Title :
Using Attack Injection to Discover New Vulnerabilities
Author :
Neves, Nuno ; Antunes, João ; Correia, Miguel ; Veríssimo, Paulo ; Neves, Rui
Author_Institution :
Fac. de Ciencias, Univ. de Lisboa, Lisbon
Abstract :
Due to our increasing reliance on computer systems, security incidents and their causes are important problems that need to be addressed. To contribute to this objective, the paper describes a new tool for the discovery of security vulnerabilities on network connected servers. The AJECT tool uses a specification of the server's communication protocol to automatically generate a large number of attacks according to some predefined test classes. Then, while it performs these attacks through the network, it monitors the behavior of the server both from a client perspective and inside the target machine. The observation of an incorrect behavior indicates a successful attack and the potential existence of a vulnerability. To demonstrate the usefulness of this approach, a considerable number of experiments were carried out with several IMAP servers. The results show that AJECT can discover several kinds of vulnerabilities, including a previously unknown vulnerability.
Keywords :
client-server systems; computer network reliability; telecommunication security; transport protocols; AJECT tool; attack injection; network connected servers; security vulnerability discovery; server communication protocol; Application software; Automatic testing; Communication system security; Computer bugs; Computer security; Network servers; Protocols; Software quality; Software testing; Time to market;
Conference_Title :
Dependable Systems and Networks, 2006. DSN 2006. International Conference on
Conference_Location :
Philadelphia, PA
Print_ISBN :
0-7695-2607-1
DOI :
10.1109/DSN.2006.72