| Storing method for information is changing from traditional paper-writing intonetwork server storage along with the rapid evolution of computer science and thewide spread of Internet. Fast transport of Information and data makes the wholesociety run much more effectively. Enterprises deploy servers to store and deal withbusiness data, colleges conduct teaching and researching through multimedianetworks, and customers use different kinds of applications for social communication,all of which are commonly seen today. Behind information digitization is all thenetwork protocols acting as the supporter. These network protocols each have uniquefunctions and work together to standardize and support all the data transport andcommunication actions through Internet. When one type of network service isdeployed, the corresponding protocol is then settled at the same time.Certain vulnerability may exist in some protocols, which causes bad resultsranging from poor service quality to server collapse, or even unsafe authorization anddata loss. So it is necessary that we should conduct tests for network protocols usedby the server to discover vulnerability and defend against potential attacks.First of all this thesis sums up several common types of vulnerability, describesbehavior and features of safety vulnerabilities, and use a mature Fuzzing frame namedPeach along with scripts as an example to explain how a Fuzzing procedure isconducted. Afterwards a point of view that ready-to-use frames like Peach still hastheir shortcomings in actual use, and that currently there is no one Fuzzing toolefficient and suitable for all purpose, so design and develop tools just aiming at theresearch object itself seems more reasonable. Then an overview on general features of network protocols is given. Knowledge of HTTP, FTP and SMTP, which are verypopular and common used among all protocols, is shown up, with details such as thestructure of their package and meanings of their commands and so on. Based onFuzzing s working principles, this thesis shows up an extensible suite of Fuzzingtoolkit targeting on network protocols. By using this toolkit, a security test processplan is given, mentioning from generating Fuzzing data to monitoring the procedure,and to assess the finding vulnerability.Such process is applied in actual deployed servers and launched for testingseveral kinds of products of WEB service, FTP service, and SMTP mail service.During the test,6security vulnerabilities are discovered, including2HTTPservice-related,1SMTP service-related and3FTP service-related. Throughassessment, some vulnerability could cause that service into denial of service type, ormake the application aborted abnormally. Later, patterns of malicious data are codedinto the script and sent to the server application. This script fools the server;furthermore let attackers grab some important control authorization of the server.Result of the Fuzzing test proves the toolkit and process designed forFuzzing-based network protocol security test is practicable. |
PDF Full Text Request