Fuzzing with Aegis

Aegis is a set of fuzzing test cases for ICS/SCADA protocols. The tests are written using several different methodologies to enhance test coverage:

It combines aspects of generational and mutational fuzzing to provide deep coverage of the target software.

Generic concepts

Aegis uses a plug-in architecture internally so that protocol modules and test cases can be easily added to the platform. For the user, this means that the generic concepts you learn for one module are applicable to another. These concepts are the same whether you are using the console or the studio (GUI).

Test flow

A single test case consists of a test message, preceded or followed by one more health checks.

<------> optional health check(s)

=======> test message

<------> optional health check(s)

This strategy will typically help the tester identify the exact test case that caused the target to fail. Sometimes, more complex bugs that involve subtle memory corruptions or non-deterministic behavior will require the use of a debugger or companion tooling as described in another section. Future versions of Aegis may "close the loop" with some of these application monitors to provide more direct feedback on fault analysis to the fuzzer.

Test case ids

Test cases are referred to by their incrementing numeric id. This id starts at zero, and increments to the number of the test cases in the procedure (minus one). You can skip to a particular test case at any time using the start parameter in the studio or console. When a start value is supplied, the fuzzer spins through the seeded random number generator and all of the test frames quickly without transmitting them. This ensures that you get the exact same frame within the procedure as if you had run through all the preceding tests.

Other configurable generic test options are described in the studio section of the documentation.

Communications

Aegis uses an abstract channel interface internally. Tests are unaware of how they are communicating with the target. You need to refer to your specific protocol and ensure that you have configured the communications appropriately. This release supports the following channels: