Robustness Testing of CoAP Server-side Implementations through Black-box Fuzzing Techniques

  • Bruno da S. Melo UNICAMP
  • Paulo Lício de Geus UNICAMP


This paper presents the current status of our research on the robustness of CoAP server-side implementations. We discuss the importance of the CoAP protocol as an enabler of the Internet of Things (IoT) vision, and the current state of the CoAP implementations available. We then test those implementations using fuzzing techniques previously used in the literature in areas such as Web Service and Network Protocol security testing, namely Random, Mutational and Generational Fuzzing, both "dumb" and "smart". Finally, we provide preliminary results and analysis regarding i) how robust the CoAP implementations studied are and ii) how the different fuzzing techniques used compare to each other.


MELO, Bruno da S.; GEUS, Paulo Lício de. Robustness Testing of CoAP Server-side Implementations through Black-box Fuzzing Techniques. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 533-540. DOI:

