An empirical study of the reliability of UNIX utilities
Communications of the ACM
Exploiting Software: How to Break Code
Exploiting Software: How to Break Code
Security as a new dimension in embedded system design
Proceedings of the 41st annual Design Automation Conference
Securing Mobile Appliances: New Challenges for the System Designer
DATE '03 Proceedings of the conference on Design, Automation and Test in Europe - Volume 1
IEEE Transactions on Computers
StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications
Hardware-assisted run-time monitoring for secure program execution on embedded processors
IEEE Transactions on Very Large Scale Integration (VLSI) Systems
IEEE Spectrum
| Hi-index | 0.00 |
IP phones are an essential component of any VoIP infrastructure. The hardware constraints and newness of these devices, as compared to mature desktop or server systems, lead to software development focused primarily on features and functionality rather than security and dependability. While several automated tools exist to test the security of IP phones, these tools have limitations and can not provide a strong guarantee that a particular IP phone is secure. Our work evaluates the attack resilience of a widely deployed IP phone, the Cisco 7960G, employing techniques such as: vulnerability scans, fuzz tests, and static binary analysis. While the first two techniques found no vulnerabilities, the static analysis of the firmware image revealed critical vulnerabilities and fundamental software design flaws. We conclude that security designs proven useful in desktop and server software architectures should similarly appear as part of the software design for devices such as IP phones.