protocol security testing best practice
DESCRIPTION
A way to do security testing of network protocols (DNS, TCP/IP, etc.) by fuzz testing.
TRANSCRIPT
Liang Gao ([email protected])
214-748-3647: the most popular phone number in the US
2,147,483,647: the largest 32-bit signed number
Stored the phone number in a signed 32-bit integer and didn't check for integer overflow
* Boundary value testing ensures proper functionality at the boundaries (edges) of allowable data input. Boundary values include maximum, minimum, just inside/outside the boundary, typical values, and error (malformed) values.
* Looking for problems in error handling, mainly in protocol parsing code
1. Value Boundary Testing
2. Logic Boundary Testing
3. Performance Boundary Testing
* Create a reasonable number of malformed packets to cover all PDUs, and all fields in each PDU, with enough boundary values.
* Individual field boundary check: vary each field of a PDU with boundary values, one field at a time; cover all fields in the PDU.
* Combination field boundary check: vary multiple fields of a PDU with boundary values at the same time.
* Boundary testing test-case explosion: theoretically we want to test the code against all possible combinations of all values in a packet.
* A minimum-size OSPF Hello PDU alone has 18 fields and is 234 bits long: 2^234 possible packets.
* OSPF has 5 types of LSA and 5 packet types (Hello, Database Description, Link State Request, Link State Update, Link State Acknowledgment).
* Almost impossible to cover.
Structured approach (major effort)
Build malformed packets as smartly as possible
* For each field, we want to try at least 5 values:
Maximum value; maximum value + 1 (if possible); minimum value;
minimum value - 1 (if possible); an invalid value
* For a minimum-size OSPF Hello PDU, if we want to test 8 fields that is 5^8 = 390,625 packets
* Bounded by the tester's knowledge of the protocol
* Conclusion: protocol fuzzing tool + extensions
Unstructured approach (supplementary effort)
Build as many packets as possible
* Unstructured randomization testing: randomize all fields in a PDU at the same time and test for a long period of time.
* Simple, low effort; can run in the background while working on the structured approach.
* Not bounded by the tester's knowledge. A billion-packet march?
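The structured per-field probes (maximum, maximum + 1, minimum, minimum - 1, invalid), the individual and combination field checks, and the unstructured all-fields randomization described above, as an added example that is not the deck's own tool or any particular fuzzer's code. It builds a minimum-size OSPFv2 Hello (24-byte OSPF header plus 20-byte Hello body with no neighbors, layout per RFC 2328) and recomputes the OSPF checksum on every generated packet, so the target actually parses the malformed field instead of discarding the packet at its checksum check. The "valid" range and invalid probe assumed for each field are this example's assumptions, not the deck's; function names (`boundary_values`, `individual_cases`, `combination_cases`, `random_case`) are hypothetical. Once max + 1 and min - 1 are dropped for fields that already span their whole wire width and duplicates are removed, most fields yield fewer than five probes, so the combination count this code reports is smaller than the deck's idealized 5^8.

```python
# Added example: boundary-value and random test-case generation for a minimum-size
# OSPFv2 Hello. Wire layout per RFC 2328 A.3.1/A.3.2; the "valid" ranges and the
# invalid probes below are this example's own assumptions, not the deck's.
import itertools
import math
import random
import struct
from typing import NamedTuple, Optional

class Field(NamedTuple):
    name: str
    fmt: str                       # struct code on the wire
    bits: int                      # wire width in bits
    vmin: int                      # smallest value assumed valid
    vmax: int                      # largest value assumed valid
    invalid: Optional[int] = None  # fits on the wire but violates the spec

U32 = 0xFFFFFFFF
# 24-byte OSPF header followed by the 20-byte Hello body with no neighbors listed.
FIELDS = [
    Field("version", "B", 8, 2, 2, 0),                   # OSPFv2 only
    Field("type", "B", 8, 1, 5, 0),                      # 1=Hello ... 5=LSAck
    Field("packet_length", "H", 16, 44, 0xFFFF, 0),
    Field("router_id", "I", 32, 1, U32, 0),              # 0.0.0.0 is not a router ID
    Field("area_id", "I", 32, 0, U32),
    Field("checksum", "H", 16, 0, 0xFFFF),
    Field("autype", "H", 16, 0, 2, 3),                   # 0 null, 1 simple, 2 crypto
    Field("authentication", "Q", 64, 0, (1 << 64) - 1),
    Field("network_mask", "I", 32, 0, U32, 0x00FFFFFF),  # non-contiguous mask
    Field("hello_interval", "H", 16, 1, 0xFFFF, 0),
    Field("options", "B", 8, 0, 0xFF),
    Field("rtr_pri", "B", 8, 0, 0xFF),
    Field("router_dead_interval", "I", 32, 1, U32, 0),
    Field("designated_router", "I", 32, 0, U32),
    Field("backup_designated_router", "I", 32, 0, U32),
]
FMT = ">" + "".join(f.fmt for f in FIELDS)   # packs to 44 bytes (even length)
# Well-formed baseline; every generated case is this packet with some fields replaced.
BASELINE = {
    "version": 2, "type": 1, "packet_length": 44, "router_id": 0x0A000001,
    "area_id": 0, "checksum": 0, "autype": 0, "authentication": 0,
    "network_mask": 0xFFFFFF00, "hello_interval": 10, "options": 0x02,
    "rtr_pri": 1, "router_dead_interval": 40, "designated_router": 0,
    "backup_designated_router": 0,
}

def boundary_values(f):
    """The deck's five probes: max, max+1, min, min-1, invalid; dropped if not representable."""
    wire_max = (1 << f.bits) - 1
    out = []
    for v in (f.vmax, f.vmax + 1, f.vmin, f.vmin - 1, f.invalid):
        if v is not None and 0 <= v <= wire_max and v not in out:
            out.append(v)
    return out

def ospf_checksum(pkt):
    """IP one's-complement checksum with the checksum field (offset 12) and the
    64-bit authentication field (offset 16) treated as zero, as RFC 2328 requires."""
    data = pkt[:12] + b"\x00\x00" + pkt[14:16] + b"\x00" * 8 + pkt[24:]
    s = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_hello(values, fix_checksum=True):
    """Pack a Hello. Unless the checksum is the field under test, recompute it so the
    target reaches the field parsers instead of dropping the packet at the checksum."""
    pkt = bytearray(struct.pack(FMT, *(values[f.name] for f in FIELDS)))
    if fix_checksum:
        struct.pack_into(">H", pkt, 12, ospf_checksum(bytes(pkt)))
    return bytes(pkt)

def checksum_ok(pkt):
    """What a receiver checks before parsing: stored checksum equals the recomputed one."""
    return struct.unpack_from(">H", pkt, 12)[0] == ospf_checksum(pkt)

def individual_cases():
    """Individual-field check: one field at a boundary value, every other field at baseline."""
    for f in FIELDS:
        for v in boundary_values(f):
            pkt = build_hello({**BASELINE, f.name: v}, fix_checksum=(f.name != "checksum"))
            yield f.name, v, pkt

def combination_count(names):
    """Size of the cross product for a chosen subset: the deck's 5^k after deduplication."""
    return math.prod(len(boundary_values(f)) for f in FIELDS if f.name in names)

def combination_cases(names):
    """Combination check: every boundary value of every chosen field at the same time."""
    chosen = [f for f in FIELDS if f.name in names]
    for combo in itertools.product(*(boundary_values(f) for f in chosen)):
        vals = {**BASELINE, **{f.name: v for f, v in zip(chosen, combo)}}
        yield build_hello(vals, fix_checksum="checksum" not in names)

def random_case(seed):
    """Unstructured approach: randomize every field at once; no protocol knowledge needed."""
    rng = random.Random(seed)
    return build_hello({f.name: rng.getrandbits(f.bits) for f in FIELDS})
```

Packets from `individual_cases()` and `combination_cases(...)` would be handed to whatever sender aims at the device under test (a raw socket with IP protocol 89, for instance); `random_case(seed)` is the unstructured supplement that can keep running in the background. Cases that vary the checksum field deliberately leave it unfixed, because there the checksum check itself is the code under test.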
1. Value Boundary Testing
2. Logic Boundary Testing
3. Performance Boundary Testing
* Most likely protocol dependent
* Creative attacking involved
* An attack tree approach: draft-convery-bgpattack-01.txt, draft-jones-OSPF-vuln-01.txt
Set up the atomic goals
* Compromise MD5 authentication
* Establish an unauthorized OSPF neighbor with an OSPF router
* Originate an unauthorized prefix into an OSPF neighbor's route table
* Change the path preference of a prefix
* Conduct denial/degradation of service against the OSPF process
* Tear down an OSPF neighbor
* Spoof/hijack an OSPF neighbor
* Forge/spoof an OSPF LSA
Forge/Spoof LSA attacks
* Sequence Number ++ Attack
* MaxAge Attack
* MaxSeq Number Attack
* Link State ID Attack
* Max Age Difference Attack
* RFC State Machine Attack
1. Value Boundary Testing
2. Logic Boundary Testing
3. Performance Boundary Testing
How does the box perform when the protocol is under attack?
* CPU usage (process, interrupt)
* Transit packet loss
* Latency
* Transit packet loss on the attacked interface
* Memory usage
* Routing protocol convergence