Section: New Results
Vulnerabilities preventions techniques in SIP networks
Participants : Abdelkader Lahmadi [ contact ] , Olivier Festor.
The fuzzing activity carried in the Madynes team reveals the large number of vulnerabilities related to the SIP. The sources of these vulnerabilities are mainly the weakness of its implementations and sometimes even its specification semantics. A primary way to counter SIP implementations vulnerabilities is through patching. However, patching time is often important or unknown and until that happens a SIP network is kept on leash by attackers. A defense system can start with network level firewalls, where packets are filtered without a deep understand of the SIP protocol semantics. Another way, is to use detection engines like Snort. These solutions are inefficient to prevent from SIP protocol existing vulnerabilities since they are stateless and they are unable to provide all necessary protection scheme against those vulnerabilities.
To overcome such scourge, we have developed a defense tool, called SecSIP  to protect a SIP network from SIP protocol related vulnerabilities. The SecSIP tool is fed with vulnerabilities specifications and their counter measures. It screens the SIP traffic, identifies the vulnerabilities and applies preventions actions. The preventions schemes within the SecSIP tools are authored using our developed domain-specific language, called VeTo. The VeTo language relies on an event-driven and rule-based approach to specify in a flexible, and a scalable manner preventions schemes from existing vulnerabilities within a SIP network. The language combines context, definition and events blocks extracted from vulnerabilities properties to provide the ability to prevent against its exploitation. The context block exhibits the vulnerability surrounding environment properties. The definition block provides the vulnerability related assumptions on its behavior such as the involved SIP messages and their respective fields. The pr evention block describes the vulnerable behavior within its context and includes a response action. We have shown through real discovered vulnerabilities the usage of VeTo specifications to protect different deployed SIP devices on a target testbed.