Perimeta session border controller tested to resist “fuzzing” attacks
The move to all-IP networking from proprietary telecom technologies helps service providers reach more people, on more devices, more quickly than ever before. However, there's a tradeoff: securing IP networks can be incredibly challenging. The broad move to VoIP-based communications (the widespread use of SIP, for example) has opened the door not only to the standard volumetric attacks but also to "fuzzing" attacks.
Fuzzing was developed as a software testing technique to help find implementation bugs; a "black box" would inject random or malformed data into a program in an automated fashion to see how the program reacted. It's literally a sped-up way of using trial and error to see what vulnerabilities exist in a program or, as Wired put it, "poking at a machine and watching what happens."
There are a few classic types of vulnerabilities that can be exposed by "fuzzing" packets in an IP environment.
- Buffer Overflows: where a process tries to store more information in memory than it has been allocated. This means the information of other processes is overwritten, causing the system to crash or increasing the likelihood that it will become vulnerable to takeover.
- Format String Vulnerability: where a program writes information to a buffer without first correctly checking the format. This, too, can lead to system crashes, or a takeover of the device.
- Integer Overflow: a simpler form of buffer overflow. These are simpler to execute, requiring only that large numbers be included in the fuzzing packet.
- Endless Loops and Logic Errors: where specific packets can be crafted to exploit underlying bugs in the structure of the application that is dealing with them. These bugs can lead to memory leaks, a spike in CPU consumption and outright crashes in the overall system.
Of course, attackers know this well, and they now commonly use SIP as an interface for fuzzing attacks on telecom network devices. Therefore, session border controllers (SBCs), as security devices for VoIP, need to have protection from fuzzing attacks as one of their most basic requirements.
Also, like anything security-related, this is an ongoing process. It is critical that SBC vendors continually verify their devices against fuzzing attacks. This needs to be a broad process, too, using a combination of industry-leading third-party tools and homegrown ones.
With the Perimeta SBC, Metaswitch has worked extensively to ensure that it resists SIP fuzzing attacks. Beyond the work we’ve done ourselves, we are always on the lookout for opportunities to test ourselves against the best in the industry. That's why we’ve worked with Synopsys (formerly Codenomicon) to perform random SIP fuzzing attacks on Perimeta.
We designed and executed a test plan with Synopsys, testing for several things, including:
- General anomalies: SIP-specific anomalies such as missing or repeated headers and out-of-sequence protocol messages.
- Text anomalies: unusual whitespace and delimiter characters and extreme number values.
- Format strings: using format specifiers in protocol messages (e.g. %s, %9999d, etc.).
- Character anomalies: non-ASCII characters.
- Network address anomalies: invalid or unexpected IP addresses.
- Code injection: where code fragments (e.g. SQL) are added to protocol messages.
- Underflow anomalies: incomplete or missing fragments within protocol messages.
- Overflow anomalies: attempts to overflow fragments within protocol messages.
- Combined anomalies: any combination of the above.
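As an added illustration (not Metaswitch or Synopsys code), the sketch below shows how an edge device could screen an inbound SIP request for several of the anomaly classes listed above before it reaches the full parser. The category names mirror the list; the size limits, the required-header set (taken from RFC 3261) and the sample message are assumptions made for the example.

```python
import re

# Assumed limits for this sketch; tune to your deployment.
MAX_LINE = 1024                 # longest start line or header line accepted
MAX_NUMBER = 2**31 - 1          # largest numeric token accepted
REQUIRED = {"via", "to", "from", "call-id", "cseq", "max-forwards"}  # RFC 3261 8.1.1
SINGLETON = (REQUIRED - {"via"}) | {"content-length"}   # must not repeat
FORMAT_SPEC = re.compile(rb"%\d*[sdnxp]")  # note: can also hit some %XX escapes
NUMBER = re.compile(rb"\d+")

def classify(raw: bytes) -> set:
    """Return the anomaly classes (named after the test-plan list) found in raw."""
    found = set()
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        found.add("underflow")                      # header block never terminated
    lines = head.split(b"\r\n")
    if not re.fullmatch(rb"[A-Z]+ \S+ SIP/2\.0", lines[0]):
        found.add("general")                        # malformed request line
    counts, declared = {}, None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        if not colon or not key:
            found.add("general")                    # not a "Name: value" header
            continue
        counts[key] = counts.get(key, 0) + 1
        if key == "content-length" and value.strip().isdigit():
            declared = value.strip()
    if REQUIRED - set(counts) or any(counts.get(h, 0) > 1 for h in SINGLETON):
        found.add("general")                        # missing or repeated header
    if any(len(line) > MAX_LINE for line in lines):
        found.add("overflow")
    if FORMAT_SPEC.search(head):
        found.add("format_string")
    if any(b > 0x7E or (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) for b in head):
        found.add("character")                      # non-ASCII or control byte
    if any(len(n) > 10 or int(n) > MAX_NUMBER for n in NUMBER.findall(head)):
        found.add("text")                           # extreme number value
    if declared and len(declared) <= 10 and int(declared) > len(body):
        found.add("underflow")                      # body shorter than declared
    return found

# Constructed sample request, not captured traffic.
VALID = (b"OPTIONS sip:bob@example.com SIP/2.0\r\n"
         b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample1\r\n"
         b"Max-Forwards: 70\r\nTo: <sip:bob@example.com>\r\n"
         b"From: <sip:alice@example.com>;tag=a1\r\nCall-ID: c1@192.0.2.10\r\n"
         b"CSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n")
```

A message that returns an empty set has only passed this coarse screen; a message that returns several classes at once corresponds to the "combined anomalies" item.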
In our desire to measure and remeasure our SBC's effectiveness, we have performed over 2 million individual fuzzing tests against a wide range of device and network configurations. (That's a lot of "poking" and "watching.") We have even altered the underlying transport protocol of the attack to maximize the coverage of the testing.
Along the way, Perimeta has validated its security robustness over and over again, which is why it is one of the industry's leading SBCs, trusted by some of the world's largest service providers.
For full details of the testing we have done, and what it means to you, please contact your Metaswitch Sales Representative.

Senior Product Line Management, SIP Trunking and Hosted PBX