3G-GPRS, GTP Robustness Testing

advertisement
3G-GPRS, GTP Robustness Testing
Supervisor: Professor Timo Korhonen
Instructor: Mika J Virtanen
Thesis worker: Nitayaruk Chomchuen
3G-SGSN
1
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Contents
• Security Issues in Communication systems
• GTP Robustness Testing
• Testing technique & Test Case design
• Test Results
• Analysis
• Conclusion
2
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Objectives
• This thesis is written in LEKA 2 project, IP Mobility Network, Mobile Packet
Core department.
• The objectives of this project is to evaluate the ability of GTP to tolerate
unexpected input events and stressful environment conditions and to
discover the vulnerabilities of software that may lead to security attack in
the early phase of development.
• It is a new functional method for assessing Protocol Implementation
Security. The testing tool that used in this project is developed by
Codenomicon Oy.
3
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Security issues in IP-based network
Incidents Reported (CERT)
160000
140000
Number
120000
100000
Year
80000
Incidents
60000
40000
•As lessons learned from the
Internet, the rate of security attacks
doubles every year. Such attacks
are Worms, Viruses, Password
Sniffers, Denial of Service,
Distributed Denial of Services, etc.
20000
03
02
20
01
20
00
20
99
20
98
19
97
19
96
19
95
19
94
19
93
19
91
19
90
19
89
19
19
19
88
0
Year
• Attacking IP-based network today an intruder may not need an indepth technical knowledge. As the attacking tools and techniques are
widely available in the Internet, the help of Internet Search engine
could make thing even easier.
•Trends of attacking tool: Automation, faster speed to discover
vulnerability and Hard to detect.
4
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Enhancing security with “Secure” Protocol
• IP Protocol was not designed with security in mind.
• Many secure protocols based on authentication and encryption mechanisms are
introduced with intention to enhance the security in the IP-based network.
• Ironically, these secure protocols can also contain the vulnerabilities.
IPsec,
SSH,
SSL?
Examples of Secure Protocol Vulnerability (CERT):
CA-2003-26: Multiple Vulnerabilities in SSL/TLS
Implementations
CA-2000-18: PGP May Encrypt Data With
Unauthorized ADKs
CA-1999-15: Buffer Overflows in SSH daemon and
RSAREF2 Library
5
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Causes of the system vulnerabilities
Flaws in Design/
Architecture
Flaws in Implemenation
Flaws in Operation
The system vulnerabilites
•Flaws in Design/Architecture: Poor design caused by lack of expertise of the designers
•Flaws in Implementation: caused by programming mistakes
•Flaws in Operation: caused by operating with the minimum-security setting
6
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Weaknesses in how software or protocols
are implemented
• Basic programming mistakes can lead to serious security violation.
• The mistakes come from various ways:
- failure to verify the validity of input
- use of an insecure library function
- use of the function in an insecure way.
Software Security Vulnerabilities
Results
Buffer overflow
Crashed or in denial of service situation
Format string vulnerability
Crashed or in denial of service situation
Memory allocation bomb
Denial-of-service situations
Resource allocation problems
Degraded performance or denial-of-service
Missing validity checks
Corruption of data or termination of the program
Busy loops and deadlocks
Restart or reboot to recover.
Recursion failures
Stack-memory allocation problems
Software Security Vulnerabilities and Results
7
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Weaknesses in how software or protocols
are implemented (2)
• To solve this problem, the software developers should implement the
software in a secure manner.
• Secure Programming is a good start. However, the effective of secure
programming is dependent on the effort and knowledge of software
developers.
• Therefore, the method of assessing the quality of software code from
security point of view is necessary.
8
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
3G-GPRS System Overview
Circuit Switched domain
PSTN
Uu
Iu-CS
BTS
RNC
Iu-PS
BTS
Packet Switched domain
Internet
Radio Access Network
• General Packet Radio System (GPRS): uses packet-mode techniques to transfer
the user’s data and signaling in an efficient manner.
• Two main network elements in GPRS network are:
• Serving GPRS Support Node (SGSN): keeps track of the location of an individual
MS and performs security functions and access control
• Gateway GPRS Support Node (GGSN): provides internetworking with packet data
networks. It is also connected with SGSNs via an IP-based network.
9
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
GTP Robustness Testing
• GTP is the main protocol used in GPRS backbone for handling the
signaling messages and the end-user’s data between GPRS support nodes
( i.e.SGSN and GGSN) in the GPRS networks.
IP network
GTP-U
GTP-C
UDP
UDP
IP
IP
Link Layer
Link Layer
Physical Layer
Physical Layer
User Plane
Control Plane
GTP: GPRS Tunneling Protocol
UDP: User Datagram Protocol
IP: Internet Protocol
MTP: Message Transfer Protocol
10
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
•The objectives of this testing are to
enhance the efficiency of finding
hidden vulnerabilities and to exercise
GTP from the security perspectives.
•GTP Robustness testing is a
functional testing method using Fault
Injection Technique.
Company Confidential
Fault Injection Technique Overview
• Fault injection technique has been applied to the safety critical system that
its failure and downtime have become more severe. For example, Air craft
flight control, nuclear reactor monitoring, medical life support, etc.
• The objectives of applying this technique are to study in the case of the
presence of faults, unusual system event, or under malicious attack and to
monitor the following response of the system in particular cases.
• First, this technique was applied to Hardware testing field, as an example,
by injecting artificial faults into the printed circuit boards, then observing the
result if there would be any short circuit or broken device.
• Today this technique is used also in the software testing field by injecting
malicious codes into the software and observing how the software behaves.
Fault or Invalid Input
System Under
test
11
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Applying Fault Injection technique to
Software Security Testing
• It can turn into a security assessment tool by injecting faults or inputting
values that are known to be problematic or can be used by intruders to
attack the system.
• Thus, the effectiveness and efficiency of this testing tool depend on how the
test cases are implemented; the fault and the location to be inserted.
• The artificial fault used in test case is called “Anomaly”
12
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
GTP Testing Tool: Test Case design
• It is based on a systematic generation of a very large number of protocol
messages (tens of thousands) containing exceptional elements simulating
the malicious attacks.
• A test case is in fact a signaling message containing at least one anomaly
or exceptional information element.
For example:
• A signaling message that contains multiple extension header
• A signaling message that contains repeated information element
• A signaling message that missed some information element
• A signaling message that contains unexpected information element
• A signaling message that some of information elements are out of
sequence
13
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Anomaly type VS. Location type
Anomaly Types
Location Type
Integer anomalies
Most effective when they are applied to
length fields especially when the
boundary values for integer fields are
known.
This type of anomalies is suitable with
the integer/length field that is less than 8
bits.
All possible integer values anomalies
Overflow anomalies
This type of anomaly should be applied
to the field that its size is not fixed (noctets)
Underflow anomalies
Applicable for all types
C-Style format string anomalies
14
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
They can be applied to the PDU fields
containing textual information such as
common names, telephone numbers,
domain names, and other alpha-numeric
strings.
Company Confidential
Example of test case
a) Overflow
Bits
Octets
Bits
Octets
8
7
6
5
4
3
2
1
2
3
4
5
6
7
8
1
1 (length)
PDCP PDU number
PDCP PDU number
Next Extension Header type
1
2
3
4
b) Underflow
Bits
Octets
1
2
3
4
5
6
7
8
9
10
11
12
15
© NOKIA
8 7
6
5
4
3
2
1
Version (001)
(1) (0)
(1)
(0)
(0)
Message Type Echo request (0x01)
Length (0x00)
Length (0x04)
TEID (0x00)
TEID (0x00)
TEID (0x00)
TEID(0x00)
Sequence Number (0x01)
Sequence Number (0x57)
N-PDU Number (0x00)
missing expected Information element
Presentation_Name.PPT / DD-MM-YYYY / Initials
Mandatory Part
Payload
Company Confidential
8
7
6
5
4
3
2
1 (length)
PDCP PDU number (0x00)
PDCP PDU number(0x00)
PDCP PDU number (0x00)
PDCP PDU number (0x00)
PDCP PDU number (0x00)
PDCP PDU number (0x00)
Next Extension Header type
1
Overflow
anomaly
Laboratory Environment
HLR
emulator
The testing tool simulates itself as a
GGSN network element
communicating with a tested SGSN
over Gn interface.
DNS
Gd:SS7
Iu:ATM
3G mobile phone& RNC
emulator
Other test equipments and network
elements are:
Gn:ethernet
Tested 3G-SGSN
Control PC
GTP testing tool:
GGSN
•Home Local Register (HLR)
emulator connected to SS7
interface (Gd interface).
•Domain Name Server connected to
IP backbone
•UE and RNC emulator connected
to ATM interface (Iu interface)
•Control PC connected to Ethernet
interface to control all tools in test
environment
16
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Test case injection process
The focus is not on the correctness or
conformance but on how the tested system
responses or behaves to such faulty
inputs,which could result in the situations
such as system crash, or hang or in denial
of service condition.
Gn
GTP-Testing Tool
3G-SGSN
Echo Request
Echo Response
Injecting test case
Echo Request
Echo Response
Time Interval =
100 ms
Verdict = "Pass",
if no response,
Verdict = "fail"
The test result can be evaluated by
determining if the tested SGSN is still
functioning.
After injecting a test case, the GTP testing
tool will send an "echo request" message to
the tested SGSN. If the tested SGSN
responses with an "echo-response"
message back to the GTP testing tool, it
means that it is still alive and then the GTP
testing tool will report the result of that test
case with "Pass” verdict.
Start injecting next test case
On the other hand, if the GTP testing tool
does not receive any response from the
tested SGSN within a certain period (until
Instrument Timeout), it will log the result of
that test case as "fail" verdict.
17
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Test Result
• From the test result, the first observation was that buffer overflows are the
major vulnerabilities in GTP protocol stack and often found in the
information element without specific length indication.
Bits
Octets
1
2
3
4-n
8
7
6
5
4
3
2
1
Type= 142 (decimal)
Length
Length
Trigger ID
a) Trigger ID information element
• The second observation was that if an information element turns out to be
vulnerability of one signaling message type, there is also a possibility that it
will be vulnerability in other signaling message types. This could happen by
calling the same library or re-using the same component containing the
security flaws.
•The last observation was that some system processes failed due to lack of
capability to control the system in such a stressful situation.
18
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Analysis
Knowledge of
Anomaly type VS. Location
Message
Type
Information
Element
Location
Test
Case
Anomaly
a) How the test cases are implemented
Test Plan
Test Design
Test Preparation&
Execution
Test Result
Vulnerability Type,
Anomaly Type,
&Location
Root Cause
b) How the result should be analyzed
19
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Develop Patch
Conclusion
Discover
Vulnerability
Get Alert and
install patch
• As an immediate effect, the GTP testing tool will promote a higher-quality
product, which is more reliable and stable in GPRS operations.
• For a long-term benefit, the software developers will eventually learn how to
avoid the security vulnerabilities; this is also promoting securityprogramming awareness in practice. Thus, the software security flaws will
be gradually reduced.
• However, the importance of software unit or module testing should not be
overlooked. Applying White-box testing technique such as code auditing or
code inspection techniques will definitely help decreasing the number of
vulnerabilities at the early stage of development.
20
© NOKIA
Presentation_Name.PPT / DD-MM-YYYY / Initials
Company Confidential
Download