The Intelligent Fuzzing in TTCN-3
Xu Luo, Wu Ji, Liu Chao
Software Engineering Institute, Beihang University

Outline
- Background
- Fuzzing in TTCN-3
- Summary

Outline
- Background
  - Definition of Fuzzing
  - Fuzzer Types
- Fuzzing in TTCN-3
- Summary

Definition
- Fuzzing: a highly automated testing technique that covers numerous boundary cases using invalid data (from files, network protocols, API calls, and other targets) as application input to better ensure the absence of exploitable vulnerabilities.
- The name comes from modem applications' tendency to fail due to random input caused by line noise on "fuzzy" telephone lines.

Simple Fuzz Example
- SUT: Fake Clear Text Protocol
  [Client] -> "user jared\r\n"
  "user OK. Provide pass.\r\n" <- [Server]
  [Client] -> "pass mylamepasswd\r\n"
  "Login successful. Proceed.\r\n" <- [Server]
  [Client] -> "list file 1\r\n"
  ...

Simple Fuzz Example (cont.)
- Test case 1
  [Client] -> "us er jared\r\n"
- Test case 2
  [Client] -> "user ja red\r\n"
- Test case 3
  [Client] -> "user jared\r\n"
  "user OK. Provide pass.\r\n" <- [Server]
  [Client] -> "\x04\x98\xbb\x...\r\n"

Fuzzer Classification
- Generation Method: Generation, Mutation
- Knowledge of Inputs: Random, Intelligent
- Scope of SUT: Specialized Fuzzer, Generic Fuzzer

Intelligent vs. Generic
- The contradiction between:
  - Intelligent: needs the knowledge of the SUT
  - Generic: independent of a specific SUT
- How to resolve the contradiction: TTCN-3

Outline
- Background
- Fuzzing in TTCN-3
  - Our Purpose
  - Architecture
  - Details
- Summary

Our Purpose
- Develop a Generic Fuzzer Based on TTCN-3
  - Using the knowledge of the input format: Intelligent
  - Applying the data mutation approach: Mutation

Capture Valid Input
- Input: TTCN-3 ATS
- Output: TTCN-3 value with its syntax
- Purpose:
  - Instance of valid input, used as the seed to generate invalid inputs
  - Syntax information, needed by the intelligent mutation

Capture Valid Input (cont.)
- How to capture: insert the capture code between TE and CD
  (diagram: TE calls CD encode; the "Capture Valid Input" hook sits on the CD Req / CD Prv interface boundary)

Intelligent Mutation
- Input: TTCN-3 value with its syntax; mutation strategy
- Output: mutation operators
- Purpose: generate mutation operators (one mutation operator → one field)

Intelligent Mutation (cont.)
- How to mutate (intelligently)
  - Type-Sensitive Mutation: choose mutation operators according to the type of the data being mutated
  - Attack Heuristics: design mutation operators according to the stored invalid inputs that have previously been known to expose software vulnerabilities

Attack Heuristics
- Buffer Overflow: [Client] -> "us er jared\r\n"
- Format String Attack: [Client] -> "user ja red\r\n"
- Inserting Special Characters: [Client] -> "user ja red\r\n"
- Integer Overflow: 0x00, 0x0000, 0xFF, 0xFFFF, 0xFFFFFFFF
- ...

Type-Sensitive Mutation
- Supported TTCN-3 Types: Basic Types
  - BOOLEAN: reverse
  - INTEGER: boundary, integer overflow, ++, --
  - CHARSTRING, OCTETSTRING: null, buffer overflow, format string attack
  - ...

Type-Sensitive Mutation (cont.)
- Supported TTCN-3 Types: Structured Types
  - RECORD, SET: remove optional fields
  - RECORD_OF, SET_OF: remove elements, duplicate elements, change the order of elements
  - ENUMERATED: choose other value
  - ...
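The type-sensitive operators of the last three slides, worked through as an added example (this is not the authors' fuzzer and not TTCN-3 code): a TTCN-3 value is modelled together with its syntax as a small Python tree, and one mutation operator is derived per field, so that every (field path, operator) pair is a separate test input. The type names mirror TTCN-3; the concrete operator set, the integer width, the field names and the seed message are assumptions made for the demonstration, the seed being hand-built to resemble the header paths on the results slide rather than captured from a real ATS.

```python
"""Type-sensitive mutation over a TTCN-3-style value tree (added example)."""
import copy
from dataclasses import dataclass, field
from typing import Any, Iterator, List, Tuple


@dataclass
class TValue:
    """A value paired with its TTCN-3 type. RECORD holds a dict of named
    fields, RECORD_OF a list of elements; other types hold a plain value."""
    ttype: str                 # BOOLEAN, INTEGER, CHARSTRING, ENUMERATED, RECORD, RECORD_OF
    value: Any
    optional: bool = False     # set on RECORD fields declared 'optional'
    alt: list = field(default_factory=list)  # ENUMERATED alternatives
    bits: int = 32             # assumed integer width for the overflow heuristic


def basic_mutations(v: TValue) -> Iterator[Tuple[str, Any]]:
    """Attack-heuristic operators chosen by the type of one basic field."""
    if v.ttype == "BOOLEAN":                        # reverse
        yield "reverse", not v.value
    elif v.ttype == "INTEGER":                      # boundary, overflow, ++, --
        yield "zero", 0
        yield "increment", v.value + 1
        yield "decrement", v.value - 1
        yield "negative", -abs(v.value) - 1
        yield "overflow-max", (1 << v.bits) - 1     # e.g. 0xFFFFFFFF for 32 bits
        yield "overflow-wrap", 1 << v.bits          # one past the assumed width
    elif v.ttype in ("CHARSTRING", "OCTETSTRING"):  # null, overflow, format, specials
        yield "null", ""
        yield "buffer-overflow", "A" * 4096
        yield "format-string", "%s%x%s%x"
        yield "special-chars", str(v.value) + "\r\n\x00"
    elif v.ttype == "ENUMERATED":                   # choose another value
        for other in v.alt:
            if other != v.value:
                yield "enum-" + str(other), other


def mutations(v: TValue, path: str = "") -> Iterator[Tuple[str, str, TValue]]:
    """Yield (field path, operator name, mutated copy of v) for every field
    reachable from v. The seed itself is never modified."""
    if v.ttype == "RECORD":
        for name, fld in v.value.items():
            sub = f"{path}.{name}" if path else name
            if fld.optional:                        # remove optional field
                m = copy.deepcopy(v)
                del m.value[name]
                yield sub, "remove-optional", m
            for p, op, child in mutations(fld, sub):
                m = copy.deepcopy(v)
                m.value[name] = child
                yield p, op, m
    elif v.ttype == "RECORD_OF":
        if v.value:                                 # remove / duplicate an element
            m = copy.deepcopy(v)
            del m.value[0]
            yield path, "remove-element", m
            m = copy.deepcopy(v)
            m.value.append(copy.deepcopy(v.value[0]))
            yield path, "duplicate-element", m
        if len(v.value) > 1:                        # change the element order
            m = copy.deepcopy(v)
            m.value.reverse()
            yield path, "reorder-elements", m
        for i, elem in enumerate(v.value):
            sub = f"{path}.{i}" if path else str(i)
            for p, op, child in mutations(elem, sub):
                m = copy.deepcopy(v)
                m.value[i] = child
                yield p, op, m
    else:
        for op, new in basic_mutations(v):
            m = copy.deepcopy(v)
            m.value = new
            yield path, op, m


def seed_invite() -> TValue:
    """Constructed seed shaped after the header paths on the results slide;
    a real seed would be captured from the SIP ATS, not written by hand."""
    via_param = TValue("RECORD", {"paramName": TValue("CHARSTRING", "branch"),
                                  "paramValue": TValue("CHARSTRING", "z9hG4bK776")})
    via_body = TValue("RECORD", {"sentBy": TValue("CHARSTRING", "10.0.0.1"),
                                 "viaParams": TValue("RECORD_OF", [via_param], optional=True)})
    return TValue("RECORD", {
        "method": TValue("ENUMERATED", "INVITE", alt=["INVITE", "ACK", "BYE"]),
        "via": TValue("RECORD", {"viaBody": TValue("RECORD_OF", [via_body])}),
        "contentLength": TValue("RECORD", {"len": TValue("INTEGER", 0)}, optional=True),
        "maxForwards": TValue("INTEGER", 70, bits=8),
        "loose": TValue("BOOLEAN", False),
    })


def fuzz_plan(seed: TValue) -> List[Tuple[str, str]]:
    """Every (path, operator) pair the fuzzer would inject for this seed."""
    return [(p, op) for p, op, _ in mutations(seed)]


if __name__ == "__main__":
    for p, op in fuzz_plan(seed_invite()):
        print(f"{p:45s} {op}")
```

Because the operators work on the typed tree and the wire format is produced later by the codec, the same plan applies unchanged whether the message is text-encoded or binary-encoded, which is the "syntax level instead of bit level" point the summary slide makes.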

Inject Invalid Inputs
- Input: test cases, valid inputs
- Output: invalid inputs
- Procedure: apply a mutation operator to generate an invalid input from the instance of the valid input; the invalid input is then sent to the SUT

Inject Invalid Inputs (cont.)
- How to inject: insert the injection code between TE and CD
  (diagram: TE calls CD encode; the "Inject Mutation Operator" hook sits on the CD Req / CD Prv interface boundary)

Test Verdict
- The problem: the response of the SUT can't be predicted when an invalid input is injected
- The solution: each time an invalid input is injected, it is followed by a positive test case that is defined in the conformance or functional test suite

Test Verdict (cont.)
- Each test case includes 3 parts:
  1. Inject an invalid input
  2. Cancel the current transaction (if needed); don't care about the response of the SUT
  3. Execute a positive test case; determine if a failure has occurred
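The capture/inject hook between TE and CD (the "Capture Valid Input" and "Inject Invalid Inputs" slides) and the three-part verdict procedure above, worked through as an added example that is not the paper's code. A constructed ToySUT speaking the fake clear-text protocol from the "Simple Fuzz Example" slide stands in for a real SIP phone; its failure mode (it stops answering after an over-long user name) is planted purely so the harness has something to detect. The codec, the hook class, the mutator table and the verdict strings are assumptions for the demonstration, not a TTCN-3 tool's API.

```python
"""Capture/inject hook between TE and CD plus the 3-part verdict (added example)."""
from typing import Callable, Dict, List, Optional

Value = Dict[str, str]     # abstract value as the TE sees it: {"cmd": ..., "arg": ...}


class ToySUT:
    """Constructed SUT for the clear-text protocol; the defect is planted."""
    def __init__(self) -> None:
        self.alive = True
        self.logged_in = False

    def send(self, line: bytes) -> Optional[bytes]:
        if not self.alive:                            # a crashed SUT answers nothing
            return None
        if line.startswith(b"user "):
            if len(line[5:].rstrip(b"\r\n")) > 64:    # planted defect (constructed)
                self.alive = False
                return None
            self.logged_in = False
            return b"user OK. Provide pass.\r\n"
        if line.startswith(b"pass "):
            self.logged_in = True
            return b"Login successful. Proceed.\r\n"
        if line.startswith(b"quit"):                  # cancels the current transaction
            self.logged_in = False
            return b"Bye.\r\n"
        return b"Error.\r\n"


def cd_encode(value: Value) -> bytes:
    """The CoDec (CD): turns the abstract value into the wire line."""
    return f"{value['cmd']} {value['arg']}\r\n".encode()


class CaptureInjectHook:
    """Sits between TE and CD. Every value the TE passes to encode is recorded
    unmodified (capture of the valid input with its field names); when armed,
    the next value is replaced by its mutation before it reaches the CD."""
    def __init__(self) -> None:
        self.captured: List[Value] = []
        self._pending: Optional[Callable[[Value], Value]] = None

    def arm(self, mutate: Callable[[Value], Value]) -> None:
        self._pending = mutate

    def encode(self, value: Value) -> bytes:
        self.captured.append(dict(value))
        if self._pending is not None:
            value, self._pending = self._pending(dict(value)), None
        return cd_encode(value)


def positive_login(sut: ToySUT, hook: CaptureInjectHook) -> bool:
    """Positive test case as a conformance suite would define it: a full login."""
    if sut.send(hook.encode({"cmd": "user", "arg": "jared"})) != b"user OK. Provide pass.\r\n":
        return False
    return sut.send(hook.encode({"cmd": "pass", "arg": "mylamepasswd"})) == \
        b"Login successful. Proceed.\r\n"


def fuzz_test_case(sut: ToySUT, hook: CaptureInjectHook,
                   mutate: Callable[[Value], Value]) -> str:
    """The slides' three-part test case; only part 3 decides the verdict."""
    hook.arm(mutate)
    sut.send(hook.encode({"cmd": "user", "arg": "jared"}))    # 1. inject (hook mutates it)
    sut.send(hook.encode({"cmd": "quit", "arg": ""}))          # 2. cancel; response ignored
    return "pass" if positive_login(sut, hook) else "fail"    # 3. positive case decides


# Assumed mutators, one per attack heuristic on the slides.
MUTATORS: Dict[str, Callable[[Value], Value]] = {
    "buffer-overflow": lambda v: {**v, "arg": "A" * 4096},
    "format-string":   lambda v: {**v, "arg": "%s%x%s%x"},
    "null":            lambda v: {**v, "arg": ""},
}


def run_campaign() -> Dict[str, str]:
    """One fresh SUT per test case, so a crash cannot mask the later cases."""
    return {name: fuzz_test_case(ToySUT(), CaptureInjectHook(), m)
            for name, m in MUTATORS.items()}


if __name__ == "__main__":
    for name, verdict in run_campaign().items():
        print(f"{name:16s} {verdict}")
```

Note that the hook records the valid value before the mutator touches it, so the captured list is the seed the intelligent mutation works from, and that the verdict never inspects the reply to the injected line: a SUT that merely returns an error is fine, while one that no longer completes the positive login fails.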

Evaluation
- SUT: implementations of SIP, three popular softphones:
  - Linphone with libosip
  - SJphone for Windows XP SP2, a
  - X-Lite 2.0, Win m-14262

The Number of Test Cases
- How many TCs have been generated: focusing on INVITE, based on the ETSI standardized SIP conformance test suite, 429 test cases have been generated

Results
- Linphone: 3 test cases caused crashes
  - ... via.viaBody.0.viaParams.0.paramValue
  - ... fromField ... userOrTelephoneSubscriber
  - ... fromField ... hostPort.host
- SJphone: 1 test case caused a crash
  - ... contentLength.len
- X-Lite: no crash (one line has not been released)

Outline
- Background
- Fuzzing in TTCN-3
- Summary

Summary
- How TTCN-3 resolves the contradiction between Intelligent and Generic:
  - The TTCN-3 conformance or functional test suite specifies the syntax structure of the valid inputs, which can be used by our fuzzer: Intelligent
  - The syntax structure definitions are independent of the message encoding rules, so the mutation operators can work on the syntax level instead of the bit level: Generic

Thanks!