                                                             
INFO 20170323 140805 Waiting for request                                                                                                                              
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform                                  
Traceback (most recent call last):                                                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack                                                     
    self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF                                                    
    raise MQTTException("Length delimited string too long")                                                                                                           
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long                                                                                                 
ERROR 20170323 140805 Length delimited string too long                                                                                                                
INFO 20170323 140805 Finishing communications for socket 7                                                                                                            
INFO 20170323 140805 Starting communications for socket 6                                                                                                             
INFO 20170323 140805 Waiting for request                                                                                                                              
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform                                  
Traceback (most recent call last):                                                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack                                                     
    self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF                                                    
    raise MQTTException("Length delimited string too long")                                                                                                           
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long                                                                                                 
ERROR 20170323 140805 Length delimited string too long                                                                                                                
INFO 20170323 140805 Finishing communications for socket 6                                                                                                            
INFO 20170323 140805 Starting communications for socket 6                                                                                                             
INFO 20170323 140805 Waiting for request                                                                                                                              
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform                                  
Traceback (most recent call last):                                                                                                                                    
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack                                                     
    self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 174, in readUTF
    raise MQTTException("Not enough data to read string length")
mqtt.formats.MQTTV311.MQTTException: Not enough data to read string length
ERROR 20170323 140805 Not enough data to read string length
INFO 20170323 140805 Finishing communications for socket 6
INFO 20170323 140805 Starting communications for socket 6
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 295, in unpack
    self.ClientIdentifier = readUTF(buffer[curlen:], packlen - curlen)
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF
    raise MQTTException("Length delimited string too long")
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long
ERROR 20170323 140805 Length delimited string too long
INFO 20170323 140805 Finishing communications for socket 6
INFO 20170323 140805 Starting communications for socket 7
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 295, in unpack
    self.ClientIdentifier = readUTF(buffer[curlen:], packlen - curlen)
  File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF
    raise MQTTException("Length delimited string too long")
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long
ERROR 20170323 140805 Length delimited string too long
INFO 20170323 140805 Finishing communications for socket 7




Our experiments went only as far as to check if errors can be triggered in the broker. We did not investigate the nature of the errors
or whether closing the TCP connection is in line with the standard or it can be considered unexpected behaviour.



The code is attached; it has to be unpacked , compiled (make) ,
the broker started ( python3 ./paho.mqtt.testing/interoperability/startbroker.py --requires Python 3.4 or higher ),
the TTCN-3 part executed (ttcn3_start ./MQTT_Test MQTT.cfg).
To compile it you will need to build Titan from scratch from github source, as the @update feature was not yet present in the last release (6.1.pl0).




Best regards

Elemer
  • Attachment: MQTTFDemo.tgz
    (Size: 752.69KB, Downloaded 92 times)
Re: Using Titan as a fuzzing engine part 2 [message #1764473 is a reply to message #1758559] Tue, 30 May 2017 11:17 Go to previous messageGo to next message
Alexander Kaiser is currently offline Alexander KaiserFriend
Messages: 18
Registered: May 2017
Junior Member
Hello Elemer,

while playing around with the attached protocol module and running some tests against mosquitto, I figured out that the Connack responses had some fields with unexpected values, although the responses were correct when analyzed with Wireshark.

Changing the Bitorder from msb to lsb for the session_present_flag and connect_return_code in the Connack type definition seem to fix that problem. Considering the Connack Variable Header that makes somehow sense to me. But I'm still surprised about that because all the other fields are ordered as msb and they seem to encode and decode correctly.

I'm not sure about this "fix" because to me it does not seem to be a good idea to mix msb and lsb inside of a single protocol module.

Best regards
Alexander
Re: Using Titan as a fuzzing engine part 2 [message #1764474 is a reply to message #1764473] Tue, 30 May 2017 11:28 Go to previous messageGo to next message
Elemer Lelik is currently offline Elemer LelikFriend
Messages: 853
Registered: January 2015
Senior Member
Hi Alexander,

we are preparing an official protocol module version for negative testing (including fuzzing). I'll defer your feedback to the colleague who is working with this,
he'll investigate.


Best regards

Elemer



Re: Using Titan as a fuzzing engine part 2 [message #1765045 is a reply to message #1758559] Tue, 06 June 2017 06:38 Go to previous messageGo to next message
Bence Janos Szabo is currently offline Bence Janos SzaboFriend
Messages: 9
Registered: April 2017
Junior Member
Hi Alexander,

You are right about changing the msb to lsb for the fields session_present_flag and connect_return_code.

As I can see in the MQTT standard the bits in a byte datatype are encoded as lsb.

The updated MQTT protocol module which supports fuzzing and also corrects this issue will be uploaded soon by Elemér.

Best regards,
Bence
Re: Using Titan as a fuzzing engine part 2 [message #1765082 is a reply to message #1765045] Tue, 06 June 2017 12:55 Go to previous messageGo to next message
Elemer Lelik is currently offline Elemer LelikFriend
Messages: 853
Registered: January 2015
Senior Member
Hi Alexander,

I have committed the protocol modules to be sued for negative testing of MQTT and CoAP

see:

git://git.eclipse.org/gitroot/titan/titan.ProtocolModules.CoAP.git
git://git.eclipse.org/gitroot/titan/titan.ProtocolModules.MQTT.git


under src/negative_testing

Please take a look;
the main features are that:

-structures are exposed for maximum detail, there are no hidden fields with assumed values
-encoding can be done either by RAW or by external function, while decoding is based on an external function,
so a RAW encoding can be done for negative testing , while responses can be decoded by the external function to the same structure


Best regards
Elemer

Re: Using Titan as a fuzzing engine part 2 [message #1765172 is a reply to message #1765082] Wed, 07 June 2017 08:36 Go to previous messageGo to next message
Alexander Kaiser is currently offline Alexander KaiserFriend
Messages: 18
Registered: May 2017
Junior Member
Hi Elemer and Bence,

thank you for the notification and your effort on this update.

Edit:
I pulled the MQTT Protocol Module from git and updated it in my workspace. Unfortunately, the compiler now complains about ambiguous module names because the modules MQTT_v3_1_1_Types and Mqtt_v3_1_1_IPL4SizeFunction are present twice.
Do I still need the "normal" type definitions? If so, how can I help the compiler to distinguish between these modules?

Thank you in advance and best regards,
Alexander

[Updated on: Wed, 07 June 2017 09:31]

Report message to a moderator

Re: Using Titan as a fuzzing engine part 2 [message #1765293 is a reply to message #1765172] Thu, 08 June 2017 08:06 Go to previous messageGo to next message
Naum Spaseski is currently offline Naum SpaseskiFriend
Messages: 81
Registered: February 2016
Location: Sophia Antipolis
Member

Hi Alexander,

As far as I know, the "Mqtt_v3_1_1_IPL4SizeFunction" is the same in both cases (so you can use only one file), and "MQTT_v3_1_1_Types" is the same too, except if you use "MQTT_v3_1_1_FTypes", but in that case you must decide which type declaration file you want to keep.

Best regards,
Naum
Re: Using Titan as a fuzzing engine part 2 [message #1765295 is a reply to message #1765293] Thu, 08 June 2017 08:30 Go to previous messageGo to next message
Elemer Lelik is currently offline Elemer LelikFriend
Messages: 853
Registered: January 2015
Senior Member
HI Alexander, Naum,

sorry , yes , it might be a bit confusing:

-for positive testing one needs the content of the src except the content of negative_testing.
-for negative testing one needs the content of negative_testing only

So there are two stand-alone (not complementing) protocol modules , with different usages.

I hope this clarifies it.

BR

Elemer




Re: Using Titan as a fuzzing engine part 2 [message #1765314 is a reply to message #1765295] Thu, 08 June 2017 10:47 Go to previous messageGo to next message
Alexander Kaiser is currently offline Alexander KaiserFriend
Messages: 18
Registered: May 2017
Junior Member
Hi Elemer,

I figured out yesterday, that it's sufficient to exclude one of these protocol modules from the build state.
But this raised the question whether I really need both protocol modules? According to my understanding, the protocol module for negative testing covers the same functionality as the one for positive testing with additional features. Hence, wouldn't it be sufficient to use only the one for negative testing for both purposes?

Best Regards,
Alexander
Re: Using Titan as a fuzzing engine part 2 [message #1765316 is a reply to message #1765314] Thu, 08 June 2017 10:51 Go to previous messageGo to next message
Elemer Lelik is currently offline Elemer LelikFriend
Messages: 853
Registered: January 2015
Senior Member
Hi Alexander,

you are right , the one for negative testing can be used for positive tests also.

But for compatibility, we wanted to keep the old one too; so if one already built some code around it will not be forced to re-write.
Besides , the old one it's a tad more convenient to use as you don't have to care about some parameters.

So users have more choices, even if this might be confusing .... :)


Best regards

Elemer


Re: Using Titan as a fuzzing engine part 2 [message #1765325 is a reply to message #1765316] Thu, 08 June 2017 12:52 Go to previous messageGo to next message
Alexander Kaiser is currently offline Alexander KaiserFriend
Messages: 18
Registered: May 2017
Junior Member
Hi Elemer,

with your explanation that makes perfect sense.

As I already mentioned I decided to exclude the protocol module for positive testing completely and use only the one for negative testing.
While trying it out and observing the sent messages with Wireshark, I noticed an unexpected behavior as Wireshark was not able anymore to decode the messages correctly. After an investigation, I figured out that the remLength field is somehow incorrect. Indeed calling f_MQTT_encode(..) does adjust the length of the remLength field as described in the standard but the RAW encoding f_MQTT_enc(..) does not set the field. I was surprised by that because I assumed that this field is set automatically in the codec.

To verify that behavior I did the following:
var octetstring v_encoded_raw := f_MQTT_enc(valueof(v_conMsg));   // raw decoding without adjusting remLength
var octetstring v_encoded_01 := f_MQTT_encode(valueof(v_conMsg));   // raw decoding with adjusting remLength
var octetstring v_encoded_02 := f_adjustLength(f_calcRemLength(v_encoded_raw));   // raw decoding with calculating and adjusting remLength

// encoding logs
log(">>> Encoded RAW: ", lengthof(v_encoded_raw), " Bytes\n", v_encoded_raw, "\n");
log(">>> Encoded 001: ",  lengthof(v_encoded_01), " Bytes\n", v_encoded_01, "\n");
log(">>> Encoded 002: ",  lengthof(v_encoded_02), " Bytes\n", v_encoded_02, "\n");

// decoding with RAW 
var MQTT_v3_1_1_Message v_decoded_raw := f_MQTT_decode(v_encoded_raw);
var MQTT_v3_1_1_Message v_decoded_01 := f_MQTT_decode(v_encoded_01);
var MQTT_v3_1_1_Message v_decoded_02 := f_MQTT_decode(v_encoded_02);

log("<<< Decoded RAW: ", v_decoded_raw.msg);
log("<<< Decoded 001: ", v_decoded_01.msg);
log("<<< Decoded 002: ", v_decoded_02.msg);


While v_encoded_raw and v_decode_raw are obviously not quite correct (as the codec uses always 4 bytes for remLength) I expected v_encoded_01 and v_decoded_01 to be correct instead the remLength was adjusted but remained 0. To achieve a correct remLength I implemented f_calcRemLength(..) (v_encoded_02) as a workaround. The following extract shows the encoding logs:

>>> Encoded RAW: 33 Bytes '100000000000044D5154540402140000106D79436C69656E745F4D5154545F4944'O
>>> Encoded 001: 30 Bytes '100000044D5154540402140000106D79436C69656E745F4D5154545F4944'O
>>> Encoded 002: 30 Bytes '101C00044D5154540402140000106D79436C69656E745F4D5154545F4944'O


As one can see the second octet which should contain the remLength is '00000000'O in the first example and '00'O after f_adjustLength(..) in the second example.

I attached RemLength_Tester.ttcn which reproduces this behavior.

Best Regards,
Alexander
Re: Using Titan as a fuzzing engine part 2 [message #1765331 is a reply to message #1765325] Thu, 08 June 2017 13:41 Go to previous messageGo to next message
Bence Janos Szabo is currently offline Bence Janos SzaboFriend
Messages: 9
Registered: April 2017
Junior Member
Hi Alexander,

The remLength field could be calculated automatically, but it would be the opposite what we were trying to achieve with this protocol module for negative testing.

The remLength field must be set manually to be able to send correct or incorrect values.
If we would calculate the remLength field automatically, it would be impossible to send incorrect values of remLength, and we could not test how the SUT would react to erroneous remLength values.

If you calculate the remLength manually and encode the v_conMsg template with RAW, and then call the f_adjustLength function on the output of the RAW encoding, you will get the correctly encoded octetstring.

If you would like to calculate the remLength automatically then your workaround seems to work. But is was intentional to not calculate the remLength field automatically.

Best regards,
Bence
Re: Using Titan as a fuzzing engine part 2 [message #1765338 is a reply to message #1765331] Thu, 08 June 2017 14:22 Go to previous messageGo to next message
Alexander Kaiser is currently offline Alexander KaiserFriend
Messages: 18
Registered: May 2017
Junior Member
Hi Bence,

probably that is one point, as Elemer already mentioned, where the "normal" protocol module is more convenient. But being forced to calculate remLength for each message by hand seems for me to be pretty inconvenient and error prone for several reasons.

(1) Testcases which will fuzz the remLength field will probably add up to a fraction of all testcases but you will still need to calculate this field for all testcases by hand.
(2) While calculating the remLength from an octetstring is quite easy (as I did in f_calcRemLength(..)), calculating the remLength field from a given MQTT_v3_1_1_Message / TTCN-3 record seems not be that trivial. I didn't find any feasible solution to determine the final remLength before encoding the structure.
(3) As far as I can judge the workaround would make the @update feature inapplicable for the remLength field because the workaround and f_adjustLength modify the octetstring after encoding.

Wouldn't it be the most convenient way if the codec would calculate the remLength field and one would still have the option to manipulate this field with @update like described by Elemer in the initial post?

Best regards,
Alexander
Re: Using Titan as a fuzzing engine part 2 [message #1765343 is a reply to message #1765338] Thu, 08 June 2017 14:55 Go to previous message
Elemer Lelik is currently offline Elemer LelikFriend
Messages: 853
Registered: January 2015
Senior Member
Hi Alexander,

the problem can be traced back to the shortcomings of the RAW codec which cannot currently
handle remLength. For the moment we will have to live with this workaround.

In the long term we will try to amend the RAW codec accordingly, if architecturally possible.

Best regards

Elemer
Previous Topic:Stacking ports
Next Topic:XML Decoder order problem
Goto Forum:
  


Current Time: Thu Nov 15 02:35:35 GMT 2018

Powered by FUDForum. Page generated in 0.02531 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top