Home » Eclipse Projects » Eclipse Titan » Using Titan as a fuzzing engine part 2(Fuzzing MQTT)
| Using Titan as a fuzzing engine part 2 [message #1758559] |
Thu, 30 March 2017 03:04  |
Eclipse User |
|
|
|
It will not come as a surprise to you , dear reader, that there are great security concerns regarding deployment and configuration of IOT devices.
One of the frequently used techniques in security investigations is protocol fuzzing, hence we have chosen a popular IOT protocol to experiment on.
To illustrate the principle described in the previous post , let's look into a simple example of fuzzing MQTT messages.
The MQTT protocol module was written initially with an external codec (see http://git.eclipse.org/c/titan/titan.ProtocolModules.MQTT.git/)
The reason for this was that the variable length encoding of remLength cannot be directly handled by RAW alone; some external assistance is needed;
A new protocol module has been written (based on the RAW codec-see attached archive), which can handle both encoding and decoding directions, so the test
defaults to the first messaging/fuzzing architecture presented in teh previous post. Mqtt_v3_1_1_IPL4SizeFunction.ttcn and Mqtt_v3.1.1_Size.cc were lifted from the original protocol module.
The code is for illustration purposes only and it fuzzes nothing else but a CONNECT message sent by the client:
Titan(MQTT Client) Paho(MQTT broker)
+ +
| CONNNECT |
| |
+------------------------------------------->
| |
| CONNACK |
<-------------------------------------------+
| |
| : |
| |
| |
| CONNNECT |
+------------------------------------------->
| |
| : |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
+ +
but it can be taken to the next level by walking through the state machine and in each relevant state fuzz a different message.
The test case basically just resends the CONNECT message anumber of times, each time with a different distorsion set by @update.
//******************************************************************
testcase tc_connect() runs on MTC_CT
//******************************************************************
{
map(self:p, system:p);
log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
f_sendConnnect();
log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------
@update(t_F_connect)
with {
erroneous (msg.connect_msg.protocol_level) "value := 6 "
}
f_sendConnnect();
log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------
@update(t_F_connect)
with {
erroneous (msg.connect_msg.nameLength) "value(raw) := '000ABC'O "
erroneous (msg.connect_msg.name) "value := ""pQTTxxxxxxxx"" "
}
f_sendConnnect();
log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------
f_twoParams(1,v_os,v_str); //Fuzzing logic
@update(t_F_connect)
with {
erroneous (msg.connect_msg.nameLength) "value(raw) := v_os ";
erroneous (msg.connect_msg.name) "value := v_str ";
}
f_sendConnnect();
log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------
@update(t_F_connect) with {
erroneous (msg.connect_msg.nameLength) "value := omit "
}
f_sendConnnect();
log("<----------------------------------------------------------------------------------------------------------------------------------------------->\r\n\r\n")
//----------------------------------------------------------------
@update(t_F_connect)
with {
erroneous (msg.connect_msg.nameLength) "value := f_genOS(4096) "
}
f_sendConnnect();
@update(t_F_connect) with {
erroneous (msg.connect_msg.payload.client_identifier.stringItem) "value := ""myclientidAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"" "
}
f_sendConnnect();
@update(t_F_connect) with {
erroneous (msg.connect_msg.payload.client_identifier.stringLength) "value := 0 "
}
f_sendConnnect();
@update(t_F_connect) with {
erroneous (msg.connect_msg.payload.client_identifier.stringLength) "value := 25 "
}
f_sendConnnect();
log("<--------------------------------------------------------END------------------------------------------------------------------------------------>\r\n\r\n")
unmap(self:p, system:p);
}
f_sendConnnect() is opening a TCP connection, sends the (fuzzed) CONNECT message,
waits for an answer or timeout, then closes the TCP connection.
Before sending , an attempt is made to decode the fuzzed message;
the results of this decoding are not completely reliable; besides, there's no gurantee the fuzzed message is decodable;if decoding is unsuccesful,
a raw message is extracted as default.
The generated simplified log file:
13:36:54.149273 USER MQTT_Test.ttcn:185(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->
13:36:54.150031 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101900044D51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.150568 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
msg := {
connect_msg := {
header := {
packetType := '0001'B,
flags := '0000'B,
remLength := '00000098'O
},
nameLength := 4,
name := "MQTT",
protocol_level := 4,
flags := {
user_name_flag := '0'B,
password_flag := '0'B,
will_retain := '0'B,
will_qos := AT_MOST_ONCE_DELIVERY (0),
will_flag := '0'B,
clean_session := '1'B,
reserved := '0'B
},
keep_alive := 0,
payload := {
client_identifier := {
stringLength := 13,
stringItem := "myclientid_10"
},
will_topic := omit,
will_message := omit,
user_name := omit,
password := omit
}
}
}
}
13:36:54.154245 USER MQTT_Test.ttcn:152(function:f_sendConnnect) mqtt connect result <---------------------{
msg := {
connack := {
header := {
packetType := '0010'B,
flags := '0000'B,
remLength := '00000040'O
},
session_present_flag := 0,
connect_return_code := 0
}
}
}
13:36:54.154388 USER MQTT_Test.ttcn:189(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->
13:36:54.154490 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101900044D51545406020000000D6D79636C69656E7469645F3130'O
13:36:54.154677 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
msg := {
connect_msg := {
header := {
packetType := '0001'B,
flags := '0000'B,
remLength := '00000098'O
},
nameLength := 4,
name := "MQTT",
protocol_level := 6,
flags := {
user_name_flag := '0'B,
password_flag := '0'B,
will_retain := '0'B,
will_qos := AT_MOST_ONCE_DELIVERY (0),
will_flag := '0'B,
clean_session := '1'B,
reserved := '0'B
},
keep_alive := 0,
payload := {
client_identifier := {
stringLength := 13,
stringItem := "myclientid_10"
},
will_topic := omit,
will_message := omit,
user_name := omit,
password := omit
}
}
}
}
13:36:54.159383 USER MQTT_Test.ttcn:152(function:f_sendConnnect) mqtt connect result <---------------------{
msg := {
connack := {
header := {
packetType := '0010'B,
flags := '0000'B,
remLength := '00000040'O
},
session_present_flag := 0,
connect_return_code := 128
}
}
}
13:36:54.159509 USER MQTT_Test.ttcn:201(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->
13:36:54.159737 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '1022000ABC70515454787878787878787804020000000D6D79636C69656E7469645F3130'O
13:36:54.159918 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
msg := {
connect_msg := {
header := {
packetType := '0001'B,
flags := '0000'B,
remLength := '00000044'O
},
nameLength := 10,
name := "pQTTxxxxx",
protocol_level := 120,
flags := {
user_name_flag := '0'B,
password_flag := '1'B,
will_retain := '1'B,
will_qos := RESERVED (3),
will_flag := '0'B,
clean_session := '0'B,
reserved := '0'B
},
keep_alive := 8222,
payload := {
client_identifier := {
stringLength := 512,
stringItem := char(0, 0, 0, 0) & char(0, 0, 0, 0) & "\rmyclientid_10"
},
will_topic := omit,
will_message := omit,
user_name := omit,
password := omit
}
}
}
}
13:36:54.167314 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent !!!-------------{
connClosed := {
connId := 3,
remName := "127.0.0.1",
remPort := 1883,
locName := "127.0.0.1",
locPort := 48183,
proto := {
tcp := { }
},
userData := 0
}
}
13:36:54.167390 USER MQTT_Test.ttcn:213(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->
13:36:54.167598 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101900015A51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.167758 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
msg := {
connect_msg := {
header := {
packetType := '0001'B,
flags := '0000'B,
remLength := '00000098'O
},
nameLength := 1,
name := "Z",
protocol_level := 81,
flags := {
user_name_flag := '0'B,
password_flag := '1'B,
will_retain := '0'B,
will_qos := EXACTLY_ONE_DELIVERY (2),
will_flag := '1'B,
clean_session := '0'B,
reserved := '0'B
},
keep_alive := 8234,
payload := {
client_identifier := {
stringLength := 512,
stringItem := char(0, 0, 0, 0) & char(0, 0, 0, 0) & "\rmyclientid_10"
},
will_topic := omit,
will_message := omit,
user_name := omit,
password := omit
}
}
}
}
13:36:54.169933 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent !!!-------------{
connClosed := {
connId := 4,
remName := "127.0.0.1",
remPort := 1883,
locName := "127.0.0.1",
locPort := 52954,
proto := {
tcp := { }
},
userData := 0
}
}
13:36:54.169995 USER MQTT_Test.ttcn:227(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->
13:36:54.170212 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '10174D51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.170379 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
raw_message := '10000000174D51545404020000000D6D79636C69656E7469645F3130'O
}
13:36:54.171447 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent !!!-------------{
connClosed := {
connId := 5,
remName := "127.0.0.1",
remPort := 1883,
locName := "127.0.0.1",
locPort := 34105,
proto := {
tcp := { }
},
userData := 0
}
}
13:36:54.171506 USER MQTT_Test.ttcn:235(testcase:tc_connect) <----------------------------------------------------------------------------------------------------------------------------------------------->
13:36:54.173186 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101018AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D51545404020000000D6D79636C69656E7469645F3130'O
13:36:54.178135 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
raw_message := '1000001018AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4D51545404020000000D6D79636C69656E7469645F3130'O
}
13:36:54.342190 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent !!!-------------{
connClosed := {
connId := 6,
remName := "127.0.0.1",
remPort := 1883,
locName := "127.0.0.1",
locPort := 56004,
proto := {
tcp := { }
},
userData := 0
}
}
13:36:54.342582 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '10008500044D515454040200006D79636C69656E74696441414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141'O
13:36:54.342904 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
msg := {
connect_msg := {
header := {
packetType := '0001'B,
flags := '0000'B,
remLength := '000000A1'O
},
nameLength := 4,
name := "MQTT",
protocol_level := 4,
flags := {
user_name_flag := '0'B,
password_flag := '0'B,
will_retain := '0'B,
will_qos := AT_MOST_ONCE_DELIVERY (0),
will_flag := '0'B,
clean_session := '1'B,
reserved := '0'B
},
keep_alive := 0,
payload := {
client_identifier := {
stringLength := 28025,
stringItem := "clientidAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
},
will_topic := omit,
will_message := omit,
user_name := omit,
password := omit
}
}
}
}
13:36:54.344035 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent !!!-------------{
connClosed := {
connId := 7,
remName := "127.0.0.1",
remPort := 1883,
locName := "127.0.0.1",
locPort := 46568,
proto := {
tcp := { }
},
userData := 0
}
}
13:36:54.344273 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101800044D51545404020000006D79636C69656E7469645F3130'O
13:36:54.344515 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
msg := {
connect_msg := {
header := {
packetType := '0001'B,
flags := '0000'B,
remLength := '00000018'O
},
nameLength := 4,
name := "MQTT",
protocol_level := 4,
flags := {
user_name_flag := '0'B,
password_flag := '0'B,
will_retain := '0'B,
will_qos := AT_MOST_ONCE_DELIVERY (0),
will_flag := '0'B,
clean_session := '1'B,
reserved := '0'B
},
keep_alive := 0,
payload := {
client_identifier := {
stringLength := 109,
stringItem := "yclientid_10"
},
will_topic := omit,
will_message := omit,
user_name := omit,
password := omit
}
}
}
}
13:36:54.346496 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent !!!-------------{
connClosed := {
connId := 8,
remName := "127.0.0.1",
remPort := 1883,
locName := "127.0.0.1",
locPort := 48955,
proto := {
tcp := { }
},
userData := 0
}
}
13:36:54.346619 USER MQTT_Test.ttcn:141(function:f_sendConnnect) MQTT Encoded: '101800044D51545404020000196D79636C69656E7469645F3130'O
13:36:54.346757 USER MQTT_Test.ttcn:142(function:f_sendConnnect) mqtt connect ---------------------------> :{
msg := {
connect_msg := {
header := {
packetType := '0001'B,
flags := '0000'B,
remLength := '00000018'O
},
nameLength := 4,
name := "MQTT",
protocol_level := 4,
flags := {
user_name_flag := '0'B,
password_flag := '0'B,
will_retain := '0'B,
will_qos := AT_MOST_ONCE_DELIVERY (0),
will_flag := '0'B,
clean_session := '1'B,
reserved := '0'B
},
keep_alive := 0,
payload := {
client_identifier := {
stringLength := 6509,
stringItem := "yclientid_10"
},
will_topic := omit,
will_message := omit,
user_name := omit,
password := omit
}
}
}
}
13:36:54.348942 USER MQTT_Test.ttcn:160(function:f_sendConnnect) ---------------Unexpected ASPEvent !!!-------------{
connClosed := {
connId := 9,
remName := "127.0.0.1",
remPort := 1883,
locName := "127.0.0.1",
locPort := 57620,
proto := {
tcp := { }
},
userData := 0
}
}
13:36:54.349002 USER MQTT_Test.ttcn:267(testcase:tc_connect) <--------------------------------------------------------END------------------------------------------------------------------------------------>
It can be seen that some CONNECT messages are met with an "Unexpected ASPEvent" which means closing the TCP connection on the broker side.
As SUT a Paho broker written in Python was used; see below the log generated on the broker console:
python3 ./paho.mqtt.testing/interoperability/startbroker.py
INFO 20170323 140800 MQTT 3.1.1 Paho Test Broker
INFO 20170323 140800 Optional behaviour, publish on pubrel: True
INFO 20170323 140800 Optional behaviour, single publish on overlapping topics: True
INFO 20170323 140800 Optional behaviour, drop QoS 0 publications to disconnected clients: True
INFO 20170323 140800 Optional behaviour, support zero length clientids: True
INFO 20170323 140800 Starting the MQTT server on port 1883
INFO 20170323 140805 Starting communications for socket 6
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.2-18] username must not be in payload if user name flag is 0
INFO 20170323 140805 [MQTT-3.1.2-20] password must not be in payload if password flag is 0
INFO 20170323 140805 in: Connects(DUP=False, QoS=0, Retain=False, ProtocolName=MQTT, ProtocolVersion=4, CleanSession=True, WillFlag=False, KeepAliveTimer=0, ClientId=myclientid_10, usernameFlag=False, passwordFlag=False)
INFO 20170323 140805 [MQTT-3.1.3-5] Clientids of 1 to 23 chars and ascii alphanumeric must be allowed
INFO 20170323 140805 [MQTT-4.1.0-1] server must store data for at least as long as the network connection lasts
INFO 20170323 140805 [MQTT-4.7.3-1] all topic names and filters must be at least 1 char
INFO 20170323 140805 [MQTT-4.7.3-3] all topic names and filters must be <= 65535 bytes long
INFO 20170323 140805 [MQTT-4.7.1-2] # must be last, and next to /
INFO 20170323 140805 [MQTT-4.7.1-3] + can be used at any complete level
INFO 20170323 140805 [MQTT-3.2.0-1] the first response to a client must be a connack
INFO 20170323 140805 out: Connacks(DUP=False, QoS=0, Retain=False, Session present=False, ReturnCode=0)
INFO 20170323 140805 Starting communications for socket 7
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-3.14.4-2] Client must not send any more packets after disconnect
INFO 20170323 140805 [MQTT-3.1.2-6] broker must discard the session data for client myclientid_10
INFO 20170323 140805 [MQTT-4.7.3-1] all topic names and filters must be at least 1 char
INFO 20170323 140805 [MQTT-4.7.3-3] all topic names and filters must be <= 65535 bytes long
INFO 20170323 140805 [MQTT-4.7.1-2] # must be last, and next to /
INFO 20170323 140805 [MQTT-4.7.1-3] + can be used at any complete level
INFO 20170323 140805 Finishing communications for socket 6
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.2-18] username must not be in payload if user name flag is 0
INFO 20170323 140805 [MQTT-3.1.2-20] password must not be in payload if password flag is 0
INFO 20170323 140805 in: Connects(DUP=False, QoS=0, Retain=False, ProtocolName=MQTT, ProtocolVersion=6, CleanSession=True, WillFlag=False, KeepAliveTimer=0, ClientId=myclientid_10, usernameFlag=False, passwordFlag=False)
ERROR 20170323 140805 [MQTT-3.1.2-2] Wrong protocol version 6
INFO 20170323 140805 out: Connacks(DUP=False, QoS=0, Retain=False, Session present=False, ReturnCode=1)
INFO 20170323 140805 [MQTT-3.2.2-5] must close connection after non-zero connack
INFO 20170323 140805 [MQTT-3.14.4-2] Client must not send any more packets after disconnect
INFO 20170323 140805 [MQTT-3.1.4-5] When rejecting connect, no more data must be processed
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-3.14.4-2] Client must not send any more packets after disconnect
INFO 20170323 140805 Finishing communications for socket 7
INFO 20170323 140805 Starting communications for socket 7
INFO 20170323 140805 Waiting for request
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack
self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 178, in readUTF
buf = buffer[2:2+length].decode("utf-8")
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xbc in position 0: invalid start byte
ERROR 20170323 140805 [MQTT-1.4.0-1] Unicode field encoding error
INFO 20170323 140805 Finishing communications for socket 7
INFO 20170323 140805 Starting communications for socket 6
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 270, in unpack
assert self.ProtocolName == "MQTT", "Wrong protocol name %s" % self.ProtocolName
AssertionError: Wrong protocol name Z
ERROR 20170323 140805 Wrong protocol name Z
INFO 20170323 140805 Finishing communications for socket 6
INFO 20170323 140805 Starting communications for socket 7
INFO 20170323 140805 Waiting for request
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack
self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF
raise MQTTException("Length delimited string too long")
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long
ERROR 20170323 140805 Length delimited string too long
INFO 20170323 140805 Finishing communications for socket 7
INFO 20170323 140805 Starting communications for socket 6
INFO 20170323 140805 Waiting for request
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack
self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF
raise MQTTException("Length delimited string too long")
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long
ERROR 20170323 140805 Length delimited string too long
INFO 20170323 140805 Finishing communications for socket 6
INFO 20170323 140805 Starting communications for socket 6
INFO 20170323 140805 Waiting for request
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 268, in unpack
self.ProtocolName = readUTF(buffer[curlen:], packlen - curlen)
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 174, in readUTF
raise MQTTException("Not enough data to read string length")
mqtt.formats.MQTTV311.MQTTException: Not enough data to read string length
ERROR 20170323 140805 Not enough data to read string length
INFO 20170323 140805 Finishing communications for socket 6
INFO 20170323 140805 Starting communications for socket 6
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 295, in unpack
self.ClientIdentifier = readUTF(buffer[curlen:], packlen - curlen)
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF
raise MQTTException("Length delimited string too long")
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long
ERROR 20170323 140805 Length delimited string too long
INFO 20170323 140805 Finishing communications for socket 6
INFO 20170323 140805 Starting communications for socket 7
INFO 20170323 140805 Waiting for request
INFO 20170323 140805 [MQTT-4.7.3-2] topic names and filters not include null
INFO 20170323 140805 [MQTT-3.1.3-3] Clientid must be present, and first field
INFO 20170323 140805 [MQTT-3.1.3-4] Clientid must be Unicode, and between 0 and 65535 bytes long
ERROR 20170323 140805 [MQTT-3.1.4-1] server must validate connect packet and close connection without connack if it does not conform
Traceback (most recent call last):
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 295, in unpack
self.ClientIdentifier = readUTF(buffer[curlen:], packlen - curlen)
File "/home/ethlel/IoT_FT/sut/paho.mqtt.testing/interoperability/mqtt/formats/MQTTV311.py", line 177, in readUTF
raise MQTTException("Length delimited string too long")
mqtt.formats.MQTTV311.MQTTException: Length delimited string too long
ERROR 20170323 140805 Length delimited string too long
INFO 20170323 140805 Finishing communications for socket 7
Our experiments went only as far as to check if errors can be triggered in the broker. We did not investigate the nature of the errors
or whether closing the TCP connection is in line with the standard or it can be considered unexpected behaviour.
The code is attached; it has to be unpacked , compiled (make) ,
the broker started ( python3 ./paho.mqtt.testing/interoperability/startbroker.py --requires Python 3.4 or higher ),
the TTCN-3 part executed (ttcn3_start ./MQTT_Test MQTT.cfg).
To compile it you will need to build Titan from scratch from github source, as the @update feature was not yet present in the last release (6.1.pl0).
Best regards
Elemer
|
|
| | | | | | | | | |
| Re: Using Titan as a fuzzing engine part 2 [message #1765325 is a reply to message #1765316] |
Thu, 08 June 2017 08:52  |
| Eclipse User |
|
|
|
Hi Elemer,
with your explanation that makes perfect sense.
As I already mentioned I decided to exclude the protocol module for positive testing completely and use only the one for negative testing.
While trying it out and observing the sent messages with Wireshark, I noticed an unexpected behavior as Wireshark was not able anymore to decode the messages correctly. After an investigation, I figured out that the remLength field is somehow incorrect. Indeed calling f_MQTT_encode(..) does adjust the length of the remLength field as described in the standard but the RAW encoding f_MQTT_enc(..) does not set the field. I was surprised by that because I assumed that this field is set automatically in the codec.
To verify that behavior I did the following:
var octetstring v_encoded_raw := f_MQTT_enc(valueof(v_conMsg)); // raw decoding without adjusting remLength
var octetstring v_encoded_01 := f_MQTT_encode(valueof(v_conMsg)); // raw decoding with adjusting remLength
var octetstring v_encoded_02 := f_adjustLength(f_calcRemLength(v_encoded_raw)); // raw decoding with calculating and adjusting remLength
// encoding logs
log(">>> Encoded RAW: ", lengthof(v_encoded_raw), " Bytes\n", v_encoded_raw, "\n");
log(">>> Encoded 001: ", lengthof(v_encoded_01), " Bytes\n", v_encoded_01, "\n");
log(">>> Encoded 002: ", lengthof(v_encoded_02), " Bytes\n", v_encoded_02, "\n");
// decoding with RAW
var MQTT_v3_1_1_Message v_decoded_raw := f_MQTT_decode(v_encoded_raw);
var MQTT_v3_1_1_Message v_decoded_01 := f_MQTT_decode(v_encoded_01);
var MQTT_v3_1_1_Message v_decoded_02 := f_MQTT_decode(v_encoded_02);
log("<<< Decoded RAW: ", v_decoded_raw.msg);
log("<<< Decoded 001: ", v_decoded_01.msg);
log("<<< Decoded 002: ", v_decoded_02.msg);
While v_encoded_raw and v_decode_raw are obviously not quite correct (as the codec uses always 4 bytes for remLength) I expected v_encoded_01 and v_decoded_01 to be correct instead the remLength was adjusted but remained 0. To achieve a correct remLength I implemented f_calcRemLength(..) (v_encoded_02) as a workaround. The following extract shows the encoding logs:
>>> Encoded RAW: 33 Bytes '100000000000044D5154540402140000106D79436C69656E745F4D5154545F4944'O
>>> Encoded 001: 30 Bytes '100000044D5154540402140000106D79436C69656E745F4D5154545F4944'O
>>> Encoded 002: 30 Bytes '101C00044D5154540402140000106D79436C69656E745F4D5154545F4944'O
As one can see the second octet which should contain the remLength is '00000000'O in the first example and '00'O after f_adjustLength(..) in the second example.
I attached RemLength_Tester.ttcn which reproduces this behavior.
Best Regards,
Alexander
|
|
| | |
| Re: Using Titan as a fuzzing engine part 2 [message #1765343 is a reply to message #1765338] |
Thu, 08 June 2017 10:55 |
| Eclipse User |
|
|
|
Hi Alexander,
the problem can be traced back to the shortcomings of the RAW codec which cannot currently
handle remLength. For the moment we will have to live with this workaround.
In the long term we will try to amend the RAW codec accordingly, if architecturally possible.
Best regards
Elemer
|
|
|
Goto Forum:
Current Time: Wed Jul 23 09:58:17 EDT 2025
Powered by FUDForum. Page generated in 0.14169 seconds |
Home