Slide 1: 3G-GPRS, GTP Robustness Testing
Supervisor: Professor Timo Korhonen
Instructor: Mika J Virtanen
Thesis worker: Nitayaruk Chomchuen
3G-SGSN
© NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential

Slide 2: Contents
• Security Issues in Communication Systems
• GTP Robustness Testing
• Testing Technique & Test Case Design
• Test Results
• Analysis
• Conclusion

Slide 3: Objectives
• This thesis was written in the LEKA 2 project, IP Mobility Network, Mobile Packet Core department.
• The objective of this project is to evaluate the ability of GTP to tolerate unexpected input events and stressful environment conditions, and to discover software vulnerabilities that may lead to security attacks in the early phase of development.
• It is a new functional method for assessing protocol implementation security. The testing tool used in this project was developed by Codenomicon Oy.

Slide 4: Security Issues in IP-based Networks
[Figure: Incidents Reported (CERT); x-axis: Year, 1988 to 2003; y-axis: Number of Incidents, 0 to 160000]
• As a lesson learned from the Internet, the rate of security attacks doubles every year. Such attacks are worms, viruses, password sniffers, denial of service, distributed denial of service, etc.
• To attack an IP-based network today, an intruder may not need in-depth technical knowledge: attacking tools and techniques are widely available on the Internet, and Internet search engines make things even easier.
• Trends in attacking tools: automation, faster discovery of vulnerabilities, and harder detection.

Slide 5: Enhancing Security with "Secure" Protocols
• The IP protocol was not designed with security in mind.
• Many secure protocols based on authentication and encryption mechanisms have been introduced with the intention of enhancing the security of IP-based networks.
• Ironically, these secure protocols can also contain vulnerabilities. IPsec, SSH, SSL?
Examples of secure protocol vulnerabilities (CERT):
- CA-2003-26: Multiple Vulnerabilities in SSL/TLS Implementations
- CA-2000-18: PGP May Encrypt Data With Unauthorized ADKs
- CA-1999-15: Buffer Overflows in SSH daemon and RSAREF2 Library

Slide 6: Causes of System Vulnerabilities
[Figure: Flaws in Design/Architecture, Flaws in Implementation and Flaws in Operation all feed into the system vulnerabilities]
• Flaws in Design/Architecture: poor design caused by lack of expertise of the designers
• Flaws in Implementation: caused by programming mistakes
• Flaws in Operation: caused by operating with minimum-security settings

Slide 7: Weaknesses in How Software or Protocols Are Implemented
• Basic programming mistakes can lead to serious security violations.
• The mistakes come in various ways:
- failure to verify the validity of input
- use of an insecure library function
- use of a function in an insecure way

Table: Software Security Vulnerabilities and Results
| Software Security Vulnerability | Result                                             |
| Buffer overflow                 | Crash or denial-of-service situation               |
| Format string vulnerability     | Crash or denial-of-service situation               |
| Memory allocation bomb          | Denial-of-service situations                       |
| Resource allocation problems    | Degraded performance or denial of service          |
| Missing validity checks         | Corruption of data or termination of the program   |
| Busy loops and deadlocks        | Restart or reboot to recover                       |
| Recursion failures              | Stack-memory allocation problems                   |

Slide 8: Weaknesses in How Software or Protocols Are Implemented (2)
• To solve this problem, software developers should implement software in a secure manner.
• Secure programming is a good start. However, the effectiveness of secure programming depends on the effort and knowledge of the software developers.
• Therefore, a method for assessing the quality of software code from the security point of view is necessary.

Slide 9: 3G-GPRS System Overview
[Figure: Radio Access Network (BTS, RNC) reached over the Uu interface; Iu-CS to the Circuit Switched domain and the PSTN; Iu-PS to the Packet Switched domain and the Internet]
• General Packet Radio System (GPRS) uses packet-mode techniques to transfer the user's data and signaling in an efficient manner.
• The two main network elements in a GPRS network are:
- Serving GPRS Support Node (SGSN): keeps track of the location of an individual MS and performs security functions and access control
- Gateway GPRS Support Node (GGSN): provides internetworking with packet data networks. It is connected to the SGSNs via an IP-based network.

Slide 10: GTP Robustness Testing
• GTP is the main protocol used in the GPRS backbone for handling signaling messages and end-user data between GPRS support nodes (i.e. SGSN and GGSN) in the GPRS network.
[Figure: protocol stacks across the IP network. User plane: GTP-U / UDP / IP / Link Layer / Physical Layer. Control plane: GTP-C / UDP / IP / Link Layer / Physical Layer.]
GTP: GPRS Tunneling Protocol; UDP: User Datagram Protocol; IP: Internet Protocol; MTP: Message Transfer Protocol
• The objectives of this testing are to enhance the efficiency of finding hidden vulnerabilities and to exercise GTP from the security perspective.
• GTP robustness testing is a functional testing method using the fault injection technique.

Slide 11: Fault Injection Technique Overview
• Fault injection has been applied to safety-critical systems, whose failure and downtime have severe consequences: for example, aircraft flight control, nuclear reactor monitoring, medical life support, etc.
• The objective of applying this technique is to study the system in the presence of faults, unusual system events, or malicious attack, and to monitor the system's response in those particular cases.
• This technique was first applied in the hardware testing field, for example by injecting artificial faults into printed circuit boards and then observing whether any short circuit or broken device results.
• Today this technique is also used in the software testing field, by injecting malicious code into the software and observing how the software behaves.
[Figure: Fault or Invalid Input -> System Under Test]

Slide 12: Applying the Fault Injection Technique to Software Security Testing
• It can be turned into a security assessment tool by injecting faults or input values that are known to be problematic or that can be used by intruders to attack the system.
• Thus, the effectiveness and efficiency of this testing tool depend on how the test cases are implemented: the fault and the location where it is inserted.
• The artificial fault used in a test case is called an "anomaly".

Slide 13: GTP Testing Tool: Test Case Design
• It is based on the systematic generation of a very large number of protocol messages (tens of thousands) containing exceptional elements that simulate malicious attacks.
• A test case is in fact a signaling message containing at least one anomaly or exceptional information element. For example:
- A signaling message that contains multiple extension headers
- A signaling message that contains a repeated information element
- A signaling message that is missing some information element
- A signaling message that contains an unexpected information element
- A signaling message in which some information elements are out of sequence

Slide 14: Anomaly Type vs. Location Type
| Anomaly Type                          | Location Type                                                                                                                            |
| Integer anomalies                     | Most effective when applied to length fields, especially when the boundary values of the integer fields are known.                       |
| All possible integer values anomalies | Suitable for integer/length fields of less than 8 bits.                                                                                  |
| Overflow anomalies                    | Should be applied to fields whose size is not fixed (n octets).                                                                          |
| Underflow anomalies                   | Applicable to all field types.                                                                                                           |
| C-style format string anomalies       | Can be applied to PDU fields containing textual information such as common names, telephone numbers, domain names, and other alphanumeric strings. |

Slide 15: Example of a Test Case
a) Overflow
[Figure: a PDCP PDU number extension header as expected (octet 1: length = 1; octets 2-3: PDCP PDU number; octet 4: Next Extension Header type) beside the overflow anomaly, in which the length octet is followed by six PDCP PDU number octets (all 0x00) before the Next Extension Header type]
b) Underflow
[Figure: an Echo Request header, octet by octet. Octet 1: Version (001), flags (1) (0) (1) (0) (0); octet 2: Message Type = Echo Request (0x01); octets 3-4: Length (0x00) (0x04); octets 5-8: TEID (0x00) (0x00) (0x00) (0x00); octets 9-10: Sequence Number (0x01) (0x57); octet 11: N-PDU Number (0x00); octet 12: missing expected information element. Octets 1-8 are the mandatory part, the rest is payload.]

Slide 16: Laboratory Environment
The testing tool presents itself as a GGSN network element communicating with the tested SGSN over the Gn interface.
[Figure: tested 3G-SGSN connected to an HLR emulator (Gd: SS7), a DNS, a 3G mobile phone & RNC emulator (Iu: ATM), the GTP testing tool acting as GGSN (Gn: Ethernet), and a control PC]
Other test equipment and network elements are:
• Home Location Register (HLR) emulator connected to the SS7 interface (Gd interface)
• Domain Name Server connected to the IP backbone
• UE and RNC emulator connected to the ATM interface (Iu interface)
• Control PC connected to the Ethernet interface to control all tools in the test environment

Slide 17: Test Case Injection Process
The focus is not on correctness or conformance but on how the tested system responds or behaves to such faulty inputs, which could result in situations such as a system crash, a hang, or a denial-of-service condition.
[Figure: message sequence over Gn between the GTP testing tool and the 3G-SGSN: Echo Request / Echo Response, injection of a test case, Echo Request / Echo Response; time interval = 100 ms; verdict = "Pass" if a response arrives, "fail" if there is no response; then the next test case is injected]
The test result is evaluated by determining whether the tested SGSN is still functioning.
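The injection loop of this slide, written out as an added example (not the Codenomicon tool or any Nokia code): each test case is injected, then an Echo Request probes the system under test, and the verdict follows from whether an Echo Response comes back. The SGSN is replaced by a constructed stand-in whose crash condition is an assumption made for the demonstration.

```python
import struct

ECHO_REQUEST, ECHO_RESPONSE, RECOVERY_IE = 0x01, 0x02, 0x0E

def gtp_header(msg_type, seq, payload=b""):
    """GTPv1 header with S flag (flags 0x32), TEID 0; Length covers all after octet 8."""
    tail = struct.pack(">HBB", seq, 0, 0) + payload          # seq, N-PDU, next ext
    return struct.pack(">BBHI", 0x32, msg_type, len(tail), 0) + tail

class SimulatedSgsn:
    """Constructed stand-in for the system under test (not the Nokia SGSN). It
    answers Echo Requests until a PDU whose Length claims more octets than are
    present arrives (slide 15 b); a reader trusting that field would overrun
    the buffer, which the stand-in models by never answering again."""
    def __init__(self):
        self.alive = True

    def receive(self, pdu):
        if not self.alive or len(pdu) < 8:
            return None
        if struct.unpack(">H", pdu[2:4])[0] > len(pdu) - 8:
            self.alive = False                                # simulated crash/hang
            return None
        if pdu[1] == ECHO_REQUEST:
            seq = struct.unpack(">H", pdu[8:10])[0]
            return gtp_header(ECHO_RESPONSE, seq, bytes([RECOVERY_IE, 0]))
        return None

def is_alive(sut, seq, timeout_s=0.1):
    """Liveness probe: accept only an Echo Response echoing our sequence number.
    Against a real SGSN this is a UDP send to port 2123 and a recv bounded by
    timeout_s (the slide's 100 ms); the stand-in answers synchronously."""
    reply = sut.receive(gtp_header(ECHO_REQUEST, seq))
    return (reply is not None and reply[1] == ECHO_RESPONSE
            and struct.unpack(">H", reply[8:10])[0] == seq)

def run_campaign(sut, test_cases):
    """Inject each case, then probe; one verdict per case, as on slide 17."""
    verdicts = []
    for i, case in enumerate(test_cases):
        sut.receive(case)                     # reply to the anomaly itself is ignored
        verdicts.append("Pass" if is_alive(sut, 0x0100 + i) else "fail")
    return verdicts

# Constructed cases: valid Echo Request, one with a repeated Recovery IE,
# and the slide 15 b) underflow (Length 4, only 3 octets follow).
VALID = gtp_header(ECHO_REQUEST, 0x0157)
REPEATED_IE = gtp_header(ECHO_REQUEST, 0x0158, bytes([RECOVERY_IE, 1, RECOVERY_IE, 2]))
UNDERFLOW = struct.pack(">BBHI", 0x32, ECHO_REQUEST, 4, 0) + bytes([0x01, 0x57, 0x00])
```

Running `run_campaign(SimulatedSgsn(), [VALID, REPEATED_IE, UNDERFLOW, VALID])` yields the verdicts Pass, Pass, fail, fail: once the stand-in stops answering, every later case fails too, which is why the tool logs the first failing case rather than just the last one.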
After injecting a test case, the GTP testing tool sends an "echo request" message to the tested SGSN. If the tested SGSN responds with an "echo response" message, it is still alive, and the GTP testing tool reports a "Pass" verdict for that test case and starts injecting the next one. If, on the other hand, the GTP testing tool receives no response from the tested SGSN within a certain period (the instrument timeout), it logs a "fail" verdict for that test case.

Slide 18: Test Result
• From the test results, the first observation was that buffer overflows are the major vulnerability in the GTP protocol stack and are often found in information elements without a specific length indication.
[Figure a) Trigger ID information element: octet 1: Type = 142 (decimal); octets 2-3: Length; octets 4-n: Trigger ID]
• The second observation was that if an information element turns out to be a vulnerability in one signaling message type, there is also a possibility that it is a vulnerability in other signaling message types. This can happen when the same library is called or the same component containing the security flaw is reused.
• The last observation was that some system processes failed due to a lack of capability to control the system in such a stressful situation.

Slide 19: Analysis
[Figure a) How the test cases are implemented: knowledge of anomaly type vs. location, message type, information element, location and anomaly together define a test case]
[Figure b) How the result should be analysed: Test Plan -> Test Design -> Test Preparation & Execution -> Test Result; vulnerability type, anomaly type and location lead to the root cause]

Slide 20: Conclusion
[Figure: cycle of Discover Vulnerability -> Develop Patch -> Get Alert and Install Patch]
• As an immediate effect, the GTP testing tool will promote a higher-quality product, which is more reliable and stable in GPRS operation.
• As a long-term benefit, the software developers will eventually learn how to avoid security vulnerabilities; this also promotes secure-programming awareness in practice. Thus, the software security flaws will gradually be reduced.
• However, the importance of software unit or module testing should not be overlooked. Applying white-box testing techniques such as code auditing or code inspection will definitely help decrease the number of vulnerabilities at an early stage of development.
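As an added illustration of the validity checks whose absence the test results point at (slides 7, 15 and 18), here is a GTPv1 decoder that checks every length field against the bytes actually present before using it. It is example code, not the SGSN implementation or the testing tool; the TV information element table is an assumption covering only the few IE types the example needs.

```python
import struct
# GTPv1 TV information elements (type < 128) carry no length octet, so their
# size must be known; any type not in this table is rejected, never guessed.
TV_IE_LENGTH = {0x01: 1, 0x0E: 1, 0x10: 4}   # Cause, Recovery, TEID Data I
EXT_NONE = 0x00                              # "no more extension headers"

def decode_gtp(pdu: bytes) -> dict:
    """Decode a GTPv1 message, checking every length against the buffer first."""
    if len(pdu) < 8:
        raise ValueError("short header")
    flags, msg_type, length, teid = struct.unpack(">BBHI", pdu[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1 PT=1 message")
    if length != len(pdu) - 8:                 # slide 15 b): Length 4, 3 octets present
        raise ValueError(f"length field {length} but {len(pdu) - 8} octets follow")
    msg = {"type": msg_type, "teid": teid, "ext": [], "ies": []}
    pos, next_ext = 8, EXT_NONE
    if flags & 0x07:                           # E, S or PN set: 4 optional octets
        if length < 4:
            raise ValueError("optional octets missing")
        msg["seq"] = struct.unpack(">H", pdu[8:10])[0]
        next_ext = pdu[11] if flags & 0x04 else EXT_NONE
        pos = 12
    while next_ext != EXT_NONE:                # extension header chain
        size = 4 * pdu[pos] if pos < len(pdu) else 0   # length unit is 4 octets
        if size == 0 or pos + size > len(pdu):         # size 0 would spin forever
            raise ValueError("extension header runs past the message")
        msg["ext"].append((next_ext, pdu[pos + 1:pos + size - 1]))
        next_ext, pos = pdu[pos + size - 1], pos + size
    while pos < len(pdu):                      # information elements
        ie_type = pdu[pos]
        if ie_type < 128:                      # TV: fixed size, known or rejected
            if ie_type not in TV_IE_LENGTH:
                raise ValueError(f"unknown TV IE {ie_type}, length cannot be inferred")
            start, end = pos + 1, pos + 1 + TV_IE_LENGTH[ie_type]
        elif pos + 3 > len(pdu):               # TLV needs type + 2-octet length
            raise ValueError("truncated TLV header")
        else:                                  # e.g. Trigger ID, type 142 (slide 18)
            start = pos + 3
            end = start + struct.unpack(">H", pdu[pos + 1:pos + 3])[0]
        if end > len(pdu):
            raise ValueError(f"IE {ie_type} claims {end - start} octets, {len(pdu) - start} left")
        msg["ies"].append((ie_type, pdu[start:end]))
        pos = end
    return msg

# Constructed samples: valid Echo Request with a Recovery IE; the slide 15 b)
# underflow (Length 4, 3 octets follow); the slide 15 a) overflowed extension header.
VALID = bytes.fromhex("32 01 0006 00000000 0157 00 00 0e 05")
UNDERFLOW = bytes.fromhex("32 01 0004 00000000 0157 00")
OVERFLOW_EXT = bytes.fromhex("36 01 000c 00000000 0157 00 c0 01 000000000000 01")
```

The overflowed extension header is decoded according to its own length octet, so the six stuffed PDCP octets leave trailing bytes that then fail the IE check; the decoder rejects the message instead of misreading those bytes as further elements.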