RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing

  • Wang, Zhiqiang (State Key Laboratory of Integrated Services Networks, Xidian University) ;
  • Zhang, Yuqing (State Key Laboratory of Integrated Services Networks, Xidian University) ;
  • Liu, Qixu (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences)
  • Received : 2012.12.27
  • Accepted : 2013.06.06
  • Published : 2013.08.31

Abstract

How to discover router vulnerabilities effectively and automatically is a critical problem for ensuring network and information security. Previous research on router security has mostly concerned techniques for exploiting known flaws in routers. Fuzzing is a well-known automated vulnerability-finding technique; however, traditional fuzzing tools are designed for testing network applications or other software, and are unsuitable, or only partly suitable, for testing routers. This paper designs a framework for discovering router protocol vulnerabilities and proposes a mathematical model, the Two-stage Fuzzing Test Cases Generator (TFTCG), that improves on previous methods for generating test cases. We have developed a tool called RPFuzzer based on TFTCG. RPFuzzer monitors routers by sending normal packets, watching CPU utilization and checking system logs, which allows it to detect DoS, router reboots and similar failures. RPFuzzer's debugger is based on a modified Dynamips and can record register values when an exception occurs. Finally, we experiment on the SNMP protocol and find 8 vulnerabilities, of which five were previously unreleased. The experiment demonstrates the effectiveness of RPFuzzer.
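The abstract describes the monitoring side of RPFuzzer: after each test case the target is probed with normal packets, CPU utilization is watched, and system logs are checked so that a DoS or a reboot can be attributed to the test case that caused it. The following Python is an added illustration of that target-health classification and is not the paper's code: it assumes each probe yields a sysUpTime-style counter (None when the router does not answer), an optional CPU percentage, and any new log lines, and it classifies the sequence into events. The probe results, thresholds and log wording below are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One probe is taken after each fuzz test case. In RPFuzzer the probe is a
# normal protocol packet; here the result is a constructed record.
@dataclass
class ProbeResult:
    uptime_ticks: Optional[int]            # sysUpTime in 1/100 s; None = no reply
    cpu_percent: Optional[int] = None      # CPU utilization reported by the device
    log_lines: List[str] = field(default_factory=list)  # new syslog lines since last probe

# Log patterns that indicate a crash or restart. Wording is constructed to
# resemble router syslog messages; adapt to the real device's format.
CRASH_PATTERNS = [
    re.compile(r"%SYS-\d-RESTART", re.I),
    re.compile(r"System returned to ROM by", re.I),
    re.compile(r"Unexpected exception", re.I),
]

def classify_run(results: List[ProbeResult],
                 cpu_threshold: int = 90,
                 silence_limit: int = 3) -> List[Tuple[int, str]]:
    """Walk the probe sequence and return (probe_index, event) pairs.

    Events:
      dos        - silence_limit consecutive probes got no reply
      recovered  - first reply after a dos condition
      reboot     - the uptime counter went backwards (device restarted)
      cpu_high   - reported CPU utilization reached cpu_threshold
      log_crash  - a new log line matched a crash/restart pattern
    The probe index identifies the test case that preceded the probe, which is
    what a fuzzer needs to reproduce the failure.
    """
    events: List[Tuple[int, str]] = []
    last_uptime: Optional[int] = None
    silent = 0
    for i, r in enumerate(results):
        if r.uptime_ticks is None:
            silent += 1
            if silent == silence_limit:       # report once, not on every silent probe
                events.append((i, "dos"))
        else:
            if silent >= silence_limit:
                events.append((i, "recovered"))
            silent = 0
            # sysUpTime only decreases when the agent restarted.
            if last_uptime is not None and r.uptime_ticks < last_uptime:
                events.append((i, "reboot"))
            last_uptime = r.uptime_ticks
        if r.cpu_percent is not None and r.cpu_percent >= cpu_threshold:
            events.append((i, "cpu_high"))
        if any(p.search(line) for line in r.log_lines for p in CRASH_PATTERNS):
            events.append((i, "log_crash"))
    return events

# Constructed run: a CPU spike, three unanswered probes, then the router comes
# back with a reset uptime counter and a restart message in its log.
SAMPLE_RUN = [
    ProbeResult(500000, 12),
    ProbeResult(500600, 95),
    ProbeResult(None),
    ProbeResult(None),
    ProbeResult(None),
    ProbeResult(1200, 30, ["%SYS-5-RESTART: System restarted (constructed sample)"]),
]

def demo() -> List[Tuple[int, str]]:
    return classify_run(SAMPLE_RUN)

if __name__ == "__main__":
    for idx, ev in demo():
        print(f"test case {idx}: {ev}")
```

Reporting the DoS once when the silence limit is reached, rather than on every unanswered probe, keeps the event list aligned with test cases; the reboot event is derived from the uptime counter going backwards, which is independent of whether the log message was captured.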
