sip robustness testing for large scale use
play

SIP Robustness Testing for Large-Scale Use OUSPG - PowerPoint PPT Presentation

Nov 08, 2023 •331 likes •443 views

Christian Wieser, Marko Laakso and Henning Schulzrinne SIP Robustness Testing for Large-Scale Use OUSPG [http://www.ee.oulu.fi/research/ouspg] Motivation Software vulnerabilities prevail: Fragile and insecure software continues to be a

  1. Christian Wieser, Marko Laakso and Henning Schulzrinne SIP Robustness Testing for Large-Scale Use OUSPG [http://www.ee.oulu.fi/research/ouspg]

  2. Motivation  Software vulnerabilities prevail: “Fragile and insecure software continues to be a major threat to a society increasingly reliant on complex software systems.” - Anup Ghosh [Risks Digest 21.30]  Our purpose: “To study, evaluate and develop methods of implementing and testing application and system software in order to prevent, discover and eliminate implementation level security vulnerabilities in a pro-active fashion. Our focus is on implementation level security issues and software security testing.” OUSPG [http://www.ee.oulu.fi/research/ouspg]

  3. Dominant security problems  From ICAT vulnerability statics Vulnerability Type 2003 2002 2001 2000 Input Validation Error 526 (52%) 661 (51%) 744 (49%) 359 (36%) (Boundary Condition Error) 81 (8%) 22 (2%) 51 (3%) 66 (7%) (Buffer Overflow) 236 (23%) 288 (22%) 316 (21%) 190 (19%) Access Validation Error 92 (9%) 121 (9%) 126 (8%) 168 (17%) Exceptional Condition Error 152 (15%) 117 (9%) 146 (10%) 119 (12%) Environment Error 3 (0%) 10 (1%) 36 (2%) 19 (2%) Configuration Error 49 (5%) 67 (5%) 74 (5%) 82 (8%) Race Condition 17 (2%) 22 (2%) 50 (3%) 21 (2%) Design Error 266 (26%) 407 (31%) 339 (26%) 166 (17%) Other 18 (2%) 2 (0%) 8 (1%) 14 (1%)  Dominance of “Input Validation Error” OUSPG [http://www.ee.oulu.fi/research/ouspg]

  4. Our approach - in a nutshell Today, thousands of gifted and patient, but uncoordinated monkeys are pounding different products in order to reveal vulnerabilities. Visual by http://www.PDImages.com Think of us as rather dumb monkeys using a monkey-machine and systematic methodology to eliminate the most trivial ones. OUSPG [http://www.ee.oulu.fi/research/ouspg]

  5. PROTOS project  Security Testing of Protocol Implementations  Results:  A novel (mini-simulation) vulnerability testing method developed  Several papers and test suites published  Continuation:  Spin-off company Codenomicon Ltd  OUSPG will continue with public research OUSPG [http://www.ee.oulu.fi/research/ouspg]

  6. c07-sip Robustness Test Suite  Applying the PROTOS approach in SIP  SIP matures from academic interest to an industry deployed protocol  Extending the work done in  SIP Torture Test Messages  RFC3261 compliant  Working on the awareness front  SIPit’s  Interaction during vulnerability process OUSPG [http://www.ee.oulu.fi/research/ouspg]

  7. c07-sip Design  Mutating SIP INVITE-requests to simulate attacks to the Software Under Test (SUT).  54 test groups  4527 test cases  Available as Java JAR-package  UDP as only injection vector  Teardown with  CANCEL/ACK messages  Valid-case as minimal instrumentation OUSPG [http://www.ee.oulu.fi/research/ouspg]

  8. c07-sip Results  Approach new to SIP scene  Alarming rates of failed subjects  Nine implementations (6 UA, 3 servers) tested  1 passed  8 failed in various test-groups  For demonstration purpose  2 working exploits “Hitting the Granny with a stick”? OUSPG [http://www.ee.oulu.fi/research/ouspg]

  9. Vulnerability Process  Vulnerability process: Phases  Development  Creating and wrapping-up the test-suite  Internally testing the available implementations  Pre-release  Involvement of neutral third party (in this case CERT/CC)  Notifying respective vendors of any vulnerabilities found  Distributing the test-suite to identified vendors implementing the chosen protocol  Vulnerability and advisory coordination  Grace period  Release  Deploying the test-suite for public perusal  Collecting feedback  Reiterating either with same or next protocol Development SiPit11 Pre-release SiPit12 Release t 2002-10-01 2002-11-01 2002-12-01 2003-01-01 2003-02-01 2003-03-01 OUSPG [http://www.ee.oulu.fi/research/ouspg]

  10. Summary  Noticeable amount of vulnerabilities found  Awareness on Implementation Level Vulnerabilities among vendors non equally distributed  Vulnerability process seems new to SIP community  Fair amount of interest  as of 2004-02: around 2500 test material downloads  Further information: http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ OUSPG [http://www.ee.oulu.fi/research/ouspg]

Recommend

MORO: a Cytoscape App for Relationship Analysis between Modularity and Robustness in Large-Scale

MORO: a Cytoscape App for Relationship Analysis between Modularity and Robustness in Large-Scale

MORO: a Cytoscape App for Relationship Analysis between Modularity and Robustness in Large-Scale Biological Networks Authors: Cong-Doan Truong , Tien-Dzung Tran and Yung-Keun Kwon 1 October 8, 2016 Contents l Motivation l Modularity and

285 views • 24 slides
E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale Information Access Technologies Evaluation and Testing Evaluation and Testing Noriko Kando Noriko Kando National Institute of Informatics, Japan

632 views • 61 slides
Factor Analysis for Multiple Testing : an R package for large-scale significance testing under

Factor Analysis for Multiple Testing : an R package for large-scale significance testing under

Background Factor Analysis for Multiple Testing The FAMT package procedure Concluding comments Factor Analysis for Multiple Testing : an R package for large-scale significance testing under dependence Maela Kloareg, Chlo Friguet & David

402 views • 24 slides
Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Automatic Detection of Performance Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and Intelligence Lab (SAIL) Queens University, Kingston, Canada Large scale systems need to satisfy performance constraints

822 views • 37 slides
EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF Outline

EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF Outline

EMI Inter-component and Large Scale Testing Infrastructure Danilo Dongiovanni INFN-CNAF Outline Background on EMI certification and testing process: Role of Testing Infrastructure within Quality Assurance o Product Team (PT) centric

504 views • 19 slides
A Two-Level Toeplitz Model for Large-Scale Simultaneous Hypothesis Testing Dan Cervone Advisor:

A Two-Level Toeplitz Model for Large-Scale Simultaneous Hypothesis Testing Dan Cervone Advisor:

Empirical Bayes Methods for Simultaneous Hypothesis Testing Estimating Level II Covariance Matrix Data Results Conclusion A Two-Level Toeplitz Model for Large-Scale Simultaneous Hypothesis Testing Dan Cervone Advisor: Carl Morris December

414 views • 24 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions

Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions

Litmus Testing at Rack Scale We're Going to Build a Large Program Collider ad Collide instructions at 0.99 c , and observe the decay products. Images: CERN; Chaix & Morel et associs David Cock | 19. September 20 | 2 16 Programmers

539 views • 24 slides
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han , Byunggil Joe, Byoungyoung Lee * , Chengyu Song , Insik Shin KAIST, * Purdue, UCR 1 Memory error glibc: getaddrinfo Heartbleed Shellshock

659 views • 47 slides
Different kinds of robustness in genetic and metabolic networks Peter Schuster Institut fr

Different kinds of robustness in genetic and metabolic networks Peter Schuster Institut fr

Different kinds of robustness in genetic and metabolic networks Peter Schuster Institut fr Theoretische Chemie und Molekulare Strukturbiologie der Universitt Wien Seminar lecture Linz, 15.12.2003 Genomics and proteomics Large scale data

1.29k views • 109 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Inference following aggregate-level hypothesis testing in large scale genomic data Ruth Heller

Inference following aggregate-level hypothesis testing in large scale genomic data Ruth Heller

Inference following aggregate-level hypothesis testing in large scale genomic data Ruth Heller www.math.tau.ac.il/ ruheller Joint work with Nilanjan Chatterjee, Abba Krieger, and Jianxin Shi Ruth Heller (TAU) Inference following

638 views • 28 slides
Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is

Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is

Point sets, Maps and Navigation - II D.A. Forsyth Robustness is a serious problem Robustness is a serious problem Key issue: Squaring a large number produces a huge number A few wildly mismatch points can throw off R, t Fixes:

153 views • 12 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author:

AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author:

AN AUTOMATED TESTING PROCEDURE TO EVALUATE INDUSTRIAL DEVICES COMMUNICATION ROBUSTNESS Author: Filippo Tilaro Supervised by: Brice Copy Overview Scope & Objectives IT & Industrial Security Model Security Metrics & Testing

327 views • 15 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
Enabling Large-Scale Testing of IaaS Cloud Platforms on the Grid5000 Testbed Sbastien Badia,

Enabling Large-Scale Testing of IaaS Cloud Platforms on the Grid5000 Testbed Sbastien Badia,

Enabling Large-Scale Testing of IaaS Cloud Platforms on the Grid5000 Testbed Sbastien Badia, Alexandra Carpen-Amarie, Adrien Lbre, Lucas Nussbaum Grid5000 S. Badia, A. Carpen-Amarie, A. Lbre, L. Nussbaum Testing IaaS Clouds on

280 views • 26 slides
Exploring Sequence-Based Approaches Using Process Data in Large-Scale Assessments Qiwei Britt He

Exploring Sequence-Based Approaches Using Process Data in Large-Scale Assessments Qiwei Britt He

Opportunity versus Challenge Next Generation Psychometrics and Data Exploring Usage of Log-File and Process Data in International Large Science Center Scale Assessments Conference/Workshop Educational Testing Service Exploring Sequence-Based

668 views • 53 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Inheritance Big software n software engineering : The practice of conceptualizing, designing,

Inheritance Big software n software engineering : The practice of conceptualizing, designing,

Inheritance Big software n software engineering : The practice of conceptualizing, designing, developing, documenting, and testing large- scale computer programs. n Large-scale projects face many issues: q getting many programmers to work

586 views • 40 slides
Inheritance The software crisis software engineering : The practice of conceptualizing,

Inheritance The software crisis software engineering : The practice of conceptualizing,

Inheritance The software crisis software engineering : The practice of conceptualizing, designing, developing, documenting, and testing large- scale computer programs. Large-scale projects face many issues: getting many programmers to

1.23k views • 39 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides
Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Census: Location-Aware Membership Management for Large-Scale Distributed Systems James Cowling Dan R. K. Ports Barbara Liskov Raluca Ada Popa Abhijeet Gaikwad* MIT CSAIL *cole Centrale Paris Motivation Large-scale distributed systems

606 views • 48 slides

More recommend