The Intelligent Fuzzing in TTCN-3
Xu Luo, Wu Ji, Liu Chao
Software Engineering Institute, Beihang University
http://www.sei.buaa.edu.cn
Outline
- Background
  - Definition of Fuzzing
  - Fuzzer Types
- Fuzzing in TTCN-3
- Summary
Definition
Fuzzing: a highly automated testing technique that covers numerous boundary cases using invalid data (from files, network protocols, API calls, and other targets) as application input, to better ensure the absence of exploitable vulnerabilities.
The name comes from modem applications' tendency to fail on random input caused by line noise on "fuzzy" telephone lines.
Simple Fuzz Example
SUT: Fake Clear Text Protocol
[Client] -> "user jared\r\n"
            "user OK. Provide pass.\r\n" <- [Server]
[Client] -> "pass mylamepasswd\r\n"
            "Login successful. Proceed.\r\n" <- [Server]
[Client] -> "list file 1\r\n"
...
Simple Fuzz Example (cont.)
Test case 1:
[Client] -> "us<50000 \xff's>er jared\r\n"
Test case 2:
[Client] -> "user ja<12 %n's>red\r\n"
Test case 3:
[Client] -> "user jared\r\n"
            "user OK. Provide pass.\r\n" <- [Server]
[Client] -> "\x04\x98\xbb\x...\r\n"
Fuzzer Classification
Generation method:    Generation         | Mutation
Knowledge of inputs:  Random             | Intelligent
Scope of SUT:         Specialized Fuzzer | Generic Fuzzer
Intelligent vs. Generic
The contradiction between the two:
- Intelligent: needs knowledge of the SUT (the format of its inputs)
- Generic: independent of a specific SUT
How to resolve the contradiction? With TTCN-3.
Outline
- Background
- Fuzzing in TTCN-3
  - Our Purpose
  - Architecture Details
- Summary
Our Purpose
Develop a generic fuzzer based on TTCN-3 that
- uses the knowledge of the input format (Intelligent), and
- applies the data mutation approach (Mutation).
Capture Valid Input
Input: the TTCN-3 ATS (abstract test suite)
Output: a TTCN-3 value together with its syntax (type structure)
Purpose:
- the instance of a valid input serves as the seed from which invalid inputs are generated
- the syntax information is needed by the intelligent mutation
Capture Valid Input (cont.)
How to capture: insert the capture code between the TE and the CD.
[Figure: TE -> (encode) -> CD. The capture code sits on the TCI-CD interface (CD Required / CD Provided), so every valid value passes through it on its way to the codec and is recorded there.]
Intelligent Mutation
Input:
- a TTCN-3 value with its syntax
- a mutation strategy
Output: a set of <Field, Mutation Operator> pairs
Purpose: generate mutation operators; one mutation operator applies to one field.
Intelligent Mutation (cont.)
How to mutate (intelligently):
- Type-sensitive mutation: choose mutation operators according to the type of the data being mutated.
- Attack heuristics: design mutation operators according to stored invalid inputs that are known to have exposed software vulnerabilities.
Attack Heuristics
Buffer overflow:              [Client] -> "us<50000 \xff's>er jared\r\n"
Format string attack:         [Client] -> "user ja<12 %n's>red\r\n"
Inserting special characters: [Client] -> "user ja<1342 \x00's>red\r\n"
Integer overflow:             0x00, 0x0000, 0x00000000, 0xFF, 0xFFFF, 0xFFFFFFFF
...
Type-Sensitive Mutation
Supported TTCN-3 types and their mutation operators

Basic types:
  BOOLEAN                   Reverse
  INTEGER                   Boundary, Integer overflow, ++, --
  CHARSTRING, OCTETSTRING   Null, Buffer overflow, Format string attack
  ...

Type-Sensitive Mutation (cont.)
Structured types:
  RECORD, SET               Remove optional fields
  RECORD_OF, SET_OF         Remove elements, Duplicate elements, Change the order of elements
  ENUMERATED                Choose another value
  ...
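The two slides above (attack heuristics and the type-sensitive operator table) describe one algorithm: walk a typed value, pick operators by type, and emit <Field, Mutation Operator> pairs. The Python below is an added example of that algorithm; it is not the authors' fuzzer and does not use any TTCN-3 tool API. The TValue class is a stand-in for a "TTCN-3 value with its syntax", the payload sizes are the ones from the slides, and the SIP INVITE-like seed in sample_invite() is constructed (field names borrowed from the results slide, structure simplified).

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable
import copy

@dataclass
class TValue:
    """A TTCN-3 value carried with its syntax: type name, optional flag, enum identifiers."""
    ttype: str              # BOOLEAN, INTEGER, CHARSTRING, OCTETSTRING, RECORD, SET, RECORD_OF, SET_OF, ENUMERATED
    value: object           # bool | int | str | bytes | dict[str, TValue] | list[TValue] | enum identifier
    optional: bool = False  # declared 'optional' in the enclosing RECORD/SET
    enum: tuple = ()        # identifiers of an ENUMERATED type

Op = Callable[[TValue], TValue]

# Attack heuristics: invalid inputs previously known to expose vulnerabilities (sizes from the slides).
OVERFLOW_LEN = 50000
FORMAT_STRING = "%n" * 12
SPECIAL_CHARS = "\x00" * 1342
INT_BOUNDARIES = [0x00, 0xFF, 0xFFFF, 0xFFFFFFFF, -1, 2**31 - 1, 2**31, -2**31]

def _set(v: TValue, new) -> TValue:
    """Copy of v with its value replaced; the type information is preserved."""
    return TValue(v.ttype, new, v.optional, v.enum)

def _insert(s, payload):
    """Insert the payload inside the seed instead of replacing it ('ja<...>red' on the slide)."""
    return s[:2] + payload + s[2:]

def operators_for(v: TValue) -> list[tuple[str, Op]]:
    """Type-sensitive mutation: operators are chosen by the type of the value."""
    t = v.ttype
    if t == "BOOLEAN":
        return [("reverse", lambda x: _set(x, not x.value))]
    if t == "INTEGER":
        ops = [("++", lambda x: _set(x, x.value + 1)), ("--", lambda x: _set(x, x.value - 1))]
        return ops + [(f"boundary:{b}", lambda x, b=b: _set(x, b)) for b in INT_BOUNDARIES]
    if t == "CHARSTRING":
        return [("null", lambda x: _set(x, "")),
                ("buffer_overflow", lambda x: _set(x, _insert(x.value, "\xff" * OVERFLOW_LEN))),
                ("format_string", lambda x: _set(x, _insert(x.value, FORMAT_STRING))),
                ("special_chars", lambda x: _set(x, _insert(x.value, SPECIAL_CHARS)))]
    if t == "OCTETSTRING":
        return [("null", lambda x: _set(x, b"")),
                ("buffer_overflow", lambda x: _set(x, _insert(x.value, b"\xff" * OVERFLOW_LEN)))]
    if t == "ENUMERATED":
        return [(f"other:{e}", lambda x, e=e: _set(x, e)) for e in v.enum if e != v.value]
    if t in ("RECORD", "SET"):
        return [(f"remove_optional:{k}",
                 lambda x, k=k: _set(x, {a: b for a, b in x.value.items() if a != k}))
                for k, f in v.value.items() if f.optional]
    if t in ("RECORD_OF", "SET_OF"):
        n = len(v.value)
        ops = [(f"remove:{i}", lambda x, i=i: _set(x, x.value[:i] + x.value[i + 1:])) for i in range(n)]
        ops += [(f"duplicate:{i}", lambda x, i=i: _set(x, x.value[:i + 1] + x.value[i:])) for i in range(n)]
        if n > 1:
            ops.append(("reverse_order", lambda x: _set(x, list(reversed(x.value)))))
        return ops
    return []

def mutation_plan(v: TValue, path: str = "") -> list[tuple[str, str, Op]]:
    """Walk the value tree and emit <Field, Mutation Operator> pairs (one operator per field per pair)."""
    plan = [(path, name, op) for name, op in operators_for(v)]
    if v.ttype in ("RECORD", "SET"):
        for k, f in v.value.items():
            plan += mutation_plan(f, f"{path}.{k}" if path else k)
    elif v.ttype in ("RECORD_OF", "SET_OF"):
        for i, e in enumerate(v.value):
            plan += mutation_plan(e, f"{path}.{i}" if path else str(i))
    return plan

def apply_mutation(seed: TValue, path: str, op: Op) -> TValue:
    """Apply one operator to the field addressed by path, on a deep copy so the seed stays valid."""
    root = copy.deepcopy(seed)
    if path == "":
        return op(root)
    *parents, last = path.split(".")
    node = root
    for p in parents:
        node = node.value[int(p) if node.ttype in ("RECORD_OF", "SET_OF") else p]
    key = int(last) if node.ttype in ("RECORD_OF", "SET_OF") else last
    node.value[key] = op(node.value[key])
    return root

def sample_invite() -> TValue:
    """Constructed SIP INVITE-like seed standing in for a value captured from the conformance ATS."""
    via = TValue("RECORD", {
        "sentBy": TValue("CHARSTRING", "10.0.0.1:5060"),
        "viaParams": TValue("RECORD_OF", [TValue("RECORD", {
            "name": TValue("CHARSTRING", "branch"),
            "paramValue": TValue("CHARSTRING", "z9hG4bK776", optional=True)})])})
    return TValue("RECORD", {
        "method": TValue("ENUMERATED", "INVITE", enum=("INVITE", "ACK", "BYE", "OPTIONS")),
        "via": TValue("RECORD_OF", [via]),
        "fromField": TValue("RECORD", {
            "userOrTelephoneSubscriber": TValue("CHARSTRING", "alice"),
            "host": TValue("CHARSTRING", "example.com"),
            "port": TValue("INTEGER", 5060, optional=True)}),
        "contentLength": TValue("INTEGER", 0),
        "body": TValue("OCTETSTRING", b"", optional=True)})
```

Each entry of mutation_plan() is one fuzz test case: the path names the field (the same dotted notation the results slide uses), and apply_mutation() produces the invalid input from the unchanged seed. Because the operators work on the typed tree, a length field such as contentLength gets integer-overflow values while a string field gets the overflow and format-string payloads, which a bit-level mutator cannot target.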
Inject Invalid Inputs
Input: test cases, valid inputs
Output: invalid inputs
Procedure: apply a mutation operator to the instance of the valid input to generate an invalid input; the invalid input is then sent to the SUT.
Inject Invalid Inputs (cont.)
How to inject: insert the injection code between the TE and the CD.
[Figure: TE -> (encode) -> CD, as for capture. The injection code sits on the same TCI-CD interface (CD Required / CD Provided) and applies the mutation operator to the value before the CD encodes it.]
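The capture hook (Capture Valid Input) and the injection hook (Inject Invalid Inputs) occupy the same place, between the TE and the CD. The Python model below is an added example of that wrapper, not the authors' tool and not a TTCN-3 tool API: every value the TE hands to encode() is recorded with its field structure, and once the wrapper is armed with a <field, operator> pair it mutates the next value before passing it to the real codec. Value, LineCodec and FuzzHook are constructed stand-ins for the TCI value and codec interfaces, and the "length" line is a constructed encoding rule. It is there to show the point of mutating before encoding: the codec recomputes the length for the overflowed body, so the mutation stays independent of the encoding rules.

```python
from __future__ import annotations
import copy
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Value:
    """Stand-in for a TCI abstract value: a record of named fields (syntax level, not bytes)."""
    fields: dict

class LineCodec:
    """Stand-in CD (codec). Header fields become 'name value' lines; the codec itself appends a
    'length N' line computed from the body, so it owns the encoding rules."""
    def encode(self, v: Value) -> bytes:
        body = v.fields.get("body", "")
        head = "".join(f"{k} {val}\r\n" for k, val in v.fields.items() if k != "body")
        return (head + f"length {len(body)}\r\n\r\n" + body).encode("latin-1")

class FuzzHook:
    """Inserted between TE and CD: the TE calls encode() on the hook, the hook calls the real CD.
    Capture: every value the TE sends is recorded together with its field structure (the seeds).
    Inject: when armed with a <field, operator> pair, the next value is mutated before encoding."""
    def __init__(self, cd: LineCodec):
        self.cd = cd
        self.captured: list[Value] = []
        self.pending: Optional[tuple[str, Callable]] = None

    def arm(self, field_name: str, op: Callable) -> None:
        self.pending = (field_name, op)       # one mutation operator -> one field, applied once

    def encode(self, v: Value) -> bytes:
        self.captured.append(copy.deepcopy(v))  # capture: the valid input exactly as the test case sent it
        if self.pending is not None:
            field_name, op = self.pending
            self.pending = None
            v = copy.deepcopy(v)                # mutate a copy; the ATS's own value stays valid
            v.fields[field_name] = op(v.fields[field_name])
        return self.cd.encode(v)                # the CD still applies the encoding rules

def demo() -> tuple[bytes, bytes]:
    """Constructed exchange: a valid message, then the same message with the body overflowed."""
    hook = FuzzHook(LineCodec())
    seed = Value({"user": "jared", "body": "hello"})
    valid = hook.encode(seed)
    hook.arm("body", lambda b: "\xff" * 50000)  # buffer-overflow heuristic applied to the 'body' field
    invalid = hook.encode(seed)
    return valid, invalid
```

In a real TTCN-3 tool the hook would implement the codec-provided interface and delegate to the original codec; the test suite itself is not modified, which is what lets the same conformance ATS drive both the capture run and the injection run.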
Test Verdict
The problem: the response of the SUT cannot be predicted when an invalid input is injected.
The solution: each injection of an invalid input is followed by a positive test case defined in the conformance or functional test suite.
Test Verdict (cont.)
Each test case consists of 3 parts:
1. Inject an invalid input; the response of the SUT is not evaluated.
2. Cancel the current transaction (if needed).
3. Execute a positive test case; its result determines whether a failure has occurred.
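The three-part test case above, as an added Python example (not the authors' harness). The SUT here is FakeServer, a constructed in-process stand-in for the fake clear-text protocol of the earlier slide; to let the verdict logic run offline it simulates a crash on over-long lines, which is a property of this toy only and not of any real implementation. The three fuzz cases are the ones from the "Simple Fuzz Example" slide written out as bytes, and "quit" is an assumed command used to cancel the transaction.

```python
from __future__ import annotations

class FakeServer:
    """Constructed stand-in for the SUT. It simulates a crash (stops answering for good) on any
    line longer than MAX_LINE so that a failing verdict can be demonstrated offline."""
    MAX_LINE = 4096

    def __init__(self):
        self.alive = True
        self.state = "start"

    def handle(self, line: bytes) -> bytes:
        if not self.alive:
            raise ConnectionError("SUT not responding")
        if len(line) > self.MAX_LINE:
            self.alive = False                        # simulated crash
            raise ConnectionError("connection reset by peer")
        cmd, _, _arg = line.rstrip(b"\r\n").partition(b" ")
        if cmd == b"quit":                            # assumed command that cancels the transaction
            self.state = "start"
            return b"Bye.\r\n"
        if self.state == "start" and cmd == b"user":
            self.state = "pass"
            return b"user OK. Provide pass.\r\n"
        if self.state == "pass" and cmd == b"pass":
            self.state = "login"
            return b"Login successful. Proceed.\r\n"
        return b"Error.\r\n"

def login_positive_case(sut: FakeServer) -> bool:
    """Positive test case from the functional suite: here the expected responses ARE checked."""
    script = [(b"user jared\r\n", b"user OK. Provide pass.\r\n"),
              (b"pass mylamepasswd\r\n", b"Login successful. Proceed.\r\n")]
    try:
        return all(sut.handle(req) == exp for req, exp in script)
    except ConnectionError:
        return False

def fuzz_verdict(sut: FakeServer, invalid_case: list[bytes], positive_case) -> str:
    """The three parts of one fuzz test case; only part 3 produces the verdict."""
    for line in invalid_case:                         # 1. inject the invalid input;
        try:                                          #    whatever the SUT answers is not evaluated
            sut.handle(line)
        except ConnectionError:
            pass
    try:                                              # 2. cancel the current transaction
        sut.handle(b"quit\r\n")
    except ConnectionError:
        pass
    return "pass" if positive_case(sut) else "fail"   # 3. the positive test case decides

# The three test cases of the 'Simple Fuzz Example' slide as byte strings (constructed).
FUZZ_CASES = {
    "buffer_overflow": [b"us" + b"\xff" * 50000 + b"er jared\r\n"],
    "format_string":   [b"user ja" + b"%n" * 12 + b"red\r\n"],
    "binary_password": [b"user jared\r\n", b"pass " + bytes(range(0x04, 0x20)) + b"\r\n"],
}

def run_campaign() -> dict:
    """Run every fuzz case against a fresh SUT (a real campaign restarts the SUT after a failure)."""
    return {name: fuzz_verdict(FakeServer(), case, login_positive_case)
            for name, case in FUZZ_CASES.items()}
```

The verdict never depends on how the SUT answered the invalid input, only on whether the known-good sequence still works afterwards; that is what makes the approach usable with an unmodified conformance suite, whose positive test cases already carry expected responses.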
Evaluation
SUT: implementations of SIP, three popular softphones:
- Linphone 1.7.1 with libosip2 2.2.2
- SJphone 1.65.377a for Windows XP SP2
- X-Lite 2.0, Win32-1103m-14262
The Number of Test Cases
Focusing on INVITE and based on the ETSI standardized SIP conformance test suite, 429 test cases were generated.
Results
Linphone: 3 test cases caused crashes
  …via.viaBody.0.viaParams.0.paramValue
  …fromField…userOrTelephoneSubscriber
  …fromField…hostPort.host
SJphone: 1 test case caused a crash
  …contentLength.len
X-Lite: no crash; one line was not released
Summary
How TTCN-3 resolves the contradiction between Intelligent and Generic:
- A TTCN-3 conformance or functional test suite specifies the syntax structure of the valid inputs, which our fuzzer can use (Intelligent).
- The syntax structure definitions are independent of the message encoding rules, so the mutation operators work on the syntax level instead of the bit level (Generic).
Thanks!