e-mail: stefan.taber@inso-world.com
Fingerprint GPG Key: 5719 0AC2 AB34 FB24 DCCE CC33 F0B3 91CF 8DAA 9069
Office Location: Wiedner Hauptstraße 76/2/2, 1040 Vienna, Austria
Office Hours: Monday 04.30-05.30PM (ESSE Office Hours: please write an e-mail to check whether I will be there myself)
Office Hours during holidays: by appointment
For a few years I have been involved in teaching several lectures about IT security, including
Currently I'm working on a framework to perform automated security tests on applications with a graphical user interface. More details about the framework can be found here.
Christian Schanes, Stefan Taber, Karin Popp, Florian Fankhauser and Thomas Grechenig. Security test approach for automated detection of vulnerabilities of SIP-based VoIP softphones. International Journal On Advances in Security, 4, 95–105 (September 2011). IEEE Computer Society Press.
Voice over Internet Protocol based systems replace phone lines in many scenarios and are in wide use today. Automated security tests of such systems are required to detect implementation and configuration mistakes early and in an efficient way. In this paper we present a plugin for our fuzzer framework fuzzolution to automatically detect security vulnerabilities in Session Initiation Protocol based Voice over Internet Protocol softphones, which are examples for endpoints in such telephone systems. The presented approach automates the interaction with the Graphical User Interface of the softphones during test execution and also observes the behavior of the softphones using multiple metrics. Results of testing two open source softphones by using our fuzzer showed that various unknown vulnerabilities could be identified with the implemented plugin for our fuzzing framework.
Keywords: Software testing; Computer network security; Graphical user interfaces; Internet telephony; Fuzzing
Markus Gruber, Florian Fankhauser, Stefan Taber, Christian Schanes and Thomas Grechenig. Security status of VoIP based on the observation of real-world attacks on a honeynet. In The Third IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT) (October 2011a).
VoIP (Voice over IP) systems are more and more replacing PSTN (Public Switched Telephone Network) infrastructures, which increases the dependency on available and secure VoIP systems for successful business. Attacks against VoIP systems are becoming more imaginative and many attacks can cause damage, e.g., gain money for attackers or create costs for the victim. Therefore, in this paper the current security status of VoIP systems is described with observations of VoIP attacks in a honeynet. The achieved results can help to adapt existing prevention systems to avoid the recognized and analyzed attacks in a productive environment.
Keywords: Security, Internet telephony, Intrusion detection, Communication system security
Christian Schanes, Florian Fankhauser, Stefan Taber and Thomas Grechenig. Generic data format approach for generation of security test data. In The Third International Conference on Advances in System Testing and Validation Lifecycle, October 2011, Barcelona, Spain (October 2011). IEEE Computer Society Press.
Security testing is an important and at the same time also expensive task for developing robust and secure systems. Test automation can reduce costs of security tests and increase test coverage and, therefore, increase the number of detected security issues during development. A common data format as the basis for specific test cases ensures that the implementation of the generation logic for security test data is only needed once and can be used for various data formats by transforming the data to the common data format, generating the test data and transforming back to the original data format. The introduced approach makes it possible to generate test data for various formats using a single implementation of the generation algorithm and to apply the results to specific test cases in different data formats.
Keywords: Software testing; Computer network security; Fuzzing
Markus Gruber, Florian Fankhauser, Stefan Taber, Christian Schanes and Thomas Grechenig. Trapping and analyzing malicious VoIP traffic using a honeynet approach. In The 6th International Conference on Internet Technology and Secured Transactions (ICITST) (December 2011b).
For several years the number of VoIP (Voice over IP) infrastructures has been increasing and, consequently, the number of VoIP users has been increasing too. Under these circumstances VoIP systems get more and more attractive for attackers, since the probability of successful attacks increases and attackers gain benefits, e.g., money with fee-based telephone numbers. Therefore, this paper describes a solution to capture, monitor and report VoIP attacks to gain more knowledge on current and new VoIP attacks.
Keywords: Security, Internet telephony, Intrusion detection, Communication system security
Stefan Taber, Christian Schanes, Clemens Hlauschek, Florian Fankhauser and Thomas Grechenig. Automated security test approach for SIP-based VoIP softphones. In The Second International Conference on Advances in System Testing and Validation Lifecycle, August 2010, Nice, France (August 2010). IEEE Computer Society Press. [ DOI: https://doi.org/10.1109/VALID.2010.20 ]
Voice over Internet Protocol based systems become more and more part of business critical IT infrastructures. To increase the robustness of voice applications, automated security testing is required to detect security vulnerabilities in an efficient way. In this paper we present a fuzzer framework to detect security vulnerabilities in Voice over Internet Protocol Softphones, which implement Session Initiation Protocol. The presented approach automates the Graphical User Interface interaction for softphones during fuzzing and also observes the behavior of the softphone Graphical User Interfaces to automatically detect application errors. Results of testing two open source softphones by using our fuzzer showed that various unknown vulnerabilities could be identified with the implemented fuzzer and some vulnerabilities were found that are only detectable by using Graphical User Interface observation.
Keywords: ESSE, Software testing; Computer network security; Graphical user interfaces; Internet telephony; Fuzzing