Data Fuzzing with TTCN-3
Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann, Jürgen Großmann, Martin Schneider
TTCN-3 User Conference 2012, Bangalore
© Copyright Testing Technologies 2012. Confidential Information. All Rights Reserved. More Information at www.testingtech.com.
Authors
Testing Technologies: Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann
Fraunhofer FOKUS: Jürgen Großmann, Martin Schneider
This proposal was developed in the ITEA2 project DIAMONDS – Development and Industrial Application of Multi-Domain Security Testing Technologies
http://www.itea2-diamonds.org
Introduction
TTCN-3
- Is widely accepted in functional (protocol) testing in telecommunications
- Is pushed into new areas like Intelligent Transport Systems (ITS) or Internet of Things (IoT)
- Is pretty new to security testing
Fuzzing
- Automated and efficient black-box testing method for finding software flaws
- Monitors a system for exceptional behavior (such as crashes, memory leaks) while stimulating it with large amounts of anomalous input data (random, invalid or unexpected)
- If the program fails, it indicates a bug in the software
- Is widely used for security testing
Security testing aspects are becoming more and more important in traditional TTCN-3 domains
Proposal of a Fuzz Extension Package for TTCN-3
Proposal – Fuzz Extension Package
Concentration on data fuzzing, i.e. generation of multiple variants to be sent, can be realized via loop constructs
New construct: fuzz function instance
Similar to an external function, but the call is delayed until a specific value is selected via send or valueof
Fuzz function may declare formal parameters
Fuzz function must declare a return type
fuzz function zf_UnicodeUtf8ThreeCharMutator(
  in template charstring param1) return charstring;
fuzz function zf_RandomSelect(in template integer param1) return integer;
Proposal – Fuzz Extension Package
Fuzz function instance denotes a set of values
- Can only occur in value templates
- Used like a normal matching mechanism “instead of values”
Single value will be selected in the event of
- Sending operation
- Invocation of valueof() operation
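template myType myData := {
  field1 := zf_UnicodeUtf8ThreeCharMutator(?),  // fuzz function instance used in place of a value
  field2 := '12AB'O,
  field3 := zf_RandomSelect((1, 2, 3))
}
// A single value is selected for each fuzz function instance when sending
myPort.send(myData);
myPort.send(zf_UnicodeUtf8ThreeCharMutator(?));
// ... or when valueof() is invoked
var myType myVar := valueof(myData);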
Seed
Optional seed for the generation of random numbers
- Used to determine random selection
- To allow repeatability of fuzzed test cases
One seed per test component
Two new predefined functions
- To set the seed
- To read the current seed value
setseed(in float initialSeed) return float;
getseed() return float;
TCI Extension – tciFuzzySelect
Fuzz functions are implemented as a runtime extension in the TTCN-3 Test Control Interface (TCI): tciFuzzySelect()
Called by the Test Environment (TE) for each fuzz function instance at the moment a template is sent or evaluated by use of valueof()
To compute the concrete value, a randomized approach using the given seed could be used
External data fuzzers might be used to achieve better results: intelligent application/protocol based fuzzing with the Data Fuzzing Library
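The deferred selection and per-component seed described on the Proposal, Seed and TCI slides, modelled as an added Python example; it is not the authors' code and is neither TTCN-3 nor the TCI interface. The names FuzzInstance, Component, random_select, long_string, MY_DATA and run are hypothetical, and the return value of setseed (the previous seed) is an assumption, since the slides give only its signature.

```python
import random

class FuzzInstance:
    """Stands in for a fuzz function instance inside a value template."""
    def __init__(self, generator, *params):
        self.generator = generator   # called only when a value is needed
        self.params = params

class Component:
    """Hypothetical test component owning one seed, as on the Seed slide."""
    def __init__(self, seed=0.0):
        self.sent = []
        self.setseed(seed)

    def setseed(self, initial_seed):
        # Assumption: returns the previously set seed.
        previous = getattr(self, "_seed", initial_seed)
        self._seed = float(initial_seed)
        self._rng = random.Random(self._seed)
        return previous

    def getseed(self):
        return self._seed

    def valueof(self, template):
        """Resolve each fuzz instance to one concrete value (tciFuzzySelect's role)."""
        if isinstance(template, FuzzInstance):
            return template.generator(self._rng, *template.params)
        if isinstance(template, dict):
            return {k: self.valueof(v) for k, v in template.items()}
        return template          # plain values are sent unchanged

    def send(self, template):
        self.sent.append(self.valueof(template))
        return self.sent[-1]

def random_select(rng, candidates):
    return rng.choice(candidates)

def long_string(rng, max_len):
    # Constructed stand-in generator, not the library's LongString.
    return "A" * rng.randint(1, max_len)

# Constructed template mirroring myData from the slides.
MY_DATA = {"field1": FuzzInstance(long_string, 4096),
           "field2": bytes.fromhex("12AB"),
           "field3": FuzzInstance(random_select, (1, 2, 3))}

def run(seed, count=5):
    """Send the same template `count` times from a freshly seeded component."""
    comp = Component(seed)
    return [comp.send(MY_DATA) for _ in range(count)]
```

Recording the seed alongside a failing run is what makes the fuzzed message that triggered the failure reproducible.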
tciFuzzySelect Synopsis
Data Fuzzing Library
Makes traditional data fuzzing widely available
Eases integration into tools without deep knowledge about fuzz data generation
Allows data fuzzing without the need for
- Becoming familiar with a specific fuzzing tool
- Integrating further fuzzing tools into the test process
Approach
- Don’t reinvent the wheel, use the potential of existing fuzzing tools: Peach, Sulley, OWASP WebScarab
- Extract their fuzzing generators and operators into a library (reimplementation in Java)
Architecture
Generators and Operators
Generators Peach Sulley
StringCaseMutator O
UnicodeStringsMutator G
UnicodeBomMutator G
UnicodeBadUtf8Mutator G
UnicodeUtf8ThreeCharMutator G
StringMutator G
PathMutator G
HostnameMutator G
FilenameMutator G
BadIpAddress G
BadNumbers G
BadDate G
BadTime G
FiniteRandomNumbersMutator G
String Repetition O
SQL Injection G
Command Injection G
Format String G
Generators Peach Sulley OWASP WebScarab
Delimiter G
RegExExpander G/O
Numerical Edge Case Mutator G G
Numerical Variance Mutator O
LongString G
G – Generator
O – Operator
Summary
Fuzz testing is a commonly used method to test for security problems
The purpose of fuzzing is to reveal implementation vulnerabilities by triggering failure modes
A lightweight extension to the TTCN-3 standard supports fuzzing while maximizing its usability for existing TTCN-3 users
While simple dumb random fuzzing often yields poor results, intelligent application/protocol based fuzzing is much more powerful
To support application/protocol based fuzz generators, a TCI extension allows integration of external data fuzzers
Thank you!
Questions?