Interesting background about my Kamailio SIP fuzzing project.
Several people asked me to provide some background about my Kamailio SIP fuzzing project. Therefore I will describe in two posts my motivation and the setup that I used to find several security vulnerabilities in the Kamailio code base.
In this (first) post I will describe my motivation and share the presentation that I did at the Kamailio World conference 2018. I will also link the results that I had so far with my research.
In the second post I will describe my new parallel fuzzing setup in more detail; you can find it here.
Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions, or for finding potential memory leaks. More information can be found, e.g., in the Wikipedia article.
IT security has always been one of the areas that interested me, starting at university when I read several cryptography books by Bruce Schneier. It was also (together with software engineering) one of my favorite areas at university.
I have been interested in trying fuzzing as a testing technique for several years. In the past years I saw several presentations about the good results that can be achieved with it, especially with structured protocols (e.g. SIP). But it took some time until I was able to start a project related to this. Finally, in October 2017 I started looking more into fuzzing Kamailio, with the goal of eventually presenting my results at the Kamailio World conference 2018.
I think it helps a lot to have a fixed date to actually start something new. This preparation work (and also just the fuzzing iterations) needed some time until it produced the first results. Thankfully I was lucky to actually find some issues some weeks before the Kamailio World conference, which I presented there.
There are several different tools that can be used for software fuzzing. I chose the well-known afl (american fuzzy lop) tool. From its home page: "This tool employs a novel type of compile-time instrumentation and "genetic" algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code." More information can be found at the afl home page.
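To make the coverage-guided idea from that quote concrete, here is an added toy example in Python; it is not code from this post, from Kamailio or from afl. A constructed SIP request parser with manual branch instrumentation stands in for afl's compile-time instrumentation, a byte-level mutator produces the invalid and unexpected inputs, and the loop keeps only mutants that reach new branches and records any exception other than a clean rejection, which is how the toy parser's unchecked request line surfaces as an IndexError. The parser, the coverage ids and the seed INVITE are all constructed for illustration.

```python
import random
cov = set()  # branches hit by the last run; stands in for afl's compile-time instrumentation
def parse_sip(data: bytes) -> dict:
    """Constructed toy SIP request parser (not Kamailio's) used as the fuzz target."""
    head, _, body = data.decode("latin-1").partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    cov.add("reqline")
    method, uri, version = parts[0], parts[1], parts[2]  # IndexError on a short request line
    if not version.startswith("SIP/"):
        cov.add("bad_version"); raise ValueError("bad version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            cov.add("no_colon"); raise ValueError("header without colon")
        headers[name.strip().lower()] = value.strip()
        cov.add("hdr_" + name.strip().lower()[:2])
    if int(headers.get("content-length", len(body))) != len(body):  # ValueError if not numeric
        cov.add("clen_mismatch"); raise ValueError("length mismatch")
    return {"method": method, "uri": uri, "headers": headers, "body": body}
def run(data: bytes):  # one execution: (branches hit, unexpected exception name or None)
    cov.clear(); crash = None
    try:
        parse_sip(data)
    except ValueError:
        pass                          # rejected cleanly: expected, not a finding
    except Exception as exc:          # anything else is an unhandled condition
        crash = type(exc).__name__
    return set(cov), crash
def mutate(rng: random.Random, d: bytes) -> bytes:
    i, op = rng.randrange(len(d)), rng.randrange(4)
    if op == 0: return d[:i + 1]  # truncate
    if op == 1: return d[:i] + bytes([rng.randrange(256)]) + d[i + 1:]  # overwrite a byte
    if op == 2: return d[:i] + d[i:i + 8] + d[i:]  # duplicate a chunk
    return (d[:i] + d[i + 1:]) or b" "  # delete a byte (never return empty input)
def fuzz(seed: bytes, iterations: int, rng_seed: int = 1):
    """Coverage-guided loop: keep mutants that reach new branches, record crashes."""
    rng, corpus, findings = random.Random(rng_seed), [seed], []
    seen, _ = run(seed)
    for _ in range(iterations):
        child = mutate(rng, rng.choice(corpus))
        hit, crash = run(child)
        if crash: findings.append((crash, child))
        if hit - seen:  # new internal state: keep the input, as afl does
            seen |= hit
            corpus.append(child)
    return corpus, seen, findings
SEED = (b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5060\r\nFrom: <sip:alice@example.com>\r\n"
        b"To: <sip:bob@example.com>\r\nCall-ID: 1@192.0.2.1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
```

Calling `fuzz(SEED, 500)` returns the grown corpus, the set of branches reached, and the list of (exception name, input) findings; a real run against Kamailio replaces the toy parser with the instrumented server and the manual `cov` set with afl's shared-memory bitmap.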
In my experience afl is a flexible and powerful tool and a good fit for fuzzing a SIP server like Kamailio. I talk more about my experience in the first iteration of my project in my talk at Kamailio World.
Kamailio World is the annual conference about Kamailio and its ecosystem of related projects. It is usually held in the spring and organized by Daniel-Constantin Mierla in Berlin.
I will present in this talk my results in fuzzing the Kamailio SIP Server. This includes an overview of the fuzzing tool chain and the motivation for applying this quality assurance method. I will describe the fuzzing setup and the necessary changes in the core for the fuzzer to interact with the server. Furthermore I will give an overview of the results and describe possible future extensions.
You can find the presentation slides in our archive on kamailio.org.
You can find a recording of my talk on youtube and also below.
So far I have found these two results in my research: