OpenAtom OpenHarmony (hereinafter referred to as "OpenHarmony") is an open source distributed operating system for all scenarios. It can be used widely in smart home IoT terminals, smart wearables, smart large screens, automotive smart cockpits, speakers and other smart terminals, giving users a seamless experience across devices. These smart terminal devices running OpenHarmony (hereinafter referred to as OpenHarmony terminals) touch every aspect of people's lives and have become important carriers of people's daily behavior data and private information. Inevitably, this makes OpenHarmony terminals a target for attackers. Once a security vulnerability is found in a device, an attacker will exploit it maliciously, which not only affects the user's device, privacy and property, but also poses a potential risk to public safety.
In order to protect the security of OpenHarmony terminals, the HUAWEI DevEco Testing security testing team has brought a mature security solution - injection attack testing.
1. Introduction to HUAWEI DevEco Testing
HUAWEI DevEco Testing (hereinafter referred to as DevEco Testing) is a testing service platform created by Huawei for OpenHarmony ecosystem partners. It provides professional testing services that partners can access to build high-quality smart hardware and application products.
To help ecosystem partners protect the security of OpenHarmony terminals, the DevEco Testing team distilled Huawei's years of offensive and defensive experience into a rich and comprehensive security test case library, and built a standardized black-box Fuzz automated testing service: injection attack testing.
Since the DevEco Testing injection attack test is a black-box Fuzz automated test, let's start with Fuzz testing itself. By introducing the principle of Fuzz testing and its execution process, you can gain an in-depth understanding of how the DevEco Testing injection attack test works.
2. Fuzz test
In the face of malicious exploitation of vulnerabilities by network attackers, security experts prefer to take the initiative rather than passively respond to external attacks. By thinking like an attacker, they hunt for vulnerabilities in business systems to expose potential security flaws in business processes. Commonly used vulnerability discovery methods in the industry include static code scanning, Fuzz testing and penetration testing. Among them, Fuzz testing is widely used in hacker, academic and commercial circles because of its remarkable effect and simple principle. For example, Google uses Fuzz test cases as a standard item for product code delivery to ensure that delivered components are stable, safe and reliable; Microsoft also runs Fuzz testing continuously throughout the product cycle, from unit testing to system testing, so that Fuzz testing never stops.
1. Fuzz test principle and application scenarios
Fuzz testing is a security testing technique that discovers whether there are security problems in an application by providing a large amount of unexpected input (malicious/random data) and monitoring whether the system under test produces abnormal results.
Generally speaking, any business component or interface that accepts external data input needs to be covered by Fuzz testing. For example, protocol packets arriving from external entry points, parsing code for external files, system service interfaces and so on all involve external data input, and the security risk if they are attacked is very high. Taking a common mobile operating system as an example, as shown in Figure 1, Fuzz testing will involve the following interfaces:
Figure 1: Interfaces covered by Fuzz testing
(1) Application layer: The components exposed by the upper-layer application may accept external Intent input.
(2) System services: A large number of open interfaces of system services are called by upper-layer applications and undertake the core functions of the system.
(3) Network service: Socket communication is the main way for devices to transmit data to the outside world, and is a common remote attack surface.
(4) Kernel driver: Provide the upper layer with the ability to read and write/control devices through the ioctl (input/output control) system call.
For the above interfaces, Fuzz testing can find most common security problems: null pointer dereferences, array out-of-bounds accesses, buffer overflows, integer overflows, format string vulnerabilities, resource allocation errors, missing validity checks, and memory leaks. Compared with urgently fixing vulnerabilities discovered after going live, it is a better choice for enterprises to expose common security problems before going live through Fuzz testing.
2. Fuzz test execution process and classification
The effectiveness of Fuzz testing is well recognized in the industry, and its execution process is not complicated. It is usually divided into the following steps:
(1) Select high-risk modules as test targets.
(2) Based on the seed data, a large amount of test data is generated automatically or semi-automatically.
(3) Take the generated data as input and send it to the system under test for execution.
(4) Detect the state of the system under test (assertion, exception, process crash, error, logic error, restart, whether it can respond, whether the response is correct, whether the system is stable, etc.).
(5) According to the results of each data execution, the mutation of the data is reversely guided to generate more effective data and cover more branches.
(6) According to the abnormal state of the system under test, determine whether there is a potential security loophole.
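The following is an added worked example, not code from DevEco Testing or the OpenHarmony project. It walks through steps (1) to (6) above with a minimal black-box mutation fuzzer in Python, and also applies the two stop conditions described in the test tip further down the page (no new findings for a while, or the iteration budget is used up). The target `parse_packet`, the TLV record format, the seed inputs and the planted "missing validity check" defect are all constructed for this example; `mutate` and `run_fuzz` are hypothetical names. Because the fuzzer is black-box, it has no branch coverage to steer by, so the feedback in step (5) uses the only thing it can observe: a response string it has not seen before marks an input as worth keeping as a new seed.

```python
import random

MAX_LEN = 64          # bound on generated input size
MAX_CORPUS = 256      # bound on the seed pool that feedback can grow
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary values that often hit edge cases


def parse_packet(data: bytes) -> str:
    """Toy system under test (constructed for this example, not a real OpenHarmony interface).

    Parses a sequence of TLV records: [type:1][len:1][value:len].
    Returns a response string; that response, not the internals, is all the
    black-box fuzzer gets to see.
    """
    i = 0
    seen = []
    while i < len(data):
        if i + 2 > len(data):
            return "ERR_TRUNCATED_HEADER"
        rtype, rlen = data[i], data[i + 1]
        value = data[i + 2:i + 2 + rlen]
        if len(value) != rlen:
            return "ERR_TRUNCATED_VALUE"
        if rtype == 0x01:            # text record
            seen.append("TEXT")
        elif rtype == 0x02:          # ratio record: value = [numerator, denominator]
            # Planted defect (the "lack of validity checks" case from the page):
            # neither the record length nor a zero denominator is checked, so a
            # short record raises IndexError and a zero denominator ZeroDivisionError.
            _ = value[0] // value[1]
            seen.append("RATIO")
        else:
            return "ERR_UNKNOWN_TYPE"
        i += 2 + rlen
    return "OK:" + ",".join(seen)


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Step (2): derive one new test input from a corpus entry by a random mutation."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                                  # flip one bit
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                                # overwrite a byte with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:                                        # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and len(buf) > 1:                       # delete a byte
        del buf[rng.randrange(len(buf))]
    elif op == 4 and buf:                                # truncate the tail
        del buf[rng.randrange(1, len(buf) + 1):]
    return bytes(buf[:MAX_LEN])


def run_fuzz(target, seeds, max_iters=50000, stable_window=5000, rng_seed=0):
    """Steps (3)-(6) plus the two stop conditions from the test tip.

    Returns a summary with unique crash signatures (step 6 starts from these),
    the response classes observed, and why the run stopped.
    """
    rng = random.Random(rng_seed)          # fixed seed keeps the run reproducible
    corpus = list(seeds)                   # step (1): the seed data for the chosen target
    responses = set()                      # observable behaviour classes seen so far
    crashes = {}                           # exception signature -> triggering input
    last_new = 0                           # iteration of the last new crash or behaviour
    for it in range(1, max_iters + 1):
        data = mutate(rng, rng.choice(corpus))
        try:
            resp = target(data)            # step (3): feed the input to the target
        except Exception as exc:           # step (4): an uncaught exception is our "process crash"
            sig = f"{type(exc).__name__}: {exc}"
            if sig not in crashes:
                crashes[sig] = data
                last_new = it
        else:
            if resp not in responses:      # step (5): new behaviour -> keep input as a seed
                responses.add(resp)
                if len(corpus) < MAX_CORPUS:
                    corpus.append(data)
                last_new = it
        # Stop condition 1 (basic stability): nothing new for stable_window iterations.
        if it - last_new >= stable_window:
            return {"iterations": it, "stop_reason": "stable",
                    "crashes": crashes, "responses": sorted(responses)}
    # Stop condition 2 (sufficiency): the configured iteration budget is used up.
    return {"iterations": max_iters, "stop_reason": "budget",
            "crashes": crashes, "responses": sorted(responses)}


# Constructed seeds: two well-formed packets and one minimal text record.
SEEDS = [b"\x01\x03abc\x02\x02\x0a\x02", b"\x02\x02\x0a\x02", b"\x01\x00"]

if __name__ == "__main__":
    result = run_fuzz(parse_packet, SEEDS)
    print(f"stopped after {result['iterations']} iterations ({result['stop_reason']})")
    for sig, data in result["crashes"].items():
        print(f"  {sig}  <- {data!r}")
```

The run ends with two unique crash signatures, each paired with the shortest input the fuzzer happened to hit it with; in a real engagement those inputs are what the analysis in step (6) reproduces against the system under test to decide whether the anomaly is an exploitable vulnerability or a benign error.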
Figure 2: Fuzz test execution process
According to the key technologies used in the testing process, Fuzz testing can be divided into three categories: white-box Fuzz, black-box Fuzz, and gray-box Fuzz.
Among them, black-box Fuzz testing is the most efficient: it ignores the internal logic of the program and focuses only on its external interfaces, so it can quickly check a large number of potential security threats.
For testers, black-box Fuzz testing is simple and easy to execute, but designing a systematic and complete testing solution based on business processes often requires huge investment, which is unaffordable for most enterprises. To help ecological partners solve these difficulties, DevEco Testing has launched an injection attack testing service.
3. DevEco Testing injection attack test
DevEco Testing injection attack testing is a black-box Fuzz automated testing service. When testing for injection attacks, treat the program as a black box that cannot be opened. Without considering the internal structure and characteristics of the program, the tester flexibly selects the interface for testing to check whether the program can properly receive input data and generate correct output information.
Currently, the injection attack testing service mainly provides the following capabilities:
1. The Fuzz test capability of the system service interface and network communication interface has been integrated to support simultaneous testing of multiple interface types in one task.
2. It supports fully automated testing of all SA interfaces and socket ports of the system, with no test cases to write and no learning curve.
3. The attack strength and attack authority can be customized, and the platform automatically switches the Fuzz test engine seamlessly based on the configuration.
4. It supports the plugging and unplugging of the mobile phone at any time during the test process, and can continue to perform the Fuzz test task after the device is reconnected.
The process of using the DevEco Testing injection attack testing service is also very simple, as shown below:
Test process demonstration
The key steps are as follows:
- Sort out the business flows and interfaces that receive external data input (generally prioritize by risk: newly added or modified code, exposure to the outside world, low-privilege callers, and closeness to the attack entry point).
- Analyze how the tested interface or business is called externally (there is no need to look at how the business or interface is implemented, only at how it is called).
- Connect the device, create a task and execute it.
- Check the exception log.
- Analyze whether there is a vulnerability based on the anomaly.
- After fixing the vulnerability, retest to verify.
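The "check the exception log" and "analyze whether there is a vulnerability" steps usually begin by deduplicating the raw anomalies, because one defect typically shows up many times during a long Fuzz run. The script below is an added example, not part of DevEco Testing and not its real log format: the log lines are constructed, with one `key=value` record per anomaly (crash with signal and stack, or a timeout where the service stopped responding). It groups crashes by signal plus the top frames of the stack, counts how often each group was hit, and lists which interfaces triggered it, so the analyst starts from a short list of distinct issues rather than hundreds of lines.

```python
# Constructed sample exception log (hypothetical format, one anomaly per line).
SAMPLE_LOG = """\
2024-05-01T10:00:01 kind=crash iface=SA:3101 method=12 signal=SIGSEGV stack=libdemo.so+0x1a2c;libdemo.so+0x0f10;libipc.so+0x2200
2024-05-01T10:00:07 kind=crash iface=SA:3101 method=12 signal=SIGSEGV stack=libdemo.so+0x1a2c;libdemo.so+0x0f10;libipc.so+0x2200
2024-05-01T10:01:13 kind=crash iface=socket:5555 method=- signal=SIGABRT stack=libc.so+0x3a9f0;libc.so+0x3b2e0;libnet.so+0x4410
2024-05-01T10:02:40 kind=crash iface=SA:3101 method=12 signal=SIGSEGV stack=libdemo.so+0x1a2c;libdemo.so+0x0f10;libipc.so+0x2260
2024-05-01T10:03:02 kind=crash iface=SA:4011 method=3 signal=SIGSEGV stack=libdemo.so+0x1a2c;libdemo.so+0x0f10;libipc.so+0x2200
2024-05-01T10:03:55 kind=timeout iface=SA:4011 method=3 signal=- stack=-
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a record dict."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for tok in rest.split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def bucket_key(rec: dict, depth: int) -> tuple:
    """Crash identity: signal plus the top `depth` stack frames.

    Non-crash anomalies (e.g. timeouts) are grouped by kind and interface,
    since they carry no stack to compare.
    """
    if rec["kind"] != "crash":
        return (rec["kind"], rec["iface"])
    frames = tuple(rec["stack"].split(";")[:depth])
    return (rec["signal"],) + frames


def triage(log_text: str, depth: int = 2) -> list:
    """Group anomalies into unique buckets, most frequently hit first."""
    buckets = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = bucket_key(rec, depth)
        bucket = buckets.setdefault(key, {"key": key, "count": 0,
                                          "interfaces": set(), "first_seen": rec["ts"]})
        bucket["count"] += 1
        bucket["interfaces"].add(f"{rec['iface']}#{rec['method']}")
    result = [{**b, "interfaces": sorted(b["interfaces"])} for b in buckets.values()]
    result.sort(key=lambda b: (-b["count"], b["key"]))
    return result


if __name__ == "__main__":
    for b in triage(SAMPLE_LOG):
        print(f"{b['count']:>3}x  {' / '.join(b['key'])}  via {', '.join(b['interfaces'])}"
              f"  (first seen {b['first_seen']})")
```

The stack depth used for grouping is the main tuning knob: a shallow depth (the default of two frames) merges crashes that differ only deeper in the call chain, which is usually right when the faulting frame is the same, while a deeper value splits them apart again when the same top frame is reached from different callers and you want to confirm they share one root cause.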
Test tip: According to the Fuzz test principle, the longer the test runs, the more branches are covered and the deeper the test goes. However, a product cannot be tested indefinitely, and the test duration must be balanced against its effect. According to Huawei's internal test experience, the test can be ended when the following two conditions are met:
- Basic stability reached: no new bugs are being found.
- Test sufficiency achieved: the required duration or number of iterations has been met.
The specific test execution strategy should be determined by developers according to their own business conditions.
4. Conclusion
At present, many developers ignore security issues during the product design and implementation stages, so that risks are difficult to assess and control after going live. DevEco Testing advocates shifting security testing left to expose system and device vulnerabilities early. By providing professional, easy-to-use and open testing services, it helps OpenHarmony ecosystem partners avoid potential risks in advance. Those interested in the content of this issue can apply for a trial of the DevEco Testing injection attack testing service by clicking "Read the original text" on the official account and filling in the "Application for the Trial of DevEco Testing Testing Service".
More security testing solutions are coming soon, so stay tuned!