“PerformFuzz” On Application’s Web Interface. Aniket Kulkarni, Symantec, India.
Perform fuzz on application's web interface

Session Presented at 2nd IndicThreads.com Conference On Software Quality held on 25-26 March 2011 in Pune, India. WEB: http://Q11.IndicThreads.com


  1. “PerformFuzz” On Application’s Web Interface. Aniket Kulkarni, Symantec, India.
  2. Agenda
     - Brief Overview.
     - Performance Testing, Fuzzing & Fuzzer.
     - What Can Be Fuzzed & Common Defects?
     - What Is PerformFuzz?
     - Packet/Port Fuzzing.
     - How Fuzzing Degrades Performance?
     - View Of Original & Malicious Packets.
  3. Agenda Contd.
     - Impact On 3rd Party Components.
     - Case Study & Crash Analysis.
     - Best Practices To Avoid Such Potholes.
     - References.
  4. Brief Overview.
     - Focus On “Performance & Security”.
     - It's an attack that affects the application’s “Performance & Availability”.
     - The security test technique is “Fuzzing”.
     - The target is the application's web interface.
     - Performance + Fuzzing = “PerformFuzz”.
  5. What Is Performance Testing?
     - System check for Responsiveness, Throughput and Scalability under a given workload.
     - Outcome helps to decide: production readiness, evaluation of the application against performance, finding the root cause of performance issues.
  6. What’s Fuzzing & What Can Be Fuzzed?
     - It's a technique to inject random bad data into an application to see what breaks!
     - Any type of application input can be fuzzed: N/W protocols, files, GUI, inter-process communication, etc.
     - Note: Aiming to fuzz the application’s web interface, we will consider network protocol/port fuzzing only for the current topic.
  7. What Is Fuzzer?
     - A fuzzer is just a tool that generates gibberish data.
     - A few fuzzers available are: SPIKE, PEACH, DFUZ, GPF (General Purpose Fuzzer) & SULLEY.
     - [Diagram labels: Original Input, Fuzzer, Input Files, Software Application]
  8. Common Defects By Fuzzing.
     - Buffer Overflow.
     - Integer Overflow.
     - Invalid Memory Reference.
     - Infinite Loop.
     - 3rd Party Components May Sit, Compromising Application.
     - Degraded Performance Of Web Interface (DoER).
     - In quotes, it gives a crash (termed DoS, Denial Of Service); if analyzed in depth, one of the above is detected.
  9. So, What’s PerformFuzz?
     - It’s packet fuzzing.
     - Increasing “Render Response Time” by applying multiple fuzzing instances is PerformFuzz.
     - Causes “DoER” & “DoS”.
     - Note: Once an attacker successfully slows down the performance, it's a key achievement for him, giving him confidence that the next stage is going to be a definite crash!
  10. How Packet/Port Fuzzing Is Done?
     - Way-1: Trapping valid packets, detecting magic strings, modifying those and resending them to the respective target.
     - Way-2: Bombarding the respective target with malicious packets automatically.
  11. But, How Does Performance Degrade?
     - Defensive Security Talk: Need To Research Attacks & Then Mitigation.
     - Opting For Way-2: Automated Bombarding.
     - Application Response With A Single Fuzzing Instance.
     - Craft Instances Till “Render Response Time” Is Increased.
     - Once Render Response Time Is Caught, Performance Is Tuned Negatively Just By Scaling These Instances Up & Down.
  12. View: Ideal & Malicious Packet.
     - Ideal Network Packet.
     - Malicious Network Packet.
  13. Impact On 3rd Party Components.
     - Fuzzing target is http://<ip address>:<port no>/
     - Sometimes, the web server gets impacted.
     - Next is our own application.
     - Among “CIA”: A (Availability) of an application is hampered 100%.
  14. Case Study & Crash Analysis.
     - Description:
     - Fuzzing was performed by sending random packets to the port on which the “ABC” server was listening. Multiple network fuzzers were made to send random packets to the port simultaneously. Degraded performance of the application was observed, with its render response time increasing. Finally, a crash was observed in the JVM, bringing down Tomcat, due to a race condition in JVM threads. The crash has been reproduced multiple times up to J6U21, which was the latest Java update when this was encountered for the first time.
     - Crash Analysis!
  15. Best Practices To Avoid Such Issues.
     - Server Side Validation.
     - Latest OS & Application Vendor Patches.
     - Run Firewall & Intrusion Detectors.
     - Big Fish Have Implemented “CAPTCHA”.
  16. What’s Out From This Presentation?
     - DoER.
     - DoS.
     - Importance Of 3rd Party Components.
     - Might Be A Small Test Under Your Performance & Security Test Strategy.
  17. Question To Think?
     - Is This Going To Hamper Cloud Clients?
     - Anyway, That’s Under Research With Us; Let’s See What We Bring Up Next.
  18. Reference.
     - http://msdn.microsoft.com/en-us/library/bb924356.aspx
     - http://peachfuzzer.com/PeachInstallation
     - http://openmaniak.com/wireshark_tutorial.php
     - http://www.wireshark.org/download.html
     - http://resources.infosecinstitute.com/intro-to-fuzzing/
     - http://resources.infosecinstitute.com/fuzzer-automation-with-spike/
     - http://windbg.info/doc/1-common-cmds.html#7_symbols
  19. Questions?
  20. The End.
     - Thank You!
     - Aniket Kulkarni,
     - Product Security Group, Symantec.
     - [email_address]
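
The case study describes render response time rising while random packets arrive at the listening port, and the best practices list server-side validation and intrusion detection. The following is an added example, not code from the presentation: a strict request-line check combined with a per-window monitor that flags the degradation pattern. The record layout, thresholds, the path /index.jsp and all sample data are assumptions constructed for illustration.

```python
import re
from statistics import median

# Strict request-line shape: allow-listed method, printable path, HTTP/1.x only.
REQUEST_LINE = re.compile(rb"(GET|HEAD|POST) /[\x21-\x7e]{0,2047} HTTP/1\.[01]")

def is_well_formed(raw: bytes) -> bool:
    """Server-side validation: reject oversized or non-HTTP request lines."""
    return len(raw) <= 4096 and REQUEST_LINE.fullmatch(raw) is not None

def detect_degradation(records, window=5, baseline_windows=2,
                       slow_factor=3.0, bad_ratio=0.5):
    """records: (second, raw_request_line, render_ms or None).
    Returns (baseline_ms, [window start seconds that look like DoER/DoS]).
    Assumes the first `baseline_windows` windows contain normal traffic."""
    buckets = {}
    for second, raw, ms in records:
        b = buckets.setdefault(second // window * window, {"ok": [], "bad": 0})
        if is_well_formed(raw) and ms is not None:
            b["ok"].append(ms)
        else:
            b["bad"] += 1  # malformed, or never answered
    starts = sorted(buckets)
    baseline = median(ms for s in starts[:baseline_windows]
                      for ms in buckets[s]["ok"])
    alerts = []
    for s in starts[baseline_windows:]:
        ok, bad = buckets[s]["ok"], buckets[s]["bad"]
        # No valid request rendered at all counts as the worst case (outage).
        slow = not ok or median(ok) >= slow_factor * baseline
        if slow and bad / (len(ok) + bad) >= bad_ratio:
            alerts.append(s)
    return baseline, alerts

def constructed_records():
    """Constructed sample: normal load, light junk, heavy junk, then outage."""
    recs = []
    for s in range(20):
        ms = 40 if s < 10 else 60 if s < 15 else 200
        recs.append((s, b"GET /index.jsp HTTP/1.1", ms))
        junk = 0 if s < 10 else 1 if s < 15 else 3
        recs += [(s, b"\x00\xff\x13GE" + b"A" * 50, None)] * junk
    recs += [(s, b"\xde\xad" * 8, None) for s in range(20, 25)]
    return recs

if __name__ == "__main__":
    print(detect_degradation(constructed_records()))
```

The window starting at second 10 carries junk traffic but is not flagged because render time stays under three times the baseline; only the windows where latency has degraded or no valid request completes are reported.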
