The Intelligent Fuzzing in TTCN-3
description
Transcript of The Intelligent Fuzzing in TTCN-3
![Page 1: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/1.jpg)
The Intelligent Fuzzing in TTCN-3
Xu Luo, Wu Ji, Liu Chao
Software Engineering InstituteBeihang University
http://www.sei.buaa.edu.cn
![Page 2: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/2.jpg)
Outline
Background Fuzzing in TTCN-3 Summary
![Page 3: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/3.jpg)
Outline
Background Definition of Fuzzing Fuzzer Types
Fuzzing in TTCN-3 Summary
![Page 4: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/4.jpg)
Definition Fuzzing —
A highly automated testing technique that covers numerous boundary cases using invalid data (from files, network protocols, API calls, and other targets) as application input to better ensure the absence of exploitable vulnerabilities.
From modem applications’ tendency to fail due to random input caused by line noise on “fuzzy” telephone lines.
![Page 5: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/5.jpg)
Simple Fuzz Example
SUT: Fake Clear Text Protocol[Client] -> "user jared\r\n"
"user OK. Provide pass.\r\n" <- [Server][Client] -> "pass mylamepasswd\r\n"
"Login successful. Proceed.\r\n" <-[Server][Client] -> "list file 1\r\n"
...
![Page 6: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/6.jpg)
Simple Fuzz Example (cont.)
Test case 1[Client] -> "us<50000 \xff's>er jared\r\n"
Test case 2[Client] -> "user ja<12 %n's>red\r\n"
Test case 3[Client] -> "user jared\r\n"
"user OK. Provide pass.\r\n" <- [Server][Client] -> "\x04\x98\xbb\x...\r\n"
![Page 7: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/7.jpg)
Fuzzer Classification Generation Method
Generation Mutation
Knowledge of Inputs Random Intelligent
Scope of SUT Specialized Fuzzer Generic Fuzzer
![Page 8: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/8.jpg)
Intelligent vs. Generic
The contradiction between … Intelligent
Needs the knowledge of SUT Generic
Independent of a specific SUT
How to resolve the contradictionTTCN-3
![Page 9: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/9.jpg)
Outline
Background Fuzzing in TTCN-3
Our Purpose Architecture Details
Summary
![Page 10: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/10.jpg)
Our Purpose
Develop a Generic Fuzzer Based on TTCN-3 Using the Knowledge of the Input Format
— Intelligent Applying Data Mutation Approach
— Mutation
![Page 11: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/11.jpg)
![Page 12: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/12.jpg)
Capture Valid Input Input:
TTCN-3 ATS Output:
TTCN-3 Value With its syntax
Purpose: Instance of Valid Input
As seed to generate Invalid Inputs Syntax Information
Needed by the Intelligent mutation
![Page 13: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/13.jpg)
Capture Valid Input (cont.)
How to captureInsert the capture code btw. TE & CD
TECD:
encode
CD Req CD Prv
Capture
Valid Input
![Page 14: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/14.jpg)
Intelligent Mutation Input:
TTCN-3 valueWith its syntax
Mutation Strategy Output:
<Field, Mutation Operator>s Purpose:
Generate Mutation OperatorsOne mutation operator → One field
![Page 15: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/15.jpg)
Intelligent Mutation (cont.)
How to mutate (intelligently) Type-Sensitive Mutation
Choose mutation operators according to the type of the data being mutated
Attack Heuristics Design mutation operators according to the
stored invalid inputs that have previously been known to expose software vulnerabilities
![Page 16: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/16.jpg)
Attack Heuristics Buffer Overflow
[Client] -> "us<50000 \xff's>er jared\r\n" Format String Attack
[Client] -> "user ja<12 %n's>red\r\n" Inserting Special Characters
[Client] -> "user ja<1342 \x00's>red\r\n" Integer Overflow
0x00, 0x0000, 0x000000000xFF, 0xFFFF, 0xFFFFFFFF
… …
![Page 17: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/17.jpg)
Type-Sensitive Mutation
Supported TTCN-3 Types Basic Types
BOOLEAN Reverse
INTEGER Boundary, Integer Overflow, ++, --
CHARSTRING , OCTETSTRING Null, Buffer Overflow, Format String Attack
… …
![Page 18: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/18.jpg)
Type-Sensitive Mutation (cont.) Supported TTCN-3 Types
Structured Types RECORD , SET
Remove optional fields RECORD_OF , SET_OF
Remove elements, Duplicate elements, Change the order of elements
ENUMERATED Choose other value
… …
![Page 19: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/19.jpg)
Inject Invalid Inputs Input:
Test cases Valid Inputs
Output: Invalid Inputs
Procedure: Applying mutation operator to generate invalid
input from the instance of the valid input The invalid input will be sent to SUT
![Page 20: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/20.jpg)
Inject Invalid Inputs (cont.)
How to injectInsert the injection code btw. TE & CD
TECD:
encode
CD Req CD Prv
Inject
Mutation Operator
![Page 21: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/21.jpg)
Test Verdict
The problem The response of SUT can’t be predicted
when an invalid input is injected The solution
Each time an invalid input is injected, followed with a positive test case that is defined in conformance or functional test suite
![Page 22: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/22.jpg)
Test Verdict (cont.)
Each test case includes 3 parts:1. Inject an invalid input2. Cancel current transaction (if needed)
Don’t care the response of SUT
3. Execute a positive test caseDetermine if a failure has occurred
![Page 23: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/23.jpg)
Evaluation
SUT Implementations of SIP Three popular softphones:
Linphone1.7.1 with libosip2 2.2.2
SJphoneFor windows XPsp2, 1.65.377a
X-Lite2.0, Win32-1103m-14262
![Page 24: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/24.jpg)
The Number of Test Cases
How many TCs have been generated Focusing on INVITE Based on the ETSI standardized SIP conform
ance test suite 429 test cases has been generated
![Page 25: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/25.jpg)
Results Linphone
3 test cases caused crashes …via.viaBody.0.viaParams.0.paramValue …fromField…userOrTelephoneSubscriber …fromField…hostPort.host
SJphone 1 test case caused crash
…contentLength.len X-Lite
No crash One line has not been released
![Page 26: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/26.jpg)
Outline
Background Fuzzing in TTCN-3 Summary
![Page 27: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/27.jpg)
Summary How TTCN-3 resolves the contradiction between
Intelligent & Generic TTCN-3 conformance or functional test suite specifies
the syntax structure of the valid inputs, which can be used by our fuzzer— Intelligent
The syntax structure definitions are independent of the message encoding rules, the mutation operators could work on the syntax level instead of bit level— Generic
![Page 28: The Intelligent Fuzzing in TTCN-3](https://reader034.fdocuments.in/reader034/viewer/2022051419/56815887550346895dc5e8ba/html5/thumbnails/28.jpg)
Thanks!