The present invention relates to automated delivery of attacks for security analysis of hardware and/or software.
Computerized communication, whether it occurs at the application level or at the network level, generally involves the exchange of data or messages in a known, structured format (a “protocol”). Software applications and hardware devices that rely on these formats can be vulnerable to various attacks that are generally known as “protocol abuse.” Protocol abuse consists of sending messages that are invalid or malformed with respect to a particular protocol (“protocol anomalies”) or sending messages that are well-formed but inappropriate based on a system's state. Messages whose purpose is to attack a system are commonly known as malicious network traffic.
One way to identify the vulnerability of a system to malicious network traffic is to analyze the system ahead of time to identify any vulnerabilities. This way, the vulnerabilities can be addressed before the system is deployed or released to customers. This process, which is known as “security analysis,” can be performed using various methodologies. One methodology for analyzing the security of a device-under-analysis (DUA) is to treat the DUA as a black box. Under this methodology, the DUA is analyzed via the interfaces that it presents to the outside world. As a result, it is not necessary to access the source code or object code comprising the DUA.
For example, a security analyzer sends one or more messages (test messages) to the DUA, and the DUA's response is observed. A response can include, for example, registering an error or generating a message (response message). The DUA can then send the response message to the security analyzer. Depending on the analysis being performed, the security analyzer might send another test message to the DUA upon receiving the response message from the DUA. The test messages and response messages can be analyzed to determine whether the DUA operated correctly.
However, in order for the test message (also referred to as an attack) to reach and be processed by the DUA, it normally must be routed to the DUA in a manner that complies with protocols supported by the DUA (and the network path to the DUA). Also, because the specification for a protocol may allow significant choice in its actual implementation, the attack may fail to reach the DUA if it does not comply with the specific protocol implementation and configuration used by the DUA (collectively known as the “protocol deployment”).
In addition, a DUA often supports multiple protocols. Each of the protocols can be designed using several protocol layers (see, e.g., the Open Systems Interconnection (OSI) Reference Model, which has seven layers). The protocols can share one or more lower-layer protocols. These structural interdependencies and relationships between protocols and their implementations dramatically increase the number of paths by which an attack can reach a DUA and also are themselves potential vulnerabilities of the DUA.
Therefore, it is important to discover the different combinations of requirements that would allow a message to successfully reach a DUA (each such combination shall be referred to as a message-delivery precondition), to test the vulnerability of the DUA by delivering attacks via these different combinations, and to identify vulnerabilities in the combinations themselves.
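As an added illustration that is not part of this specification, the following Python model shows the black-box procedure described above: a DUA's protocol deployment is expressed as layered preconditions (transport, port, TLS), the analyzer enumerates the combinations a message could travel through, records which ones actually reach the DUA, and delivers one test message via each discovered precondition. The protocol names, ports and DUA rules are constructed for this example only.

```python
"""Added example (not from the patent): enumerate message-delivery
preconditions for a constructed DUA and deliver a test message via each.
Protocol names, ports and DUA rules below are illustrative assumptions."""
from itertools import product

# Constructed analyzer option space: one choice per lower protocol layer.
OPTIONS = {
    "transport": ["udp", "tcp"],
    "port": [80, 443, 5060],
    "tls": [False, True],
}

# Constructed DUA deployment: each application protocol is reachable only
# through one lower-layer combination (its message-delivery precondition).
# HTTP and SIP share the TCP layer, so one transport choice serves two paths.
DUA_DEPLOYMENT = {
    "http": {"transport": "tcp", "port": 443, "tls": True},
    "sip": {"transport": "tcp", "port": 5060, "tls": False},
}


def reachable_protocol(envelope):
    """Return the application protocol an envelope is delivered to, or None."""
    for proto, precondition in DUA_DEPLOYMENT.items():
        if all(envelope[key] == value for key, value in precondition.items()):
            return proto
    return None


def dua_parse(protocol, payload):
    """Simulated DUA parser: reports protocol anomalies as an error response."""
    if protocol == "http" and not payload.startswith(("GET ", "POST ")):
        return "error: malformed request line"
    if protocol == "sip" and "Via:" not in payload:
        return "error: missing Via header"
    return "ok"


def discover_preconditions():
    """Black-box search of the option space for combinations reaching the DUA."""
    found = {}
    for combo in product(*OPTIONS.values()):
        envelope = dict(zip(OPTIONS, combo))
        proto = reachable_protocol(envelope)
        if proto is not None:
            found.setdefault(proto, []).append(envelope)
    return found


def deliver_test_message(payload):
    """Send one test message via every discovered precondition; map responses."""
    return {proto: [(env, dua_parse(proto, payload)) for env in envs]
            for proto, envs in discover_preconditions().items()}
```

Of the twelve layer combinations only two satisfy a precondition, and the same malformed payload produces a different DUA response on each path.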