
Re: [Discuss-gnuradio] Wimax


From: John Gilmore
Subject: Re: [Discuss-gnuradio] Wimax
Date: Wed, 26 May 2010 16:44:43 -0700

> evaluating the possibility of starting a Wimax fuzzing test bed project with
> GNU Radio/USRP . . . the goal is to
> do with the radio what we do with software in the fuzzing stage of security-
> related projects: to conduct a huge series of tests, examine the results
> and see when and how the radio is not up to the task

Sounds like a great idea.  (For those who don't know, "fuzzing"
involves sending subtly or wildly wrong values in every field in a
protocol, testing how the receiving device handles the error.  Fuzzing
attacks against Unix command-line utilities found hundreds or
thousands of implementation errors by sending, e.g., lines containing
millions of characters; negative, zero, or huge length values;
non-ASCII character sets, etc, etc, etc.  Some fuzz is randomly
created, finding bugs that humans never conceived of looking for.  But
after the first round of fuzz testing, throwing totally random values
at a protocol seldom exercises all the code paths in less than an
aeon; most of the garbage is rejected at the front door.  Fiendish
software testers with intimate knowledge of the protocol involved can
create constrained fuzzers that smuggle randomly erroneous data deep
into the heart of the receiving system before it explodes.)

If you write this code, products in the market that it addresses will
evolve to become better hardened against both mistakes and attack.
But note that deploying "fuzzing" systems against targets you don't
control (e.g. other people's infrastructure or mobile devices) is
often considered a hostile act and could lead to criminal penalties
(or war, if done by one country to another).

As for WiMax, I don't know who (if anyone) is working on it in GNU Radio.

> - there are SDR-based projects, preferably based on GNU Radio, to fuzz radio
> systems: GSM BTS, Wimax radio, TETRA base stations, etc.

The OpenBTS code implements a GSM base station; this code could easily
be improved to "fuzz" GSM handsets.  Anecdotal reports from the
developers indicate that it's pretty easy for a buggy base station to
tickle numerous bugs in handsets from every manufacturer.  (Indeed,
real-world base stations appear to need workarounds for known bugs in
common handsets.)  The creation of a GSM handset fuzzing program would
probably improve that situation dramatically.  It would also make
possible a powerful denial of service attack on the cellular networks,
making large numbers of existing cellphones crash in their users'
pockets.

OpenBTS doesn't currently have a GSM *handset* protocol stack (you
can't currently emulate a GSM handset with GNU Radio.)  Adding that
capability would be very useful -- and would probably eventually lead
to the code actually *running* in freed handsets.  (The "baseband
processor" code in modern cellphones is often the last bastion of
proprietary software in the phone -- because there's no free software
choice that works.)  If someone improved OpenBTS to include a GSM
handset stack, then that stack could be improved to "fuzz" GSM base
stations, which would lead to better-hardened base stations.

        John Gilmore
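An added example, not part of the thread above, illustrating the point about random versus "constrained" fuzzing: it uses a constructed toy frame format (type, length, payload, CRC32; not WiMAX, GSM or any real air interface) and a toy receiver, and counts how many fuzz cases get past the front-door checks into the per-type handlers. The format, the `parse_frame` receiver and the handler names are all assumptions made up for the demonstration.

```python
import random
import zlib

# Constructed toy frame format (not any real protocol):
#   [1 byte type][2 byte length][payload][4 byte CRC32 over the preceding bytes]
def build_frame(ftype: int, payload: bytes) -> bytes:
    body = bytes([ftype]) + len(payload).to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "big")

def parse_frame(frame: bytes) -> str:
    """Toy receiver: 'front door' checks first, then the type-specific handlers."""
    if len(frame) < 7:
        return "rejected:short"
    body, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if zlib.crc32(body) != crc:
        return "rejected:crc"
    ftype, length = body[0], int.from_bytes(body[1:3], "big")
    if length != len(body) - 3:
        return "rejected:length"
    # Only input that survives the checks above reaches the per-type handlers,
    # which is where a fuzzer wants its malformed payloads to land.
    handlers = {1: "handler-1", 2: "handler-2", 3: "handler-3"}
    return "deep:" + handlers.get(ftype, "unknown-type")

def rand_bytes(rng: random.Random, max_len: int) -> bytes:
    return bytes(rng.randrange(256) for _ in range(rng.randint(0, max_len)))

def random_fuzz(rng: random.Random, n: int) -> list:
    """Totally random frames: practically all die at the CRC check."""
    return [parse_frame(rand_bytes(rng, 40)) for _ in range(n)]

def constrained_fuzz(rng: random.Random, n: int) -> list:
    """Protocol-aware frames: random type and payload, but length and CRC recomputed
    so every case is admitted at the front door and exercises a handler."""
    return [parse_frame(build_frame(rng.randrange(256), rand_bytes(rng, 40)))
            for _ in range(n)]

def deep_hits(results: list) -> int:
    """Number of fuzz cases that got past the front-door checks."""
    return sum(r.startswith("deep:") for r in results)

def compare(seed: int, n: int) -> tuple:
    """(random hits, constrained hits) for n cases each, from one seed."""
    rng = random.Random(seed)
    return deep_hits(random_fuzz(rng, n)), deep_hits(constrained_fuzz(rng, n))

if __name__ == "__main__":
    rnd, con = compare(2010, 1000)
    print(f"random fuzz     : {rnd}/1000 cases reached a handler")
    print(f"constrained fuzz: {con}/1000 cases reached a handler")
```

With a 32-bit CRC at the door, unconstrained random input reaches a handler about once in four billion cases, while every constrained case does; the same count is what a test bed would watch to judge whether its cases are actually exercising the receiver.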