(Is There) Motivation for VoIP Fuzzing
We (at PROTOS research) released our first free VoIP fuzzers in 2002, and were amazed by the success! Everyone seemed to immediately adapt them into their quality assurance and security assessment practices. Some people still use them!
We (at Codenomicon) simultaneously released a commercial fuzzer. A number of other security companies have also released their own versions, some good, but most of them worse than even the first original release by us (IMHO).
What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.
#1 Availability
A free open source fuzzer will be used by everyone. Provided the tool is easy to use, and easy to integrate in your processes, there is no reason not to use it.
#2 Requirements
After tools are used by end users of VoIP, the market creates a requirement for manufacturers to also use the tools. Carriers and service providers have done a good work at this.
#3 Poor consumers
Nobody cares for consumer products, or so it appears. Unfortunately there is no market requirement for testing consumer products.
#4 Open source projects
Let's face it, there is no test tool budget for FOSS (free open source software). Fortunately some government agencies and service providers depend on these products, and sometimes contract people to test some of them.
#5 Coverage
Interesting studies on fuzzer coverage are mostly ignored by the industry. This might be due to bad requirements from the customers, i.e. if any fuzzer will do, then the cheapest is used.
#6 Disclosure
Vulnerability disclosure has no influence on fuzzer usage. Free testing is free testing. When other people fuzz the product, and report problems, people think that the work is done for them.
#7 Forums have failed
Quality assurance forums have not yet found security testing. Security forums do not care for tools, but are services driven.
#8 Certification
Almost all certification efforts are commercially driven, and do not provide an open forum where the differences between fuzzing techniques can be discussed. Participation in expensive and closed. All certification efforts have failed. People shop for easiest certification levels, not the best ones.
#9 Metrics
There are no accepted metrics for fuzzing.
#10 Processes
Who should do fuzzing, and when. Nobody knows.
So what is the status of VoIP fuzzing today? It is still an emerging business where the key driver for adaptation is responsibility of the actors involved. You do not need to do it, but if you do then the results will be extremely positive. Fuzzing provides a competitive edge that you do not necessarily want to share with your competitors.
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
I started up a recent
I started up a recent Fuzzing project that was used to target Asterisk, the Open Source PBX. Well, the fuzzer worked out quite well. I was able to test the foremost portion of the IAX protocol stack within a day. By day two I was spending most of my time parsing gigs of logs and back traces. No human could do this without fuzzing. No exceptions.Currently and unfortunately Digium does not understand the inevitable requirement of Asterisk having a Secured SDLC. I have to agree with you concerning that consumer products usually receive less security testing. Well, how many businesses run Asterisk right now? Should they expect to have Secure Code?
voip 0day
Digium definitely touches
Digium definitely touches many of the points I made in the original post as it is kind-of free and kind-of open source. Motivation for a QA budget can be problematic when you cannot really show any return for the investment (i.e. more sales).Linkbit fuzzing tool
Ari,One of our customers asked for H.248 fuzzer, as it's not covered by PROTOS tool. Can I contact you over email?