Challenges in Fuzzing RFC 1149

Greg McLearnCommon Criteria, Humour

Conan Hoye and Greg McLearn contributed to this article.

At Lightship, we test a lot of NDcPP-compliant products. As part of those evaluations, we are required, as per Appendix A in the Supporting Document, to perform network fuzzing against the in-scope IP networking stacks. Recently we had a rather unique TOE which claimed conformance against RFC 1149 for one of their remote management interfaces.

Lightship was more concerned about fuzzing the delivery mechanism rather than the datagram content itself. This particular TOE implemented two main variants of the protocol: the more typical homing implementation as well as the less common round-robin implementation. We were generally unsurprised that increased aerodynamic drag from direct fuzzing attempts resulted in protocol failure, even with the TOE’s highly conservative timeout.

Direct fuzzing attempts.

The evaluators also considered generational- and mutation-based fuzzing approaches, but ultimately rejected them due to the amount of time required to adequately conduct testing.

Falling back to RFC 1149 the testers noted that the carrier was adversely affected by environmental conditions, though in hindsight, conducting such experiments within the Lightship Security test laboratory was probably not the best. We became coated in our fuzzing attempts and needed a shower.

Fuzz-testing RFC 1149-conformant implementations are best done in a non-production lab.

During the course of the setup of the protocol we noted a few repeating issues:

  • Common Linux distros failed to load while the protocol was being tested.  We determined that this was due to the bootloader being eaten.
  • Microsoft operating systems in the vicinity had a similar issue where carriers would repeatedly strike the OS in an attempt to get to a specific destination.

Finally, during our experiments, it was discovered that the carrier could be spoofed offering attackers the ability to inject arbitrary datagrams. Confidentiality and integrity of the underlying data was adequately protected by cryptography, though the stack was spectacularly prone to denial of service attacks.

 

Talk to Lightship Security about how we can help fuzz-test your unique products.

Greg McLearn is Lightship’s Technical Director. He has been doing Common Criteria and security certifications for 10+ years and enjoys getting his hands on some of the latest technology. He has authored several tools to help facilitate security testing.