kif a stateful sip fuzzer
play

KiF: A stateful SIP Fuzzer Humberto J. Abdelnur - PowerPoint PPT Presentation

May 29, 2023 •479 likes •709 views

Introduction Assessing Framework Results & Future work KiF: A stateful SIP Fuzzer Humberto J. Abdelnur Humberto.Abdelnur@loria.fr Radu State Radu.State@loria.fr Olivier Festor Olivier.Festor@loria.fr Madynes team

  1. Introduction Assessing Framework Results & Future work KiF: A stateful SIP Fuzzer Humberto J. Abdelnur Humberto.Abdelnur@loria.fr Radu State Radu.State@loria.fr Olivier Festor Olivier.Festor@loria.fr Madynes team http://madynes.loria.fr LORIA-INRIA Lorraine, France July 20, 2007 1

  2. Introduction Assessing Framework Results & Future work Motivations Why VoIP? VoIP network are becoming widely spread VoIP traffic is transported over Internet Public network where access is granted to everyone Exposes it to security threats (e.g. DoS, Evasdropping, Hijacking) Major signaling protocols are SIP and H.323 No centralized smartness 2

  3. Introduction Assessing Framework Results & Future work Motivations Why Security? DoS just sending one packet “What if you are alone and dial 911 and no one answers?”. Die Hard 4 3

  4. Introduction Assessing Framework Results & Future work Overview SIP Functional Hierarchy SIP communication can be classified in: Dialogs: Kept between 2 entities Maintain a session state Transactions: Define the handshake for each request Messages: Individual data unit The sequence of transactions defines the current state of the entity 4

  5. Introduction Assessing Framework Results & Future work Fuzzing and beyond Fuzzing Emerged as a branch of Software Testing Important topic for black box testing Based in input data validation Random or invalid characters Malicious data (e.g. string formatters) Functional verification is marginal Main objective is to find possible potential vulnerabilities 5

  6. Introduction Assessing Framework Results & Future work Fuzzing and beyond General limitations Limitates fuzzing to just a bunch of modifications Random data-base crafted generation only Hard to estimate what will be the generated output Hard to estimate the expected answer Success evaluation depends only in crashed or NOT-crashed Unavailable to test specific states of the target (i.e. stateless) Capitalized experience from the past is not considered 6

  7. Introduction Assessing Framework Results & Future work Fuzzing and beyond General limitations Limitates fuzzing to just a bunch of modifications Random data-base crafted generation only Hard to estimate what will be the generated output Hard to estimate the expected answer Success evaluation depends only in crashed or NOT-crashed Unavailable to test specific states of the target (i.e. stateless) Capitalized experience from the past is not considered Proposing solutions to these issues became our challenge 6

  8. Introduction Assessing Framework Results & Future work Fuzzing around What to fuzz? Syntax fuzzing. Invalid messages may reveal vulnerabilities Consider which item of the message should be fuzzed Headers or input values may be fuzzed Think about which value should be the one to replace The new value may or may not be syntactically correct Behavioral fuzzing Unexpected messages may reveal vulnerabilities Decide what type of message to send Decide when to send the next message 7

  9. Introduction Assessing Framework Results & Future work Framework KiF: General Framework 8

  10. Introduction Assessing Framework Results & Future work Framework KiF: General Framework 8

  11. Introduction Assessing Framework Results & Future work Framework KiF: General Framework 8

  12. Introduction Assessing Framework Results & Future work Framework KiF: General Framework 8

  13. Introduction Assessing Framework Results & Future work Grammar overview An ABNF grammar Grammar components: Σ - Terminals (e.g. “Querry”, “Reply”, %x30-39) N - Non-Terminals (e.g. Method, Header, Digit) e 1 .. e n - Sequences e 1 /../e n - Choices e i,j - Repetitions Note the e may be any of the Grammar items 9

  14. Introduction Assessing Framework Results & Future work Syntax fuzzing Grammar inference Infer rules from a Context-Free Grammar (the use of an ABNF provides a complete knowledge of the messages syntax) Admits any grammar to create new fuzzers (i.e. genericity) Allows choosing the fields to fuzz (i.e. specificity to generate the crafted message) 10

  15. Introduction Assessing Framework Results & Future work Syntax fuzzing Syntax modifications Any existing reduction may be replaced (i.e. mutation or merging) Any grammar rule may be generated (i.e. generation from scratch) Statistic measures may influence the reduction of new rules (i.e. learning from the past) 11

  16. Introduction Assessing Framework Results & Future work Syntax fuzzing Fuzzer evaluator operations 5 operations were defined for replacing 1 Input a fixed string or randomly generated from a RegExp 2 Append a structure generated by another evaluator 3 Reduce from another rule defined 4 Reduce from a new rule defined on the fly 5 Generate a Function rule Semantic purposes Used for checksums, content lengths, etc. 12

  17. Introduction Assessing Framework Results & Future work Behavioral fuzzing Behavioral testing One induced state machine is used to supervise the testing Deduces the normal behavior of the target entity Another state machine may be provided as the scenario This will force the course of the testing 13

  18. Introduction Assessing Framework Results & Future work Evaluation impact Reporting errors If the reply messages are syntactically incorrect The type of transition does not match any of the possible one from the induced State Machine When a message other than the expected one in the scenario occurs (i.e. when the scenario is trying to avoid the normal proceedings, e.g. for registering) And when the device is not responding anymore 14

  19. Introduction Assessing Framework Results & Future work Time to play Tested devices All the 8 devices report vulnerabilities Remote DoS Asterisk ( PBX, SIP, H.323, PSTN, etc.) Tollfraud and DoS Cisco Callmanager 5.1 Remote DoS Cisco 7940 Remote DoS and auto-answering GrandStream GXV-3000 Remote DoS GrandStream BudgeTone 200 Remote DoS and String Overflows Linksys SPA941 String Overflow Thomson ST2020 Remote DoS Thomson ST2030 Thus, the vulnerabilities were related to: Just syntax fuzzing Others syntax fuzzing but state aware Some more were syntactically right but not corresponding to the current state 15

  20. Introduction Assessing Framework Results & Future work Time to play Cisco 7940 0-day Vulnerability DoS after sending 3 or either 10 messages All messages are SIP compliant Vulnerability reported in February 2007 Fix release expected to be in August 2007 16

  21. Introduction Assessing Framework Results & Future work Future work Future work Improve the learning capacity of the State Machine Measure the testing coverage Improve the evaluation of the impact of a message on the target Use Genetic Algorithms to improve the fuzzing for each devices Some devices just forward the data, they do not interpret it Some others are really strong for syntax validation However, semantic issues can be found 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit -

Mesos Go Stateful An Abstraction for frameworks running stateful workload Dhilip & Amit - PaaS Team, Huawei Contents Why Abstraction Available solution in Kubernetes Available solution in Mesos Mesos Go Stateful Design

492 views • 25 slides
Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11

Stateful access control using LSM CS547 Thomas Uphill Stateful access cont rol using LSM 11 December 2007 1 Why? Maintaining state allows for decisions to be made based on runtime conditions. State based policy can be more concise

576 views • 18 slides
Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly

Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly

Scalable Verification of Stateful Networks Aurojit Panda, Ori Lahav, Katerina Argyraki, Mooly Sagiv, Scott Shenker UC Berkeley, TAU, ICSI Roadmap Why consider stateful networks? The current state of stateful network verification?

1.31k views • 80 slides
IoTFu Fuzzer: Discovering Memo mory Corruptions in IoT Through App-based Fu Fuzzing Jiongyi

IoTFu Fuzzer: Discovering Memo mory Corruptions in IoT Through App-based Fu Fuzzing Jiongyi

IoTFu Fuzzer: Discovering Memo mory Corruptions in IoT Through App-based Fu Fuzzing Jiongyi Chen 1 , Wenrui Diao 2 , Qingchuan Zhao 3 , Chaoshun Zuo 3 , Zhiqiang Lin 3,4 , XiaoFeng Wang 5 , Wing Cheong Lau 1 , Menghan Sun 1 , Rongai Yang 1 , and

451 views • 22 slides
Probably the worlds best stateful traffic generation and analysis platform 2 1 2 4 5 3

Probably the worlds best stateful traffic generation and analysis platform 2 1 2 4 5 3

1 Probably the worlds best stateful traffic generation and analysis platform 2 1 2 4 5 3 OVERVIEW TYPES OF TESTS HARDWARE SOFTWARE KEY FEATURES LEARN MORE 3 OVERVIEW Vulcan generates stateful Ethernet traffic to analyze how

349 views • 34 slides
Stateful Services on DC/OS Santa Clara, California | April 23th 25th, 2018 Who Am I?

Stateful Services on DC/OS Santa Clara, California | April 23th 25th, 2018 Who Am I?

Stateful Services on DC/OS Santa Clara, California | April 23th 25th, 2018 Who Am I? Shafique Hassan Solutions Architect @ Mesosphere Operator 2 Agenda DC/OS Introduction and Recap Why Stateful Services on

583 views • 29 slides
Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org>

Fault tolerant stateful firewalling with GNU/Linux Pablo Neira Ayuso <pablo@netfilter.org> Proyecto Netfilter <pneira@us.es> University of Sevilla Outline Introduction: Stateless and stateful firewalls Fault-Tolerance

442 views • 21 slides
PCEP Extension for Stateful Inter-Domain Tunnels Olivier Dugeon & Julien Meuric (Orange Labs)

PCEP Extension for Stateful Inter-Domain Tunnels Olivier Dugeon & Julien Meuric (Orange Labs)

PCEP Extension for Stateful Inter-Domain Tunnels Olivier Dugeon & Julien Meuric (Orange Labs) Y. Lee (Huawei Technologies) D. Ceccarelli (Ericsson) draft-dugeon-pce-stateful-interdomain-02 Update since previous versions Version 00

942 views • 6 slides
Tes$ng Stateful and Dynamic Data Planes with FlowTest

Tes$ng Stateful and Dynamic Data Planes with FlowTest

Tes$ng Stateful and Dynamic Data Planes with FlowTest Seyed K. Fayaz, Vyas Sekar Mo$va$ng Scenario 1) Keep count of TCP connec$ons per host.

228 views • 6 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
Auto-Parallelizing Stateful Distributed Streaming Applica9ons Sco$

Auto-Parallelizing Stateful Distributed Streaming Applica9ons Sco$

Auto-Parallelizing Stateful Distributed Streaming Applica9ons Sco$ Schneider * , Mar9n Hirzel * , Bugra Gedik + and Kun-Lung Wu * * IBM Research

433 views • 22 slides
1 Breaking Barriers with HTML 5 Communication How to enable a stateful Web 2 Challenge If

1 Breaking Barriers with HTML 5 Communication How to enable a stateful Web 2 Challenge If

1 Breaking Barriers with HTML 5 Communication How to enable a stateful Web 2 Challenge If we were not restricted by the traditional limitations of HTTP, what type of Web applications would we build? 3 Speakers Jonas Jacobi

618 views • 35 slides
Dependent Type Theory of Stateful Higher-Order Functions Aleksandar Nanevski Harvard University

Dependent Type Theory of Stateful Higher-Order Functions Aleksandar Nanevski Harvard University

Dependent Type Theory of Stateful Higher-Order Functions Aleksandar Nanevski Harvard University joint with Greg Morrisett and Lars Birkedal TYPES 2006, Nottingham April 20, 2006 Dependent Type Theory of Stateful Higher-Order Functions p.

625 views • 44 slides
PAT HELLAND AND ME HOW TO BUILD STATEFUL DISTRIBUTED APPLICATIONS THAT CAN SCALE ALMOST INFINITELY

PAT HELLAND AND ME HOW TO BUILD STATEFUL DISTRIBUTED APPLICATIONS THAT CAN SCALE ALMOST INFINITELY

PAT HELLAND AND ME HOW TO BUILD STATEFUL DISTRIBUTED APPLICATIONS THAT CAN SCALE ALMOST INFINITELY PAT HELLAND AND ME SEAN T. ALLEN VP OF ENGINEERING AT WALLAROO LABS MEMBER OF THE PONY CORE TEAM AUTHOR OF STORM APPLIED LOVER OF FRENCH

876 views • 49 slides
GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework

GASPP: A GPU-Accelerated Stateful Packet Processing Framework Giorgos Vasiliadis, FORTH-ICS, Greece Lazaros Koromilas, FORTH-ICS, Greece Michalis Polychronakis,

949 views • 56 slides
Stateful Dataflow Multigraphs: A Data-Centric Model for Performance Portability on Heterogeneous

Stateful Dataflow Multigraphs: A Data-Centric Model for Performance Portability on Heterogeneous

spcl.inf.ethz.ch @spcl_eth Tal Ben-Nun , Johannes de Fine Licht, Alexandros-Nikolaos Ziogas, Timo Schneider, Torsten Hoefler Stateful Dataflow Multigraphs: A Data-Centric Model for Performance Portability on Heterogeneous Architectures This

738 views • 42 slides
CSS & i18n dos and donts when styling multilingual websites Gunnar Bittersmann

CSS & i18n dos and donts when styling multilingual websites Gunnar Bittersmann

CSS & i18n dos and donts when styling multilingual websites Gunnar Bittersmann brands4friends Road ahead 1. pitfalls when styling multilingual websites 2. whats new in CSS 3 3. whats not in CSS (yet?) Problem: word length Einige

330 views • 21 slides
Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner March 5, 2013 Attacks on

Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner March 5, 2013 Attacks on

Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner March 5, 2013 Attacks on Availability Denial-of-Service (DoS): preventing legitimate users from using a computing service We do though need to consider our threat model

1.09k views • 42 slides
2020 ASX Small and Mid-Cap Conference Delivering exceptional growth 9th September 2020

2020 ASX Small and Mid-Cap Conference Delivering exceptional growth 9th September 2020

2020 ASX Small and Mid-Cap Conference Delivering exceptional growth 9th September 2020 Disclaimer The material in this presentation has been prepared by SelfWealth Ltd and is general background information about SelfWealths activities

545 views • 11 slides
Ethics 2017 Charles M. Craig Presented: November 16, 2017 Your phones are muted. This

Ethics 2017 Charles M. Craig Presented: November 16, 2017 Your phones are muted. This

Welcome to our webinar! Ethics 2017 Charles M. Craig Presented: November 16, 2017 Your phones are muted. This allows a better recording. Q&A Process Ask questions in two ways: 1. During the webinar, use online chat feature

824 views • 39 slides
n TTC Topical Workshop -RF superconductivity: Pushing Cavity Performance Limits Fermilab, IL, USA

n TTC Topical Workshop -RF superconductivity: Pushing Cavity Performance Limits Fermilab, IL, USA

arXiv:1711.03077 To be published in Physical Review B n TTC Topical Workshop -RF superconductivity: Pushing Cavity Performance Limits Fermilab, IL, USA (2017) 1 The surface resistance of an SRF cavity is usually written as the summation of

1.06k views • 79 slides
Towards DoS-resistant Internet Architecture Prof. Mark Handley University College London

Towards DoS-resistant Internet Architecture Prof. Mark Handley University College London

Towards DoS-resistant Internet Architecture Prof. Mark Handley University College London Denial-of-Service Attacker attempts to prevent the victim from doing any useful work. Flooding Attacks Exploiting Software Weaknesses

319 views • 19 slides
Square Dancing in the Pure Braid Group 8 1 2 7 3 6 5 4 Jon McCammond U.C. Santa Barbara

Square Dancing in the Pure Braid Group 8 1 2 7 3 6 5 4 Jon McCammond U.C. Santa Barbara

Square Dancing in the Pure Braid Group 8 1 2 7 3 6 5 4 Jon McCammond U.C. Santa Barbara Dan Margalit U. Utah 1 The braid arrangement The (real) braid arrangement is the space of all n -tuples of distinct real numbers ( x 1 , x 2 , . .

714 views • 17 slides
USCIS Employment Number Use at Service Centers vs. District Offices FY 2017 - FY 2019 (October -

USCIS Employment Number Use at Service Centers vs. District Offices FY 2017 - FY 2019 (October -

USCIS Employment Number Use at Service Centers vs. District Offices FY 2017 - FY 2019 (October - March) 30,000 25,000 20,000 Adjustments of Status 15,000 10,000 5,000 0 FY 2017 FY 2018 FY 2017 FY 2018 FY 2017 FY 2018 E1 E2 E3

251 views • 4 slides

More recommend