Data Fuzzing with TTCN-3
Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann, Jurgen Großmann, Martin Schneider
TTCN-3 User Conference 2012, Bangalore
Copyright Testing Technologies 2012. Confidential Information. All Rights Reserved. More Information at www.testingtech.com.
Authors
Testing Technologies: Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann
Fraunhofer FOKUS: Jurgen Großmann, Martin Schneider

This proposal was developed in the ITEA2 project DIAMONDS – Development and Industrial Application of Multi-Domain Security Testing Technologies
http://www.itea2-diamonds.org
Introduction
TTCN-3
- Is widely accepted in functional (protocol) testing in telecommunications
- Is being pushed into new areas like Intelligent Transport Systems (ITS) or Internet of Things (IoT)
- Is still fairly new to security testing

Fuzzing
- Automated and efficient black-box testing method for finding software flaws
- Monitors a system for exceptional behaviour (such as crashes or memory leaks) while stimulating it with large amounts of anomalous input data (random, invalid or unexpected)
- If the program fails, this indicates a bug in the software
- Is widely used for security testing

Security testing aspects are becoming more and more important in traditional TTCN-3 domains

Proposal of a Fuzz Extension Package for TTCN-3
Proposal – Fuzz Extension Package
- Concentration on data fuzzing: generating multiple variants to be sent can be realized via ordinary loop constructs
- New construct: fuzz function instance
  - Similar to an external function, but the call is delayed until a specific value is selected via send or valueof
  - A fuzz function may declare formal parameters
  - A fuzz function must declare a return type

fuzz function zf_UnicodeUtf8ThreeCharMutator(
  in template charstring param1) return charstring;
fuzz function zf_RandomSelect(in template integer param1) return integer;
Proposal – Fuzz Extension Package
- A fuzz function instance denotes a set of values
  - Can only occur in value templates
  - Used like a normal matching mechanism, "instead of values"
- A single value is selected in the event of
  - a sending operation
  - an invocation of the valueof() operation

template myType myData := {
  field1 := zf_UnicodeUtf8ThreeCharMutator(?),
  field2 := '12AB'O,
  field3 := zf_RandomSelect((1, 2, 3))
}

myPort.send(myData);
myPort.send(zf_UnicodeUtf8ThreeCharMutator(?));
var myType myVar := valueof(myData);
Seed
- Optional seed for the generation of random numbers
  - Used to determine the random selection
  - Allows repeatability of fuzzed test cases
- One seed per test component
- Two new predefined functions
  - To set the seed
  - To read the current seed value

setseed(in float initialSeed) return float;
getseed() return float;
TCI Extension – tciFuzzySelect
- Fuzz functions are implemented as a runtime extension of the TTCN-3 Test Control Interface (TCI): tciFuzzySelect()
- Called by the Test Environment (TE) for each fuzz function instance at the moment a template is sent or evaluated by use of valueof()
- To compute the concrete value, a randomized approach can be used, driven by the given seed
- External data fuzzers can be plugged in to achieve better results: intelligent application/protocol-based fuzzing with the Data Fuzzing Library
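The three mechanisms described on the preceding slides (a fuzz function instance that stays unresolved inside a template, resolution of each instance only when the template is sent or passed to valueof(), which is what the TE delegates to tciFuzzySelect(), and replay of a run via a per-component seed) can be modelled in a few lines. The following is an added example in Python written for this page; it is neither Testing Technologies' implementation nor the proposed TTCN-3 syntax. FuzzComponent, FuzzInstance, fuzz_run and the body given to zf_RandomSelect are hypothetical stand-ins, and the template values are constructed to mirror the myData example.

```python
import random
from dataclasses import dataclass
from typing import Any, Callable

# Added example: a hypothetical model of the proposed semantics, not the TCI implementation.


@dataclass(frozen=True)
class FuzzInstance:
    """A fuzz function instance inside a template: names the fuzz function and
    its (template) argument, but holds no concrete value until resolved."""
    name: str
    param: Any


class FuzzComponent:
    """Stand-in for a TTCN-3 test component: one seed and one PRNG per component,
    plus a registry of fuzz functions (the role tciFuzzySelect() plays in the TE)."""

    def __init__(self, initial_seed: float = 0.0) -> None:
        self._seed = initial_seed
        self._rng = random.Random(initial_seed)
        self._fuzzers: dict[str, Callable[[random.Random, Any], Any]] = {}

    def register(self, name: str, fn: Callable[[random.Random, Any], Any]) -> None:
        self._fuzzers[name] = fn

    def setseed(self, initial_seed: float) -> float:
        """Mirror of the proposed setseed(): reseeds the PRNG, returns the previous seed."""
        previous = self._seed
        self._seed = initial_seed
        self._rng = random.Random(initial_seed)
        return previous

    def getseed(self) -> float:
        return self._seed

    def valueof(self, template: Any) -> Any:
        """Resolve every FuzzInstance in a template to one concrete value.
        Plain fields pass through unchanged; nested records and lists are walked."""
        if isinstance(template, FuzzInstance):
            if template.name not in self._fuzzers:
                raise KeyError(f"no fuzz function registered for {template.name}")
            return self._fuzzers[template.name](self._rng, template.param)
        if isinstance(template, dict):
            return {k: self.valueof(v) for k, v in template.items()}
        if isinstance(template, (list, tuple)):
            return type(template)(self.valueof(v) for v in template)
        return template

    def send(self, template: Any) -> Any:
        """A send operation selects the values at the moment of sending, like valueof()."""
        return self.valueof(template)


def zf_RandomSelect(rng: random.Random, choices: Any) -> Any:
    """Hypothetical body for the slide's zf_RandomSelect: pick one of the listed values."""
    return rng.choice(list(choices))


# Constructed template mirroring the myData example: two fuzzed fields, one fixed octetstring.
MY_DATA = {
    "field1": FuzzInstance("zf_RandomSelect", ("GET", "PUT", "TRACE")),
    "field2": b"\x12\xab",
    "field3": FuzzInstance("zf_RandomSelect", (1, 2, 3)),
}


def fuzz_run(seed: float, count: int) -> list[dict]:
    """Send MY_DATA `count` times from a component seeded with `seed`;
    each send() resolves the fuzz instances afresh, the fixed field is untouched."""
    comp = FuzzComponent()
    comp.register("zf_RandomSelect", zf_RandomSelect)
    comp.setseed(seed)
    return [comp.send(MY_DATA) for _ in range(count)]


def is_repeatable(seed: float, count: int = 20) -> bool:
    """Two runs with the same seed must produce the same sequence of selected values,
    which is what makes a crashing fuzz case reproducible."""
    return fuzz_run(seed, count) == fuzz_run(seed, count)
```

The point of keeping the PRNG on the component rather than in the fuzz function is the one the slides make: a single setseed() call before the loop is enough to replay every selection of every fuzz function instance in the test case, so the seed is what you log next to a crash.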
tciFuzzySelect Synopsis
Data Fuzzing Library
- Makes traditional data fuzzing widely available
- Eases integration into tools without deep knowledge about fuzz data generation
- Allows data fuzzing without the need for
  - becoming familiar with a specific fuzzing tool
  - integrating further fuzzing tools into the test process
- Approach: don't reinvent the wheel, use the potential of existing fuzzing tools
  - Peach
  - Sulley
  - OWASP WebScarab
- Extract their fuzzing generators and operators into a library (reimplementation in Java)
Architecture
Generators and Operators

Peach:
  StringCaseMutator (O)
  UnicodeStringsMutator (G)
  UnicodeBomMutator (G)
  UnicodeBadUtf8Mutator (G)
  UnicodeUtf8ThreeCharMutator (G)
  StringMutator (G)
  PathMutator (G)
  HostnameMutator (G)
  FilenameMutator (G)
  BadIpAddress (G)
  BadNumbers (G)
  BadDate (G)
  BadTime (G)
  FiniteRandomNumbersMutator (G)
  Numerical Edge Case Mutator (G)
  Numerical Variance Mutator (O)

Sulley:
  String Repetition (O)
  SQL Injection (G)
  Command Injection (G)
  Format String (G)
  Delimiter (G)
  LongString (G)

OWASP WebScarab:
  RegExExpander (G/O)

G – Generator, O – Operator
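The table separates generators (which produce fuzz values on their own) from operators (which derive variants from a value the test already has). To make that split concrete, here is an added Python example written for this page; it is not the Java library built in DIAMONDS, whose code is not on the slides. It contains two generators modelled on the families the UnicodeBadUtf8Mutator and Numerical Edge Case Mutator names suggest, two operators (string case and string repetition) and a small driver that combines them for one field. All function names and the byte lists are constructed here, and the built-in strict UTF-8 decoder is used only to check that every generated sequence really is malformed.

```python
# Added example: a hypothetical re-creation of the generator/operator split,
# not the DIAMONDS Data Fuzzing Library.
from typing import Callable, Iterable

Generator = Callable[[], Iterable]        # needs no input value
Operator = Callable[[object], Iterable]   # derives variants from an existing value


def numerical_edge_cases(bits: int) -> list[int]:
    """Generator: boundary values around the limits of a `bits`-wide integer,
    signed and unsigned, plus the first value just past each limit."""
    unsigned_max = (1 << bits) - 1
    signed_max = (1 << (bits - 1)) - 1
    candidates = [0, 1, -1, signed_max, signed_max + 1, -signed_max - 1,
                  -signed_max - 2, unsigned_max, unsigned_max + 1]
    seen, out = set(), []
    for v in candidates:                  # de-duplicate (relevant for small widths)
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def bad_utf8() -> list[bytes]:
    """Generator: byte strings a strict UTF-8 decoder must reject. Constructed list:
    overlong forms, a raw surrogate, a lone/missing continuation byte, obsolete
    5-byte form and a byte that never occurs in UTF-8."""
    return [
        b"\xc0\xaf",              # overlong 2-byte encoding of '/'
        b"\xe0\x80\xaf",          # overlong 3-byte encoding of '/'
        b"\xf0\x80\x80\xaf",      # overlong 4-byte encoding of '/'
        b"\xed\xa0\x80",          # UTF-16 surrogate U+D800 encoded directly
        b"\x80",                  # lone continuation byte
        b"\xe2\x82",              # 3-byte sequence cut short
        b"\xf8\x88\x80\x80\x80",  # 5-byte form, outside RFC 3629
        b"\xff",                  # byte that never appears in valid UTF-8
    ]


def is_valid_utf8(data: bytes) -> bool:
    """Python's decoder is strict (rejects overlongs and surrogates), so it serves
    as the oracle that each bad_utf8() case is genuinely malformed."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def string_case_variants(value: str) -> list[str]:
    """Operator: case-mutated variants of an existing value, dropping any that
    equal the input or repeat an earlier variant (e.g. all-lowercase input)."""
    variants = [value.upper(), value.lower(), value.swapcase()]
    return [v for i, v in enumerate(variants)
            if v != value and v not in variants[:i]]


def string_repetition(value: str, factors: tuple = (2, 16, 256, 4096)) -> list[str]:
    """Operator: repeat the existing value to probe length handling."""
    return [value * f for f in factors]


def fuzz_field(base_value, generators: list, operators: list) -> list:
    """Union of generator output (independent of base_value) and operator output
    (derived from base_value) for one template field."""
    out = []
    for gen in generators:
        out.extend(gen())
    for op in operators:
        out.extend(op(base_value))
    return out
```

In the slides' terms, fuzz_field is what a fuzz function instance would hand back as its "set of values"; the generators contribute the same candidates for every field of the right type, whereas the operators only make sense once a concrete base value (here the field's template value) is available.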
Summary
- Fuzz testing is a commonly used method to test for security problems
- The purpose of fuzzing is to reveal implementation vulnerabilities by triggering failure modes
- A light-weight extension to the TTCN-3 standard supports fuzzing while maximizing its usability for existing TTCN-3 users
- While simple dumb random fuzzing often yields poor results, intelligent application/protocol-based fuzzing is much more powerful
- To support application/protocol-based fuzz generators, a TCI extension allows integration of external data fuzzers
Thank you!
Questions?