http://dx.doi.org/10.3837/tiis.2013.08.014

RPFuzzer: A Framework for Discovering Router Protocols Vulnerabilities Based on Fuzzing  

Wang, Zhiqiang (State Key Laboratory of Integrated Services Networks, Xidian University)
Zhang, Yuqing (State Key Laboratory of Integrated Services Networks, Xidian University)
Liu, Qixu (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), v.7, no.8, 2013, pp. 1989-2009
Abstract
Discovering router vulnerabilities effectively and automatically is a critical problem for network and information security. Previous research on router security has mostly concerned techniques for exploiting known flaws in routers. Fuzzing is a well-known automated vulnerability-finding technique; however, traditional fuzzing tools are designed for testing network applications or other software, and are unsuitable, or only partly suitable, for testing routers. This paper designs a framework for discovering router protocol vulnerabilities and proposes a mathematical model, the Two-stage Fuzzing Test Cases Generator (TFTCG), which improves on previous methods for generating test cases. We have developed a tool called RPFuzzer based on TFTCG. RPFuzzer monitors routers by sending normal packets, watching CPU utilization and checking system logs, which allows it to detect denial of service, router reboots and similar failures. RPFuzzer's debugger is based on a modified Dynamips and can record register values when an exception occurs. Finally, we experiment on the SNMP protocol and find 8 vulnerabilities, five of which were previously undisclosed. The experiment demonstrates the effectiveness of RPFuzzer.
Keywords
router security; fuzzing; TFTCG; protocol vulnerability discovering;