Skip to main content
SpringerLink
Log in

Design and Implementation of Fuzzing Framework Based on IoT Applications

  • Published:
Wireless Personal Communications Aims and scope Submit manuscript

Abstract

Nowadays the most serious security problems are imperfection in the implementations of network protocols. This imperfection can bring a lot of vulnerabilities such as could allow malicious user to attack the systems remotely using the network protocols over the internet. That is why developers value software security phases involving review of code, risk analysis, testing with penetration, and Fuzzing. In case of Fuzz testing, the main aim is to find vulnerabilities in the software/application by sending inputs which are not expected to the target. Then they monitor the situation of the target. Many applications in Internet of things (IoT) (http://en.wikipedia.org/wiki/Internet_of_Things) environments are working with File Transfer Protocol (FTP) based applications. In this study, we present a fuzzing framework, which is applied to test network protocol implementations. It is extendable, man-in-the-middle, smart, and mostly deterministic. Our tool, like AutoFuzz (Gorbunov and Rosenbloom in AutoFuzz: automated network protocol fuzzing framework, Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6, 2010), has the ability to learn a given protocol implementation by building a finite state automaton from records of communication traces between a client and the server. Additionally, this tool has the ability to learn syntax of individual messages at a lower level using the techniques of bioinformatics (Beddoe in Network protocol analysis using bioinformatics algorithms, http://www.4tphi.net/~awalters/PI/pi.pdf). At last, this framework can fuzz a given server protocol specification by changing the communication traces between the server and client. We applied it to multiple implementations of FTP server, with result of finding new and known vulnerabilities.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12

Similar content being viewed by others

References

  1. Han, X., Wen, Q., & Zhang, Z. (2012). A mutation-based fuzz testing approach for network protocol vulnerability detection. Beijing University of Posts and Telecommunications, Beijing, 100876, China.

  2. Takanen, A., DeMott, J., & Miller, C. (2008). Fuzzing for software security testing and quality assurance. Norwood, MA: Artech House Inc.

    MATH  Google Scholar 

  3. The ProxyFuzz Project. http://theartoffuzzing.com/.

  4. http://en.wikipedia.org/wiki/UTF-8.

  5. http://en.wikipedia.org/wiki/File_Transfer_Protocol.

  6. Internet of Things (IoT). http://en.wikipedia.org/wiki/Internet_of_Things.

  7. Beddoe, M. A. (2005). Network protocol analysis using bioinformatics algorithms. http://www.4tphi.net/~awalters/PI/pi.pdf.

  8. Hsu, Y., Shu, G., & Lee, D. (2008). A model-based approach to security flaw detection of network protocol implementation. In IEEE ICNP.

  9. Comparetti, P. M., Wondracek, G., Kruegel, C., & Kirda, E. (2009). Prospex: Protocol specification extraction. In Proceedings of the 2009 30th IEEE symposium on security and privacy (pp.110–125).

  10. Gorbunov, S., & Rosenbloom, R. (2010). AutoFuzz: Automated network protocol fuzzing framework. Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6.

  11. SOCKS Server http://en.wikipedia.org/wiki/SOCKS.

  12. JAVA SOCKS Server. http://jsocks.sourceforge.net/.

  13. Kitagawa, T., Hanaoka, M., & Kono, K. (2010). AspFuzz: A state-aware protocol fuzzer based on application-layer protocols. Department of Information and Computer Science, Keio University, 3-14-1, Yokohama, Japan.

  14. The JAVA Swing Library. http://java.sun.com/javase/6/docs/api/javax/swing/package-summary.html.

  15. The Java Universal Network/Graph Framework (JUNG). http://jung.sourceforge.net/.

  16. Needleman, S. B., & Wunsch, C. D. (1970). A general method applicable to the search for similarities in the amino acid sequence of two proteins. Journal of Molecular Biology, 48, 444–453.

    Article  Google Scholar 

  17. Postel, J., & Reynolds, J. (1985). Request for Comments: 959. Network Working Group. http://www.faqs.org/rfcs/rfc959.html.

  18. https://wiki.filezilla-project.org/Character_Set.

  19. Open & Compact FTP Server. http://sourceforge.net/projects/open-ftpd/.

  20. Wing FTP Server. http://www.wftpserver.com/.

  21. Windows Proxifier. http://www.proxifier.com/.

Download references

Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2015R1A1A1A05001238).

Author information

Authors and Affiliations

  1. Ajou University, Yeongtong-gu, Suwon-City, Gyeonggi-do, 443-749, South Korea

    Tewodros Legesse Munea & Taeshik Shon

  2. Department of Computer Science, Purdue University, West Lafayette, IA, 47907, USA

    I. Luk Kim

Authors
  1. Tewodros Legesse Munea
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. I. Luk Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Taeshik Shon
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Taeshik Shon.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Munea, T.L., Luk Kim, I. & Shon, T. Design and Implementation of Fuzzing Framework Based on IoT Applications. Wireless Pers Commun 93, 365–382 (2017). https://doi.org/10.1007/s11277-016-3322-9

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11277-016-3322-9

Keywords

Search

Navigation