Be Storm - Automated Application/Software Vulnerability Testing
beSTORM performs a comprehensive analysis, exposing security holes in your products during development and after release. beSTORM represents a new approach to security auditing.

1. Beyond Security product presentation: beSTORM
   Amit Shirolkar, Avi Electronics & Networks Pvt Ltd

2. About Beyond Security
   - Provides vulnerability assessment and self-management solutions
   - Enables continuous network, server, database and application security
   - Operates the 2nd-largest IT security portal (1.5 million page views/month)
   - Privately held and profitable
   - R&D office in Israel; sales offices in McLean, VA and Chicago, IL
   - Sales via distribution channels in 16 countries

3. IT security portal
   - Established in 1998 by Beyond Security's founders
   - Trusted by hackers and security professionals
   - Provides a sustainable competitive advantage: Beyond Security learns about vulnerabilities first, directly from hackers
   - 2.3 M unique visitors in 2004
   - 1.5 M monthly page views

4. Beyond Security knows vulnerabilities
   - Intellectual property based on:
     - 5 years of ongoing R&D
     - A knowledge base of 7,500 vulnerabilities and over 3,000 attack scripts
     - Knowledge acquired since 1998
     - Participation in security product reviews for some of the best-known vendors
     - Dozens of security holes discovered and documented by our own R&D team

5. What is a vulnerability?
   - A security weakness in an application, operating system, network device or hardware
   - The weakness can be exploited to cause harm
   - Hundreds of vulnerabilities are uncovered every year; many of them are actively exploited
   - As development cycles grow shorter, more vulnerabilities surface
   - Detecting vulnerabilities during development is difficult
   - Detecting them after development is costly

6. Fuzzing: a quick overview
   - From Wikipedia:
   - "Fuzz testing is a software testing technique. The basic idea is to attach the inputs of a program to a source of random data. If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct."
   - "The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior."

7. Types of fuzzing
   - There are two main types of fuzzers:
   - Standalone tools, designed for a single protocol
     - A non-generic fuzzer for protocols such as:
       - SNMP
       - SMTP
       - etc.
   - Fuzzing frameworks
     - A generic fuzzer that supports adding further protocols with ease

8. Types of fuzzing (continued)
   - Manual fuzzing
     - Use a normal client/server
     - Observe what happens
     - Look for interesting data (size fields, ...)
     - Change some of this data
     - Observe what happens
   - Semi-automatic fuzzing
     - Have a tiny script/program
     - Do one run, see what happens
   - Automatic fuzzing
     - Use a script/program and iterate over a lot of possible outputs (can be an endless loop)
     - Just wait till something crashes
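The automatic fuzzing loop of slide 8, and the Wikipedia definition on slide 6, in working form. This is an added example and not part of the original presentation or of beSTORM: the record format, the seed input and the parser's bug are all constructed for illustration, and an unhandled Python exception stands in for the crash a real monitor would catch.

```python
"""Automatic fuzzing loop against a toy parser.

Added example, not from the beSTORM slides. The target is a constructed
length-prefixed record parser with deliberately sloppy bounds handling; the
fuzzer mutates a valid seed at random (the "just wait till something crashes"
style the slide describes) and records each distinct unhandled exception,
which is this harness's stand-in for a crash.
"""
import random
import struct

# Constructed record layout:
#   u16 name_len | name (ASCII) | u8 tag | u16 payload_len | payload
SEED = struct.pack(">H", 3) + b"svc" + bytes([1]) + struct.pack(">H", 5) + b"hello"


class MalformedRecord(Exception):
    """The one error the parser raises on purpose (its built-in check)."""


# Exceptions the target raises intentionally; anything else is an unhandled failure.
EXPECTED = (MalformedRecord,)


def parse_record(data: bytes) -> dict:
    """Parse one record. Only the payload length is validated; the name
    length is trusted, which is the defect the fuzzer should surface."""
    name_len = struct.unpack_from(">H", data, 0)[0]           # struct.error if < 2 bytes
    name = data[2:2 + name_len].decode("ascii")               # UnicodeDecodeError on 8-bit bytes
    off = 2 + name_len
    tag = data[off]                                           # IndexError when name_len overstates
    payload_len = struct.unpack_from(">H", data, off + 1)[0]  # struct.error near end of buffer
    payload = data[off + 3:off + 3 + payload_len]
    if len(payload) != payload_len:
        raise MalformedRecord("payload truncated")            # intended validation
    return {"name": name, "tag": tag, "payload": payload}


def run_one(data: bytes):
    """Feed one input to the target. Return None if it behaved, or the name
    of the unhandled exception type if it 'crashed'."""
    try:
        parse_record(data)
    except EXPECTED:
        return None
    except Exception as exc:  # any other exception is a finding
        return type(exc).__name__
    return None


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random byte-level mutation: overwrite, insert or delete."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:                                 # overwrite one byte
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:                                       # insert a few random bytes
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    elif buf:                                           # delete a short slice
        a = rng.randrange(len(buf))
        del buf[a:a + rng.randrange(1, 4)]
    return bytes(buf)


def fuzz(iterations: int = 500, seed: int = 1) -> dict:
    """Automatic fuzzing: mutate the seed repeatedly and keep the first input
    that triggers each distinct failure type, so every finding is reproducible."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(rng, SEED)
        failure = run_one(case)
        if failure and failure not in findings:
            findings[failure] = case
    return findings


if __name__ == "__main__":
    for kind, case in fuzz().items():
        assert run_one(case) == kind      # each saved input re-triggers its failure
        print(f"{kind}: {case.hex()}")
```

The loop is the 1st-generation style the next slides contrast with: it knows nothing about the format, so most mutations land in the payload and teach nothing, and a finding is only as reproducible as the saved input and the RNG seed.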
9. Enter SPIKE (1st-generation fuzzing)
   - SPIKE is a preliminary tool: unstable, and it finds nearly no vulnerabilities
   - SPIKE deserves a lot of credit though, for it introduced block-based protocol analysis

10. 2nd-generation fuzzing
   - What is a 2nd-generation fuzzer?
     - Stable: can run continuously for weeks or months
     - Actually finds vulnerabilities
     - Tests first in the ways most likely to find results (80/20: cover the 20% likely to find 80% of the problems)
     - Runs hundreds of thousands of attempts, scaling to tens of millions
     - Doesn't just "throw AAAAA's"
     - Distributed fuzzing
     - Discovers flaws that don't cause crashes but cause unexpected behavior
     - Generates intricate sessions: connect, get something from the server, use it in the next session, ...
     - Supports outputs other than sockets, e.g. files
     - ...

11. What is beSTORM? 1/3
   - A unique approach to finding security holes during development:
   - A 2nd-generation fuzzer
   - Finds vulnerabilities by actually trying the attacks and seeing whether they succeeded
   - Tests at the network/protocol level
   - Exhaustively tests the full test space rather than focusing on a limited number of scenarios
   - Stable and repeatable testing for security compliance checking

12. What is beSTORM? 2/3
   - beSTORM's strong points
   - Generates not just malformed packets but also malformed sessions, including:
     - Out-of-order sessions: the order in which a session's packets are sent is reversed or "randomized"
     - Overlapping sessions: the follow-up packet re-initiates, or uses different values than it should have
     - Missing sessions: the session is never completed or properly closed

13. What is beSTORM? 3/3
   - beSTORM generates sessions containing:
     - One or more malformed values inside the packet(s): non-alphanumeric data where alphanumeric data is expected
     - One or more malformed relationships between values inside the packet(s): size, description, etc.
     - Oversized values
     - Undersized values
     - Unexpected values: where a session number should have been written, irrelevant data is provided, e.g. reuse of a previously closed session number

14. How does beSTORM work? 1/3
   - beSTORM works by fuzzing protocols such as:
     - HTTP
     - SIP (VoIP)
     - FTP, SMTP, etc.
   - Practically every possible protocol combination is sent to the application; in some cases as many as 10^10 or more combinations
   - Covers malformed requests as well as obscure protocol features

15. How does beSTORM work? 2/3
   - A monitor detects whether even the slightest buffer overflow, format string, or similar problem occurred
   - Runs automatically until the protocol is exhausted, trying the most probable combinations first
   - beSTORM modules are built to recognize the protocols' inner workings and to know whether one value affects another
     - This causes beSTORM to test that value further in relation to the other values

16. How does beSTORM work? 3/3
   - You can define rules to exclude certain scenarios:
     - Don't overflow a certain value
     - Don't send data out of order
     - etc.
   - Each module has its own rules, which allow it to go through the more probable combinations first
     - For HTTP:
       - Overflow the URI
       - Overflow the Host header
       - etc.
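Slides 12 to 16 describe block-based, protocol-aware test generation: malformed values, malformed relationships between values, oversized and undersized values, incomplete sessions, most-probable-first ordering and exclusion rules. The following is an added example showing those ideas for HTTP/1.1 in Python; it is not beSTORM code and does not reflect beSTORM's internals. The baseline request, the hostname target.example, the value lists and the Rules field names are all assumptions made for the example.

```python
"""Generation-based (block-based) HTTP request fuzzing.

Added example, not beSTORM code. It models an HTTP/1.1 request as named
blocks and derives test cases from the model, in the order the slides
describe: the most probable findings first (oversized URI and Host), then
non-alphanumeric and format-string data where a token is expected, undersized
values, broken size relationships (Content-Length vs. the actual body) and an
incomplete session. Operator rules exclude classes of tests. The baseline
request, hostname and value lists are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Iterator, Optional, Tuple

CRLF = b"\r\n"

# Baseline model: the well-formed value for each block (constructed).
BASE = {
    "method": b"GET",
    "uri": b"/index.html",
    "version": b"HTTP/1.1",
    "host": b"target.example",   # constructed hostname
    "body": b"",
}

# Most-probable-first ordering, per the slides' HTTP rules (URI, then Host).
PRIORITY = ["uri", "host", "method", "version", "body"]

OVERSIZED = [256, 1024, 65536]           # lengths that cross common fixed buffers
NON_ALNUM = [                            # data a token field should never contain
    b"%n%n%n%n%n%n", b"%s%s%s%s%s%s",    # format-string probes
    b"\x00", b"\xff" * 8,                # NUL and 8-bit bytes
    b"/../" * 8, b"' OR 1=1 --",         # traversal and injection shapes
]


@dataclass
class Rules:
    """Operator exclusions, as in 'don't overflow a certain value'."""
    no_overflow: set = field(default_factory=set)   # block names never to oversize
    no_size_mismatch: bool = False                  # keep Content-Length honest
    no_incomplete: bool = False                     # always terminate the session


def render(blocks: dict, content_length: Optional[int] = None) -> bytes:
    """Serialise the block model to a raw request. Content-Length follows the
    body unless a caller forces a wrong value to test the size relationship."""
    body = blocks["body"]
    head = blocks["method"] + b" " + blocks["uri"] + b" " + blocks["version"] + CRLF
    head += b"Host: " + blocks["host"] + CRLF
    if body or content_length is not None:
        cl = len(body) if content_length is None else content_length
        head += b"Content-Length: " + str(cl).encode() + CRLF
    return head + CRLF + body


def generate(base: dict = BASE, rules: Optional[Rules] = None) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, raw_request) pairs, most promising cases first."""
    rules = rules or Rules()
    # 1. Oversized single value, highest-priority block first.
    for name in PRIORITY:
        if name in rules.no_overflow:
            continue
        for n in OVERSIZED:
            yield f"oversize:{name}:{n}", render({**base, name: b"A" * n})
    # 2. Non-alphanumeric / format-string data where a token is expected.
    for name in PRIORITY:
        for bad in NON_ALNUM:
            yield f"non_alnum:{name}:{bad!r}", render({**base, name: bad})
    # 3. Undersized (empty) value.
    for name in PRIORITY:
        yield f"undersize:{name}", render({**base, name: b""})
    # 4. Malformed relationship: Content-Length disagrees with the body it describes.
    if not rules.no_size_mismatch:
        body = b"x=1"
        for cl in (0, len(body) - 1, len(body) + 1, 2 ** 31 - 1, -1):
            yield f"size_mismatch:content_length={cl}", render({**base, "body": body}, cl)
    # 5. Missing session: the request is never completed. The baseline has no
    #    body, so its last two bytes are the header terminator we drop.
    if not rules.no_incomplete:
        yield "incomplete:no_terminator", render(base)[:-len(CRLF)]


def plan(rules: Optional[Rules] = None) -> list:
    """Materialise the labels in test order (what a monitor would log)."""
    return [label for label, _ in generate(BASE, rules)]


if __name__ == "__main__":
    for label, raw in generate():
        print(f"{label:48s} {len(raw):6d} bytes")
```

A real harness would send each raw request to the target and pair it with a monitor (process liveness, log growth, response validity), since, as slide 10 notes, many findings are unexpected behavior rather than crashes. Because every case is derived from the model and carries a label, a finding is reproducible from the label alone, without replaying a random mutation history.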
17. beSTORM at work
   - The screenshot on this slide (not reproduced in this extraction) shows a malformed HTTP packet
   - As can be seen, more than one segment of the packet is malformed

18. beSTORM eliminates vulnerabilities
   - The only technology to search for and find security holes:
     - During development
     - Without requiring the source code
     - In a methodical way that can be reproduced
     - Designed to be used by developers or QA personnel

19. Competition
   - Source-code audit tools:
     - Very high false-positive rate
     - Not scalable
     - Do not always integrate well with the source-versioning systems customers use
     - Cannot be used for certification/formal validation
   - Consultants (home-made tools):
     - Manual checks
     - Expensive
     - Cannot be done on a frequent basis
     - Require disclosing possibly sensitive information to a 3rd party

20. IIS case study
   - When testing Microsoft's IIS web server, beSTORM detected the first buffer overflow vulnerability after only 4½ minutes
   - During those 4½ minutes, 160,000 attack combinations were tested
   - The buffer overflow was pinpointed and can be reproduced
   - The vulnerability leads to remote compromise of the machine running IIS

21. ISA case study
   - When testing Microsoft's ISA Server, beSTORM detected the first logging error vulnerability after only 10 minutes
   - During those 10 minutes, 500,000 attack combinations were tested
   - The logging error was pinpointed and reproduced by Microsoft; an advisory is in the process of being released
   - The vulnerability allows attackers to corrupt the ISA Server's log file with arbitrary characters that are normally filtered out

22. Aladdin case study
   - Security leader turns to Beyond Security for security validation
   - Aladdin Knowledge Systems (ALDN) uses beSTORM to perform a security audit of its eSafe email content security solution, to confirm the product is free from vulnerabilities or security weaknesses
   - beSTORM's SMTP module contains over 500,000 attack combinations

23. Aladdin case study
   - Security leader turns to Beyond Security for security validation
   - "Beyond Security's vulnerability audit confirms... eSafe 4 offers our customers a virtually impregnable defense against email-based security threats."
   - Shimon Gruper, EVP Internet Technologies, Aladdin Knowledge Systems

24. Clients & Partners