KIT | KIT-Bibliothek | Impressum | Datenschutz

Cluster Crash: Learning from Recent Vulnerabilities in Communication Stacks

Borcherding, Anne 1; Takacs, Philipp 1; Beyerer, Jürgen 2
1 Fraunhofer-Institut für Optronik, Systemtechnik und Bildauswertung (IOSB)
2 Fakultät für Informatik – Lehrstuhl IES Beyerer: Interaktive Echtzeitsysteme (Lehrstuhl IES Beyerer: Interaktive Echtzeitsysteme), Karlsruher Institut für Technologie (KIT)

Abstract (englisch):

To ensure functionality and security of network stacks in industrial device, thorough testing is necessary. This
includes blackbox network fuzzing, where fields in network packets are filled with unexpected values to test
the device’s behavior in edge cases. Due to resource constraints, the tests need to be efficient and such the
input values need to be chosen intelligently. Previous solutions use heuristics based on vague knowledge from
previous projects to make these decisions. We aim to structure existing knowledge by defining Vulnerabil-
ity Anti-Patterns for network communication stacks based on an analysis of the recent vulnerability groups
Ripple20, Amnesia:33, and Urgent/11. For our evaluation, we implement fuzzing test scripts based on the
Vulnerability Anti-Patterns and run them against 8 industrial device from 5 different device classes. We show
(I) that similar vulnerabilities occur in implementations of the same protocol as well as in different protocols,
(II) that similar vulnerabilities also spread over different device classes, and (III) that test scripts based on the
Vulnerability Anti-Patterns help to identify these vulnerabilities.


Verlagsausgabe §
DOI: 10.5445/IR/1000149509
Veröffentlicht am 05.08.2022
Originalveröffentlichung
DOI: 10.5220/0010806300003120
Dimensions
Zitationen: 1
Cover der Publikation
Zugehörige Institution(en) am KIT Institut für Informationssicherheit und Verlässlichkeit (KASTEL)
KIT-Bibliothek (BIB)
Fakultät für Informatik – Lehrstuhl IES Beyerer: Interaktive Echtzeitsysteme (Lehrstuhl IES Beyerer: Interaktive Echtzeitsysteme)
Publikationstyp Proceedingsbeitrag
Publikationsjahr 2022
Sprache Englisch
Identifikator ISBN: 978-9897585531
KITopen-ID: 1000149509
HGF-Programm 46.23.04 (POF IV, LK 01) Engineering Security for Production Systems
Erschienen in Proceedings of the 8th International Conference on Information Systems Security and Privacy
Veranstaltung 8th International Conference on Information Systems Security and Privacy (ICISSP 2022), Online, 09.02.2022 – 11.02.2022
Verlag SciTePress
Seiten 334–344
Nachgewiesen in Scopus
Dimensions
Globale Ziele für nachhaltige Entwicklung Ziel 9 – Industrie, Innovation und Infrastruktur
KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft
KITopen Landing Page