Fuzzing 101 Webinar on Zero Day Management
DESCRIPTION
In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We will demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general purpose fuzzing solutions. We will also show you how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we will discuss how you can tailor your defenses to block zero day attacks, which is a key aspect of vulnerability management.
TRANSCRIPT
WWW.CODENOMICON.COM
Zero Day Vulnerability Management
Fuzzing 101
Ari Takanen, CTO of Codenomicon
July 6th, 2010
About Fuzzing 101 and Codenomicon
Fuzzing 101:
• The webcast series for the fuzzing industry
• Vendor neutral presentations on fuzzing technologies and use-cases
• Includes invited speakers from the industry
Codenomicon:
• Fuzzing research since 1996
• 2001, spinoff from the University of Oulu
• 50-100% annual growth in number of customers and revenues in the fuzzing industry
About Ari Takanen
The Past: Researcher and Lecturer
• 1998-2002
• University of Oulu
• OUSPG/PROTOS research group
• Software Quality related lectures
The Present: Entrepreneur and Evangelist
• 2001-today
• CTO of Codenomicon
• Evangelist: 10 conference talks every year
• Author of two books:
  • VoIP Security
  • Fuzzing
Agenda
Intro: Zero Day Vulnerability Management
Demo in Theory
• Threat analysis with Network Analyzer
• Automated ZD detection with Fuzzing
• ZD remediation using IDS/IPS
• Patch verification with known vulnerability data
Demo in Practice
Zero Day Vulnerability Management
Moving from Reactive to Proactive
Security View: Window of Vulnerability
[Figure: window of vulnerability timeline. Software states: under vulnerability analysis, after product release, after the vulnerability process. Events along the TIME axis: bug appears, release, bug found, vulnerability found, vulnerability report, vulnerability fix available, patch release, advisory release, patch install. Exposure levels: zero exposure, limited exposure, public exposure.]
Challenges with Vulnerability Management
Detect vulnerabilities as they are found
• Not as they emerge; by then they are already in hiding
Most costs are in patch deployment
• Crisis management: each update needs immediate attention
• Ad-hoc deployment is prone to errors
• Maintenance downtime can be expensive
• New patches emerge several times a week
• No time to test the patch
Security Vulnerability = Just A Bug
Codenomicon Labs Test Results
http://www.codenomicon.com/labs/results
Some Helpful Definitions
Vulnerability – a weakness in software, a bug
Threat/Attack – exploit/worm/virus against a specific vulnerability
Protocol Modeling – Technique for explaining interface message sequences and message structures
Fuzzing – process and technique for security testing
Anomaly – abnormal or unexpected input
Failure – crash, busy-loop, memory corruption, or other indication of a bug in software
Zero Day Vulnerability Management (ZDVM)
Process of:
• Detecting attack vectors
• Finding zero-day vulnerabilities
• Building defenses
• Performing patch verification
• Deployment in one big security push
Test Setup for ZDVM
Virtual setups are easiest to control
Install two or three guest machines:
• Host running test targets
• Network analyzer
• Test station running the test tools
• Host running IDS/IPS such as Snort
Practice Targets: Known Vulnerable Software
Practice Targets: Betas and other bad quality stuff
WinSip Proxy is a good target for SIP fuzzing practice
Threat Analysis using Network Analyzers
Identify and prioritize!
Network Analysis for ZDVM
Problem today: NMAP only detects open server-side ports (not shown today!)
Instead of depending on network scanning and architecture designs, the network analyzer based approach builds the network diagram from real-life network traffic
Possible to detect all attack vectors and map the attack surface (protocol interfaces)
Extract any communications easily for reproduction and testing
Network Analyzer
% sudo vmnet-sniffer -w demo.pcap vmnet8
What Can You Do With Visual Analyzers
24/7 Multi-point recording
Instant reproduction data of any incidents or customer failures in the network
Forensics toolkit extension
Rootkit and Backdoor monitoring
And then the attack surface mapping we talked about
• More examples when we get to traffic capture fuzzing
Fuzzing for Zero Days
What you need to know to prepare for zero day discovery
Fuzz Test Effectiveness against WiFi
Fuzzing In Short
Fuzzing means crash-testing. Also called:
• Negative testing
• Robustness testing
• Grammar testing
Based on sending systematically broken (rarely random) inputs to software, in order to crash it
We will ignore random mutator fuzzers for now. Two techniques of smart model-based fuzzers:
• Template-based
• Specification-based
Model Based Fuzzing Techniques
Template Based Fuzzing
• Quality of tests is based on the used seed and modeling technique
• Very quick to develop, but slow to run
• Editing requires deep protocol know-how
• Good for testing around known vulnerabilities
Specification Based Fuzzing
• Full test coverage
• Always repeatable
• Short test cycle, more optimized tests
• Easy to edit and add tests
Coverage
Precision is about attack surface/protocol coverage
All interfaces/protocols tested?
All message sequences tested?
All message structures tested?
All data definitions tested?
All “tags” (values) tested?
Accuracy is about anomaly coverage
Anomaly categories? SQL? Buffer overflow?
All values: 0..65k, a..z, 0x00..0x255 ?
Combinations of anomalies?
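A template-based fuzz case generator for SIP, added here as an illustration and not the webinar's or Codenomicon's own tooling; it covers both the template-based technique from the previous slide and the precision/accuracy coverage questions on this one. The seed INVITE, the anomaly categories and the function names are constructed assumptions.

```python
# Added example, not from the webinar: a minimal template-based fuzz case
# generator for SIP. A captured request is the template; each header value is
# replaced in turn by anomalies drawn from named categories. The seed message,
# the anomaly library and all names below are constructed for illustration.
from typing import Dict, Iterator, List, Tuple

# Constructed seed: a plausible SIP INVITE, not a real capture.
SEED = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.org>;tag=1928\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Anomaly categories, in the spirit of the slide's "anomaly coverage" questions.
ANOMALIES: Dict[str, List[str]] = {
    "overflow":  ["A" * 256, "A" * 4096],
    "integer":   ["0", "-1", "65535", "4294967295"],
    "format":    ["%s%s%s%n", "%x" * 16],
    "delimiter": ["", " ", "\r\n", ";;;;"],
    "encoding":  ["\x00", "\xff" * 8],
}

def parse_headers(msg: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a SIP request into its request line and (name, value) header pairs."""
    lines = msg.partition("\r\n\r\n")[0].split("\r\n")
    headers = [tuple(line.split(": ", 1)) for line in lines[1:] if ": " in line]
    return lines[0], headers

def fuzz_cases(seed: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (header, category, test_case) with one header value replaced per case."""
    request_line, headers = parse_headers(seed)
    for i, (name, _) in enumerate(headers):
        for category, values in ANOMALIES.items():
            for anomaly in values:
                mutated = list(headers)
                mutated[i] = (name, anomaly)
                body = "\r\n".join(f"{n}: {v}" for n, v in mutated)
                yield name, category, f"{request_line}\r\n{body}\r\n\r\n"

def coverage(seed: str) -> Dict[str, int]:
    """Cases per header: which headers appear is precision, how many cases each gets is accuracy."""
    counts: Dict[str, int] = {}
    for header, _, _ in fuzz_cases(seed):
        counts[header] = counts.get(header, 0) + 1
    return counts
```

Each generated case keeps the request line and every other header intact, so a crash points at one header and one anomaly category.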
Anomaly Coverage Selection
FTP Fuzzing
Results
SIP Fuzzing & Results
WinSip breaks with almost any imaginable fuzz test case
Traffic Capture Fuzzing
Traffic Capture Fuzzing Results
Test against Samba seems to find a zero-day
Zero Day Remediation Using IDS/IPS
Block only what needs to be blocked!
Problem with IDS/IPS
Intrusion Detection Systems can only handle a limited number of fingerprints
Most of those monitored fingerprints are irrelevant to your specific production system
In the demo, the Snort IDS system is used to monitor traffic
• Default VoIP ruleset is used first
• Then Codenomicon additions in local.rules are loaded
Blocking Zero Days with IDS/IPS
By default, Snort does not detect any of the attacks against WinSip Proxy
With tailored rules, all effective attacks can be blocked
[Figure: demo setup showing the Defensics SIP UAS test suite, Snort IDS and the WinSip Proxy.]
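The check a tailored IDS rule encodes, written out as an added Python example (not the webinar's Snort rules, which the slides do not reproduce): it flags the header anomalies a SIP fuzzer produces, so that only traffic matching what actually broke the proxy raises an alert. The length limit, the required-header set and the sample messages are constructed assumptions.

```python
# Added example, not from the webinar: the kind of check a tailored IDS rule
# encodes, written in Python so it can be run over captured SIP requests.
# The limits, the required-header set and the sample messages are constructed
# here for illustration; in the demo the real rules live in Snort's local.rules.
from typing import List

MAX_HEADER_VALUE = 512   # constructed limit; set to what the proxy is known to tolerate
# Headers RFC 3261 requires in every request; their absence is a cheap anomaly signal.
REQUIRED = {"Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards"}

def sip_alerts(raw: bytes) -> List[str]:
    """Return alert reasons for one SIP request; an empty list means no alert."""
    alerts: List[str] = []
    if any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in raw):
        alerts.append("non-printable byte in message")
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    seen = set()
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ": " not in line:
            alerts.append(f"malformed header line: {line[:20]!r}")
            continue
        name, value = line.split(": ", 1)
        seen.add(name)
        if len(value) > MAX_HEADER_VALUE:
            alerts.append(f"{name} value too long ({len(value)} bytes)")
        if "%n" in value or "%s%s" in value:
            alerts.append(f"{name} contains format-string pattern")
    missing = REQUIRED - seen
    if missing:
        alerts.append("missing mandatory headers: " + ", ".join(sorted(missing)))
    return alerts

# Constructed messages: a well-formed INVITE and a fuzz-style mutation of it.
GOOD = (b"INVITE sip:bob@example.org SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        b"From: <sip:alice@example.org>;tag=1928\r\n"
        b"To: <sip:bob@example.org>\r\n"
        b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        b"CSeq: 314159 INVITE\r\n"
        b"Max-Forwards: 70\r\n"
        b"Content-Length: 0\r\n\r\n")
BAD = GOOD.replace(b"<sip:bob@example.org>", b"A" * 1024).replace(b"314159", b"%s%s%n")
```

The same three conditions (over-long value, format-string pattern, missing mandatory header) map directly onto what a content-matching IDS rule can express, which is why rules tailored from fuzzing results stay small.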
Load Snort default
Attack WinSip – Snort Does Not Detect
Alert Raised by Codenomicon Ruleset
Patch Verification for Known Issues
Do you trust the vendor patches?
Blind Trust on Known Vulnerabilities
Most patches are released in a hurry
Vulnerability data is not necessarily available for testing variants of the bug
Configuration can affect test results
Combining vulnerability feeds with traffic capture fuzzing will test
• the vulnerable software
• the patches issued by vendors
• the security defenses
Patch Verification with Vulnerability Feeds
Fuzzing with Known Vulnerabilities
With PCAP, you can just load it in the traffic capture fuzzer
With other POC exploits, you run them and collect the PCAP with Network Analyzer, and then fuzz it
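Extracting seeds from a PCAP, as an added example not taken from the webinar or from any Codenomicon product: a small libpcap reader that returns the UDP payloads a traffic capture fuzzer would mutate. The capture is constructed inline, and link types other than Ethernet are assumed out of scope.

```python
# Added example, not from the webinar: pulling UDP payloads out of a PCAP so
# they can serve as seeds for traffic capture fuzzing. This parses the classic
# libpcap file format (Ethernet link type, IPv4, UDP only); the capture below
# is constructed in-line rather than recorded with a network analyzer.
import struct
from typing import List, Tuple

def udp_payloads(pcap: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (src_port, dst_port, payload) for every IPv4/UDP frame in a pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # writer's byte order
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:          # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled here")
    out, pos = [], 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:                              # protocol 17 = UDP
            continue
        udp = frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        out.append((sport, dport, udp[8:ulen]))
    return out

def build_pcap(packets: List[Tuple[int, int, bytes]]) -> bytes:
    """Constructed helper: wrap UDP payloads in a minimal Ethernet/IPv4/UDP pcap
    (checksums left zero, which the reader above does not verify)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sport, dport, payload in packets:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip              # zeroed MAC addresses
        data += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return data

# Constructed capture: one SIP OPTIONS request and one unrelated DNS-port datagram.
SAMPLE = build_pcap([(5060, 5060, b"OPTIONS sip:proxy@example.org SIP/2.0\r\n\r\n"),
                     (40000, 53, b"\x12\x34\x01\x00")])
```

Filtering the returned tuples by destination port is how you pick the one interface under test out of a capture that also holds unrelated traffic.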
Conclusions
Vulnerability management is not about known vulnerabilities and testing all of them
Blocking all vulnerabilities (attacks) does not work
The solution is to find out what is relevant to you, and block those proactively
Process is simple:
• Map the attack surface
• Test for both zero days and known issues
• Remediate with tailored IDS rules
This should be a continuous process even after deployment
Our Book On Fuzzing!
http://www.fuzz-test.com/book/
Takanen, DeMott and Miller: “Fuzzing for Software Security Testing and Quality Assurance”
Aimed at the general public, you do not need to be a security specialist to read this book
Purpose of the book is to teach next-gen testing approaches to:
• Software practitioners
• Security engineers
• Academics
PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS
THANK YOU – QUESTIONS?
“Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them.
....Testers!
Break that software (as you must) and drive it to the ultimate
- but don’t enjoy the programmer’s pain.”
[from Boris Beizer]