Wimax

Hello,
Evaluating the possibility of starting a WiMAX fuzzing test bed project with
GNU Radio/USRP. Does anybody know if:

  • there is a working 802.16d implementation based on GNU Radio that
    works fine with USRP
  • there are SDR-based projects, preferably based on GNU Radio, to fuzz
    radio systems: GSM BTS, WiMAX radio, TETRA base stations, etc. The goal
    is to do with the radio what we do with software in the fuzzing stage
    of security-related projects: conduct a huge series of tests, examine
    the results and see when and how the radio is not up to the task.

regards

evaluating the possibility of starting a WiMAX fuzzing test bed project with
GNU Radio/USRP . . . the goal is to
do with the radio what we do with software in the fuzzing stage of
security-related projects: conduct a huge series of tests, examine the results
and see when and how the radio is not up to the task

Sounds like a great idea. (For those who don’t know, “fuzzing”
involves sending subtly or wildly wrong values in every field in a
protocol, testing how the receiving device handles the error. Fuzzing
attacks against Unix command-line utilities found hundreds or
thousands of implementation errors by sending, e.g. lines containing
millions of characters; negative, zero, or huge length values;
non-ASCII character sets, etc, etc, etc. Some fuzz is randomly
created, finding bugs that humans never conceived of looking for. But
after the first round of fuzz testing, throwing totally random values
at a protocol seldom exercises all the code paths in less than an
aeon; most of the garbage is rejected at the front door. Fiendish
software testers with intimate knowledge of the protocol involved can
create constrained fuzzers that smuggle randomly erroneous data deep
into the heart of the receiving system before it explodes.)

If you write this code, products in the market that it addresses will
evolve to become better hardened against both mistakes and attack.
But note that deploying “fuzzing” systems against targets you don’t
control (e.g. other people’s infrastructures or mobile devices) is
often considered a hostile act and could lead to criminal penalties
(or war, if done by one country to another).

As for WiMax, I don’t know who (if anyone) is working on it in GNU
Radio.

  • there are SDR-based projects, preferably based on GNU Radio, to fuzz radio
    systems: GSM BTS, WiMAX radio, TETRA base stations, etc.

The OpenBTS code implements a GSM base station; this code could easily
be improved to “fuzz” GSM handsets. Anecdotal reports from the
developers indicate that it’s pretty easy for a buggy base station to
tickle numerous bugs in handsets from every manufacturer. (Indeed,
real-world base stations appear to need workarounds for known bugs in
common handsets.) The creation of a GSM handset fuzzing program would
probably improve that situation dramatically. It would also make
possible a powerful denial of service attack on the cellular networks,
making large numbers of existing cellphones crash in their users’
pockets.

OpenBTS doesn’t currently have a GSM handset protocol stack (you
can’t currently emulate a GSM handset with GNU Radio.) Adding that
capability would be very useful – and would probably eventually lead
to the code actually running in freed handsets. (The “baseband
processor” code in modern cellphones is often the last bastion of
proprietary software in the phone – because there’s no free software
choice that works.) If someone improved OpenBTS to include a GSM
handset stack, then that stack could be improved to “fuzz” GSM base
stations, which would lead to better-hardened base stations.

John G.
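John's point that unconstrained fuzz mostly dies at the front door, as an added example that is not part of the thread and not GNU Radio or OpenBTS code. The framed protocol (length byte, TLV payload, XOR checksum), the receiver and its two deliberate bugs are all constructed here; they stand in for the handset and base-station bugs the thread talks about. The random generator almost never gets a frame past the checksum; the constrained generator corrupts the payload and then recomputes length and checksum, so every frame reaches the IE parser and both bugs surface within a few thousand iterations.

```python
"""Random vs constrained fuzzing against a receiver with a strict front door."""
import random
from collections import Counter

# Frame layout (constructed for this example): [len][payload...][xor checksum]
# The payload is a run of information elements: fixed-length IEs are tag + 1 byte,
# everything else is tag, length, value (TLV).
FIXED_LEN_TAGS = {0x01, 0x02}          # 0x01 = codec id, 0x02 = power class
CODECS = {0: "FR", 1: "EFR", 2: "AMR"}

BASE_PAYLOAD = bytes([0x01, 0x01,                          # codec = EFR
                      0x02, 0x05,                          # power class 5
                      0x10, 4, 0xAA, 0xBB, 0xCC, 0xDD,     # identity (TLV)
                      0x11, 3, 0x61, 0x62, 0x63])          # name "abc" (TLV)


def checksum(data):
    x = 0
    for b in data:
        x ^= b
    return x


def valid_frame(payload):
    """Wrap a payload in correct framing: length byte in front, checksum behind."""
    return bytes([len(payload)]) + payload + bytes([checksum(payload)])


def receive(frame):
    """Toy receiver. Returns the stage the frame reached; raises on the latent bugs."""
    # Front door: framing and checksum. Almost all random input is rejected here.
    if len(frame) < 3 or frame[0] != len(frame) - 2:
        return "front_door"
    payload = frame[1:-1]
    if checksum(payload) != frame[-1]:
        return "front_door"
    # IE parser. Deliberate bug 1: no bounds check before reading the byte after a tag.
    ies = {}
    i = 0
    while i < len(payload):
        tag = payload[i]
        if tag in FIXED_LEN_TAGS:
            ies[tag] = payload[i + 1]
            i += 2
        else:
            length = payload[i + 1]
            ies[tag] = payload[i + 2:i + 2 + length]
            i += 2 + length
    # Deliberate bug 2: the codec id is used as a table key without validation.
    CODECS[ies.get(0x01, 0)]
    return "parsed"


def random_frames(rng):
    """Unconstrained fuzz: random length, random bytes."""
    return bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 40)))


def constrained_frames(rng):
    """Protocol-aware fuzz: corrupt the payload, then fix up length and checksum so
    the frame always passes the front door and the corruption reaches the parser."""
    p = bytearray(BASE_PAYLOAD)
    op = rng.choice(("flip", "truncate", "insert"))
    if op == "flip":
        p[rng.randrange(len(p))] = rng.getrandbits(8)
    elif op == "truncate":
        del p[rng.randrange(1, len(p)):]
    else:
        p.insert(rng.randrange(len(p) + 1), rng.getrandbits(8))
    return valid_frame(bytes(p))


def run_campaign(generator, iterations, seed):
    """Drive the receiver with frames from `generator`; count where each one ended up."""
    rng = random.Random(seed)
    outcome = Counter()
    for _ in range(iterations):
        frame = generator(rng)
        try:
            outcome[receive(frame)] += 1
        except (IndexError, KeyError) as exc:   # a crash in the receiver is the finding
            outcome["crash:" + type(exc).__name__] += 1
    return outcome


if __name__ == "__main__":
    for name, gen in (("random", random_frames), ("constrained", constrained_frames)):
        print(name, dict(run_campaign(gen, 2000, seed=1)))
```

The same split applies to a radio target: the "front door" there is the physical and link layer (sync, training sequence, CRC, convolutional code), and a fuzzer that emits waveforms with broken framing tests the demodulator rather than the protocol stack. Mutating at L2/L3 and letting a correct transmitter frame the result is what gets the corruption to the code that matters.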

John -

The more recent 2.5-series releases of OpenBTS include a feature
called “test call” specifically for fuzzing handsets. From the CLI,
you can initiate a mobile-terminated transaction to a specific handset
using the test call feature. What the test call feature does is open
an SDCCH in multiframe mode and then just tie that SDCCH to a UDP
socket in L3. Then an external application can interact with the
handset directly in L3 via the UDP socket, allowing you to fuzz to
your heart’s content without actually hacking OpenBTS.

– David

On May 26, 2010, at 4:44 PM, John G. wrote:

David A. Burgess
Kestrel Signal Processing, Inc.
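The L3-over-UDP hook David describes, as an added example that is not OpenBTS code and not from the thread: it builds a valid GSM 04.08 MM Information message carrying TS 24.008 Network Name IEs, derives structure-aware mutations that leave the protocol discriminator and message type intact (so the handset's L3 router still hands the PDU to its MM handler and the corruption reaches the IE parser), and sends each case as one UDP datagram. The protocol discriminators, message types, IEIs and the 7-bit packing are from the 3GPP specs; the assumption that one datagram carries exactly one raw L3 PDU with nothing prepended, and the address OPENBTS_ADDR, are mine and must be checked against the OpenBTS test-call source before use.

```python
"""Structure-aware L3 fuzz cases for a GSM handset via an SDCCH-to-UDP hook."""
import random
import socket

# Hypothetical address of the OpenBTS test-call UDP socket (assumption, not from the thread).
OPENBTS_ADDR = ("127.0.0.1", 5070)

# Constants from 3GPP TS 24.007 (protocol discriminators) and TS 24.008 (message types, IEIs).
PD_CC, PD_MM, PD_RR = 0x03, 0x05, 0x06
MM_IDENTITY_REQUEST, MM_INFORMATION = 0x18, 0x32
IEI_NETWORK_NAME_FULL, IEI_NETWORK_NAME_SHORT = 0x43, 0x45
MUTATIONS = ("len_overrun", "len_zero", "reserved_coding", "long_name", "byte_flip")


def gsm7_pack(text):
    """Pack text into GSM 7-bit septets (TS 23.038), LSB first.
    Returns (packed bytes, number of spare bits in the last octet). Only ASCII
    alphanumerics and space are accepted: they share code points with the GSM
    default alphabet, so no alphabet table is needed here."""
    if not all((c.isascii() and c.isalnum()) or c == " " for c in text):
        raise ValueError("only ASCII alphanumerics and space map 1:1 onto GSM 7-bit")
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc |= ord(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    spare = 0
    if nbits:                        # flush the partial last octet
        out.append(acc & 0xFF)
        spare = 8 - nbits
    return bytes(out), spare


def network_name_ie(iei, name, coding_scheme=0):
    """Network Name IE (TS 24.008 10.5.3.5a): IEI, length, then octet 3 =
    ext bit | coding scheme (3 bits) | add-CI bit | spare-bit count (3 bits), then text."""
    packed, spare = gsm7_pack(name)
    octet3 = 0x80 | ((coding_scheme & 0x7) << 4) | spare
    value = bytes([octet3]) + packed
    return bytes([iei, len(value)]) + value


def l3_message(pd, msg_type, *ies, ti=0):
    """GSM 04.08 L3 PDU: octet 1 = transaction id / skip indicator (high nibble) +
    protocol discriminator (low nibble); octet 2 = message type; then the IEs."""
    return bytes([((ti & 0xF) << 4) | (pd & 0xF), msg_type & 0xFF]) + b"".join(ies)


def l3_header_of(pdu):
    """(protocol discriminator, message type): what the handset's L3 router keys on."""
    return pdu[0] & 0xF, pdu[1]


def mm_information(full_name, short_name):
    return l3_message(PD_MM, MM_INFORMATION,
                      network_name_ie(IEI_NETWORK_NAME_FULL, full_name),
                      network_name_ie(IEI_NETWORK_NAME_SHORT, short_name))


def fuzz_cases(n, seed=0):
    """n (label, pdu) pairs derived from a valid MM Information message. The two
    header octets are never touched, so the PDU is accepted and dispatched to the
    MM handler; the corruption sits inside the IEs, where the real parsing happens."""
    rng = random.Random(seed)
    base = mm_information("OpenBTS", "OBTS")
    ie_len, ie_oct3 = 3, 4               # offsets of the first IE's length and octet 3
    cases = []
    for _ in range(n):
        kind = rng.choice(MUTATIONS)
        m = bytearray(base)
        if kind == "len_overrun":
            m[ie_len] = 0xFF                 # length claims far more than the PDU carries
        elif kind == "len_zero":
            m[ie_len] = 0x00                 # length 0 leaves octet 3 and the text unclaimed
        elif kind == "reserved_coding":
            m[ie_oct3] |= 0x70               # coding scheme 111 is reserved in TS 24.008
        elif kind == "long_name":
            m = bytearray(l3_message(PD_MM, MM_INFORMATION,
                network_name_ie(IEI_NETWORK_NAME_FULL, "A" * rng.randint(100, 250))))
        else:                                # byte_flip: any octet after the header
            m[rng.randrange(2, len(m))] = rng.getrandbits(8)
        cases.append((kind, bytes(m)))
    return cases


def send_cases(sock, addr, cases):
    """One L3 PDU per datagram (assumed framing); returns the number sent."""
    for _, pdu in cases:
        sock.sendto(pdu, addr)
    return len(cases)


if __name__ == "__main__":
    # Offline run: a throwaway UDP listener on localhost stands in for the OpenBTS
    # socket and shows what each case looks like on the wire.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for label, pdu in fuzz_cases(10, seed=1):
        send_cases(sender, listener.getsockname(), [(label, pdu)])
        seen = listener.recv(4096)
        pd, mt = l3_header_of(seen)
        print(f"{label:16s} PD=0x{pd:x} type=0x{mt:02x} len={len(seen)}")
```

Point `send_cases` at the real socket only with a handset you own, on a test BTS in a shielded enclosure; as John notes above, the same traffic aimed at other people's devices is an attack. Keep the label of each case next to the handset's observed behaviour (reset, lost registration, display corruption) so a crash can be reduced to the one mutation that caused it.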