Protocol Security Testing best practice
A way to do security testing of network protocols (DNS, TCP/IP, etc.) using fuzz testing.
  • 1. Liang Gao (
  • 2. 214-748-3647
      * Most popular phone number in the US
      * Largest 32-bit signed number
      * Stored phone number in a signed 32 bits and didn't check buffer overflow
  • 3.
      * Boundary value testing ensures proper functionality at the boundary (or edges) of allowable data input. Boundary values include maximum, minimum, just inside/outside boundary, typical values, and error (malformed) values.
      * Looking for problems in error handling, mainly in protocol parsing code
  • 4.
      1. Value Boundary Testing
      2. Logic Boundary Testing
      3. Performance Boundary Testing
  • 5. 6
  • 6.
      * Create a reasonable number of malformed packets to cover all PDUs and all fields in PDUs with enough boundary values.
      * Individual fields boundary check
          - Vary each field of a PDU with boundary values
          - Cover all fields in a PDU
      * Combination fields boundary check
          - Vary multiple fields in a PDU with boundary values at the same time.
  • 7. Boundary Testing Test Case Explosion
      * Theoretically we want to test code against all possible combinations with all values in a packet.
      * A minimum size OSPF Hello PDU alone has 18 fields and is 234 bits long, for a total of 2^234 possible packets.
      * The OSPF protocol has 5 types of LSAs, 4 types of PDUs.
      * Almost impossible to cover.
  • 8. Structured approach (major effort): build malformed packets as smart as possible
      * For each field, we want to try at least 5 values: maximum value; maximum value + 1 (if possible); minimum value; minimum value - 1 (if possible); invalid value
      * For a minimum size OSPF Hello PDU, we want to test 8 fields, for a total of 5^8 = 390,625 packets
      * Bounded by the tester's best knowledge of the protocol
      * Conclusion: protocol fuzzing tool + extensions
  • 9. Unstructured approach (supplementary effort): build as many packets as possible
      * Unstructured randomization testing: randomize all fields in a PDU at the same time and test for a long period of time.
      * Simple, low effort; can run in the background while working on the structured approach.
      * Not bounded by the tester's knowledge. Billion packets march?
  • 10. 13
  • 11.
      1. Value Boundary Testing
      2. Logic Boundary Testing
      3. Performance Boundary Testing
  • 12. 15
  • 13. 16
  • 14.
      * Most likely protocol dependent
      * Creative attacking involved
      * An attack tree structure approach
          - draft-convery-bgpattack-01.txt
          - draft-jones-OSPF-vuln-01.txt
  • 15. Set up the Atomic Goals
      * Compromise MD5 authentication
      * Establish an unauthorized OSPF neighbor with an OSPF router
      * Originate an unauthorized prefix into the OSPF neighbor route table
      * Change the path preference of a prefix
      * Conduct denial/degradation of service against the OSPF process
      * Tear down an OSPF neighbor
      * Spoof/hijack an OSPF neighbor
      * Forge/spoof an OSPF LSA
  • 16. Forge/Spoof LSA: Attack
      * Sequence Number ++ Attack
      * MaxAge Attack
      * MaxSeq Number Attack
      * Link State ID Attack
      * Max Age Different Attack
      * RFC State Machine Attack
  • 17.
      1. Value Boundary Testing
      2. Logic Boundary Testing
      3. Performance Boundary Testing
  • 18. How does the box perform when the protocol is under attack?
      * CPU Usage (Process, Interrupt)
      * Transit Packet Loss
      * Latency
      * Attacked Interface Packet Transit Packet Loss
      * Memory Usage
      * Routing protocol convergence
  • 19. 22
  • 20. 23
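
The value-boundary enumeration from slides 6 to 8, as an added example that is not part of the original deck: it builds the five boundary classes per field, then compares the individual-field case count with the combination count and the slide's nominal 5^8 bound. The field table, valid ranges, invalid picks and baseline are constructed assumptions (widths follow the OSPFv2 header and Hello layout), and `encode` serialises only these 8 fields, not a full PDU.

```python
from math import prod

# Constructed field table, not from the slides: (name, bits, valid_min, valid_max, invalid).
# Widths follow the OSPFv2 header/Hello layout; ranges and invalid picks are assumptions.
FIELDS = [
    ("packet_length",        16, 44, 1500,       0),
    ("network_mask",         32, 0,  0xFFFFFFFF, 0xFF00FF00),  # non-contiguous mask
    ("hello_interval",       16, 1,  0xFFFF,     None),
    ("options",               8, 0,  0xFF,       None),
    ("router_priority",       8, 0,  0xFF,       None),
    ("router_dead_interval", 32, 1,  0xFFFFFFFF, None),
    ("designated_router",    32, 0,  0xFFFFFFFF, None),
    ("backup_dr",            32, 0,  0xFFFFFFFF, None),
]
# Constructed well-formed baseline that every test case starts from.
BASELINE = {"packet_length": 44, "network_mask": 0xFFFFFF00, "hello_interval": 10,
            "options": 0x02, "router_priority": 1, "router_dead_interval": 40,
            "designated_router": 0, "backup_dr": 0}

def boundary_values(bits, lo, hi, invalid):
    """Max, max+1, min, min-1, invalid; drop what the field cannot carry on the wire."""
    wire_max = (1 << bits) - 1
    out = []
    for v in (hi, hi + 1, lo, lo - 1, invalid):
        if v is not None and 0 <= v <= wire_max and v not in out:
            out.append(v)
    return out

def individual_cases():
    """Individual-field check: vary one field at a time, baseline everywhere else."""
    for name, bits, lo, hi, invalid in FIELDS:
        for v in boundary_values(bits, lo, hi, invalid):
            yield name, {**BASELINE, name: v}

def combination_count():
    """Combination check size: every boundary value of every field at the same time."""
    return prod(len(boundary_values(b, lo, hi, inv)) for _, b, lo, hi, inv in FIELDS)

def encode(case):
    """Serialise a case to big-endian wire bytes, field by field."""
    return b"".join(case[n].to_bytes(b // 8, "big") for n, b, *_ in FIELDS)

if __name__ == "__main__":
    cases = list(individual_cases())
    print(len(cases), "individual-field cases;", combination_count(), "combinations;",
          5 ** len(FIELDS), "nominal upper bound (5 values x 8 fields)")
    print(cases[1][0], encode(cases[1][1]).hex())
```

The "(if possible)" qualifier on slide 8 is what `boundary_values` enforces: a full-width field has no representable max + 1 or min - 1, so the real case count falls below the nominal five per field.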