Abstract
Vulnerabilities in network protocol software have been problematic since Internet infrastructure was deployed. These vulnerabilities damage the reliability of network software and create security holes in the computing environment. Many critical security vulnerabilities exist in application network services whose specifications or descriptions have not been published. In this paper, we propose a security assessment methodology based on fault injection techniques to improve the reliability of application network services that have no published specifications. We also implement a security testing tool based on the proposed methodology. Windows RPC network services are chosen as the application network service because their protocol specification is unknown, and they are validated using the methodology. It turns out that the tool detects unknown vulnerabilities in the Windows network module.
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Kang, H., Lee, D.H. (2007). Security Assessment for Application Network Services Using Fault Injection. In: Yang, C.C., et al. Intelligence and Security Informatics. PAISI 2007. Lecture Notes in Computer Science, vol 4430. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71549-8_15
DOI: https://doi.org/10.1007/978-3-540-71549-8_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-71548-1
Online ISBN: 978-3-540-71549-8
eBook Packages: Computer Science (R0)