Open bsmelo opened 6 years ago
One more thing I forgot: the application targeted during tests is at https://github.com/bsmelo/canopus/commit/4a79a8d63bea1512d03876962ba5a4805f1d7498. It's just a copy-and-paste of snippets from simple, block1 and observe so we could have it all in the same sample, for simplicity.
Hello developers of canopus,
My name is Bruno, and I'm an MSc. student in Brazil within the Institute of Computing from the University of Campinas. As part of my research on the application of fuzzing techniques for robustness and security black-box testing of CoAP implementations, I've tested your library. The sample used in my research was compiled from distribution/commit e374f5b @ 2018-02-07. The application used to test it was examples/server/server.go.

I'm contacting you because the application mentioned above was one of the samples for which our tool was able to detect robustness and/or security issues. In a broad sense, every failure we found can actually be classified as a security vulnerability, because they impact availability --- the application either aborts or needs forceful restart in order to restore servicing CoAP requests. However, we didn't go as far as performing a thorough root-cause analysis for those failures, since it would be unfeasible for us (more than 100 failures were detected across 25 samples, each one using a different CoAP library, spanning 8 programming languages) and thus out-of-scope of this particular research.
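The failure class described above (a malformed datagram aborting the server) is what a robustness harness for a CoAP parser has to rule out. The following is an added example written for this page, not canopus code and not the reporter's tool: a minimal RFC 7252 header/token/option decoder that returns an error for every structural violation instead of indexing past the buffer, plus a `SafeParse` wrapper that converts any remaining panic into a per-datagram error so one bad packet cannot take the process down. All names, error values and the sample datagrams in `main` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Message is the decoded CoAP message (RFC 7252 section 3): fixed header,
// token and payload. Options are validated but not retained here.
type Message struct {
	Version, Type, TokenLen, Code uint8
	MessageID                     uint16
	Token, Payload                []byte
}

// Sentinel errors, one per structural rule checked below (constructed names).
var (
	ErrTooShort       = errors.New("coap: shorter than the 4-byte header")
	ErrBadVersion     = errors.New("coap: version field is not 1")
	ErrBadTokenLen    = errors.New("coap: token length 9..15 is reserved")
	ErrTruncToken     = errors.New("coap: token truncated")
	ErrTruncOption    = errors.New("coap: option truncated")
	ErrReservedNibble = errors.New("coap: option delta/length nibble 15")
	ErrEmptyPayload   = errors.New("coap: payload marker with no payload")
)

// Parse decodes b and reports every malformed input as an error, never a
// panic. Each check corresponds to a "MUST be processed as a message format
// error" rule in RFC 7252.
func Parse(b []byte) (Message, error) {
	var m Message
	if len(b) < 4 {
		return m, ErrTooShort
	}
	m.Version, m.Type, m.TokenLen = b[0]>>6, (b[0]>>4)&0x3, b[0]&0xF
	m.Code, m.MessageID = b[1], uint16(b[2])<<8|uint16(b[3])
	if m.Version != 1 {
		return m, ErrBadVersion
	}
	if m.TokenLen > 8 {
		return m, ErrBadTokenLen
	}
	end := 4 + int(m.TokenLen)
	if len(b) < end {
		return m, ErrTruncToken
	}
	m.Token = append([]byte(nil), b[4:end]...)
	payload, err := walkOptions(b[end:])
	if err != nil {
		return m, err
	}
	m.Payload = append([]byte(nil), payload...)
	return m, nil
}

// walkOptions steps over the option list and returns the payload after the
// 0xFF marker. The extended delta/length encodings (nibble 13/14) are where
// parsers most often read past the end of the buffer, so every read is
// bounds-checked first.
func walkOptions(b []byte) ([]byte, error) {
	for len(b) > 0 {
		if b[0] == 0xFF { // payload marker
			if len(b) == 1 {
				return nil, ErrEmptyPayload
			}
			return b[1:], nil
		}
		delta, length := int(b[0]>>4), int(b[0]&0xF)
		b = b[1:]
		var err error
		if _, b, err = extend(delta, b); err != nil { // option number not needed here
			return nil, err
		}
		if length, b, err = extend(length, b); err != nil {
			return nil, err
		}
		if len(b) < length {
			return nil, ErrTruncOption
		}
		b = b[length:]
	}
	return nil, nil
}

// extend resolves a 4-bit delta/length nibble into its full value.
func extend(v int, b []byte) (int, []byte, error) {
	switch v {
	case 13:
		if len(b) < 1 {
			return 0, nil, ErrTruncOption
		}
		return 13 + int(b[0]), b[1:], nil
	case 14:
		if len(b) < 2 {
			return 0, nil, ErrTruncOption
		}
		return 269 + (int(b[0])<<8 | int(b[1])), b[2:], nil
	case 15:
		return 0, nil, ErrReservedNibble
	}
	return v, b, nil
}

// SafeParse is the guard a UDP handler should put around any parser: a panic
// on one datagram becomes an error for that datagram rather than an abort.
func SafeParse(b []byte) (m Message, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("coap: parser panicked: %v", r)
		}
	}()
	return Parse(b)
}

func main() {
	// Constructed datagrams: one well-formed, the rest malformed.
	for _, in := range [][]byte{
		{0x40, 0x01, 0x12, 0x34, 0xFF, 'h', 'i'}, // CON GET, payload "hi"
		{0x49, 0x01, 0x00, 0x01},                 // TKL 9: reserved
		{0x40, 0x01, 0x00, 0x01, 0xE0},           // delta nibble 14, bytes missing
	} {
		_, err := SafeParse(in)
		fmt.Printf("% x -> %v\n", in, err)
	}
}
```

Feeding this parser from a fuzz harness (Go's `testing.F`, or an external black-box fuzzer sending UDP datagrams) turns every crash into a concrete input to triage; the `SafeParse` layer is the last line of defence and not a substitute for the explicit bounds checks.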
We think that one of our main contributions is the opportunity to make a real-world impact on IoT security by reporting those failures to CoAP libraries' maintainers, with a comprehensible and easy way to replicate them so developers can further investigate and fix those failures. So, in order to follow up with a responsible disclosure process, we ask for a proper e-mail address (or any other form of contact) so we can send you:
We expect a reply anytime soon. Please let us know which form of contact we should use --- or if it's ok to use this channel.
Thanks & Regards, Bruno Melo.