Protocol Security Testing best practice


Published on

A way to do security testing on network protocol (DNS, TCP/IP etc) as fuzzy testing.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Protocol Security Testing best practice

  1. 1. Liang Gao (
  2. 2. 2 214-748-3647Most popularphone numberin US Largest 32 bitsigned number Store phonenumber in asigned 32 bitsand didn’t checkbuffer overflow
  3. 3. *Boundary value testing ensures properfunctionality at the boundary (or edges) orallowable data input. Boundary values includemaximum, minimum, just inside/outsideboundary, typical values, and error (malformedvalues).* Looking for problems in error handling, mainlyon protocol parsing code
  4. 4. 41. Value Boundary Testing2. Logic Boundary Testing3. Performance Boundary Testing
  5. 5. 6
  6. 6. 7*Create reasonable number of malformedpackets to cover all PDUs, all fields in PDUswith enough boundary values.*Individual fields boundary checkVary each field of PDU with boundary valuesCover all fields in a PDU*Combination fields boundary checkVary Multiple fields in a PDU with boundaryvalues the same time.
  7. 7. 10* Boundary Testing Test Case ExplosionTheoretically we want to test code against allpossible combinations with all values in a packet.* A minimum size OSPF Hello PDU along has 18fields, 234 bit long, totally 2234 possible packets.* OSPF protocol has 5 type of LSAs, 4 type of PDUs.* Almost impossible to cover.
  8. 8. 11Structured approach (major effort)Build Malformed Packet as smart as possible*For each field , we want to try at least 5 valuesMaximum value; Maximum value + 1 (if possible); Minimum valueMinimum value -1 (if possible); Invalid value*For a minimum size of OSPF Hello PDU, we want to test 8fields, totally 58 = 390,625 packets*Bounded to the best knowledge of a tester towards aprotocol*Conclusion – Protocol Fuzzing Tool + extensions
  9. 9. 12Un-Structured approach (supplement effort)Build as many packets as possible*Unstructured randomization Testing,randomize all fields in a PDU the same timeand test for a long period of time.*Simple, low effort, could be run at thebackground while working on the structuredapproach.*Not bounded to testers knowledge.Billion packets march?
  10. 10. 13
  11. 11. 141. Value Boundary Testing2. Logic Boundary Testing3. Performance Boundary Testing
  12. 12. 15
  13. 13. 16
  14. 14. 17*Most likely Protocol Dependent*Creative Attacking involved*An Attack Tree Structure Approachdraft-convery-bgpattack-01.txtdraft-jones-OSPF-vuln-01.txt
  15. 15. 18Setup the Atomic Goals* Compromise MD5 authentication* Establish unauthorized OSPF neighbor with a OSPF router* Originate unauthorized prefix into OSPF neighbor routetable* Change path preference of a prefix* Conduct denial/degradation of service against OSPF process* Tear down OSPF neighbor* Spoof/hijack a OSPF neighbor* Forge/Spoof OSPF LSA
  16. 16. 19Forge/Spoof LSA –Attack*Sequence Number ++ Attack*MaxAge Attack*MaxSeq Number Attack*Link State ID Attack*Max Age Different Attack*RFC State Machine Attack
  17. 17. 201. Value Boundary Testing2. Logic Boundary Testing3. Performance Boundary Testing
  18. 18. 21How box perform when protocol underattack?* CPU Usage (Process, Interrupt)* Transit Packet Loss* Latency* Attacked Interface Packet Transit Packet Loss* Memory Usage* Routing protocol convergence
  19. 19. 22
  20. 20. 23