Analysing Protocol Implementations

  • Anders Moen Hagalisletto
  • Lars Strand
  • Wolfgang Leister
  • Arne-Kristian Groven
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5451)

Abstract

Many protocols running over the Internet are neither formalised, nor formally analysed. The amount of documentation for tele- communication protocols used in real-life applications is huge, while the available analysis methods and tools require precise and clear-cut protocol clauses. A manual formalisation of the Session Initiation Protocol (SIP) used in Voice over IP (VoIP) applications is not feasible. Therefore, by combining the information retrieved from the specification documents published by the IETF, and traces of real world SIP traffic we craft a formal specification of the protocol in addition to an implementation of the protocol. In the course of our work we detected several weaknesses, both of SIP call setup and in the Asterisk implementation of the protocol. These weaknesses could be exploited and pose as a threat for authentication and non-repudiation of VoIP calls.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Arkko, J., Torvinen, V., Camarillo, G., Niemi, A., Haukka, T.: Security Mechanism Agreement for the Session Initiation Protocol (SIP). RFC 3329 (Proposed Standard) (January 2003)Google Scholar
  2. 2.
    Diab, W.B., Tohme, S., Bassil, C.: VPN analysis and new perspective for securing voice over VPN networks. ICNS 0, 73–78 (2008)Google Scholar
  3. 3.
    Dolev, D., Yao, A.C.-C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–207 (1983)MathSciNetCrossRefMATHGoogle Scholar
  4. 4.
    Endler, D., Collier, M.: Hacking Exposed VoIP: Voice over IP Security Secrets and Solutions. McGraw-Hill Osborne Media, New York (2006)Google Scholar
  5. 5.
    Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP Authentication: Basic and Digest Access Authentication. RFC 2617 (Draft Standard) (June 1999)Google Scholar
  6. 6.
    Geneiatakis, D., Kambourakis, G., Dagiuklas, T., Lambrinoudakis, C., Gritzalis, S.: SIP Security Mechanisms: A state-of-the-art review. In: Proceedings of the Fifth International Network Conference (INC 2005), pp. 147–155 (July 2005)Google Scholar
  7. 7.
    Gupta, P., Shmatikov, V.: Security Analysis of Voice-over-IP Protocols. In: 20th IEEE Computer Security Foundations Symposium, 2007. CSF 2007, pp. 49–63 (2007)Google Scholar
  8. 8.
    Hagalisletto, A.M.: Automated Support for the Design and Analysis of Security Protocols. PhD thesis, University of Oslo (December 2007)Google Scholar
  9. 9.
    Hagalisletto, A.M., Strand, L.: Formal modeling of authentication in SIP registration. In: Second International Conference on Emerging Security Information, Systems and Technologies SECURWARE 2008, pp. 16–21 (August 2008)Google Scholar
  10. 10.
    Kuhn, D.R., Walsh, T.J., Fries, S.: Security Consideration for Voice over IP Systems. Sp 800-58, National Institute of Standards and Technology (NIST) (January 2005)Google Scholar
  11. 11.
    Meggelen, J., Smith, J., Madsen, L.: Asterisk: The Future of Telephony. O’Reilly Media, Sebastopol (2005)Google Scholar
  12. 12.
    Persky, D.: VoIP Security Vulnerabilities. Technical report, SANS Institute (2007)Google Scholar
  13. 13.
    Porter, T.: Practical VoIP Security. Syngress (March 2006)Google Scholar
  14. 14.
    Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol. RFC 3261 (Proposed Standard), Updated by RFCs 3265, 3853, 4320, 4916 (June 2002)Google Scholar
  15. 15.
    Salsano, S., Veltri, L., Papalilo, D.: SIP security issues: The SIP authentication procedure and its processing load. IEEE Network 16, 38–44 (2002)CrossRefGoogle Scholar
  16. 16.
    Sinnreich, H., Johnston, A.B.: Internet communications using SIP: Delivering VoIP and multimedia services with Session Initiation Protocol, 2nd edn. John Wiley & Sons, Inc., New York (2006)Google Scholar
  17. 17.
    Xin, J.: Security issues and countermeasure for VoIP. Technical report, SANS Institute (2007)Google Scholar
  18. 18.
    Zhang, R., Wang, X., Yang, X., Jiang, X.: Billing Attacks on SIP-Based VoIP Systems. In: USENIX, First USENIX Workshop on Offensive Technologies (WOOT 2007) (August 2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Anders Moen Hagalisletto
    • 1
  • Lars Strand
    • 1
  • Wolfgang Leister
    • 1
  • Arne-Kristian Groven
    • 1
  1. 1.Norwegian Computing CenterNorway

Personalised recommendations