October 02, 2008, 1:22 PM — As I've mentioned in an earlier post, VoIP is a fascinating topic for security researchers. It comes with a number of very interesting interfaces and protocols for both signaling and media. It is loaded with funny intermediary devices that do peculiar things to the communications. And finally, almost nobody knows how it all works together -- a dream for technical people that enjoy taking things apart, peeking under the hood, and poking around to see what makes it tick (or crash).
Fuzzing VoIP is exactly that: playing with complex message sequences, structures, and data types. Combining past security knowledge such as applying overflow and SQL strings to the text-based protocols and carefully constructed ASN.1 structures to the binary protocols. Sometimes this requires a bit of reverse-engineering of both the protocols and network architectures. But the result is almost always just what the researchers want: A nice, juicy zero-day vulnerability. (For more on VoIP fuzzing read "(Is There) Motivation for VoIP Fuzzing")
One would think that VoIP vendors would have learned something during these past six or seven years of VoIP fuzzing. But no, there still are people who don't really understand why these people torment them with a constant flow of crash level failures and proof-of-concept exploits. They keep on wasting huge amounts of money and resources on snake-oil solutions that don't do what the attractive marketing materials claim these security products should do.
Some people still live in a dream world of static analysis, loaded with nightmare projects of fixing false positives and and are surprised by the number of false negatives. A false positive is basically a programming construct that is definitely bad coding but does not pose any real security threat to the product. A false negative is a flaw left uncaught, and later discovered by these security researchers. To me it still seems like the security market is like a horse race. And, as always, most people are betting all their money on the wrong horse.
So what is the solution then?
A Free Fuzzing Book (no strings attached)
I promised to do a draw of my latest book on fuzzing by end of last month, but today decided to extend that by couple of days to give the readers of ITworld also a chance to win a copy. For more information, see http://www.codenomicon.com/fuzzing-book/.