Security testing of session initiation protocol implementations

The mechanisms which enable the vast majority of computer attacks are based on design and programming errors in networked applications. The growing use of voice over IP (VOIP) phone technology makes these phone applications potential targets. We present a tool to perform security testing of VOIP applications in order to identify security vulnerabilities which could be exploited by an attacker. Session Initiation Protocol (SIP) is the widely used standard for establishing and ending VOIP communication sessions. Our tool generates an input sequence for a SIP phone which is designed to reveal security vulnerabilities in the SIP phone application. The input sequence includes SIP messages and external graphical user interface (GUI) events which might contribute to triggering a vulnerability. The input sequence is generated so as to perform a random walk through the state space of the protocol. The generation of external GUI events is critical to testing a stateful protocol such as SIP because GUI interaction is required to explore a significant portion of the state space. We have used our security testing tool to identify a previously unknown vulnerability in an existing open source SIP phone.
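As an added illustration (not the paper's tool), the following Python sketch shows how a random walk over a simplified SIP phone state model interleaves SIP messages with GUI events, and why the GUI events matter for coverage: the state model, event names and helper functions are assumptions constructed for this example, not the model of any real phone.

```python
import random

# Constructed, simplified state model of the SIP phone under test (UAS side),
# loosely following the RFC 3261 call flow; it is an assumption for this
# example, not the model of any real phone. Each transition is keyed by
# (kind, name): kind "sip" is a message the tester sends to the phone,
# kind "gui" is a user-interface action the tester injects.
SIP_PHONE_MODEL = {
    "idle":        {("sip", "INVITE"): "ringing",
                    ("sip", "OPTIONS"): "idle"},
    "ringing":     {("gui", "click_answer"): "established",
                    ("gui", "click_reject"): "idle",
                    ("sip", "CANCEL"): "idle"},
    "established": {("sip", "BYE"): "idle",
                    ("sip", "re-INVITE"): "established",
                    ("gui", "click_hold"): "held",
                    ("gui", "click_hangup"): "idle"},
    "held":        {("gui", "click_resume"): "established",
                    ("sip", "BYE"): "idle"},
}

def random_walk(model, start, steps, seed, allow_gui=True):
    """Generate one test input sequence by a seeded random walk over the model.
    Returns (sequence, visited): sequence is a list of (state, event) pairs to
    replay against the phone; the seed makes a crash-inducing walk reproducible."""
    rng = random.Random(seed)
    state, seq, visited = start, [], {start}
    for _ in range(steps):
        choices = [ev for ev in model[state] if allow_gui or ev[0] == "sip"]
        if not choices:
            break  # dead end: the phone waits on a GUI action we cannot send
        ev = rng.choice(choices)
        seq.append((state, ev))
        state = model[state][ev]
        visited.add(state)
    return seq, visited

def reachable(model, start, allow_gui=True):
    """Exhaustive reachability: the upper bound on what any walk can cover,
    used to quantify how much of the state space needs GUI events."""
    seen, stack = set(), [start]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(nxt for (kind, _), nxt in model[s].items()
                     if allow_gui or kind == "sip")
    return seen
```

With this model, SIP messages alone reach only the idle and ringing states; the established and held states, where BYE and re-INVITE handling lives, are only reachable once the walk can inject GUI events.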