The present invention relates to automated generation of attacks for security analysis of hardware and software.
Computerized communication, whether it occurs at the application level or at the network level, generally involves the exchange of data or messages in a known, structured format (a “protocol”). Software applications and hardware devices that rely on these formats can be vulnerable to various attacks that are generally known as “protocol abuse.” Protocol abuse consists of sending messages that are invalid or malformed with respect to a particular protocol (“protocol anomalies”) or sending messages that are well-formed but inappropriate based on a system's state. Messages whose purpose is to attack a system are commonly known as malicious network traffic.
Various systems have been developed that identify or detect attacks when they occur. This functionality, which is known as intrusion detection, can be implemented by a system that is either passive or active. A passive intrusion detection system (IDS) will merely detect an attack, while an active IDS will attempt to thwart the attack. Note that an IDS reacts to an actual attack. While an IDS might be able to detect an attack, it does not change the fact that an attack has occurred and might have damaged the underlying system.
A proactive solution to the attack problem is to analyze a system ahead of time to discover or identify any vulnerabilities. This way, the vulnerabilities can be addressed before the system is deployed or released to customers. This process, which is known as “security analysis,” can be performed using various methodologies. One methodology for analyzing the security of a device-under-analysis (DUA) is to treat the DUA as a black box. Under this methodology, the DUA is analyzed via the interfaces that it presents to the outside world. As a result, it is not necessary to access the source code or object code comprising the DUA.
For example, a security analyzer sends one or more messages (test messages) to the DUA, and the DUA's response is observed. A response can include, for example, registering an error or generating a message (response message). The DUA can then send the response message to the security analyzer. Depending on the analysis being performed, the security analyzer might send another test message to the DUA upon receiving the response message from the DUA. The test messages and response messages can be analyzed to determine whether the DUA operated correctly.
Some protocols involve a series of message exchanges between two endpoints (e.g., a client and a server). Ideally, an endpoint would receive a first message from another endpoint, process the first message correctly, and transmit a proper second message to the other endpoint. In order to analyze whether one endpoint (the DUA) is operating correctly, the other endpoint is modified to process the first message incorrectly and/or transmit an improper second message to the DUA. This testing method requires the other endpoint to be completely re-implemented, which takes a long time to prototype and test.