The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol. Quite simply, fuzzing is a method for finding bugs and vulnerabilities by creating different types of packets for the target protocol that push the protocol's specifications to the breaking point. These specially formed packets are then sent to an application, operating system, or hardware device and the results are closely monitored for any abnormal conditions (crash, resource consumption, and so on).
Monitoring for abnormal conditions as you are fuzzing can be tricky, depending on whether you're testing a software VoIP application or a hard VoIP phone. Sometimes simply looking at the application's or device's logs is sufficient. Other times, a system failure might be harder to detect. For instance, sending one of the fuzzing packets against a VoIP phone might cause it to go into a strange state where no incoming calls can be received. However, unless you actually test this ability on the phone after each test case, there may not be enough obvious evidence (log entry, full crash, and so on) that something has gone awry.
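The monitoring problem just described, as an added example that is not part of the book: a small robustness-test loop that runs a handful of boundary-pushing SIP INVITE variants through a pluggable transport and, after every case, explicitly probes the device with a SIP OPTIONS request so a "silent" failure (device up, but no longer answering) is caught and attributed to the case that triggered it. The addresses, the `FakePhone` model and its wedge-on-long-header behaviour are constructed stand-ins, not a real device.

```python
# Added example (not from the book): a minimal robustness-test loop that
# sends SIP test cases through a pluggable transport and, after each case,
# probes the target with a SIP OPTIONS request so a "silent" failure
# (device alive but no longer answering) is detected and attributed to
# the case that caused it. FakePhone is a constructed stand-in for a real
# phone: it stops replying once it has seen an over-long header line.
from dataclasses import dataclass
from typing import Callable, Optional

CRLF = "\r\n"

def sip_request(method: str, via_branch: str = "z9hG4bK-test") -> str:
    """Build a syntactically normal SIP request for a constructed target."""
    return CRLF.join([
        f"{method} sip:phone@192.0.2.10 SIP/2.0",
        f"Via: SIP/2.0/UDP 192.0.2.1:5060;branch={via_branch}",
        "From: <sip:tester@192.0.2.1>;tag=1",
        "To: <sip:phone@192.0.2.10>",
        "Call-ID: robustness-1@192.0.2.1",
        f"CSeq: 1 {method}",
        "Max-Forwards: 70",
        "Content-Length: 0", "", ""])

def test_cases() -> list[str]:
    """Variants of one INVITE; each pushes a single field past its spec."""
    base = sip_request("INVITE")
    return [base,
            base.replace("Max-Forwards: 70", "Max-Forwards: -1"),
            base.replace("Content-Length: 0", "Content-Length: 99999"),
            sip_request("INVITE", via_branch="z9hG4bK-" + "A" * 4096)]

@dataclass
class FakePhone:
    """Constructed device model: wedges after any header line over 1024 bytes."""
    wedged: bool = False

    def send(self, msg: str) -> Optional[str]:
        if any(len(line) > 1024 for line in msg.split(CRLF)):
            self.wedged = True
        return None if self.wedged else "SIP/2.0 200 OK" + CRLF

def run_campaign(send: Callable[[str], Optional[str]]) -> list[int]:
    """Return indices of cases after which the liveness probe got no 200 OK."""
    failed = []
    for i, case in enumerate(test_cases()):
        send(case)                             # the case's own reply is not trusted
        reply = send(sip_request("OPTIONS"))   # explicit post-case liveness probe
        if reply is None or not reply.startswith("SIP/2.0 200"):
            failed.append(i)
    return failed
```

Against a real phone, `send` would be a UDP send-and-receive with a timeout; the point is that the verdict comes from the probe after each case, not from whatever the case itself returns.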
The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University's Secure Programming Group (http://www.ee.oulu.fi/research/ouspg/protos/). Through various incarnations of grad student participation, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP (http://www.cert.org/advisories/CA-2003-06.html) and H.323 (http://www.cert.org/advisories/CA-2004-01.html). Some of the participants in the PROTOS project went on to graduate and start a commercial fuzzing company called Codenomicon. We touch on Codenomicon's offerings later in this chapter.
Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among consumer and enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.