Negative Testing in Eclipse Titan: Fuzzing basics [message #1723065] Thu, 11 February 2016 10:59
Elemer Lelik
Negative testing is yet another feature of Titan that is not covered by the standard.
Negative testing responds to the need to send illegal (wrongly formatted, violating structural constraints, etc.) messages to the SUT and observe how it reacts.
For a particular protocol, there are several possibilities: one can write a "shadow" protocol module with illegal structures, or create a codec that turns legal structures into illegal values.
There's also the possibility of manipulating encoded values externally, e.g. using functions external to Titan.
Such a scenario is described in the thesis below, where Titan was used to create valid messages of telecom protocols, which were then corrupted externally:
http://publications.lib.chalmers.se/records/fulltext/193628/193628.pdf


However, Titan offers the possibility of dealing with this problem not at a particular level, but at a generic level.
The feature is described in great detail in ch. 4.28 of the reference guide.

Negative testing is implemented with attributes assigned to constants and templates; these attributes modify the encoding of the value.
The templates and constants themselves will not be modified (that is, the abstract syntax remains untouched; only the transport syntax is corrupted).
Obviously, only the encoding direction can be influenced with such attributes.

The following structured types can be made erroneous:
• record
• set
• record of
• set of
• union
The corresponding ASN.1 types can also be used when imported from an ASN.1 module.

The following erroneous behaviors can be defined for the encoding of an erroneous value or template:
• omit specified fields
• change the specified field's value or both type and value
• omit all fields before or after the specified field
• insert a new field before or after the specified field
The inserted data can be either the value of a given constant or any "raw" binary data.


Let's consider the TTCN-3 code below (an easily readable JSON example was chosen, but the feature works with all Titan variable codecs: RAW, TXT, XML, JSON):



module neg
{
external function f_enc_content(in type_content par) return octetstring
  with { extension "prototype(convert) encode(JSON) printing(pretty)" }

external function f_dec_content(in octetstring par) return type_content
  with { extension "prototype(convert) decode(JSON)" }

type record type_content
{
  charstring  contentName,
  integer     pccRuleId      optional,
  integer     pccRuleType    optional,
  charstring  pccRuleValue 
} 

type integer type_pccRuleType (0..2);



const type_content cl_illegalContent := {
  contentName          :=  "service1",
  pccRuleId            :=  1,
  pccRuleType          :=  1,
  pccRuleValue         :=  "somecharstringhere"
} with {
  erroneous(pccRuleId)    "before := \"before\"";
  erroneous(pccRuleId)    "after(raw) := \"after\"";
  erroneous (pccRuleType) "value := charstring:\"1\"";
  erroneous (pccRuleValue) "value := omit"
}


const type_content cl_legalContent := {
  contentName          :=  "service1",
  pccRuleId            :=  1,
  pccRuleType          :=  1,
  pccRuleValue         :=  "somecharstringhere"
}



function f_badRequest ()
{
var charstring vl_cs_content;

vl_cs_content := oct2char(f_enc_content(cl_legalContent));
//log(cl_badContent);
log(vl_cs_content);
vl_cs_content := oct2char(f_enc_content(cl_illegalContent));
log(vl_cs_content);

}

control {

f_badRequest();



}
}with {encode "JSON"}



Let's generate a Makefile:



makefilegen -sR -e neg neg.ttcn


Mind the usage of the -R switch: as this feature is supported only by the Function Test runtime of Titan,
when doing negative testing the -R switch must be used to switch from the default Load Test runtime to the Function Test runtime.

Build and execute:
 
make 
./neg


The generated log, after formatting, looks like this:


10:43:25.218756 - TTCN-3 Test Executor started in single mode. Version: CRL 113 200/5 R4C.
10:43:25.218891 - Maximum number of open file descriptors: 8193,   FD_SETSIZE = 1024
10:43:25.227623 - TTCN Logger v2.2 options: TimeStampFormat:=Time; LogEntityName:=No; LogEventTypes:=No; SourceInfoFormat:=Single; *.FileMask:=LOG_ALL; *.ConsoleMask:=ACTION | ERROR | TESTCASE | STATISTICS | WARNING; LogFileSize:=0; LogFileNumber:=1; DiskFullAction:=Error
10:43:25.227672 - Initializing module PreGenRecordOf.
10:43:25.227701 - Initialization of module PreGenRecordOf finished.
10:43:25.227727 - Initializing module TitanLoggerApi.
10:43:25.227752 - Initialization of module TitanLoggerApi finished.
10:43:25.227777 - Initializing module neg.
10:43:25.227801 - Initialization of module neg finished.
10:43:25.227828 neg.ttcn:55 Execution of control part in module neg started.
10:43:25.227972 neg.ttcn:49 "{
	\"contentName\" : \"service1\",
	\"pccRuleId\" : 1,
	\"pccRuleType\" : 1,
	\"pccRuleValue\" : \"somecharstringhere\"
}"
10:43:25.228075 neg.ttcn:51 "{
	\"contentName\" : \"service1\",
	\"charstring\" : \"before\",
	\"pccRuleId\" : 1after,
	\"pccRuleType\" : \"1\"
}"
10:43:25.228121 neg.ttcn:57 Execution of control part in module neg finished.
10:43:25.228172 - Verdict statistics: 0 none, 0 pass, 0 inconc, 0 fail, 0 error.
10:43:25.228228 - Test execution summary: 0 test case was executed. Overall verdict: none
10:43:25.228264 - TTCN-3 Test Executor finished in single mode.




Please note that the same variable was encoded differently: the first value is valid, while the second is corrupted.


Anyone familiar with fuzzing will observe that negative testing lays the foundation of fuzz testing:
creating erroneous values from existing structures is called mutational fuzzing, as opposed to generational fuzzing, where invalid transport layer structures are directly generated.
A door is opened to an endless area of experimentation. Now it's your turn.



Best regards

Elemer
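
A receiver-side check for the two encodings logged in the post, as an added example that is not part of the original post or of Titan: it shows what a strict consumer of type_content should report for each mutation. The names SCHEMA, check_content and SCHEMA_ONLY are hypothetical, and SCHEMA_ONLY is a constructed variant of the logged message with the raw insertion removed.

```python
import json

# Field -> (JSON type as a Python type, required?), mirroring the post's type_content record.
SCHEMA = {
    "contentName": (str, True),
    "pccRuleId": (int, False),
    "pccRuleType": (int, False),
    "pccRuleValue": (str, True),
}

# The two encodings from the log above, with the log's quote escaping removed.
LEGAL = """{
  "contentName" : "service1",
  "pccRuleId" : 1,
  "pccRuleType" : 1,
  "pccRuleValue" : "somecharstringhere"
}"""
ILLEGAL = """{
  "contentName" : "service1",
  "charstring" : "before",
  "pccRuleId" : 1after,
  "pccRuleType" : "1"
}"""
# Constructed variant: the same message without the raw "after" insertion.
SCHEMA_ONLY = ILLEGAL.replace("1after", "1")

def check_content(text):
    """Return a list of violations; an empty list means the message is acceptable."""
    try:
        msg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Raw data inserted into the encoding breaks the JSON syntax itself.
        return [f"syntax: {exc.msg} (line {exc.lineno})"]
    if not isinstance(msg, dict):
        return ["structure: top-level value is not an object"]
    problems = [f"unknown field: {name}" for name in msg if name not in SCHEMA]
    for name, (typ, required) in SCHEMA.items():
        if name not in msg:
            if required:
                problems.append(f"missing field: {name}")
        elif type(msg[name]) is not typ:  # exact match, so true/false is not an integer
            problems.append(f"wrong type: {name}")
    return problems

if __name__ == "__main__":
    for label, text in [("legal", LEGAL), ("illegal", ILLEGAL), ("schema-only", SCHEMA_ONLY)]:
        print(label, check_content(text))
```

The raw insertion is caught at the syntax layer before any field is inspected, while the other three erroneous attributes only surface once the schema is enforced.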