Security analysis of session initiation protocol
10Jun_Dobson.pdf (699.7Kb)Abstract
The goal of this thesis is to investigate the security of the Session Initiation Protocol (SIP). This was accomplished by researching previously discovered protocol and implementation vulnerabilities, evaluating the current state of security tools and using those tools to discover new vulnerabilities in SIP software. The CVSS v2 system was used to score protocol and implementation vulnerabilities to give them a meaning that was used to compare the severity of protocol vulnerabilities versus the implementation vulnerabilities. Comparison between protocol and implementation vulnerabilities reveals that software remains the greatest weakness of SIP. One particular weakness is lack of TLS (secure session level) implementation in any software tested. This remains a significant concern and leaves all of the software tested open to many of the protocol vulnerabilities mentioned. Furthermore, the large number of implementation vulnerabilities discovered in the parsing mechanisms while testing software leads to the conclusion that SIP is still too immature and complex of a protocol. More work needs to be done developing a reference implementation and robust parser for SIP, and TLS with SIP, before SIP is ready for environments that require high assurances of authenticity, secrecy and integrity.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.Collections
Related items
Showing items related by title, author, creator and subject.
-
SOFTWARE DEFINED NETWORKS: DIALECTING SECURITY
(Monterey, CA; Naval Postgraduate School, 2022-03);OpenFlow is the standard used in Software Defined Networks. It handles the communication between the network devices. However, there are some weaknesses linked to OpenFlow. With the use of TLS as a security solution, it ... -
Software Vulnerabilities, Defects, and Design Flaws: A Technical Debt Perspective
(Monterey, California. Naval Postgraduate School, 2017-03); SYM-AM-17-099Technical debt describes a universal software development phenomenon: "Quick and easy" design or implementation choices that linger in the system will cause ripple effects that make future changes more costly. Although DoD ... -
Software Vulnerabilities, Defects, and Design Flaws: A Technical Debt Perspective
(Monterey, California. Naval Postgraduate School, 2017-03); SYM-AM-17-047Technical debt describes a universal software development phenomenon: モQuick and easyヤ design or implementation choices that linger in the system will cause ripple effects that make future changes more costly. Although DoD ...
