sip robustness testing for large scale use
play

SIP Robustness Testing for Large-Scale Use OUSPG - PowerPoint PPT Presentation

Nov 08, 2023 •331 likes •443 views

Christian Wieser, Marko Laakso and Henning Schulzrinne SIP Robustness Testing for Large-Scale Use OUSPG [http://www.ee.oulu.fi/research/ouspg] Motivation Software vulnerabilities prevail: Fragile and insecure software continues to be a

  1. Christian Wieser, Marko Laakso and Henning Schulzrinne SIP Robustness Testing for Large-Scale Use OUSPG [http://www.ee.oulu.fi/research/ouspg]

  2. Motivation  Software vulnerabilities prevail: “Fragile and insecure software continues to be a major threat to a society increasingly reliant on complex software systems.” - Anup Ghosh [Risks Digest 21.30]  Our purpose: “To study, evaluate and develop methods of implementing and testing application and system software in order to prevent, discover and eliminate implementation level security vulnerabilities in a pro-active fashion. Our focus is on implementation level security issues and software security testing.” OUSPG [http://www.ee.oulu.fi/research/ouspg]

  3. Dominant security problems  From ICAT vulnerability statics Vulnerability Type 2003 2002 2001 2000 Input Validation Error 526 (52%) 661 (51%) 744 (49%) 359 (36%) (Boundary Condition Error) 81 (8%) 22 (2%) 51 (3%) 66 (7%) (Buffer Overflow) 236 (23%) 288 (22%) 316 (21%) 190 (19%) Access Validation Error 92 (9%) 121 (9%) 126 (8%) 168 (17%) Exceptional Condition Error 152 (15%) 117 (9%) 146 (10%) 119 (12%) Environment Error 3 (0%) 10 (1%) 36 (2%) 19 (2%) Configuration Error 49 (5%) 67 (5%) 74 (5%) 82 (8%) Race Condition 17 (2%) 22 (2%) 50 (3%) 21 (2%) Design Error 266 (26%) 407 (31%) 339 (26%) 166 (17%) Other 18 (2%) 2 (0%) 8 (1%) 14 (1%)  Dominance of “Input Validation Error” OUSPG [http://www.ee.oulu.fi/research/ouspg]

  4. Our approach - in a nutshell Today, thousands of gifted and patient, but uncoordinated monkeys are pounding different products in order to reveal vulnerabilities. Visual by http://www.PDImages.com Think of us as rather dumb monkeys using a monkey-machine and systematic methodology to eliminate the most trivial ones. OUSPG [http://www.ee.oulu.fi/research/ouspg]

  5. PROTOS project  Security Testing of Protocol Implementations  Results:  A novel (mini-simulation) vulnerability testing method developed  Several papers and test suites published  Continuation:  Spin-off company Codenomicon Ltd  OUSPG will continue with public research OUSPG [http://www.ee.oulu.fi/research/ouspg]

  6. c07-sip Robustness Test Suite  Applying the PROTOS approach in SIP  SIP matures from academic interest to an industry deployed protocol  Extending the work done in  SIP Torture Test Messages  RFC3261 compliant  Working on the awareness front  SIPit’s  Interaction during vulnerability process OUSPG [http://www.ee.oulu.fi/research/ouspg]

  7. c07-sip Design  Mutating SIP INVITE-requests to simulate attacks to the Software Under Test (SUT).  54 test groups  4527 test cases  Available as Java JAR-package  UDP as only injection vector  Teardown with  CANCEL/ACK messages  Valid-case as minimal instrumentation OUSPG [http://www.ee.oulu.fi/research/ouspg]

  8. c07-sip Results  Approach new to SIP scene  Alarming rates of failed subjects  Nine implementations (6 UA, 3 servers) tested  1 passed  8 failed in various test-groups  For demonstration purpose  2 working exploits “Hitting the Granny with a stick”? OUSPG [http://www.ee.oulu.fi/research/ouspg]

  9. Vulnerability Process  Vulnerability process: Phases  Development  Creating and wrapping-up the test-suite  Internally testing the available implementations  Pre-release  Involvement of neutral third party (in this case CERT/CC)  Notifying respective vendors of any vulnerabilities found  Distributing the test-suite to identified vendors implementing the chosen protocol  Vulnerability and advisory coordination  Grace period  Release  Deploying the test-suite for public perusal  Collecting feedback  Reiterating either with same or next protocol Development SiPit11 Pre-release SiPit12 Release t 2002-10-01 2002-11-01 2002-12-01 2003-01-01 2003-02-01 2003-03-01 OUSPG [http://www.ee.oulu.fi/research/ouspg]

  10. Summary  Noticeable amount of vulnerabilities found  Awareness on Implementation Level Vulnerabilities among vendors non equally distributed  Vulnerability process seems new to SIP community  Fair amount of interest  as of 2004-02: around 2500 test material downloads  Further information: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ OUSPG [http://www.ee.oulu.fi/research/ouspg]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MORO: a Cytoscape App for Relationship Analysis between Modularity and Robustness in Large-Scale

MORO: a Cytoscape App for Relationship Analysis between Modularity and Robustness in Large-Scale

MORO: a Cytoscape App for Relationship Analysis between Modularity and Robustness in Large-Scale Biological Networks Authors: Cong-Doan Truong , Tien-Dzung Tran and Yung-Keun Kwon 1 October 8, 2016 Contents l Motivation l Modularity and

285 views • 24 slides
E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale Information Access Technologies Evaluation and Testing Evaluation and Testing Noriko Kando Noriko Kando National Institute of Informatics, Japan

632 views • 61 slides
Factor Analysis for Multiple Testing : an R package for large-scale significance testing under

Factor Analysis for Multiple Testing : an R package for large-scale significance testing under

Background Factor Analysis for Multiple Testing The FAMT package procedure Concluding comments Factor Analysis for Multiple Testing : an R package for large-scale significance testing under dependence Maela Kloareg, Chlo Friguet & David

402 views • 24 slides
Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Automatic Detection of Performance Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and Intelligence Lab (SAIL) Queens University, Kingston, Canada Large scale systems need to satisfy performance constraints

822 views • 37 slides
EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF Outline

EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF Outline

EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF Outline Background on EMI certification and testing process: Role of Testing Infrastructure within Quality Assurance o Product Team (PT) centric

504 views • 19 slides
A Two-Level Toeplitz Model for Large-Scale Simultaneous Hypothesis Testing Dan Cervone Advisor:

A Two-Level Toeplitz Model for Large-Scale Simultaneous Hypothesis Testing Dan Cervone Advisor:

Empirical Bayes Methods for Simultaneous Hypothesis Testing Estimating Level II Covariance Matrix Data Results Conclusion A Two-Level Toeplitz Model for Large-Scale Simultaneous Hypothesis Testing Dan Cervone Advisor: Carl Morris December

414 views • 24 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions

Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions

Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions at 0.99 c , and observe the decay products. Images: CERN; Chaix & Morel et associs David Cock | 19. September 20 | 2 16 Programmers

539 views • 24 slides
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han , Byunggil Joe, Byoungyoung Lee * , Chengyu Song , Insik Shin KAIST, * Purdue, UCR 1 Memory error glibc: getaddrinfo Heartbleed Shellshock

659 views • 47 slides
Different kinds of robustness in genetic and metabolic networks Peter Schuster Institut fr

Different kinds of robustness in genetic and metabolic networks Peter Schuster Institut fr

Different kinds of robustness in genetic and metabolic networks Peter Schuster Institut fr Theoretische Chemie und Molekulare Strukturbiologie der Universitt Wien Seminar lecture Linz, 15.12.2003 Genomics and proteomics Large scale data

1.29k views • 109 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Inference following aggregate-level hypothesis testing in large scale genomic data Ruth Heller

Inference following aggregate-level hypothesis testing in large scale genomic data Ruth Heller

Inference following aggregate-level hypothesis testing in large scale genomic data Ruth Heller www.math.tau.ac.il/ ruheller Joint work with Nilanjan Chatterjee, Abba Krieger, and Jianxin Shi Ruth Heller (TAU) Inference following

638 views • 28 slides
Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is

Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is

Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is a serious problem Key issue: Squaring a large number produces a huge number A few wildly mismatch points can throw off R, t Fixes:

153 views • 12 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author:

AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author:

AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author: Filippo Tilaro Supervised by: Brice Copy Overview Scope & Objectives IT & Industrial Security Model Security Metrics & Testing

327 views • 15 slides
EP 222: Classical Mechanics - Lecture 12 Dipan K. Ghosh Indian Institute of Technology Bombay

EP 222: Classical Mechanics - Lecture 12 Dipan K. Ghosh Indian Institute of Technology Bombay

EP 222: Classical Mechanics - Lecture 12 Dipan K. Ghosh Indian Institute of Technology Bombay dipan.ghosh@gmail.com Dipan K. Ghosh EP 222: Classical Mechanics - Lecture 12 August 17, 2014 Review of Lecture 11: Concept of Symmetry We discussed

511 views • 16 slides
Sensitivity of T2HKK to non-standard flavor-dependent interactions Osamu Yasuda Tokyo

Sensitivity of T2HKK to non-standard flavor-dependent interactions Osamu Yasuda Tokyo

Sensitivity of T2HKK to non-standard flavor-dependent interactions Osamu Yasuda Tokyo Metropolitan University Sep. 26, 2017 WG5, NuFact 2017@ Uppsala, Sweden 1/31 Contents of this talk 1. Introduction 2. Nonstandard Interaction in

493 views • 33 slides
Domain Modeling in a Functional World some real life experiences Monday 18 June 12 Debasish

Domain Modeling in a Functional World some real life experiences Monday 18 June 12 Debasish

Domain Modeling in a Functional World some real life experiences Monday 18 June 12 Debasish Ghosh @debasishg on Twitter code @ http://github.com/debasishg blog @ Ruminations of a Programmer http://debasishg.blogspot.com Monday 18 June 12

1.17k views • 88 slides
CS11001/CS11002 Programming and Data Structures Autumn/Spring Semesters Introduction Department

CS11001/CS11002 Programming and Data Structures Autumn/Spring Semesters Introduction Department

Introduction Title page CS11001/CS11002 Programming and Data Structures Autumn/Spring Semesters Introduction Department of Computer Science & Engineering Indian Institute of Technology, Kharagpur Last modified: July 8, 2010 Introduction

1.38k views • 115 slides
Zero Emissions MHDVs The Transformation is Accelerating C o l o ra d o E n e rg y Re s e a rc h

Zero Emissions MHDVs The Transformation is Accelerating C o l o ra d o E n e rg y Re s e a rc h

Zero Emissions MHDVs The Transformation is Accelerating C o l o ra d o E n e rg y Re s e a rc h C o l l a b o ra t o r y We b i n a r J u l y 1 4 2 0 2 0 Freight fuel consumption and GHGs are forecasted to grow four- fold through 2050 and

251 views • 13 slides
Welcome to STAT100A! Instructor: Lauren Cappiello, M.S. July 29, 2019 July 29, 2019 1 / 61

Welcome to STAT100A! Instructor: Lauren Cappiello, M.S. July 29, 2019 July 29, 2019 1 / 61

Welcome to STAT100A! Instructor: Lauren Cappiello, M.S. July 29, 2019 July 29, 2019 1 / 61 Welcome! A little about me: Why statistics? What else do I do? Intro July 29, 2019 2 / 61 Administrative Business Course Website:

991 views • 61 slides
INFLAMMATION Dr. Jinal Chaudhary Dr. Jinal Chaudhary Assistant Professor Assistant Professor

INFLAMMATION Dr. Jinal Chaudhary Dr. Jinal Chaudhary Assistant Professor Assistant Professor

INFLAMMATION Dr. Jinal Chaudhary Dr. Jinal Chaudhary Assistant Professor Assistant Professor Department of Pharmacy Practice Pharmacy Practice Department of Inflammation Definition A dynamic process of chemical and cytological

2.31k views • 188 slides
Gen 49:27, Benjamin is a ravenous wolf; in the morning he shall devour the prey, and at night

Gen 49:27, Benjamin is a ravenous wolf; in the morning he shall devour the prey, and at night

Gen 49:27, Benjamin is a ravenous wolf; in the morning he shall devour the prey, and at night he shall divide the spoil. Gen 49:28, All these are the twelve tribes of Israel, and this is what their father spoke to them. And he blessed

654 views • 8 slides

More recommend