Karin Kernegger

Christian Schanes, Stefan Taber, Karin Popp, Florian Fankhauser and Thomas Grechenig. Security test approach for automated detection of vulnerabilities of sip-based voip softphones. International Journal On Advances in Security, 4, 95–105 (September 2011). IEEE Computer Society Press.
<sub>Voice over Internet Protocol based systems replace phone lines in many scenarios and are in wide use today. Automated security tests of such systems are required to detect implementation and configuration mistakes early and in an efficient way. In this paper we present a plugin for our fuzzer framework fuzzolution to automatically detect security vulnerabilities in Session Initiation Protocol based Voice over Internet Protocol softphones, which are examples for endpoints in such telephone systems. The presented approach automates the interaction with the Graphical User Interface of the softphones during test execution and also observes the behavior of the softphones using multiple metrics. Results of testing two open source softphones by using our fuzzer showed that various unknown vulnerabilities could be identified with the implemented plugin for our fuzzing framework.

Keywords: Software testing; Computer network security; Graphical user interfaces; Internet telephony; Fuzzing</sub>