Brute Force Vulnerability Testing Technology Based on Data Mutation

Protocol plays a profound role among networked computers in security issues. With the development of computer network engineering, protocol has become increasingly intricate in both data format and interaction behavior, which means that more potential defects exist in protocol software implementations. These factors make protocol vulnerable to malicious attacks and raise the security requirements to an ever high level. After over ten-year progress, however, the vulnerability testing methods have not been unified to an agreement. Especially, the problems in automated test cases generation remain to be solved. This paper proposes a novel brute force vulnerability testing technique, generating test data by mutating captured protocol messages. And to formalize the perturbing process, regular expression is introduced into the approach for constructing test case templates. In addition, a multi-protocol test tool called PVD is developed to implement the test system architecture. Finally, the authors carry on a complete vulnerability testing campaign on Asterisk 1.4 SIP (Session Initiation Protocol) server, as the result, finding a number of protocol defects and achieving fairly efficient test results.