Issue No.03 - May/June (2010 vol.36)
pp: 357-370
João Antunes , University of Lisboa, Lisboa
Nuno Neves , University of Lisboa, Lisboa
Miguel Correia , University of Lisboa, Lisboa
Paulo Verissimo , University of Lisboa, Lisboa
Rui Neves , Technical University of Lisbon, Lisboa
ABSTRACT
The increasing reliance placed on networked computer systems demands higher levels of dependability. This is even more relevant as new threats and forms of attack are constantly being revealed, compromising the security of systems. This paper addresses this problem by presenting an attack injection methodology for the automatic discovery of vulnerabilities in software components. The proposed methodology, implemented in AJECT, follows an approach similar to the one hackers and security analysts use to discover vulnerabilities in network-connected servers. AJECT uses a specification of the server's communication protocol and predefined test case generation algorithms to automatically create a large number of attacks. Then, while it injects these attacks through the network, it monitors the execution of the server in the target system and the responses returned to the clients. The observation of an unexpected behavior suggests the presence of a vulnerability that was triggered by some particular attack (or group of attacks). This attack can then be used to reproduce the anomaly and to assist in removing the error. To assess the usefulness of this approach, several attack injection campaigns were performed with 16 publicly available POP and IMAP servers. The results show that AJECT could effectively be used to locate vulnerabilities, even on well-known servers tested throughout the years.
INDEX TERMS
Testing and debugging, software engineering, test design, testing tools, experimental evaluation, fault injection, attack injection.
CITATION
João Antunes, Nuno Neves, Miguel Correia, Paulo Verissimo, Rui Neves, "Vulnerability Discovery with Attack Injection", IEEE Transactions on Software Engineering, vol.36, no. 3, pp. 357-370, May/June 2010, doi:10.1109/TSE.2009.91