Codenomicon Fuzzing 101 webinar, 15 March 2011
Juha-Matti Tirilä, Tero Rontti
Unknown Vulnerability Management for Telecommunications
About the speakers
- Juha-Matti Tirilä, security researcher: robustness testing methods, quality management processes, software security economics. Collaboration with University of Oulu researchers. Background in applied mathematics and software development.
- Tero Rontti, security specialist: security testing tools for Codenomicon products for seven years. Extensive experience in telecommunication security testing tools, VoIP and IMS in particular.
Outline
- About Codenomicon and Fuzzing 101
- About the speakers
- Why we are here: prevent serious software deployment mistakes from happening!
- Introduction to telecommunications: the trends and attack vectors
- Unknown vulnerability management
- A case study: MPEG2-TS
- Questions and answers
About Codenomicon & Fuzzing 101
Fuzzing 101:
- The webcast series for the fuzzing industry
- Vendor-neutral presentations on fuzzing technologies and use cases
- Includes invited speakers from the industry
Codenomicon:
- Fuzzing research since 1996
- 2001: spin-off from the University of Oulu
- 50-100% annual growth in number of customers and revenues in the fuzzing industry
Some Helpful Definitions
- Vulnerability: a weakness in software, a bug
- Threat/Attack: exploit/worm/virus against a specific vulnerability
- Protocol modeling: technique for explaining interface message sequences and message structures
- Fuzzing: process and technique for security testing
- Anomaly: abnormal or unexpected input
- Failure: crash, busy loop, memory corruption, or other indication of a bug in software
The Challenge: Unknown Vulnerabilities Are Everywhere
Telecommunications
- Telephony
- Broadcasting: TV, radio
- Networked IT communications: Internet, VoIP, IPTV, Next Generation Networks, triple play
- Growing number of smartphones, need to support legacy technologies
- Growing complexity, growing number of technologies and interfaces, the transition from IPv4 to IPv6
Problems
Need for more testing, quality assurance, interoperability checks... Guaranteed
Attack vectors in telecommunications
Smartphone security
- Mobiles resemble computers in all aspects, except the level of protection.
- Until now, the lack of suitable hacking tools and motivation has protected mobiles.
- But mobile internet and the growing amount of critical information stored on handheld devices is changing the situation.
- Hackers exploit coding errors, e.g., to enslave phones into botnets.
- Convergence of both hardware and software platforms → risk
Next Generation Network security
Critical interfaces:
Software testing: approaches
Robustness testing
Robustness testing: testing whether a system is able to function in a reasonable manner under unexpected or invalid circumstances, e.g. not crash, no unauthorized privilege escalation, no confidential data exposure, etc.
Specification vs. implementation
Robustness testing: the two approaches
In theory, either:
- Logically deduce that nothing catastrophic ever happens, for any input, OR
- Test every possible input and monitor the software
In practice: both approaches to some extent.
Question: How well do you think you are doing, considering the complexity and amount of the code you are using or developing?
It is the practically infinite input space that makes 100% robustness unattainable.
Definition of fuzzing
Fuzzing is a technique for intelligently and automatically generating and passing into a target system valid and invalid message sequences to see if the system breaks.
Types of fuzzing
- Random fuzzing: Apple, 1980's; Barton P. Miller, 1980's and 1990's
- Template-based fuzzing: capture traffic OR use sample files OR... → create mutated test cases
- Specification-based fuzzing: model the specification, inject anomalies, transmit to target system
Fuzzing in the Microsoft SDL
Fuzzing Is Becoming Widely Adopted
- Commonly used by hackers
- Majority of all vulnerabilities are found using fuzzing
- First adopted by equipment manufacturers in 2001
  - E.g. 80% of top network equipment manufacturers today depend on Codenomicon testing solutions
- Since 2005, most new adopters were service providers
  - Most leading USA telecom service providers have integrated Codenomicon fuzzing into acceptance tests
- During 2008-2010, fuzzing was adopted by critical infrastructure and enterprise end-users: SCADA industry, finance, government, on-line commerce
Unknown vulnerability management: goal
Unknown Vulnerability Management (UVM) is a framework:
- For helping you understand the overall process of applying proper testing procedures
- For underlining the importance of good testing management
- For unifying the terminology so that communication concerning security testing is facilitated
- For helping you understand that a well-designed testing program should be considered loss prevention, not an extra cost
- For emphasizing that security is like quality: it has to be incorporated throughout; it cannot be added to a product afterwards.
Challenges with Vulnerability Management
- Detect vulnerabilities as they are found, not as they emerge: they are already in hiding
- Most costs are in patch deployment
  - Crisis management: each update needs immediate attention
  - Ad-hoc deployment is prone to errors
  - Maintenance downtime can be expensive
- New patches emerge several times a week: no time to test the patch
Cost-benefit of proactive security testing
Unknown vulnerability management: overview
Process of:
- Detecting attack vectors
- Finding zero-day vulnerabilities
- Building defenses
- Performing patch verification
- Deployment in one big security push
Phase 1: Attack Surface Analysis
Tools: port scanners, resource scanners, network analyzers
Insight: Codenomicon Network Analyzer identifies what needs to be tested within your network
- Record traffic at multiple points in your network
- Automatically visualize the network
- You can drill up and down from high-level visualizations to inspecting the corresponding packet data
- Real-time analysis
- Reveal hidden interfaces and possible exploits
Phase 2: Test
Fuzzing means crash-testing: discover both known and previously unknown vulnerabilities with unparalleled efficiency.
- Specification-based tools for over 200 protocols
  - Tools contain all the possible protocol messages and structures
  - Genuinely interoperate with the tested system, exposing vulnerabilities even in deeper protocol layers
- General-purpose fuzzers
  - Defensics XML Fuzzer can test all XML applications
  - The Traffic Capture Fuzzer uses real traffic
  - Generic File Format Fuzzer tests all file formats
Phase 3: Report
Codenomicon test suites generate different reports for different audiences:
- Management reports provide a high-level overview of the test execution
- Log files and spreadsheets help you identify troublesome tests and minimize false negatives
- Individual tests, by augmenting the already extensive test case documentation with PCAP traffic recordings
- Remediation packages can be sent to third parties for automated reproduction
Phase 4: Mitigate
- Mitigation tools quickly and easily reproduce vulnerabilities, perform regression testing and verify patches
- The tools automatically generate reports, which contain a risk assessment and CWE values for the found vulnerabilities and direct links to the test suites that triggered the vulnerabilities
- Identification of the test cases that triggered the vulnerability is critical
- The test case documentation can be used to create tailored IDS rules to block possible zero-day attacks.
UVM: Conclusion (1/2)
- Vulnerability management is not about known vulnerabilities, and testing all of them
- The solution is to find unknown vulnerabilities that are relevant to you
- All critical devices and systems need testing: databases and backend systems; operator's network and broadcasting infrastructure; web service infrastructure; email and VPN; mobile handsets
- Share information between R&D and IT teams on best practices and tools

UVM: Conclusion (2/2)
- Security is not about security mechanisms
- For full security analysis, you should study: threats, attacks, vulnerabilities, architectures, countermeasures
- Unknown Vulnerability Management is about identification and elimination of zero-day vulnerabilities
- Security is a process, not a product!

Case study: MPEG2-TS
We will demonstrate:
- The first steps of deploying our test tool
- A player crash caused by a fuzzed file
Note: it is not just a player-level issue: MPEG2 streams need to be parsed at various nodes in a streaming context, and crashes on these nodes could be critical for QoS.
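Added example, not the webinar's own code nor Codenomicon's tooling, tying the specification-based fuzzing of the "Types of fuzzing" slide to this MPEG2-TS case study: a modeled 188-byte TS packet gets anomalies injected into its adaptation_field_length and is fed to a parser that trusts the declared length (the crash class a fuzzed file triggers) and to one that validates it first. The packet layout and length limits follow ISO/IEC 13818-1; all packets are constructed inline, and no real player or stream is involved.

```python
# Added example (not the webinar's code): spec-based MPEG2-TS anomalies vs. two parsers.
TS_LEN, SYNC = 188, 0x47                       # fixed packet size and sync byte

def build_packet(pid, af_len=None, payload=b"\xAA" * 10):
    """Model one TS packet; af_len is the *declared* adaptation_field_length (may be wrong)."""
    afc = 0b01 if af_len is None else 0b11     # adaptation_field_control: payload / both
    hdr = bytes([SYNC, 0x40 | (pid >> 8) & 0x1F, pid & 0xFF, (afc << 4) | 0x01])
    af = b"" if af_len is None else bytes([af_len]) + b"\xFF" * min(af_len, 182)
    pkt = (hdr + af + payload)[:TS_LEN]
    return pkt + b"\xFF" * (TS_LEN - len(pkt))  # 0xFF stuffing up to 188 bytes

def parse_naive(pkt):
    """Trusts the declared length: the bug class behind a player crash."""
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc = (pkt[3] >> 4) & 0x03
    start = 4 + (1 + pkt[4] if afc & 0b10 else 0)
    return pid, (pkt[start] if afc & 0b01 else None)   # IndexError once start >= 188

def parse_hardened(pkt):
    """Checks every length before use: malformed input is an error, not a crash."""
    if len(pkt) != TS_LEN or pkt[0] != SYNC:
        raise ValueError("bad packet length or sync byte")
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc, start = (pkt[3] >> 4) & 0x03, 4
    if afc & 0b10:                             # ISO/IEC 13818-1: 0..182 with payload, 183 without
        if pkt[4] > (182 if afc & 0b01 else 183):
            raise ValueError("adaptation_field_length exceeds packet")
        start = 5 + pkt[4]
    return pid, (pkt[start:] if afc & 0b01 else b"")

def anomaly_cases():
    """Constructed cases: the modeled valid packet, then one field broken at a time."""
    base = build_packet(pid=0x100)
    return {"valid": base,
            "sync_byte_zero": b"\x00" + base[1:],
            "af_len_overflow": build_packet(pid=0x100, af_len=0xFF),
            "af_len_max_valid": build_packet(pid=0x100, af_len=182),
            "truncated": base[:100]}

def run_campaign(parser):
    """Map each case to 'ok', 'rejected' (clean error) or 'FAILURE' (unhandled exception)."""
    results = {}
    for name, pkt in anomaly_cases().items():
        try:
            parser(pkt)
            results[name] = "ok"
        except ValueError:
            results[name] = "rejected"
        except Exception:                      # what a fuzzer's target monitor would flag
            results[name] = "FAILURE"
    return results
```

Running run_campaign over both parsers shows the naive one failing on the overflowing adaptation_field_length while the hardened one rejects every anomaly cleanly and still accepts the boundary-valid packet.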
PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS
"Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. ... Testers! Break that software (as you must) and drive it to the ultimate - but don't enjoy the programmer's pain." [from Boris Beizer]
THANK YOU – QUESTIONS?