Security analysis of session initiation protocol
Dobson, Lucas E.
The goal of this thesis is to investigate the security of the Session Initiation Protocol (SIP). This was accomplished by researching previously discovered protocol and implementation vulnerabilities, evaluating the current state of security tools, and using those tools to discover new vulnerabilities in SIP software. The CVSS v2 system was used to score protocol and implementation vulnerabilities so that the severity of the protocol vulnerabilities could be compared with that of the implementation vulnerabilities. The comparison reveals that software remains the greatest weakness of SIP. One particular weakness is the lack of a TLS (secure session level) implementation in any of the software tested. This remains a significant concern and leaves all of the software tested open to many of the protocol vulnerabilities mentioned. Furthermore, the large number of implementation vulnerabilities discovered in the parsing mechanisms while testing software leads to the conclusion that SIP is still too immature and too complex a protocol. More work needs to be done on developing a reference implementation and a robust parser for SIP, and for TLS with SIP, before SIP is ready for environments that require high assurances of authenticity, secrecy and integrity.
Approved for public release; distribution is unlimited