Security testing of session initiation protocol implementations

Authors

Abstract:

The mechanisms which enable the vast majority of computer attacks are based on design and programming errors in networked applications. The growing use of voice over IP (VOIP) phone technology makes these phone applications potential targets. We present a tool to perform security testing of VOIP applications to identify security vulnerabilities which can be exploited by an attacker. Session Initiation Protocol (SIP) is the widespread standard for establishing and ending VOIP communication sessions. Our tool generates an input sequence for a SIP phone which is designed to reveal security vulnerabilities in the SIP phone application. The input sequence includes SIP messages and external graphical user interface (GUI) events which might contribute to triggering a vulnerability. The input sequence is generated to perform a random walk through the state space of the protocol. The generation of external GUI events is critical to testing a stateful protocol such as SIP because GUI interaction is required to explore a significant portion of the state space. We have used our security testing tool to identify a previously unknown vulnerability in an existing open source SIP phone.


similar resources

SIP: Session Initiation Protocol

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. Members in a session can communicate via multicast or via a mesh of unicast relations, or a combination of these. SI...


Security Mechanism Agreement for the Session Initiation Protocol (SIP)

Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Abstract This document defines new functi...


Example Call Flows Using Session Initiation Protocol (SIP) Security Mechanisms

This document shows example call flows demonstrating the use of Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail Extensions (S/MIME) in Session Initiation Protocol (SIP). It also provides information that helps implementers build interoperable SIP software. To help facilitate interoperability testing, it includes certificates used in the example call flows and processes to ...


Session Initiation Protocol

Session Initiation Protocol (SIP) is a new and emerging protocol that is used to establish and release the connection between two end systems. It is used in preference to the older H323 protocol. Both protocols provide a similar set of services but SIP is much simpler because it has fewer logical components. This paper describes the implementation of a VoIP application using SIP as the handshaki...


Session Initiation Protocol

Session Initiation Protocol, SIP, provides control-plane signaling for the IP networks. SIP enables initiating, modifying and terminating sessions for a user, while maintaining neutrality to physical media capabilities and using other protocols to negotiate these. SIP assumes that the transport layer is inherently unreliable and as such provides transport layer mechanisms. For target device disc...


Security testing of SIP implementations

The Session Initiation Protocol (SIP) is a signaling protocol for Internet telephony, multimedia conferencing and instant messaging. Although SIP implementations have not yet been widely deployed, the product portfolio is expanding rapidly. We describe a method to assess the robustness of SIP implementation by describing a tool to find vulnerabilities. We prepared the test material and carried ...




Journal title

volume 1 issue 2

pages 91-103

publication date 2009-07-25
