
BeStorm Introduction



beSTORM is a security assessment tool that uncovers common security
vulnerabilities in products during the development cycle. Unlike today's
generation of vulnerability assessment tools, beSTORM does not look for certain
attack signatures or attempt to locate known vulnerabilities in products, but rather
performs an exhaustive analysis in order to uncover new and unknown
vulnerabilities in network products. beSTORM, the Second Generation Fuzzer from Beyond Security, attempts to exhaustively
check the protocol implementation of applications.



  • 1. beSTORM
  • 2.
    • We specialize in vulnerabilities
    About Beyond Security
  • 3.
    • We specialize in vulnerabilities
    • and develop tools to find them
    About Beyond Security
  • 4. Our Technology: AVDS, beSTORM
  • 5. Our Technology - AVDS: Automated Vulnerability Detection System ("VA"). Know that your network is safe.
  • 6. Our Technology - SecuriTeam: Security portal / Knowledge Source
  • 7. Our Technology - beSTORM: Product testing ("fuzzing")
  • 8.  
  • 9. What is beSTORM
    • A unique approach to finding security holes in your products
    • A 2nd generation fuzzer
    • Finds vulnerabilities by actually trying the attacks and seeing if they were successful
    • Tests at all the levels, including network, protocol, file, hardware, DLL and API
    • Exhaustively testing the full test-space rather than focusing on a limited number of scenarios
    • Stable and repeatable testing for security compliance checking
  • 10. Attack types
    • Generates attacks containing:
      • One or more malformed values found inside the packet(s) – non-alphanumeric data where alphanumeric data is expected
      • One or more malformed relationships between values found inside the packet(s) – size, description
      • Oversized value
      • Undersized value
      • Non-expected value – if expecting a session number, use non-relevant data, e.g. reuse a previously closed session number
  • 11. What is tested
    • Generates not just malformed data but also malformed sessions when network protocols are tested. Malformed sessions include:
      • Out of order sessions – the order in which packets from a session are sent is reversed or “randomized”
      • Overlapping sessions – the follow-up packet re-initiates the session or uses different values than it should have
      • Missing sessions – the session is never completed or properly closed
  • 12. “Understanding” unknown protocols
    • Learns new protocols via “auto learning”:
  • 13. What is fuzzed
    • beSTORM works by fuzzing anything that accepts inputs:
      • HTTP, SIP (VoIP), FTP, SMTP, ...
      • GIF, BMP, TGA, ...
      • PE (EXE), UPX, ...
      • ActiveX and DLLs
    • Practically every possible combination is sent to the application – in some cases as many as 10^10 or more combinations
    • Covers malformed requests as well as obscure protocol features
  • 14. Monitoring for vulnerabilities
    • A powerful monitor detects even the slightest buffer overflow, format string, or similar memory exception
    • Runs automatically until the test scenarios are exhausted, trying the most probable combinations first
  • 15. API Fuzzing
    • Built-in DLL fuzzer allows you to easily test the internal workings of your software and hardware
  • 16. Example
    • This illustrates a malformed HTTP packet:
    • Note that more than one segment of the packet is malformed
  • 17. IIS Case Study
    • When testing Microsoft's IIS web server, beSTORM detected the first buffer overflow vulnerability after only 4 ½ minutes
    • During those 4 ½ minutes, 160,000 attack combinations were tested
    • The buffer overflow was pinpointed and can be reproduced
    • The vulnerability leads to remote compromise of the machine running IIS
  • 18. Real World usage
    • beSTORM – some examples of customers currently testing hardware
      • Juniper uses it to test its products
      • University of Amsterdam RFID uses it to test RFID implementations
      • Ericsson uses it as part of their security testing
    • Testing file parsers
      • In a joint cooperation with Kaspersky, beSTORM “learned” the UPX standard and is now being actively used by Kaspersky to test the robustness of their antivirus programs.
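
The mutation classes listed on slide 10, applied to a constructed HTTP request and checked against a small strict validator that stands in for the parser under test. This is an added example, not beSTORM code or part of the original slides; the field names, the `test.invalid` host, the reject reasons and the 4096-byte line limit are assumptions, and each case changes a single field.

```python
# Added example (not beSTORM code): one test case per mutation class on slide 10.
BASE = {"method": "POST", "path": "/login", "body": b"user=alice"}  # constructed sample

def build(method, path, body, content_length=None):
    """Serialise an HTTP/1.1 request; content_length overrides the real body size."""
    if content_length is None:
        content_length = len(body)
    head = (f"{method} {path} HTTP/1.1\r\nHost: test.invalid\r\n"
            f"Content-Length: {content_length}\r\n\r\n")
    return head.encode("latin-1") + body

def cases(base=BASE, big=8192):
    """Yield (class_name, request_bytes), changing one field per case."""
    yield "baseline", build(**base)
    yield "malformed_value", build(**{**base, "method": "P\x01ST"})
    yield "malformed_relationship", build(**base, content_length=len(base["body"]) + 100)
    yield "oversized_value", build(**{**base, "path": "/" + "A" * big})
    yield "undersized_value", build(**{**base, "path": ""})
    yield "unexpected_value", build(**base, content_length="-1")

def strict_parse(raw, max_line=4096):
    """Stand-in for the parser under test: None if accepted, else the reject reason."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "no header terminator"
    lines = head.split(b"\r\n")
    if any(len(line) > max_line for line in lines):
        return "line too long"
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[1]:
        return "bad request line"
    if not parts[0].isalpha():
        return "bad method"
    headers = dict(line.split(b": ", 1) for line in lines[1:])
    length = headers.get(b"Content-Length", b"")
    if not length.isdigit():
        return "bad Content-Length"
    if int(length) != len(body):
        return "length mismatch"
    return None

def run():
    """Map each mutation class to the validator's verdict."""
    return {name: strict_parse(raw) for name, raw in cases()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:24} {verdict or 'accepted'}")
```

A parser that accepts any of the five mutated cases has a validation gap in the corresponding class; the baseline case confirms the validator does not reject well-formed input.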