Abstract
Many protocols running over the Internet are neither formalised nor formally analysed. The amount of documentation for telecommunication protocols used in real-life applications is huge, while the available analysis methods and tools require precise and clear-cut protocol clauses. A manual formalisation of the Session Initiation Protocol (SIP) used in Voice over IP (VoIP) applications is not feasible. Therefore, by combining the information retrieved from the specification documents published by the IETF with traces of real-world SIP traffic, we craft a formal specification of the protocol together with an implementation of it. In the course of our work we detected several weaknesses, both in SIP call setup and in the Asterisk implementation of the protocol. These weaknesses could be exploited and pose a threat to the authentication and non-repudiation of VoIP calls.
This research is funded by the EUX2010SEC project in the VERDIKT framework of the Norwegian Research Council. The authors would like to thank Jørn Inge Vestgaarden, Lothar Fritsch, Einar W. Høst, Svetlana Boudko, and Truls Fretland for comments on earlier drafts of this paper.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Hagalisletto, A.M., Strand, L., Leister, W., Groven, AK. (2009). Analysing Protocol Implementations. In: Bao, F., Li, H., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2009. Lecture Notes in Computer Science, vol 5451. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00843-6_16
DOI: https://doi.org/10.1007/978-3-642-00843-6_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00842-9
Online ISBN: 978-3-642-00843-6