The Intelligent Fuzzing in TTCN-3
Xu Luo, Wu Ji, Liu Chao
Software Engineering Institute
Beihang University
http://www.sei.buaa.edu.cn
Outline
Background
Fuzzing in TTCN-3
Summary
Outline
Background
Definition of Fuzzing
Fuzzer Types
Fuzzing in TTCN-3
Summary
Definition
Fuzzing — a highly automated testing technique that covers numerous boundary cases using invalid data (from files, network protocols, API calls, and other targets) as application input to better ensure the absence of exploitable vulnerabilities.
The term comes from modem applications’ tendency to fail due to random input caused by line noise on “fuzzy” telephone lines.
Simple Fuzz Example
SUT: Fake Clear Text Protocol
[Client] -> "user jared\r\n"
"user OK. Provide pass.\r\n" <- [Server]
[Client] -> "pass mylamepasswd\r\n"
"Login successful. Proceed.\r\n" <-[Server]
[Client] -> "list file 1\r\n"
...
Simple Fuzz Example (cont.)
Test case 1
[Client] -> "us<50000 \xff's>er jared\r\n"
Test case 2
[Client] -> "user ja<12 %n's>red\r\n"
Test case 3
[Client] -> "user jared\r\n"
"user OK. Provide pass.\r\n" <- [Server]
[Client] -> "\x04\x98\xbb\x...\r\n"
Fuzzer Classification
Generation Method
Generation
Mutation
Knowledge of Inputs
Random
Intelligent
Scope of SUT
Specialized Fuzzer
Generic Fuzzer
Intelligent vs. Generic
The contradiction between the two:
Intelligent: needs knowledge of the SUT
Generic: independent of a specific SUT
How to resolve the contradiction: TTCN-3
Outline
Background
Fuzzing in TTCN-3
Our Purpose
Architecture
Details
Summary
Our Purpose
Develop a Generic Fuzzer
Based on TTCN-3
Using the Knowledge of the Input Format
— Intelligent
Applying Data Mutation Approach
— Mutation
Capture Valid Input
Input:
TTCN-3 ATS
Output:
TTCN-3 Value
With its syntax
Purpose:
Instance of Valid Input
As seed to generate Invalid Inputs
Syntax Information
Needed by the Intelligent mutation
Capture Valid Input (cont.)
How to capture
Insert the capture code between the TE (Test Executable) and the CD (Codec)
[Diagram: Valid Input → TE → CD Required interface → Capture → CD Provided interface → CD (encode). The capture hook sits between the TE and the CD and records the valid input, with its syntax, before it is encoded.]
Intelligent Mutation
Input:
TTCN-3 value
With its syntax
Mutation Strategy
Output:
<Field, Mutation Operator>s
Purpose:
Generate Mutation Operators
One mutation operator → One field
Intelligent Mutation (cont.)
How to mutate (intelligently)
Type-Sensitive Mutation
Choose mutation operators according to the
type of the data being mutated
Attack Heuristics
Design mutation operators according to the
stored invalid inputs that have previously
been known to expose software
vulnerabilities
Attack Heuristics
Buffer Overflow
[Client] -> "us<50000 \xff's>er jared\r\n"
Format String Attack
[Client] -> "user ja<12 %n's>red\r\n"
Inserting Special Characters
[Client] -> "user ja<1342 \x00's>red\r\n"
Integer Overflow
0x00, 0x0000, 0x00000000
0xFF, 0xFFFF, 0xFFFFFFFF
……
Type-Sensitive Mutation
Supported TTCN-3 Types
Basic Types
BOOLEAN
Reverse
INTEGER
Boundary, Integer Overflow, ++, --
CHARSTRING, OCTETSTRING
Null, Buffer Overflow, Format String Attack
……
Type-Sensitive Mutation (cont.)
Supported TTCN-3 Types
Structured Types
RECORD, SET
Remove optional fields
RECORD_OF, SET_OF
Remove elements,
Duplicate elements,
Change the order of elements
ENUMERATED
Choose other value
……
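The three slides above (the captured value "with its syntax", the attack heuristics, and the type-sensitive operator table) describe one mechanism, so here is an added, self-contained Python example of it. It is not code from the paper or from any TTCN-3 tool: the Node class is a constructed stand-in for the value the capture hook records between TE and CD, the operator names and the SIP-like field names in sample_request are assumptions for illustration, and the heuristic payloads are the ones named on the slides. The point it shows is the rule "one mutation operator → one field": the plan enumerates every <field, operator> pair the syntax permits, and each mutation touches exactly one field of a copy of the seed.

```python
import copy
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

@dataclass
class Node:
    """Captured value plus its syntax: each node carries its TTCN-3 type (constructed
    stand-in for what the capture hook between TE and CD records)."""
    ttype: str                     # BOOLEAN, INTEGER, CHARSTRING, OCTETSTRING, ENUMERATED, RECORD, RECORD_OF
    value: Any                     # scalar, dict of Node (RECORD) or list of Node (RECORD_OF)
    optional: bool = False         # declared optional in the enclosing RECORD
    enum_values: Tuple[str, ...] = ()

Op = Callable[[Node], None]        # a mutation operator changes exactly one node in place

def _set(new_value: Any) -> Op:
    def op(n: Node) -> None: n.value = new_value
    return op

def _remove_key(name: str) -> Op:
    def op(n: Node) -> None: del n.value[name]
    return op

def _remove_index(i: int) -> Op:
    def op(n: Node) -> None: del n.value[i]
    return op

def _duplicate_index(i: int) -> Op:
    def op(n: Node) -> None: n.value.insert(i, copy.deepcopy(n.value[i]))
    return op

def _string_ops(n: Node) -> Dict[str, Op]:
    # Attack heuristics named on the slides: null, buffer overflow, format string, special characters.
    is_bytes = n.ttype == "OCTETSTRING"
    ff, nul, pct_n = (b"\xff", b"\x00", b"%n") if is_bytes else ("\xff", "\x00", "%n")
    head, tail = n.value[:2], n.value[2:]      # insert inside the field, as "us<...>er jared" does
    return {"null": _set(n.value[:0]),
            "buffer_overflow": _set(head + ff * 50000 + tail),
            "format_string": _set(head + pct_n * 12 + tail),
            "special_chars": _set(head + nul * 1342 + tail)}

def _integer_ops(n: Node) -> Dict[str, Op]:
    # Boundary values, ++/--, and the overflow constants 0xFF, 0xFFFF, 0xFFFFFFFF plus signed maxima.
    ops = {"increment": _set(n.value + 1), "decrement": _set(n.value - 1),
           "boundary_zero": _set(0), "boundary_negative": _set(-1)}
    for width in (8, 16, 32):
        ops[f"overflow_{width}"] = _set((1 << width) - 1)
        ops[f"signed_max_{width}"] = _set((1 << (width - 1)) - 1)
    return ops

def _record_of_ops(n: Node) -> Dict[str, Op]:
    ops: Dict[str, Op] = {}
    for i in range(len(n.value)):           # remove / duplicate each element, change the order
        ops[f"remove_{i}"], ops[f"duplicate_{i}"] = _remove_index(i), _duplicate_index(i)
    if len(n.value) > 1:
        ops["reverse_order"] = lambda m: m.value.reverse()
    return ops

# Type-sensitive dispatch: the operators offered for a node depend only on its TTCN-3 type.
OPERATORS: Dict[str, Callable[[Node], Dict[str, Op]]] = {
    "BOOLEAN": lambda n: {"reverse": _set(not n.value)},
    "INTEGER": _integer_ops,
    "CHARSTRING": _string_ops,
    "OCTETSTRING": _string_ops,
    "ENUMERATED": lambda n: {f"enum_{v}": _set(v) for v in n.enum_values if v != n.value},
    "RECORD": lambda n: {f"remove_{k}": _remove_key(k) for k, c in n.value.items() if c.optional},
    "RECORD_OF": _record_of_ops,
}

def mutation_plan(node: Node, path: str = "") -> List[Tuple[str, str]]:
    """Every <field, operator> pair for the tree; path "" denotes the root value."""
    plan = [(path, name) for name in OPERATORS[node.ttype](node)]
    if node.ttype == "RECORD":
        for name, child in node.value.items():
            plan += mutation_plan(child, f"{path}.{name}" if path else name)
    elif node.ttype == "RECORD_OF":
        for i, child in enumerate(node.value):
            plan += mutation_plan(child, f"{path}.{i}" if path else str(i))
    return plan

def mutate(root: Node, path: str, op_name: str) -> Node:
    """Apply one operator to one field of a deep copy; the captured seed stays intact."""
    mutated = copy.deepcopy(root)
    target = mutated
    for part in (path.split(".") if path else []):
        target = target.value[int(part)] if target.ttype == "RECORD_OF" else target.value[part]
    OPERATORS[target.ttype](target)[op_name](target)
    return mutated

def sample_request() -> Node:
    """Constructed seed loosely named after the SIP fields on the slides (not the ETSI type definitions)."""
    return Node("RECORD", {
        "method": Node("ENUMERATED", "INVITE", enum_values=("INVITE", "ACK", "BYE")),
        "via": Node("RECORD_OF", [Node("RECORD", {
            "host": Node("CHARSTRING", "pc.example.com"),
            "paramValue": Node("CHARSTRING", "z9hG4bK776", optional=True)})]),
        "contentLength": Node("RECORD", {"len": Node("INTEGER", 0)}, optional=True),
        "body": Node("OCTETSTRING", b"v=0", optional=True),
        "keepAlive": Node("BOOLEAN", True),
    })

if __name__ == "__main__":
    seed = sample_request()
    for field_path, op in mutation_plan(seed):
        print(f"{field_path or '<root>'}: {op}")
    print(len(mutation_plan(seed)), "invalid inputs, one per <field, operator>")
```

Because the operators act on the typed tree rather than on encoded bytes, the same plan applies whatever encoding rules the codec later uses, which is the "generic" half of the argument made in the summary; mutate() always returns a copy, so the valid seed can be reused for every test case.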
Inject Invalid Inputs
Input:
Test cases
Valid Inputs
Output:
Invalid Inputs
Procedure:
Apply a mutation operator to generate an invalid input from the instance of the valid input
The invalid input is then sent to the SUT
Inject Invalid Inputs (cont.)
How to inject
Insert the injection code between the TE (Test Executable) and the CD (Codec)
[Diagram: Mutation Operator → Inject; TE → CD Required interface → Inject → CD Provided interface → CD (encode). The injection hook sits between the TE and the CD and applies the mutation operator to the value before it is encoded.]
Test Verdict
The problem
The response of the SUT can’t be predicted when an invalid input is injected
The solution
Each injection of an invalid input is followed by a positive test case that is defined in the conformance or functional test suite
Test Verdict (cont.)
Each test case includes 3 parts:
1. Inject an invalid input
2. Cancel the current transaction (if needed)
The response of the SUT is not evaluated
3. Execute a positive test case
Determine whether a failure has occurred
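The verdict procedure on the two slides above is easy to get wrong (evaluating the SUT's reaction to the invalid input itself, or reusing a wedged SUT for the next case), so here is an added Python example of it run against the fake clear-text protocol from the "Simple Fuzz Example" slides. None of this is the paper's code: FakeServer is a constructed SUT that implements the login exchange shown on the slides and carries a simulated robustness defect (an over-long line stops it responding) so that the verdict logic has something to detect, "quit" is a constructed cancel command that the slides' protocol does not define, and the elided bytes of test case 3 ("\x...") are not filled in.

```python
from typing import List, Tuple

# Positive test case taken from the slides' clear-text protocol exchange.
LOGIN_POSITIVE_TC: List[Tuple[bytes, bytes]] = [
    (b"user jared\r\n", b"user OK. Provide pass.\r\n"),
    (b"pass mylamepasswd\r\n", b"Login successful. Proceed.\r\n"),
]

class FakeServer:
    """Constructed SUT for the slides' fake clear-text protocol. A line longer than
    MAX_LINE puts it into a simulated crashed state; "quit" (constructed) resets a session."""
    MAX_LINE = 1024

    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        self.expect = "user"
        self.user = b""

    def handle(self, line: bytes) -> bytes:
        if self.expect == "dead":                 # simulated crash: nothing answers any more
            return b""
        if len(line) > self.MAX_LINE:             # simulated robustness defect
            self.expect = "dead"
            return b""
        cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
        if cmd == b"quit":
            self.reset()
            return b"Bye.\r\n"
        if self.expect == "user" and cmd == b"user":
            self.user, self.expect = arg, "pass"
            return b"user OK. Provide pass.\r\n"
        if self.expect == "pass" and cmd == b"pass":
            self.expect = "cmd"
            return b"Login successful. Proceed.\r\n"
        return b"Error.\r\n"

def run_test_case(sut: FakeServer, invalid_input: List[bytes],
                  positive_tc: List[Tuple[bytes, bytes]] = LOGIN_POSITIVE_TC) -> str:
    """The three-part test case from the slides; returns the verdict "pass" or "fail"."""
    for line in invalid_input:                    # 1. inject the invalid input;
        sut.handle(line)                          #    its response is deliberately not evaluated
    sut.handle(b"quit\r\n")                       # 2. cancel the current transaction, response ignored
    for request, expected in positive_tc:         # 3. the positive test case decides the verdict
        if sut.handle(request) != expected:
            return "fail"
    return "pass"

# The three test cases shown on the slides; tc3 sends only the bytes the slide shows.
SLIDE_TEST_CASES: List[Tuple[str, List[bytes]]] = [
    ("tc1_buffer_overflow", [b"us" + b"\xff" * 50000 + b"er jared\r\n"]),
    ("tc2_format_string", [b"user ja" + b"%n" * 12 + b"red\r\n"]),
    ("tc3_binary_password", [b"user jared\r\n", b"\x04\x98\xbb\r\n"]),
]

def run_suite(cases: List[Tuple[str, List[bytes]]] = SLIDE_TEST_CASES) -> List[Tuple[str, str]]:
    """One fresh SUT instance per test case, as a harness would restart a crashed SUT."""
    return [(name, run_test_case(FakeServer(), lines)) for name, lines in cases]

if __name__ == "__main__":
    for name, verdict in run_suite():
        print(f"{name}: {verdict}")
```

With the constructed defect, only the first case fails: the over-long line stops the SUT, so the positive login test that follows gets no answer. The other two invalid inputs are tolerated, the cancel step returns the session to its initial state, and the same positive test case then passes, which is exactly why the verdict comes from the positive test case and not from the SUT's reaction to the invalid input.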
Evaluation
SUT
Implementations of SIP
Three popular softphones:
Linphone
1.7.1 with libosip2 2.2.2
SJphone
For Windows XP SP2, 1.65.377a
X-Lite
2.0, Win32-1103m-14262
The Number of Test Cases
How many TCs have been generated
Focusing on INVITE
Based on the ETSI standardized SIP conformance test suite
429 test cases have been generated
Results
Linphone
3 test cases caused crashes
…via.viaBody.0.viaParams.0.paramValue
…fromField…userOrTelephoneSubscriber
…fromField…hostPort.host
SJphone
1 test case caused crash
…contentLength.len
X-Lite
No crash
One line has not been released
Outline
Background
Fuzzing in TTCN-3
Summary
Summary
How TTCN-3 resolves the contradiction between Intelligent & Generic
A TTCN-3 conformance or functional test suite specifies the syntax structure of the valid inputs, which our fuzzer can use
— Intelligent
The syntax structure definitions are independent of the message encoding rules, so the mutation operators can work at the syntax level instead of the bit level
— Generic
Thanks!