The Intelligent Fuzzing in TTCN-3

Xu Luo, Wu Ji, Liu Chao

Software Engineering Institute

Beihang University

http://www.sei.buaa.edu.cn


Outline

  • Background

  • Fuzzing in TTCN-3

  • Summary


Outline

  • Background

    • Definition of Fuzzing

    • Fuzzer Types

  • Fuzzing in TTCN-3

  • Summary


Definition

  • Fuzzing —

    • A highly automated testing technique that covers numerous boundary cases using invalid data (from files, network protocols, API calls, and other targets) as application input to better ensure the absence of exploitable vulnerabilities.

    • The name comes from modem applications’ tendency to fail on the random input caused by line noise on “fuzzy” telephone lines.


Simple Fuzz Example

  • SUT: Fake Clear Text Protocol

    [Client] -> "user jared\r\n"

    "user OK. Provide pass.\r\n" <- [Server]

    [Client] -> "pass mylamepasswd\r\n"

    "Login successful. Proceed.\r\n" <-[Server]

    [Client] -> "list file 1\r\n"

    ...


Simple Fuzz Example (cont.)

  • Test case 1

    [Client] -> "us<50000 \xff's>er jared\r\n"

  • Test case 2

    [Client] -> "user ja<12 %n's>red\r\n"

  • Test case 3

    [Client] -> "user jared\r\n"

    "user OK. Provide pass.\r\n" <- [Server]

    [Client] -> "\x04\x98\xbb\x...\r\n"


Fuzzer Classification

  • Generation Method

    • Generation

    • Mutation

  • Knowledge of Inputs

    • Random

    • Intelligent

  • Scope of SUT

    • Specialized Fuzzer

    • Generic Fuzzer


Intelligent vs. Generic

  • The contradiction between …

    • Intelligent

      Needs knowledge of the SUT

    • Generic

      Independent of a specific SUT

  • How to resolve the contradiction

    TTCN-3


Outline

  • Background

  • Fuzzing in TTCN-3

    • Our Purpose

    • Architecture

    • Details

  • Summary


Our Purpose

  • Develop a Generic Fuzzer

    • Based on TTCN-3

    • Using the Knowledge of the Input Format

      —Intelligent

    • Applying Data Mutation Approach

      —Mutation


Capture Valid Input

  • Input:

    • TTCN-3 ATS

  • Output:

    • TTCN-3 Value

    • With its syntax

  • Purpose:

    • Instance of Valid Input

      As seed to generate Invalid Inputs

    • Syntax Information

      Needed by the Intelligent mutation


Capture Valid Input (cont.)

  • How to capture

    Insert the capture code between the TE (TTCN-3 Executable) and the CD (CoDec)

    [Figure: TE → CD Req → Capture → CD Prv → CD: encode. The Capture hook sits on the path from the TE to the CD and records the Valid Input before the CD encodes it.]

Intelligent Mutation

  • Input:

    • TTCN-3 value

      With its syntax

    • Mutation Strategy

  • Output:

    • <Field, Mutation Operator>s

  • Purpose:

    • Generate Mutation Operators

      One mutation operator → One field


Intelligent Mutation (cont.)

  • How to mutate (intelligently)

    • Type-Sensitive Mutation

      • Choose mutation operators according to the type of the data being mutated

    • Attack Heuristics

      • Design mutation operators from a store of invalid inputs that are already known to have exposed software vulnerabilities


Attack Heuristics

  • Buffer Overflow

    [Client] -> "us<50000 \xff's>er jared\r\n"

  • Format String Attack

    [Client] -> "user ja<12 %n's>red\r\n"

  • Inserting Special Characters

    [Client] -> "user ja<1342 \x00's>red\r\n"

  • Integer Overflow

    0x00, 0x0000, 0x00000000

    0xFF, 0xFFFF, 0xFFFFFFFF

  • ……


Type-Sensitive Mutation

  • Supported TTCN-3 Types

    • Basic Types

      • BOOLEAN

        • Reverse

      • INTEGER

        • Boundary, Integer Overflow, ++, --

      • CHARSTRING, OCTETSTRING

        • Null, Buffer Overflow, Format String Attack

      • ……


Type-Sensitive Mutation (cont.)

  • Supported TTCN-3 Types

    • Structured Types

      • RECORD, SET

        • Remove optional fields

      • RECORD_OF, SET_OF

        • Remove elements

        • Duplicate elements

        • Change the order of elements

      • ENUMERATED

        • Choose other value

      • ……

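The type-sensitive mutation and attack-heuristics slides above, as an added worked example (not the authors' fuzzer): a mutator that walks a typed value tree in a constructed encoding and emits one <Field, Mutation Operator> per field, choosing operators by type exactly as the two tables list them. The SIP-like seed record and the field paths are constructed for illustration.

```python
# Constructed value encoding (not the deck's own format):
#   ("boolean"|"integer"|"charstring"|"octetstring", v), ("enumerated", (name, [names])),
#   ("record", {field: (type, value, is_optional)}), ("record_of", (elem_type, [elems]))

def mutate(path, typ, value):
    """Yield (field path, mutation operator, replacement) for each field,
    choosing operators by the field's type as the deck's tables do."""
    if typ == "boolean":
        yield path, "Reverse", not value
    elif typ == "integer":
        yield path, "Boundary", 0
        yield path, "IntegerOverflow", 0xFFFFFFFF
        yield path, "++", value + 1
        yield path, "--", value - 1
    elif typ in ("charstring", "octetstring"):
        yield path, "Null", ""                               # empty field
        yield path, "BufferOverflow", value[:2] + "\xff" * 50000 + value[2:]
        yield path, "FormatString", value[:2] + "%n" * 12 + value[2:]
    elif typ == "enumerated":
        current, names = value
        for other in names:                                  # every other label
            if other != current:
                yield path, "ChooseOtherValue", (other, names)
    elif typ == "record":
        for name, (ftyp, fval, optional) in value.items():
            if optional:  # replacement is the record without this field
                rest = {k: v for k, v in value.items() if k != name}
                yield path, f"RemoveOptionalField({name})", rest
            yield from mutate(f"{path}.{name}", ftyp, fval)
    elif typ == "record_of":
        etyp, elems = value
        for i, elem in enumerate(elems):
            yield path, f"RemoveElement({i})", elems[:i] + elems[i + 1:]
            yield path, f"DuplicateElement({i})", elems[:i + 1] + elems[i:]
            yield from mutate(f"{path}.{i}", etyp, elem)
        if len(elems) > 1:
            yield path, "ChangeOrder", list(reversed(elems))

# Constructed seed: a cut-down SIP request in the encoding above.
SEED = {
    "method": ("enumerated", ("INVITE", ["INVITE", "ACK", "BYE"]), False),
    "via": ("record_of", ("record", [{"host": ("charstring", "10.0.0.1", False),
                                      "port": ("integer", 5060, False)}]), False),
    "contentLength": ("record", {"len": ("integer", 0, False)}, True),
}

def generate(seed):
    """Return every <Field, Mutation Operator> for a record-typed seed."""
    return list(mutate("msg", "record", seed))
```

Each emitted tuple names the field by a dotted path of the same shape as the crash reports later in the deck, so a crashing case can be traced back to the field and operator that produced it.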

Inject Invalid Inputs

  • Input:

    • Test cases

    • Valid Inputs

  • Output:

    • Invalid Inputs

  • Procedure:

    • Apply a mutation operator to generate an invalid input from the instance of the valid input

    • The invalid input is then sent to the SUT


Inject Invalid Inputs (cont.)

  • How to inject

    Insert the injection code between the TE (TTCN-3 Executable) and the CD (CoDec)

    [Figure: TE → CD Req → Inject → CD Prv → CD: encode. The Inject hook sits on the path from the TE to the CD and applies the Mutation Operator to the value before the CD encodes it.]

Test Verdict

  • The problem

    • The response of the SUT can’t be predicted when an invalid input is injected

  • The solution

    • Each injection of an invalid input is followed by a positive test case that is defined in the conformance or functional test suite


Test Verdict (cont.)

  • Each test case includes 3 parts:

    • Inject an invalid input

    • Cancel the current transaction (if needed)

      Ignore the response of the SUT

    • Execute a positive test case

      Determine whether a failure has occurred

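The three-part test case from the Test Verdict slides, run against the clear-text login protocol from the Simple Fuzz Example, as an added example (not the authors' TTCN-3 test suite). The in-memory SUT is constructed: it stops answering after any over-long line, standing in for a crash, so only the positive test case that follows the injection decides the verdict.

```python
# Constructed stand-in for the deck's clear-text login protocol. It "crashes"
# (stops answering) on any line longer than 256 characters, imitating the buffer
# overflow a fuzzer is meant to detect; the format-string case is absorbed.
class FakeServer:
    def __init__(self):
        self.alive = True
        self.state = "start"

    def cancel(self):
        """Abort the current transaction (step 2 of the deck's test case)."""
        self.state = "start"

    def send(self, line: str) -> str:
        if not self.alive:
            return ""                      # a crashed SUT answers nothing
        if len(line) > 256:
            self.alive = False             # simulated memory-safety crash
            return ""
        if line.startswith("user "):
            self.state = "user"
            return "user OK. Provide pass.\r\n"
        if line.startswith("pass ") and self.state == "user":
            self.state = "logged_in"
            return "Login successful. Proceed.\r\n"
        return "error\r\n"

# Positive case taken from the deck's protocol walk-through: each stimulus
# with the response a healthy SUT must give.
POSITIVE_CASE = [
    ("user jared\r\n", "user OK. Provide pass.\r\n"),
    ("pass mylamepasswd\r\n", "Login successful. Proceed.\r\n"),
]

def run_fuzz_case(sut: FakeServer, invalid_input: str) -> str:
    """Three-part fuzz test case: inject, cancel, then a positive test whose
    outcome alone decides the verdict ("pass" or "fail")."""
    sut.send(invalid_input)                # 1. inject; the response is ignored
    sut.cancel()                           # 2. cancel the current transaction
    for stimulus, expected in POSITIVE_CASE:  # 3. positive test case
        if sut.send(stimulus) != expected:
            return "fail"                  # SUT no longer behaves normally
    return "pass"

def demo() -> dict:
    """Verdicts for the deck's test cases 1 and 2 (50000 0xFF bytes; 12 %n)."""
    return {
        "buffer_overflow": run_fuzz_case(FakeServer(), "us" + "\xff" * 50000 + "er jared\r\n"),
        "format_string": run_fuzz_case(FakeServer(), "user ja" + "%n" * 12 + "red\r\n"),
    }
```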

Evaluation

  • SUT

    • Implementations of SIP

    • Three popular softphones:

      • Linphone

        1.7.1 with libosip2 2.2.2

      • SJphone

        For Windows XP SP2, 1.65.377a

      • X-Lite

        2.0, Win32-1103m-14262


The Number of Test Cases

  • How many TCs have been generated

    • Focusing on INVITE

    • Based on the ETSI standardized SIP conformance test suite

    • 429 test cases have been generated


Results

  • Linphone

    • 3 test cases caused crashes

      • …via.viaBody.0.viaParams.0.paramValue

      • …fromField…userOrTelephoneSubscriber

      • …fromField…hostPort.host

  • SJphone

    • 1 test case caused crash

      • …contentLength.len

  • X-Lite

    • No crash

    • One line was not released


Outline

  • Background

  • Fuzzing in TTCN-3

  • Summary


Summary

  • How TTCN-3 resolves the contradiction between Intelligent & Generic

    • A TTCN-3 conformance or functional test suite specifies the syntax structure of the valid inputs, which our fuzzer can reuse

      —Intelligent

    • Because the syntax structure definitions are independent of the message encoding rules, the mutation operators can work at the syntax level instead of the bit level

      —Generic


Thanks!
