TELKOMNIKA, Vol. 11, No. 8, August 2013, pp. 4832~4840
e-ISSN: 2087-278X
Received April 4, 2013; Revised May 27, 2013; Accepted June 6, 2013
Wi-Fi Protocol Vulnerability Discovery based on Fuzzy Testing
Kunhua Zhu*1, Guohong Zhu2
1 School of Information Engineering, Henan Institute of Science and Technology, Xinxiang 453003, Henan, China
2 College of Computer and Information Engineering, Henan Normal University, Xinxiang 453002, Henan, China
*Corresponding author, e-mail: zwkh100@163.com
Abstract
To detect whether wireless network equipment has protocol vulnerabilities, we use a modular design to implement a new fuzzy test framework suited to Wi-Fi protocol vulnerability discovery. The framework is independent of the transmission medium, produces malformed packets and carries out the attack on the target system. This paper first describes wireless network protocol vulnerability discovery and fuzzy testing, then focuses on the technical scheme of the test framework, its detailed technical realization and related aspects, and analyzes its application. In the experimental stage the fuzzy test is applied to a wireless network gateway; the test results show that the fuzzy test framework can be applied well to protocol vulnerability mining on wireless network equipment.

Keywords: Wi-Fi protocol, fuzzy testing, vulnerability discovery

Copyright © 2013 Universitas Ahmad Dahlan. All rights reserved.
1. Introduction
With the wide deployment of wireless networks, the security of wireless network protocols is attracting more and more attention. Wi-Fi is the nickname of the wireless network protocol IEEE 802.11b; it is a short-range wireless transmission technology that can provide Internet access over a radio signal within a range of hundreds of feet. As the technology developed, the IEEE 802.11 family of standards as a whole came to be referred to as Wi-Fi. Since the technology emerged in 1999, Wi-Fi has been widely used in many areas, is developing very rapidly, and has greatly changed the way people live and work. At present Wi-Fi is used in Bluetooth headsets, radios, printers, cameras and notebooks; it is even used in the manufacture of mosquito nets, in-vitro drug delivery and wireless glasses, and over the past two years mobile devices have increasingly run intelligent operating systems with Wi-Fi functionality, a market worth billions of dollars each year. However, the security of new Wi-Fi protocols and new applications is seldom considered, so many vulnerabilities exist; and as the Wi-Fi protocol continues to expand, the more related protocols there are and the more complex they become, the more convenient the conditions created for intrusion by hackers and the spread of viruses. Compared with the traditional wired network, from a security point of view the wireless network always faces new and different network and terminal threats; therefore Wi-Fi security testing and vulnerability discovery is of great significance.
At present, international work on Wi-Fi security testing and vulnerability discovery is still in its initial stage. In 2006, two senior researchers from SecureWorks, Johnny Cache and David Maynor [1, 2], released the first 802.11 wireless driver vulnerabilities at Black Hat in the United States; through this vulnerability they successfully broke into a MacBook [3, 4]. The same year, a student named Seng Ooh Toh from the Georgia Institute of Technology found a flaw in the firmware of an 802.11 wireless network card while completing a project: if the access point sends probe response data frames in which the Service Set ID length is set to 0, some wireless cards stop responding [5, 6]. More researchers then did related work in succession: in 2006, senior lecturer Chris Eagle of the Naval Postgraduate School in California, combining fuzzing and manual analysis, found vulnerabilities in Broadcom's wireless device driver; in 2007, the researcher Laurent Butti, from the network and service security laboratory of Orange Labs, France Telecom Network, gave the talk "Wi-Fi Advanced Fuzzing" at Black Hat Europe 2007 presenting his results: using Scapy and Metasploit to fuzz-test Wi-Fi, he found a lot of bugs. Similar work abroad has basically aimed at improving existing testing frameworks, while Wi-Fi applications have become quite extensive [7] and a growing number of consumer electronics products support wireless connectivity. At present the Wi-Fi protocol continues to expand, and the increase in complexity will inevitably bring more bugs, which should attract more attention to Wi-Fi security detection and vulnerability mining.
Fuzzy testing is an automated software testing technology based on fault injection: a large amount of semi-valid data is injected into the target software, and the program is monitored for abnormal conditions in order to find potential security vulnerabilities [8, 9]. Using the fuzzy test method does not guarantee that all program errors will be found, but any error found through this tentative fuzzy testing must be caused by some part of the code under test.
To improve efficiency as far as possible, the fuzzy unit test scheme needs to be optimized. Fuzzy testing has two key operations: producing malformed data, and observing whether the application behaves abnormally. Both operations have the following problems [8]:
(1) At present no mature, optimized theory exists for generating malformed data, and many established methods are not very practical [9]. For example, if the fuzzer exhaustively produces every possible combination of malformed protocol data, then both the time to generate the data and the time for the target under test to respond rise dramatically, which makes the test laborious and inefficient; if the fuzzer produces malformed data at random, then even when a problem is found it is difficult to locate it accurately.
(2) A monitor is needed to observe whether the application is abnormal. But what method should it use to decide that the response of the target under test is abnormal, and whether the anomaly is a discovered vulnerability? A network protocol fuzzer can only have a good effect in practical application if it solves these two problems [10].
This paper focuses on a fuzzy test framework for vulnerability discovery in the 802.11 wireless network protocol; the framework uses an optimized data generation method in order to improve the efficiency and effect of fuzzy testing.
2. Network Protocol Fuzzy Tester
The test objects of a network protocol fuzzer are mainly the network protocol analysis modules of all kinds of network products; the purpose is to test for the existence of vulnerabilities in the code that assembles and parses network protocols. The idea is that the fuzzy controller communicates with the target under test, sends the target application mutated or error-containing fuzz values, and monitors the target application to discover errors.
According to whether the contents of adjacent packets are related, protocols can be divided into stateless protocols and stateful protocols. A stateless protocol is one in which adjacent packets have no contextual relationship, such as multiple ICMP Requests, each of which is a separate request. A stateful protocol is one in which adjacent packets are contextually related; for example, in RTSP (real time streaming protocol) there is a series of related state changes from session initiation to session termination, and the system may contain vulnerabilities that only exist in a particular state. For a stateless protocol, the fuzzing unit treats each input as an independent module; for a stateful protocol, the fuzzer performs its testing mechanism according to the state of the protocol.
To use a network protocol fuzzer for fuzzy testing, we first need to study the specifications and standards of the various protocols in order to create reasonable test data. At present there are two most common plans for network protocol fuzzy testing. Plan 1 is the client/server test mode, in which the fuzzer and the object under test are the two ends of the testing process respectively, as shown in Figure 1. Here the fuzzer can take the client role, used to test a server program, such as the security of a Web service program. The fuzzer can also take the server role, used to test the safety of a client program; for example, the fuzzer can be a DHCP (dynamic host configuration protocol) server used for testing the safety of a DHCP client.
Figure 1. Network Protocol Fuzzy Test Plan 1
Figure 2. Network Protocol Fuzzy Test Plan 2
Plan 2 of network protocol fuzzy testing tests equipment deployed in the middle of the network, such as firewalls, routers and security gateways, as shown in Figure 2. The fuzzer constructs data to be sent to the protocol server process; the object under test sits between the fuzzer and the protocol server and performs its reassembly and analysis function on the traffic, and once an error occurs in the reassembly and analysis process it may cause the object under test to enter an abnormal state. The monitoring module of the fuzzer collects and analyzes the abnormal states of the tested object and ultimately locates the vulnerability. Through this method, vulnerabilities in the object under test's network protocol processing can be found.
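The distinction between stateless and stateful protocols decides how a fuzzer schedules its cases. The following is an added example, not code from the paper: for a stateless protocol every mutation is a case on its own, while for a stateful protocol each case replays the legal messages that reach a given state and then sends one mutated message in that state. The RTSP-like session model (states INIT, READY, PLAYING; verbs SETUP, PLAY, TEARDOWN), the message texts and the mutation rule are assumptions made for illustration.

```python
# Added example (not the paper's own code): scheduling fuzz cases for a
# stateless protocol versus a stateful one. The RTSP-like state machine,
# message texts and the mutation rule are assumptions made for illustration.


# ---- stateless protocol: every input stands alone (cf. ICMP Echo Request) ----
def stateless_cases(base_message: bytes, mutations: list) -> list:
    """One test case per mutation, with no preceding traffic required."""
    return [[base_message.replace(b"<PAYLOAD>", m)] for m in mutations]


# ---- stateful protocol: a case is the legal prefix that reaches a state,
# ---- followed by one mutated message sent in that state
VALID_SEQUENCE = [
    b"SETUP rtsp://host/stream RTSP/1.0",
    b"PLAY rtsp://host/stream RTSP/1.0",
    b"TEARDOWN rtsp://host/stream RTSP/1.0",
]
# (current state, request verb) -> next state; assumed minimal session model
TRANSITIONS = {
    ("INIT", "SETUP"): "READY",
    ("READY", "PLAY"): "PLAYING",
    ("PLAYING", "TEARDOWN"): "INIT",
}


def next_state(state: str, message: bytes) -> str:
    """Advance the session model; an unexpected verb leaves the state unchanged."""
    verb = message.split(b" ", 1)[0].decode("ascii", "replace")
    return TRANSITIONS.get((state, verb), state)


def stateful_cases(mutations: list) -> list:
    """For each protocol state, replay the valid messages that reach it, then
    send the next message with its URL field replaced by a mutation."""
    cases = []
    for depth, template in enumerate(VALID_SEQUENCE):
        prefix = VALID_SEQUENCE[:depth]
        state = "INIT"
        for msg in prefix:
            state = next_state(state, msg)
        for mut in mutations:
            mutated = template.replace(b"rtsp://host/stream", mut)
            cases.append({"state": state, "messages": prefix + [mutated]})
    return cases


if __name__ == "__main__":
    muts = [b"A" * 4096, b"rtsp://host/%n%n%n", b""]
    for case in stateful_cases(muts):
        print(case["state"], len(case["messages"]), case["messages"][-1][:40])
```

Each stateful case is self-contained, so the target can be reset between cases and a failure can be attributed to a specific state plus a specific mutation, which is exactly the locating problem the random approach in Section 1 lacks.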
3. Fuzzy Test Scheme for the Wireless Network Protocol Wi-Fi
Below we expound the fuzzy test framework for vulnerability discovery in the 802.11 wireless network protocol from several aspects: the framework design, the detailed technical implementation, the fuzzy test process, and the formation of defective packets and monitoring.
3.1. The Concept of the IEEE 802.11 Protocol
The frame structure of the MAC layer and physical layer is defined as shown in Figure 3; the relationship between the messages and services defined by IEEE 802.11 is shown in Figure 4.
Figure 3. Generic Wi-Fi MAC Frame Format
Figure 4. The relationship between IEEE 802.11 messages and the services
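The generic MAC frame of Figure 3 is the structure every test packet in this paper is built on, so the following added example (not code from the paper) shows a bounds-checked parser for it: the fixed MAC header, the beacon's fixed fields, and the information-element (IE) list that follows. It refuses any IE whose declared length runs past the buffer and includes the size check a fixed 256-byte buffer would need before an IE is copied into it. The sample beacon bytes are constructed here; frames are assumed to arrive without the trailing 4-byte FCS, as most capture drivers deliver them.

```python
# Added example (not the paper's own code): a bounds-checked parser for the
# generic 802.11 MAC header and the information elements (IEs) that follow
# the fixed fields of a beacon body. The sample beacon is constructed here;
# frames are taken without the trailing 4-byte FCS.
import struct


def parse_mac_header(frame: bytes) -> dict:
    """Split Frame Control, Duration/ID, Address 1-3, Sequence Control (and the
    optional Address 4 / QoS Control) from the frame body."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    addrs = [frame[4 + 6 * i: 10 + 6 * i] for i in range(3)]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    hdr_len = 24
    wds = ftype == 2 and to_ds and from_ds       # four-address data frame
    if wds:
        hdr_len += 6
    if ftype == 2 and subtype & 0x8:             # QoS data frame adds QoS Control
        hdr_len += 2
    if len(frame) < hdr_len:
        raise ValueError("header needs %d bytes, frame has %d" % (hdr_len, len(frame)))
    if wds:
        addrs.append(frame[24:30])
    return {"type": ftype, "subtype": subtype, "duration": duration, "addrs": addrs,
            "seq": seq_ctl >> 4, "frag": seq_ctl & 0xF, "body": frame[hdr_len:]}


def parse_ies(data: bytes) -> list:
    """Walk TLV information elements, refusing any IE whose declared length
    runs past the end of the buffer (the bug class discussed in section 3.6)."""
    ies, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated IE header at offset %d" % off)
        eid, length = data[off], data[off + 1]
        if off + 2 + length > len(data):
            raise ValueError("IE %d declares %d bytes, only %d remain"
                             % (eid, length, len(data) - off - 2))
        ies.append((eid, data[off + 2: off + 2 + length]))
        off += 2 + length
    return ies


def ie_fits_buffer(ie_body: bytes, buf_size: int = 256) -> bool:
    """Check before copying a whole IE (2-byte header + body) into a fixed
    buffer: a 255-byte body gives 257 bytes, too much for a 256-byte buffer."""
    return 2 + len(ie_body) <= buf_size


def parse_beacon(frame: bytes) -> dict:
    """Parse a beacon: MAC header, timestamp/interval/capability, then IEs."""
    hdr = parse_mac_header(frame)
    if hdr["type"] != 0 or hdr["subtype"] != 8:
        raise ValueError("not a beacon (management frame, subtype 8)")
    body = hdr["body"]
    if len(body) < 12:
        raise ValueError("beacon fixed fields truncated")
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    ssid = next((v for eid, v in ies if eid == 0), None)
    return {"bssid": hdr["addrs"][2], "seq": hdr["seq"], "timestamp": timestamp,
            "interval": interval, "cap": cap, "ssid": ssid, "ies": ies}


# Constructed sample: beacon from BSSID 00:11:22:33:44:55, SSID "lab-ap", seq 10
SAMPLE_BEACON = (
    b"\x80\x00"                      # Frame Control: type 0 (mgmt), subtype 8 (beacon)
    + b"\x00\x00"                    # Duration
    + b"\xff" * 6                    # Address 1: broadcast
    + bytes.fromhex("001122334455")  # Address 2: source
    + bytes.fromhex("001122334455")  # Address 3: BSSID
    + b"\xa0\x00"                    # Sequence Control: seq 10, fragment 0
    + b"\x00" * 8                    # timestamp
    + b"\x64\x00"                    # beacon interval 100 TU
    + b"\x01\x00"                    # capability: ESS
    + b"\x00\x06lab-ap"              # IE 0: SSID
    + b"\x01\x04\x82\x84\x8b\x96"    # IE 1: Supported Rates
    + b"\x03\x01\x06"                # IE 3: DS Parameter Set, channel 6
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BEACON))
```

A zero-length SSID IE parses as an empty value rather than an error, which matches the point made in Section 3.5 that an anomaly element is not necessarily illegal; the driver-side question is only whether the implementation handles it.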
3.2. Wireless Network Protocol Fuzzy Controller Design Framework
The test object of the wireless network protocol fuzzy controller is mainly the bugs in wireless connection device drivers; it locates them so that these problems can be eliminated. We designed a new fuzzy test framework which can produce malformed packets, carry out the attack on the target system, and is independent of the transmission medium. The fuzzy testing framework consists of nine modules, as shown in Figure 5.
(6) Monitor: monitors the state of the object being tested. It is mainly responsible for collecting and analyzing the responses of the target equipment and its state, and in turn judging whether the target equipment is in an abnormal situation. For example, if the response returned by the target device does not conform to the RFC (request for comments), this indicates an abnormality in the equipment. When an exception occurs, the monitor reports it to the attack controller.
(7) Measured unit: an optional component. A monitoring program in the unit under test can exchange the status of the unit with the transmitter, to detect whether the attack was successful, which helps to decide what attack should be carried out next.
(8) Access point: an optional component. The access point transfer device is used to generate and exchange legal packets between the access point and the measured unit, so that the behavior of the system can be observed while the attack and a real access point transferring correct data take place at the same time.
(9) Vulnerability confirmation and analysis: once it is determined that the target under test has a fault, it is necessary to determine whether the bug found can be reproduced, and after successful reproduction, further judgment must be made as to whether the bug is exploitable.
Figure 5. The Frame Structure of the Wireless Network Protocol Fuzzy Controller
Figure 6. The Composition of the Test Equipment
3.3. Detailed Technical Realization of the Test Equipment
The test equipment is made up of four parts, as shown in Figure 6.
(1) Controller: the controller forms Wi-Fi packets containing malformed data (such as out-of-range values and repeated tags) and sends them through the Wi-Fi interface to the measured unit; each data packet is sent several times to ensure that the measured unit can receive it. At the same time, the controller monitors the test data and stores the collected data on the hard disk for later analysis.
(2) Measured unit: the measured unit is a Wi-Fi destination device. It runs a monitoring program that regularly connects to the controller's monitor and reports the currently detected access point list and any existing link state.
(3) Host computer: the measured unit and the host are connected through the USB interface. The host runs Windows XP and Microsoft sync software, which allows the measured unit and the host to communicate over TCP across the USB link, and the host and the controller are connected over TCP on the LAN. Thus the control program on the measured unit does not need to occupy the Wi-Fi medium to interact with the attack controller.
(4) The real access point: the real access point is an off-the-shelf access point application installed on Windows XP. It lets the measured unit pass through each state of the Wi-Fi protocol, so that the coding complexity of the controller is kept under control and specific data frames can be injected in each state.
3.4. The Implementation Process of Fuzzy Testing
The process of implementing a fuzzy test with this framework is as follows:
(1) Determine the target object. The task of this phase is to determine the object under test and define the test range. The following questions usually need to be considered: the type of the target under test, for example whether it is a client or server program, and whether it implements an application-layer or a network-layer protocol; and the history of the target, that is, whether vulnerabilities have appeared in it before and what the reasons for those vulnerabilities were.
(2) Edit the strategy. According to the characteristics of the target, add new or modify existing data generation strategies. For example, to test the processing ability of a network device's HTTP (hypertext transfer protocol) implementation, the data generation strategy for options such as the HTTP protocol version, Method and Request-Header can be edited. After editing is finished, the strategy is issued to the core engine.
(3) Generate fuzzy test data. The core engine uses mutation, modification of default values and other means to generate malformed data. For example, the fields of network packets captured by a network sniffer can be mutated or modified, and a particular field of a network packet can be subjected to operations such as setting terminators or inserting invalid strings.
(4) Perform tests and monitoring. Performing a test is the process of running a particular test strategy. When sending packets, the number of concurrent processes and the order of the packets can be chosen. The monitor is also started to monitor the operation of the target.
(5) Vulnerability confirmation and analysis. Once it is determined that the target under test has a fault, it is necessary to determine whether the bug found can be reproduced, and after successful reproduction, further judgment must be made as to whether the bug is exploitable. The most commonly used means of reproducing the failure is replay detection, in which a packet replay tool dumps the network packets and replays them.
3.5. Data Formation and Abnormality Monitoring
First of all, this framework uses an optimized grouping method to address the inefficiency of creating malformed data. To clarify the data construction method, we first define a concept: anomaly elements. In this definition, an anomaly element is a piece of data used to excite unexpected behavior of the target under test. A test case can contain one or more anomaly factors. Anomaly factors often violate the protocol specification, but in some cases their value is not illegal; whether such values are appropriate must be considered when testing the protocol implementation. The following takes the 802.11a protocol as an example to illustrate the process of constructing the test data. An 802.11a protocol test datum can be regarded as a Wi-Fi packet consisting of fields; each field may be made up of anomaly elements or of normal elements, that is, a Wi-Fi packet can contain one or more anomaly factors. To achieve the purpose of the test, a test datum should contain at least one anomaly factor.
For instance, in the fuzzy test framework the Fuzz() function can randomly generate any frame in the following ways, even if a value was not provided for it (the Dot11, Dot11Beacon and Dot11Elt layers are Scapy packet constructors):
(1) In a beacon, whether to randomly fuzz the IEs:
    frame = Dot11(proto=0, FCfield=0, ID=0, addr1=DST, addr2=BSSID, addr3=BSSID, SC=0, addr4=None)/Dot11Beacon(beacon_interval=100, cap="ESS")/Dot11Elt()
(2) Whether to randomly fuzz the SSID of a beacon:
    frame = Dot11(proto=0, FCfield=0, ID=0, addr1=DST, addr2=BSSID, addr3=BSSID, SC=0, addr4=None)/Dot11Beacon(beacon_interval=100, cap="ESS")/Dot11Elt(ID=0)
(3) Whether to randomly fuzz 802.11 packets:
    frame = Dot11(addr1=DST, addr2=BSSID, addr3=BSSID, addr4=None)
The composition of the test cases is shown in Figure 7. The test data form a very large space, and the protocol defects of the network equipment under test are unknown. Testing the entire collection would consume a lot of time, so it is necessary to optimize the grouping of the test data in order to find a representative set of test cases.
The optimized packets can be divided into four groups: known-vulnerability values, specified values, random values of particular options, and the full data collection. Among them, one of the most important kinds of generated data is based on mutating the characteristics of known exploits, because a program in which vulnerabilities have appeared in the past often still has weak points. Known vulnerabilities can be obtained from CNNVD, CVE (Common Vulnerabilities and Exposures), CERT/CC (Computer Emergency Response Team Coordination Center), Sequoia, etc., so that we can quickly find the protocols in which there are security flaws and use them as a reference for generating malformed data.
Figure 7. Test Data Component Diagram
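The grouping described in this section can be turned into a generator that guarantees the "at least one anomaly factor" rule and orders the output by group. The following is an added example, not code from the paper or from its framework: it models a beacon's IE fields, keeps one anomaly pool per field (known-vulnerability values first, then specified boundary values, then seeded random values), emits one case per field-and-anomaly pair with every other field normal, and serializes a case to the IE bytes a beacon body would carry, including a deliberately wrong length byte ("cross-border value") and a repeated IE ("repeat label"). The IE field list, the contents of the anomaly pools and the group order are assumptions.

```python
# Added example (not the paper's own code): building fuzz cases from a field
# model in which every case carries at least one anomaly element, with the
# anomaly pools grouped as section 3.5 describes. The IE field list, the
# anomaly pools and the group order are assumptions.
from dataclasses import dataclass
import random


@dataclass
class IEField:
    eid: int
    name: str
    normal: bytes           # value used when the field is NOT the anomaly


@dataclass
class Anomaly:
    group: str              # "known_vulnerability" | "specified_value" | "random_value"
    note: str
    value: bytes
    declared_len: int = -1  # -1: honest length byte; else a wrong "cross-border" length
    repeat: int = 1         # >1 emits the same IE several times ("repeat label")


GROUP_ORDER = {"known_vulnerability": 0, "specified_value": 1, "random_value": 2}

FIELDS = [
    IEField(0, "SSID", b"lab-ap"),
    IEField(1, "Supported Rates", b"\x82\x84\x8b\x96"),
    IEField(3, "DS Parameter Set", b"\x06"),
    IEField(221, "Vendor Specific (WPA)", b"\x00\x50\xf2\x01\x01\x00"),
]


def anomalies_for(fld: IEField, rng: random.Random, n_random: int = 2) -> list:
    """Anomaly pool for one field; only the known-vulnerability entries are field-specific."""
    pool = []
    if fld.eid == 0:     # historical: a zero-length SSID stalled some cards (section 1)
        pool.append(Anomaly("known_vulnerability", "zero-length SSID", b""))
    if fld.eid == 221:   # historical: a 255-byte IE overflows a 256-byte static buffer (section 3.6)
        pool.append(Anomaly("known_vulnerability", "max-length WPA IE",
                            b"\x00\x50\xf2\x01" + b"\x41" * 251))
    pool += [
        Anomaly("specified_value", "maximum body length", b"\xff" * 255),
        Anomaly("specified_value", "declared length beyond actual bytes", fld.normal, declared_len=255),
        Anomaly("specified_value", "IE repeated three times", fld.normal, repeat=3),
    ]
    for _ in range(n_random):
        body = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 64)))
        pool.append(Anomaly("random_value", "random bytes", body))
    return pool


def build_cases(fields: list, rng: random.Random) -> list:
    """One case per (field, anomaly): that field carries the anomaly, all others
    stay normal, so every case has exactly one anomaly factor. Cases are sorted
    by group so the historical-vulnerability packets go out first."""
    cases = []
    for fld in fields:
        for anom in anomalies_for(fld, rng):
            values = {f.name: f.normal for f in fields}
            values[fld.name] = anom
            cases.append({"fields": values, "anomalies": [(fld.name, anom)]})
    cases.sort(key=lambda c: GROUP_ORDER[c["anomalies"][0][1].group])
    return cases


def encode_ie(eid: int, value: bytes, declared_len: int = -1) -> bytes:
    """TLV encoding; a declared_len >= 0 overrides the honest length byte."""
    length = len(value) if declared_len < 0 else declared_len
    return bytes([eid, length & 0xFF]) + value


def encode_case(case: dict, fields: list = FIELDS) -> bytes:
    """Serialize a case to the IE byte string that follows the beacon fixed fields."""
    out = b""
    for fld in fields:
        entry = case["fields"][fld.name]
        if isinstance(entry, Anomaly):
            out += encode_ie(fld.eid, entry.value, entry.declared_len) * entry.repeat
        else:
            out += encode_ie(fld.eid, entry)
    return out


if __name__ == "__main__":
    for case in build_cases(FIELDS, random.Random(7)):
        name, anom = case["anomalies"][0]
        print(f"{anom.group:20} {name:22} {anom.note:38} {len(encode_case(case))} bytes")
```

With four fields and two random values per field this yields 22 cases instead of the Cartesian product of every field with every anomaly, which is the sense in which the grouping makes the test set representative rather than exhaustive.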
3.6. An Example of a Program Bug Found Using the Fuzzy Test Framework
For example, using the fuzzy test method, bugs were found in a specific WPA tester. The content is as follows: the IE payload must contain a valid WPA header (OUI + Type + Version). The vulnerable code is located in net80211/ieee80211_wireless.c, in the static buffer defined in giwscan_cb(), as shown in Figure 8:
Figure 8. Static Buffer Defined in giwscan_cb()
Figure 9. Security Bug Code
The RSN and WME information elements are handled by the same code. The first security bug is shown in Figure 9: ielen is the length of the 802.11 IE and may be 257; if it is not given an appropriate value, the static buffer will overflow. These bugs are triggered through SIOCGIWSCAN; the vulnerable code is only reached by an abnormal 802.11 frame, after a scan has been triggered with SIOCSIWSCAN. The driver may parse those abnormal 802.11 frames during the scan, but any other application using the wireless tools API will also trigger the bug.
3.7. This Framework Uses Reconnaissance Packets to Monitor the Target Object
In the fuzzy test process, the most common target monitoring methods include simple observation and analysis, reconnaissance packet recognition, debugger tracking, dynamic binary instrumentation, etc. This framework uses the reconnaissance packet recognition method: a group of malformed test data is sent to the target under test, followed by a normal (reconnaissance) packet, and the running state of the target is monitored by analyzing its response to the reconnaissance packet.
Because the set of system responses caused by vulnerabilities in the object under test is inherently unpredictable, in the design of this framework the monitor is a program module of the fuzzy controller; when the following conditions appear, the monitor analyzes the response of the object under test to determine whether there is a vulnerability:
(1) The response of the object under test does not conform to a standard or norm. For example, if the object under test is a Web server, then after sending a group of malformed test data the fuzzer sends the target host an HTTP GET request as the reconnaissance packet, and analyzes the response received before sending the next group of malformed packets, to determine whether the target system has become abnormal under the malformed packets. By default, the Web server should return an HTTP status code according to the request, see Table 1.
Table 1. HTTP Status Codes
Status Code                  Description
100 Continue                 The client should continue to send the request
…                            …
200 OK                       The request has succeeded; the response header or data body that the request asked for will be returned with this response
…                            …
400 Bad Request              The request contains a syntax error and cannot be understood by the server
500 Internal Server Error    The server encountered an unexpected condition, which prevented it from completing the request processing
…                            …
If the response of the object under test to the reconnaissance packet does not comply with the provisions of the RFC, analysis can focus on it.
(2) Through syslog (the system logging mechanism), SNMP (simple network management protocol), etc., a serious software or hardware disorder in the object under test is detected, such as a system crash, a restart, a hung process, or a segmentation fault being reported.
It should be mentioned that fully automatic monitoring of the fuzzy test process is not yet mature; the monitoring process needs some manual operation to complement it.
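The two monitor conditions above can be implemented directly. The following is an added example, not code from the paper or its framework: check (1) validates the reply to the reconnaissance HTTP GET against the status-line format the RFC requires and the codes of Table 1, treating a missing reply as the hang case; check (2) scans system-log lines for the crash signatures Section 4 greps for (oops, cannot handle, assertion, panic) plus segmentation faults and restarts. The sample replies and log lines are constructed here; the "unable to handle" spelling is an assumed addition to the paper's pattern list.

```python
# Added example (not the paper's own code): the two monitor checks of
# section 3.7, run over constructed reconnaissance replies and log lines.
import re

RFC_STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) [^\r\n]*\r\n")
# Status codes from Table 1 that a healthy target is expected to return
KNOWN_CODES = {100, 200, 400, 500}


def check_http_recon(response) -> dict:
    """Classify the target's reply to the reconnaissance HTTP GET."""
    if not response:
        return {"ok": False, "code": None, "reason": "no response to reconnaissance packet"}
    m = RFC_STATUS_LINE.match(response)
    if m is None:
        return {"ok": False, "code": None, "reason": "status line does not follow RFC format"}
    code = int(m.group(1))
    if not 100 <= code <= 599:
        return {"ok": False, "code": code, "reason": "status code out of range"}
    if code not in KNOWN_CODES:
        return {"ok": True, "code": code, "reason": "unlisted code, flag for manual review"}
    return {"ok": True, "code": code, "reason": "conforms"}


# Crash signatures: the paper's grep list plus segfault/restart wording
CRASH_PATTERNS = [
    ("kernel_oops", re.compile(r"\boops\b", re.I)),
    ("cannot_handle", re.compile(r"(cannot|unable to) handle", re.I)),
    ("assertion", re.compile(r"\bassertion\b", re.I)),
    ("panic", re.compile(r"\bpanic\b", re.I)),
    ("segfault", re.compile(r"segfault|segmentation fault", re.I)),
    ("restart", re.compile(r"\b(reboot|restart)(ing|ed)?\b", re.I)),
]


def scan_syslog(lines) -> list:
    """Return (category, line) for every log line matching a crash signature."""
    hits = []
    for line in lines:
        for category, pat in CRASH_PATTERNS:
            if pat.search(line):
                hits.append((category, line.strip()))
                break
    return hits


def monitor_round(recon_response, log_lines) -> dict:
    """Verdict for one round: a batch of malformed packets, then a reconnaissance packet."""
    reasons = []
    http = check_http_recon(recon_response)
    if not http["ok"]:
        reasons.append("recon: " + http["reason"])
    for category, line in scan_syslog(log_lines):
        reasons.append(f"syslog[{category}]: {line}")
    return {"status": "abnormal" if reasons else "normal", "reasons": reasons}


# Constructed samples (not captured from a real target)
HEALTHY_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
BROKEN_REPLY = b"\x00\xff\x13garbage"
SAMPLE_LOG = [
    "Jun  6 10:01:02 gw kernel: wlan0: associated to 00:11:22:33:44:55",
    "Jun  6 10:01:09 gw kernel: BUG: unable to handle kernel NULL pointer dereference",
    "Jun  6 10:01:09 gw kernel: Kernel panic - not syncing: Fatal exception",
    "Jun  6 10:03:40 gw init: Restarting system",
]

if __name__ == "__main__":
    print(monitor_round(HEALTHY_REPLY, SAMPLE_LOG[:1]))
    print(monitor_round(None, SAMPLE_LOG))
```

Keeping the two checks separate matters for triage: a non-conforming reply with a clean log points at the protocol parser, while a clean reply with a kernel panic in the log points at the driver, which is where Section 4 finds all of its failures.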
4. Application Analysis
The following uses the fuzzy control framework to achieve automatic detection of bugs; the map of the test environment is shown in Figure 10.
Figure 10. Bug Automatic Detection
On Windows, a critical bug will trigger a BSOD (blue screen crash). A script running continuously on the fuzzing station pings the fuzzed station and sends a SIGINT when the victim can no longer respond, so that the fuzzer displays the last test, the one that triggered the bug. On Linux, a bug will dump to the kernel log (system log); a script running on the fuzzed station greps the kernel messages for {oops | cannot handle | assertion | panic}, although this may miss failures in which the wireless device simply stops functioning. Another script continuously listens on the radio for probe requests and sends a SIGINT when no more probe requests arrive.
Fuzzy test process:
(1) Construct the fuzzy test packets. According to the optimization of the test data described above, the data packets are constructed in the sequence: known-vulnerability values, specified values, random values of specific options, and all data packets. By retrieving the historical vulnerabilities related to the Wi-Fi protocol, we find that the related flaws appear in Wi-Fi protocol drivers (such as CVE-2006-6651, CVE-2006-6332, CVE-2006-6125, CVE-2006-6059, CVE-2006-6055, CVE-2006-5972, CVE-2006-5882, CVE-2006-5710, CVE-2006-3992, CVE-2006-3509, CVE-2006-3508, etc.): they allow remote attackers to cause a denial of service through an overflow in command parsing, or to execute arbitrary code via unknown vectors, for example a stack-based overflow in the handling of multiple SSID and Cisco vendor tags in 802.11 management frames. During the test, the framework focuses on the variability of Wi-Fi protocol command option data, such as out-of-range values and repeated tags, and fills related fields of the Wi-Fi protocol with illegal characters.
(2) Perform the tests. Send test packets in the order of the optimized data: first all the historical-vulnerability packets, then all other packets in the generated sequence. Enable the log function of the security gateway under test and capture the interactive process for replay.
(3) Monitoring finds the problem. Reconnaissance packets are sent during the testing process to monitor the object under test: after every 10 abnormal packets, a normal RTSP request is sent. At the same time the network sniffer, the target's system log function and its resource management functions are used to monitor it. The tests found that the security gateway under test showed many instances of system hangs and restarts.
(4) Reproduction. According to the design requirements of the fuzzy test system, once a failure of the target under test is found, the network communication process must be saved for use in replay detection. During the test process, the fuzzing unit captured and saved the 31 data packets of the network interaction process. The statistical results are shown in Table 2.
Table 2. Statistical Results
Name                                                                                                  Occurrence number
1. ieee80211_ioctl.c integer overflow                                                                 1
2. Apple Mac OS X 10.3.9 and 10.4.7 AirPort wireless driver multiple stack-based buffer overflows      2
3. Apple Mac OS X 10.4.7 AirPort wireless driver API integer overflow                                 4
4. Broadcom BCMWL5.SYS wireless device driver stack-based buffer overflow via an 802.11 response frame 20
5. Intel 2200BG 802.11 wireless Mini-PCI driver denial of service                                     4
Total                                                                                                 31
Replaying the 31 interaction data packets, we found that the security gateway restarted in every case. From the statistics we can see that all 31 processing errors are due to errors in the wireless driver's processing of malformed content in the Wi-Fi protocol.
(5) Locating the vulnerabilities. Vulnerability-detection personnel analyzed and assessed these issues and at the same time informed the research and development department of the security gateway vendor, to help them locate and repair the problem as soon as possible. According to the developers' feedback, they have located the vulnerabilities and completed the security patches.
5. Conclusion
This paper introduces the basic concepts of fuzzy testing; we study and design a fuzzy test framework for wireless network protocol vulnerability discovery. Practical tests show that the framework, working with black-box testing methods, can find existing vulnerabilities in wireless network protocols. This also proves that fuzzy testing can be applied well to black-box vulnerability discovery.
Acknowledgements
This work was supported by the Henan provincial natural science foundation research project.
References
[1] Ayewah N, Hovemeyer D, Morgenthaler JD. Using static analysis to find bugs in software. IEEE Software. 2008; 25(5): 22-29.
[2] Abhishek K, Santhi T, Camanilo G. A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack. International Journal of Computer Application. 2011; 26(1): 31-36.
[3] Wondracek G, Comparetti PM, Kruegel C, et al. Automatic network protocol analysis. Proceedings of the 15th Annual Network and Distributed System Security Symposium. 2008; 77-84.
[4] Banks G, Cova M, Felmetsger V, et al. Toward a stateful network protocol fuzzer. Proceedings of the 9th Information Security Conference (ISC). 2006.
[5] Huang YW, Huang SK, Lin TP, et al. Web application security assessment by fault injection and behavior monitoring. Proceedings of the 12th International World Wide Web Conference. New York, NY, USA: ACM Press. 2003; 148-159.
[6] Kaksonen R, Laakso M, Takanen A. Software security assessment through specification mutations and fault injection. Proceedings of Communications and Multimedia Security Issues of the New Century. 2001.
[7] Oehlert P. Violating Assumptions with Fuzzing. IEEE Security and Privacy. 2005; 3(2): 58-62.
[8] Christian S, Stefan T, Karin P, et al. Security Test Approach for Automated Detection of Vulnerabilities of SIP-based VoIP Softphones. International Journal on Advances in Security. 2011; 4(1&2): 95-105.
[9] Agrwal Sudhir, Jain Sanjeev, Sanjeev Sharma. A Survey of Routing Attacks and Security Measures in Mobile Ad Hoc Networks. Journal of Computing. 2011; 1(3): 41-48.
[10] Ehsan Hearn, Mohammad Jail Piranha. SELECTOR: An Intelligent Evaluation System for Routing Protocols in Wireless Ad Hoc and Sensor Networks. Proceedings of the 3rd International Conference on Electronics Computer Technology, ICECT. Kanyakumari, India. 2011; 300-305.