Fuzzing 101 Webinar on Zero Day Management

Zero Day Vulnerability Management Fuzzing 101 Ari Takanen, CTO of Codenomicon July 6th, 2010

Fuzzing 101:
The webcast series for fuzzing industry
Vendor neutral presentations on fuzzing technologies and use-cases
Includes invited speakers from the industry
Codenomicon:
Fuzzing research since 1996
2001, Spinoff from University of Oulu
50-100% annual growth in number of customers and revenues in fuzzing industry
About Fuzzing 101 and Codenomicon

About Ari Takanen
The Past: Researcher and Lecturer
1998-2002
University of Oulu
OUSPG/PROTOS research group
Software Quality related lectures
The Present: Entrepreneur and Evangelist
2001-today
CTO of Codenomicon
Evangelist: 10 conference talks every year
Author of two books:
VoIP Security
Fuzzing

Agenda
Intro: Zero Day Vulnerability Management
Demo in Theory
Threat analysis with Network Analyzer
Automated ZD detection with Fuzzing
ZD remediation using IDS/IPS
Patch verification with known vulnerability data
Demo in Practice

Zero Day Vulnerability Management Moving from Reactive to Proactive

Security View: Window of Vulnerability SW - under vulnerability analysis SW - after product release SW - after the vulnerability process TIME BUG APPEARS RELEASE BUG FOUND VULN FOUND VULN REPORT VULN FIX AVAIL. PATCH RELEASE ADVISORY RELEASE PATCH INSTALL Zero Exposure Limited Exposure Public Exposure

Challenges with Vulnerability Management
Detect Vulnerabilities as they are found
Not as they emerge, they are in the hiding already
Most costs are in patch deployment
Crisis management, each update needs immediate attention
Ad-hoc deployment is prone to errors
Maintenance downtime can be expensive
New patches emerge several times a week
No time to test the patch

Security Vulnerability = Just A Bug

Codenomicon Labs Test Results http://www.codenomicon.com/labs/results

Some Helpful Definitions
Vulnerability – a weakness in software, a bug
Threat/Attack – exploit/worm/virus against a specific vulnerability
Protocol Modeling – Technique for explaining interface message sequences and message structures
Fuzzing – process and technique for security testing
Anomaly – abnormal or unexpected input
Failure – crash, busy-loop, memory corruption, or other indication of a bug in software

Zero Day Vulnerability Management (ZDVM)
Process of:
Detecting attack vectors
Finding zero-day vulnerabilities
Building defenses
Performing patch verification
Deployment in one big security push

Test Setup for ZDVM
Virtual setups are easiest to control
Install two or three guest machines:
Host running test targets
Network analyzer
Test station running the test tools
Host running IDS/IPS such as Snort

Practice Targets: Known Vulnerable Software

Practice Targets: Betas and other bad quality stuff
WinSip Proxy is a good target for SIP fuzzing practice

Threat Analysis using Network Analyzers Identify and prioritize!

Network Analysis for ZDVM
Problem today: NMAP only detects open server-side ports (not shown today!)
Instead of depending on network scanning and architecture designs, network analyzer based approach builds network diagram from real-life network traffic
Possible to detect all attack vectors and map the attack surface (protocol interfaces)
Extract any communications easily for reproduction and testing

Network Analyzer % sudo vmnet-sniffer -w demo.pcap vmnet8

What Can You Do With Visual Analyzers
24/7 Multi-point recording
Instant reproduction data of any incidents or customer failures in the network
Forensics toolkit extension
Rootkit and Backdoor monitoring
And then the attack surface mapping we talked about
More examples when we get to traffic capture fuzzing

Fuzzing for Zero Days What you need to know to prepare for zero day discovery

Fuzz Test Effectiveness against WiFi

Fuzzing In Short
Fuzzing means crash-testing
Also called:
Negative testing
Robustness testing
Grammar testing
Based on sending systematically broken (rarely random) inputs to a software, in order to crash it
We will ignore random mutator fuzzers for now
Two techniques of smart model-based fuzzers:
Template-based
Specification-based

Model Based Fuzzing Techniques
Template Based Fuzzing
Quality of tests is based on the used seed and modeling technique
Very quick to develop, but slow to run
Editing requires deep protocol know-how
Good for testing around known vulnerabilities
Specification Based Fuzzing
Full test coverage
Always repeatable
Short test cycle, more optimized tests
Easy to edit and add tests

Precision is about attack surface/protocol coverage
All interfaces/protocols tested?
All message sequences tested?
All message structures tested?
All data definitions tested?
All “tags” (values) tested?
Accuracy is about anomaly coverage
Anomaly categories? SQL? Buffer overflow?
All values: 0..65k, a..z, 0x00..0x255 ?
Combinations of anomalies?
Coverage

Anomaly Coverage Selection

FTP Fuzzing

Results

SIP Fuzzing & Results
WinSip breaks with almost with any imaginable fuzz test case

Traffic Capture Fuzzing

Traffic Capture Fuzzing Results
Test against samba seems to find zero-day

Zero Day Remediation Using IDS/IPS Block only what needs to be blocked!

Problem with IDS/IPS
Intrusion Detection Systems can only handle limited amount of fingerprints
Most of those monitored fingerprints are irrelevant to your specific production system
In the demo, the Snort IDS system is used to monitor traffic
Default VoIP ruleset is used first
Then Codenomicon additions in local.rules are loaded

Blocking Zero Days with IDS/IPS
By default, Snort does not detect any of the attacks against WinSip Proxy
With tailored rules, all effective attacks can be blocked
DEFENSICS SIP UAS WINSIP PROXY SNORT IDS

Load Snort default

Attack WinSip – Snort Does Not Detect

Alert Raised by Codenomicon Ruleset

Patch Verification for Known Issues Do you trust the vendor patches?

Blind Trust on Known Vulnerabilities
Most patches are released in a hurry
Vulnerability data is not necessarily available for testing variants of the bug
Configuration can affect test results
Combining vulnerability feeds with traffic capture fuzzing will test
the vulnerable software
the patches issued by vendors
the security defenses

Patch Verification with Vulnerability Feeds

Fuzzing with Known Vulnerabilities
With PCAP, you can just load it in the traffic capture fuzzer
With other POC exploits, you run them and collect the PCAP with Network Analyzer, and then fuzz it

Conclusions
Vulnerability management in not about known vulnerabilities, and testing all of them
Blocking all vulnerabilities (attacks) does not work
The solution is to find out what is relevant to you, and block those proactively
Process is simple:
Map the attack surface
Test for both zero days and known issues
Remediate with tailored IDS rules
This should be continuous process even after deployment

Our Book On Fuzzing!
http://www.fuzz-test.com/book/
Takanen, DeMott and Miller: “Fuzzing for Software Security Testing and Quality Assurance”
Aimed at the general public, you do not need to be a security specialist to read this book
Purpose of the book is to teach next-gen testing approaches to:
Software practitioners
Security engineers
Academics

PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS THANK YOU – QUESTIONS? “ Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. .... Testers! Break that software (as you must) and drive it to the ultimate - but don’t enjoy the programmer’s pain.” [from Boris Beizer]

Fuzzing 101 Webinar on Zero Day Management

by Codenomicon on Jul 16, 2010

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Fuzzing 101 Webinar on Zero Day Management Presentation Transcript