Vulnerability analysis of the e-Szignó application

Dr. Buttyán Levente
Department of Networked Systems and Services

We can never know when bugs will surface in a complex system. Whatever preventive measures are taken, it is almost certain that latent programming errors will eventually come to light. This is further nuanced by the growth of high computational capacity.

The subject of my thesis is the black-box testing of an application that has been exhaustively tested, meets strict requirements and specifications, and handles digital signing and timestamping as well. The test subject is Microsec zrt.'s e-Szignó application. The purpose of the examination is vulnerability testing of the application's communication over the Online Certificate Status Protocol and the Timestamp Protocol.

The implementation gives details about two types of black-box fuzz testing techniques. One of them is a generational type, such as american fuzzy lop. The other is a template method, as used by Sulley. I used asn1c for ASN.1 encoding in the Sulley tests.

The report of the vulnerability analysis contains a statistical summary of the tests and the bug analysis. I found a segmentation fault with afl during my investigations. After analyzing the recoverable data of the error, I found that it is not exploitable and that it is probably caused by an unhandled NULL reference exception. The bug mentioned above has been registered in e-Szignó's issue tracker and is going to be fixed.

