Title of article :
Security Testing of Session Initiation Protocol Implementations
Author/Authors :
Harris, Ian G. University of California Irvine - Department of Computer Science, USA , Alrahem, Thoulfekar University of California Irvine - Department of Computer Science, USA , Chen, Alex University of California Irvine - Department of Computer Science, USA , DiGiuseppe, Nick University of California Irvine - Department of Computer Science, USA , Jefferey Gee University of California Irvine - Department of Computer Science, USA , Hsiao, Shang-Pin University of California Irvine - Department of Computer Science, USA , Mattox, Sean University of California Irvine - Department of Computer Science, USA , Park, Taejoon University of California Irvine - Department of Computer Science, USA , Selvaraj, Saravanan University of California Irvine - Department of Computer Science, USA , Tam, Albert University of California Irvine - Department of Computer Science, USA , Carlsson, Marcel Fort Consult A/S, Denmark
From page :
91
To page :
103
Abstract :
The mechanisms which enable the vast majority of computer attacks are based on design and programming errors in networked applications. The growing use of voice over IP (VOIP) phone technology makes these phone applications potential targets. We present a tool to perform security testing of VOIP applications to identify security vulnerabilities which can be exploited by an attacker. Session Initiation Protocol (SIP) is the widespread standard for establishing and ending VOIP communication sessions. Our tool generates an input sequence for a SIP phone which is designed to reveal security vulnerabilities in the SIP phone application. The input sequence includes SIP messages and external graphical user interface (GUI) events which might contribute to triggering a vulnerability. The input sequence is generated to perform a random walk through the state space of the protocol. The generation of external GUI events is critical to testing a stateful protocol such as SIP because GUI interaction is required to explore a significant portion of the state space. We have used our security testing tool to identify a previously unknown vulnerability in an existing open source SIP phone.
Keywords :
Software Security , Voice Over IP , Protocol Fuzzing
Journal title :
ISeCure - The ISC International Journal of Information Security
Record number :
2542689