[VOIPSEC] RE: VoIP-Phones: Weakness in processing

Geoff Devine gdevine at cedarpointcom.com
Sun Jul 24 11:07:19 CDT 2005


The whole problem here is that SIP is far too complex to perform completeness testing.  Formal verification just isn't possible.  Even worse, the protocol is being made more complex daily as the IETF adopts extensions.  I sure wouldn't want to be a network operator trying to charge for services in an environment where unauthenticated or lightly authenticated SIP user agents on home computers can fire mal-formed messages into my network.  
 
If you look at what the wireless people have done with 3GPP/IMS, they've simplified the flavor of SIP spoken by the cell phone to the point where you can actually do a formal verification test.  When you layer SecureCard types of technology on top of this in the form of a GSM SIM chip, you can make a pretty reasonable attempt at hardening the access network.  The filters and grammar authenticators that are so difficult to write in vanilla SIP become quite straightforward.  In my opinion, any other open network that charges for services is going to have to take a similar approach with SIP since all the complexity creates a huge security vulnerability.
 
Geoff

 
________________________________


Date: Fri, 22 Jul 2005 17:07:10 +0300
From: Christian Wieser <chwieser at ee.oulu.fi>
Subject: Re: [VOIPSEC] VoIP-Phones: Weakness in processing
To: "Geoff Devine" <gdevine at cedarpointcom.com>
Cc: Ari Takanen <art at codenomicon.com>, Voipsec at voipsa.org
Message-ID: <200507221407.j6ME7AG4021170 at ee.oulu.fi>

[snip]
>
> My point is that SIP has enough complexity that you can't possibly test all
> possible permutations of messages and message sequences.  You've just taken
> an unsolvable problem and tossed it in the lap of your QA group.

This is the question of completeness of testing. With testing we
can only show the absence of specific bugs, but cannot claim the
correctness of the software. Formal verification of implementations
has not been done for SIP, afaik.


> Unless you insist on a well-defined SIP profile and filter messages that
> don't fit within that profile, you're always going to have a significant
> vulnerability to attacks by mal-formed SIP messages and sequences.

True, a single bug can ruin your day. On filtering:
it is rather challenging to write correct filters. To give an example:
the maximum field length of a "Display name" is not limited by the
specification. A name consisting of 512x"A" is a valid Display name,
but can already crash an application due to a buffer overflow; how
about "%100s"?


> In the carrier-class cable voice space I live in, the certification process
> for a code image on a VoIP device takes many months.  Cable operators are
> going to be reluctant to take shotgun images from their vendors that risk
> creating millions of truck rolls when a bug in a new image turns that device
> into a doorstop.  This has happened with set-top boxes and that kind of
> mistake costs tens of millions of dollars.  Even worse, you can attack core
> facilities like media gateway controllers with mal-formed SIP messages and
> sequences.  That could end up denying service to everybody in the network,
> not just a small set of VoIP terminal devices.
>

Robustness testing (fuzzing) is rather efficient at catching certain
bugs. Does it solve all problems? No.
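The two positions in this exchange, Geoff's "insist on a SIP profile and filter what doesn't fit" and Christian's "correct filters are hard; the spec puts no bound on a Display name, and 512x"A" or "%100s" may already crash a phone", can both be seen in one small piece of code. What follows is an added example written for this archive page; it is not code from either poster, from any VoIP vendor, or from a SIP stack. The profile limits (MAX_LINE, MAX_DISPLAY_NAME, the required-header list, the rejection of printf-style specifiers in a display name) are assumptions chosen for illustration, not values taken from RFC 3261, which sets no such limits. The INVITE and the robustness cases are constructed inline, not captured traffic.

```python
"""Profile filter for SIP requests plus the Display-name robustness cases
from the thread.  Added example; limits below are assumptions, not RFC text."""
import re

# Assumed profile (illustrative; RFC 3261 bounds none of these).
MAX_LINE = 1024            # longest header line accepted before parsing further
MAX_DISPLAY_NAME = 64      # longest From/To display name accepted
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")  # long forms only
# printf-style conversion spec: %[flags][width][.precision]conv  (not %%)
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfFgGcspn]")


def parse_request(raw: bytes) -> dict:
    """Split a SIP request into request line, header dict and body.
    Raises ValueError on anything structurally broken; the filter turns
    that into a reject rather than letting a later layer choke on it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in header section")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            raise ValueError("header line exceeds MAX_LINE")
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line[:40])
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def display_name(name_addr: str) -> str:
    """Display-name part of a From/To value ('' when the value has none)."""
    lt = name_addr.find("<")
    if lt < 0:
        return ""                      # addr-spec form, no display name
    name = name_addr[:lt].strip()
    if len(name) >= 2 and name.startswith('"') and name.endswith('"'):
        name = name[1:-1]              # quoted-string form
    return name


def profile_violations(msg: dict) -> list:
    """List the assumed-profile rules a parsed request breaks (empty = ok)."""
    problems = []
    hdrs = msg["headers"]
    for h in REQUIRED_HEADERS:
        if h not in hdrs:
            problems.append("missing required header: " + h)
    for h in ("from", "to"):
        for value in hdrs.get(h, []):
            name = display_name(value)
            if len(name) > MAX_DISPLAY_NAME:
                problems.append("%s display-name too long (%d chars)" % (h, len(name)))
            if FORMAT_SPEC.search(name):
                problems.append(h + " display-name contains a printf-style format specifier")
    return problems


def filter_request(raw: bytes) -> tuple:
    """Verdict for one raw request: ('accept', []) or ('reject', [reasons])."""
    try:
        msg = parse_request(raw)
    except ValueError as e:
        return "reject", [str(e)]
    problems = profile_violations(msg)
    return ("reject", problems) if problems else ("accept", [])


def make_invite(display: str) -> bytes:
    """Constructed sample INVITE (not a capture) with the given From display name."""
    return ("INVITE sip:bob@example.net SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            'From: "%s" <sip:alice@example.net>;tag=1928301774\r\n'
            "To: Bob <sip:bob@example.net>\r\n"
            "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            "CSeq: 314159 INVITE\r\n"
            "Content-Length: 0\r\n\r\n" % display).encode("ascii")


def display_name_cases() -> dict:
    """The thread's Display-name cases plus a few neighbours (all constructed)."""
    return {
        "benign": "Alice",
        "long_512": "A" * 512,        # valid per spec, overflows a fixed buffer
        "fmt_width": "%100s",         # valid per spec, abuses a printf-style log call
        "fmt_n": "%n%n%n%n",
        "long_and_fmt": "%s" * 200,   # trips both rules
    }


if __name__ == "__main__":
    for label, name in display_name_cases().items():
        verdict, reasons = filter_request(make_invite(name))
        print("%-12s %-6s %s" % (label, verdict, "; ".join(reasons)))
```

The point of the exercise is the one Christian makes: the filter is only as good as the profile behind it. Nothing in the spec says 64 characters is the right bound, a UA whose firmware uses a 32-byte buffer is still exposed, and the specifier check guards only one class of sink. The same harness, fed the output of a real fuzzer instead of five hand-made names, is what finds the cases the profile author did not think of.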





