Tanganelli / CoAPthon

CoAPthon is a Python library for the CoAP protocol, aligned with the RFC
MIT License

[Potential] Security Vulnerabilities within CoAPthon #109

Open bsmelo opened 6 years ago

bsmelo commented 6 years ago

Hello developers of CoAPthon,

My name is Bruno, and I'm an MSc. student in Brazil within the Institute of Computing from the University of Campinas. As part of my research on the application of fuzzing techniques for robustness and security black-box testing of CoAP implementations, I've tested your library. The sample used in my research was compiled from distribution/commit b6983fb @ 2017-07-06. The application used to test it was coapserver.py.

I'm contacting you because the application mentioned above was one of the samples for which our tool was able to detect robustness and/or security issues. In a broad sense, every failure we found can actually be classified as a security vulnerability, because they impact availability --- the application either aborts or needs forceful restart in order to restore servicing CoAP requests. However, we didn't go as far as performing a thorough root-cause analysis for those failures, since it would be unfeasible for us (more than 100 failures were detected across 25 samples, each one using a different CoAP library, spanning 8 programming languages) and thus out-of-scope of this particular research.

We think that one of our main contributions is the opportunity to make a real-world impact on IoT security by reporting those failures to CoAP libraries' maintainers, with a comprehensible and easy way to replicate them so developers can further investigate and fix those failures. So, in order to follow up with a responsible disclosure process, we ask for a proper e-mail address (or any other form of contact) so we can send you:

- A script to reproduce the failures;
- A pcap file used by the script, containing the packets causing the failures;
- A logfile with the stacktraces we got for each reported failure.

We expect a reply anytime soon. Please let us know which form of contact we should use --- or if it's ok to use this channel.

Thanks & Regards, Bruno Melo.

Tanganelli commented 6 years ago

Hi Bruno, it is totally fine to use GitHub. I already know that there are some unhandled exceptions in the coap server, and everything could be fixed by adding a simple try - catch to the main loop. However, if you find some other issues, please let me know.

BR, Giacomo


bsmelo commented 6 years ago

Hello,

They are probably related to those unhandled exceptions, but it's better if you check and prioritize it yourself, knowing the library better and all.

We found 6 failures on this sample --- actually 7, but we couldn't reproduce 1 of them, maybe due to a race condition or something like that; if you want, we can still send the stacktrace of that extra failure for further analysis though. You can find the script [1], the pcapng file [2] and the logfile [3] in this message.

The script uses Scapy [4] to read the packets from the pcapng file as well as sending them, which unfortunately requires sudo to send packets in the network. Although sudo for this is ugly (imho), you can still easily inspect the very small and simple script.

Please let us know if you were able to reproduce it and/or if further support is needed for that.

[1] http://www.students.ic.unicamp.br/~ra163122/fc4801616186fb5b766c7373bac1aa82b6ee30848eb089be2414e4859179b07e.py
[2] http://www.students.ic.unicamp.br/~ra163122/fc4801616186fb5b766c7373bac1aa82b6ee30848eb089be2414e4859179b07e.pcapng
[3] http://www.students.ic.unicamp.br/~ra163122/fc4801616186fb5b766c7373bac1aa82b6ee30848eb089be2414e4859179b07e.log
[4] https://github.com/secdev/scapy/
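The failure mode this thread is about (the reporter's "the application either aborts or needs forceful restart", and the maintainer's "a simple try - catch to the main loop"), shown as an added example that is not CoAPthon's code and does not use the reporter's pcapng. It carries a small parser for the fixed CoAP header and token from RFC 7252 section 3, a service loop written the fragile way, and the same loop with a per-request guard that answers a malformed message with an empty RST as the RFC asks. The four datagrams at the bottom are constructed for this example; the names `naive_serve` and `hardened_serve` and the Message ID counter are this example's own choices.

```python
"""Added example (not CoAPthon code): why one unhandled exception on a
malformed datagram is an availability bug, and the per-request guard
that keeps the service loop alive.  The parser covers only the fixed
CoAP header and token from RFC 7252 section 3; the datagrams at the
bottom are constructed for this example, not taken from the pcapng."""
import struct

CON, NON, ACK, RST = 0, 1, 2, 3
CODE_CONTENT = 0x45          # 2.05 Content: class 2 in the top 3 bits, detail 5


class CoapParseError(ValueError):
    """Raised for any message-format error instead of a bare IndexError/struct.error."""


def parse_coap_header(datagram: bytes) -> dict:
    """Parse version, type, token length, code, Message ID and token.

    Every malformed input ends in CoapParseError, so a caller can decide what
    to do rather than having an unexpected exception type unwind its loop.
    """
    if len(datagram) < 4:
        raise CoapParseError("datagram shorter than the 4-byte fixed header")
    first, code, msg_id = struct.unpack("!BBH", datagram[:4])
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1:
        raise CoapParseError(f"unsupported version {version}")
    if tkl > 8:
        # RFC 7252: token lengths 9..15 are reserved and MUST be treated as a
        # message format error.
        raise CoapParseError(f"reserved token length {tkl}")
    if len(datagram) < 4 + tkl:
        raise CoapParseError("token truncated")
    return {"type": msg_type, "tkl": tkl, "code": code, "msg_id": msg_id,
            "token": datagram[4:4 + tkl]}


def naive_serve(datagrams):
    """The fragile pattern: no error handling per request.

    The first malformed datagram raises out of the loop; in a real server that
    means the process (or its receive thread) is gone until someone restarts it.
    """
    served = []
    for dg in datagrams:
        hdr = parse_coap_header(dg)
        served.append(hdr["msg_id"])
    return served


def hardened_serve(datagrams, log=None):
    """Same loop with a guard around each request; returns the wire responses."""
    log = [] if log is None else log
    responses = []
    next_mid = 0x8000                        # Message ID counter for NON responses
    for dg in datagrams:
        try:
            hdr = parse_coap_header(dg)
        except CoapParseError as exc:
            log.append(f"rejected: {exc}")
            if len(dg) >= 4:
                # Enough bytes to echo the Message ID: reject with an empty RST
                # (RFC 7252 sections 4.2 and 4.3); otherwise drop silently.
                responses.append(bytes([0x40 | (RST << 4), 0]) + dg[2:4])
            continue
        except Exception as exc:             # last resort: log and keep serving
            log.append(f"unexpected {type(exc).__name__}: {exc}")
            continue
        if not 1 <= hdr["code"] <= 4:        # only GET/POST/PUT/DELETE are served here
            log.append(f"ignored non-request code {hdr['code']:#04x}")
            continue
        if hdr["type"] == CON:               # piggybacked ACK carries the response
            rtype, mid = ACK, hdr["msg_id"]
        else:                                # NON request: NON response, fresh Message ID
            rtype, mid = NON, next_mid
            next_mid += 1
        first = 0x40 | (rtype << 4) | hdr["tkl"]
        responses.append(struct.pack("!BBH", first, CODE_CONTENT, mid) + hdr["token"])
    return responses


# Constructed datagrams (not from the reporter's pcapng).
VALID_CON = b"\x42\x01\x12\x34\xab\xcd\xb5hello"   # CON GET, token ab cd, Uri-Path "hello"
BAD_TKL = b"\x4f\x01\x00\x01"                        # token length 15: reserved value
TRUNCATED = b"\x42"                                  # one byte, no complete header
VALID_NON = b"\x52\x01\x00\x02\x01\x02"              # NON GET, token 01 02
DATAGRAMS = [VALID_CON, BAD_TKL, TRUNCATED, VALID_NON]

if __name__ == "__main__":
    try:
        naive_serve(DATAGRAMS)
    except CoapParseError as exc:
        print("naive loop died on datagram 2:", exc)
    log = []
    for r in hardened_serve(DATAGRAMS, log):
        print("response:", r.hex())
    print("\n".join(log))
```

Running it shows the naive loop stopping at the second datagram while the guarded loop answers the two valid requests, sends an RST for the reserved token length and drops the one-byte datagram, which is the behaviour a replayed crash pcap should produce once the main loop is guarded.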