• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Be Storm - Automated Application/Software  Vulnerability Testing
 

Be Storm - Automated Application/Software Vulnerability Testing

on

  • 789 views

beSTORM performs a comprehensive analysis, exposing security holes in your products during development and after release.

beSTORM performs a comprehensive analysis, exposing security holes in your products during development and after release.
beSTORM represents a new approach to security auditing

Statistics

Views

Total Views
789
Views on SlideShare
785
Embed Views
4

Actions

Likes
0
Downloads
17
Comments
0

2 Embeds 4

http://www.linkedin.com 2
https://www.linkedin.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • - A new huge hole every 6-9 months -

Be Storm - Automated Application/Software  Vulnerability Testing Be Storm - Automated Application/Software Vulnerability Testing Presentation Transcript

  • Beyond Security Product presentation beSTORM Amit Shirolkar Avi Electronics & Networks Pvt Ltd www.AviElectronic.com www.BeyondSecurity.com www.SecuriTeam.com
  • About Beyond Security
    • Provides a vulnerability assessment & self-management solutions
    • Enables continuous network, server, database & application security
    • Operates SecuriTeam.com, the 2nd largest IT security portal (1.5 million page views/month)‏
    • Privately held & profitable
    • R&D office in Israel, sales offices in McLean, VA and Chicago, IL
    • Sales via distribution channels in 16 countries
  • SecuriTeam.com - IT security portal
    • Established in 1998 by Beyond Security's founders
    • Trusted by hackers & security pros
    • Provides a sustainable competitive advantage because Beyond Security learns about vulnerabilities first directly from hackers
    • 2.3 M unique visitors in 2004
    • 1.5 M monthly page views
    • Intellectual Property based on
      • 5 years of ongoing R&D development
      • Compiling a knowledgebase of 7,500 vulnerabilities & over 3,000 attack scripts
      • Knowledge acquired from SecuriTeam.com since 1998
      • Participated in security product reviews of some of the most well-known vendors
      • Discovered and documented dozens of security holes by our own R&D team (see: http://www.securiteam.com/advisories/)‏
    Beyond Security knows vulnerabilities
  • What is a vulnerability?
    • A security weakness in an application, operating system, network device or hardware
    • This weakness can be exploited to cause harm
    • Hundreds of vulnerabilities uncovered every year, many of them are actively exploited
    • With development cycles growing shorter, more vulnerabilities surface
    • Detecting vulnerabilities during development is difficult
    • Detecting them after development is costly
  • Fuzzing – a Quick Overview
    • From Wikipedia:
    • Fuzz testing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data. If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct.
    • The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.
  • Types of Fuzzing
    • There are two main type of fuzzers
    • Standalone tools - specifically designed for a single protocol
      • A non generic fuzzer for protocols such as:
        • SNMP
        • SMTP
        • etc
    • Fuzzing Framework
      • A generic fuzzer that supports adding of additional protocols with ease
  • Types of Fuzzing - Continued
    • Manual fuzzing
      • Use normal client/server
      • Observe what happens
      • Look for interesting data (size fields, ...)‏
      • Change some of this data
      • Observe what happens
    • Semi-automatic fuzzing
      • Have a tiny script/program
      • Do one run, see what happens
    • Automatic fuzzing:
      • Use a script/program and iterate over a lot of possible outputs (can be an endless loop)‏
      • Just wait till something crashes
  • Enter SPIKE (1 st Generation Fuzzing)‏
    • SPIKE is a preliminary tool; unstable and finds nearly no vulnerabilities
    • SPIKE deserves a lot of credit though, for it introduced Block-Based Protocol Analysis
  • 2 nd Generation Fuzzing
    • What is a 2 nd generation fuzzer?
      • Stable fuzzer - can run continuously for weeks or months
      • Actually find vulnerabilities
      • First test in ways that are likely to find results (80/20 – cover 20% which is likely to find 80% of the problems)‏
      • Test with hundreds of thousands of attempts equal to tens of millions
      • Don’t just “throw AAAAA’s”
      • Distributed fuzzing
      • Discover flaws that don't cause crashes, by cause unexpected behavior
      • Generate intricate sessions – connect, get something from server, use it for next session ...
      • Support output forms of not just sockets – i.e. files
      • ...
  • What is beSTORM? 1/3
    • A unique approach to finding security holes during development:
    • A 2 nd generation fuzzer
    • Finds vulnerabilities by actually trying the attacks and seeing if they were successful
    • Tests at the network/protocol level
    • Exhaustively testing the full test-space rather than focusing on a limited number of scenarios
    • Stable and repeatable testing for security compliance checking
  • What is beSTORM? 2/3
    • beSTORM's strong points
    • Generates not just malformed packets but also sessions, malformed sessions include:
      • Out of order sessions – the order at which packets from a session are sent is reversed or “randomized”
      • Overlapping sessions – the follow-up packet re-initiates or utilizes different values that it should have
      • Missing sessions – the session is never completed, or properly closed
  • What is beSTORM? 3/3
    • beSTORM generates session containing:
      • One or more malformed value found inside the packet(s) – non AlphaNumeric data if such is expected
      • One or more malformed relationship between values found inside the packet(s) – Size, description , etc related
      • Oversized value
      • Undersized value
      • Non-expected value – if a session number should have been written, a non-relevant data is provided, such as in the case of reuse of previously closed session number
  • How Does beSTORM Work? 1/3
    • beSTORM works by fuzzing such protocols as:
      • HTTP
      • SIP (VoIP)‏
      • FTP, SMTP, etc
    • Practically every possible protocol combination is sent to the application – in some cases as much as 10 10 or more combinations
    • Covers malformed requests as well as obscure protocol features
  • How Does beSTORM Work? 2/3
    • A powerful monitor detects if even the slightest buffer overflow, format string, or similar problem occurred
    • Runs automatically until the protocol is exhausted, trying the most probable combinations first
    • beSTORM modules are built to recognize the protocols' inner workings and to know whether one value affects another one
      • This causes beSTORM to further test it with the relation of other values
  • How Does beSTORM Work? 3/3
    • You can defined rules to exclude certain scenarios from occurring
      • Don't overflow a certain value
      • Don't try to send data in out-of-order manner
      • etc
    • Each module has its own rules which allows it to go through certain more probable combinations first
      • For HTTP
        • Overflow the URI
        • Overflow the Host header
        • etc
  • beSTORM at Work
    • The following screenshot illustrates a malformed HTTP packets:
    • As can be seen more than one segment of the is malformed
  • beSTORM Eliminates Vulnerabilities
    • The only technology to search and find security holes:
      • During development
      • Without requiring the source code
      • In a methodical way that can be reproduced
      • Designed to be used by the developers or QA personnel
  • Competition
    • Source-code audit tools:
      • Very high false-positives rate
      • Not scalable
      • Do not always integrate well with source-versioning applications used by customers
      • Cannot be used for certification/formal validation
    • Consultants (home-made tools):
      • Manual checks
      • Expensive
      • Cannot be done on frequent basis
      • Requires disclosing possibly sensitive information with a 3 rd party
  • IIS Case Study
    • When testing Microsoft's IIS web server, beSTORM detected the first buffer overflow vulnerability after only 4 ½ minutes
    • During those 4 ½ minutes, 160,000 attack combinations were tested
    • The buffer overflow was pinpointed and can be reproduced
    • The vulnerability leads to remote compromise of the machine running IIS
  • ISA Case Study
    • When testing Microsoft's ISA server, beSTORM detected the first logging error vulnerability after only 10 minutes
    • During those 10 minutes, 500,000 attack combinations were tested
    • The logging error was pinpointed and reproduced by Microsoft, an advisory is in process of being released
    • The vulnerability allows attackers to corrupt the ISA server's log file with arbitrary characters that are normally filtered out
  • Aladdin Case Study
    • Security leader turns to Beyond Security for security validation
    • Aladdin Knowledge Systems (ALDN) uses beSTORM to perform a security audit for their eSafe email content security solution to confirm their product is free from vulnerabilities or security weaknesses
    • beSTORM's SMTP module contains over 500,000 attack combinations
  • Aladdin Case Study
    • Security leader turns to Beyond Security for security validation
    • “ Beyond Security's vulnerability audit confirms... eSafe 4 offers our customers a virtually impregnable defense against email-based security threats.”
    • Shimon Gruper, EVP Internet Technologies, Aladdin Knowledge Systems
  • Clients & Partners