
Wireless Personal Communications, Volume 93, Issue 2, pp 365–382

Design and Implementation of Fuzzing Framework Based on IoT Applications

  • Tewodros Legesse Munea
  • I. Luk Kim
  • Taeshik Shon
Article

Abstract

Nowadays, the most serious security problems are imperfections in the implementations of network protocols. These imperfections can introduce many vulnerabilities, such as ones that allow a malicious user to attack systems remotely using the network protocols over the internet. That is why developers value software security phases involving code review, risk analysis, penetration testing, and fuzzing. In fuzz testing, the main aim is to find vulnerabilities in the software/application by sending unexpected inputs to the target and then monitoring the state of the target. Many applications in Internet of Things (IoT) (http://en.wikipedia.org/wiki/Internet_of_Things) environments work with File Transfer Protocol (FTP) based applications. In this study, we present a fuzzing framework for testing network protocol implementations. It is extendable, man-in-the-middle, smart, and mostly deterministic. Our tool, like AutoFuzz (Gorbunov and Rosenbloom in AutoFuzz: automated network protocol fuzzing framework, Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6, 2010), can learn a given protocol implementation by building a finite state automaton from recorded communication traces between a client and the server. Additionally, the tool can learn the syntax of individual messages at a lower level using techniques from bioinformatics (Beddoe in Network protocol analysis using bioinformatics algorithms, http://www.4tphi.net/~awalters/PI/pi.pdf). Finally, the framework can fuzz a given server protocol specification by changing the communication traces between the server and client. We applied it to multiple FTP server implementations and found both new and known vulnerabilities.
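The trace-learning step described in the abstract can be illustrated with a small sketch. This is an added example, not code from the paper or from AutoFuzz: it builds a finite state automaton from FTP control-channel traces and reports the transitions of a new session that the learned model has never seen. The traces are constructed, and using the last reply code as the state is a simplifying assumption.

```python
from collections import defaultdict

# Constructed FTP control-channel traces (not from the paper).
# Each entry is (direction, line): "C" = client to server, "S" = server to client.
TRACES = [
    [("S", "220 Service ready"), ("C", "USER alice"), ("S", "331 Need password"),
     ("C", "PASS secret1"), ("S", "230 Logged in"), ("C", "PWD"),
     ("S", '257 "/" is current directory'), ("C", "QUIT"), ("S", "221 Bye")],
    [("S", "220 Service ready"), ("C", "USER bob"), ("S", "331 Need password"),
     ("C", "PASS wrong"), ("S", "530 Login incorrect"), ("C", "QUIT"),
     ("S", "221 Bye")],
]

def steps(trace):
    """Yield (state, command, reply) triples; the state is the previous reply code."""
    state, pending = "INIT", "CONNECT"  # the greeting answers the TCP connect
    for direction, line in trace:
        if direction == "C":
            pending = line.split(" ", 1)[0].upper()  # message type = command verb
        elif line[3:4] != "-":  # skip continuation lines of multi-line replies
            reply = line[:3]    # message type = 3-digit reply code
            yield state, pending, reply
            state = reply

def learn_fsa(traces):
    """Return {state: {command: set(replies)}} learned from recorded traces."""
    fsa = defaultdict(lambda: defaultdict(set))
    for trace in traces:
        for state, cmd, reply in steps(trace):
            fsa[state][cmd].add(reply)
    return fsa

def unseen_transitions(fsa, trace):
    """List the (state, command, reply) steps of a trace absent from the model."""
    return [(s, c, r) for s, c, r in steps(trace)
            if r not in fsa.get(s, {}).get(c, ())]

# Constructed session containing a command (DELE) the training traces lack.
PROBE = [("S", "220 Service ready"), ("C", "USER carol"), ("S", "331 Need password"),
         ("C", "PASS pw"), ("S", "230-Welcome"), ("S", "230 Logged in"),
         ("C", "DELE a.txt"), ("S", "250 Deleted"), ("C", "QUIT"), ("S", "221 Bye")]

if __name__ == "__main__":
    model = learn_fsa(TRACES)
    print(unseen_transitions(model, PROBE))
```

Transitions missing from the model mark the parts of the protocol state space that the recorded traffic did not cover.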

Keywords

Fuzzing Fuzz-testing Network protocol fuzzing Fuzz testing framework on FTP Fuzzing framework based on IoT applications 

Notes

Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2015R1A1A1A05001238).

References

  1. Han, X., Wen, Q., & Zhang, Z. (2012). A mutation-based fuzz testing approach for network protocol vulnerability detection. Beijing University of Posts and Telecommunications, Beijing, 100876, China.
  2. Takanen, A., DeMott, J., & Miller, C. (2008). Fuzzing for software security testing and quality assurance. Norwood, MA: Artech House Inc.
  3. The ProxyFuzz Project. http://theartoffuzzing.com/.
  4.
  5.
  6.
  7. Beddoe, M. A. (2005). Network protocol analysis using bioinformatics algorithms. http://www.4tphi.net/~awalters/PI/pi.pdf.
  8. Hsu, Y., Shu, G., & Lee, D. (2008). A model-based approach to security flaw detection of network protocol implementation. In IEEE ICNP.
  9. Comparetti, P. M., Wondracek, G., Kruegel, C., & Kirda, E. (2009). Prospex: Protocol specification extraction. In Proceedings of the 2009 30th IEEE symposium on security and privacy (pp. 110–125).
  10. Gorbunov, S., & Rosenbloom, R. (2010). AutoFuzz: Automated network protocol fuzzing framework. Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6.
  11.
  12. JAVA SOCKS Server. http://jsocks.sourceforge.net/.
  13. Kitagawa, T., Hanaoka, M., & Kono, K. (2010). AspFuzz: A state-aware protocol fuzzer based on application-layer protocols. Department of Information and Computer Science, Keio University, 3-14-1, Yokohama, Japan.
  14.
  15. The Java Universal Network/Graph Framework (JUNG). http://jung.sourceforge.net/.
  16. Needleman, S. B., & Wunsch, C. D. (1970). A general method applicable to the search for similarities in the amino acid sequence of two proteins. Journal of Molecular Biology, 48, 444–453.
  17. Postel, J., & Reynolds, J. (1985). Request for Comments: 959. Network Working Group. http://www.faqs.org/rfcs/rfc959.html.
  18.
  19. Open & Compact FTP Server. http://sourceforge.net/projects/open-ftpd/.
  20. Wing FTP Server. http://www.wftpserver.com/.
  21. Windows Proxifier. http://www.proxifier.com/.

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Tewodros Legesse Munea (1)
  • I. Luk Kim (2)
  • Taeshik Shon (1)

  1. Ajou University, Suwon-City, South Korea
  2. Department of Computer Science, Purdue University, West Lafayette, USA
