From: Johannes Berg <johannes@sipsolutions.net>
To: Ben Greear <greearb@candelatech.com>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: Break-it testing for wifi
Date: Tue, 22 Nov 2016 11:56:55 +0100 [thread overview]
Message-ID: <1479812215.9021.3.camel@sipsolutions.net> (raw)
In-Reply-To: <a60dac22-655e-ea93-61c2-73db05a47572@candelatech.com> (sfid-20161121_171042_142074_00CD9837)
On Mon, 2016-11-21 at 08:10 -0800, Ben Greear wrote:
> I am thinking about adding some sort of framework to wpa_supplicant
> and/or the mac80211 stack to allow purposefully creating bad station
> behaviour in order to test robustness of APs.
I'm interested in this.
Have you seen the fuzzer stuff in wpa_s/hostapd?
See
https://w1.fi/cgit/hostap/commit/?id=7d3f18d72c3c883112ee927fc402c0eaed09ff65
for example for something Jouni did after our discussions recently.
> Some ideas so far:
>
> 1) Allow supplicant to do bad state-machine transitions (start 4-way
> before associating, for instance).
Why would you do that? In order to test the AP implementation?
> 2) Randomly corrupt mgt frames in driver and/or mac80211 stack
> and/or supplicant.
I think fuzzing the input path for those frames would be more useful
than just corrupting things.
> 3) Possibly allow user to make specific corruptions. This would
> probably be in supplicant
> only, and I am not sure how this would be configured. Maybe
> allow user to over-ride
> existing IEs and add bogus ones of their own choosing.
No idea what you really mean by this :)
> 4) Maybe some specific tests like putting in over-flow sized lengths
> of IEs.
Again, fuzzing would cover this?
> Has anyone done anything similar they would like to share?
>
> Johannes: Any interest in having such a framework in upstream
> kernels?
I suspect you have something entirely different in mind, like testing a
(remote) AP implementation?
All of the local testing is probably better done via hwsim?
johannes
next prev parent reply other threads:[~2016-11-22 10:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-21 16:10 Break-it testing for wifi Ben Greear
2016-11-21 16:28 ` Mohammed Shafi Shajakhan
[not found] ` <CALLGbR+q=QKLgXj6jYJ_jUdvrh2GcOk_3NkndTf2JWZsOqzecQ@mail.gmail.com>
2016-11-21 17:19 ` Ben Greear
2016-11-22 10:56 ` Johannes Berg [this message]
2016-11-22 16:59 ` Ben Greear
2016-11-23 22:29 ` Jouni Malinen
2016-11-28 14:28 ` Johannes Berg
2016-11-28 15:14 ` Ben Greear
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1479812215.9021.3.camel@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=greearb@candelatech.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.