Liang Gao (lgao@sigma-rt.com)
Protocol Security Testing best practice
A way to do security testing on network protocols (DNS, TCP/IP, etc.) as fuzz testing.

Transcript of "Protocol Security Testing best practice"

  1. Liang Gao (lgao@sigma-rt.com)
  2. 214-748-3647
     * Most popular phone number in the US
     * Largest 32-bit signed number
     * Stored phone numbers in a signed 32-bit value and didn't check for buffer overflow
  3. Boundary value testing ensures proper functionality at the boundary (or edges) of allowable data input. Boundary values include maximum, minimum, just inside/outside boundary, typical values, and error (malformed values). Looking for problems in error handling, mainly in protocol parsing code.
  4. (1) Value Boundary Testing; (2) Logic Boundary Testing; (3) Performance Boundary Testing
  6. Create a reasonable number of malformed packets to cover all PDUs and all fields in PDUs with enough boundary values.
     * Individual fields boundary check: vary each field of a PDU with boundary values; cover all fields in a PDU.
     * Combination fields boundary check: vary multiple fields in a PDU with boundary values at the same time.
  7. Boundary Testing Test Case Explosion
     * Theoretically we want to test code against all possible combinations of all values in a packet.
     * A minimum-size OSPF Hello PDU alone has 18 fields and is 234 bits long, for a total of 2^234 possible packets.
     * The OSPF protocol has 5 types of LSAs and 4 types of PDUs.
     * Almost impossible to cover.
  8. Structured approach (major effort): build malformed packets as smart as possible
     * For each field, we want to try at least 5 values: maximum value; maximum value + 1 (if possible); minimum value; minimum value - 1 (if possible); invalid value.
     * For a minimum-size OSPF Hello PDU, we want to test 8 fields, for a total of 5^8 = 390,625 packets.
     * Bounded by the tester's best knowledge of the protocol.
     * Conclusion: protocol fuzzing tool + extensions.
  9. Un-structured approach (supplementary effort): build as many packets as possible
     * Unstructured randomization testing: randomize all fields in a PDU at the same time and test for a long period of time.
     * Simple, low effort; can be run in the background while working on the structured approach.
     * Not bounded by the tester's knowledge. Billion packets march?
  11. (1) Value Boundary Testing; (2) Logic Boundary Testing; (3) Performance Boundary Testing
  14. Most likely protocol dependent. Creative attacking involved. An attack tree structure approach: draft-convery-bgpattack-01.txt, draft-jones-OSPF-vuln-01.txt.
  15. Set up the atomic goals
      * Compromise MD5 authentication
      * Establish an unauthorized OSPF neighbor with an OSPF router
      * Originate an unauthorized prefix into an OSPF neighbor's route table
      * Change the path preference of a prefix
      * Conduct denial/degradation of service against the OSPF process
      * Tear down an OSPF neighbor
      * Spoof/hijack an OSPF neighbor
      * Forge/spoof an OSPF LSA
  16. Forge/Spoof LSA Attack
      * Sequence Number ++ Attack
      * MaxAge Attack
      * MaxSeq Number Attack
      * Link State ID Attack
      * Max Age Different Attack
      * RFC State Machine Attack
  17. (1) Value Boundary Testing; (2) Logic Boundary Testing; (3) Performance Boundary Testing
  18. How does the box perform when the protocol is under attack?
      * CPU Usage (Process, Interrupt)
      * Transit Packet Loss
      * Latency
      * Attacked Interface Packet Transit Packet Loss
      * Memory Usage
      * Routing protocol convergence
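The structured approach from slides 6 and 8, as an added example that is not part of the original deck: it derives the five boundary candidates per field, drops the ones a fixed-width field cannot encode (the slide's "if possible"), and compares the individual-field and combination case counts against the 5^8 bound. The choice of these 8 fields, their valid ranges and baselines, and the constant router ID and mask are assumptions made for the example.

```python
import struct
from math import prod

# (name, field width in bits, valid_lo, valid_hi, baseline). Names and widths
# follow the OSPFv2 header/Hello layout; the valid ranges, baselines and the
# choice of these 8 fields are assumptions made for this example.
FIELDS = [
    ("version",        8,  2,  2,          2),
    ("type",           8,  1,  5,          1),
    ("packet_length",  16, 44, 0xFFFF,     44),
    ("autype",         16, 0,  2,          0),
    ("hello_interval", 16, 1,  0xFFFF,     10),
    ("options",        8,  0,  0xFF,       2),
    ("rtr_pri",        8,  0,  0xFF,       1),
    ("dead_interval",  32, 1,  0xFFFFFFFF, 40),
]

def boundary_values(width, lo, hi):
    """Max, max+1, min, min-1 and an invalid value (all-ones here), keeping
    only distinct values that the field can actually encode."""
    top = 2**width - 1
    kept = []
    for v in (hi, hi + 1, lo, lo - 1, top):
        if 0 <= v <= top and v not in kept:
            kept.append(v)
    return kept

VALUES = {name: boundary_values(w, lo, hi) for name, w, lo, hi, _ in FIELDS}
BASELINE = {name: base for name, *_, base in FIELDS}

def individual_cases():
    """Individual-field check: vary one field, hold the rest at baseline."""
    for name, values in VALUES.items():
        for v in values:
            yield {**BASELINE, name: v}

def combination_count():
    """Combination check: size of the full cross product over all fields."""
    return prod(len(v) for v in VALUES.values())

def encode(c):
    """Pack a case as a 44-byte OSPFv2 Hello with no neighbors. Router ID,
    area, mask and DR/BDR are constructed constants; checksum is left zero."""
    return struct.pack(">BBHIIHH8sIHBBIII", c["version"], c["type"],
        c["packet_length"], 0x0A000001, 0, 0, c["autype"], b"\0" * 8,
        0xFFFFFF00, c["hello_interval"], c["options"], c["rtr_pri"],
        c["dead_interval"], 0, 0)
```

With these ranges the individual check needs 26 packets and the full combination 8,640, well under the 390,625 bound, because fields whose valid range already spans the whole field width have no encodable max + 1 or min - 1.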