Recent blog posts

(Is There) Motivation for VoIP Fuzzing

By Ari Takanen  4 comments

September 04, 2008, 3:06 AM We (at PROTOS research) released our first free VoIP fuzzers in 2002, and were amazed by the success! Everyone seemed to immediately adapt them into their quality assurance and security assessment practices. Some people still use them!

We (at Codenomicon) simultaneously released a commercial fuzzer. A number of other security companies have also released their own versions, some good, but most of them worse than even the first original release by us (IMHO).

What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.

#1 Availability

A free open source fuzzer will be used by everyone. Provided the tool is easy to use, and easy to integrate in your processes, there is no reason not to use it.

#2 Requirements

After tools are used by end users of VoIP, the market creates a requirement for manufacturers to also use the tools. Carriers and service providers have done a good work at this.

#3 Poor consumers

Nobody cares for consumer products, or so it appears. Unfortunately there is no market requirement for testing consumer products.

#4 Open source projects

Let's face it, there is no test tool budget for FOSS (free open source software). Fortunately some government agencies and service providers depend on these products, and sometimes contract people to test some of them.

#5 Coverage

Interesting studies on fuzzer coverage are mostly ignored by the industry. This might be due to bad requirements from the customers, i.e. if any fuzzer will do, then the cheapest is used.

#6 Disclosure

Vulnerability disclosure has no influence on fuzzer usage. Free testing is free testing. When other people fuzz the product, and report problems, people think that the work is done for them.

#7 Forums have failed

Quality assurance forums have not yet found security testing. Security forums do not care for tools, but are services driven.

#8 Certification

Almost all certification efforts are commercially driven, and do not provide an open forum where the differences between fuzzing techniques can be discussed. Participation in expensive and closed. All certification efforts have failed. People shop for easiest certification levels, not the best ones.

#9 Metrics

There are no accepted metrics for fuzzing.

#10 Processes

Who should do fuzzing, and when. Nobody knows.

So what is the status of VoIP fuzzing today? It is still an emerging business where the key driver for adaptation is responsibility of the actors involved. You do not need to do it, but if you do then the results will be extremely positive. Fuzzing provides a competitive edge that you do not necessarily want to share with your competitors.

4 comments

    mbt
    mbt 2 years ago
    Nice blogpost, good looking website, added it to my favs.mbt shoes
    mbt shoe
    mbt sale
    Cheap mbt shoes
    mbtmbt shoes salembt anti shoescheap mbt shoesmbt LamiCheap Timberland Bootscheap timberland classic bootskids timberland bootsTimberland
    timberland boot
    Timberland Bootstimberland boots cheaptimberland boots for cheap
    timberland boots for kids
    timberland boots for men
    timberland boots for saletimberland boots for women
    timberland boots men
    timberland boots on sale
    timberland boots uk
    Timberland ClassicTimberland Mens 6 InchTimberland Mens ChukkaTimberland Mens Customtimberland shoes
    timberland uk
    timberland women boots
    Timberland Work Boots
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    Ari,One of our customers asked for H.248 fuzzer, as it's not covered by PROTOS tool. Can I contact you over email?
    Flag comment  |  Permalink Reply
    Anonymous 3 years ago
    I started up a recent Fuzzing project that was used to target Asterisk, the Open Source PBX. Well, the fuzzer worked out quite well. I was able to test the foremost portion of the IAX protocol stack within a day. By day two I was spending most of my time parsing gigs of logs and back traces. No human could do this without fuzzing. No exceptions.Currently and unfortunately Digium does not understand the inevitable requirement of Asterisk having a Secured SDLC. I have to agree with you concerning that consumer products usually receive less security testing. Well, how many businesses run Asterisk right now? Should they expect to have Secure Code?voip 0day
    Flag comment  |  Permalink Reply
    Ari Takanen
    Ari Takanen 3 years ago in reply to Anonymous
    Digium definitely touches many of the points I made in the original post as it is kind-of free and kind-of open source. Motivation for a QA budget can be problematic when you cannot really show any return for the investment (i.e. more sales).
    Flag comment  |  Permalink Reply

      Add a comment

      Post a comment using one of these accounts
      Or join now
      At least 6 characters

      Note: Comment will appear soon after you have activated your account.
      Obscene/spam comments will be removed and accounts suspended.
      The information you submit is subject to our Privacy Policy and Terms of Service.

      ITworld LIVE

      SecurityWhite Papers & Webcasts

      White Paper

      Overcome Top 7 Admin Challenges of Active Directory

      As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable, enforceable processes that reduces administrative overhead and enables robust, customizable reporting and auditing capabilities. Brought to you by NetIQ.

      White Paper

      Insiders Can Ruin Your Company. Take Action.

      Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in organizations worldwide. This white paper from NetIQ, discusses key technology solutions that help to prevent and detect insider threats.

      White Paper

      Top Solutions and Tools to Prevent Devastating Malware

      Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring (FIM) tools that provide immediate alerts. This white paper has been brought to you by NetIQ, the leader in solving complex IT challenges.

      White Paper

      Streamline Compliance and Increase ROI

      Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will help your business gain the maximum return on investment possible while aligning your compliance programs.

      White Paper

      X-Ray of the PCI Process-4 Proactive Steps

      This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into creating a compliant and secure IT environment. Follow these four proactive steps now before your next audit. Brought to you by NetIQ.

      See more White Papers | Webcasts

      Answers - Powered by ITworld

      ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

      Join Now

      New questions

      How to distribute apps to mobile employees?
      3 answers
      Why do VoIP calls over WiFi still get counted as "minutes used" by mobile providers?
      0 answers
      Which is better for password security, length or complexity?
      2 answers
      What are the chances that the cloud will kill off the PC?
      2 answers
      Where can I find tech services providers that focus on really small businesses?
      0 answers
      View more questions

      Ask a question

      Join Now or Sign In to ask a question.
      Ask a Question