Protection des systèmes face aux attaques par fuzzing

International audienceA fuzzing attack enables an attacker to gain access to restricted resources by exploiting a wrong specification implementation. Fuzzing attack consists in sending commands with parameters out of their specification range. This study aims at protecting Java Card applets against such attacks. To do this, we detect prior to deployment an unexpected behavior of the application without any knowledge of its specification. Our approach is not based on a fuzzing technique. It relies on a static analysis method and uses an unsupervised machine-learning algorithm on source codes. For this purpose, we have designed a front end tool fetchVuln that helps the developer to detect wrong implementations. It relies on a back end tool Chucky-ng which we have adapted for Java. In order to validate the approach, we have designed a mutant applet generator based on LittleDar-win. The tool chain has successfully detected the expected missing checks in the mutant applets. We evaluate then the tool chain by analyzing five applets which implement the OpenPGP specification. Our tool has discovered both vulnerabil-ities and optimization problems. These points are then explained and corrected