DICOM-Fuzzer: Research on DICOM Vulnerability Mining Based on Fuzzing Technology

  • Zhiqiang Wang
  • Quanqi Li
  • Qian Liu
  • Biao Liu
  • Jianyi Zhang
  • Tao Yang
  • Qixu Liu
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 312)


In recent years, medical equipment and related information systems have become increasingly mobile, networked, and intelligent. At the same time, security incidents caused by medical equipment emerge in an endless stream, posing a huge threat to users' information security and causing serious harm. Most medical devices use open source protocol libraries, which brings great security risks to the digitalization and informatization of medical devices. Therefore, in the face of growing security threats and challenges, it is urgent to study the security of medical equipment. This paper studies vulnerability mining for DICOM, the most commonly used communication standard for high-performance medical devices, and proposes a vulnerability mining model based on fuzzing technology. The model constructs a vulnerability mining environment by simulating a PACS system, and a prototype system, DICOM-Fuzzer, was implemented. The system includes initialization, test case generation, and other modules, and can perform large-scale automated testing and exception monitoring. Three different versions of the open source library were then selected and tested, respectively, with the 1000 generated test cases. It was found that when the received file data was greater than 7080 lines, an overflow would occur, resulting in a denial of service of the system. Finally, security suggestions and repair measures are put forward, and future research is described.





This research was financially supported by the National Key Research and Development Plan (2018YFB1004101), the Key Lab of Information Network Security, Ministry of Public Security (C19614), the Special Fund on Education and Teaching Reform of Besti (jy201805), the Fundamental Research Funds for the Central Universities (328201804, 328201910), and the Key Laboratory of Network Assessment Technology of the Institute of Information Engineering, Chinese Academy of Sciences.



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020

Authors and Affiliations

  1. Beijing Electronic Science and Technology Institute, Beijing, China
  2. State Information Center, Beijing, China
  3. Key Lab of Information Network Security, Ministry of Public Security, Shanghai, China
  4. Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
