Fuzzing101: Unknown vulnerability management for Telecommunications




1. Codenomicon Fuzzing 101 webinar
   15 March 2011
   Juha-Matti Tirilä
   Tero Rontti
   Unknown Vulnerability Management for Telecommunications

2. About the speakers
   Juha-Matti Tirilä
     Security researcher
     Robustness testing methods, quality management processes, software security economics
     Collaboration with University of Oulu researchers
     Background in applied mathematics and software development
   Tero Rontti
     Security specialist
     Security testing tools for Codenomicon products for seven years
     Extensive experience in telecommunication security testing tools, VoIP and IMS in particular

3. Outline
   About Codenomicon and Fuzzing 101
   About the speakers
   Why we are here: prevent serious software deployment mistakes from happening!
   Introduction to telecommunications: the trends and attack vectors
   Unknown vulnerability management
   A case study: MPEG2-TS
   Questions and answers

4. About Codenomicon & Fuzzing 101
   Fuzzing 101:
     The webcast series for the fuzzing industry
     Vendor-neutral presentations on fuzzing technologies and use cases
     Includes invited speakers from the industry
   Codenomicon:
     Fuzzing research since 1996
     2001: spin-off from University of Oulu
     50-100% annual growth in number of customers and revenues in the fuzzing industry

5. Some helpful definitions
   Vulnerability - a weakness in software, a bug
   Threat/Attack - exploit/worm/virus against a specific vulnerability
   Protocol modeling - technique for describing interface message sequences and message structures
   Fuzzing - process and technique for security testing
   Anomaly - abnormal or unexpected input
   Failure - crash, busy loop, memory corruption, or other indication of a bug in software

6. The challenge: unknown vulnerabilities are everywhere

7. Telecommunications
   Telephony
   Broadcasting
     TV
     Radio
   Networked IT communications
     Internet, VoIP, IPTV, New Generation Networks, triple play, growing number of smartphones, need to support legacy technologies
   Growing complexity, growing number of technologies and interfaces, the transition from IPv4 to IPv6

8. Problems

9. Need for more testing, quality assurance, interoperability checks... Guaranteed
   Attack vectors in telecommunications

10. Smartphone security
    Mobiles resemble computers in all aspects, except the level of protection.

11. Until now, the lack of suitable hacking tools and motivation has protected mobiles.

12. But mobile internet and the growing amount of critical information stored on handheld devices are changing the situation.

13. Hackers exploit coding errors, e.g., to enslave phones into botnets.

14. Convergence of both hardware and software platforms → risk
    Next Generation Network security
      Critical interfaces:
    Software testing: approaches

15. Robustness testing
    Robustness testing: testing whether a system is able to function in a reasonable manner under unexpected or invalid circumstances
    E.g. no crash, no unauthorized privilege escalation, no confidential data exposure, etc.

16. Specification vs. implementation

17. Robustness testing: the two approaches
    In theory, either:
      Logically deduce that nothing catastrophic ever happens, for any input
    OR
      Test every possible input and monitor the software
    In practice: both approaches, to some extent
    Question: how well do you think you are doing, considering the complexity and amount of the code you are using or developing?
    It is the practically infinite input space that makes 100% robustness unattainable.

18. Definition of fuzzing
    Fuzzing is a technique for intelligently and automatically generating, and passing into a target system, valid and invalid message sequences to see if the system breaks.

19. Types of fuzzing
    Random fuzzing
      Apple, 1980s
      Barton P. Miller, 1980s and 1990s
    Template-based fuzzing
      Capture traffic OR use sample files OR... → create mutated test cases
    Specification-based fuzzing
      Model the specification, inject anomalies, transmit to the target system
20. Fuzzing in the Microsoft SDL

21. Fuzzing is becoming widely adopted
    Commonly used by hackers
    The majority of all vulnerabilities are found using fuzzing
    First adopted by equipment manufacturers in 2001
      E.g. 80% of the top network equipment manufacturers today depend on Codenomicon testing solutions
    Since 2005, most new adopters were service providers
      Most leading USA telecom service providers have integrated Codenomicon fuzzing into acceptance tests
    During 2008-2010, fuzzing was adopted by critical infrastructure and enterprise end users
      SCADA industry
      Finance
      Government
      Online commerce

22. Unknown vulnerability management: goal
    Unknown Vulnerability Management (UVM) is a framework
      For helping you understand the overall process of applying proper testing procedures
      For underlining the importance of good testing management
      For unifying the terminology, so that communication concerning security testing is easier
      For helping you understand that a well-designed testing program should be considered loss prevention, not an extra cost
      For emphasizing that security is like quality: it has to be incorporated throughout; it cannot be added to a product afterwards

23. Challenges with vulnerability management
    Vulnerabilities are detected as they are found
      Not as they emerge: by then they are already in hiding
    Most costs are in patch deployment
      Crisis management: each update needs immediate attention
      Ad-hoc deployment is prone to errors
      Maintenance downtime can be expensive
    New patches emerge several times a week
      No time to test the patch

24. Cost-benefit of proactive security testing

25. Unknown vulnerability management: overview
    The process of:
      Detecting attack vectors
      Finding zero-day vulnerabilities
      Building defenses
      Performing patch verification
      Deployment in one big security push

26. Phase 1: Attack surface analysis
    Tools:
      Port scanners
      Resource scanners
      Network analyzers
    Insight
      Codenomicon Network Analyzer identifies what needs to be tested within your network
      Record traffic at multiple points in your network
      Automatically visualize the network
      You can drill up and down, from high-level visualizations to inspecting the corresponding packet data
      Real-time analysis
      Reveal hidden interfaces and possible exploits

27. Phase 2: Test
    Fuzzing means crash-testing
      Discover both known and previously unknown vulnerabilities with unparalleled efficiency
    Specification-based tools for over 200 protocols
      Tools contain all the possible protocol messages and structures
      Genuinely interoperate with the tested system, exposing vulnerabilities even in deeper protocol layers
    General-purpose fuzzers
      Defensics XML Fuzzer can test all XML applications
      The Traffic Capture Fuzzer uses real traffic
      Generic File Format Fuzzer tests all file formats

28. Phase 3: Report
    Codenomicon test suites generate different reports for different audiences
      Management reports provide a high-level overview of the test execution
      Log files and spreadsheets help you to identify troublesome tests and to minimize false negatives
      Individual tests are documented by augmenting the already extensive test case documentation with PCAP traffic recordings
      Remediation packages can be sent to third parties for automated reproduction

29. Phase 4: Mitigate
    Mitigation tools quickly and easily reproduce vulnerabilities, perform regression testing and verify patches
    The tools automatically generate reports, which contain a risk assessment and CWE values for the found vulnerabilities and direct links to the test suites that triggered the vulnerabilities
    Identification of the test cases that triggered the vulnerability is critical
      The test case documentation can be used to create tailored IDS rules to block possible zero-day attacks

30. UVM: Conclusion (1/2)
    Vulnerability management is not about known vulnerabilities and testing for all of them
    The solution is to find the unknown vulnerabilities that are relevant to you
    All critical devices and systems need testing
      Databases and backend systems
      Operator's network and broadcasting infrastructure
      Web service infrastructure
      Email and VPN
      Mobile handsets
    Share information between R&D and IT teams on best practices and tools

31. UVM: Conclusion (2/2)
    Security is not about security mechanisms
    For a full security analysis, you should study:
      Threats
      Attacks
      Vulnerabilities
      Architectures
      Countermeasures
    Unknown Vulnerability Management is about identification and elimination of zero-day vulnerabilities
    Security is a process, not a product!

32. Case study: MPEG2-TS
    We will demonstrate:
      The first steps of deploying our test tool
      A player crash caused by a fuzzed file
    Note: it is not just a player-level issue. MPEG2 streams need to be parsed at various nodes in a streaming context, and crashes on these nodes could be critical for QoS.
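The deck contrasts template-based fuzzing (mutate a captured sample) with specification-based fuzzing (model the format, inject anomalies into chosen fields), and slide 32 runs the idea against an MPEG2-TS parser. The following is an added example written for this page; it is not Codenomicon's Defensics code and not the player from the case study. It assumes a toy 188-byte transport stream packet model (sync byte, PID, adaptation_field_control, adaptation_field_length, PCR flag) and two hypothetical parsers: a trusting one that believes every length field, and a validating one that rejects malformed packets in a controlled way. Both fuzzer styles are run against both parsers, and the harness counts a failure when the parser raises an unexpected exception (the Python stand-in for a crash) or violates a payload-length invariant.

```python
"""Toy MPEG-2 TS robustness harness: mutation (template-based) and
specification-based fuzzing run against a naive and a hardened parser.
Added illustration for this page, not Codenomicon or player code."""
import random
import struct

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47


def build_ts_packet(pid=0x100, afc=0b11, cc=0, af_len=7, pcr_flag=True, payload=b"\xAA" * 10):
    """Specification-based generator: a packet built from a field model (constructed sample)."""
    header = bytes([SYNC_BYTE, 0x40 | (pid >> 8), pid & 0xFF, (afc << 4) | (cc & 0xF)])
    body = b""
    if afc & 0b10:                      # adaptation field present
        field = bytes([0x10 if pcr_flag else 0x00]) + (b"\x00" * 6 if pcr_flag else b"")
        field = (field + b"\xFF" * af_len)[:af_len]   # stuffing bytes pad to the declared length
        body += bytes([af_len]) + field
    if afc & 0b01:                      # payload present
        body += payload
    return (header + body + b"\xFF" * TS_PACKET_SIZE)[:TS_PACKET_SIZE]


def parse_ts_naive(pkt: bytes) -> dict:
    """Trusting parser: believes adaptation_field_length and the PCR flag unconditionally."""
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc = (pkt[3] >> 4) & 0b11
    offset, pcr_base = 4, None
    if afc & 0b10:
        af_len = pkt[4]
        if af_len > 0:
            flags = pkt[5]
            if flags & 0x10:            # PCR_flag: read 6 bytes wherever they happen to be
                raw = struct.unpack_from(">6s", pkt, 6)[0]   # struct.error on a short packet
                pcr_base = int.from_bytes(raw, "big") >> 15
        offset = 5 + af_len             # may point past the end of the packet
    return {"pid": pid, "afc": afc, "pcr_base": pcr_base, "payload_len": TS_PACKET_SIZE - offset}


def parse_ts_robust(pkt: bytes) -> dict:
    """Validating parser: every length and flag is checked; bad input gets ValueError, not a crash."""
    if len(pkt) != TS_PACKET_SIZE:
        raise ValueError("bad packet length")
    if pkt[0] != SYNC_BYTE:
        raise ValueError("bad sync byte")
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc = (pkt[3] >> 4) & 0b11
    if afc == 0:
        raise ValueError("reserved adaptation_field_control")
    offset, pcr_base = 4, None
    if afc & 0b10:
        af_len = pkt[4]
        if af_len > (183 if afc == 0b10 else 182):   # a payload, when flagged, needs at least one byte
            raise ValueError("adaptation_field_length exceeds packet")
        if af_len > 0 and pkt[5] & 0x10:
            if af_len < 7:
                raise ValueError("PCR flagged but adaptation field too short")
            pcr_base = int.from_bytes(pkt[6:12], "big") >> 15
        offset = 5 + af_len
    return {"pid": pid, "afc": afc, "pcr_base": pcr_base, "payload_len": TS_PACKET_SIZE - offset}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Template-based fuzzing: derive one test case from a sample packet."""
    data = bytearray(seed)
    op = rng.choice(("bitflip", "boundary", "truncate", "extend"))
    if op == "bitflip":
        i = rng.randrange(len(data)); data[i] ^= 1 << rng.randrange(8)
    elif op == "boundary":
        i = rng.randrange(len(data)); data[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
    elif op == "truncate":
        del data[rng.randrange(1, len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(data)


def spec_anomalies():
    """Specification-based fuzzing: a valid model with one field driven out of range."""
    yield "af_len_too_large", build_ts_packet(af_len=0xFF)
    yield "pcr_field_truncated", build_ts_packet(af_len=3, pcr_flag=True)
    yield "reserved_afc", build_ts_packet(afc=0b00)
    yield "wrong_sync_byte", b"\x00" + build_ts_packet()[1:]


def run_fuzz(parser, cases) -> dict:
    """Crash-test a parser: unexpected exceptions and invariant violations are failures."""
    result = {"failures": [], "rejected": 0, "accepted": 0}
    for name, pkt in cases:
        try:
            out = parser(pkt)
        except ValueError:              # controlled rejection of invalid input: acceptable
            result["rejected"] += 1
            continue
        except Exception as exc:        # anything else is the analogue of a crash
            result["failures"].append((name, type(exc).__name__))
            continue
        if not 0 <= out["payload_len"] <= 184:   # monitor: payload must fit in the packet
            result["failures"].append((name, "invariant"))
        else:
            result["accepted"] += 1
    return result


def fuzz_campaign(parser, n_mutations=500, seed=1) -> dict:
    """Run both fuzzer styles against one parser; deterministic via the seed."""
    rng = random.Random(seed)
    template = build_ts_packet()
    cases = [(f"mut{i}", mutate(template, rng)) for i in range(n_mutations)]
    cases += list(spec_anomalies())
    return run_fuzz(parser, cases)


if __name__ == "__main__":
    for label, parser in (("naive", parse_ts_naive), ("robust", parse_ts_robust)):
        r = fuzz_campaign(parser)
        print(f"{label}: failures={len(r['failures'])} rejected={r['rejected']} accepted={r['accepted']}")
```

The naive parser fails in two distinct ways the harness can tell apart: truncated packets produce an uncaught exception (the crash), while an oversized adaptation_field_length produces a negative payload length, a silent miscalculation that only the invariant monitor catches. The specification-based anomaly `af_len_too_large` hits the second bug on every run, which is the point slide 19 makes about modeling the format: the mutation fuzzer has to get lucky to land 0xFF on byte 4, whereas the model-driven generator targets that field directly. The hardened parser turns all of those inputs into a controlled ValueError, which is what "function in a reasonable manner under invalid circumstances" on slide 15 looks like in code.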
33. PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS
    "Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. ... Testers! Break that software (as you must) and drive it to the ultimate - but don't enjoy the programmer's pain."
    [from Boris Beizer]
    THANK YOU - QUESTIONS?