In the face of constant malicious attacks on network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers. Two of these vulnerabilities can be discovered by the state-awareness of AspFuzz. It can also find a SIP state-related vulnerability.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Takahisa KITAGAWA, Miyuki HANAOKA, Kenji KONO, "A State-Aware Protocol Fuzzer Based on Application-Layer Protocols" in IEICE TRANSACTIONS on Information, vol. E94-D, no. 5, pp. 1008-1017, May 2011, doi: 10.1587/transinf.E94.D.1008.
Abstract: In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers. Two vulnerabilities among these can be discovered by the state-awareness of AspFuzz. It can also find a SIP state-related vulnerability.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E94.D.1008/_p
@ARTICLE{e94-d_5_1008,
author={Takahisa KITAGAWA and Miyuki HANAOKA and Kenji KONO},
journal={IEICE TRANSACTIONS on Information},
title={A State-Aware Protocol Fuzzer Based on Application-Layer Protocols},
year={2011},
volume={E94-D},
number={5},
pages={1008-1017},
abstract={In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers. Two vulnerabilities among these can be discovered by the state-awareness of AspFuzz. It can also find a SIP state-related vulnerability.},
keywords={},
doi={10.1587/transinf.E94.D.1008},
ISSN={1745-1361},
month={May},}
TY - JOUR
TI - A State-Aware Protocol Fuzzer Based on Application-Layer Protocols
T2 - IEICE TRANSACTIONS on Information
SP - 1008
EP - 1017
AU - Takahisa KITAGAWA
AU - Miyuki HANAOKA
AU - Kenji KONO
PY - 2011
DO - 10.1587/transinf.E94.D.1008
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E94-D
IS - 5
JA - IEICE TRANSACTIONS on Information
Y1 - May 2011
AB - In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers. Two vulnerabilities among these can be discovered by the state-awareness of AspFuzz. It can also find a SIP state-related vulnerability.
ER -