Browse > Article
http://dx.doi.org/10.13089/JKIISC.2007.17.2.51

A Design and Implementation of ROAD(RPC Object vulnerability Automatic Detector)  

Yang, Jin-Seok (National Security Research Institute)
Kim, Tae-Ghyoon (National Security Research Institute)
Kim, Hyoung-Chun (National Security Research Institute)
Hong, Soon-Jwa (National Security Research Institute)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.17, no.2, 2007 , pp. 51-59 More about this Journal
Abstract
Software testing is the process of analyzing a software item to detect the differences between existing and required conditions and to evaluate the features of the software item. A traditional testing focuses on proper functionality, not security testing. Fuzzing is a one of many software testing techniques and security testing. Fuzzing methodology has advantage that low-cost, efficiency and so on. But fuzzing has defects such as intervening experts. Also, if there is no specification, fuzzing is impossible. ROAD Tool is automated testing tool for RPC(Remote Procedure Call) based protocol and software without specification. Existing tools are semi-automated. Therefore we must modify these tools. In this paper, we design and implement ROAD tool. Also we verify utility in testing results.
Keywords
Software testing; Fuzzing; Fuzzer; RPC; Windows XP SP2; Vulnerability;
Citations & Related Records
연도 인용수 순위
  • Reference
1 Dave Aitel, 'An Introduction to SPIKE, the Fuzzer Creation Kit', immunity inc. white paper, Jan. 2004
2 IEEE Standard 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology
3 Greg hoglund, SMUDGE: protocol fault injector in python, http://www.rootkit.com/newsread.php?newsid=113, Apr. 2004
4 John P. Devale, Philip J. Koopman, David J. Guttendorf, 'The Ballista Software Robustness Testing Service,' Testing Computer Software Conference, Nov. 1999
5 Dave Aitel, 'Advanced Windows Exploitation,' immunity inc. white paper, May 2003
6 Onestat 닷컴 홈페이지, 'Microsoft's Windows dominates the OS market on the web according to OneStat.com', Onestat 닷컴, 2006년 8월
7 원격 데스크톱 프로토콜의 취약점으로 인한 서비스 거부 문제점, http://www.microsoft.com/korea/technet/security/bulletin/MS05-041.mspx, 마이크로소프트, 2005년 8월
8 국가사이버안전센타, '2006년 국가정보보호백서', 2006년 5월
9 Matthew Franz, Fuzzing Tools, http://www.scadasec.net/secwiki/FuzzingTools, Nov. 2006
10 Charles Shelton, Philip Koopman and Kobey DeVale, 'Robustness Testing of the Microsoft Win32 API,' DSN2000, Jun. 25, 2000
11 Ivan Medvedev, 'Security Tools for Software Development', microsoft corp. white paper. Apr. 2005
12 빌게이츠, '마이크로소프트의 보안기술 발전에 대한 보고', 마이크로소프트, 2004년 3월
13 SMB의 잘못된 핸들 취약점, http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2374, Common Vulnerabilities and Exposures, May 2006
14 Jack Koziol, 'Fuzzers: The ultimate list,' http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html, Dec. 2005
15 Bloomer, Power Programming with RPC, O'Reilly & Associates, Feb. 1992
16 인쇄스풀러 서비스의 취약점으로 인한 원격 코드 실행 문제점, http://www.microsoft.com/korea/technet/security/bulletin/MS05-043.mspx, 마이크로소프트, 2005년 8월