Liang Gao (lgao@sigma-rt.com)
* 214-748-3647
* Most popular phone number in the US
* Largest 32-bit signed number
* Phone number stored in a signed 32-bit value without checking for buffer overflow
*Boundary value testing ensures proper functionality at the boundaries (or edges) of allowable data input. Boundary values include maximum, minimum, just inside/outside the boundary, typical values, and error (malformed) values.
* Looking for problems in error handling, mainly in protocol parsing code
1. Value Boundary Testing
2. Logic Boundary Testing
3. Performance Boundary Testing
*Create a reasonable number of malformed packets to cover all PDUs and all fields in each PDU with enough boundary values.
*Individual field boundary check
  Vary each field of a PDU with boundary values
  Cover all fields in a PDU
*Combination field boundary check
  Vary multiple fields in a PDU with boundary values at the same time.
* Boundary Testing Test Case Explosion
Theoretically we want to test code against all possible combinations of all values in a packet.
* A minimum-size OSPF Hello PDU alone has 18 fields and is 234 bits long, for a total of 2^234 possible packets.
* The OSPF protocol has 5 types of LSAs and 4 types of PDUs.
* Almost impossible to cover.
Structured approach (major effort)
Build malformed packets as smartly as possible
*For each field, we want to try at least 5 values:
  Maximum value; Maximum value + 1 (if possible); Minimum value; Minimum value - 1 (if possible); Invalid value
*For a minimum-size OSPF Hello PDU, we want to test 8 fields, for a total of 5^8 = 390,625 packets
*Bounded by the tester's best knowledge of the protocol
*Conclusion – Protocol Fuzzing Tool + extensions
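The structured approach above, sketched as an added example (not from the original slides): it derives the boundary values per field, builds the individual-field cases, and runs them against a local parser. Assumptions: the eight fields are those of the OSPFv2 common header that starts every Hello, and the valid ranges in `FIELDS` and the toy `parse_header` are constructed for illustration.

```python
import math
import struct
# Constructed table for the 8-field OSPFv2 common header (RFC 2328 layout):
# (name, struct code, lowest valid, highest valid, baseline); ranges are example assumptions.
FIELDS = [
    ("version",   "B", 2, 2, 2),
    ("type",      "B", 1, 5, 1),
    ("length",    "H", 24, 24, 24),          # header-only packet in this example
    ("router_id", "I", 1, 0xFFFFFFFF, 0x0A000001),
    ("area_id",   "I", 0, 0xFFFFFFFF, 0),
    ("checksum",  "H", 0, 0xFFFF, 0),
    ("autype",    "H", 0, 2, 0),
    ("auth",      "Q", 0, 2**64 - 1, 0),
]
FMT = ">" + "".join(f[1] for f in FIELDS)    # network byte order, 24 bytes

def boundary_values(code, lo, hi):
    """Min, min-1, max, max+1 and the wire extremes; drop values the field cannot encode."""
    wire_max = 2 ** (8 * struct.calcsize(">" + code)) - 1
    return sorted(v for v in {lo, lo - 1, hi, hi + 1, 0, wire_max} if 0 <= v <= wire_max)

def individual_cases():  # individual-field check: vary one field, rest stay at baseline
    base = [f[4] for f in FIELDS]
    for i, (name, code, lo, hi, _) in enumerate(FIELDS):
        for v in boundary_values(code, lo, hi):
            yield name, v, struct.pack(FMT, *base[:i], v, *base[i + 1:])

def combination_count():  # combination-check size after dropping unencodable values
    return math.prod(len(boundary_values(c, lo, hi)) for _, c, lo, hi, _ in FIELDS)

def parse_header(pkt):
    """Toy parser under test: returns a dict, or raises ValueError on malformed input."""
    hdr = dict(zip((f[0] for f in FIELDS), struct.unpack(FMT, pkt)))
    for name, _, lo, hi, _ in FIELDS:
        if not lo <= hdr[name] <= hi:
            raise ValueError(f"{name}={hdr[name]} out of range")
    return hdr

def run():  # anything other than a clean accept or a ValueError is a finding
    accepted, rejected, findings = [], [], []
    for name, v, pkt in individual_cases():
        try:
            parse_header(pkt)
            accepted.append((name, v))
        except ValueError:
            rejected.append((name, v))
        except Exception as exc:
            findings.append((name, v, repr(exc)))
    return accepted, rejected, findings
```

With this table the individual-field check yields 28 packets and the combination check 12,000, below the 5^8 ceiling, because max + 1 and min - 1 cannot be encoded for fields whose valid range already fills the wire width.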
Unstructured approach (supplementary effort)
Build as many packets as possible
*Unstructured randomization testing: randomize all fields in a PDU at the same time and test for a long period of time.
*Simple, low effort; can run in the background while working on the structured approach.
*Not bounded by the tester's knowledge.
Billion packets march?
1. Value Boundary Testing
2. Logic Boundary Testing
3. Performance Boundary Testing
*Most likely Protocol Dependent
*Creative Attacking involved
*An Attack Tree Structure Approach
draft-convery-bgpattack-01.txt
draft-jones-OSPF-vuln-01.txt
Set up the Atomic Goals
* Compromise MD5 authentication
* Establish an unauthorized OSPF neighbor with an OSPF router
* Originate an unauthorized prefix into the OSPF neighbor route table
* Change the path preference of a prefix
* Conduct denial/degradation of service against the OSPF process
* Tear down an OSPF neighbor
* Spoof/hijack an OSPF neighbor
* Forge/Spoof an OSPF LSA
Forge/Spoof LSA – Attack
*Sequence Number ++ Attack
*MaxAge Attack
*MaxSeq Number Attack
*Link State ID Attack
*Max Age Different Attack
*RFC State Machine Attack
1. Value Boundary Testing
2. Logic Boundary Testing
3. Performance Boundary Testing
How does the box perform when the protocol is under attack?
* CPU Usage (Process, Interrupt)
* Transit Packet Loss
* Latency
* Attacked Interface Packet Transit Packet Loss
* Memory Usage
* Routing protocol convergence
Protocol Security Testing best practice
