2 UC Security Requirements
© 2008 Sipera Systems, Inc. All Rights Reserved.
Agenda
What are Fuzzing Attacks?
VoIP/UC is different
Impact of Fuzzing attacks on VoIP
Protection techniques
Fuzzing
• Fuzzing was developed as a black-box software testing technique to find implementation bugs by injecting malformed or semi-malformed data in an automated fashion
Protocol Fuzzing
• A protocol fuzzer sends forged packets to the tested application, or may act as a proxy modifying packets on the fly and replaying them
Random vs. Protocol Aware
• Truly Random Approach allows for exhaustive coverage but requires infinite time
• Protocol Aware approach limits the randomness
- Makes each message penetrate deeper
- Provides better coverage
Impact of Fuzzing Attacks
Crashes
• This is the most common impact and results in complete Denial of Service (DoS)
Loops or heavy processing
• Extremely large fuzzed packets sometimes result in loops and heavy processing, causing DoS of genuine requests
Buffer overflows
• This is the most dangerous impact: the attacker gets to violate confidentiality, integrity and availability
• The attacker gains access through fuzzing in spite of all access control and encryption mechanisms
Writing Protocol Fuzzing Tools
Grammar/ABNF aware Fuzzing steps
• Acquire the ABNF or specification
• Design valid inputs
• Define and/or reuse anomalous inputs
• Insert anomalous inputs by replacing symbols
• Generate test cases or attack vectors
SIP Fuzzing
SIP grammar (ABNF)
• The SIP grammar is defined in RFC 3261 in Augmented Backus-Naur Form (ABNF)
SIP fuzzing exploits different aspects of the SIP grammar:
• Infinite sentences
• Syntax
• Delimiters
• Field Values
• Context-Sensitive
SIP Fuzzing Categories
Grammar/ABNF Valid Impractical Errors
• ABNF can express infinite “sentences” which, even though perfectly valid, are impractical to handle
Example: Grammar for the “From” header
From          = ( "From" / "f" ) HCOLON from-spec
from-spec     = ( name-addr / addr-spec ) *( SEMI from-param )
from-param    = tag-param / generic-param
tag-param     = "tag" EQUAL token
generic-param = token [ EQUAL gen-value ]
gen-value     = token / host / quoted-string
token         = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~" )
BNF valid impractical error = From: Alice <sip:alice@atlanta.com>;tag=1928301774;gen1=val1;gen2=val2;…;genn=valn (with n = 10000)
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774;gen1=val1;…;genn=valn
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Contact: <sip:alice@pc33.atlanta.com>
Content-Length: 0
SIP Fuzzing Categories
Syntax Errors
• Syntax errors violate the grammar of the underlying language.
• They are created by removing an element, adding an extra element, or providing the elements in the wrong order.
Example: Grammar for an IP address
IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
Syntax error = 192.192.192.192.192
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Contact: <sip:alice@pc33.atlanta.com>
Content-Length: 0
SIP Fuzzing Categories
Delimiter Errors
• Delimiters mark the separation of fields in a sentence.
• In SIP the delimiters are white-space characters (space, tab, line feed, etc.) or other characters (commas, semicolons, etc.)
• Delimiters can be omitted, multiplied or replaced by other unusual characters. Paired delimiters, such as braces, can be left unbalanced.
Example: “:” is the delimiter after each SIP header name
Delimiter error = From Alice
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.com>
From Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 70
Contact: <sip:alice@pc33.atlanta.com>
Content-Length: 0
SIP Fuzzing Categories
Field Value Errors
• Normally, a field value has a range, or several disjoint ranges, of allowable values.
• Field-value errors include values that are at a range boundary or totally out of range.
Example: legitimate Max-Forwards values = 0-255
Field-value error = Max-Forwards: 99999999999
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Max-Forwards: 99999999999
Contact: <sip:alice@pc33.atlanta.com>
Content-Length: 0
SIP Fuzzing Categories
Context Dependent Errors
• A context-dependent error violates a context-dependent property of the grammar
Example: the CSeq method cannot be BYE in an INVITE message
Context-dependent error = CSeq: 314159 BYE (inside an INVITE request)
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 BYE
Max-Forwards: 70
Contact: <sip:alice@pc33.atlanta.com>
Content-Length: 0
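To make the five categories concrete, here is an added Python example (not code from the slides or from Sipera's product) that checks a request for each class of error using the sample INVITE above: an unbounded generic-param list on From (impractical), a malformed IPv4 host (syntax), a header line without its ":" (delimiter), Max-Forwards outside 0-255 (field value), and a CSeq method that disagrees with the request method (context). The limit of 10 generic parameters is an assumed practical limit, not an RFC value, and the sample messages are constructed from the RFC 3261 INVITE.

```python
# Added example (not from the Sipera deck): classify a SIP request into the five
# fuzzing categories described on these slides. MAX_GENERIC_PARAMS is an assumed
# practical limit; the sample messages below are constructed.
import re
from dataclasses import dataclass

TOKEN = re.compile(r"[A-Za-z0-9\-.!%*_+`'~]+")        # RFC 3261 token
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")          # 1*3DIGIT "." x3, 1*3DIGIT
HOST_IN_URI = re.compile(r"sip:(?:[^@>\s]+@)?([^;>\s:]+)")
MAX_GENERIC_PARAMS = 10                                # assumed practical limit


@dataclass
class Finding:
    category: str   # impractical | syntax | delimiter | field-value | context
    detail: str


def check_message(raw: str) -> list:
    findings = []
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")

    # Request-Line = Method SP Request-URI SP SIP-Version
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return [Finding("syntax", f"request line has {len(parts)} fields, expected 3")]
    method, request_uri, _version = parts

    headers = []
    for line in lines[1:]:
        # Delimiter: every header needs a token name followed by ":"
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.fullmatch(name.strip()):
            findings.append(Finding("delimiter", f"no header-name ':' delimiter in {line!r}"))
            continue
        headers.append((name.strip().lower(), value.strip()))

    # Syntax: an all-numeric host must be a well-formed IPv4address
    for text in [request_uri] + [v for _, v in headers]:
        for host in HOST_IN_URI.findall(text):
            if re.fullmatch(r"[\d.]+", host) and not IPV4.fullmatch(host):
                findings.append(Finding("syntax", f"malformed IPv4 host {host!r}"))

    for name, value in headers:
        if name in ("from", "f"):
            # Grammar-valid but impractical: unbounded *( SEMI generic-param )
            params = [p for p in value.split(";")[1:] if not p.startswith("tag=")]
            if len(params) > MAX_GENERIC_PARAMS:
                findings.append(Finding("impractical", f"{len(params)} generic-params on From"))
        elif name == "max-forwards":
            # Field value: Max-Forwards is 0..255
            if not (value.isdigit() and int(value) <= 255):
                findings.append(Finding("field-value", f"Max-Forwards {value!r} outside 0-255"))
        elif name == "cseq":
            # Context dependent: the CSeq method must match the request method
            cseq = value.split()
            if len(cseq) != 2 or not cseq[0].isdigit():
                findings.append(Finding("syntax", f"malformed CSeq {value!r}"))
            elif cseq[1] != method:
                findings.append(Finding("context", f"CSeq method {cseq[1]} inside {method} request"))
    return findings


def categories(raw: str) -> list:
    """The distinct error categories found in one message, sorted (empty = clean)."""
    return sorted({f.category for f in check_message(raw)})


# Constructed samples: the slides' INVITE (RFC 3261 values) with one line altered per category
BASE = [
    "INVITE sip:bob@biloxi.com SIP/2.0",
    "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8",
    "To: Bob <sip:bob@biloxi.com>",
    "From: Alice <sip:alice@atlanta.com>;tag=1928301774",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Max-Forwards: 70",
    "Contact: <sip:alice@pc33.atlanta.com>",
    "Content-Length: 0",
]


def variant(index: int, replacement: str) -> str:
    lines = list(BASE)
    lines[index] = replacement
    return "\r\n".join(lines) + "\r\n\r\n"


SAMPLES = {
    "valid": variant(8, BASE[8]),
    "impractical": variant(3, BASE[3] + ";" + ";".join(f"gen{i}=val{i}" for i in range(1, 10001))),
    "syntax": variant(0, "INVITE sip:bob@192.192.192.192.192 SIP/2.0"),
    "delimiter": variant(3, "From Alice <sip:alice@atlanta.com>;tag=1928301774"),
    "field-value": variant(6, "Max-Forwards: 99999999999"),
    "context": variant(5, "CSeq: 314159 BYE"),
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(f"{label:12s} -> {categories(message)}")
```

Each sample triggers exactly its own category; the "delimiter" case shows why the check must look at the header name rather than merely for any ":" in the line, since the URI inside the broken From line still contains one.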
SIP Fuzzing Tool
Generate Fuzzing test cases
• Simplify formal interface specification
• Design valid-cases
• Define or reuse anomalies
• Insert the anomalies
• Design & Generate test cases
SIP Fuzzing Tool
Simplify formal interface specification
• For example: simplify the SIP grammar to express one header at a time only.
<Request-Line> = <Method> SP <Request-URI> SP <SIP-Version> CRLF
<SIP-Version> = "SIP" "/" 1…n {<DIGIT>} "." 1…n {<DIGIT>}
<DIGIT> = 0|1|2|3|4|5|6|7|8|9
Design valid cases
• Some representative valid test cases are generated (designed) to be used to generate invalid cases:
INVITE sip:bob@biloxi.com SIP/2.0
SIP Fuzzing Tool
Define or Reuse Anomalies
• Anomalies are defined as exceptional or unexpected elements that may cause havoc.
• Each part of the grammar can be replaced with anomalous grammar:
<ASCII-Overflow> = ()|a|aa|aaaa|aaaaaaaa|… (2^0 … 2^17 repetitions)
<FORMAT-Overflow> = <STR-FORMAT-Overflow>|<HEX-FORMAT-Overflow>|<INT-FORMAT-Overflow>
<STR-FORMAT-Overflow> = ()|%s|%s%s|%s%s%s%s|%s%s%s%s%s%s%s%s|… (2^0 … 2^17 repetitions)
<HEX-FORMAT-Overflow> = ()|%x|%x%x|%x%x%x%x|%x%x%x%x%x%x%x%x|… (2^0 … 2^17 repetitions)
<INT-FORMAT-Overflow> = <INT-NORMAL-FORMAT-Overflow>|<INT-UNUSUAL-FORMAT-Overflow>
<INT-NORMAL-FORMAT-Overflow> = ()|%d|%d%d|%d%d%d%d|%d%d%d%d%d%d%d%d|… (2^0 … 2^17 repetitions)
SIP Fuzzing Tool
Insert Anomalies
• For example: replace “SIP” in the SIP version with the selection of the two overflows.
<Request-Line> = <Method> SP <Request-URI> SP <SIP-Version> CRLF
<SIP-Version> = <ASCII-Overflow>|<FORMAT-Overflow> "/" 1…n {<DIGIT>} "." 1…n {<DIGIT>}
<DIGIT> = 0|1|2|3|4|5|6|7|8|9
SIP Fuzzing Tool
Design & Generate fuzzed test cases
• Designing test cases involves replacing valid parts of the grammar in a valid test case with the anomalous alternatives:
<SIP-Version-SIP-Overflow> = INVITE sip:bob@biloxi.com <ASCII-Overflow>|<FORMAT-Overflow>/2.0
• Generating test cases involves expanding the fuzzed grammar:
<SIP-Version-SIP-Overflow> =
INVITE sip:bob@biloxi.com /2.0
INVITE sip:bob@biloxi.com a/2.0
INVITE sip:bob@biloxi.com aa/2.0
INVITE sip:bob@biloxi.com aaaa/2.0 …
INVITE sip:bob@biloxi.com %s/2.0
INVITE sip:bob@biloxi.com %s%s/2.0
INVITE sip:bob@biloxi.com %s%s%s%s/2.0 …
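The expansion above can be carried out mechanically. The following Python is an added example, not the tool or code of the slides' authors: it reproduces the doubling anomaly series from the anomaly grammar, expands the fuzzed request line into the test cases listed above, and wraps each one in the full INVITE so it can be fed to a SIP stack under test. The RFC 3261 URI sip:bob@biloxi.com, the use of the "%d" series for <INT-FORMAT-Overflow>, and the repetition cap of 8 are assumptions.

```python
# Added example (not code from the Sipera deck): expand the fuzzed <SIP-Version>
# grammar on the slides into concrete request-line test cases for a SIP stack
# under test. Assumed: the RFC 3261 sample URI sip:bob@biloxi.com, the "%d" series
# standing in for <INT-FORMAT-Overflow>, and a repetition cap of 8 (the slides
# keep doubling much further).


def doubling_series(unit: str, max_repeats: int = 8) -> list:
    """()|unit|unit*2|unit*4|... : the anomaly shape used for every overflow on the slides."""
    out = [""]          # "()" is the empty alternative
    n = 1
    while n <= max_repeats:
        out.append(unit * n)
        n *= 2
    return out


# <ASCII-Overflow>  = ()|a|aa|aaaa|aaaaaaaa|...
ASCII_OVERFLOW = doubling_series("a")
# <FORMAT-Overflow> = <STR-FORMAT-Overflow>|<HEX-FORMAT-Overflow>|<INT-FORMAT-Overflow>
FORMAT_OVERFLOW = doubling_series("%s") + doubling_series("%x") + doubling_series("%d")


def dedupe(items: list) -> list:
    """Every series starts with (); keep one copy of each alternative, in order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def sip_version_cases(version: str = "2.0") -> list:
    """<SIP-Version> = <ASCII-Overflow>|<FORMAT-Overflow> "/" 1*DIGIT "." 1*DIGIT"""
    return [f"{anomaly}/{version}" for anomaly in dedupe(ASCII_OVERFLOW + FORMAT_OVERFLOW)]


def request_line_cases(method: str = "INVITE", uri: str = "sip:bob@biloxi.com") -> list:
    """<Request-Line> = <Method> SP <Request-URI> SP <SIP-Version>, with the version fuzzed."""
    return [f"{method} {uri} {v}" for v in sip_version_cases()]


# The fixed headers of the slides' sample INVITE (RFC 3261 example values)
BASE_HEADERS = [
    "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8",
    "To: Bob <sip:bob@biloxi.com>",
    "From: Alice <sip:alice@atlanta.com>;tag=1928301774",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Max-Forwards: 70",
    "Contact: <sip:alice@pc33.atlanta.com>",
    "Content-Length: 0",
]


def build_messages() -> list:
    """Complete INVITE messages (bytes, CRLF-terminated) ready to send to the stack under test."""
    return [("\r\n".join([line] + BASE_HEADERS) + "\r\n\r\n").encode()
            for line in request_line_cases()]


if __name__ == "__main__":
    for line in request_line_cases():
        print(line)
```

With the cap of 8 the expansion yields 17 request lines: the empty alternative once, then four lengths each of "a", "%s", "%x" and "%d"; raising max_repeats reproduces the longer tail the slides hint at.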
VoIP/UC is different
VoIP is Different
[Diagram: the properties that set VoIP apart: Real-time; Peer-to-peer; Weak VoIP Endpoints; Complex Protocols for Rich Features; Human Interactive; Application Layer]
VoIP is Different: Peer-to-peer
[Diagram: e-mail is purely client/server (SMTP: connect to server and send e-mail; POP3: connect to server and receive e-mails). A VoIP call is client/server only for signalling through the IP PBX (Make Call, Deliver Call, Answer Call); the conversation itself (RTP over UDP carrying voice and video) flows peer-to-peer between the clients.]
VoIP is Different: Complex Application Layer
[Diagram: a conventional data firewall does packet processing, header inspection and limited payload inspection; VoIP protection additionally needs application state, context and semantic processing. The figure shows the word “Attack” fragmented across packets (“Header Att” / “Header ack”), so that the attack is only visible once the message is reassembled.]
VoIP is Different: Weak VoIP Endpoints
[Diagram: PC endpoint: virus scanner, firewall, HIDS; high CPU, memory; security protocols: IPSec, 802.1X. VoIP phone: no security tools; weak CPU, low memory; limited security protocols.]
Impact of Fuzzing Attacks: Peer-to-peer
• Attackers can directly fuzz endpoints
• Fuzzed attacks usually pass through the IP PBX and directly attack phones
[Diagram: signalling (Make Call, Deliver Call, Answer Call) is client/server through the IP PBX; the conversation (RTP over UDP: voice, video) is peer-to-peer]
Impact of Fuzzing Attacks: Complex Application Layer
• Complex application layer grammar allows for more fuzzing combinations
• Allows for context- or state-dependent fuzzing, very difficult to protect against with stateless firewalls
[Diagram: call features such as Transfer, Conference, Hold, Forward…; the “Attack” fragmented across packets (“Header Att” / “Header ack”)]
Impact of Fuzzing Attacks: Weak VoIP Endpoints
• Endpoints are weak: low CPU, low memory; simple loops prove costly
• No security tools: nothing to inspect bad packets and block them on the client
[Diagram: VoIP phone: no security tools; weak CPU, low memory; limited security protocols]
Fuzzing Protection
Protecting against grammar-compliant fuzzes (SIP torture tests, etc.)
• Enforcement of Practical limits
• User, Network, Device based policy control
• Dedicated Vulnerability Research
- Vulnerability Shielding Signatures
• Exploit Research
- Exploit Blocking Signatures
• Signature Update Service
Protecting against syntax, delimiter, field-value and similar fuzzing
• Grammar Validation/Enforcement
• Enforcement of Practical limits
• Dedicated Vulnerability Research
- Vulnerability Shielding Signatures
• Exploit Research
- Exploit Blocking Signatures
• Signature Update Service
Fuzzing Protection
Grammar Validation
• Does this comply with the RFC ABNF?
- As a whole message
- Individual headers
- SDP/Body of the message
REGISTER sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:UserB@there.com>
To: LittleGuy <sip:UserB@there.com>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Authorization: Digest username="UserB", realm="MCI WorldCom SIP", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc"
Content-Length: 0
[Callouts on the message: “Does the SIP message comply with the SIP RFC ABNF?” (the message as a whole); “Does the header line comply with the RFC ABNF?” (each individual header)]
Fuzzing Protection
Enforcement of Practical limits
• Enforcement of SIP messages
• Enforcement of SIP headers
• Enforcement of field values
REGISTER sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:UserB@there.com>
To: LittleGuy <sip:UserB@there.com>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Authorization: Digest username="UserB", realm="MCI WorldCom SIP", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", response="dfe56131d1958046689cd83306477ecc"
Content-Length: 0
[Callouts on the message: “Is this in the list of allowed SIP messages?” (the request method); “Are these in the list of allowed SIP headers for this message?” (the header names); “Is this compliant with the maximum user part length?” and “Is this compliant with the maximum host part length?” (the user and host parts of each URI); “Is this compliant with the maximum header length?” (each header line)]
Fuzzing Protection
User, Network, Device policy enforcement
• Is this device able to send or receive this message/header length, header field value, etc.?
• Is this SIP network able to handle these messages?
• Is this user/SIP domain allowed to send these messages?
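The two preceding slides amount to a policy table consulted for every message. The following Python, an added example rather than the vendor's implementation, encodes the practical-limit checks they call out (allowed messages, allowed headers for that message, maximum user part, host part and header length) as a Policy object and evaluates the slides' REGISTER against two assumed profiles, a desk phone and a SIP trunk. The profile numbers, the Call-ID and Contact values, and the variant messages are constructed.

```python
# Added example (not from the Sipera deck): enforce practical limits per
# device/network policy. The two profiles and their numbers are assumed, not
# vendor defaults; the REGISTER is the slides' sample with constructed Call-ID
# and Contact values.
import re
from dataclasses import dataclass

URI = re.compile(r'sips?:(?:([^@>\s]+)@)?([^;>\s:?"]+)')   # (user, host) of each SIP URI


@dataclass
class Policy:
    name: str
    allowed_methods: frozenset
    allowed_headers: dict          # method -> header names (lower-case) permitted in it
    max_user_len: int
    max_host_len: int
    max_header_len: int


REGISTER_HEADERS = frozenset({"via", "from", "to", "call-id", "cseq", "contact",
                              "authorization", "expires", "max-forwards", "content-length"})

# A desk phone only ever needs a handful of methods and short URIs ...
DESK_PHONE = Policy("desk-phone",
                    frozenset({"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "NOTIFY"}),
                    {"REGISTER": REGISTER_HEADERS},
                    max_user_len=64, max_host_len=128, max_header_len=512)
# ... while a trunk to another network is allowed more room (assumed profile).
SIP_TRUNK = Policy("sip-trunk",
                   DESK_PHONE.allowed_methods | {"SUBSCRIBE", "MESSAGE", "REFER"},
                   {"REGISTER": REGISTER_HEADERS},
                   max_user_len=256, max_host_len=255, max_header_len=4096)


def enforce(raw: str, policy: Policy) -> list:
    """Return the policy violations found in one SIP request (empty list = accepted)."""
    violations = []
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method = lines[0].split(" ", 1)[0]
    if method not in policy.allowed_methods:           # allowed SIP messages
        return [f"{policy.name}: method {method} not allowed"]
    permitted = policy.allowed_headers.get(method, frozenset())
    for line in lines[1:]:
        if len(line) > policy.max_header_len:           # maximum header length
            violations.append(f"{policy.name}: header longer than {policy.max_header_len} bytes")
        name = line.partition(":")[0].strip().lower()
        if name not in permitted:                        # allowed headers for this message
            violations.append(f"{policy.name}: header {name} not allowed in {method}")
    for user, host in URI.findall(raw):                  # maximum user / host part length
        if len(user) > policy.max_user_len:
            violations.append(f"{policy.name}: user part {len(user)} > {policy.max_user_len}")
        if len(host) > policy.max_host_len:
            violations.append(f"{policy.name}: host part {len(host)} > {policy.max_host_len}")
    return violations


REGISTER = "\r\n".join([
    "REGISTER sip:ss2.wcom.com SIP/2.0",
    "Via: SIP/2.0/UDP there.com:5060",
    "From: LittleGuy <sip:UserB@there.com>",
    "To: LittleGuy <sip:UserB@there.com>",
    "Call-ID: reg-0001@there.com",                       # constructed value
    "CSeq: 2 REGISTER",
    "Contact: <sip:UserB@192.0.2.10>",                   # constructed value
    'Authorization: Digest username="UserB", realm="MCI WorldCom SIP", '
    'nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.wcom.com", '
    'response="dfe56131d1958046689cd83306477ecc"',
    "Content-Length: 0",
]) + "\r\n\r\n"

# Constructed variants of the REGISTER above
LONG_USER = REGISTER.replace("UserB@", "U" * 100 + "@")                       # 100-char user part
EXTRA_HEADER = REGISTER.replace("Content-Length: 0", "X-Fuzz: 1\r\nContent-Length: 0")
OTHER_METHOD = REGISTER.replace("REGISTER sip:", "SUBSCRIBE sip:", 1)

if __name__ == "__main__":
    for label, msg in [("register", REGISTER), ("long-user", LONG_USER),
                       ("extra-header", EXTRA_HEADER), ("other-method", OTHER_METHOD)]:
        print(label, "phone:", enforce(msg, DESK_PHONE), "trunk:", enforce(msg, SIP_TRUNK))
```

The same 100-character user part is rejected for the desk phone and accepted for the trunk, which is the point of keying the limits on the device or network rather than hard-coding one value for all of them.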
Fuzzing Protection
Dedicated Vulnerability Research
• Extensively test new devices (phones, call servers) for vulnerabilities until breaking point
• Develop vulnerability shields specific to these devices
Fuzzing Protection
Exploit Research
• Extensively research new code that exploits known vulnerabilities
• Develop signatures for specific exploits
//Exploit
\x52\x52\x52\x52\xB8\x8A\x05sip:ss2.wcom.com SIP/2.0
Via: SIP/2.0/UDP there.com:5060
From: LittleGuy <sip:UserB@there.com>
To: LittleGuy <sip:UserB@there.com>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Content-Length: 0