protocol security testing best practice

Liang Gao ([email protected])

Upload: gaoliang641

Post on 24-May-2015


DESCRIPTION

A way to do security testing on network protocols (DNS, TCP/IP, etc.) using fuzz testing.

TRANSCRIPT

Page 1: Protocol Security Testing best practice

Liang Gao ([email protected])

Page 2: Protocol Security Testing best practice

214-748-3647: most popular phone number in the US

2,147,483,647: largest 32-bit signed number

Phone numbers were stored in a signed 32-bit integer without checking for overflow

Page 3: Protocol Security Testing best practice

* Boundary value testing ensures proper functionality at the boundaries (or edges) of allowable data input. Boundary values include maximum, minimum, just inside/outside the boundary, typical values, and error (malformed) values.

* Looking for problems in error handling, mainly in protocol parsing code

Page 4: Protocol Security Testing best practice


1. Value Boundary Testing

2. Logic Boundary Testing

3. Performance Boundary Testing

Page 5: Protocol Security Testing best practice
Page 6: Protocol Security Testing best practice


Page 7: Protocol Security Testing best practice

* Create a reasonable number of malformed packets to cover all PDUs and all fields in PDUs with enough boundary values.

* Individual fields boundary check
  * Vary each field of a PDU with boundary values
  * Cover all fields in a PDU

* Combination fields boundary check
  * Vary multiple fields in a PDU with boundary values at the same time

Page 8: Protocol Security Testing best practice
Page 9: Protocol Security Testing best practice
Page 10: Protocol Security Testing best practice

Boundary Testing Test Case Explosion

* Theoretically we want to test code against all possible combinations with all values in a packet.

* A minimum-size OSPF Hello PDU alone has 18 fields and is 234 bits long, for a total of 2^234 possible packets.

* The OSPF protocol has 5 types of LSAs and 4 types of PDUs.

* Almost impossible to cover.

Page 11: Protocol Security Testing best practice

Structured approach (major effort)

Build malformed packets as smart as possible

* For each field, we want to try at least 5 values:
  * Maximum value
  * Maximum value + 1 (if possible)
  * Minimum value
  * Minimum value - 1 (if possible)
  * Invalid value

* For a minimum-size OSPF Hello PDU, we want to test 8 fields, for a total of 5^8 = 390,625 packets

* Bounded by the tester's best knowledge of the protocol

* Conclusion: Protocol Fuzzing Tool + extensions
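The five-value rule and the individual versus combination field checks from the slides above, as an added Python example that is not part of the original presentation. The field set, valid ranges and baseline values are assumptions (the slides do not name the 8 fields), and `encode` packs only those fields, not a complete OSPF packet.

```python
from itertools import product
from typing import NamedTuple

class Field(NamedTuple):
    name: str
    bits: int   # width on the wire
    lo: int     # smallest valid value (assumed)
    hi: int     # largest valid value (assumed)
    base: int   # value in the well-formed baseline PDU (constructed)

FIELDS = [  # assumed set: the slides do not name the 8 fields they test
    Field("version", 8, 2, 2, 2),
    Field("packet_length", 16, 44, 0xFFFF, 44),
    Field("au_type", 16, 0, 2, 0),
    Field("network_mask", 32, 0, 0xFFFFFFFF, 0xFFFFFF00),
    Field("hello_interval", 16, 1, 0xFFFF, 10),
    Field("options", 8, 0, 0xFF, 2),
    Field("router_priority", 8, 0, 0xFF, 1),
    Field("router_dead_interval", 32, 1, 0xFFFFFFFF, 40),
]

def boundary_values(f: Field) -> list[int]:
    """Max, max+1, min, min-1, invalid; drop what the field width cannot encode."""
    cap = (1 << f.bits) - 1
    cands = (f.hi, f.hi + 1, f.lo, f.lo - 1, cap)  # all-ones as the invalid value
    return list(dict.fromkeys(v for v in cands if 0 <= v <= cap))

def encode(values: dict[str, int]) -> bytes:
    """Pack only the tested fields back to back in network byte order."""
    return b"".join(values[f.name].to_bytes(f.bits // 8, "big") for f in FIELDS)

def individual_cases():
    """Individual-field check: vary one field at a time against the baseline."""
    base = {f.name: f.base for f in FIELDS}
    for f in FIELDS:
        for v in boundary_values(f):
            yield f.name, v, encode({**base, f.name: v})

def combination_cases():
    """Combination check: Cartesian product of every field's boundary values."""
    names = [f.name for f in FIELDS]
    for combo in product(*(boundary_values(f) for f in FIELDS)):
        yield encode(dict(zip(names, combo)))

if __name__ == "__main__":
    n_ind, n_comb = len(list(individual_cases())), sum(1 for _ in combination_cases())
    print(n_ind, "individual;", n_comb, "combined; slide bound", 5 ** len(FIELDS))
```

With these assumed ranges the rule yields 23 single-field cases and 3,456 combined cases, below the 5^8 bound, because "+1" and "-1" values that do not fit the field width are dropped.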

Page 12: Protocol Security Testing best practice

Un-structured approach (supplementary effort)

Build as many packets as possible

* Unstructured randomization testing: randomize all fields in a PDU at the same time and test for a long period of time.

* Simple, low effort; can run in the background while working on the structured approach.

* Not bounded by the tester's knowledge. Billion packets march?

Page 13: Protocol Security Testing best practice


Page 14: Protocol Security Testing best practice


1. Value Boundary Testing

2. Logic Boundary Testing

3. Performance Boundary Testing

Page 15: Protocol Security Testing best practice


Page 16: Protocol Security Testing best practice


Page 17: Protocol Security Testing best practice

* Most likely protocol dependent

* Creative attacking involved

* An attack tree structure approach:
  * draft-convery-bgpattack-01.txt
  * draft-jones-OSPF-vuln-01.txt

Page 18: Protocol Security Testing best practice

Set up the Atomic Goals

* Compromise MD5 authentication
* Establish unauthorized OSPF neighbor with an OSPF router
* Originate unauthorized prefix into OSPF neighbor route table
* Change path preference of a prefix
* Conduct denial/degradation of service against OSPF process
* Tear down OSPF neighbor
* Spoof/hijack an OSPF neighbor
* Forge/Spoof OSPF LSA

Page 19: Protocol Security Testing best practice

Forge/Spoof LSA Attack

* Sequence Number ++ Attack

* MaxAge Attack

* MaxSeq Number Attack

* Link State ID Attack

* Max Age Different Attack

* RFC State Machine Attack

Page 20: Protocol Security Testing best practice


1. Value Boundary Testing

2. Logic Boundary Testing

3. Performance Boundary Testing

Page 21: Protocol Security Testing best practice

How does the box perform when the protocol is under attack?

* CPU Usage (Process, Interrupt)
* Transit Packet Loss
* Latency
* Attacked Interface Packet Transit Packet Loss
* Memory Usage
* Routing protocol convergence

Page 22: Protocol Security Testing best practice


Page 23: Protocol Security Testing best practice


Page 24: Protocol Security Testing best practice