Design and Implementation of Fuzzing Framework Based on IoT Applications
Nowadays, the most serious security problems are flaws in the implementations of network protocols. These flaws can introduce many vulnerabilities, such as ones that allow a malicious user to attack systems remotely using network protocols over the Internet. That is why developers value software security phases involving code review, risk analysis, penetration testing, and fuzzing. In fuzz testing, the main aim is to find vulnerabilities in the software or application by sending unexpected inputs to the target and then monitoring the state of the target. Many applications in Internet of Things (IoT) (http://en.wikipedia.org/wiki/Internet_of_Things) environments work with File Transfer Protocol (FTP) based applications. In this study, we present a fuzzing framework for testing network protocol implementations. It is extensible, man-in-the-middle, smart, and mostly deterministic. Our tool, like AutoFuzz (Gorbunov and Rosenbloom in AutoFuzz: automated network protocol fuzzing framework, Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6, 2010), can learn a given protocol implementation by building a finite state automaton from recorded communication traces between a client and the server. Additionally, the tool can learn the syntax of individual messages at a lower level using techniques from bioinformatics (Beddoe in Network protocol analysis using bioinformatics algorithms, http://www.4tphi.net/~awalters/PI/pi.pdf). Finally, the framework can fuzz a given server protocol specification by changing the communication traces between the server and the client. We applied it to multiple FTP server implementations and found both new and known vulnerabilities.
Keywords: Fuzzing; Fuzz-testing; Network protocol fuzzing; Fuzz testing framework on FTP; Fuzzing framework based on IoT applications
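The abstract's step of building a finite state automaton from recorded client/server traces can be sketched as follows. This is an added example, not code from the paper or from AutoFuzz; the sample FTP traces are constructed, and the function names and the choice of "last server reply code" as the state are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed FTP control-channel traces: (sender, line), "C" = client, "S" = server.
TRACES = [
    [("S", "220 Service ready"), ("C", "USER alice"), ("S", "331 Password required"),
     ("C", "PASS secret"), ("S", "230 Logged in"), ("C", "PWD"), ("S", '257 "/"'),
     ("C", "QUIT"), ("S", "221 Bye")],
    [("S", "220 Service ready"), ("C", "USER bob"), ("S", "331 Password required"),
     ("C", "PASS wrong"), ("S", "530 Login incorrect"), ("C", "QUIT"), ("S", "221 Bye")],
]

def abstract(sender, line):
    """Reduce a message to its type: command verb (client) or reply code (server)."""
    token = line.split(" ", 1)[0]
    return token.upper() if sender == "C" else token[:3]

def learn_automaton(traces):
    """Return {state: {command: set(replies)}}; the state is the last reply code.

    Assumption: each command gets exactly one single-line reply.
    """
    fsa = defaultdict(lambda: defaultdict(set))
    for trace in traces:
        state, pending = "START", None
        for sender, line in trace:
            symbol = abstract(sender, line)
            if sender == "C":
                pending = symbol
            else:
                # The server greeting has no command; model it as "<connect>".
                fsa[state][pending or "<connect>"].add(symbol)
                state, pending = symbol, None
    return {s: {c: set(n) for c, n in t.items()} for s, t in fsa.items()}

def check_trace(fsa, trace):
    """Replay a trace; return the first unseen (state, command, reply), else None."""
    state, pending = "START", None
    for sender, line in trace:
        symbol = abstract(sender, line)
        if sender == "C":
            pending = symbol
            continue
        command = pending or "<connect>"
        if symbol not in fsa.get(state, {}).get(command, set()):
            return (state, command, symbol)
        state, pending = symbol, None
    return None
```

During a test run, `check_trace` flags the first server reply that the learned model has never seen in that state, which is the point a tester would inspect.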
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2015R1A1A1A05001238).
- 1. Han, X., Wen, Q., & Zhang, Z. (2012). A mutation-based fuzz testing approach for network protocol vulnerability detection. Beijing University of Posts and Telecommunications, Beijing, 100876, China.
- 3. The ProxyFuzz Project. http://theartoffuzzing.com/.
- 6. Internet of Things (IoT). http://en.wikipedia.org/wiki/Internet_of_Things.
- 7. Beddoe, M. A. (2005). Network protocol analysis using bioinformatics algorithms. http://www.4tphi.net/~awalters/PI/pi.pdf.
- 8. Hsu, Y., Shu, G., & Lee, D. (2008). A model-based approach to security flaw detection of network protocol implementation. In IEEE ICNP.
- 9. Comparetti, P. M., Wondracek, G., Kruegel, C., & Kirda, E. (2009). Prospex: Protocol specification extraction. In Proceedings of the 2009 30th IEEE symposium on security and privacy (pp. 110–125).
- 10. Gorbunov, S., & Rosenbloom, R. (2010). AutoFuzz: Automated network protocol fuzzing framework. Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6.
- 11. SOCKS Server. http://en.wikipedia.org/wiki/SOCKS.
- 12. JAVA SOCKS Server. http://jsocks.sourceforge.net/.
- 13. Kitagawa, T., Hanaoka, M., & Kono, K. (2010). AspFuzz: A state-aware protocol fuzzer based on application-layer protocols. Department of Information and Computer Science, Keio University, 3-14-1, Yokohama, Japan.
- 14. The JAVA Swing Library. http://java.sun.com/javase/6/docs/api/javax/swing/package-summary.html.
- 15. The Java Universal Network/Graph Framework (JUNG). http://jung.sourceforge.net/.
- 17. Postel, J., & Reynolds, J. (1985). Request for Comments: 959. Network Working Group. http://www.faqs.org/rfcs/rfc959.html.
- 19. Open & Compact FTP Server. http://sourceforge.net/projects/open-ftpd/.
- 20. Wing FTP Server. http://www.wftpserver.com/.
- 21. Windows Proxifier. http://www.proxifier.com/.