Fuzzing 101 Webinar on Zero Day Management
WWW.CODENOMICON.COM
Zero Day Vulnerability Management
Fuzzing 101
Ari Takanen, CTO of Codenomicon
July 6th, 2010
About Fuzzing 101 and Codenomicon
Fuzzing 101:
• The webcast series for the fuzzing industry
• Vendor neutral presentations on fuzzing technologies and use-cases
• Includes invited speakers from the industry
Codenomicon:
• Fuzzing research since 1996
• 2001, spinoff from the University of Oulu
• 50-100% annual growth in number of customers and revenues in the fuzzing industry
About Ari Takanen
The Past: Researcher and Lecturer
• 1998-2002
• University of Oulu
• OUSPG/PROTOS research group
• Software quality related lectures
The Present: Entrepreneur and Evangelist
• 2001-today
• CTO of Codenomicon
• Evangelist: 10 conference talks every year
• Author of two books: VoIP Security, Fuzzing
Agenda
Intro: Zero Day Vulnerability Management
Demo in Theory
• Threat analysis with Network Analyzer
• Automated ZD detection with Fuzzing
• ZD remediation using IDS/IPS
• Patch verification with known vulnerability data
Demo in Practice
Zero Day Vulnerability Management
Moving from Reactive to Proactive
Security View: Window of Vulnerability
[Timeline figure: three software states over time (SW under vulnerability analysis, SW after product release, SW after the vulnerability process); events in order: bug appears, release, bug found, vulnerability found, vulnerability report, vulnerability fix available, patch release, advisory release, patch install; exposure moves from zero to limited to public]
Challenges with Vulnerability Management
Vulnerabilities are detected as they are found
• Not as they emerge: by then they have already been hiding in the software
Most costs are in patch deployment
• Crisis management: each update needs immediate attention
• Ad-hoc deployment is prone to errors
• Maintenance downtime can be expensive
• New patches emerge several times a week
• No time to test the patch
Security Vulnerability = Just A Bug
Codenomicon Labs Test Results
http://www.codenomicon.com/labs/results
Some Helpful Definitions
Vulnerability – a weakness in software, a bug
Threat/Attack – exploit/worm/virus against a specific vulnerability
Protocol Modeling – Technique for explaining interface message sequences and message structures
Fuzzing – process and technique for security testing
Anomaly – abnormal or unexpected input
Failure – crash, busy-loop, memory corruption, or other indication of a bug in software
Zero Day Vulnerability Management (ZDVM)
Process of:
• Detecting attack vectors
• Finding zero-day vulnerabilities
• Building defenses
• Performing patch verification
• Deployment in one big security push
Test Setup for ZDVM
Virtual setups are easiest to control
Install two or three guest machines:
• Host running test targets
• Network analyzer
• Test station running the test tools
• Host running IDS/IPS such as Snort
Practice Targets: Known Vulnerable Software
Practice Targets: Betas and other bad quality stuff
WinSip Proxy is a good target for SIP fuzzing practice
Threat Analysis using Network Analyzers
Identify and prioritize!
Network Analysis for ZDVM
Problem today: NMAP only detects open server-side ports (not shown today!)
Instead of depending on network scanning and architecture designs, a network analyzer based approach builds the network diagram from real-life network traffic
Possible to detect all attack vectors and map the attack surface (protocol interfaces)
Extract any communication easily for reproduction and testing
Network Analyzer
% sudo vmnet-sniffer -w demo.pcap vmnet8
What Can You Do With Visual Analyzers
24/7 Multi-point recording
Instant reproduction data of any incidents or customer failures in the network
Forensics toolkit extension
Rootkit and Backdoor monitoring
And then the attack surface mapping we talked about
• More examples when we get to traffic capture fuzzing
Fuzzing for Zero Days
What you need to know to prepare for zero day discovery
Fuzz Test Effectiveness against WiFi
Fuzzing In Short
Fuzzing means crash-testing. Also called:
• Negative testing
• Robustness testing
• Grammar testing
Based on sending systematically broken (rarely random) inputs to software in order to crash it
We will ignore random mutator fuzzers for now. Two techniques of smart model-based fuzzers:
• Template-based
• Specification-based
Model Based Fuzzing Techniques
Template Based Fuzzing
• Quality of tests depends on the seed and the modeling technique used
• Very quick to develop, but slow to run
• Editing requires deep protocol know-how
• Good for testing around known vulnerabilities
Specification Based Fuzzing
• Full test coverage
• Always repeatable
• Short test cycle, more optimized tests
• Easy to edit and add tests
Coverage
Precision is about attack surface/protocol coverage
• All interfaces/protocols tested?
• All message sequences tested?
• All message structures tested?
• All data definitions tested?
• All “tags” (values) tested?
Accuracy is about anomaly coverage
• Anomaly categories? SQL? Buffer overflow?
• All values: 0..65k, a..z, 0x00..0x255 ?
• Combinations of anomalies?
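The two coverage axes above, precision (every field of the model is reached) and accuracy (every anomaly category is applied where it fits), are easiest to see in code. The following is an added example written for this page, not Defensics and not code from the webinar: a toy specification-based fuzzer over an assumed, cut-down SIP request model, with an assumed anomaly library, a coverage report, and a constructed sloppy parser standing in for the software under test so that the "failure" outcome from the definitions slide (an uncaught exception here, a crash in real life) has something to hit.

```python
"""Added example: toy specification-based fuzzer with coverage accounting.
Not Defensics or any Codenomicon code; the protocol model, the anomaly
library and the target parser below are all assumed for illustration."""

# Assumed protocol model: field name, valid sample value, field type.
MODEL = [
    ("method",  "INVITE",                    "token"),
    ("uri",     "sip:bob@example.invalid",   "string"),
    ("version", "SIP/2.0",                   "token"),
    ("via",     "SIP/2.0/UDP 10.0.0.1:5060", "string"),
    ("cseq",    "1",                         "int"),
]

# Anomaly library grouped by category; each entry maps a valid value to a
# broken one. Systematic rather than random, as the slides stress.
ANOMALIES = {
    "overflow": [lambda v: v + "A" * 4096, lambda v: v * 256],
    "format":   [lambda v: "%s%n%x" * 8, lambda v: v + "%s" * 64],
    "empty":    [lambda v: ""],
    "integer":  [lambda v: "0", lambda v: "-1", lambda v: "65535", lambda v: "4294967296"],
    "binary":   [lambda v: v + "\x00", lambda v: "\xff" * 32],
}
# Which categories apply to which field type (accuracy: anomaly coverage).
APPLICABLE = {
    "token":  ["overflow", "format", "empty", "binary"],
    "string": ["overflow", "format", "empty", "binary"],
    "int":    ["integer", "overflow", "empty"],
}


def render(values):
    """Serialise model values into a request with CRLF line endings."""
    return (f"{values['method']} {values['uri']} {values['version']}\r\n"
            f"Via: {values['via']}\r\nCSeq: {values['cseq']}\r\n\r\n")


def generate_cases():
    """Yield (field, category, message): one field broken at a time, every
    applicable category, every anomaly in that category. Precision comes
    from walking every field; accuracy from walking every category."""
    valid = {name: value for name, value, _ in MODEL}
    for name, value, ftype in MODEL:
        for category in APPLICABLE[ftype]:
            for mutate in ANOMALIES[category]:
                case = dict(valid, **{name: mutate(value)})
                yield name, category, render(case)


def coverage_report(cases):
    """Summarise what a case list covers on both axes."""
    return {
        "cases": len(cases),
        "fields": len({field for field, _, _ in cases}),
        "categories": len({cat for _, cat, _ in cases}),
    }


def naive_parse(message):
    """Constructed target under test, standing in for the software being
    fuzzed. It trusts its input, so some anomalies raise uncaught exceptions,
    which the campaign records as failures (the slides' "crash" outcome)."""
    lines = message.split("\r\n")
    method, uri, version = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:] if line)
    via_host = headers["Via"].split(" ")[1]   # IndexError when Via has no space
    cseq = int(headers["CSeq"])               # ValueError when CSeq is not numeric
    return method, uri, via_host, cseq


def run_campaign(target, cases=None):
    """Feed every case to target; return (field, category, exception name)
    for each case the target did not survive."""
    failures = []
    for field, category, message in (cases if cases is not None else generate_cases()):
        try:
            target(message)
        except Exception as exc:  # anything uncaught is a robustness failure
            failures.append((field, category, type(exc).__name__))
    return failures


if __name__ == "__main__":
    all_cases = list(generate_cases())
    print(coverage_report(all_cases))
    for failure in run_campaign(naive_parse, all_cases):
        print("FAIL", failure)
```

With the assumed model this produces 35 cases touching all 5 fields and all 5 categories; the constructed parser survives the request-line anomalies but falls over on five Via and CSeq cases, which is exactly the kind of per-field, per-category result a test report from a specification-based tool is built from. A template-based fuzzer differs only in where `MODEL` comes from: a captured message is parsed into fields first, then the same anomaly walk applies.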
Anomaly Coverage Selection
FTP Fuzzing
Results
SIP Fuzzing & Results
WinSip breaks with almost any imaginable fuzz test case
Traffic Capture Fuzzing
Traffic Capture Fuzzing Results
A test against Samba seems to find a zero-day
Zero Day Remediation Using IDS/IPS
Block only what needs to be blocked!
Problem with IDS/IPS
Intrusion Detection Systems can only handle a limited number of fingerprints
Most of those monitored fingerprints are irrelevant to your specific production system
In the demo, the Snort IDS system is used to monitor traffic
• The default VoIP ruleset is used first
• Then the Codenomicon additions in local.rules are loaded
Blocking Zero Days with IDS/IPS
By default, Snort does not detect any of the attacks against WinSip Proxy
With tailored rules, all effective attacks can be blocked
[Diagram: Defensics SIP UAS, Snort IDS, WinSip Proxy]
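Why a stock ruleset misses fuzzed traffic while a few tailored rules catch it comes down to what each rule actually tests. The following is an added example written for this page; it is not Snort and not the Codenomicon ruleset. A small Python matcher evaluates two constructed rule sets against the same constructed SIP payloads: a "default" set that only knows one specific, already-published bad shape, and a "local.rules" style set with length and syntax checks of the kind one writes after seeing what the fuzzer made the proxy choke on. `Rule` fields are simplified analogues of Snort's msg/content/pcre options, `to_snort()` renders an assumed local.rules line, and every threshold and sid is made up for illustration.

```python
"""Added example: content-only signature versus tailored checks over SIP
payloads. Not Snort; rule fields mimic Snort's msg/content/pcre options
and all rules, sids, thresholds and payloads are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: str          # literal pre-filter, like Snort's content:
    pcre: str = ""        # regex applied only after content matched
    flags: int = re.M

    def matches(self, payload):
        text = payload.decode("latin-1")  # byte-preserving view for the regex
        if self.content not in text:
            return False
        return not self.pcre or re.search(self.pcre, text, self.flags) is not None

    def to_snort(self):
        """Render as a Snort-style rule line for local.rules (assumed form)."""
        opts = f'msg:"{self.msg}"; content:"{self.content}";'
        if self.pcre:
            opts += f' pcre:"/{self.pcre}/m";'
        return f"alert udp any any -> any 5060 ({opts} sid:{self.sid}; rev:1;)"


# Stand-in for a stock signature set: it knows one published bad shape only.
DEFAULT_RULES = [
    Rule(1, "SIP request line over 1024 bytes", "INVITE", r"^INVITE [^\r\n]{1024,}"),
]

# Tailored additions for this deployment, written from what fuzzing showed the
# proxy cannot survive. Thresholds are assumed for illustration.
LOCAL_RULES = [
    Rule(1000001, "SIP header value over 512 bytes", "SIP/2.0", r"^[A-Za-z-]+:[^\r\n]{512,}"),
    Rule(1000002, "SIP CSeq not a positive integer", "CSeq:", r"^CSeq:(?!\s*\d+\b)"),
    Rule(1000003, "SIP request without Via header", "SIP/2.0", r"\A(?![\s\S]*^Via:)"),
]

# Constructed sample payloads (UDP to port 5060), not real captures.
REQ = b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
SAMPLES = {
    "normal":   REQ + b"Via: SIP/2.0/UDP 10.0.0.1:5060\r\nCSeq: 1 INVITE\r\n\r\n",
    "long_via": REQ + b"Via: " + b"A" * 600 + b"\r\nCSeq: 1 INVITE\r\n\r\n",
    "bad_cseq": REQ + b"Via: SIP/2.0/UDP 10.0.0.1:5060\r\nCSeq: -1 INVITE\r\n\r\n",
    "no_via":   REQ + b"CSeq: 1 INVITE\r\n\r\n",
}


def alerts(rules, payload):
    """Messages of every rule in the set that fires on this payload."""
    return [rule.msg for rule in rules if rule.matches(payload)]


def evaluate(rules):
    """Map every sample name to the alerts the rule set raises for it."""
    return {name: alerts(rules, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    print("default:", evaluate(DEFAULT_RULES))
    print("local:  ", evaluate(LOCAL_RULES))
    for rule in LOCAL_RULES:
        print(rule.to_snort())
```

The default set raises nothing on any of the four samples, including the three malformed ones, because its one signature describes a different shape. The tailored set stays silent on the normal INVITE and raises exactly one alert per malformed sample, which is the "block only what needs to be blocked" outcome: rules derived from the observed failures of the target, not a catalogue of everyone else's fingerprints.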
Load Snort default
Attack WinSip – Snort Does Not Detect
Alert Raised by Codenomicon Ruleset
Patch Verification for Known Issues
Do you trust the vendor patches?
Blind Trust on Known Vulnerabilities
Most patches are released in a hurry
Vulnerability data is not necessarily available for testing variants of the bug
Configuration can affect test results
Combining vulnerability feeds with traffic capture fuzzing will test
• the vulnerable software
• the patches issued by vendors
• the security defenses
Patch Verification with Vulnerability Feeds
Fuzzing with Known Vulnerabilities
With PCAP, you can just load it in the traffic capture fuzzer
With other POC exploits, you run them and collect the PCAP with Network Analyzer, and then fuzz it
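Both the attack-surface mapping from the network analysis slides and the "load the PCAP into the traffic capture fuzzer" step here start from the same thing: walking a capture file and pulling out who talks to which service with what bytes. The following is an added example written for this page, not Codenomicon's analyzer or Defensics: a minimal reader for classic libpcap files that lists the service endpoints observed in the traffic (the attack surface) and extracts the payloads sent to one endpoint as fuzzing seeds. The capture is built in memory from made-up addresses and payloads, and the "lower port number is the service side" rule is an assumed heuristic, not something the slides state.

```python
"""Added example: classic pcap reader, attack-surface listing and seed
extraction. Not Codenomicon code; capture contents and the service-side
heuristic are assumed for illustration."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap; little-endian on disk reads d4 c3 b2 a1
ETH = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800)  # dst MAC, src MAC, IPv4


def _ipv4(src, dst, proto, l4):
    """IPv4 header with the checksum left at zero (fine for an offline sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + l4


def udp_frame(src, sport, dst, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ETH + _ipv4(src, dst, 17, udp)


def tcp_frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    return ETH + _ipv4(src, dst, 6, tcp)


def build_pcap(frames):
    """Serialise frames as a little-endian pcap 2.4 file with Ethernet link type."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1278374400 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def _parse_frame(frame):
    """Ethernet/IPv4/{UDP,TCP} frame -> dict, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": "udp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": l4[8:]}
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        offset = (l4[12] >> 4) * 4
        return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": l4[offset:]}
    return None


def packets_from_pcap(data):
    """Walk the record list; both byte orders of the classic magic are accepted."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(order + "HHiIII", data[4:24])[5]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record")
        offset += 16 + incl_len
        parsed = _parse_frame(frame)
        if parsed:
            packets.append(parsed)
    return packets


def attack_surface(packets):
    """Service endpoints (host, proto, port) seen in the traffic. Assumed
    heuristic: within a flow, the side with the lower port number is the service."""
    services = set()
    for p in packets:
        if p["dport"] <= p["sport"]:
            services.add((p["dst"], p["proto"], p["dport"]))
        else:
            services.add((p["src"], p["proto"], p["sport"]))
    return sorted(services)


def seeds_for(packets, host, port):
    """Payloads sent to one service: the seeds a traffic capture fuzzer mutates."""
    return [p["payload"] for p in packets if p["dst"] == host and p["dport"] == port and p["payload"]]


# Constructed capture: one SIP exchange with a proxy and one SMB request.
SAMPLE_CAPTURE = build_pcap([
    udp_frame("10.0.0.1", 40000, "10.0.0.2", 5060, b"INVITE sip:bob@10.0.0.2 SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"),
    udp_frame("10.0.0.2", 5060, "10.0.0.1", 40000, b"SIP/2.0 100 Trying\r\nCSeq: 1 INVITE\r\n\r\n"),
    tcp_frame("10.0.0.1", 40001, "10.0.0.3", 445, b"\x00\x00\x00\x2f\xffSMB"),
])

if __name__ == "__main__":
    pkts = packets_from_pcap(SAMPLE_CAPTURE)
    for host, proto, port in attack_surface(pkts):
        print(host, proto, port, "seeds:", len(seeds_for(pkts, host, port)))
```

Run stand-alone it lists the two services the constructed capture exposes, the SIP proxy on UDP 5060 and the SMB service on TCP 445, with one seed each. A real capture from the analyzer (for instance the `demo.pcap` written by the sniffer command on the Network Analyzer slide) goes through the same functions; the seeds returned are what a template-based fuzzer splits into fields and mutates, and the same reader handles a PCAP that arrived with a published proof of concept.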
Conclusions
Vulnerability management is not about known vulnerabilities and testing all of them
Blocking all vulnerabilities (attacks) does not work
The solution is to find out what is relevant to you, and block those proactively
Process is simple:
• Map the attack surface
• Test for both zero days and known issues
• Remediate with tailored IDS rules
This should be a continuous process even after deployment
Our Book On Fuzzing!
http://www.fuzz-test.com/book/
Takanen, DeMott and Miller: “Fuzzing for Software Security Testing and Quality Assurance”
Aimed at the general public, you do not need to be a security specialist to read this book
Purpose of the book is to teach next-gen testing approaches to:
• Software practitioners
• Security engineers
• Academics
PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS
THANK YOU – QUESTIONS?
“Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them.
....Testers!
Break that software (as you must) and drive it to the ultimate
- but don’t enjoy the programmer’s pain.”
[from Boris Beizer]