KR102635486B1 - Apparatus and method for performing fuzzing - Google Patents

Abstract

A method for performing fuzzing in a computing device including a processor according to some embodiments of the present disclosure, wherein the method is based on whether pairing is required for each of at least one port included in the device. selecting a first port from among at least one port; In order to enter the first port into a predetermined first state, transmitting to the first port a first state transition packet in which a command corresponding to the predetermined first state is mapped; determining a first current state of the first port based on a first response packet to the first state transition packet received from the first port; When the first current state of the first port corresponds to the predetermined first state, generating a first test packet in which at least one field included in the command corresponding to the predetermined first state is mutated. steps; and performing a fuzzing test of the first port using the first test packet.

Description

Method and apparatus for performing fuzzing {APPARATUS AND METHOD FOR PERFORMING FUZZING}

The present disclosure relates to a method and apparatus for performing fuzzing, and more specifically, to a method and apparatus for performing fuzzing on a port of a device.

Bluetooth is an industry standard for personal short-range wireless communication for digital communication devices (e.g., smart phones, tablet PCs, etc.). Bluetooth uses 2.4GHz, which is included in the ISM band, and can be used to exchange information between devices up to 100m away.

Bluetooth is managed through the Bluetooth Special Interest Group (SIG), and in order to be certified as a Bluetooth device, it must meet the Bluetooth standards established by the SIG. Companies that manufacture telecommunication, computer, network, and home appliance-related devices can implement the Bluetooth protocol stack by referring to the Bluetooth document released by SIG.

Devices that use Bluetooth can utilize fuzzing to effectively detect vulnerabilities in the Bluetooth protocol stack.

Fuzzing can be a technique to verify whether abnormal behavior is output by injecting random values to find unknown but possible vulnerabilities in software. Therefore, a device using Bluetooth can use a fuzzing test to detect problems that may occur in the Bluetooth protocol stack.

Republic of Korea registered patent 10-2190727 (registered on December 8, 2020)

This disclosure was made in response to the above-described background technology, and is intended to perform fuzzing on a port of a device.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the description below.

According to some embodiments of the present disclosure for solving the problems described above, a method for performing fuzzing in a computing device including a processor, pairing each of at least one port included in the device. selecting a first port from among the at least one port based on whether pairing is required; In order to enter the first port into a predetermined first state, transmitting to the first port a first state transition packet in which a command corresponding to the predetermined first state is mapped; determining a first current state of the first port based on a first response packet to the first state transition packet received from the first port; When the first current state of the first port corresponds to the predetermined first state, generating a first test packet in which at least one field included in the command corresponding to the predetermined first state is mutated. steps; and performing a fuzzing test of the first port using the first test packet.

Alternatively, selecting the first port may include requesting the pairing from among the at least one port, and selecting the first port capable of communication while ignoring the pairing request. there is.

Alternatively, selecting the first port may include selecting the first port that does not require pairing from among the at least one port.

Alternatively, before transmitting the first state transition packet to the first port, classifying a plurality of states into a plurality of groups based on a job and according to a communication protocol of the device. ; and mapping a command corresponding to each of the plurality of groups.

Alternatively, the at least one field included in the instruction may be a fixed field containing data that is fixed and cannot be changed; a dependent field containing data that is dependent on another field; and a mutable field containing mutable data.

Alternatively, the modification field may include: a core field containing data related to at least one of a communication channel or port of the device; and an application field containing data related to application software.

Alternatively, when the first current state of the first port corresponds to the predetermined first state, the at least one field included in the instruction corresponding to the predetermined first state is mutated. The step of generating test packet 1 includes, when the first current state of the first port corresponds to the predetermined first state, generating the first test packet in which a key field included in the command is modified; may include.

Alternatively, performing a fuzzing test of the first port using the first test packet may include transmitting the first test packet to the first port; and determining whether a vulnerability exists in the first port based on a second response packet to the first test packet received from the first port.

Alternatively, the step of determining whether a vulnerability of the first port is expressed based on a second response packet to the first test packet received from the first port may include the second response packet and a pre-stored normal response packet. If these values are different from each other, determining that a vulnerability caused by the first test packet is present in the first port; and generating information about the revealed vulnerability.

Alternatively, in order to enter the first port into a predetermined second state that is different from the first state, a second state transition packet in which a command corresponding to the predetermined second state is mapped transmitting to the first port; determining a second current state of the first port based on a third response packet to the second state transition packet received from the first port; When the second current state of the first port corresponds to the predetermined second state, generating a second test packet in which at least one field included in the command corresponding to the predetermined second state is mutated. steps; and performing a fuzzing test of the first port using the second test packet.

Alternatively, a computer program stored on a computer-readable storage medium, the computer program comprising instructions for causing a processor of a computing device to perform fuzzing, the steps comprising: selecting a first port from among the at least one port based on whether pairing is required for each of the at least one port included in; In order to enter the first port into a predetermined first state, transmitting to the first port a first state transition packet in which a command corresponding to the predetermined first state is mapped; determining a first current state of the first port based on a first response packet to the first state transition packet received from the first port; When the first current state of the first port corresponds to the predetermined first state, generating a first test packet in which at least one field included in the command corresponding to the predetermined first state is mutated. steps; and performing a fuzzing test of the first port using the first test packet.

Alternatively, a computing device for performing fuzzing, comprising: a processor including at least one core; a memory storing a computer program executable by the processor; and a network unit, wherein the processor selects a first port from among the at least one port based on whether pairing is required for each of the at least one port included in the device, and the first port is selected from the at least one port. 1 In order to enter port into a predetermined first state, a first state transition packet in which a command corresponding to the predetermined first state is mapped is transmitted to the first port, and the first port A first current state of the first port is determined based on a first response packet to the first state transition packet received from, and the first current state of the first port is the predetermined first state. If it corresponds to, generate a first test packet in which at least one field included in the command corresponding to the predetermined first state is mutated, and use the first test packet to test the first port. A fuzzing test can be performed.

A technique according to an embodiment of the present disclosure can perform fuzzing on a port of a device.

The effects that can be obtained from the present disclosure are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the description below. .

Various aspects will now be described with reference to the drawings, where like reference numerals are used to collectively refer to like elements. In the following examples, for purposes of explanation, numerous specific details are set forth to provide a comprehensive understanding of one or more aspects. However, it will be clear that such aspect(s) may be practiced without these specific details.
1 is a diagram schematically showing a system for performing fuzzing according to some embodiments of the present disclosure.
Figure 2 is a diagram schematically showing the structure of instructions according to some embodiments of the present disclosure.
FIG. 3 is a diagram illustrating a process of generating a test packet by a computing device for performing fuzzing according to some embodiments of the present disclosure.
FIG. 4 is a diagram illustrating state coverage of a program of a computing device and conventional techniques for performing fuzzing according to some embodiments of the present disclosure.
Figure 5 is a diagram illustrating a method for performing fuzzing according to some embodiments of the present disclosure.
6 shows a brief, general schematic diagram of an example computing environment in which embodiments of the present disclosure may be implemented.

Various embodiments are now described with reference to the drawings. In this specification, various descriptions are presented to provide an understanding of the disclosure. However, it is clear that these embodiments may be practiced without these specific descriptions.

As used herein, the terms “component,” “module,” “system,” and the like refer to a computer-related entity, hardware, firmware, software, a combination of software and hardware, or an implementation of software. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, a thread of execution, a program, and/or a computer. For example, both an application running on a computing device and the computing device can be a component. One or more components may reside within a processor and/or thread of execution. A component may be localized within one computer. A component may be distributed between two or more computers. Additionally, these components can execute from various computer-readable media having various data structures stored thereon. Components can transmit signals, for example, with one or more data packets (e.g., data and/or signals from one component interacting with other components in a local system, a distributed system, to other systems and over a network such as the Internet). Depending on the data being transmitted, they may communicate through local and/or remote processes.

Additionally, the term “or” is intended to mean an inclusive “or” and not an exclusive “or.” That is, unless otherwise specified or clear from context, “X utilizes A or B” is intended to mean one of the natural implicit substitutions. That is, either X uses A; X uses B; Or, if X uses both A and B, “X uses A or B” can apply to either of these cases. Additionally, the term “and/or” as used herein should be understood to refer to and include all possible combinations of one or more of the related listed items.

Additionally, the terms “comprise” and/or “comprising” should be understood to mean that the corresponding feature and/or element is present. However, the terms “comprise” and/or “comprising” should be understood as not excluding the presence or addition of one or more other features, elements and/or groups thereof. Additionally, unless otherwise specified or the context is clear to indicate a singular form, the singular terms herein and in the claims should generally be construed to mean “one or more.”

And, the term “at least one of A or B” should be interpreted to mean “if it contains only A,” “if it contains only B,” or “if it is a combination of A and B.”

Those skilled in the art will additionally recognize that the various illustrative logical blocks, components, modules, circuits, means, logic, and algorithm steps described in connection with the embodiments disclosed herein may be implemented using electronic hardware, computer software, or a combination of both. It must be recognized that it can be implemented with To clearly illustrate the interchangeability of hardware and software, various illustrative components, blocks, configurations, means, logics, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented in hardware or software will depend on the specific application and design constraints imposed on the overall system. A skilled technician can implement the described functionality in a variety of ways for each specific application. However, such implementation decisions should not be construed as causing a departure from the scope of the present disclosure.

The description of the presented embodiments is provided to enable anyone skilled in the art to use or practice the present invention. Various modifications to these embodiments will be apparent to those skilled in the art. The general principles defined herein may be applied to other embodiments without departing from the scope of the disclosure. Therefore, the present invention is not limited to the embodiments presented herein. The present invention is to be interpreted in the broadest scope consistent with the principles and novel features presented herein.

The description of the presented embodiments is provided to enable anyone skilled in the art to use or practice the present invention. Various modifications to these embodiments will be apparent to those skilled in the art. The general principles defined herein may be applied to other embodiments without departing from the scope of the disclosure. Therefore, the present invention is not limited to the embodiments presented herein. The present invention is to be interpreted in the broadest scope consistent with the principles and novel features presented herein.

In the present disclosure, terms represented by N, such as first, second, or third, are used to distinguish a plurality of entities. For example, the entities expressed as first and second may be the same or different from each other. Terms expressed as 1-1, 1-2, and 2-1, 2-2 may also be used to distinguish a plurality of entities.

In the present disclosure, fuzzing and/or fuzz testing may refer to a technique for verifying whether abnormal behavior is output by injecting random values and/or predetermined attack patterns to find unknown but possible vulnerabilities in software. there is.

The communication protocol in this disclosure may include a Bluetooth protocol stack. For example, the communication protocol may include the Bluetooth L2CAP protocol.

Packets in the present disclosure may include data in a format used in a communication protocol. For example, the packet may contain data in the format used in the Bluetooth L2CAP protocol.

1 is a diagram schematically showing a system for performing fuzzing according to some embodiments of the present disclosure.

Referring to FIG. 1, a system for performing fuzzing may include a computing device 100, a device 200, a network, etc.

The configuration of the system shown in Figure 1 is only a simplified example. In one embodiment of the present disclosure, the system may include different configurations for performing fuzzing, and only some of the disclosed configurations may configure the system.

The computing device 100 may include a processor 110, a memory 130, and a network unit 150. For example, computing device 100 may include a server, a user terminal, etc.

The processor 110 may be composed of one or more cores, and may include a central processing unit (CPU), a general purpose graphics processing unit (GPGPU), and a tensor processing unit (TPU) of a computing device. unit) may include a processor for data analysis and processing. The processor 110 may read the computer program stored in the memory 130 and perform data analysis and processing according to an embodiment of the present disclosure.

The processor 110 may typically control the overall operation of the computing device 100. The processor 110 processes signals, data, information, etc. input or output through components included in the computing device 100 or runs an application program stored in the memory 130, providing information and/or functions appropriate to the user. may be provided and/or processed.

The processor 110 may control at least some of the components of the computing device 100 to run an application program stored in the memory 130. Furthermore, the processor 110 may operate in combination with at least two or more of the components included in the computing device 100 to run an application program.

According to one embodiment of the present disclosure, the memory 130 may store any type of information generated or determined by the processor 110 and/or any type of information received by the network unit 150.

According to an embodiment of the present disclosure, the memory 130 is a flash memory type, hard disk type, multimedia card micro type, or card type memory (e.g. (e.g. SD or -Only Memory), magnetic memory, magnetic disk, and/or optical disk may include at least one type of storage medium. The computing device 100 may operate in connection with web storage that performs a storage function of the memory 130 on the Internet. The description of the memory described above is merely an example, and the present disclosure is not limited thereto.

The network unit 150 according to an embodiment of the present disclosure may include any wired or wireless communication network capable of transmitting and receiving arbitrary types of data and signals, etc., as expressed in the present disclosure. The techniques described herein can be used in the networks mentioned above, as well as other networks.

The processor 110 may select a first port from among at least one port based on whether pairing is required for each of at least one port included in the device 200.

At least one port may be a virtual logical communication connection used by applications to communicate with each other in a communication protocol. For example, at least one port may include a service port provided by the device 200.

Pairing may mean registering identification information (e.g., hardware information, network information, user information, etc. of the device wanting to connect) for a wireless connection. A request for pairing may mean requesting registration of identification information between a device or a port included in the device and a device wishing to connect. For example, device 200 (and/or a port of device 200) may request pairing from computing device 100 for wireless connection with computing device 100. When the computing device 100 is paired with the device 200 (and/or the port of the device 200) requesting pairing, the device 200 (and/or the port of the device 200) and the computing device ( 100) can each register identification information and connect wirelessly to each other.

According to some embodiments of the present disclosure, the processor 110 may request pairing among at least one port, and select a first port capable of communication while ignoring the pairing request. The processor 110 may ignore the pairing request and determine a port capable of communication among ports requesting pairing as the first port. Among the ports requesting pairing, if there are a plurality of ports capable of communication while ignoring the pairing request, the processor 110 determines the number of ports based on predetermined criteria (e.g., ascending (or descending) order of port numbers assigned to the ports, searched ports, etc.). Based on the time order, etc.), the first port capable of communicating while ignoring the pairing request can be determined among the ports requesting pairing.

According to some other embodiments of the present disclosure, the processor 110 may select a first port that does not require pairing from among at least one port. If there are multiple ports that do not require pairing, the processor 110 does not request pairing based on predetermined criteria (e.g., ascending (or descending) order of port numbers assigned to the ports, searched time order, etc.). The first port that is not used can be determined.

When the processor 110 connects to a port requesting pairing, it can obtain permission to take control of the device (eg, device 200) through the port. However, in general, attacks on ports can be performed without permission. Therefore, performing fuzzing while already authorized may not be appropriate for discovering valid vulnerabilities. Therefore, the processor 110 can acquire an effective vulnerability of the port by performing fuzzing by connecting to a port that does not require pairing or a port that is capable of communication, ignoring even if there is a request for pairing.

The processor 110 may classify a plurality of predetermined states into a plurality of groups according to the communication protocol of the device 200 based on the job.

A job can be a set of programs related to work to be done on a computer. Tasks may include events, functions, and actions. An event may be a set of programs related to events that occur by a packet received from a transmitting device (e.g., computing device 100) at a receiving device (e.g., device 200). A function can be a set of programs involved in handling events. An action may be a set of programs related to sending a response to a packet from a receiving device (eg, device 200) to a transmitting device (eg, computing device 100). For example, tasks include Closed to end a specific task, Connection to connect a specific task, Creation to create a specific task, Configuration to arrange a specific task, Disconnect to stop a specific task, and move a specific task. It can include Move to do something, Open to start a specific task, etc. However, the type of work is not limited to this.

A plurality of predetermined states may be conditions or methods set to perform certain tasks on a system or program. Accordingly, the state may change depending on how the device 200 operates in its communication protocol. A plurality of groups can be classified as shown in Table 1 below.

Job States Closed {CLOSED} Connection {WAIT CONNECT, WAIT CONNECT RSP} Creation {WAIT CREATE, WAIT CREATE RSP} Configuration {WAIT CONFIG, WAIT CONFIG RSP, WAIT CONFIG REQ, WAIT CONFIG REQ RSP, WAIT SEND CONFIG, WAIT IND FINAL RSP, WAIT FINAL RSP, WAIT CONTROL IND} Disconnection {WAIT DISCONNECT} Move {WAIT MOVE, WAIT MOVE RSP, WAIT MOVE CONFIRM, WAIT CONFIRM RSP} Open {OPEN}

Referring to Table 1, the state corresponding to the task Closed may be a group of {CLOSED}. The state corresponding to the task Connection can be a group of {WAIT CONNECT, WAIT CONNECT RSP}. The state corresponding to the task Creation can be a group of {WAIT CREATE, WAIT CREATE RSP}. The status corresponding to the task configuration may be one group as {WAIT CONFIG, WAIT CONFIG RSP, WAIT CONFIG REQ, WAIT CONFIG REQ RSP, WAIT SEND CONFIG, WAIT IND FINAL RSP, WAIT FINAL RSP, WAIT CONTROL IND}. The state corresponding to the task Disconnection can be a group of {WAIT DISCONNECT}. The state corresponding to the task Move may be one group as {WAIT MOVE, WAIT MOVE RSP, WAIT MOVE CONFIRM, WAIT CONFIRM RSP}. The state corresponding to the task Open may be a group of {OPEN}.

The processor 110 may map instructions corresponding to each of the plurality of groups. Commands corresponding to each of the plurality of groups can be mapped as shown in Table 2 below.

Job Valid commands Closed All commands Connection ConnectReq/Rsp Creation Create Channel Req/Rsp Configuration ConfigReq/Rsp Disconnection DisconnectReq/Rsp Move Move Channel Req/Rsp,Move Channel Confirmation Req/Rsp Open All commands

Referring to Table 2, the command corresponding to the task Closed may be All commands. The command corresponding to the task Connection can be Connect Req or Rsp. The command corresponding to the task Creation may be Create Channel Req or Rsp. The command corresponding to task configuration may be Config Req or Rsp. The command corresponding to the task Disconnection may be Disconnect Req or Rsp. The command corresponding to the task Move may be Move Channel Req or Rsp, Move Channel Confirmation Req or Rsp. The command corresponding to the task Open may be All commands.

In order to enter the first port into a predetermined first state, the processor 110 may transmit to the first port a first state transition packet in which an instruction corresponding to the predetermined first state is mapped. .

For example, if the predetermined first state is {WAIT DISCONNECT}, the processor 110 may transmit a first state transition packet to the first port to which Disconnect Req or Rsp, which is a command corresponding to {WAIT DISCONNECT}, is mapped. there is.

A state transition packet may be a packet that changes the state of a communication protocol. For example, the first state transition packet may be a packet that changes the state of the first port from the current {CLOSED} to {WAIT DISCONNECT}.

The first port may receive a first state transition packet. The first port may transition to the first state by a first state transition packet.

The processor 110 may determine the first current state of the first port based on the first response packet to the first state transition packet received from the first port.

A response packet is a packet generated in response to a received packet and may include information about the current status of the received device. For example, the first response packet may be a packet generated in response to the first state transition packet at the first port of the device 200. The first response packet may include information about the first current state of the first port of the device 200. Accordingly, the processor 110 may determine the first current state of the first port based on the information about the first current state of the first port included in the first response packet.

When the first current state of the first port corresponds to a predetermined first state, the processor 110 generates a first test packet in which at least one field included in an instruction corresponding to the predetermined first state is mutated. can be created.

A command may be data that performs at least one operation in a programming language. A command may include at least one field for performing at least one operation.

At least one field may include a fixed field, dependent field, mutable field, etc.

Fixed fields can contain immutable data. For example, fixed fields may include a HEADER CID field, etc.

A dependent field may contain data that is dependent on another field. Data included in a dependent field may be determined based on data in other fields. For example, dependent fields may include a PAYLOAD LEN field, CODE field, ID field, DATA LEN field, etc.

A mutable field may contain mutable data. Data included in the modified field may be determined based on pre-stored field reference data. Data included in the modification field can be determined by the user. For example, transformation fields may include core fields, application fields, etc.

The core field may include data related to at least one of the communication channels or ports of the device 200. For example, core fields may include a PSM field, SCID field, DCID field, ICID field, CONT ID field, etc.

The application field may include data related to application software. For example, application fields include REASON field, RESULT field, STATUS field, FLAGS field, TYPE field, INTERVAL field, LATENCY field, TIMEOUT field, SPSM field, MTU field, CREDIT field, MPS field, OPT field, QoS field, etc. It can be included.

The test packet may be a packet in which at least one field included in the command is modified for fuzzing. For example, the first test packet may be a packet in which at least one field included in a command corresponding to a predetermined first state is modified.

The test packet may be a packet in which key fields responsible for core functions of the protocol are modified among the fields included in the command. For example, the first test packet may be a packet in which a core field responsible for the core function of the protocol is modified among the fields included in the command corresponding to the predetermined first state.

A test packet (eg, a first test packet) may be a packet in which key fields are modified based on pre-stored field reference data. Pre-stored field reference data may include available data for each field included in the communication protocol.

Modified data may be inserted into the core field of the test packet (e.g., the first test packet), and a default value may be inserted into the application field of the test packet (e.g., the first test packet). there is. Accordingly, the processor 110 may insert modified data into the core field of the test packet (eg, the first test packet) and insert a default value into the application field of the test packet. According to some embodiments of the present disclosure, the processor 110 may additionally insert a garbage value into a test packet (eg, a first test packet). By additionally inserting garbage values into the test packet (eg, the first test packet), the probability of vulnerability occurrence at the target port may be increased.

According to some embodiments of the present disclosure, when the first current state of the first port corresponds to the predetermined first state, the processor 110 may generate a first test packet in which a key field included in the instruction is modified. there is. According to some other embodiments of the present disclosure, when there are a plurality of core fields included in the instruction, the processor 110 may generate a first test packet in which at least one of the plurality of core fields included in the instruction is modified. . Accordingly, the processor 110 may generate a test packet that is not rejected by the port that is the target of the fuzzing test by generating a test packet (eg, a first test packet) in which key fields are modified.

The processor 110 may perform a fuzzing test of the first port using the first test packet.

For example, the processor 110 may transmit the first test packet to the first port. Since the first test packet is a packet in which only the core fields of the command corresponding to the first state are modified, it may not be rejected by the first port.

The processor 110 may determine whether a vulnerability exists in the first port based on the second response packet to the first test packet received from the first port.

For example, if the second response packet and the pre-stored normal response packet are different from each other, the processor 110 may determine that a vulnerability caused by the first test packet has appeared in the first port. The pre-stored normal response packet may include a response packet received when each port (eg, first port, second port, etc.) is in a normal state. The pre-stored normal response packet may include a response packet received by transmitting a normal packet in advance for each port. The pre-stored normal response packet may include packets collected while communicating in a communication protocol. The pre-stored normal response packet may include packets that are previously determined to be normal for each port.

As another example, if the second response packet includes an error message and/or a crash dump, the processor 110 may determine that a vulnerability caused by the first test packet has appeared in the first port. The error message may be a message containing content different from the normal message included in the pre-stored normal response packet. For example, error messages include “Connection lost” or “No response.” It may include contents such as: A crash dump may contain status information related to when a specific program terminated abnormally. For example, a crash dump may include program information, processor information, memory information, etc. at the point when a specific program terminates abnormally. Crash dumps can be created when a specific program terminates abnormally. Accordingly, the processor 110 can acquire program vulnerabilities by analyzing the crash dump.

The processor 110 may generate information about vulnerabilities expressed by the first test packet. Information about the vulnerability expressed by the first test packet may include the vulnerability, the cause of the vulnerability, the test packet that created the vulnerability, the port where the vulnerability occurred, and the time when the vulnerability occurred.

The processor 110 may store information about the created vulnerability in the memory 130. According to some embodiments of the present disclosure, the processor 110 may transmit information about the created vulnerability to the device 200. Accordingly, the user of the device 200 can check information about vulnerabilities and devise countermeasures.

In order to enter the first port into a predetermined second state that is different from the first state, the processor 110 sends a second state transition packet in which an instruction corresponding to the predetermined second state is mapped to the first state. It can be transmitted to the port.

For example, if the predetermined second state is {WAIT CONNECT}, the processor 110 may transmit a second state transition packet to the first port to which Connect Req or Rsp, which is a command corresponding to {WAIT CONNECT}, is mapped. there is.

The second state transition packet may be a packet that changes the state of the second port from the current {CLOSED} to {WAIT CONNECT}.

The first port may receive a second state transition packet. The first port may transition to the second state by a second state transition packet.

The processor 110 may determine the second current state of the first port based on the third response packet to the second state transition packet received from the first port.

The third response packet may be a packet generated in response to the second state transition packet at the first port of the device 200. The third response packet may include information about the second status of the first port of the device 200. Accordingly, the processor 110 may determine the second current state of the first port based on the information about the second current state included in the third response packet.

When the second current state of the first port corresponds to the predetermined second state, the processor 110 generates a second test packet in which at least one field included in the instruction corresponding to the predetermined second state is mutated. can be created.

The second test packet may be a packet in which at least one field included in a command corresponding to a predetermined second state is modified. The second test packet may be a packet in which a core field responsible for the core function of the protocol is modified among the fields included in the command corresponding to the predetermined second state.

The second test packet may be a packet in which key fields are modified based on pre-stored field reference data. Pre-stored field reference data may include field-specific usage data presented in the communication protocol.

Modified data may be inserted into the core field of the second test packet, and a default value may be inserted into the application field of the second test packet. Accordingly, the processor 110 may insert modified data into the core field of the second test packet and insert a default value into the application field of the second test packet. According to some embodiments of the present disclosure, the processor 110 may additionally insert a garbage value into the second test packet. By additionally inserting garbage values into the second test packet, the probability of vulnerability occurrence at the target port may increase.

According to some embodiments of the present disclosure, when the second current state of the first port corresponds to the predetermined second state, the processor 110 may generate a second test packet in which key fields included in the instruction are modified. there is. According to some other embodiments of the present disclosure, when there are a plurality of core fields included in the instruction, the processor 110 may generate a second test packet in which at least one of the plurality of core fields included in the instruction is modified. . Accordingly, the processor 110 can generate a test packet that is not rejected by the port that is the target of the fuzzing test by generating a test packet with modified key fields.

The processor 110 may perform a fuzzing test of the first port using the second test packet.

For example, processor 110 may transmit a second test packet to the first port. Since the second test packet is a packet in which only the core fields of the command corresponding to the first state are modified, it may not be rejected by the first port.

The processor 110 may determine whether a vulnerability exists in the first port based on the fourth response packet to the second test packet received from the first port.

For example, if the fourth response packet and the pre-stored normal response packet are different from each other, the processor 110 may determine that a vulnerability caused by the second test packet has appeared in the first port. The pre-stored normal response packet may include a response packet received when each port (eg, first port, second port, etc.) is in a normal state.

Processor 110 may generate information about vulnerabilities expressed by the second test packet. Information about the vulnerability expressed by the second test packet may include the vulnerability, the cause of the vulnerability, the test packet that created the vulnerability, the port where the vulnerability occurred, and the time when the vulnerability occurred.

The processor 110 may store information about the created vulnerability in the memory 130. According to some embodiments of the present disclosure, the processor 110 may transmit information about the created vulnerability to the device 200. Accordingly, the user of the device 200 can check information about vulnerabilities and devise countermeasures.

The processor 110 may select a second port that is different from the first port among at least one port based on whether pairing is requested for each of at least one port included in the device 200.

In order to enter the second port into a predetermined third state, the processor 110 may transmit to the second port a third state transition packet in which a command corresponding to the predetermined third state is mapped. .

The processor 110 may determine the third current state of the second port based on the fifth response packet to the third state transition packet received from the second port.

When the third current state of the second port corresponds to the predetermined first state, the processor 110 generates a third test packet in which at least one field included in the instruction corresponding to the predetermined third state is mutated. can be created.

The processor 110 may perform a fuzzing test of the second port using the third test packet.

As described above, the processor 110 may perform a fuzzing test on each of the selected ports based on whether pairing is required for each of at least one port included in the device 200.

Device 200 may refer to any type of device in a system that has a mechanism for communication with the computing device 100. For example, device 200 may transmit and/or receive packets through computing device 100 and a network. According to some embodiments of the present disclosure, when computing device 100 includes device 200, device 200 may or may not use computing device 100 and a network to internally transmit and/or You can receive it. Device 200 may process information based on packets received from computing device 100.

The device 200 may include a Bluetooth protocol stack as a communication protocol. For example, device 200 may include the Bluetooth L2CAP protocol. Computing device 100 and/or device 200 may each include a device for Bluetooth communication. For example, the computing device 100 and/or the device 200 may each include or be separately equipped with a device (eg, dongle, etc.), circuit, etc. for Bluetooth communication.

The network may include any wired or wireless communication network through which the computing device 100 and the device 200 can transmit and receive data and signals of any type to each other. For example, computing device 100 may transmit packets to device 200 wired and/or wirelessly over a network. As another example, computing device 100 may receive packets from device 200 wired and/or wirelessly through a network.

Figure 2 is a diagram schematically showing the structure of instructions according to some embodiments of the present disclosure.

Referring to Figure 2, the command may include a PAYLOAD LEN field (10), HEADER CID field (20), CODE field (30), ID field (40), DATA LEN field (50), DATA field (60), etc. You can.

The PAYLOAD LEN field 10 is included in the dependent fields and contains data determined based on the length of the information payload (CODE field 30, ID field 40, DATA LEN field 50, and DATA field 60). It can be included. The PAYLOAD LEN field 10 may contain data regarding the length of the information payload.

The HEADER CID field 20 is included in the fixed field and may include specific predetermined data. For example, the specific predetermined data may be “0x0001” used in ACL-U logical links.

The CODE field 30 is included in the dependent field and may include data determined by a valid command code.

ID field 40 is included in the dependent field and may include data dynamically assigned by the device (e.g., computing device 100, device 200, etc.).

It is included in the DATA LEN field 50 dependent field and may include data determined by the length of the data included in the DATA field 60.

The DATA field 60 is included in the transformation field and may include a core field 61 and an application field 62.

The core field 61 may include a PSM field, SCID field, DCID field, ICID field, CONT ID field, etc. The PSM field can be used for port settings. The SCID field, DCID field, ICID field, and CONT ID field can be used to set a channel endpoint.

The application field 62 includes the REASON field, RESULT field, STATUS field, FLAGS field, TYPE field, INTERVAL field, LATENCY field, TIMEOUT field, SPSM field, MTU field, CREDIT field, MPS field, OPT field, QoS field, etc. can do.

Each field included in the application field 62 may include application data for a command. Each field included in the application field 62 may be a field for transmitting data without affecting port or channel management.

FIG. 3 is a diagram illustrating a process of generating a test packet by a computing device for performing fuzzing according to some embodiments of the present disclosure.

Referring to FIG. 3, a normal packet includes a PAYLOAD LEN field (10a), a HEADER CID field (20a), a CODE field (30a), an ID field (40a), a DATA LEN field (50a), and a core field (e.g., DCID field, etc.) 61a, and an application field (e.g., MTU field, etc.) 62a.

The processor 110 uses fixed or dependent fields such as the PAYLOAD LEN field 10b, the HEADER CID field 20b, and the CODE field to generate a test packet (e.g., a first test packet, a second test packet, etc.) 30b), a value corresponding to a normal packet can be inserted into the ID field 40b and the DATA LEN field 50b, respectively.

Processor 110 based on field reference data pre-stored in key fields (e.g., DCID field, etc.) 61b to generate test packets (e.g., first test packet, second test packet, etc.) “8F7B”, which is modified data that is different from the core field (61a) of the normal packet, can be inserted.

The processor 110 enters the application field (e.g., MTU field, etc.) 62b with a default value of “ 00 00 00 00 00 00” can be inserted.

The processor 110 may insert a garbage value 70 determined to be random or a predetermined value to generate a test packet (e.g., a first test packet, a second test packet, etc.). there is.

[Experimental Example 1]

A program (hereinafter referred to as L2Fuzz) generated and stored by the computing device 100 for performing fuzzing according to some embodiments of the present disclosure may be implemented with approximately 1200 lines of Python code, excluding external libraries. For example, L2Fuzz can be implemented using the Scapy library (v2.4.4), an interactive packet manipulation program for packet modification. L2Fuzz can be run on a virtual machine with Ubuntu 18.04.4 LTS, 8GB memory, Intel Core i5-7500 CPU @ 3.40GHz × 4, 50GB disk and Billionton Bluetooth Class 1 dongle.

The devices under test can be selected from eight real-world test devices that can represent universal Bluetooth protocol stacks, including BlueZ (Linux), BlueDroid (Android), Apple BT stack, and Windows BT stack. The eight actual test devices may be as shown in Table 3 below.

When evaluating the effectiveness of L2Fuzz, the results of L2Fuzz were compared with those of the prior art techniques Defensics, BFuzz, and BSS. Other related technologies were excluded because they do not support L2CAP vulnerability detection or are not publicly available. Using test device D2 (see Table 3), the transformation efficiency and state coverage of L2Fuzz can be compared to baseline fuzzers (e.g., Defensics, BFuzz, and BSS). D2 could be a device that follows the Bluetooth standard with little customization. Therefore, D2 can be used for evaluation.

Since most Bluetooth stacks except BlueZ and BlueDroid are closed source, the Bluetooth fuzzer is closer to a black box fuzzer. Therefore, evaluation metrics used for white-box or gray-box fuzzing, such as source code coverage, are difficult to use. Therefore, mutation efficiency and state coverage, which can be measured only through packet traces, can be used as evaluation indicators for evaluating Bluetooth fuzzers.

Modification efficiency may be the minimum percentage of malformed packets (e.g., test packets) transmitted without rejection. The transformation efficiency can be calculated through Equation 1 below.

MP Ratio can be the ratio of malformed packets. PR Ratio may be a packet rejection rate. MP Ratio can be calculated through Equation 2 below.

MP Ratio may be the number of transmitted malformed packets divided by the total number of transmitted packets.

PR Ratio can be calculated through Equation 3 below.

The PR Ratio may be a value obtained by dividing the number of rejection packets received from the target (eg, the first port, the second port, etc. of the device 200) by the number of packets received from the target.

State coverage may mean the number of L2CAP states covered. Since vulnerabilities are likely to occur in the state transition process and the functions of each state, the more L2CAP states are covered, the higher the possibility of vulnerability detection. State coverage can be measured through a protocol reverse engineering tool.

The results of the fuzzing test performed using L2Fuzz, Defensics, BFuzz, and BSS respectively are described later with reference to FIG. 4.

FIG. 4 is a diagram illustrating state coverage of a program of a computing device and conventional techniques for performing fuzzing according to some embodiments of the present disclosure.

Referring to the state coverage according to the experimental results in Figure 4, L2Fuzz can cover 13 states. The prior art Defensics can cover 7 states. BFuzz, a prior art, can cover six states. BSS, a conventional technology, can cover three states. Therefore, L2Fuzz, a program created and stored by the computing device 100 for performing fuzzing according to some embodiments of the present disclosure, covers more states compared to conventional techniques, thereby increasing the possibility of detecting vulnerabilities compared to conventional techniques. It can be seen that it is higher compared to .

The deformation efficiency according to the experimental results can be shown in Table 4 below.

Referring to Table 4, the transformation efficiency of L2Fuzz can be 47.22%. The strain efficiency of the prior art Defensics can be 2.33%. The deformation efficiency of the prior art BFuzz may be 0.12%. The transformation efficiency of conventional technology BSS may be 0%. Therefore, L2Fuzz, a program created and stored by the computing device 100 for performing fuzzing according to some embodiments of the present disclosure, has a higher transformation efficiency compared to conventional techniques, so that the efficiency of the attack is greater than that of conventional techniques. You can see that it is higher than the fields.

Figure 5 is a diagram illustrating a method for performing fuzzing according to some embodiments of the present disclosure.

The processor 110 may select a first port among the at least one port based on whether pairing is required for each of the at least one port included in the device 200 (S110).

The processor 110 may request pairing from at least one port, and select a first port capable of communication while ignoring the pairing request.

The processor 110 may select a first port that does not require pairing from among at least one port.

In order to enter the first port into a predetermined first state, the processor 110 may transmit to the first port a first state transition packet in which an instruction corresponding to the predetermined first state is mapped. (S120).

Before transmitting the first state transition packet to the first port (S120), the processor 110 divides a plurality of predetermined states into a plurality of groups according to the communication protocol of the device 200 based on the job. Can be classified. The processor 110 may map instructions corresponding to each of the plurality of groups.

The processor 110 may determine the current state (e.g., first current state) of the first port based on the first response packet to the first state transition packet received from the first port (S130 ).

When the current state (e.g., first current state) of the first port corresponds to the predetermined first state, the processor 110 modifies at least one field included in the instruction corresponding to the predetermined first state. A mutated first test packet can be generated (S140).

At least one field included in the command is a fixed field containing data that is fixed and cannot be changed, a dependent field containing data dependent on another field, and a mutable field containing mutable data. field) may be included.

The modification field may include a core field containing data related to at least one of the communication channels or ports of the device 200 and an application field containing data related to application software.

If the first current state of the first port corresponds to the predetermined first state, the processor 110 may generate a first test packet in which key fields included in the command are modified.

The processor 110 may perform a fuzzing test of the first port using the first test packet (S150).

The processor 110 may transmit the first test packet to the first port. The processor 110 may determine whether a vulnerability exists in the first port based on the second response packet to the first test packet received from the first port.

If the second response packet and the pre-stored normal response packet are different from each other, the processor 110 may determine that a vulnerability caused by the first test packet has appeared in the first port. The processor 110 may generate information about developed vulnerabilities.

In order to enter the first port into a predetermined second state that is different from the first state, the processor 110 sends a second state transition packet in which an instruction corresponding to the predetermined second state is mapped to the first state. It can be transmitted to the port.

The processor 110 may determine the second current state of the first port based on the third response packet to the second state transition packet received from the first port.

When the second current state of the first port corresponds to the predetermined second state, the processor 110 generates a second test packet in which at least one field included in the instruction corresponding to the predetermined second state is mutated. can be created.

The processor 110 may perform a fuzzing test of the first port using the second test packet.

The steps shown in FIG. 5 are exemplary steps. Accordingly, it will also be apparent to those skilled in the art that some of the steps in FIG. 5 may be omitted or additional steps may be present without departing from the scope of the present disclosure. Additionally, specific details regarding the components depicted in FIG. 5 (eg, computing device 100, device 200, etc.) may be replaced with the details previously described with reference to FIGS. 1 to 4.

As described above with reference to FIGS. 1 to 5, the computing device 100 for performing fuzzing according to the present disclosure performs a test without pairing with the port that is the target of the test, thereby generating a packet that can be attacked without pairing. and can be detected.

In addition, the computing device 100 for performing fuzzing according to the present disclosure changes the state of the port and generates a test packet modified around key fields in the command corresponding to the state of the port, thereby raising the possibility of port vulnerability. can increase.

In addition, the computing device 100 for performing fuzzing according to the present disclosure generates information about the vulnerability expressed by the test packet and stores it or transmits it to the device 200 of the port where the vulnerability is expressed, so that the computing device 100 ) Alternatively, the user of the device 200 can check information about vulnerabilities and devise countermeasures.

6 is a brief, general schematic diagram of an example computing environment in which embodiments of the present disclosure may be implemented.

Although the present disclosure has generally been described above as being capable of being implemented by a computing device, those skilled in the art will understand that the present disclosure can be implemented in combination with computer-executable instructions and/or other program modules that can be executed on one or more computers and/or in hardware and software. It will be well known that it can be implemented as a combination.

Typically, program modules include routines, programs, components, data structures, etc. that perform specific tasks or implement specific abstract data types. Additionally, those skilled in the art will understand that the methods of the present disclosure are applicable to single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, handheld computing devices, microprocessor-based or programmable consumer electronics, etc. It will be appreciated that each of these may be implemented in other computer system configurations, including those capable of operating in conjunction with one or more associated devices.

The described embodiments of the disclosure can also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Computers typically include a variety of computer-readable media. Computer-readable media can be any medium that can be accessed by a computer, and such computer-readable media includes volatile and non-volatile media, transitory and non-transitory media, removable and non-transitory media. Includes removable media. By way of example, and not limitation, computer-readable media may include computer-readable storage media and computer-readable transmission media. Computer-readable storage media refers to volatile and non-volatile media, transient and non-transitory media, removable and non-removable, implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Includes media. Computer readable storage media may include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassette, magnetic tape, magnetic disk storage or other magnetic storage. This includes, but is not limited to, a device, or any other medium that can be accessed by a computer and used to store desired information.

A computer-readable transmission medium typically implements computer-readable instructions, data structures, program modules, or other data on a modulated data signal, such as a carrier wave or other transport mechanism. Includes all information delivery media. The term modulated data signal refers to a signal in which one or more of the characteristics of the signal have been set or changed to encode information within the signal. By way of example, and not limitation, computer-readable transmission media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also intended to be included within the scope of computer-readable transmission media.

An example environment 1100 is shown that implements various aspects of the present disclosure, including a computer 1102, which includes a processing unit 1104, a system memory 1106, and a system bus 1108. do. System bus 1108 couples system components, including but not limited to system memory 1106, to processing unit 1104. Processing unit 1104 may be any of a variety of commercially available processors. Dual processors and other multiprocessor architectures may also be used as processing unit 1104.

System bus 1108 may be any of several types of bus structures that may further be interconnected to a memory bus, peripheral bus, and local bus using any of a variety of commercial bus architectures. System memory 1106 includes read only memory (ROM) 1110 and random access memory (RAM) 1112. The basic input/output system (BIOS) is stored in non-volatile memory 1110, such as ROM, EPROM, and EEPROM, and is a basic input/output system that helps transfer information between components within the computer 1102, such as during startup. Contains routines. RAM 1112 may also include high-speed RAM, such as static RAM, for caching data.

Computer 1102 may also include an internal hard disk drive (HDD) 1114 (e.g., EIDE, SATA)—the internal hard disk drive 1114 may also be configured for external use within a suitable chassis (not shown). Yes - a magnetic floppy disk drive (FDD) 1116 (e.g., for reading from or writing to a removable diskette 1118), and an optical disk drive 1120 (e.g., a CD-ROM for reading the disk 1122 or reading from or writing to other high-capacity optical media such as DVDs). Hard disk drive 1114, magnetic disk drive 1116, and optical disk drive 1120 are connected to system bus 1108 by hard disk drive interface 1124, magnetic disk drive interface 1126, and optical drive interface 1128, respectively. ) can be connected to. The interface 1124 for implementing an external drive includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.

These drives and their associated computer-readable media provide non-volatile storage of data, data structures, computer-executable instructions, and the like. For computer 1102, drive and media correspond to storing any data in a suitable digital format. Although the description of computer-readable media above refers to removable optical media such as HDDs, removable magnetic disks, and CDs or DVDs, those skilled in the art will also recognize removable optical media such as zip drives, magnetic cassettes, flash memory cards, cartridges, etc. It will be appreciated that other types of computer-readable media, such as the like, may also be used in the example operating environment and that any such media may contain computer-executable instructions for performing the methods of the present disclosure.

A number of program modules may be stored in drives and RAM 1112, including an operating system 1130, one or more application programs 1132, other program modules 1134, and program data 1136. All or portions of the operating system, applications, modules and/or data may also be cached in RAM 1112. It will be appreciated that the present disclosure may be implemented on various commercially available operating systems or combinations of operating systems.

A user may enter commands and information into computer 1102 through one or more wired/wireless input devices, such as a keyboard 1138 and a pointing device such as mouse 1140. Other input devices (not shown) may include microphones, IR remote controls, joysticks, game pads, stylus pens, touch screens, etc. These and other input devices are connected to the processing unit 1104 through an input device interface 1142, which is often connected to the system bus 1108, but may also include a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, It can be connected by other interfaces, etc.

A monitor 1144 or other type of display device is also connected to system bus 1108 through an interface, such as a video adapter 1146. In addition to monitor 1144, computers typically include other peripheral output devices (not shown) such as speakers, printers, etc.

Computer 1102 may operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 1148, via wired and/or wireless communications. Remote computer(s) 1148 may be a workstation, computing device computer, router, personal computer, portable computer, microprocessor-based entertainment device, peer device, or other conventional network node, and is generally connected to computer 1102. For simplicity, only memory storage device 1150 is shown, although it includes many or all of the components described. The logical connections depicted include wired/wireless connections to a local area network (LAN) 1152 and/or a larger network, such as a wide area network (WAN) 1154. These LAN and WAN networking environments are common in offices and companies and facilitate enterprise-wide computer networks, such as intranets, all of which can be connected to a worldwide computer network, such as the Internet.

When used in a LAN networking environment, computer 1102 is connected to local network 1152 through wired and/or wireless communication network interfaces or adapters 1156. Adapter 1156 may facilitate wired or wireless communication to LAN 1152, which also includes a wireless access point installed thereon for communicating with wireless adapter 1156. When used in a WAN networking environment, the computer 1102 may include a modem 1158 or be connected to a communicating computing device on the WAN 1154 or to establish communications over the WAN 1154, such as via the Internet. Have other means. Modem 1158, which may be internal or external and a wired or wireless device, is coupled to system bus 1108 via serial port interface 1142. In a networked environment, program modules described for computer 1102, or portions thereof, may be stored in remote memory/storage device 1150. It will be appreciated that the network connections shown are exemplary and that other means of establishing a communications link between computers may be used.

Computer 1102 may be associated with any wireless device or object deployed and operating in wireless communications, such as a printer, scanner, desktop and/or portable computer, portable data assistant (PDA), communications satellite, wirelessly detectable tag. Performs actions to communicate with any device or location and telephone. This includes at least Wi-Fi and Bluetooth wireless technologies. Accordingly, communication may be a predefined structure as in a conventional network or may simply be ad hoc communication between at least two devices.

Wi-Fi (Wireless Fidelity) enables connection to the Internet, etc. without wires. Wi-Fi is a wireless technology, like cell phones, that allows these devices, such as computers, to send and receive data indoors and outdoors, anywhere within the coverage area of a base station. Wi-Fi networks use wireless technology called IEEE 802.11 (a, b, g, etc.) to provide secure, reliable, and high-speed wireless connections. Wi-Fi can be used to connect computers to each other, the Internet, and wired networks (using IEEE 802.3 or Ethernet). Wi-Fi networks can operate in the unlicensed 2.4 and 5 GHz wireless bands, for example, at data rates of 11 Mbps (802.11a) or 54 Mbps (802.11b), or in products that include both bands (dual band). .

Those skilled in the art will understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, values, symbols and chips that may be referenced in the above description include voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields. or particles, or any combination thereof.

Those skilled in the art will understand that the various illustrative logical blocks, modules, processors, means, circuits and algorithm steps described in connection with the embodiments disclosed herein may be used in electronic hardware, (for convenience) It will be understood that it may be implemented by various forms of program or design code (referred to herein as software) or a combination of both. To clearly illustrate this interoperability of hardware and software, various illustrative components, blocks, modules, circuits and steps have been described above generally with respect to their functionality. Whether this functionality is implemented as hardware or software depends on the specific application and design constraints imposed on the overall system. A person skilled in the art of this disclosure may implement the described functionality in various ways for each specific application, but such implementation decisions should not be construed as departing from the scope of this disclosure.

The various embodiments presented herein may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques. The term article of manufacture includes a computer program, carrier, or media accessible from any computer-readable storage device. For example, computer-readable storage media include magnetic storage devices (e.g., hard disks, floppy disks, magnetic strips, etc.), optical disks (e.g., CDs, DVDs, etc.), smart cards, and flash. Includes, but is not limited to, memory devices (e.g., EEPROM, cards, sticks, key drives, etc.). Additionally, various storage media presented herein include one or more devices and/or other machine-readable media for storing information.

It is to be understood that the specific order or hierarchy of steps in the processes presented is an example of illustrative approaches. It is to be understood that the specific order or hierarchy of steps in processes may be rearranged within the scope of the present disclosure, based on design priorities. The appended method claims present elements of the various steps in a sample order but are not meant to be limited to the particular order or hierarchy presented.

The description of the presented embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments without departing from the scope of the disclosure. Thus, the present disclosure is not limited to the embodiments presented herein but is to be interpreted in the broadest scope consistent with the principles and novel features presented herein.

Claims (12)

A method for performing fuzzing in a computing device including a processor, comprising:
selecting a first port among the at least one port based on whether pairing is required for each of the at least one port included in the device;
In order to enter the first port into a predetermined first state, transmitting to the first port a first state transition packet in which a command corresponding to the predetermined first state is mapped;
determining a first current state of the first port based on a first response packet to the first state transition packet received from the first port;
When the first current state of the first port corresponds to the predetermined first state, generating a first test packet in which at least one field included in the command corresponding to the predetermined first state is mutated. steps;
transmitting the first test packet to the first port; and
determining whether a vulnerability exists in the first port based on a second response packet to the first test packet received from the first port;
Including,
method.
According to claim 1,
The step of selecting the first port is,
requesting the pairing from among the at least one port, and selecting the first port capable of communication while ignoring the pairing request;
Including,
method.
According to claim 1,
The step of selecting the first port is,
selecting the first port that does not require pairing from among the at least one port;
Including,
method.
According to claim 1,
Before transmitting the first state transition packet to the first port,
Classifying a plurality of predetermined states into a plurality of groups according to a communication protocol of the device based on a job; and
mapping a command corresponding to each of the plurality of groups;
Including,
method.
According to claim 1,
At least one field included in the command is:
A fixed field contains data that is fixed and cannot be changed;
a dependent field containing data that is dependent on another field; and
A mutable field containing mutable data;
Including,
method.
According to claim 5,
The deformation field is,
a core field containing data related to at least one of the device's communication channels or ports; and
an application field containing data related to application software;
Including,
method.
According to claim 6,
When the first current state of the first port corresponds to the predetermined first state, a first test packet in which the at least one field included in the command corresponding to the predetermined first state is mutated The steps to create are:
If the first current state of the first port corresponds to the predetermined first state, generating the first test packet with a key field included in the command modified;
Including,
method.
delete According to claim 1,
The step of determining whether a vulnerability exists in the first port based on a second response packet to the first test packet received from the first port includes:
If the second response packet and the pre-stored normal response packet are different from each other, determining that a vulnerability caused by the first test packet is present in the first port; and
generating information about the developed vulnerability;
Including,
method.
According to claim 1,
In order to enter the first port into a predetermined second state that is different from the first state, a second state transition packet in which a command corresponding to the predetermined second state is mapped is sent to the first port. Transferring to;
determining a second current state of the first port based on a third response packet to the second state transition packet received from the first port;
When the second current state of the first port corresponds to the predetermined second state, generating a second test packet in which at least one field included in the command corresponding to the predetermined second state is mutated. steps; and
performing a fuzzing test of the first port using the second test packet;
Containing more,
method.
A computer program stored on a computer-readable storage medium, the computer program comprising instructions for causing a processor of a computing device to perform fuzzing, the steps comprising:
selecting a first port among the at least one port based on whether pairing is required for each of the at least one port included in the device;
In order to enter the first port into a predetermined first state, transmitting to the first port a first state transition packet in which a command corresponding to the predetermined first state is mapped;
determining a first current state of the first port based on a first response packet to the first state transition packet received from the first port;
When the first current state of the first port corresponds to the predetermined first state, generating a first test packet in which at least one field included in the command corresponding to the predetermined first state is mutated. steps;
transmitting the first test packet to the first port; and
determining whether a vulnerability exists in the first port based on a second response packet to the first test packet received from the first port;
Including,
A computer program stored on a computer-readable storage medium.
In a computing device for performing fuzzing,
A processor including at least one core;
a memory storing a computer program executable by the processor; and
network department;
Including,
The processor,
Selecting a first port among the at least one port based on whether pairing is required for each of the at least one port included in the device,
In order to enter the first port into a predetermined first state, a first state transition packet in which a command corresponding to the predetermined first state is mapped is transmitted to the first port,
Determine a first current state of the first port based on a first response packet to the first state transition packet received from the first port,
When the first current state of the first port corresponds to the predetermined first state, generating a first test packet in which at least one field included in the command corresponding to the predetermined first state is mutated. do,
transmit the first test packet to the first port, and
Determining whether a vulnerability exists in the first port based on a second response packet to the first test packet received from the first port,
Computing device.

Images