2.
214-748-3647: the most popular phone number in the US. It is also the largest 32-bit signed number (2,147,483,647): a phone number was stored in a signed 32-bit integer and buffer overflow was never checked.
3.
* Boundary value testing ensures proper functionality at the boundary (or edges) of allowable data input. Boundary values include the maximum, the minimum, values just inside/outside the boundary, typical values, and error (malformed) values.
* Looking for problems in error handling, mainly in protocol parsing code.
7.
* Create a reasonable number of malformed packets to cover all PDUs and all fields in the PDUs with enough boundary values.
* Individual field boundary check: vary each field of a PDU with boundary values; cover all fields in a PDU.
* Combination field boundary check: vary multiple fields in a PDU with boundary values at the same time.
10.
* Boundary testing test-case explosion: theoretically we want to test the code against all possible combinations of all values in a packet.
* A minimum-size OSPF Hello PDU alone has 18 fields and is 234 bits long, giving 2^234 possible packets in total.
* The OSPF protocol has 5 types of LSAs and 4 types of PDUs.
* Almost impossible to cover.
11.
Structured approach (major effort): build malformed packets as smartly as possible.
* For each field, we want to try at least 5 values: maximum value; maximum value + 1 (if possible); minimum value; minimum value - 1 (if possible); invalid value.
* For a minimum-size OSPF Hello PDU, we want to test 8 fields, 5^8 = 390,625 packets in total.
* Bounded by the tester's best knowledge of the protocol.
* Conclusion: protocol fuzzing tool + extensions.
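The individual-field check from slide 7 and the 5-values-per-field combination check from slide 11, as an added example that is not part of the deck or of any tool it mentions. The Hello layout follows RFC 2328; the 8 fields varied, their assumed valid ranges (lo, hi) and the chosen "invalid" value, and the default field values are this example's own assumptions, so the combination count it produces differs from the slide's 5^8 wherever a field cannot yield all five candidates.

```python
import itertools
import struct

# Wire layout of a minimum-size OSPFv2 Hello (24-byte header + 20-byte body,
# RFC 2328). Defaults are constructed sample values for this example.
LAYOUT = [  # (name, struct format, default)
    ("version", "B", 2), ("type", "B", 1), ("length", "H", 44),
    ("router_id", "I", 0x0A000001), ("area_id", "I", 0),
    ("checksum", "H", 0), ("auth_type", "H", 0), ("auth", "8s", b"\0" * 8),
    ("netmask", "I", 0xFFFFFF00), ("hello_int", "H", 10), ("options", "B", 2),
    ("priority", "B", 1), ("dead_int", "I", 40), ("dr", "I", 0), ("bdr", "I", 0),
]
# Assumed semantic bounds (lo, hi) plus one invalid value for the 8 fields
# varied here; the slide does not name its 8 fields, this selection is ours.
BOUNDS = {
    "version": (2, 2, 0), "type": (1, 5, 0x80), "length": (44, 1500, 0xFFFF),
    "router_id": (1, 0xFFFFFFFE, 0), "hello_int": (1, 3600, 0xFFFF),
    "dead_int": (4, 14400, 0), "auth_type": (0, 2, 0xFFFF),
    "netmask": (0, 0xFFFFFFFF, 0x00FF00FF),
}

def boundary_values(name):
    """Slide 11's five candidates (max, max+1, min, min-1, invalid), keeping
    only those that fit the field's encoding ("if possible"), deduplicated."""
    fmt = next(f for n, f, _ in LAYOUT if n == name)
    lo, hi, invalid = BOUNDS[name]
    limit = (1 << (8 * struct.calcsize("!" + fmt))) - 1
    out = []
    for v in (hi, hi + 1, lo, lo - 1, invalid):
        if 0 <= v <= limit and v not in out:
            out.append(v)
    return out

def build_hello(overrides):
    """Pack a 44-byte Hello with the given field values, defaults elsewhere."""
    fmt = "!" + "".join(f for _, f, _ in LAYOUT)
    return struct.pack(fmt, *(overrides.get(n, d) for n, _, d in LAYOUT))

def individual_cases():
    """Slide 7's individual-field check: one field varied at a time."""
    return [{n: v} for n in BOUNDS for v in boundary_values(n)]

def combination_cases():
    """Slide 7/11 combination check: all 8 fields varied at once (product)."""
    names = list(BOUNDS)
    return [dict(zip(names, combo))
            for combo in itertools.product(*(boundary_values(n) for n in names))]
```

The gap between len(individual_cases()) and len(combination_cases()) is the test-case explosion slide 10 describes; build_hello(case) turns any case into the bytes a parser under test would receive.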
12.
Unstructured approach (supplementary effort): build as many packets as possible.
* Unstructured randomization testing: randomize all fields in a PDU at the same time and test for a long period of time.
* Simple, low effort; can run in the background while working on the structured approach.
* Not bounded by the tester's knowledge.
* A billion-packet march?
18.
Set up the atomic goals
* Compromise MD5 authentication
* Establish an unauthorized OSPF neighbor with an OSPF router
* Originate an unauthorized prefix into an OSPF neighbor's route table
* Change the path preference of a prefix
* Conduct denial/degradation of service against the OSPF process
* Tear down an OSPF neighbor
* Spoof/hijack an OSPF neighbor
* Forge/spoof an OSPF LSA
19.
Forge/Spoof LSA attacks
* Sequence Number ++ attack
* MaxAge attack
* MaxSeq Number attack
* Link State ID attack
* Max Age Different attack
* RFC State Machine attack