We (at PROTOS research) released our first free VoIP fuzzers in 2002, and were amazed by the success! Everyone seemed to immediately adapt them into their quality assurance and security assessment practices. Some people still use them!
We (at Codenomicon) simultaneously released a commercial fuzzer. A number of other security companies have also released their own versions, some good, but most of them worse than even the first original release by us (IMHO).
What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.
#1 Availability
A free open source fuzzer will be used by everyone. Provided the tool is easy to use, and easy to integrate in your processes, there is no reason not to use it.
#2 Requirements
After tools are used by end users of VoIP, the market creates a requirement for manufacturers to also use the tools. Carriers and service providers have done a good work at this.
#3 Poor consumers
Nobody cares for consumer products, or so it appears. Unfortunately there is no market requirement for testing consumer products.
#4 Open source projects
Let's face it, there is no test tool budget for FOSS (free open source software). Fortunately some government agencies and service providers depend on these products, and sometimes contract people to test some of them.
#5 Coverage
Interesting studies on fuzzer coverage are mostly ignored by the industry. This might be due to bad requirements from the customers, i.e. if any fuzzer will do, then the cheapest is used.
#6 Disclosure
Vulnerability disclosure has no influence on fuzzer usage. Free testing is free testing. When other people fuzz the product, and report problems, people think that the work is done for them.
#7 Forums have failed
Quality assurance forums have not yet found security testing. Security forums do not care for tools, but are services driven.
#8 Certification
Almost all certification efforts are commercially driven, and do not provide an open forum where the differences between fuzzing techniques can be discussed. Participation in expensive and closed. All certification efforts have failed. People shop for easiest certification levels, not the best ones.
#9 Metrics
There are no accepted metrics for fuzzing.
#10 Processes
Who should do fuzzing, and when. Nobody knows.
So what is the status of VoIP fuzzing today? It is still an emerging business where the key driver for adaptation is responsibility of the actors involved. You do not need to do it, but if you do then the results will be extremely positive. Fuzzing provides a competitive edge that you do not necessarily want to share with your competitors.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
I started up a recent
I started up a recent Fuzzing project that was used to target Asterisk, the Open Source PBX. Well, the fuzzer worked out quite well. I was able to test the foremost portion of the IAX protocol stack within a day. By day two I was spending most of my time parsing gigs of logs and back traces. No human could do this without fuzzing. No exceptions.Currently and unfortunately Digium does not understand the inevitable requirement of Asterisk having a Secured SDLC. I have to agree with you concerning that consumer products usually receive less security testing. Well, how many businesses run Asterisk right now? Should they expect to have Secure Code?
voip 0day
Digium definitely touches
Digium definitely touches many of the points I made in the original post as it is kind-of free and kind-of open source. Motivation for a QA budget can be problematic when you cannot really show any return for the investment (i.e. more sales).Linkbit fuzzing tool
Ari,One of our customers asked for H.248 fuzzer, as it's not covered by PROTOS tool. Can I contact you over email?