AspFuzz

A state-aware protocol fuzzer based on application-layer protocols

Takahisa Kitagawa, Miyuki Hanaoka, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Citations (Scopus)

Abstract

In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most of the previously reported attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. It then sends the generated messages in both anomalous orders and correct orders. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers.

Original language: English
Title of host publication: Proceedings - IEEE Symposium on Computers and Communications
Pages: 202-208
Number of pages: 7
DOIs: https://doi.org/10.1109/ISCC.2010.5546704
Publication status: Published - 2010
Event: 15th IEEE Symposium on Computers and Communications, ISCC 2010 - Riccione, Italy
Duration: 2010 Jun 22 to 2010 Jun 25

Other

Other: 15th IEEE Symposium on Computers and Communications, ISCC 2010
Country: Italy
City: Riccione
Period: 10/6/22 to 10/6/25

Keywords

  • Fuzzing
  • Software vulnerability testing

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Software
  • Mathematics(all)
  • Signal Processing

Cite this

Kitagawa, T., Hanaoka, M., & Kono, K. (2010). AspFuzz: A state-aware protocol fuzzer based on application-layer protocols. In Proceedings - IEEE Symposium on Computers and Communications (pp. 202-208). [5546704] https://doi.org/10.1109/ISCC.2010.5546704

@inproceedings{7bba319ebdb748bd8485a2098424f13c,
title = "AspFuzz: A state-aware protocol fuzzer based on application-layer protocols",
abstract = "In the face of constant malicious attacks to network-connected software systems, software vulnerabilities need to be discovered early in the development phase. In this paper, we present AspFuzz, a state-aware protocol fuzzer based on the specifications of application-layer protocols. AspFuzz automatically generates anomalous messages that exploit possible vulnerabilities. The key observation behind AspFuzz is that most of the previously reported attack messages violate the strict specifications of application-layer protocols. For example, they do not conform to the rigid format or syntax required of each message. In addition, some attack messages ignore the protocol states and have incorrect orders of messages. AspFuzz automatically generates a large number of anomalous messages that deliberately violate the specifications of application-layer protocols. It then sends the generated messages in both anomalous orders and correct orders. To demonstrate the effectiveness of AspFuzz, we conducted experiments with POP3 and HTTP servers. With AspFuzz, we can discover 20 reported and 1 previously unknown vulnerabilities for POP3 servers and 25 reported vulnerabilities for HTTP servers.",
keywords = "Fuzzing, Software vulnerability testing",
author = "Takahisa Kitagawa and Miyuki Hanaoka and Kenji Kono",
year = "2010",
doi = "10.1109/ISCC.2010.5546704",
language = "English",
isbn = "9781424477555",
pages = "202--208",
booktitle = "Proceedings - IEEE Symposium on Computers and Communications",

}