AMQP Standard Validation and Testing

This is a Master's thesis from KTH/School of Electrical Engineering and Computer Science (EECS)

Author: Peter Caprioli; [2020]


Abstract: As large-scale applications (such as the Internet of Things) become more common, the need to scale applications over multiple physical servers increases. One way of doing so is by utilizing middleware, a technique that breaks down a larger application into specific parts that each can run independently. Different middleware solutions use different protocols and models. One such solution, AMQP (the Advanced Message Queueing Protocol), has become one of the most used middleware protocols as of late, and multiple open-source implementations of both the server and client side exist. In this thesis, a security and compatibility analysis of the wire-level protocol is performed against five popular AMQP libraries. Compatibility towards the official AMQP specification and variances between different implementations are investigated. Multiple differences between libraries and the formal AMQP specification were found. Many of these differences are the same in all of the tested libraries, suggesting that they were developed using empirical development rather than following the specification. While these differences were found to be subtle and generally do not pose any critical security, safety or stability risks, it was also shown that in some circumstances, it is possible to use these differences to perform a data injection attack, allowing an adversary to arbitrarily modify some aspects of the protocol. The protocol testing is performed using a software tester, AMQPTester. The tester is released alongside the thesis and allows for easy decoding/encoding of the protocol. Until the release of this thesis, no other dedicated AMQP testing tools existed. As such, future research will be made significantly easier.
