[VOIPSEC] VoIP-Phones: Weakness in processing
Walkoe, Wil J [NTK]
Wil.Walkoe at mail.sprint.com
Fri Jul 22 08:53:20 CDT 2005
Folks --
Isn't it possible to bound the set of SIP message types that we need to
validate by defining a basic set of profiles that the VoIP service will
accept, and rejecting all others ASAP? Over time, the set of acceptable
messages could be expanded as we gain more experience; but we don't need
every bell & whistle on day 1.
If the set of SIP messages that are accepted in current networks and
current standards is already too large, it would seem to me that this is
the problem to fix, while VoIP is still in its infancy. Starting small
is better than starting with an "unsolvable problem."
-- Wil
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Geoff Devine
Sent: Friday, July 22, 2005 4:22 AM
To: Ari Takanen
Cc: Voipsec at voipsa.org
Subject: RE: [VOIPSEC] VoIP-Phones: Weakness in processing
Ari concluded:
>There is nothing new or special in this bug, it is just a quality
>assurance flaw that should have been tested away.
>
>/Ari
>
>PS: Update your SIP phone regularly!
...but...
My point is that SIP has enough complexity that you can't possibly test
all possible permutations of messages and message sequences. You've
just taken an unsolvable problem and tossed it in the lap of your QA
group. Unless you insist on a well-defined SIP profile and filter
messages that don't fit within that profile, you're always going to have
a significant vulnerability to attacks by malformed SIP messages and
sequences. In the carrier-class cable voice space I live in, the
certification process for a code image on a VoIP device takes many
months. Cable operators are going to be reluctant to take shotgun
images from their vendors that risk creating millions of truck rolls
when a bug in a new image turns that device into a doorstop. This has
happened with set-top boxes and that kind of mistake costs tens of
millions of dollars. Even worse, you can attack core facilities like
media gateway controllers with malformed SIP messages and sequences.
That could end up denying service to everybody in the network, not just
a small set of VoIP terminal devices.
Geoff
________________________________
From: Ari Takanen [mailto:art at codenomicon.com]
Sent: Thu 7/21/2005 8:03 PM
To: Geoff Devine
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP-Phones: Weakness in processing
Geoff,
Sorry I could not respond to your comment earlier. You said that all
permutations are impossible to test, which is of course true, but we
have to try. Both robustness tests and fuzzers are attempting to cover
all these unexpected inputs. Fuzzers are typically semi-random,
whereas robustness tests are more advanced, systematic and "smart".
One can start with the free robustness testing techniques introduced
by PROTOS in their SIP and H.323 test-suites. I hope all vendors are
using them by now. PROTOS provides the minimum baseline for
robustness. Also, that PROTOS research shows that it is not only ASCII
protocols that have these problems. Actually many binary protocols
described in ASN.1 have much more serious problems due to the freedom
of being able to describe about any types of structures with it.
PROTOS tests in SIP have been continued in our company, and
Codenomicon SIP Test Tool is constantly increasing the test coverage
in SIP. From the 4500 PROTOS tests, we are already beyond 100,000 test
cases for SIP. But the number of test cases is not important, it is
the coverage of the tools. You can have millions of redundant fuzzing
test cases and still not reach the coverage of PROTOS even.
It is good to finally notice that people looking for security flaws in
SIP are going beyond the robustness testing coverage of PROTOS! It has
been quite quiet after the release of PROTOS test-suite by CERT/CC.
There is lots of work quietly being done in the commercial companies
though. For example, our company is working with our commercial
customers to fix these issues without disclosing any of the found
flaws publicly. Nobody wants public attention to SIP weaknesses, and
it is in nobody's interest for the exploits to start spreading in VoIP
scene (except perhaps that might be the interest of the hackers).
There is nothing new or special in this bug, it is just a quality
assurance flaw that should have been tested away.
/Ari
PS: Update your SIP phone regularly!
On Fri, Jul 08, 2005 at 09:01:10AM -0400, Geoff Devine wrote:
> I'd point out that this kind of problem is the most glaring security
> weakness with SIP. As a completely unstructured text-based
> protocol, you can't possibly test all permutations of SIP messages.
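The two ideas argued over in this thread, Wil's and Geoff's "accept a
small, well-defined SIP profile and reject everything else", and Ari's
"run the parser against unexpected inputs and make sure it fails
cleanly", fit together in one piece of code. The example below is added
here and is not code from any poster, from PROTOS or from Codenomicon. It
is a deliberately strict SIP request parser (the accepted method list,
header limits and size bounds are assumptions chosen for the example, and
it narrows RFC 3261 on purpose: no header folding, no compact header
names), a fail-closed admission wrapper, and a handful of constructed
robustness cases, each expected to be rejected with a reason rather than
crashing the parser.

```python
import re

# Accepted profile (assumed for this example, not from the thread).
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
SINGLETON_HEADERS = ("from", "to", "call-id", "cseq", "max-forwards", "content-length")
MAX_MESSAGE_BYTES = 4096   # bound the whole datagram before looking inside it
MAX_HEADER_LINES = 64
MAX_LINE_BYTES = 512

# Request line and header syntax, restricted to printable ASCII.
REQUEST_LINE = re.compile(r"^([A-Z]{1,16}) (sips?:[\x21-\x7e]{1,256}) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]{0,63}):[ \t]*([\x20-\x7e]*)$")
CSEQ_VALUE = re.compile(r"^(\d{1,10}) ([A-Z]{1,16})$")


class SipReject(Exception):
    """Raised for any message that falls outside the accepted profile."""


def parse_sip_request(raw: bytes) -> dict:
    """Parse a SIP request strictly; raise SipReject on anything off-profile."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise SipReject("message too large")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise SipReject("non-ASCII bytes")
    if "\r\n\r\n" not in text:
        raise SipReject("missing end-of-headers CRLFCRLF")
    head, body = text.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    if len(lines) - 1 > MAX_HEADER_LINES:
        raise SipReject("too many header lines")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise SipReject("malformed request line")
    method, uri = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        raise SipReject(f"method {method} outside profile")
    headers: dict = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_BYTES:
            raise SipReject("header line too long")
        h = HEADER_LINE.match(line)
        if h is None:  # also rejects folded continuation lines by design
            raise SipReject("malformed header line")
        headers.setdefault(h.group(1).lower(), []).append(h.group(2).strip())
    for name in REQUIRED_HEADERS:
        if name not in headers:
            raise SipReject(f"missing required header {name}")
    for name in SINGLETON_HEADERS:
        if len(headers.get(name, [])) > 1:
            raise SipReject(f"duplicate header {name}")
    c = CSEQ_VALUE.match(headers["cseq"][0])
    if c is None or c.group(2) != method:
        raise SipReject("CSeq does not match request method")
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body.encode("ascii")):
        raise SipReject("Content-Length does not match body")
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def admit(raw: bytes) -> tuple:
    """Fail-closed wrapper: returns (accepted, reason) and never raises."""
    try:
        req = parse_sip_request(raw)
    except SipReject as e:
        return (False, str(e))
    except Exception as e:  # a parser crash is itself a defect; still reject
        return (False, f"parser error: {type(e).__name__}")
    return (True, req["method"])


def build_request(method="INVITE", cseq=None, drop=(), extra_lines=(), body=b"", length=None):
    """Construct a sample SIP request (constructed data, not captured traffic)."""
    cseq = cseq if cseq is not None else f"1 {method}"
    length = len(body) if length is None else length
    headers = [
        ("Via", "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed"),
        ("From", "<sip:alice@example.net>;tag=1"),
        ("To", "<sip:bob@example.net>"),
        ("Call-ID", "constructed-call-id@example.net"),
        ("CSeq", cseq),
        ("Content-Length", str(length)),
    ]
    lines = [f"{method} sip:bob@example.net SIP/2.0".encode()]
    lines += [f"{n}: {v}".encode() for n, v in headers if n.lower() not in drop]
    lines += list(extra_lines)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def run_robustness_cases() -> dict:
    """Feed a well-formed request and several malformed ones through admit()."""
    cases = {
        "well_formed_invite": build_request(),
        "method_outside_profile": build_request("SUBSCRIBE"),
        "oversized_header": build_request(extra_lines=[b"Subject: " + b"A" * 2000]),
        "missing_call_id": build_request(drop=("call-id",)),
        "cseq_mismatch": build_request(cseq="1 BYE"),
        "duplicate_to": build_request(extra_lines=[b"To: <sip:eve@example.net>"]),
        "length_mismatch": build_request(body=b"v=0\r\n", length=99),
        "binary_garbage": b"\xff\xfe\x00INVITE",
        "no_crlfcrlf": b"INVITE sip:bob@example.net SIP/2.0\r\nVia: x\r\n",
    }
    return {name: admit(raw) for name, raw in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_robustness_cases().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The point of the `admit()` wrapper is the property Ari's message is really
about: whatever the input, the result is a rejection with a reason, never
an exception escaping to the device's main loop. Growing the profile later
(Wil's "expand over time") means adding to `ALLOWED_METHODS` or relaxing a
bound, and every existing robustness case keeps running against the
relaxed parser.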
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org