Protocol Security Testing best practice

A way to do security testing on network protocols (DNS, TCP/IP, etc.) using fuzz testing.


  • 1. Liang Gao (
  • 2. 2 214-748-3647Most popularphone numberin US Largest 32 bitsigned number Store phonenumber in asigned 32 bitsand didn’t checkbuffer overflow
  • 3. *Boundary value testing ensures properfunctionality at the boundary (or edges) orallowable data input. Boundary values includemaximum, minimum, just inside/outsideboundary, typical values, and error (malformedvalues).* Looking for problems in error handling, mainlyon protocol parsing code
  • 4. 41. Value Boundary Testing2. Logic Boundary Testing3. Performance Boundary Testing
  • 6.
      * Create a reasonable number of malformed packets to cover all PDUs and all fields in PDUs with enough boundary values.
      * Individual fields boundary check
          - Vary each field of a PDU with boundary values
          - Cover all fields in a PDU
      * Combination fields boundary check
          - Vary multiple fields in a PDU with boundary values at the same time.
  • 7. Boundary Testing Test Case Explosion
      * Theoretically we want to test code against all possible combinations with all values in a packet.
      * A minimum-size OSPF Hello PDU alone has 18 fields and is 234 bits long, for a total of 2^234 possible packets.
      * The OSPF protocol has 5 types of LSAs and 4 types of PDUs.
      * Almost impossible to cover.
  • 8. Structured approach (major effort): build malformed packets as smartly as possible
      * For each field, we want to try at least 5 values:
          - Maximum value
          - Maximum value + 1 (if possible)
          - Minimum value
          - Minimum value - 1 (if possible)
          - Invalid value
      * For a minimum-size OSPF Hello PDU, we want to test 8 fields, for a total of 5^8 = 390,625 packets
      * Bounded by the tester's knowledge of the protocol
      * Conclusion – Protocol Fuzzing Tool + extensions
  • 9. Unstructured approach (supplementary effort): build as many packets as possible
      * Unstructured randomization testing: randomize all fields in a PDU at the same time and test for a long period of time.
      * Simple, low effort, can be run in the background while working on the structured approach.
      * Not bounded by the tester's knowledge.
      * Billion packets march?
  • 11.
      1. Value Boundary Testing
      2. Logic Boundary Testing
      3. Performance Boundary Testing
  • 14.
      * Most likely protocol dependent
      * Creative attacking involved
      * An attack tree structure approach
          - draft-convery-bgpattack-01.txt
          - draft-jones-OSPF-vuln-01.txt
  • 15. Set up the Atomic Goals
      * Compromise MD5 authentication
      * Establish unauthorized OSPF neighbor with an OSPF router
      * Originate unauthorized prefix into OSPF neighbor route table
      * Change path preference of a prefix
      * Conduct denial/degradation of service against OSPF process
      * Tear down OSPF neighbor
      * Spoof/hijack an OSPF neighbor
      * Forge/spoof OSPF LSA
  • 16. Forge/Spoof LSA – Attack
      * Sequence Number ++ Attack
      * MaxAge Attack
      * MaxSeq Number Attack
      * Link State ID Attack
      * Max Age Different Attack
      * RFC State Machine Attack
  • 17.
      1. Value Boundary Testing
      2. Logic Boundary Testing
      3. Performance Boundary Testing
  • 18. How does the box perform when the protocol is under attack?
      * CPU Usage (Process, Interrupt)
      * Transit Packet Loss
      * Latency
      * Attacked Interface Packet Transit Packet Loss
      * Memory Usage
      * Routing protocol convergence
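
The structured approach from the value boundary slides (five boundary values per field, individual versus combination checks), as an added example that is not part of the original deck. It builds test vectors for an OSPFv2 Hello offline and shows how many of the 5^8 theoretical combinations survive once unencodable and duplicate values are dropped. The eight fields chosen, their valid ranges, the baseline values and the all-ones "invalid" pick are assumptions made for this example.

```python
import math
import struct

# OSPFv2 common header + Hello body with no neighbors (RFC 2328 layout): 44 bytes.
FMT = "!BBHIIHHQIHBBIII"
ORDER = ["version", "type", "length", "router_id", "area_id", "checksum",
         "autype", "auth", "mask", "hello_int", "options", "rtr_pri",
         "dead_int", "dr", "bdr"]
# Constructed baseline: a well-formed Hello. Checksum is left 0; a real harness
# must recompute it per case or the device under test drops the packet unparsed.
BASE = dict(zip(ORDER, [2, 1, 44, 0x01010101, 0, 0, 0, 0, 0xFFFFFF00,
                        10, 0x02, 1, 40, 0, 0]))
# Assumed test plan: 8 fields as (width in bits, lowest valid, highest valid).
PLAN = {"version": (8, 2, 2), "type": (8, 1, 5), "length": (16, 44, 44),
        "autype": (16, 0, 2), "hello_int": (16, 1, 0xFFFF),
        "rtr_pri": (8, 0, 255), "dead_int": (32, 1, 0xFFFFFFFF),
        "mask": (32, 0, 0xFFFFFFFF)}

def boundary_values(bits, lo, hi):
    """Max, max+1, min, min-1 and an invalid pick, kept only if encodable."""
    top = (1 << bits) - 1                     # all-ones pattern, used as the invalid pick
    candidates = [hi, hi + 1, lo, lo - 1, top]
    return sorted({v for v in candidates if 0 <= v <= top})

def pack(fields):
    """Serialize a field dict into the 44-byte wire format."""
    return struct.pack(FMT, *(fields[name] for name in ORDER))

def individual_cases():
    """Individual field check: vary one field at a time against the baseline."""
    for name, spec in PLAN.items():
        for value in boundary_values(*spec):
            if value != BASE[name]:           # skip the unmodified packet
                yield name, value, pack({**BASE, name: value})

def combination_count():
    """Combination check: size of the cross product over all planned fields."""
    return math.prod(len(boundary_values(*spec)) for spec in PLAN.values())

if __name__ == "__main__":
    cases = list(individual_cases())
    print(f"individual cases: {len(cases)}")
    print(f"combination cases: {combination_count()} (upper bound 5^8 = {5 ** 8})")
    for name, value, packet in cases[:3]:
        print(f"{name}={value}: {packet.hex()}")
```

Fields whose valid range already spans the full bit width (router priority, network mask) contribute only two values each, which is where the "(if possible)" qualifier on the slide shrinks the matrix.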