Download presentation
Presentation is loading. Please wait.
Published byKimberly McGee Modified over 9 years ago
1
The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University http://www.sei.buaa.edu.cn
2
Outline Background Fuzzing in TTCN-3 Summary
3
Outline Background Definition of Fuzzing Fuzzer Types Fuzzing in TTCN-3 Summary
4
Definition Fuzzing — A highly automated testing technique that covers numerous boundary cases using invalid data (from files, network protocols, API calls, and other targets) as application input to better ensure the absence of exploitable vulnerabilities. From modem applications ’ tendency to fail due to random input caused by line noise on “ fuzzy ” telephone lines.
5
Simple Fuzz Example SUT: Fake Clear Text Protocol [Client] -> "user jared\r\n" "user OK. Provide pass.\r\n" <- [Server] [Client] -> "pass mylamepasswd\r\n" "Login successful. Proceed.\r\n" <-[Server] [Client] -> "list file 1\r\n"...
6
Simple Fuzz Example (cont.) Test case 1 [Client] -> "us er jared\r\n" Test case 2 [Client] -> "user ja red\r\n" Test case 3 [Client] -> "user jared\r\n" "user OK. Provide pass.\r\n" <- [Server] [Client] -> "\x04\x98\xbb\x...\r\n"
7
Fuzzer Classification Generation Method Generation Mutation Knowledge of Inputs Random Intelligent Scope of SUT Specialized Fuzzer Generic Fuzzer
8
Intelligent vs. Generic The contradiction between … Intelligent Needs the knowledge of SUT Generic Independent of a specific SUT How to resolve the contradiction TTCN-3
9
Outline Background Fuzzing in TTCN-3 Our Purpose Architecture Details Summary
10
Our Purpose Develop a Generic Fuzzer Based on TTCN-3 Using the Knowledge of the Input Format — Intelligent Applying Data Mutation Approach — Mutation
12
Capture Valid Input Input: TTCN-3 ATS Output: TTCN-3 Value With its syntax Purpose: Instance of Valid Input As seed to generate Invalid Inputs Syntax Information Needed by the Intelligent mutation
13
Capture Valid Input (cont.) How to capture Insert the capture code btw. TE & CD TE CD: encode CD ReqCD Prv Capture Valid Input
14
Intelligent Mutation Input: TTCN-3 value With its syntax Mutation Strategy Output: s Purpose: Generate Mutation Operators One mutation operator → One field
15
Intelligent Mutation (cont.) How to mutate (intelligently) Type-Sensitive Mutation Choose mutation operators according to the type of the data being mutated Attack Heuristics Design mutation operators according to the stored invalid inputs that have previously been known to expose software vulnerabilities
16
Attack Heuristics Buffer Overflow [Client] -> "us er jared\r\n" Format String Attack [Client] -> "user ja red\r\n" Inserting Special Characters [Client] -> "user ja red\r\n" Integer Overflow 0x00, 0x0000, 0x00000000 0xFF, 0xFFFF, 0xFFFFFFFF … …
17
Type-Sensitive Mutation Supported TTCN-3 Types Basic Types BOOLEAN Reverse INTEGER Boundary, Integer Overflow, ++, -- CHARSTRING , OCTETSTRING Null, Buffer Overflow, Format String Attack … …
18
Type-Sensitive Mutation (cont.) Supported TTCN-3 Types Structured Types RECORD , SET Remove optional fields RECORD_OF , SET_OF Remove elements, Duplicate elements, Change the order of elements ENUMERATED Choose other value … …
19
Inject Invalid Inputs Input: Test cases Valid Inputs Output: Invalid Inputs Procedure: Applying mutation operator to generate invalid input from the instance of the valid input The invalid input will be sent to SUT
20
Inject Invalid Inputs (cont.) How to inject Insert the injection code btw. TE & CD TE CD: encode CD ReqCD Prv Inject Mutation Operator
21
Test Verdict The problem The response of SUT can ’ t be predicted when an invalid input is injected The solution Each time an invalid input is injected, followed with a positive test case that is defined in conformance or functional test suite
22
Test Verdict (cont.) Each test case includes 3 parts: 1.Inject an invalid input 2.Cancel current transaction (if needed) Don ’ t care the response of SUT 3.Execute a positive test case Determine if a failure has occurred
23
Evaluation SUT Implementations of SIP Three popular softphones: Linphone 1.7.1 with libosip2 2.2.2 SJphone For windows XPsp2, 1.65.377a X-Lite 2.0, Win32-1103m-14262
24
The Number of Test Cases How many TCs have been generated Focusing on INVITE Based on the ETSI standardized SIP conformance test suite 429 test cases has been generated
25
Results Linphone 3 test cases caused crashes … via.viaBody.0.viaParams.0.paramValue … fromField … userOrTelephoneSubscriber … fromField … hostPort.host SJphone 1 test case caused crash … contentLength.len X-Lite No crash One line has not been released
26
Outline Background Fuzzing in TTCN-3 Summary
27
Summary How TTCN-3 resolves the contradiction between Intelligent & Generic TTCN-3 conformance or functional test suite specifies the syntax structure of the valid inputs, which can be used by our fuzzer — Intelligent The syntax structure definitions are independent of the message encoding rules, the mutation operators could work on the syntax level instead of bit level — Generic
28
Thanks!
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.