Archive for Research

Heuristics for Packet Field Identification

When performing any type of protocol fuzzing, one must obtain three key pieces of information about the target protocol: structure, state and semantics. The structure of a network protocol is the format of its messages: a series of fields which, at the simplest level, are integers and strings. For a protocol with a public specification this information is easily obtained. But what is one to do when the specification is not publicly available, as with a proprietary industrial control and automation protocol? The answer is to infer the structure from captured traffic, using heuristics over a set of sample messages: bytes that never change are likely magic values or versions, integers that track the message size are likely length fields, and runs of printable bytes are likely strings.
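
The following is an added example, not code from the original post: three of the heuristics above run over a constructed capture of a made-up, hypothetical "proprietary" protocol (two-byte magic, version, opcode, 16-bit big-endian length, 16-bit sequence, NUL-terminated name). The layout is only used to build the samples; the analysis functions see nothing but raw bytes. Message contents, opcodes and names are all assumed for illustration.

```python
import struct


def build(opcode: int, seq: int, name: str) -> bytes:
    """Constructed toy message: magic, version, opcode, 16-bit big-endian
    total length, 16-bit sequence number, NUL-terminated ASCII name.
    Only used to fabricate the capture; the heuristics never see this layout."""
    body = name.encode() + b"\x00"
    return (b"\x5a\xa5\x01" + bytes([opcode])
            + struct.pack(">HH", 8 + len(body), seq) + body)


# Constructed capture of four messages of differing lengths (hypothetical tag names).
SAMPLES = [
    build(0x10, 1, "PUMP_01"),
    build(0x10, 2, "VALVE_A"),
    build(0x11, 3, "TANK_LEVEL_3"),
    build(0x12, 7, "PUMP_02"),
]


def constant_offsets(msgs):
    """Offsets whose byte is identical in every sample: magic, version, padding,
    or merely the high byte of a field that never exceeded 255 in this capture
    (offsets 4 and 6 below are exactly that false positive)."""
    n = min(len(m) for m in msgs)
    return [i for i in range(n) if len({m[i] for m in msgs}) == 1]


def length_field_candidates(msgs):
    """(offset, width, struct format, delta) for every 8- or 16-bit integer whose
    value minus the message length is the same constant in every sample.
    A non-zero delta means the field counts only part of the message.
    Without samples of differing lengths a length field is indistinguishable
    from a constant, so we refuse to guess."""
    if len({len(m) for m in msgs}) < 2:
        return []
    n = min(len(m) for m in msgs)
    found = []
    for fmt, width in (("B", 1), (">H", 2), ("<H", 2)):
        for off in range(n - width + 1):
            deltas = {struct.unpack_from(fmt, m, off)[0] - len(m) for m in msgs}
            if len(deltas) == 1:
                found.append((off, width, fmt, deltas.pop()))
    return found


def ascii_runs(msg: bytes, min_run: int = 4):
    """Half-open (start, end) spans of printable ASCII at least min_run bytes long.
    The minimum run length filters lone bytes such as 0x5a ('Z') in the magic."""
    runs, start = [], None
    for i, b in enumerate(msg + b"\x00"):   # sentinel closes a trailing run
        printable = 0x20 <= b < 0x7F
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_run:
                runs.append((start, i))
            start = None
    return runs


def string_field_starts(msgs, min_run: int = 4):
    """Offsets at which every sample begins a printable run: likely string fields."""
    per_msg = [{s for s, _ in ascii_runs(m, min_run)} for m in msgs]
    return sorted(set.intersection(*per_msg))


def summarize(msgs):
    return {
        "constant": constant_offsets(msgs),
        "length": length_field_candidates(msgs),
        "strings": string_field_starts(msgs),
    }


if __name__ == "__main__":
    for kind, hits in summarize(SAMPLES).items():
        print(kind, hits)
```

On this capture the length heuristic reports three candidates at offsets 4 and 5: a big-endian 16-bit field at 4, and an 8-bit or little-endian 16-bit field at 5. They cannot be told apart until a message longer than 255 bytes is observed, which is the general caveat: every heuristic is only as good as the variety in the sample set, and the results are hypotheses to confirm by mutating the suspected field and watching the target's reaction.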

O.O.M.P.H.

Object Oriented Mutations for Protocol Hardening.

Seriously though, I want to write about the process through which we create mutations and how, ultimately, it ties together an assorted set of seemingly unrelated protocols. The takeaways (for the impatient) are that mutations are really unit tests, and that they originate from the following:

  • Protocol specification
  • Code reviews
  • Known vulnerabilities that other people have found
  • Expertise
  • Structure
  • Semantics
  • State
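
To make "mutations are really unit tests" concrete, here is an added example (not code from the original post or from any real fuzzer): a handful of mutations for a made-up, hypothetical message format, each tagged with the origin it came from in the list above and with the behaviour a correct implementation must show. Running the suite against a strict and a sloppy parser shows the unit-test view: a mutation passes or fails like any test case. The protocol layout, the 15-byte name limit, the "fixed 16-byte buffer" code-review finding and the parsers are all assumed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Callable

MAGIC = b"\x5a\xa5"
HEADER = struct.Struct(">2sBBH")   # magic, version, opcode, 16-bit big-endian total length
MAX_NAME = 15                      # hypothetical limit from the made-up spec


def build(opcode: int, name: str) -> bytes:
    """Constructed valid message: header followed by a NUL-terminated name."""
    body = name.encode() + b"\x00"
    return HEADER.pack(MAGIC, 1, opcode, HEADER.size + len(body)) + body


def parse_strict(msg: bytes):
    """Reference parser that enforces every rule of the toy spec (the target we hope for)."""
    if len(msg) < HEADER.size:
        raise ValueError("short header")
    magic, _ver, opcode, total = HEADER.unpack_from(msg)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if total != len(msg):
        raise ValueError("length field disagrees with bytes on wire")
    body = msg[HEADER.size:]
    if not body.endswith(b"\x00"):
        raise ValueError("name not NUL-terminated")
    name = body[:-1]
    if len(name) > MAX_NAME or b"\x00" in name or not name.isascii():
        raise ValueError("bad name")
    return opcode, name.decode()


def parse_lax(msg: bytes):
    """Sloppy parser that trusts the length field and never bounds the name
    (the kind of target that a mutation suite is meant to catch)."""
    _magic, _ver, opcode, total = HEADER.unpack_from(msg)
    body = msg[HEADER.size:total]
    return opcode, body.rstrip(b"\x00").decode("latin-1")


@dataclass
class Mutation:
    name: str
    origin: str                       # which item of the list above produced this test case
    apply: Callable[[bytes], bytes]   # transform a valid message into the mutant
    expect_reject: bool = True        # what a correct implementation must do with it


def set_total(msg: bytes, total: int) -> bytes:
    """Overwrite the 16-bit length field without touching anything else."""
    return msg[:4] + struct.pack(">H", total) + msg[6:]


MUTATIONS = [
    Mutation("baseline valid message", "control", lambda m: m, expect_reject=False),
    Mutation("length field overstates wire size",
             "protocol specification: total must equal bytes on wire",
             lambda m: set_total(m, len(m) + 100)),
    Mutation("length field covers header only",
             "protocol specification", lambda m: set_total(m, HEADER.size)),
    Mutation("length field 0xFFFF",
             "expertise: integer boundary", lambda m: set_total(m, 0xFFFF)),
    Mutation("64-byte name",
             "code review: hypothetical fixed 16-byte buffer in the handler",
             lambda m: build(0x10, "A" * 64)),
    Mutation("name missing NUL terminator",
             "known vulnerability class: off-by-one read past an unterminated string",
             lambda m: set_total(m[:-1], len(m) - 1)),
    Mutation("embedded NUL in name",
             "semantics: C string versus counted string confusion",
             lambda m: build(0x10, "PUMP\x00_01")),
]


def run(parser, base: bytes):
    """Treat each mutation as a unit test: True means the parser behaved as required."""
    results = {}
    for mut in MUTATIONS:
        try:
            parser(mut.apply(base))
            rejected = False
        except (ValueError, struct.error, UnicodeDecodeError):
            rejected = True
        results[mut.name] = (rejected == mut.expect_reject)
    return results


BASE = build(0x10, "PUMP_01")   # constructed sample message


if __name__ == "__main__":
    for label, parser in (("strict", parse_strict), ("lax", parse_lax)):
        for name, ok in run(parser, BASE).items():
            print(f"{label:6} {'PASS' if ok else 'FAIL'}  {name}")
```

The baseline case is deliberately part of the suite: a parser that rejects everything would otherwise score perfectly. Against the strict parser every case passes; against the lax parser only the baseline does, and each failing case names the origin of the rule it violated, which is what makes the same mutation reusable across protocols that share the rule (a length that must match the wire, a string that must be terminated) even when the protocols themselves are unrelated.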
