Protocol Fuzzing Part II: A Stack Scrambling Example
by Kirby Kuehl

The other day we started talking about BreakingPoint's protocol fuzzing capabilities with our Stack Scrambler component. Today I wanted to provide an example of how to use Stack Scrambler.
While I live in the details of the various fields within protocols, their meaning may not be that interesting to everyone, so I'll only highlight an IPv4 example. For additional reading on the format and meaning of various values within a given protocol, see these pages on Ethernet, IPv4, IPv6, TCP, UDP, ICMP, and ICMPv6.
A Stack Scrambler component simulation was created that allowed up to 5 simultaneous corruptions per packet. I set the percentage of corruption to 33% for IP Version, IP Length, Differentiated Services, IP Flags, IP Protocol, and Total Length.
After running the above simulation, I exported the packet buffer and examined various packets in Wireshark. Due to our settings, not every packet within the test has been corrupted, so let’s compare an unscrambled IPv4 header and a scrambled IPv4 header.
First, the non-scrambled IPv4 header. The Version, Header Length, Differentiated Services, and remaining fields should all be considered normal.
Now we’ll look at an IPv4 Header corrupted by the Stack Scrambler. As you can see, the IP Version—which is normally 4—is set to 1, the differentiated services are set to a random value, and all of the IP Flags are set.
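To pick scrambled headers out of an exported packet buffer without opening each one by hand, the fields can be checked programmatically. The sketch below is an added example, not part of the original post or of BreakingPoint's tooling; the two header byte strings, the `EXPECTED_PROTOCOLS` set and the `baseline_tos` parameter are constructed assumptions.

```python
import struct

# Assumed traffic mix for the test: ICMP, TCP, UDP (hypothetical baseline).
EXPECTED_PROTOCOLS = {1, 6, 17}

def ipv4_anomalies(header, captured_len, baseline_tos=None):
    """List reasons an IPv4 header looks corrupted; an empty list means normal."""
    if len(header) < 20:
        return ["truncated: fewer than 20 header bytes"]
    ver_ihl, tos, total_len, _id, flags_frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", header[:12])
    version, ihl, flags = ver_ihl >> 4, ver_ihl & 0x0F, flags_frag >> 13
    found = []
    if version != 4:
        found.append(f"version is {version}, expected 4")
    if ihl < 5:
        found.append(f"header length {ihl * 4} bytes is below the 20-byte minimum")
    if total_len < ihl * 4 or total_len > captured_len:
        found.append(
            f"total length {total_len} inconsistent with {captured_len} captured bytes")
    if flags & 0b100:
        found.append("reserved flag bit is set")
    if (flags & 0b011) == 0b011:
        found.append("DF and MF are both set")
    if proto not in EXPECTED_PROTOCOLS:
        found.append(f"unexpected protocol number {proto}")
    # Every DS value is legal on the wire, so it can only be compared to a baseline.
    if baseline_tos is not None and tos != baseline_tos:
        found.append(f"DS field 0x{tos:02x} differs from baseline 0x{baseline_tos:02x}")
    return found

# Constructed 20-byte headers (documentation addresses 192.0.2.1 -> 198.51.100.7).
NORMAL = bytes.fromhex("450000281c46400040060000c0000201c6336407")
# Same header with version 1, a random DS byte and all three flag bits set.
SCRAMBLED = bytes.fromhex("15b700281c46e00040060000c0000201c6336407")

if __name__ == "__main__":
    for name, hdr in (("normal", NORMAL), ("scrambled", SCRAMBLED)):
        print(name, ipv4_anomalies(hdr, captured_len=40, baseline_tos=0x00))
```

The same checks are a quick way to confirm that a device under test dropped or logged the malformed packets rather than forwarding them.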

The old version of Stack Scrambler was already a good tool; the new version tops it in a couple of key ways. Since the tool supports more types of corruptions, there are now many more options for configuring your simulations. Also, moving this component directly onto the network processor brings big improvements in terms of performance and available corruptions. The previous Stack Scrambler topped out at about 15Mbps, while the new version can currently generate traffic at 500Mbps—with future speed improvements on the way.
We’d love to know about your experiences using Stack Scrambler, and we’d love to hear your questions or suggestions. Leave a note in the comments!
