AspFuzz: A state-aware protocol fuzzer based on application-layer protocols

Takahisa Kitagawa, Miyuki Hanaoka, Kenji Kono

Research output: Chapter in Book/Report/Conference proceedingConference contribution

13 Citations (Scopus)

Abstract

In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most of the previously reported attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. It then sends the generated messages in both anomalous orders and correct orders. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers.

Original languageEnglish
Title of host publicationIEEE Symposium on Computers and Communications, ISCC 2010
Pages202-208
Number of pages7
DOIs
Publication statusPublished - 2010 Sep 17
Event15th IEEE Symposium on Computers and Communications, ISCC 2010 - Riccione, Italy
Duration: 2010 Jun 222010 Jun 25

Publication series

NameProceedings - IEEE Symposium on Computers and Communications
ISSN (Print)1530-1346

Other

Other15th IEEE Symposium on Computers and Communications, ISCC 2010
CountryItaly
CityRiccione
Period10/6/2210/6/25

    Fingerprint

Keywords

  • Fuzzing
  • Software vulnerability testing

ASJC Scopus subject areas

  • Software
  • Signal Processing
  • Mathematics(all)
  • Computer Science Applications
  • Computer Networks and Communications

Cite this

Kitagawa, T., Hanaoka, M., & Kono, K. (2010). AspFuzz: A state-aware protocol fuzzer based on application-layer protocols. In IEEE Symposium on Computers and Communications, ISCC 2010 (pp. 202-208). [5546704] (Proceedings - IEEE Symposium on Computers and Communications). https://doi.org/10.1109/ISCC.2010.5546704