Automated Security Test Approach for SIP based VoIP Softphones

Abstract

Robustness of applications used for Voice over Internet Protocol based systems against attacks is a critical part to secure such systems. Automatic security testing is required to detect security vulnera- bilities in an efficient way. This enables to harden the applications early during the development phase. In the paper we present a fuzzer framework to detect security vulnerabilities in Voice over IP (VoIP) Softphones which implement Session Initiation Protocol (SIP). The pre- sented approach automates the Graphical User Interface (GUI) interaction for softphones during fuzzing and also observes the behavior of the softphone GUIs to automatically detect application errors. Results of testing two open source softphones by using our fuzzer showed that various unknown vulnerabilities could be identified with the implemented fuzzer and some vulnerabilities were found that are only detectable by using GUI observation.

Publication
Talk: The Second International Conference on Advances in System Testing and Validation Lifecycle, Nice, France; 08-22-2010 - 08-27-2010; in: “Proceedings of The Second International Conference on Advances in System Testing and Validation Lifecycle”, IEEE Computer Society Press, (2010), ISBN: 978-0-7695-4146-4; 114 - 119
Thomas Grechenig
Thomas Grechenig
Ao.Univ.Prof. Dipl.-Ing. Dr.techn.