1. Technical Field
The present invention relates generally to a system and method for fuzzing a network application program and, more particularly, to a system and method that, when conducting fuzz testing on a network application program, perform fuzzing by using a captured packet and injecting a random value into the packet during its transmission.
2. Description of the Related Art
Fuzzing denotes a technique for searching for security vulnerabilities in software by repeatedly inputting random data to the software and causing systematic failures in it.
A fuzzing technique is based on fault injection that transmits various input values to an analysis target system so as to detect security vulnerabilities.
The principal advantages of such a fuzzing technique are improved simplicity, efficiency, automation, and speed in the procedure for detecting security vulnerabilities, and the technique can be usefully applied to testing a plurality of applications.
When a network application program is fuzzed, such conventional technology requires analysis of the protocols of the packets exchanged between a client and a server, and requires a separate program to be produced based on that protocol analysis. Since this procedure requires a lot of manpower and time, the manpower and time are regarded as costs required for fuzzing. Further, where no detailed analysis documents exist for the protocols of the network application programs to be fuzzed, the analysis of protocols and the production of programs incur much higher costs.
As related prior art, Korean Patent Application Publication No. 10-2008-0043209 has been disclosed. In this technology, a socket Application Programming Interface (API) hooking function is inserted into a network program running on a Microsoft (MS) Windows operating system via Dynamic Link Library injection (hereinafter referred to as “DLL injection”). The network program thereby intercepts a packet that is transmitted to or received from a counterpart network program using a socket API function, fabricates the corresponding packet or deforms it into an abnormal packet by adding various fuzzing data sets to the data of the packet, and transmits the abnormal packet, thus performing network fuzzing on unknown protocols as well as universal protocols.
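The mutation step that both the technical field and the related art above rely on, overwriting part of a captured packet with random values without any knowledge of the protocol, is sketched below as an added example; it is not code from this patent or from the cited publication. The names `fuzz_packet`, `generate_cases`, `revert`, the `protect` parameter and the sample payload are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

# Constructed sample: a 2-byte header followed by a text command.
CAPTURED = b"\x00\x10LOGIN user=alice\r\n"

@dataclass(frozen=True)
class Mutation:
    offset: int      # where the random value was injected
    original: bytes  # bytes that were overwritten
    injected: bytes  # random bytes written in their place

def fuzz_packet(captured, seed, max_span=4, protect=0):
    """Overwrite one random span of a captured payload with random bytes.

    The payload is treated as opaque bytes, so no protocol analysis is needed.
    `protect` (hypothetical knob) keeps the first N bytes intact, e.g. a header
    the test target must accept before it parses the rest.
    Returns (mutated_payload, Mutation), or (captured, None) if nothing is mutable.
    """
    mutable = len(captured) - protect
    if mutable <= 0:
        return captured, None
    rng = random.Random(seed)  # seeded so a failing case can be replayed
    span = rng.randint(1, min(max_span, mutable))
    offset = rng.randrange(protect, len(captured) - span + 1)
    original = captured[offset:offset + span]
    injected = original
    while injected == original:  # avoid a no-op test case
        injected = bytes(rng.randrange(256) for _ in range(span))
    mutated = captured[:offset] + injected + captured[offset + span:]
    return mutated, Mutation(offset, original, injected)

def generate_cases(captured, count, base_seed=0, **kwargs):
    """Yield (seed, mutated_payload, Mutation) for `count` consecutive seeds."""
    for seed in range(base_seed, base_seed + count):
        mutated, record = fuzz_packet(captured, seed, **kwargs)
        yield seed, mutated, record

def revert(mutated, record):
    """Undo a recorded mutation, e.g. when minimising a failing input."""
    end = record.offset + len(record.injected)
    return mutated[:record.offset] + record.original + mutated[end:]

if __name__ == "__main__":
    for seed, payload, rec in generate_cases(CAPTURED, 3, protect=2):
        print(seed, rec.offset, rec.injected.hex(), payload)
```

Logging the seed with each transmitted case is what makes a failure in the test target reproducible: the same seed and captured payload always yield the same mutated packet.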