Abstract
Nowadays the most serious security problems are imperfection in the implementations of network protocols. This imperfection can bring a lot of vulnerabilities such as could allow malicious user to attack the systems remotely using the network protocols over the internet. That is why developers value software security phases involving review of code, risk analysis, testing with penetration, and Fuzzing. In case of Fuzz testing, the main aim is to find vulnerabilities in the software/application by sending inputs which are not expected to the target. Then they monitor the situation of the target. Many applications in Internet of things (IoT) (http://en.wikipedia.org/wiki/Internet_of_Things) environments are working with File Transfer Protocol (FTP) based applications. In this study, we present a fuzzing framework, which is applied to test network protocol implementations. It is extendable, man-in-the-middle, smart, and mostly deterministic. Our tool, like AutoFuzz (Gorbunov and Rosenbloom in AutoFuzz: automated network protocol fuzzing framework, Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6, 2010), has the ability to learn a given protocol implementation by building a finite state automaton from records of communication traces between a client and the server. Additionally, this tool has the ability to learn syntax of individual messages at a lower level using the techniques of bioinformatics (Beddoe in Network protocol analysis using bioinformatics algorithms, http://www.4tphi.net/~awalters/PI/pi.pdf). At last, this framework can fuzz a given server protocol specification by changing the communication traces between the server and client. We applied it to multiple implementations of FTP server, with result of finding new and known vulnerabilities.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Han, X., Wen, Q., & Zhang, Z. (2012). A mutation-based fuzz testing approach for network protocol vulnerability detection. Beijing University of Posts and Telecommunications, Beijing, 100876, China.
Takanen, A., DeMott, J., & Miller, C. (2008). Fuzzing for software security testing and quality assurance. Norwood, MA: Artech House Inc.
The ProxyFuzz Project. http://theartoffuzzing.com/.
Internet of Things (IoT). http://en.wikipedia.org/wiki/Internet_of_Things.
Beddoe, M. A. (2005). Network protocol analysis using bioinformatics algorithms. http://www.4tphi.net/~awalters/PI/pi.pdf.
Hsu, Y., Shu, G., & Lee, D. (2008). A model-based approach to security flaw detection of network protocol implementation. In IEEE ICNP.
Comparetti, P. M., Wondracek, G., Kruegel, C., & Kirda, E. (2009). Prospex: Protocol specification extraction. In Proceedings of the 2009 30th IEEE symposium on security and privacy (pp.110–125).
Gorbunov, S., & Rosenbloom, R. (2010). AutoFuzz: Automated network protocol fuzzing framework. Department of Mathematical and Computation Sciences, University of Toronto Mississauga, Canada L5L 1C6.
SOCKS Server http://en.wikipedia.org/wiki/SOCKS.
JAVA SOCKS Server. http://jsocks.sourceforge.net/.
Kitagawa, T., Hanaoka, M., & Kono, K. (2010). AspFuzz: A state-aware protocol fuzzer based on application-layer protocols. Department of Information and Computer Science, Keio University, 3-14-1, Yokohama, Japan.
The JAVA Swing Library. http://java.sun.com/javase/6/docs/api/javax/swing/package-summary.html.
The Java Universal Network/Graph Framework (JUNG). http://jung.sourceforge.net/.
Needleman, S. B., & Wunsch, C. D. (1970). A general method applicable to the search for similarities in the amino acid sequence of two proteins. Journal of Molecular Biology, 48, 444–453.
Postel, J., & Reynolds, J. (1985). Request for Comments: 959. Network Working Group. http://www.faqs.org/rfcs/rfc959.html.
Open & Compact FTP Server. http://sourceforge.net/projects/open-ftpd/.
Wing FTP Server. http://www.wftpserver.com/.
Windows Proxifier. http://www.proxifier.com/.
Acknowledgments
This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2015R1A1A1A05001238).
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Munea, T.L., Luk Kim, I. & Shon, T. Design and Implementation of Fuzzing Framework Based on IoT Applications. Wireless Pers Commun 93, 365–382 (2017). https://doi.org/10.1007/s11277-016-3322-9
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-016-3322-9