3G-GPRS, GTP Robustness Testing - PowerPoint PPT Presentation

Slides: 21
Provided by: chom2
1
3G-GPRS, GTP Robustness Testing
  • Supervisor: Professor Timo Korhonen
  • Instructor: Mika J Virtanen
  • Thesis worker: Nitayaruk Chomchuen

3G-SGSN
2
Contents
  • Security Issues in Communication systems
  • GTP Robustness Testing
  • Testing technique and Test Case design
  • Test Results
  • Analysis
  • Conclusion

3
Objectives
  • This thesis is written in LEKA 2 project, IP
    Mobility Network, Mobile Packet Core department.
  • The objectives of this project are to evaluate the
    ability of GTP to tolerate unexpected input
    events and stressful environment conditions, and
    to discover software vulnerabilities that
    may lead to security attacks, in the early phase of
    development.
  • It is a new functional method for assessing
    Protocol Implementation Security. The testing
    tool used in this project is developed by
    Codenomicon Oy.

4
Security issues in IP-based network
  • As lessons learned from the Internet, the rate of
    security attacks doubles every year. Such
    attacks include worms, viruses, password sniffers,
    Denial of Service, Distributed Denial of
    Service, etc.
  • To attack an IP-based network today, an intruder
    may not need in-depth technical knowledge. As
    attack tools and techniques are widely
    available on the Internet, an Internet
    search engine can make things even easier.
  • Trends in attack tools: automation, faster
    vulnerability discovery, and being hard to
    detect.

5
Enhancing security with Secure Protocol
  • IP Protocol was not designed with security in
    mind.
  • Many secure protocols based on authentication and
    encryption mechanisms are introduced with
    intention to enhance the security in the IP-based
    network.
  • Ironically, these secure protocols can also
    contain vulnerabilities.

IPsec, SSH, SSL?
Examples of Secure Protocol Vulnerability (CERT)
  • CA-2003-26 Multiple Vulnerabilities in
    SSL/TLS Implementations
  • CA-2000-18 PGP May Encrypt Data With
    Unauthorized ADKs
  • CA-1999-15 Buffer Overflows in SSH daemon and
    RSAREF2 Library

6
Causes of the system vulnerabilities
  • Flaws in Design/Architecture: poor design caused
    by lack of expertise of the designers
  • Flaws in Implementation: caused by programming
    mistakes
  • Flaws in Operation: caused by operating with the
    minimum-security setting

7
Weaknesses in how software or protocols are implemented
  • Basic programming mistakes can lead to serious
    security violations.
  • The mistakes arise in various ways:
      • failure to verify the validity of input
      • use of an insecure library function
      • use of a function in an insecure way

  Software Security
Vulnerabilities and Results
8
Weaknesses in how software or protocols are implemented (2)
  • To solve this problem, software developers
    should implement the software in a secure manner.
  • Secure Programming is a good start. However, the
    effectiveness of secure programming depends on
    the effort and knowledge of the software developers.
  • Therefore, a method of assessing the quality of
    software code from a security point of view is
    necessary.

9
3G-GPRS System Overview
  • General Packet Radio System (GPRS) uses
    packet-mode techniques to transfer the users'
    data and signaling in an efficient manner.
  • The two main network elements in a GPRS network are:
      • Serving GPRS Support Node (SGSN): keeps track of
        the location of an individual MS and performs
        security functions and access control
      • Gateway GPRS Support Node (GGSN): provides
        internetworking with packet data networks. It is
        also connected with SGSNs via an IP-based
        network.

10
GTP Robustness Testing
  • GTP is the main protocol used in the GPRS backbone
    for handling signaling messages and
    end-user data between GPRS support nodes
    (i.e. SGSN and GGSN) in GPRS networks.
  • The objectives of this testing are to enhance the
    efficiency of finding hidden vulnerabilities and
    to exercise GTP from a security perspective.
  • GTP Robustness testing is a functional testing
    method using the Fault Injection Technique.

11
Fault Injection Technique Overview
  • The fault injection technique has been applied to
    safety-critical systems, where failure and
    downtime have become more severe: for example,
    aircraft flight control, nuclear reactor
    monitoring, medical life support, etc.
  • The objectives of applying this technique are to
    study the system in the presence of faults,
    unusual system events, or malicious attack,
    and to monitor the system's subsequent response
    in each case.
  • This technique was first applied in the hardware
    testing field, for example by injecting
    artificial faults into printed circuit
    boards and then observing whether the result
    was a short circuit or a broken device.
  • Today this technique is also used in the software
    testing field, by injecting malicious code into
    the software and observing how the software
    behaves.

Fault or Invalid Input
System Under test
12
Applying Fault Injection technique to Software Security Testing
  • It can turn into a security assessment tool by
    injecting faults or inputting values that are
    known to be problematic or that can be used by
    intruders to attack the system.
  • Thus, the effectiveness and efficiency of this
    testing tool depend on how the test cases are
    implemented: the fault and the location where it
    is inserted.
  • The artificial fault used in a test case is called
    an Anomaly.

13
GTP Testing Tool Test Case design
  • It is based on the systematic generation of a very
    large number of protocol messages (tens of
    thousands) containing exceptional elements
    that simulate malicious attacks.
  • A test case is in fact a signaling message
    containing at least one anomaly or exceptional
    information element.
  • For example:
      • A signaling message that contains multiple
        extension headers
      • A signaling message that contains a repeated
        information element
      • A signaling message that is missing some
        information element
      • A signaling message that contains an unexpected
        information element
      • A signaling message in which some information
        elements are out of sequence
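
The information-element anomalies listed above, seen from the receiving side (an added example, not part of the original presentation or of the Codenomicon tool): a bounds-checked GTPv1 information-element walker that names each anomaly instead of trusting the message. The IE size table is a small subset, extension headers are not parsed, and the MANDATORY/ALLOWED profile, the `build` helper and the sample IEs are constructed for illustration.

```python
import struct

# TV-format IEs (type < 128) have no length field; size comes from this table.
TV_LEN = {1: 1, 2: 8, 14: 1, 16: 4, 17: 4, 20: 1}   # subset of GTPv1 IE types
MANDATORY = {16, 20}                      # hypothetical profile for this example
ALLOWED = MANDATORY | {2, 14, 17, 131}    # 131 = APN (TLV format)

def parse_ies(body):
    """Walk the IE area with bounds checks; return (ie_types, findings)."""
    types, off = [], 0
    while off < len(body):
        t = body[off]
        if t < 128:
            if t not in TV_LEN:           # size unknown: cannot skip safely
                return types, [f"unknown TV IE {t}, parsing stopped"]
            start, n = off + 1, TV_LEN[t]
        else:                             # TLV: 2-byte length follows the type
            if off + 3 > len(body):
                return types, [f"IE {t} length field truncated"]
            start, n = off + 3, struct.unpack_from("!H", body, off + 1)[0]
        if start + n > len(body):         # declared size overruns the message
            return types, [f"IE {t} overruns message"]
        types.append(t)
        off = start + n
    return types, []

def validate(msg):
    """Return the anomalies found in one GTPv1 signalling message."""
    if len(msg) < 8:
        return ["short header"]
    flags, _mtype, length, _teid = struct.unpack_from("!BBHI", msg)
    out = [] if flags >> 5 == 1 else ["not GTP version 1"]
    if length != len(msg) - 8:
        out.append("length field does not match payload")
    opt = 4 if flags & 0x07 else 0        # seq/N-PDU/next-ext present if E, S or PN
    types, findings = parse_ies(msg[8 + opt:])
    out += findings
    out += [f"repeated IE {t}" for t in sorted(set(types)) if types.count(t) > 1]
    out += [f"unexpected IE {t}" for t in sorted(set(types) - ALLOWED)]
    out += [f"missing mandatory IE {t}" for t in sorted(MANDATORY - set(types))]
    if types != sorted(types):
        out.append("IEs out of sequence")
    return out

def build(ies, flags=0x32, mtype=16):     # constructed sample-message builder
    body = struct.pack("!HBB", 1, 0, 0) + b"".join(ies)
    return struct.pack("!BBHI", flags, mtype, len(body), 0) + body

TEID_D, NSAPI = b"\x10" + bytes(4), b"\x14\x05"   # constructed sample IEs
GOOD = build([TEID_D, NSAPI, b"\x83\x00\x03abc"])
```

A TV-format IE of unknown type ends the walk because nothing in the message says how many bytes to skip.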

14
Anomaly type VS. Location type
15
Example of test case
a) Overflow
b) Underflow
16
Laboratory Environment
  • The testing tool presents itself as a GGSN
    network element communicating with a tested SGSN
    over the Gn interface.
  • Other test equipment and network elements are:
      • Home Local Register (HLR) emulator connected to
        the SS7 interface (Gd interface)
      • Domain Name Server connected to the IP backbone
      • UE and RNC emulator connected to the ATM interface
        (Iu interface)
      • Control PC connected to the Ethernet interface to
        control all tools in the test environment

17
Test case injection process
The focus is not on correctness or conformance
but on how the tested system responds or behaves
when given such faulty inputs, which could result
in situations such as a system crash, a hang, or a
denial of service condition.

The test result is evaluated by determining
whether the tested SGSN is still functioning. After
injecting a test case, the GTP testing tool sends
an "echo request" message to the tested SGSN. If
the tested SGSN responds with an "echo response"
message, it is still alive, and the GTP testing
tool reports the result of that test case with a
"pass" verdict. On the other hand, if the GTP
testing tool does not receive any response from
the tested SGSN within a certain period (until
Instrument Timeout), it logs the result of that
test case as a "fail" verdict.
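
The pass/fail decision described above, written out as an added example (not the testing tool's own code): a GTPv1 echo probe with a deadline that ignores stale or foreign replies. `loopback_node` and `demo` are constructed stand-ins so the block runs offline; the sequence number and timeout values are assumptions.

```python
import socket, struct, threading, time

ECHO_REQUEST, ECHO_RESPONSE = 1, 2        # GTP message types

def echo_request(seq):
    # flags 0x32 = version 1, PT=1, S=1; length 4 = seq + N-PDU + next-ext bytes
    return struct.pack("!BBHIHBB", 0x32, ECHO_REQUEST, 4, 0, seq, 0, 0)

def is_echo_response(data, seq):
    if len(data) < 12:
        return False
    flags, mtype, _len, _teid, rseq = struct.unpack_from("!BBHIH", data)
    return flags >> 5 == 1 and mtype == ECHO_RESPONSE and rseq == seq

def verdict(sock, target, seq, timeout):
    """Probe target after a test case: 'pass' if it answers in time, else 'fail'."""
    deadline = time.monotonic() + timeout
    sock.sendto(echo_request(seq), target)
    while (left := deadline - time.monotonic()) > 0:
        sock.settimeout(left)
        try:
            data, addr = sock.recvfrom(2048)
        except (socket.timeout, ConnectionError):
            break
        if addr == target and is_echo_response(data, seq):
            return "pass"                 # stale or foreign replies are ignored
    return "fail"

def loopback_node(alive):
    """Constructed stand-in for the tested node: answers one echo only if alive."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        data, peer = srv.recvfrom(2048)
        if alive:                         # reply = same header, type set to response
            srv.sendto(data[:1] + bytes([ECHO_RESPONSE]) + data[2:], peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def demo(alive):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return verdict(s, loopback_node(alive), seq=7, timeout=0.5)
```

Matching the sequence number keeps a late response to an earlier probe from being counted as proof that the node survived the current test case.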
18
Test Result
  • From the test results, the first observation was
    that buffer overflows are the major
    vulnerabilities in the GTP protocol stack and are
    often found in information elements without a
    specific length indication.

a) Trigger ID information element
  • The second observation was that if an
    information element turns out to be a vulnerability
    in one signaling message type, there is also a
    possibility that it will be a vulnerability in
    other signaling message types. This could happen
    through calling the same library or re-using the
    same component containing the security flaws.
  • The last observation was that some system
    processes failed due to a lack of capability to
    control the system in such a stressful situation.

19
Analysis
a) How the test cases are implemented
b) How the result should be analyzed
20
Conclusion
  • As an immediate effect, the GTP testing tool will
    promote a higher-quality product, which is more
    reliable and stable in GPRS operations.
  • As a long-term benefit, software developers
    will eventually learn how to avoid security
    vulnerabilities; this also promotes
    security-programming awareness in practice. Thus,
    software security flaws will be gradually
    reduced.
  • However, the importance of software unit or
    module testing should not be overlooked. Applying
    White-box testing techniques such as code auditing
    or code inspection will definitely
    help decrease the number of vulnerabilities at
    the early stage of development.