Data Fuzzing with TTCN-3 Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann, Jürgen Großmann, Martin Schneider TTCN-3 User.


1 Data Fuzzing with TTCN-3
Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann, Jürgen Großmann, Martin Schneider
TTCN-3 User Conference 2012, Bangalore

2 Authors
Testing Technologies: Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann
Fraunhofer FOKUS: Jürgen Großmann, Martin Schneider
This proposal was developed in the ITEA2 project DIAMONDS – Development and Industrial Application of Multi-Domain Security Testing Technologies http://www.itea2-diamonds.org
Copyright Testing Technologies 2012. Confidential Information. All Rights Reserved. More Information at www.testingtech.com. ©

3 Introduction
TTCN-3
- Is widely accepted in functional (protocol) testing in telecommunications
- Is being pushed into new areas like Intelligent Transport Systems (ITS) or Internet of Things (IoT)
- Is pretty new to security testing
Fuzzing
- Automated and efficient black-box testing method for finding software flaws
- Monitors a system for exceptional behavior (such as crashes, memory leaks) while stimulating it with large amounts of anomalous input data (random, invalid or unexpected)
- If the program fails, it indicates a bug in the software
- Is widely used for security testing
Security testing aspects are becoming more and more important in traditional TTCN-3 domains
→ Proposal of a Fuzz Extension Package for TTCN-3

4 Proposal – Fuzz Extension Package
- Concentration on data fuzzing, i.e. generation of multiple variants to be sent, can be realized via loop constructs
- New construct: fuzz function instance
- Similar to an external function, but the call is delayed until a specific value is selected via send or valueof
- A fuzz function may declare formal parameters
- A fuzz function must declare a return type

    fuzz function zf_UnicodeUtf8ThreeCharMutator(in template charstring param1) return charstring;
    fuzz function zf_RandomSelect(in template integer param1) return integer;

5 Proposal – Fuzz Extension Package
- A fuzz function instance denotes a set of values
- Can only occur in value templates
- Used like a normal matching mechanism “instead of values”
- A single value will be selected in the event of
  - Sending operation
  - Invocation of valueof() operation

    template myType myData := {
      field1 := zf_UnicodeUtf8ThreeCharMutator(?),
      field2 := '12AB'O,
      field3 := zf_RandomSelect((1, 2, 3))
    }
    myPort.send(myData);
    myPort.send(zf_UnicodeUtf8ThreeCharMutator(?));
    var myType myVar := valueof(myData);

6 Examples
Used as “instead of values” in template declaration:

    template myType myData := {
      field1 := zf_UnicodeUtf8ThreeCharMutator(?),
      field2 := '12AB'O,
      field3 := zf_RandomSelect((1, 2, 3))
    }

Specific value selection at send time:

    myPort.send(myData);

Specific value selection at invocation time of valueof() function:

    var myType myVar := valueof(myData);

Immediate value selection as inline template:

    myPort.send(zf_UnicodeUtf8ThreeCharMutator(?));

Fuzz function declaration:

    fuzz function zf_UnicodeUtf8ThreeCharMutator(in template charstring param1) return charstring;
    fuzz function zf_RandomSelect(in template integer param1) return integer;

7 Seed
- Optional seed for the generation of random numbers
  - Used to determine random selection
  - To allow repeatability of fuzzed test cases
- One seed per test component
- Two new predefined functions
  - To set the seed
  - To read the current seed value

    setseed(in float initialSeed) return float;
    getseed() return float;
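The loop-based variant generation and the seed functions from the slides above, combined into one test case. This is an added example, not code from the presentation: the definitions of myType, the port and component types, the timeout, and the names tc_fuzzLoop, p_seed and p_variants are assumptions, and it requires a tool that implements the proposed fuzz extension.

```ttcn3
module FuzzLoopExample {
  // Assumed definitions: the slides use myType and myPort without declaring them.
  type record myType {
    charstring  field1,
    octetstring field2,
    integer     field3
  }
  type port MyPortType message { inout myType }
  type component MyComp {
    port MyPortType myPort;
    timer t_guard := 2.0   // assumed response timeout
  }

  // Declarations and template as on the slides (proposed extension syntax).
  fuzz function zf_UnicodeUtf8ThreeCharMutator(in template charstring param1) return charstring;
  fuzz function zf_RandomSelect(in template integer param1) return integer;

  template myType myData := {
    field1 := zf_UnicodeUtf8ThreeCharMutator(?),
    field2 := '12AB'O,
    field3 := zf_RandomSelect((1, 2, 3))
  }

  testcase tc_fuzzLoop(in float p_seed, in integer p_variants)
      runs on MyComp system MyComp {
    var float v_ret := setseed(p_seed);  // meaning of the return value is not given on the slides
    map(mtc:myPort, system:myPort);
    log("seed in effect: ", getseed());  // record it so a failing run can be replayed
    for (var integer i := 0; i < p_variants; i := i + 1) {
      // Select once via valueof(), then send that concrete value, so the
      // logged variant is exactly what the SUT received. Sending myData
      // directly would be a second, separate selection event.
      var myType v_sent := valueof(myData);
      log("variant ", i, ": ", v_sent);
      myPort.send(v_sent);
      t_guard.start;
      alt {
        [] myPort.receive { t_guard.stop; }
        [] t_guard.timeout {
          log("no response after variant ", i);
          setverdict(fail);
          stop;
        }
      }
    }
    setverdict(pass);
  }
}
```

Because the seed is per test component, re-running with the logged seed on the same component reproduces the same sequence of variants up to the one that triggered the failure.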

8 TCI Extension – tciFuzzySelect
- Fuzz function implemented as a runtime extension in the TTCN-3 Test Control Interface (TCI) → tciFuzzySelect()
- Called by the Test Environment (TE) for each fuzz function instance at the moment a template is sent or evaluated by use of valueof()
- To compute the concrete value, a randomized approach could be used, using the given seed
- External data fuzzers might be used to achieve better results → intelligent application/protocol based fuzzing with Data Fuzzing Library

9 tciFuzzySelect Synopsis

10 Data Fuzzing Library
- Makes traditional data fuzzing widely available
- Eases integration into tools without deep knowledge about fuzz data generation
- Allows data fuzzing without the need for
  - Becoming familiar with a specific fuzzing tool
  - Integrating further fuzzing tools into the test process
Approach
- Don’t reinvent the wheel, use the potential of existing fuzzing tools
  - Peach
  - Sulley
  - OWASP WebScarab
- Extract their fuzzing generators and operators into a library (reimplementation in Java)

11 Architecture

12 Generators and Operators
G – Generator, O – Operator

13 Summary
- Fuzz testing is a commonly used method to test for security problems
- The purpose of fuzzing is to reveal implementation vulnerabilities by triggering failure modes
- Light-weight extension to the TTCN-3 standard supports fuzzing while maximizing its usability for existing TTCN-3 users
- While simple dumb random fuzzing often yields poor results, intelligent application/protocol based fuzzing is much more powerful
- To support application/protocol based fuzz generators, a TCI extension allows integration of external data fuzzers

14 Thank you! Questions?

