-
- KITAGAWA Takahisa
- Keio University
-
- HANAOKA Miyuki
- Keio University
-
- KONO Kenji
- Keio University CREST, Japan Science and Technology Agency
この論文をさがす
抄録
In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers. Two vulnerabilities among these can be discovered by the state-awareness of AspFuzz. It can also find a SIP state-related vulnerability.
収録刊行物
-
- IEICE Transactions on Information and Systems
-
IEICE Transactions on Information and Systems E94-D (5), 1008-1017, 2011
一般社団法人 電子情報通信学会
- Tweet
詳細情報 詳細情報について
-
- CRID
- 1390001204379887104
-
- NII論文ID
- 10029507015
-
- NII書誌ID
- AA10826272
-
- ISSN
- 17451361
- 09168532
-
- 本文言語コード
- en
-
- データソース種別
-
- JaLC
- Crossref
- CiNii Articles
-
- 抄録ライセンスフラグ
- 使用不可