Automated Security Test Approach for SIP based VoIP Softphones

Abstract

The robustness of applications used in Voice over Internet Protocol based systems against attacks is critical to securing such systems. Automatic security testing is required to detect security vulnerabilities efficiently, which allows applications to be hardened early in the development phase. In this paper we present a fuzzer framework to detect security vulnerabilities in Voice over IP (VoIP) softphones that implement the Session Initiation Protocol (SIP). The presented approach automates Graphical User Interface (GUI) interaction with softphones during fuzzing and also observes the behavior of the softphone GUIs to detect application errors automatically. Results of testing two open source softphones with our fuzzer showed that various unknown vulnerabilities could be identified with the implemented fuzzer, and that some vulnerabilities were found that are only detectable by using GUI observation.

Publication
Talk: The Second International Conference on Advances in System Testing and Validation Lifecycle, Nice, France; 08-22-2010 - 08-27-2010; in: “Proceedings of The Second International Conference on Advances in System Testing and Validation Lifecycle”, IEEE Computer Society Press, (2010), ISBN: 978-0-7695-4146-4; 114 - 119
Christian Schanes
Projektass. Dipl.-Ing. Dr.techn.
Thomas Grechenig
Ao.Univ.Prof. Dipl.-Ing. Dr.techn.