
Fuzzing 101 Webinar on Zero Day Management


In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We will demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general purpose fuzzing solutions. We will also show you how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we will discuss how you can tailor your defenses to block zero day attacks, which is a key aspect of vulnerability management.



  1. Zero Day Vulnerability Management: Fuzzing 101 (Ari Takanen, CTO of Codenomicon, July 6th, 2010)
  2. About Fuzzing 101 and Codenomicon
     - Fuzzing 101:
       - The webcast series for the fuzzing industry
       - Vendor-neutral presentations on fuzzing technologies and use cases
       - Includes invited speakers from the industry
     - Codenomicon:
       - Fuzzing research since 1996
       - 2001: spin-off from the University of Oulu
       - 50-100% annual growth in number of customers and revenues in the fuzzing industry
  3. About Ari Takanen
     - The past: researcher and lecturer
       - 1998-2002
       - University of Oulu
       - OUSPG/PROTOS research group
       - Software quality related lectures
     - The present: entrepreneur and evangelist
       - 2001-today
       - CTO of Codenomicon
       - Evangelist: 10 conference talks every year
       - Author of two books:
         - VoIP Security
         - Fuzzing
  4. Agenda
     - Intro: Zero Day Vulnerability Management
     - Demo in theory
       - Threat analysis with Network Analyzer
       - Automated zero-day detection with fuzzing
       - Zero-day remediation using IDS/IPS
       - Patch verification with known vulnerability data
     - Demo in practice
  5. Zero Day Vulnerability Management: Moving from Reactive to Proactive
  6. Security View: Window of Vulnerability (timeline figure)
     - Software phases: under vulnerability analysis; after product release; after the vulnerability process
     - Timeline events: bug appears, release, bug found, vuln found, vuln report, vuln fix available, patch release, advisory release, patch install
     - Exposure levels: zero exposure, limited exposure, public exposure
  7. Challenges with Vulnerability Management
     - Detect vulnerabilities as they are found
       - Not as they emerge: by then they are already hiding in the software
     - Most costs are in patch deployment
       - Crisis management: each update needs immediate attention
       - Ad-hoc deployment is prone to errors
       - Maintenance downtime can be expensive
       - New patches emerge several times a week
       - No time to test the patch
  8. Security Vulnerability = Just a Bug
  9. Codenomicon Labs Test Results
  10. Some Helpful Definitions
     - Vulnerability: a weakness in software, a bug
     - Threat/Attack: exploit/worm/virus against a specific vulnerability
     - Protocol modeling: technique for describing interface message sequences and message structures
     - Fuzzing: process and technique for security testing
     - Anomaly: abnormal or unexpected input
     - Failure: crash, busy-loop, memory corruption, or other indication of a bug in software
  11. Zero Day Vulnerability Management (ZDVM)
     - Process of:
       - Detecting attack vectors
       - Finding zero-day vulnerabilities
       - Building defenses
       - Performing patch verification
       - Deployment in one big security push
  12. Test Setup for ZDVM
     - Virtual setups are easiest to control
     - Install two or three guest machines:
       - Host running the test targets
       - Network analyzer
       - Test station running the test tools
       - Host running an IDS/IPS such as Snort
  13. Practice Targets: Known Vulnerable Software
  14. Practice Targets: Betas and Other Bad-Quality Software
     - WinSip Proxy is a good target for SIP fuzzing practice
  15. Threat Analysis Using Network Analyzers: Identify and Prioritize!
  16. Network Analysis for ZDVM
     - Problem today: NMAP only detects open server-side ports (not shown today!)
     - Instead of depending on network scanning and architecture designs, the network analyzer based approach builds the network diagram from real-life network traffic
     - Possible to detect all attack vectors and map the attack surface (protocol interfaces)
     - Extract any communications easily for reproduction and testing
  18. Network Analyzer
     % sudo vmnet-sniffer -w demo.pcap vmnet8
  19. What Can You Do With Visual Analyzers
     - 24/7 multi-point recording
     - Instant reproduction data for any incidents or customer failures in the network
     - Forensics toolkit extension
     - Rootkit and backdoor monitoring
     - And then the attack surface mapping we talked about
       - More examples when we get to traffic capture fuzzing
  20. Fuzzing for Zero Days: What You Need to Know to Prepare for Zero-Day Discovery
  21. Fuzz Test Effectiveness Against WiFi
  22. Fuzzing in Short
     - Fuzzing means crash-testing
     - Also called:
       - Negative testing
       - Robustness testing
       - Grammar testing
     - Based on sending systematically broken (rarely random) inputs to software in order to crash it
     - We will ignore random mutator fuzzers for now
     - Two techniques of smart model-based fuzzers:
       - Template-based
       - Specification-based
  23. Model-Based Fuzzing Techniques
     - Template-based fuzzing
       - Quality of tests depends on the seed used and the modeling technique
       - Very quick to develop, but slow to run
       - Editing requires deep protocol know-how
       - Good for testing around known vulnerabilities
     - Specification-based fuzzing
       - Full test coverage
       - Always repeatable
       - Short test cycle, more optimized tests
       - Easy to edit and add tests
  24. Coverage
     - Precision is about attack surface / protocol coverage:
       - All interfaces/protocols tested?
       - All message sequences tested?
       - All message structures tested?
       - All data definitions tested?
       - All "tags" (values) tested?
     - Accuracy is about anomaly coverage:
       - Anomaly categories? SQL? Buffer overflow?
       - All values: 0..65k, a..z, 0x00..0x255?
       - Combinations of anomalies?
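The precision and accuracy questions on the Coverage slide, as an added example (not code from the webinar or from Codenomicon): a toy specification-based fuzzer in Python that models the FTP USER/PASS sequence, injects one anomaly category at a time into each fuzzable field, and records failures per (message, field, category). The anomaly values, the protocol model and the server stand-in are all constructed for the example.

```python
# Added example (not from the webinar): a minimal specification-based fuzzer for the
# FTP login sequence. Precision = which messages and fields the model covers;
# accuracy = which anomaly categories are injected at each fuzzable position.

# Anomaly library grouped by category (values constructed here; commercial tools
# carry far larger libraries and also combine anomalies).
ANOMALIES = {
    "overflow": [b"A" * n for n in (256, 1024, 65535)],
    "format":   [b"%s%s%s%n", b"%x" * 64],
    "binary":   [bytes([b]) for b in (0x00, 0x0A, 0x0D, 0x7F, 0xFF)],
    "empty":    [b""],
}

# Protocol model: a message sequence, each message a verb plus (field, default, fuzzable).
FTP_LOGIN = [
    ("USER", [("user", b"anonymous", True)]),
    ("PASS", [("pass", b"guest@example.com", True)]),
]

def gen_cases(spec):
    """Yield (step, field, category, wire_bytes) for every fuzzable field x anomaly."""
    for step, (verb, fields) in enumerate(spec):
        for i, (fname, _, fuzzable) in enumerate(fields):
            if not fuzzable:
                continue
            for cat, values in ANOMALIES.items():
                for v in values:
                    args = [default for _, default, _ in fields]
                    args[i] = v
                    yield step, fname, cat, verb.encode() + b" " + b" ".join(args) + b"\r\n"

def toy_target(msg: bytes) -> str:
    """Constructed server stand-in mirroring two classic C bugs: printf(arg) and a
    128-byte stack buffer filled by strcpy(). Returns 'ok' or a failure class."""
    _, _, arg = msg.rstrip(b"\r\n").partition(b" ")
    if b"%" in arg:
        return "memory-corruption"   # format string reaches printf()
    if len(arg) >= 128:
        return "crash"               # strcpy() overruns the fixed buffer
    return "ok"

def run(spec=FTP_LOGIN):
    """Return {(step, field, category): failure_class}: the coverage view of what broke."""
    failures = {}
    for step, fname, cat, msg in gen_cases(spec):
        verdict = toy_target(msg)
        if verdict != "ok":
            failures.setdefault((step, fname, cat), verdict)
    return failures
```

The failure map answers the slide's questions directly: which message step, which field and which anomaly category produced a failure, and which categories (here binary and empty) the target survived.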
  25. Anomaly Coverage Selection
  26. FTP Fuzzing
  27. Results
  28. SIP Fuzzing & Results
     - WinSip breaks with almost any imaginable fuzz test case
  29. Traffic Capture Fuzzing
  30. Traffic Capture Fuzzing Results
     - Test against Samba seems to find a zero-day
  31. Zero Day Remediation Using IDS/IPS: Block Only What Needs to Be Blocked!
  32. Problem with IDS/IPS
     - Intrusion detection systems can only handle a limited number of fingerprints
     - Most of those monitored fingerprints are irrelevant to your specific production system
     - In the demo, the Snort IDS is used to monitor traffic
       - The default VoIP ruleset is used first
       - Then the Codenomicon additions in local.rules are loaded
  33. Blocking Zero Days with IDS/IPS
     - By default, Snort does not detect any of the attacks against WinSip Proxy
     - With tailored rules, all effective attacks can be blocked
     (Diagram boxes: Defensics SIP UAS, WinSip Proxy, Snort IDS)
  34. Load Snort Default
  35. Attack WinSip: Snort Does Not Detect
  36. Alert Raised by Codenomicon Ruleset
  37. Patch Verification for Known Issues: Do You Trust the Vendor Patches?
  38. Blind Trust in Known Vulnerabilities
     - Most patches are released in a hurry
     - Vulnerability data is not necessarily available for testing variants of the bug
     - Configuration can affect test results
     - Combining vulnerability feeds with traffic capture fuzzing will test:
       - the vulnerable software
       - the patches issued by vendors
       - the security defenses
  39. Patch Verification with Vulnerability Feeds
  40. Fuzzing with Known Vulnerabilities
     - With a PCAP, you can just load it in the traffic capture fuzzer
     - With other PoC exploits, you run them, collect the PCAP with Network Analyzer, and then fuzz it
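Template-based traffic capture fuzzing as described on slides 29, 38 and 40, as an added example (not code from the webinar or from Codenomicon): a minimal libpcap reader extracts the UDP payloads from a capture, each captured SIP message becomes the template, and every header value is replaced in turn by an anomaly. The capture builder, the SIP INVITE and the anomaly list are constructed for the example.

```python
import struct

# Constructed SIP request that stands in for a real captured exchange.
SIP_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 10.0.0.1:5060\r\nFrom: <sip:alice@example.com>\r\n"
              b"To: <sip:bob@example.com>\r\nCall-ID: 1234@10.0.0.1\r\n"
              b"CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")

def build_pcap(payloads, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", port=5060):
    """Constructed capture: libpcap global header + Ethernet/IPv4/UDP frames (no checksums)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for p in payloads:
        udp = struct.pack("!HHHH", port, port, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst) + udp
        frame = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def udp_payloads(pcap: bytes):
    """Yield the UDP payload of every IPv4/UDP frame in an Ethernet libpcap capture."""
    magic, = struct.unpack_from("<I", pcap)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # not IPv4, or not UDP
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        yield frame[14 + ihl + 8: 14 + ip_len]              # strip the 8-byte UDP header

def mutate_sip(template: bytes, anomalies=(b"A" * 4096, b"", b"-1", b"\x00")):
    """Yield (header_name, anomaly, message): each header value of the captured
    template replaced in turn, leaving the request line and body untouched."""
    head, _, body = template.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines[1:], start=1):
        name, sep, _ = line.partition(b":")
        if not sep:
            continue
        for a in anomalies:
            fuzzed = lines[:i] + [name + b": " + a] + lines[i + 1:]
            yield name, a, b"\r\n".join(fuzzed) + b"\r\n\r\n" + body
```

Because the template is whatever was on the wire, the same loop works on a capture of a public PoC exploit: the recorded request becomes the seed and the variants around it are what the slide calls testing the patch, not just the one known case.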
  41. Conclusions
     - Vulnerability management is not about known vulnerabilities and testing all of them
     - Blocking all vulnerabilities (attacks) does not work
     - The solution is to find out what is relevant to you, and block those proactively
     - The process is simple:
       - Map the attack surface
       - Test for both zero days and known issues
       - Remediate with tailored IDS rules
     - This should be a continuous process, even after deployment
  42. Our Book on Fuzzing!
     - Takanen, DeMott and Miller: “Fuzzing for Software Security Testing and Quality Assurance”
     - Aimed at the general public; you do not need to be a security specialist to read this book
     - The purpose of the book is to teach next-gen testing approaches to:
       - Software practitioners
       - Security engineers
       - Academics
  43. Proactive Security and Robustness Solutions. Thank you! Questions?
     “Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. .... Testers! Break that software (as you must) and drive it to the ultimate - but don’t enjoy the programmer’s pain.” [from Boris Beizer]