Thomas Grechenig

Ao.Univ.Prof. Dipl.-Ing. Dr.techn.

  • Orcid: 0009-0000-5622-8598
  • Roles: Associate Professor

Publications

Generic data format approach for generation of security test data
Christian Schanes, Florian Fankhauser, Stefan Taber, Thomas Grechenig

Handle: 20.500.12708/54038; Year: 2011; Issued On: 2011-01-01; Type: Publication; Subtype: Inproceedings

Abstract: Security testing is an important and at the same time also expensive task for developing robust and secure systems. Test automation can reduce costs of security tests and increase test coverage and, therefore, increase the number of detected security issues during development. A common data format as the basis for specific test cases ensures that the implementation of the generation logic for security test data is only needed once and can be used for various data formats by transforming the data to the common data format, generating the test data and transforming back to the original data format. The introduced approach enables generating test data for various formats using a single implementation of the generation algorithm and applying the results for specific test cases in different data formats.

Schanes, C., Fankhauser, F., Taber, S., & Grechenig, T. (2011). Generic data format approach for generation of security test data. In Proceedings of the Third International Conference on Advances in System Testing and Validation Lifecycle (pp. 103–108). IARIA. http://hdl.handle.net/20.500.12708/54038

Security status of voip based on the observation of real-world attacks on a honeynet
Markus Gruber, Florian Fankhauser, Stefan Taber, Christian Schanes, Thomas Grechenig

Handle: 20.500.12708/54039; Year: 2011; Issued On: 2011-01-01; Type: Publication; Subtype: Inproceedings

Abstract: VoIP (Voice over IP) systems are more and more replacing PSTN (Public Switched Telephone Network) infrastructures, which increases dependency on available and secure VoIP systems for successful business. Attacks against VoIP systems are becoming more imaginative and many attacks can cause damage, e.g., gain money for attackers or create costs for the victim. Therefore, in this paper the current security status of VoIP systems is described with observations of VoIP attacks in a honeynet. The achieved results can help to adapt existing prevention systems to avoid the recognized and analyzed attacks in a productive environment.

Gruber, M., Fankhauser, F., Taber, S., Schanes, C., & Grechenig, T. (2011). Security status of voip based on the observation of real-world attacks on a honeynet. In Proceedings of the Third IEEE International Conference on Information Privacy, Security, Risk and Trust (pp. 1041–1047). IEEE. http://hdl.handle.net/20.500.12708/54039

Automated Security Test Approach for SIP based VoIP Softphones
Stefan Taber, Christian Schanes, Clemens Hlauschek, Florian Fankhauser, Thomas Grechenig

Handle: 20.500.12708/53539; Year: 2010; Issued On: 2010-01-01; Type: Publication; Subtype: Inproceedings

Abstract: Robustness of applications used for Voice over Internet Protocol based systems against attacks is a critical part to secure such systems. Automatic security testing is required to detect security vulnerabilities in an efficient way. This enables hardening the applications early during the development phase. In the paper we present a fuzzer framework to detect security vulnerabilities in Voice over IP (VoIP) Softphones which implement Session Initiation Protocol (SIP). The presented approach automates the Graphical User Interface (GUI) interaction for softphones during fuzzing and also observes the behavior of the softphone GUIs to automatically detect application errors. Results of testing two open source softphones by using our fuzzer showed that various unknown vulnerabilities could be identified with the implemented fuzzer and some vulnerabilities were found that are only detectable by using GUI observation.

Taber, S., Schanes, C., Hlauschek, C., Fankhauser, F., & Grechenig, T. (2010). Automated Security Test Approach for SIP based VoIP Softphones. In Proceedings of The Second International Conference on Advances in System Testing and Validation Lifecycle (pp. 114–119). IEEE Computer Society Press. http://hdl.handle.net/20.500.12708/53539

A Robust and Flexible Test Environment for VoIP Security Tests.
Maximilian Ronniger, Florian Fankhauser, Christian Schanes, Thomas Grechenig

Handle: 20.500.12708/53543; Year: 2010; Issued On: 2010-01-01; Type: Publication; Subtype: Inproceedings

Abstract: Voice over IP (VoIP) is in wide use today, replacing phone lines in many scenarios. However, often, security isn't considered well enough, even though many security attacks are already known. More research on VoIP security is needed to enhance the level of security of VoIP systems and to show the implications of failing to take appropriate security measures. This paper presents an architecture and implementation of a robust and flexible VoIP test environment for security related tests. Experiences using the implemented environment for different VoIP security tests are shown to demonstrate the suitability of the proposed test environment for research purposes.

Ronniger, M., Fankhauser, F., Schanes, C., & Grechenig, T. (2010). A Robust and Flexible Test Environment for VoIP Security Tests. In Proceedings of The 5th International Conference for Internet Technology and Secured Transactions (pp. 96–101). Infonomics Society, UK. http://hdl.handle.net/20.500.12708/53543

Work in progress: Black-Box approach for testing quality of service in case of security incidents on the example of a SIP-based VoIP service.
Peter Steinbacher, Florian Fankhauser, Christian Schanes, Thomas Grechenig

Handle: 20.500.12708/53544; Year: 2010; Issued On: 2010-01-01; Type: Publication; Subtype: Inproceedings

Abstract: One of the main security objectives for systems connected to the Internet which provide services like Voice over Internet Protocol (VoIP) is to ensure robustness against security attacks to fulfill Quality of Service (QoS). To avoid system failures during attacks, service providers have to integrate countermeasures which have to be tested. This work evaluates a test approach to determine the efficiency of countermeasures to fulfill QoS for Session Initiation Protocol (SIP) based VoIP systems even under attack. The main objective of the approach is the evaluation of service availability of a System Under Test (SUT) during security attacks, e.g., Denial of Service (DoS) attacks. Therefore, a simulated system load based on QoS requirements is combined with different security attacks. The observation of the system is based on black-box testing. By monitoring quality metrics of SIP transactions the behavior of the system is measurable. The concept was realized as a prototype and was evaluated using different VoIP systems. For this, multiple security attacks are integrated into the testing scenarios. The outcome showed that the concept provides sound test results, which reflect the behavior of SIP systems' availability under various attacks. Thus, security problems can be found and QoS for SIP-based VoIP communication under attack can be predicted.

Steinbacher, P., Fankhauser, F., Schanes, C., & Grechenig, T. (2010). Work in progress: Black-Box approach for testing quality of service in case of security incidents on the example of a SIP-based VoIP service. In Proceedings of IPTComm 2010 Principles, Systems and Applications of IP Telecommunications (pp. 107–116). Technische Universität München, Germany. http://hdl.handle.net/20.500.12708/53544

Team

Business Informatics Group, TU Wien

Head

  • Henderik Proper, Univ.Prof. PhD

Professors

  • Christian Huemer, Ao.Univ.Prof. Mag.rer.soc.oec. Dr.rer.soc.oec.
  • Dominik Bork, Associate Prof. Dipl.-Wirtsch.Inf.Univ. Dr.rer.pol.
  • Gerti Kappel, O.Univ.Prof.in Dipl.-Ing.in Mag.a Dr.in techn.
  • Henderik Proper, Univ.Prof. PhD

Visiting Scientists

  • Christiane Floyd, Hon.Prof.in Dr.in phil.
  • Johanna Barzen, Dr. phil.

Administration

Researchers

  • Aleksandar Gavric, Univ.Ass. MEng. B.Eng.
  • Galina Paskaleva, Projektass.in Dipl.-Ing.in Dipl.-Ing.in BSc
  • Marianne Schnellmann, Univ.Ass.in BSc MSc
  • Marion Murzek, Senior Lecturer Mag.a rer.soc.oec. Dr.in rer.soc.oec.
  • Marion Scholz, Senior Lecturer Dipl.-Ing.in Mag.a rer.soc.oec.
  • Miki Zehetner, Univ.Ass. DI Bakk.rer.soc.oec. MSc
  • Syed Juned Ali, Univ.Ass. BSc MSc

External Researchers

  • Marco Huymajer, Univ.Ass. Dipl.-Ing.