ISSTA2025
MQueez: Specification-Driven Fuzzing for MQTT Broker (Registered Report)
Xinpeng Liu, Qinying Wang, Peiyu Liu, Wenhai Wang, Shouling Ji
Cited by 1
Abstract
Recently, the MQTT protocol, favored for its lightweight nature, has emerged as a preferred choice for IoT communications. However, MQTT brokers—the critical components responsible for message routing—are vulnerable to memory corruption, posing significant security risks. Although several fuzzers have been proposed to uncover memory corruption in brokers, their effectiveness is constrained by two fundamental limitations. First, existing fuzzers struggle to satisfy MQTT's complex constraints when generating valid test cases. Second, the protocol's extensive field variations across different packets complicate the mutation process, as existing black-box fuzzers cannot prioritize high-risk fields, leading to blind mutations.