“PerformFuzz” on Application’s Web Interface. Aniket Kulkarni, Symantec, India.
Agenda. Brief Overview. Performance Testing, Fuzzing & Fuzzer. What Can Be Fuzzed & Common Defects? What Is PerformFuzz? Packet\Port Fuzzing. How Fuzzing Degrades Performance? View Of Original & Malicious Packets.
Agenda Contd. Impact On 3rd Party Components. Case Study & Crash Analysis. Best Practices To Avoid Such Potholes. References.
Brief Overview. Focus on “Performance & Security”. It is an attack that affects an application’s “Performance & Availability”. The security test technique is “Fuzzing”. The target is the application's web interface. Performance + Fuzzing = “PerformFuzz”.
What Is Performance Testing? A system check for responsiveness, throughput and scalability under a given workload. The outcome helps to decide: production readiness, evaluation of the application against performance, finding the root cause of performance issues.
What’s Fuzzing & What Can Be Fuzzed? It is a technique to inject random bad data into an application to see what breaks! Any type of application input can be fuzzed: network protocols, files, GUI, inter-process communication, etc. Note: Since we aim to fuzz the application’s web interface, we will consider only network protocol\port fuzzing for the current topic.
What Is a Fuzzer? A fuzzer is just a tool that generates gibberish data. A few available fuzzers are: SPIKE, PEACH, DFUZ, GPF (General Purpose Fuzzer) & SULLEY. [Diagram: Original Input, Fuzzer, Input Files, Software Application.]
Common Defects Found By Fuzzing. Buffer Overflow. Integer Overflow. Invalid Memory Reference. Infinite Loop. 3rd Party Components May Sit, Compromising Application. Degraded Performance Of Web Interface (DoER). In quotes, it gives a crash (termed DoS, Denial of Service); if analyzed in depth, one of the above is detected.
So, What’s PerformFuzz? It’s packet fuzzing. Increasing “Render Response Time” by applying multiple fuzzing instances is PerformFuzz. Causes “DoER” & “DoS”. Note: Once an attacker successfully slows down performance, it is a key achievement that makes him confident of the next stage: that it’s going to be a definite crash!
How Is Packet\Port Fuzzing Done? Way-1: Trapping valid packets, detecting magic strings, modifying those and resending them to the respective target. Way-2: Bombarding the respective target with malicious packets automatically.
But How Does Performance Degrade? Defensive security talk: need to research attacks and then mitigation. Opting for Way-2: automated bombarding. Application response with a single fuzzing instance. Craft instances till “Render Response Time” is increased. Once the render response time is caught, performance is tuned negatively just by moving the number of these instances up and down.
View: Ideal & Malicious Packet. Ideal Network Packet. Malicious Network Packet.
Impact On 3rd Party Components. Fuzzing target is http://ip address: port no/. Sometimes the web server gets impacted. Next is our own application. Among “CIA”: A (Availability) of an application is hampered 100%.
Case Study & Crash Analysis. Description: Fuzzing was performed by sending random packets to the port on which the “ABC” server was listening. Multiple network fuzzers were made to send random packets to the port simultaneously. Degraded application performance was observed, with its render response time increasing. Finally, a crash was observed in the JVM, bringing down Tomcat, due to a race condition in JVM threads. The crash has been reproduced multiple times up to J6U21, which was the latest Java update when this was first encountered. Crash Analysis!
Best Practices To Avoid Such Issues. Server-Side Validation. Latest OS & Application Vendor Patches. Run Firewall & Intrusion Detectors. Big Fish Have Implemented “CAPTCHA”.
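
A defender-side check for the pattern this deck describes (render response time rising while malformed packets arrive from several fuzzing instances), as an added example that is not from the original slides. The record layout, the use of HTTP 400 to mark a malformed request, the thresholds and the function name `detect_doer` are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (epoch_second, client, http_status, response_ms).
# Assumption: status 400 marks a request rejected as malformed.
SAMPLE = (
    [(t, "10.0.0.5", 200, 120 + t % 7) for t in range(0, 60, 5)]
    + [(60 + t, "10.0.0.5", 200, 130 + 40 * (t // 10)) for t in range(0, 60, 5)]
    + [(60 + t, f"10.0.9.{t % 3}", 400, 5) for t in range(0, 60, 2)]
    + [(120 + t, "10.0.0.5", 200, 900 + 10 * t) for t in range(0, 60, 5)]
    + [(120 + t, f"10.0.9.{t % 6}", 400, 5) for t in range(60)]
)


def detect_doer(records, window_s=60, factor=1.5, min_bad_ratio=0.3):
    """Flag windows where valid-request latency is >= factor x baseline
    while malformed requests make up >= min_bad_ratio of the traffic."""
    buckets = defaultdict(lambda: {"ok_ms": [], "bad": 0, "bad_src": set()})
    for ts, client, status, ms in records:
        b = buckets[ts - ts % window_s]
        if status == 400:
            b["bad"] += 1
            b["bad_src"].add(client)
        else:
            b["ok_ms"].append(ms)
    starts = sorted(buckets)
    if not starts or not buckets[starts[0]]["ok_ms"]:
        raise ValueError("first window must hold valid requests for a baseline")
    baseline = median(buckets[starts[0]]["ok_ms"])  # assumed clean traffic
    alerts = []
    for start in starts[1:]:
        b = buckets[start]
        bad_ratio = b["bad"] / (len(b["ok_ms"]) + b["bad"])
        # No valid response at all in a window counts as worst-case slowdown.
        med = median(b["ok_ms"]) if b["ok_ms"] else None
        slow = med is None or med >= factor * baseline
        if slow and bad_ratio >= min_bad_ratio:
            alerts.append({"window": start, "median_ms": med,
                           "bad_ratio": round(bad_ratio, 2),
                           "bad_sources": len(b["bad_src"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_doer(SAMPLE):
        print(alert)
```

Requiring both conditions keeps ordinary load spikes and harmless malformed traffic from alerting; the growing `bad_sources` count across windows mirrors the slide's point about adding fuzzing instances.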
What’s Out From This Presentation? DoER. DoS. Importance Of 3rd Party Components. Might Be A Small Test Under Your Performance & Security Test Strategy.
Question To Think About? Is This Going To Hamper Cloud Clients? Anyway, that’s under research with us; let’s see what we bring up next.
Questions?
The End. Thank You! Aniket Kulkarni, Product Security Group, Symantec.
