Automated Security Test Approach for SIP-based VoIP Softphones.

Stefan Taber, Christian Schanes, Clemens Hlauschek, Florian Fankhauser, and Thomas Grechenig. The Second International Conference on Advances in System Testing and Validation Lifecycle, IEEE Computer Society Press. Nice, France. August 2010.

Abstract

Voice over Internet Protocol based systems become more and more part of business critical IT infrastructures. To increase the robustness of voice applications, automated security testing is required to detect security vulnerabilities in an efficient way. In this paper we present a fuzzer framework to detect security vulnerabilities in Voice over Internet Protocol Softphones, which implement Session Initiation Protocol. The presented approach automates the Graphical User Interface interaction for softphones during fuzzing and also observes the behavior of the softphone Graphical User Interfaces to automatically detect application errors. Results of testing two open source softphones by using our fuzzer showed that various unknown vulnerabilities could be identified with the implemented fuzzer and some vulnerabilities were found that are only detectable by using Graphical User Interface observation.