We (at PROTOS research) released our first free VoIP fuzzers in 2002, and were amazed by the success! Everyone seemed to immediately adapt them into their quality assurance and security assessment practices. Some people still use them!
We (at Codenomicon) simultaneously released a commercial fuzzer. A number of other security companies have also released their own versions, some good, but most of them worse than even the first original release by us (IMHO).
What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.
#1 Availability
A free open source fuzzer will be used by everyone. Provided the tool is easy to use, and easy to integrate in your processes, there is no reason not to use it.
#2 Requirements
After tools are used by end users of VoIP, the market creates a requirement for manufacturers to also use the tools. Carriers and service providers have done a good work at this.
#3 Poor consumers
Nobody cares for consumer products, or so it appears. Unfortunately there is no market requirement for testing consumer products.
#4 Open source projects
Let's face it, there is no test tool budget for FOSS (free open source software). Fortunately some government agencies and service providers depend on these products, and sometimes contract people to test some of them.
#5 Coverage
Interesting studies on fuzzer coverage are mostly ignored by the industry. This might be due to bad requirements from the customers, i.e. if any fuzzer will do, then the cheapest is used.
#6 Disclosure
Vulnerability disclosure has no influence on fuzzer usage. Free testing is free testing. When other people fuzz the product, and report problems, people think that the work is done for them.
#7 Forums have failed
Quality assurance forums have not yet found security testing. Security forums do not care for tools, but are services driven.
#8 Certification
Almost all certification efforts are commercially driven, and do not provide an open forum where the differences between fuzzing techniques can be discussed. Participation in expensive and closed. All certification efforts have failed. People shop for easiest certification levels, not the best ones.
#9 Metrics
There are no accepted metrics for fuzzing.
#10 Processes
Who should do fuzzing, and when. Nobody knows.
So what is the status of VoIP fuzzing today? It is still an emerging business where the key driver for adaptation is responsibility of the actors involved. You do not need to do it, but if you do then the results will be extremely positive. Fuzzing provides a competitive edge that you do not necessarily want to share with your competitors.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
I started up a recent
I started up a recent Fuzzing project that was used to target Asterisk, the Open Source PBX. Well, the fuzzer worked out quite well. I was able to test the foremost portion of the IAX protocol stack within a day. By day two I was spending most of my time parsing gigs of logs and back traces. No human could do this without fuzzing. No exceptions.Currently and unfortunately Digium does not understand the inevitable requirement of Asterisk having a Secured SDLC. I have to agree with you concerning that consumer products usually receive less security testing. Well, how many businesses run Asterisk right now? Should they expect to have Secure Code?
voip 0day
Digium definitely touches
Digium definitely touches many of the points I made in the original post as it is kind-of free and kind-of open source. Motivation for a QA budget can be problematic when you cannot really show any return for the investment (i.e. more sales).Linkbit fuzzing tool
Ari,One of our customers asked for H.248 fuzzer, as it's not covered by PROTOS tool. Can I contact you over email?