Abstract

Today, flaws in the implementations of network protocols are among the most serious security problems: a single implementation defect can expose vulnerabilities that let a malicious user attack a system remotely over the Internet through the protocol itself. This is why developers value software security activities such as code review, risk analysis, penetration testing, and fuzzing. In fuzz testing, the aim is to find vulnerabilities in a piece of software by sending unexpected inputs to the target and then monitoring the target's state. Many applications in Internet of Things (IoT) environments (http://en.wikipedia.org/wiki/Internet_of_Things) are built on File Transfer Protocol (FTP) based applications. In this study, we present a fuzzing framework for testing network protocol implementations. It is extensible, operates as a man-in-the-middle between client and server, is smart (it learns the protocol rather than mutating blindly), and is mostly deterministic. Like AutoFuzz (Gorbunov and Rosenbloom, AutoFuzz: automated network protocol fuzzing framework, Department of Mathematical and Computational Sciences, University of Toronto Mississauga, Canada L5L 1C6, 2010), our tool learns a given protocol implementation by building a finite state automaton from recorded communication traces between a client and the server. In addition, it learns the syntax of individual messages at a lower level using techniques from bioinformatics (Beddoe, Network protocol analysis using bioinformatics algorithms, http://www.4tphi.net/awalters/PI/pi.pdf). Finally, the framework fuzzes a given server implementation of the protocol by modifying the communication traces exchanged between the server and the client. We applied it to multiple FTP server implementations and found both new and previously known vulnerabilities.
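The following Python block is an added illustration of the three stages the abstract describes and is not the paper's or AutoFuzz's own code: it learns a finite state automaton from recorded FTP client/server traces, infers which parts of a message are fixed syntax and which are variable by global sequence alignment (Needleman-Wunsch, the bioinformatics technique Beddoe's PI work builds on), and generates mutated messages to inject at a chosen protocol state. The traces, the state model (state = last server reply code), and the payload list are constructed for the example and are not from the paper.

```python
"""Added example (not the paper's or AutoFuzz's code): learn an FTP automaton
from traces, infer message templates by alignment, and mutate the variable
field. All traces, states and payloads below are constructed."""
from collections import defaultdict, deque

# Constructed sample traces (direction, line); not captured from a real server.
TRACES = [
    [("S", "220 Service ready"), ("C", "USER alice"), ("S", "331 Password required"),
     ("C", "PASS secret"), ("S", "230 Logged in"), ("C", "CWD /pub"), ("S", "250 OK"),
     ("C", "QUIT"), ("S", "221 Bye")],
    [("S", "220 Service ready"), ("C", "USER bob"), ("S", "331 Password required"),
     ("C", "PASS hunter2"), ("S", "230 Logged in"), ("C", "LIST"), ("S", "150 Opening"),
     ("S", "226 Done"), ("C", "QUIT"), ("S", "221 Bye")],
    [("S", "220 Service ready"), ("C", "USER carol"), ("S", "331 Password required"),
     ("C", "PASS wrong"), ("S", "530 Login incorrect"), ("C", "QUIT"), ("S", "221 Bye")],
]

# Payloads injected into the inferred variable field (hypothetical, minimal set).
PAYLOADS = [
    "A" * 1024,                   # overlong field: stack/heap overflow probe
    "%s%s%s%s%n",                 # format-string probe
    "../" * 16 + "etc/passwd",    # traversal probe for path-taking commands
    "",                           # empty field: missing-argument handling
]


def learn_automaton(traces):
    """State = last server reply code (START before the greeting). A transition
    is labelled with the client verb that provoked the reply, or "" when the
    server sent a further reply on its own (e.g. 150 followed by 226)."""
    transitions = defaultdict(set)
    for trace in traces:
        state, pending = "START", ""
        for direction, line in trace:
            if direction == "C":
                pending = line.split(" ", 1)[0].upper()
            else:
                code = line[:3]
                transitions[(state, pending)].add(code)
                state, pending = code, ""
    return dict(transitions)


def nondeterministic(automaton):
    """Transitions with more than one observed reply code: the places where a
    replayed prefix may not reproduce the recorded path ("mostly deterministic")."""
    return {k: v for k, v in automaton.items() if len(v) > 1}


def path_to(automaton, target):
    """Shortest client verb sequence driving the server from START to `target`;
    server-initiated replies ("" labels) add no verb to the path."""
    queue, seen = deque([("START", [])]), {"START"}
    while queue:
        state, path = queue.popleft()
        if state == target:
            return path
        for (src, verb), nexts in automaton.items():
            if src != state:
                continue
            for nxt in sorted(nexts):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + ([verb] if verb else [])))
    return None


def align(a, b, match=1, mismatch=-1, gap=-1):
    """Needleman-Wunsch global alignment; returns the two gapped strings."""
    n, m = len(a), len(b)
    s = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        s[i][0] = i * gap
    for j in range(1, m + 1):
        s[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = s[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            s[i][j] = max(d, s[i - 1][j] + gap, s[i][j - 1] + gap)
    i, j, ga, gb = n, m, [], []
    while i > 0 or j > 0:                       # traceback along an optimal path
        if i > 0 and j > 0 and s[i][j] == s[i - 1][j - 1] + (
                match if a[i - 1] == b[j - 1] else mismatch):
            ga.append(a[i - 1]); gb.append(b[j - 1]); i -= 1; j -= 1
        elif i > 0 and s[i][j] == s[i - 1][j] + gap:
            ga.append(a[i - 1]); gb.append("-"); i -= 1
        else:
            ga.append("-"); gb.append(b[j - 1]); j -= 1
    return "".join(reversed(ga)), "".join(reversed(gb))


def infer_template(a, b):
    """Aligned columns that agree are fixed syntax; everything else is '?'."""
    ga, gb = align(a, b)
    return "".join(x if x == y and x != "-" else "?" for x, y in zip(ga, gb))


def mutate_from_template(template):
    """Keep the fixed prefix/suffix and replace the variable span with each payload."""
    i = template.find("?")
    if i < 0:
        return [template]
    j = template.rfind("?") + 1
    return [template[:i] + p + template[j:] for p in PAYLOADS]


if __name__ == "__main__":
    auto = learn_automaton(TRACES)
    print("nondeterministic transitions:", nondeterministic(auto))
    print("prefix to reach logged-in state 230:", path_to(auto, "230"))
    tpl = infer_template("USER alice", "USER bob")
    print("inferred template:", tpl)
    for msg in mutate_from_template(tpl):
        print("fuzz case:", msg[:40] + ("..." if len(msg) > 40 else ""))
```

In a man-in-the-middle deployment the `path_to` prefix is what the fuzzer replays verbatim to bring the server into the target state before it substitutes one mutated message from `mutate_from_template` into the live exchange; the `nondeterministic` set marks transitions (here, PASS returning 230 or 530) where replay can diverge from the recorded trace and the monitor must check the reply code before injecting.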

  • Publication date: 2017-3