Protection of systems against fuzzing attacks - Archive ouverte HAL Access content directly
Conference Papers Year :

Protection of systems against fuzzing attacks

Protection des systèmes face aux attaques par fuzzing

(1) , (2, 3) , (1)
1
2
3

Abstract

A fuzzing attack enables an attacker to gain access to restricted resources by exploiting a wrong specification implementation. Fuzzing attack consists in sending commands with parameters out of their specification range. This study aims at protecting Java Card applets against such attacks. To do this, we detect prior to deployment an unexpected behavior of the application without any knowledge of its specification. Our approach is not based on a fuzzing technique. It relies on a static analysis method and uses an unsupervised machine-learning algorithm on source codes. For this purpose, we have designed a front end tool fetchVuln that helps the developer to detect wrong implementations. It relies on a back end tool Chucky-ng which we have adapted for Java. In order to validate the approach, we have designed a mutant applet generator based on LittleDar-win. The tool chain has successfully detected the expected missing checks in the mutant applets. We evaluate then the tool chain by analyzing five applets which implement the OpenPGP specification. Our tool has discovered both vulnerabil-ities and optimization problems. These points are then explained and corrected.
Fichier principal
Vignette du fichier
paper_32 (1).pdf (1.11 Mo) Télécharger le fichier
Origin : Files produced by the author(s)
Loading...

Dates and versions

hal-01976753 , version 1 (10-01-2019)

Identifiers

Cite

Léopold Ouairy, Hélène Le Bouder, Jean-Louis Lanet. Protection of systems against fuzzing attacks. FPS 2018 - 11th International Symposium on Foundations & Practice of Security, Nov 2018, Montréal, Canada. p.156-172, ⟨10.1007/978-3-030-18419-3_11⟩. ⟨hal-01976753⟩
206 View
325 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More