Conference papers

Protection of systems against fuzzing attacks

Léopold Ouairy 1 Hélène Le Bouder 2, 3 Jean-Louis Lanet 1
1 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique, IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
2 OCIF - Objets communicants pour l'Internet du futur
IMT Atlantique - IMT Atlantique Bretagne-Pays de la Loire, IRISA-D2 - RÉSEAUX, TÉLÉCOMMUNICATION ET SERVICES
Abstract: A fuzzing attack enables an attacker to gain access to restricted resources by exploiting an incorrect implementation of a specification. A fuzzing attack consists of sending commands with parameters outside their specified range. This study aims at protecting Java Card applets against such attacks. To do this, we detect unexpected behavior of the application prior to deployment, without any knowledge of its specification. Our approach is not based on a fuzzing technique. It relies on a static analysis method and uses an unsupervised machine-learning algorithm on source code. For this purpose, we have designed a front-end tool, fetchVuln, that helps the developer to detect wrong implementations. It relies on a back-end tool, Chucky-ng, which we have adapted for Java. In order to validate the approach, we have designed a mutant applet generator based on LittleDarwin. The tool chain has successfully detected the expected missing checks in the mutant applets. We then evaluate the tool chain by analyzing five applets which implement the OpenPGP specification. Our tool has discovered both vulnerabilities and optimization problems. These points are then explained and corrected.

https://hal.inria.fr/hal-01976753
Contributor: Léopold Ouairy
Submitted on: Thursday, January 10, 2019 - 11:43:03 AM
Last modification on: Wednesday, August 5, 2020 - 3:45:41 AM

File

paper_32 (1).pdf
Files produced by the author(s)

Citation

Léopold Ouairy, Hélène Le Bouder, Jean-Louis Lanet. Protection of systems against fuzzing attacks. FPS 2018 - 11th International Symposium on Foundations & Practice of Security, Nov 2018, Montréal, Canada. p.156-172, ⟨10.1007/978-3-030-18419-3_11⟩. ⟨hal-01976753⟩
