L. Xu, J. Wu, and C. Liu, "The Intelligent Fuzzing in TTCN-3," ETSI TTCN-3 User Conference 2007 Asia: Beijing (China), Oct. 29-30, 2007.
Added by: Deleted user (06 Aug 2008 14:18:20 Europe/Berlin) Last edited by: Deleted user (13 Aug 2008 15:00:35 Europe/Berlin)
Resource type: Conference Paper
BibTeX citation key: Xub
Creators: Liu, Wu, Xu
Publisher: Beihang University, ETSI (Beijing (China))
Collection: ETSI TTCN-3 User Conference 2007 Asia
TTCN-3 (Testing and Test Control Notation version 3) is widely adopted for test system development. To maximize the return on an investment in TTCN-3, enterprises want to develop all kinds of tests in TTCN-3, not only functional and conformance tests. The security of network applications has become increasingly important in the past several years. In this presentation we focus on applying TTCN-3 to security testing.
Fuzzing is a well-known black-box approach to security testing. Its basic idea is to feed unexpected or invalid inputs to the system under test (SUT), which may expose hidden vulnerabilities. How to generate such invalid inputs automatically is a key problem in fuzzing. Purely random inputs rarely find sophisticated bugs; an intelligent fuzzer generates more effective invalid inputs by using knowledge of the input format it is attacking and of the relevant attack patterns. This presentation proposes an intelligent fuzzer that generates invalid inputs from an existing TTCN-3 conformance or functional test suite. The message types defined in such a suite formally describe the syntax structure of the SUT's input, and the message templates for valid inputs are treated as seeds from which invalid inputs are generated by data mutation.
The data mutation engine takes valid test data as input. Following a given mutation strategy, the engine chooses mutation operators appropriate to the type of the data being mutated and generates mutant data. The mutation strategies are based on attack heuristics aimed at triggering specific vulnerability classes, such as buffer overflows, format string vulnerabilities and integer overflows. The operators work on both TTCN-3 basic types and structured types. The mutant data is injected into the SUT by executing a test case. To determine whether a failure has occurred, a positive test case taken from the conformance or functional test suite is executed after each injection: every invalid input is followed by the positive test case, so a SUT that no longer passes it reveals the failure.
The TTCN-3 based intelligent fuzzer has the following advantages:
(1) Invalid inputs cannot be generated effectively without the syntax structure of the SUT's input, especially for complex protocols. A TTCN-3 test suite specifies not only the test cases but also the syntax structure of the test data, such as the PDU structure;
(2) A TTCN-3 test system provides a separate codec that encodes the abstract test data into a bitstring, so the abstract test data is independent of its encoding rules. Thanks to this architecture, the mutation operators can work at the syntax level of the test data instead of the bit level;
(3) An incorrect seed leads to useless invalid inputs. Published conformance or functional test suites ensure the high quality of the seeds and hence of the generated test cases.
To demonstrate our automated security testing approach, we also report a case study and its experimental results. In this case study we implemented a prototype for testing SIP protocol implementations; the invalid inputs are generated from the ETSI standardized SIP conformance test suite.
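As an added illustration of the mutation engine, the syntax-level mutation of advantage (2) and the positive-test-case oracle described above (example code written for this entry, not code from the paper or its prototype), the following Python sketch runs the same pipeline on a constructed SIP INVITE seed: a record type stands in for the TTCN-3 message type, mutation operators are chosen by the type of each field and named after the attack heuristic they target, a separate codec serialises the abstract value only after mutation, and after every injection the seed itself is re-sent as the positive test case. The operator set, the toy SUT and its two planted bugs are all hypothetical and exist only so the loop has something to find.

```python
"""Type-aware mutation fuzzing driven by a structured message template (constructed example)."""
import dataclasses
from dataclasses import dataclass


@dataclass
class SipRequest:
    """Abstract message type, playing the role of a TTCN-3 record type for a SIP request."""
    method: str
    request_uri: str
    via: str
    cseq_num: int
    cseq_method: str
    content_length: int
    body: str = ""


# Seed template: the valid message a conformance test case would send (constructed values).
SEED = SipRequest("INVITE", "sip:bob@example.com",
                  "SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776", 1, "INVITE", 0)

# Mutation operators keyed by the basic type of the field; each is named after the
# attack heuristic it targets (hypothetical operator set, not the paper's).
CHARSTRING_OPERATORS = {
    "buffer_overflow": lambda v: v + "A" * 4096,
    "format_string": lambda v: v + "%s%n%x" * 8,
    "empty": lambda v: "",
    "null_byte": lambda v: v[: len(v) // 2] + "\x00" + v[len(v) // 2:],
}
INTEGER_OPERATORS = {
    "integer_overflow": lambda v: 2 ** 32 - 1,
    "signed_max": lambda v: 2 ** 31 - 1,
    "negative": lambda v: -1,
    "zero": lambda v: 0,
}


def mutants(seed):
    """Yield (field, heuristic, mutant): one field mutated at a time, operator chosen by field type."""
    for fname, value in vars(seed).items():
        ops = INTEGER_OPERATORS if isinstance(value, int) else CHARSTRING_OPERATORS
        for heuristic, op in ops.items():
            yield fname, heuristic, dataclasses.replace(seed, **{fname: op(value)})


def encode(msg):
    """Codec: turns the abstract value into wire bytes. Mutation happened before this, at syntax level."""
    text = (f"{msg.method} {msg.request_uri} SIP/2.0\r\n"
            f"Via: {msg.via}\r\n"
            f"CSeq: {msg.cseq_num} {msg.cseq_method}\r\n"
            f"Content-Length: {msg.content_length}\r\n"
            f"\r\n{msg.body}")
    return text.encode("utf-8")


class ToySipServer:
    """Constructed stand-in for the SUT with two planted bugs, so the fuzzer has something to find."""
    MAX_LINE = 1024  # pretend fixed-size line buffer

    def __init__(self):
        self.alive = True

    def _parse(self, raw):
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        for line in lines:
            if len(line) > self.MAX_LINE:
                raise MemoryError("line buffer overrun")       # planted bug 1: no length check
        headers = dict(line.split(b": ", 1) for line in lines[1:])
        clen = int(headers[b"Content-Length"])
        if clen < 0:
            raise ValueError("negative length")                  # handled correctly: rejected
        if clen > 0xFFFF:
            raise OverflowError("length truncated to 16 bits")   # planted bug 2
        return b"SIP/2.0 100 Trying"

    def handle(self, raw):
        if not self.alive:
            return None                                  # dead process: no answer at all
        try:
            return self._parse(raw)
        except (ValueError, KeyError):
            return b"SIP/2.0 400 Bad Request"            # graceful rejection of malformed input
        except (MemoryError, OverflowError):
            self.alive = False                           # planted bug hit: the SUT "crashes"
            return None


def fuzz(seed, server_factory):
    """Inject every mutant, then run the positive test case; a failed positive case is a finding."""
    findings = []
    server = server_factory()
    positive = encode(seed)
    for fname, heuristic, mutant in mutants(seed):
        server.handle(encode(mutant))                 # invalid input, sent through the codec
        if server.handle(positive) != b"SIP/2.0 100 Trying":
            findings.append((fname, heuristic))
            server = server_factory()                 # restart the SUT before the next mutant
    return findings


if __name__ == "__main__":
    for field_name, heuristic in fuzz(SEED, ToySipServer):
        print(f"SUT failed positive test after mutating {field_name} with {heuristic}")
```

Because the operators act on fields of the abstract record rather than on the encoded bytes, the same operator table applies unchanged to any message type whose fields are strings and integers, and the codec can be swapped (text SIP here, a binary encoding elsewhere) without touching the mutation logic; the positive test case is the only oracle, which is exactly why the approach catches crashes and hangs but not silent memory corruption that leaves the SUT answering.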