Page 1:  Data Fuzzing with TTCN-3

Data Fuzzing with TTCN-3
Stephan Pietsch, Bogdan Stanca-Kaposta, Dr. Jacob Wieland, Dirk Tepelmann, Jürgen Großmann, Martin Schneider
TTCN-3 User Conference 2012, Bangalore

Page 2:  Data Fuzzing with TTCN-3

Copyright Testing Technologies 2012. Confidential Information. All Rights Reserved. More Information at www.testingtech.com.© 2

Authors

Testing Technologies
- Stephan Pietsch
- Bogdan Stanca-Kaposta
- Dr. Jacob Wieland
- Dirk Tepelmann

Fraunhofer FOKUS
- Jürgen Großmann
- Martin Schneider

This proposal was developed in the ITEA2 project DIAMONDS – Development and Industrial Application of Multi-Domain Security Testing Technologies, http://www.itea2-diamonds.org

Page 3:  Data Fuzzing with TTCN-3


Introduction

TTCN-3
- Is widely accepted for functional (protocol) testing in telecommunications
- Is being pushed into new areas such as Intelligent Transport Systems (ITS) and the Internet of Things (IoT)
- Is still new to security testing

Fuzzing
- Is an automated and efficient black-box testing method for finding software flaws
- Monitors a system for exceptional behavior (such as crashes or memory leaks) while stimulating it with large amounts of anomalous input data (random, invalid or unexpected)
- A failure of the program indicates a bug in the software under test
- Is widely used for security testing

Security testing aspects get more and more important in traditional TTCN-3 domains

Proposal of a Fuzz Extension Package for TTCN-3

Page 4:  Data Fuzzing with TTCN-3


Proposal – Fuzz Extension Package

- Concentrates on data fuzzing, i.e. the generation of multiple variants of the data to be sent; the repetition itself can be realized with ordinary loop constructs
- New construct: fuzz function instance
  - Similar to an external function, but the call is delayed until a specific value is selected via send or valueof
  - A fuzz function may declare formal parameters
  - A fuzz function must declare a return type

  fuzz function zf_UnicodeUtf8ThreeCharMutator(in template charstring param1) return charstring;

  fuzz function zf_RandomSelect(in template integer param1) return integer;

Page 5:  Data Fuzzing with TTCN-3


Proposal – Fuzz Extension Package

- A fuzz function instance denotes a set of values
  - Can only occur in value templates
  - Used like a normal matching mechanism, "instead of values"
- A single value is selected in the event of
  - a sending operation
  - an invocation of the valueof() operation

  template myType myData := {
    field1 := zf_UnicodeUtf8ThreeCharMutator(?),
    field2 := '12AB'O,
    field3 := zf_RandomSelect((1, 2, 3))
  }

  myPort.send(myData);
  myPort.send(zf_UnicodeUtf8ThreeCharMutator(?));
  var myType myVar := valueof(myData);

Page 6:  Data Fuzzing with TTCN-3


Seed

- Optional seed for the generation of random numbers
  - Used to determine the random selection
  - Allows fuzzed test cases to be repeated
- One seed per test component
- Two new predefined functions
  - to set the seed
  - to read the current seed value

  setseed(in float initialSeed) return float;
  getseed() return float;
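The two preceding slides describe semantics rather than an implementation: a fuzz function instance sits in a template, is resolved only when the template is sent or passed to valueof(), and every selection is driven by one seed per test component so a crashing fuzz run can be replayed. The following Python model is an added example and is not code from the slides or from a TTCN-3 tool; the class and function names (FuzzInstance, TestComponent, run_campaign), the use of a dict for the record template, and the bodies given to zf_RandomSelect and zf_UnicodeUtf8ThreeCharMutator are this example's own assumptions.

```python
"""Model of the proposed fuzz extension semantics (added example, not the
slides' tool): fuzz function instances in a template stay unresolved until
send() or valueof(), and all choices come from a per-component seeded RNG."""
import random
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

ANY = "?"  # stands in for the '?' matching symbol passed as a fuzz parameter


@dataclass(frozen=True)
class FuzzInstance:
    """A fuzz function instance inside a value template (not yet a value)."""
    name: str
    param: Any


# The fuzz functions named on the slide; their bodies are assumptions.
def zf_RandomSelect(rng: random.Random, param) -> int:
    """Pick one of the values of a value-list template such as (1, 2, 3)."""
    return rng.choice(list(param))


def zf_UnicodeUtf8ThreeCharMutator(rng: random.Random, param) -> str:
    """Assumed behaviour: a short string of code points that need 3 UTF-8 bytes
    each (U+0800..U+D7FF, i.e. below the surrogate range)."""
    length = rng.randint(1, 8)
    return "".join(chr(rng.randint(0x0800, 0xD7FF)) for _ in range(length))


FUZZ_FUNCTIONS: Dict[str, Callable[..., Any]] = {
    "zf_RandomSelect": zf_RandomSelect,
    "zf_UnicodeUtf8ThreeCharMutator": zf_UnicodeUtf8ThreeCharMutator,
}


@dataclass
class TestComponent:
    """One test component: one seed, one RNG, one log of sent values."""
    seed: float = 0.0
    sent: List[Any] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.rng = random.Random(self.seed)

    def setseed(self, initial_seed: float) -> float:
        """setseed(in float initialSeed) return float"""
        self.seed = initial_seed
        self.rng = random.Random(initial_seed)
        return initial_seed

    def getseed(self) -> float:
        """getseed() return float"""
        return self.seed

    def valueof(self, tmpl: Any) -> Any:
        """Resolve every fuzz function instance; plain values pass through."""
        if isinstance(tmpl, FuzzInstance):
            return FUZZ_FUNCTIONS[tmpl.name](self.rng, tmpl.param)
        if isinstance(tmpl, dict):  # record template
            return {k: self.valueof(v) for k, v in tmpl.items()}
        if isinstance(tmpl, list):  # record-of / set-of template
            return [self.valueof(v) for v in tmpl]
        return tmpl

    def send(self, tmpl: Any) -> Any:
        """Selection happens at send time, once per send operation."""
        value = self.valueof(tmpl)
        self.sent.append(value)
        return value


# The slide's template myData, written as a Python dict.
MY_DATA = {
    "field1": FuzzInstance("zf_UnicodeUtf8ThreeCharMutator", ANY),
    "field2": b"\x12\xab",  # '12AB'O
    "field3": FuzzInstance("zf_RandomSelect", (1, 2, 3)),
}


def run_campaign(seed: float, rounds: int) -> List[Any]:
    """Send myData `rounds` times from a freshly seeded component."""
    comp = TestComponent()
    comp.setseed(seed)
    for _ in range(rounds):
        comp.send(MY_DATA)
    return comp.sent


if __name__ == "__main__":
    for msg in run_campaign(seed=1.0, rounds=3):
        print(msg)
```

Because the seed lives in the component and is read back with getseed(), a test log that records the seed is enough to regenerate the exact sequence of fuzzed messages that preceded a crash; the unfuzzed field2 is passed through untouched, as the proposal requires for ordinary values.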

Page 7:  Data Fuzzing with TTCN-3


TCI Extension – tciFuzzySelect

- The fuzz function is implemented as a runtime extension of the TTCN-3 Test Control Interface (TCI): tciFuzzySelect()
- Called by the Test Environment (TE) for each fuzz function instance at the moment a template is sent or evaluated with valueof()
- To compute the concrete value, a randomized approach using the given seed could be used
- External data fuzzers might be used to achieve better results: intelligent application/protocol-based fuzzing with the Data Fuzzing Library

Page 8:  Data Fuzzing with TTCN-3


tciFuzzySelect Synopsis

Page 9:  Data Fuzzing with TTCN-3


Data Fuzzing Library

- Makes traditional data fuzzing widely available
- Eases integration into tools without deep knowledge about fuzz data generation
- Allows data fuzzing without the need for
  - becoming familiar with a specific fuzzing tool
  - integrating further fuzzing tools into the test process

Approach
- Don't reinvent the wheel; use the potential of existing fuzzing tools: Peach, Sulley, OWASP WebScarab
- Extract their fuzzing generators and operators into a library (reimplementation in Java)

Page 10:  Data Fuzzing with TTCN-3


Architecture

Page 11:  Data Fuzzing with TTCN-3


Generators and Operators

Taken from Peach, Sulley and OWASP WebScarab (G – Generator, O – Operator):

  StringCaseMutator              O
  UnicodeStringsMutator          G
  UnicodeBomMutator              G
  UnicodeBadUtf8Mutator          G
  UnicodeUtf8ThreeCharMutator    G
  StringMutator                  G
  PathMutator                    G
  HostnameMutator                G
  FilenameMutator                G
  BadIpAddress                   G
  BadNumbers                     G
  BadDate                        G
  BadTime                        G
  FiniteRandomNumbersMutator     G
  String Repetition              O
  SQL Injection                  G
  Command Injection              G
  Format String                  G
  Delimiter                      G
  RegExExpander                  G/O
  Numerical Edge Case Mutator    G
  Numerical Variance Mutator     O
  LongString                     G
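The distinction the table draws, generators that produce values on their own versus operators that transform the value already in the template, is what a tciFuzzySelect() implementation (slide "TCI Extension – tciFuzzySelect") has to honour: an operator needs the template's value, a generator does not, and both draw from the component's seeded RNG. The Python below is an added example in that spirit; it is not the DIAMONDS Data Fuzzing Library (which is a Java reimplementation) and not Peach, Sulley or WebScarab code. The sample byte strings and value lists are constructed here, and the behaviour given to each mutator, the zf_* names in LIBRARY, tci_fuzzy_select() and demonstrate() are this example's assumptions.

```python
"""A few generators (G) and operators (O) of the kind listed on the slide,
plus a dispatcher standing in for the proposed TCI call tciFuzzySelect().
Added example; behaviours and names are assumptions, not the library's."""
import random
from typing import Any, Callable, Dict, List

# ---- Generators (G): produce values that ignore the template's own value ----

def gen_bad_utf8() -> List[bytes]:
    """Constructed byte strings that a strict UTF-8 decoder must reject."""
    return [
        b"\xc0\xaf",              # overlong 2-byte encoding of '/'
        b"\xe0\x80\xaf",          # overlong 3-byte encoding of '/'
        b"\x80",                  # lone continuation byte
        b"\xe2\x82",              # 3-byte sequence cut short
        b"\xed\xa0\x80",          # UTF-16 surrogate U+D800, forbidden in UTF-8
        b"\xf8\x88\x80\x80\x80",  # 5-byte form, outside Unicode
        b"\xff",                  # never a valid UTF-8 byte
    ]


def gen_numerical_edge_cases() -> List[int]:
    """Values on and beside the signed/unsigned limits of 8/16/32/64-bit ints."""
    out = {0, -1, 1}
    for bits in (8, 16, 32, 64):
        for limit in (2 ** (bits - 1), 2 ** bits):  # signed max+1, unsigned max+1
            out.update({limit - 1, limit, limit + 1, -limit, -limit - 1})
    return sorted(out)


def gen_format_strings() -> List[str]:
    """Format-string probes (the list is this example's choice)."""
    return ["%s" * 8, "%n" * 4, "%x" * 16, "%08x" * 8, "%.1024d"]


def gen_long_strings(unit: str = "A") -> List[str]:
    """Oversized strings (the lengths are this example's choice)."""
    return [unit * n for n in (128, 256, 1024, 4096, 65535)]


# ---- Operators (O): transform the value the template already carries ----

def op_string_case(rng: random.Random, value: str) -> str:
    """Upper, lower or per-character random case of the template's value."""
    mode = rng.choice(("upper", "lower", "random"))
    if mode == "upper":
        return value.upper()
    if mode == "lower":
        return value.lower()
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in value)


def op_numerical_variance(rng: random.Random, value: int, spread: int = 50) -> int:
    """The template's number plus a small random offset in [-spread, spread]."""
    return value + rng.randint(-spread, spread)


# ---- Dispatcher in the role of tciFuzzySelect() ----

LIBRARY: Dict[str, Callable[[random.Random, Any], Any]] = {
    "zf_UnicodeBadUtf8Mutator":    lambda rng, v: rng.choice(gen_bad_utf8()),
    "zf_NumericalEdgeCaseMutator": lambda rng, v: rng.choice(gen_numerical_edge_cases()),
    "zf_FormatString":             lambda rng, v: rng.choice(gen_format_strings()),
    "zf_LongString":               lambda rng, v: rng.choice(gen_long_strings()),
    "zf_StringCaseMutator":        op_string_case,
    "zf_NumericalVarianceMutator": op_numerical_variance,
}


def tci_fuzzy_select(rng: random.Random, fuzz_function: str, template_value: Any) -> Any:
    """Called once per fuzz function instance when a template is sent or
    evaluated with valueof(); rng is the sending component's seeded RNG."""
    try:
        return LIBRARY[fuzz_function](rng, template_value)
    except KeyError:
        raise ValueError(f"unknown fuzz function {fuzz_function!r}") from None


def is_valid_utf8(data: bytes) -> bool:
    """Strict UTF-8 check, used to confirm the bad-UTF-8 generator's output."""
    try:
        data.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def demonstrate(seed: float = 42.0) -> Dict[str, Any]:
    """One selection from each library entry, reproducible from the seed."""
    rng = random.Random(seed)
    return {
        "bad_utf8": tci_fuzzy_select(rng, "zf_UnicodeBadUtf8Mutator", None),
        "edge":     tci_fuzzy_select(rng, "zf_NumericalEdgeCaseMutator", None),
        "fmt":      tci_fuzzy_select(rng, "zf_FormatString", None),
        "long":     tci_fuzzy_select(rng, "zf_LongString", None),
        "case":     tci_fuzzy_select(rng, "zf_StringCaseMutator", "GetUser"),
        "variance": tci_fuzzy_select(rng, "zf_NumericalVarianceMutator", 1000),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(name, repr(value)[:60])
```

The dispatcher takes the component's RNG rather than creating one from the seed on every call; re-seeding per call would return the same value for every instance in a template and defeat the purpose of the seed, which is to make a whole run replayable, not each selection identical.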

Page 12:  Data Fuzzing with TTCN-3


Summary

- Fuzz testing is a commonly used method to test for security problems
- The purpose of fuzzing is to reveal implementation vulnerabilities by triggering failure modes
- A light-weight extension to the TTCN-3 standard supports fuzzing while maximizing its usability for existing TTCN-3 users
- While simple dumb random fuzzing often gives poor results, intelligent application/protocol-based fuzzing is much more powerful
- To support application/protocol-based fuzz generators, a TCI extension allows the integration of external data fuzzers

Page 13:  Data Fuzzing with TTCN-3


Thank you!

Questions?