
Research On Security Vulnerability Discovering Based On Fuzzing And Related Attack & Defense Techniques

Posted on: 2016-07-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Q Wang
Full Text: PDF
GTID: 1108330482453188
Subject: Information security
Abstract/Summary:
A security vulnerability is a flaw or deficiency introduced into an information system during its design, implementation, operation or maintenance that an attacker can use to break the system's security policy without authorization. Vulnerabilities are the lifeline of security research and the essential problem of network attack and defense. With the rapid development and integration of mobile communication and Internet technologies, information leakage, financial loss and other harm caused by security vulnerabilities are becoming increasingly serious, and how to find potential vulnerabilities, how to fix them and how to strengthen preventive measures have become active research fields. This dissertation studies protocol vulnerability discovery and related security techniques for systems and applications from a security vulnerability perspective. Its main content is summarized as follows.

The first part: First, a complete protocol vulnerability discovering system based on the Fuzzing technique is designed. It describes the procedures and methods for finding protocol vulnerabilities, including investigating known vulnerabilities and tested targets, test case generation, testing, monitoring, debugging, bug analysis and vulnerability exploitation, vulnerability reporting, vulnerability fixing and so on, and provides theoretical guidance and a methodology for the study and analysis of protocol vulnerability discovery. Second, to address the problems of current all-purpose protocol Fuzzing frameworks, including single, single-dimension test case construction strategies and missing or unused monitors and debuggers, a general protocol vulnerability discovering framework called GPVDF is developed on the basis of this system, and an algorithm called GTFTCG (General Three-stage Fuzzing Test Case Generator) is proposed for constructing test cases and testing targets. Compared with related work, the algorithm combines manual analysis, generation and mutation into a multi-dimension strategy for constructing test cases, which remedies the deficiencies of single, single-dimension strategies. Furthermore, knowledge gained by manually analyzing RFC documents and known vulnerabilities is supplied to test case construction before a test. During the test, a module that calculates the checksums of test cases is used, which greatly improves the acceptance ratio and validity of the test cases. Meanwhile, manual analysis and testing are adopted, which can detect some vulnerabilities that the Fuzzing technique alone cannot find. In addition, a public malformed-data database is designed to provide a source of malformed data for constructing test cases for protocols or file formats.

The second part: To solve the problems in router security research, including single, single-dimension test case construction strategies, missing or unused monitors and debuggers, poor versatility and high test cost, a system architecture based on GPVD is designed for discovering protocol vulnerabilities in network devices and applications, and a tool called GRPFuzzer (General Router Protocol Fuzzer) is developed to test router systems and applications. First, historical knowledge is gathered by investigating the target protocols and their related vulnerabilities; test cases are then constructed with the GTFTCG algorithm and the targets are tested. Second, during testing, network devices such as routers are simulated with Dynamips, which reduces hardware costs significantly. Third, abnormal behaviors of routers and applications are detected in a variety of ways, including sending data packets and monitoring CPU utilization and logs, which can detect denial-of-service vulnerabilities, router reboots, zombie processes and so on, and improves the detection rate.
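As an added illustration of the three-stage construction idea behind GTFTCG and of the checksum module described in the first part (this is example code written for this page, not code from the dissertation, GPVDF or GRPFuzzer), the following Python builds test cases for a hypothetical length-prefixed message format with a trailing checksum. Stage 1 supplies seeds and boundary values that stand in for what manual analysis of a specification and of past bugs would yield, stage 2 generates cases field by field, and stage 3 mutates whole messages at the byte level; a checksum module then repairs the trailer so that the target's integrity check does not discard a malformed case before the parsing code under test ever sees it. The message layout, the checksum algorithm and every field value are assumptions constructed for the example.

```python
import random
import struct
from itertools import product
from typing import List, Optional

# Hypothetical message layout, constructed for this example (not a real protocol):
#   version(1) | type(1) | payload_len(2, big-endian) | payload | checksum(2)
# The trailer is an Internet-style 16-bit one's-complement checksum of everything before it.
HEADER = struct.Struct("!BBH")


def checksum16(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071 style) of data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build(version: int, mtype: int, payload: bytes, length: Optional[int] = None) -> bytes:
    """Assemble a message; 'length' may deliberately disagree with len(payload)."""
    if length is None:
        length = len(payload)
    body = HEADER.pack(version & 0xFF, mtype & 0xFF, length & 0xFFFF) + payload
    return body + struct.pack("!H", checksum16(body))


def fix_checksum(msg: bytes) -> bytes:
    """Checksum module: recompute the trailer after mutation, so the target does not
    drop the case at its integrity check before the parsing code under test runs."""
    body = msg[:-2]
    return body + struct.pack("!H", checksum16(body))


def checksum_ok(msg: bytes) -> bool:
    """What a well-behaved target checks first: the trailer matches the body."""
    return len(msg) >= HEADER.size + 2 and struct.unpack("!H", msg[-2:])[0] == checksum16(msg[:-2])


def tamper(msg: bytes, i: int = HEADER.size) -> bytes:
    """Flip one payload bit without repairing the trailer: exactly what the integrity check rejects."""
    m = bytearray(msg)
    m[i] ^= 0x01
    return bytes(m)


# Stage 1: knowledge that manual analysis of the (hypothetical) spec and of past bugs would
# provide: boundary values per field and a couple of valid seed messages.
KNOWLEDGE = {
    "version": [1, 0, 0xFF],
    "type": [0x01, 0x02, 0x7F, 0x80],
    "payload": [b"", b"A", b"A" * 255, b"A" * 256, b"\x00" * 8, b"\xff" * 16],
}


def stage1_seeds() -> List[bytes]:
    return [build(1, 1, b"hello"), build(1, 2, b"\x00\x10ping")]


def stage2_generate() -> List[bytes]:
    """Field-wise generation: every combination of interesting values, each also with a
    length field that disagrees with the payload (a classic source of parser bugs)."""
    cases = []
    for v, t, p in product(KNOWLEDGE["version"], KNOWLEDGE["type"], KNOWLEDGE["payload"]):
        cases.append(build(v, t, p))
        cases.append(build(v, t, p, length=len(p) + 1))  # claims one byte more than is present
        cases.append(build(v, t, p, length=0xFFFF))       # claims far more than the message holds
    return cases


def stage3_mutate(seed: bytes, rng: random.Random, rounds: int = 3) -> List[bytes]:
    """Byte-level mutation of whole messages; the checksum is repaired afterwards."""
    out = []
    for _ in range(rounds):
        m = bytearray(seed)
        i = rng.randrange(len(m) - 2)  # stay clear of the trailer; fix_checksum rewrites it
        op = rng.choice(("flip", "insert", "delete", "overwrite"))
        if op == "flip":
            m[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            m.insert(i, rng.randrange(256))
        elif op == "delete" and len(m) > HEADER.size + 2:
            del m[i]
        else:
            m[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        out.append(fix_checksum(bytes(m)))
    return out


def gtftcg_style_cases(seed: int = 0) -> List[bytes]:
    """Three-stage pipeline: seeds plus generated cases, then mutants of all of them."""
    rng = random.Random(seed)
    cases = stage1_seeds() + stage2_generate()
    for s in list(cases):
        cases.extend(stage3_mutate(s, rng))
    return cases


if __name__ == "__main__":
    cases = gtftcg_style_cases()
    print(len(cases), "cases;", sum(checksum_ok(c) for c in cases), "pass the integrity check")
```

`gtftcg_style_cases()` yields 872 cases, every one of which passes `checksum_ok`, whereas `tamper()` shows the case that a target would silently drop without the checksum module. A harness in the spirit of GRPFuzzer would send each case to an emulated or instrumented target and record, per case, whether the target answered, timed out or restarted.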
Furthermore, the debugger uses the "Dynamips GDB Debugger" and "OllyDBG" to debug routers and applications respectively, which expands the testing scope. Finally, for SNMP (Simple Network Management Protocol), a test case database is constructed by analyzing each protocol field and the known vulnerabilities. Cisco routers, Huawei routers, Wireshark and the Cola network analysis system are selected for testing, and many DoS vulnerabilities in SNMP are found.

The third part: Concerning the problems in NFC (Near Field Communication) security research, including low automation, single data construction strategies, missing or single monitors and poor portability, a system called GNFCVulFinder is developed on the basis of GPVD to discover security vulnerabilities in NFC applications. GNFCVulFinder adopts the GTFTCG algorithm to construct test cases and test targets, which optimizes the construction strategy and solves the single, single-dimension strategy problem. During data construction, reverse analysis of packets and packet sniffing are used as auxiliary means of analyzing and constructing data messages, which helps to analyze the fields of the tested protocol, verify their correctness and consistency, and improve the efficiency of test case construction. In the testing process, an NFC reader (ACR ACS 122U) is used to simulate NFC tags and process operations are used to simulate the "touch" operation, which makes the test process automatic and supports multiple operating system platforms, solving the portability problem. GNFCVulFinder monitors the tested targets by watching processes and logs through logcat/Xapspy to obtain detailed logs and exceptional status, which solves the problem of monitoring for behavioral anomalies. For the NDEF (NFC Data Exchange Format) protocol used in mobile operating systems and applications, a public NDEF test case database is constructed for testing, which can be reused to test NFC applications across a variety of platforms and saves the time and labor of test case construction. Finally, by testing smart terminal operating systems and applications such as Android and Windows Phone, many security vulnerabilities are discovered, including automatically turning on Bluetooth or Wi-Fi, crashing the NFC service, automatically turning on the torch, and message parsing errors in third-party applications. Corresponding advice and countermeasures are put forward for these vulnerabilities.

The fourth part: For the known and unknown vulnerabilities found, different ways of exploiting and fixing them are proposed, and a new attack scheme and the corresponding defense systems are designed and developed on the basis of NFC technology. For the SNMP vulnerabilities, exploit programs aimed at routers and applications are written with sockets, and corresponding fixes are proposed, including filtering special characters, limiting port speed, closing network ports and access control lists. For the NDEF vulnerabilities, three ways of exploiting them are put forward: loading the data directly in the tested NFC application, writing it into NFC tags with an NFC application, and writing it into simulated NFC tags with the libnfc library. Corresponding fixes are proposed according to the vulnerability type, such as protocol parsing, design flaw and data packet flooding. Furthermore, a new attack scheme and model for remote arbitrary code execution are proposed based on the "URL jump" vulnerability, an Android system design flaw and the "WebView" vulnerability. Against this new attack model, from the passive defense perspective, the corresponding measures are used to fix these vulnerabilities; from the active defense perspective, an active defense architecture is designed for detecting malicious URLs, and a tool based on this architecture and the SVM (Support Vector Machine) classification algorithm is developed to check URLs before the operations in NFC tags are executed, which effectively guarantees the security of near field communication.

The fifth part: Since the URL detection tool of the fourth part cannot detect malicious behaviors in Android applications, a new algorithm is proposed for detecting Android malicious behaviors. The algorithm characterizes the behavior of Android applications with system calls and control flow sequences: system calls resist obfuscation and encryption to a certain extent, and control flow sequences reduce the false positives caused by malicious behaviors that are not triggered. From known Android sample sets, a malware feature base and a threshold value are trained to detect malicious behaviors, which reduces the time and the number of comparisons and improves detection speed and efficiency; the similarity between Android applications is then compared with the NCD (Normalized Compression Distance) algorithm to detect malicious applications. Finally, a malicious behavior detection system called SCADet is built on the algorithm, and many experiments on a Huawei U8860 are carried out, which prove the effectiveness of the algorithm.
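To make the fifth part's NCD-based comparison concrete, here is an added Python example written for this page; it is not the dissertation's SCADet code. It serialises a behaviour profile consisting of a system call sequence and the control-flow edges that actually executed, computes NCD with zlib as the compressor, trains a feature base and a threshold from labelled samples (pruning near-duplicates from the base so that each query needs fewer compressions), and classifies unseen profiles by their nearest distance to the base. The call blocks, control-flow edges and sample profiles are constructed assumptions, not data from the dissertation's Huawei U8860 experiments.

```python
import random
import zlib
from typing import List, Sequence, Tuple


def ncd(a: bytes, b: bytes) -> float:
    """Normalized Compression Distance with zlib as the compressor C:
    NCD(a, b) = (C(ab) - min(C(a), C(b))) / max(C(a), C(b)); near 0 = alike, near 1 = unrelated."""
    ca, cb, cab = (len(zlib.compress(x, 9)) for x in (a, b, a + b))
    return (cab - min(ca, cb)) / max(ca, cb)


def encode_behaviour(syscalls: Sequence[str], cfg_edges: Sequence[Tuple[str, str]]) -> bytes:
    """Serialise one application's behaviour profile: the observed system-call sequence and the
    control-flow edges that actually executed (an untriggered branch contributes nothing)."""
    calls = " ".join(syscalls)
    edges = ";".join(f"{src}->{dst}" for src, dst in cfg_edges)
    return f"SYSCALLS {calls}\nCFG {edges}\n".encode()


class NcdDetector:
    """A feature base of known-malicious profiles plus a threshold trained from labelled samples."""

    def __init__(self, redundancy: float = 0.15):
        self.base: List[bytes] = []
        self.threshold = 0.0
        self.redundancy = redundancy  # a sample closer than this to the base adds nothing

    def distance(self, profile: bytes, exclude_self: bool = False) -> float:
        """Nearest-neighbour NCD to the feature base (1.0 if the base is empty)."""
        refs = [r for r in self.base if not (exclude_self and r == profile)]
        return min(ncd(profile, r) for r in refs) if refs else 1.0

    def train(self, malicious: Sequence[bytes], benign: Sequence[bytes]) -> float:
        # Keep only malicious samples that are not near-duplicates of an entry already kept:
        # fewer references means fewer compressions per query, i.e. faster detection.
        for m in malicious:
            if self.distance(m) > self.redundancy:
                self.base.append(m)
        # Threshold halfway between the largest leave-one-out nearest-neighbour distance of
        # the malicious samples and the smallest distance of any benign sample to the base.
        worst_mal = max(self.distance(m, exclude_self=True) for m in malicious)
        best_ben = min(self.distance(b) for b in benign)
        self.threshold = (worst_mal + best_ben) / 2
        return self.threshold

    def is_malicious(self, profile: bytes) -> bool:
        return self.distance(profile) <= self.threshold


# Constructed behaviour vocabularies: assumptions for this example, not data from the dissertation.
BENIGN_BLOCKS = [
    ["open", "read", "write", "close"],
    ["ioctl", "mmap", "munmap"],
    ["gettimeofday", "clock_gettime", "futex"],
    ["poll", "epoll_wait", "nanosleep"],
]
MALICIOUS_BLOCKS = [
    ["getuid", "socket", "connect", "sendto"],
    ["open", "read", "sendto", "recvfrom"],
    ["unlink", "chmod", "execve"],
    ["ptrace", "prctl", "kill"],
]
BENIGN_CFG = [("onCreate", "render"), ("render", "onPause"), ("onClick", "render")]
MALICIOUS_CFG = [("onReceive", "collect"), ("collect", "upload"), ("upload", "hide")]


def make_profile(kind: str, seed: int, n_blocks: int = 60) -> bytes:
    """Constructed sample profile of the given kind ("benign" or "malicious"), stitched from that
    kind's call blocks in a seeded random order, with two of its control-flow edges executed."""
    rng = random.Random(seed)
    blocks, edges = (BENIGN_BLOCKS, BENIGN_CFG) if kind == "benign" else (MALICIOUS_BLOCKS, MALICIOUS_CFG)
    calls = [c for _ in range(n_blocks) for c in rng.choice(blocks)]
    return encode_behaviour(calls, rng.sample(edges, 2))


def train_demo() -> NcdDetector:
    """Train on six constructed samples per class; one malicious sample is submitted twice
    to show that the redundant copy is not added to the feature base."""
    malicious = [make_profile("malicious", s) for s in range(6)]
    malicious.append(malicious[0])
    benign = [make_profile("benign", s) for s in range(6)]
    det = NcdDetector()
    det.train(malicious, benign)
    return det


if __name__ == "__main__":
    det = train_demo()
    print(f"feature base: {len(det.base)} entries, threshold {det.threshold:.2f}")
    for kind, seed in (("malicious", 100), ("benign", 101)):
        p = make_profile(kind, seed)
        verdict = "malicious" if det.is_malicious(p) else "benign"
        print(f"{kind} sample {seed}: distance {det.distance(p):.2f} -> {verdict}")
```

The threshold is calibrated leave-one-out, because a sample that is itself in the feature base would otherwise report a near-zero distance and pull the threshold down to a value that unseen samples of the same family cannot meet. NCD is only meaningful on profiles long enough for the compressor to find shared structure; on very short traces the compressor's fixed overhead dominates and all distances drift towards 1.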
Keywords/Search Tags: Security Vulnerability, Protocol Vulnerability Discovering, Fuzzing Test, Vulnerability Exploitation, Vulnerability Fixing, Behavioral Detection