Fuzzing with Aegis

Aegis is a set of fuzzing test cases for ICS/SCADA protocols. The tests are written using several different methodologies to enhance test coverage:

  • modeling of the protocol grammars
  • analysis of the protocol specifications themselves
  • brute-force (but repeatable) randomness within appropriate encapsulation

It combines aspects of generational and mutational fuzzing to provide deep coverage of the target software.

Generic concepts

Aegis uses a plug-in architecture internally so that protocol modules and test cases can be easily added to the platform. For the user, this means that the generic concepts you learn for one module are applicable to another. These concepts are the same whether you are using the console or the studio (GUI).

  • Modules are collections of test procedures for a single protocol. They may provide client and server test procedures, or these may be broken out into separate modules. Modules are also the lowest level at which the software is licensed.

  • Procedures are sequences of test cases that exercise a specific aspect or layer of a protocol. They range in size from a handful of frames to hundreds of thousands.

  • Test cases are a single test frame and health check sequence tied to a numeric identifier. Test cases are described in more detail below.

  • Health checks are known valid messages for the protocol under test that are interleaved in the test sequence to verify that the target hasn't crashed.

Test flow

A single test case consists of a test message, preceded or followed by one or more health checks.

<------> optional health check(s)
=======> test message
<------> optional health check(s)

This strategy will typically help the tester identify the exact test case that caused the target to fail. Sometimes, more complex bugs that involve subtle memory corruptions or non-deterministic behavior will require the use of a debugger or companion tooling as described in another section. Future versions of Aegis may "close the loop" with some of these application monitors to provide more direct feedback on fault analysis to the fuzzer.

Test case ids

Test cases are referred to by their incrementing numeric id. The id starts at zero and runs up to the number of test cases in the procedure minus one. You can skip to a particular test case at any time using the start parameter in the studio or console. When a start value is supplied, the fuzzer spins through the seeded random number generator and all of the preceding test frames quickly without transmitting them. This ensures that you get exactly the same frame within the procedure as if you had run through all the preceding tests.
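The following Python is an added example, not Aegis code, modelling the procedure, test case and health-check concepts from the test flow above together with the seeded skip-to-start behaviour: cases below start are regenerated from the seeded RNG but never transmitted, and a failed health check is blamed on the last transmitted test case. The frame layout, the health-check bytes and the transmit callback are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

# Constructed model of an Aegis-style procedure (added example, not Aegis
# code). The frame layout (2-byte header + random body) and the health-check
# bytes are assumptions chosen to illustrate the mechanism, not a real protocol.
HEADER = b"\xaa\x55"
HEALTH_CHECK = b"\x00\x01\x00\x00"  # assumed known-valid message


@dataclass
class TestCase:
    id: int
    frame: bytes
    checks_before: int  # health checks interleaved before the test frame
    checks_after: int   # health checks interleaved after the test frame


class Procedure:
    """Test cases derived from one seeded RNG: frame N depends on the RNG
    state left by frames 0..N-1, so reaching N means generating them all."""

    def __init__(self, seed: int, count: int):
        self.seed, self.count = seed, count

    def _cases(self):
        rng = random.Random(self.seed)
        for case_id in range(self.count):
            body = bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 64)))
            yield TestCase(case_id, HEADER + body, rng.randint(0, 1), 1)

    def run(self, start: int, transmit):
        """transmit(frame) -> bool (True if the target answered). Cases below
        `start` are generated but never sent. Returns (sent cases, id of the
        case blamed for the first failed health check, or None)."""
        sent, last_id = [], None
        for tc in self._cases():
            if tc.id < start:
                continue  # spin the RNG without transmitting
            for _ in range(tc.checks_before):
                if not transmit(HEALTH_CHECK):
                    return sent, last_id
            transmit(tc.frame)
            sent.append(tc)
            last_id = tc.id
            for _ in range(tc.checks_after):
                if not transmit(HEALTH_CHECK):
                    return sent, last_id
        return sent, None
```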

Other configurable generic test options are described in the studio section of the documentation.

Communications

Aegis uses an abstract channel interface internally. Tests are unaware of how they are communicating with the target. You need to refer to your specific protocol and ensure that you have configured the communications appropriately. This release supports the following channels:

  • TCP client (default)
  • TCP server
  • serial