The document discusses zero day vulnerability management, emphasizing the need for proactive security measures and effective fuzzing techniques for detecting and remediating vulnerabilities. It details the fuzzing process, including types of fuzzing methodologies, and the importance of mapping the attack surface and testing against known vulnerabilities. Additionally, it highlights the challenges in vulnerability management and the significance of continuous monitoring and tailored intrusion detection systems.

1. Zero Day Vulnerability Management Fuzzing 101 Ari Takanen, CTO of Codenomicon July 6th, 2010

2. Fuzzing 101: The webcast series for fuzzing industry Vendor neutral presentations on fuzzing technologies and use-cases Includes invited speakers from the industry Codenomicon: Fuzzing research since 1996 2001, Spinoff from University of Oulu 50-100% annual growth in number of customers and revenues in fuzzing industry About Fuzzing 101 and Codenomicon

3. About Ari Takanen The Past: Researcher and Lecturer 1998-2002 University of Oulu OUSPG/PROTOS research group Software Quality related lectures The Present: Entrepreneur and Evangelist 2001-today CTO of Codenomicon Evangelist: 10 conference talks every year Author of two books: VoIP Security Fuzzing

4. Agenda Intro: Zero Day Vulnerability Management Demo in Theory Threat analysis with Network Analyzer Automated ZD detection with Fuzzing ZD remediation using IDS/IPS Patch verification with known vulnerability data Demo in Practice

5. Zero Day Vulnerability Management Moving from Reactive to Proactive

6. Security View: Window of Vulnerability SW - under vulnerability analysis SW - after product release SW - after the vulnerability process TIME BUG APPEARS RELEASE BUG FOUND VULN FOUND VULN REPORT VULN FIX AVAIL. PATCH RELEASE ADVISORY RELEASE PATCH INSTALL Zero Exposure Limited Exposure Public Exposure

7. Challenges with Vulnerability Management Detect Vulnerabilities as they are found Not as they emerge, they are in the hiding already Most costs are in patch deployment Crisis management, each update needs immediate attention Ad-hoc deployment is prone to errors Maintenance downtime can be expensive New patches emerge several times a week No time to test the patch

8. Security Vulnerability = Just A Bug

9. Codenomicon Labs Test Results http://www.codenomicon.com/labs/results

10. Some Helpful Definitions Vulnerability – a weakness in software, a bug Threat/Attack – exploit/worm/virus against a specific vulnerability Protocol Modeling – Technique for explaining interface message sequences and message structures Fuzzing – process and technique for security testing Anomaly – abnormal or unexpected input Failure – crash, busy-loop, memory corruption, or other indication of a bug in software

11. Zero Day Vulnerability Management (ZDVM) Process of: Detecting attack vectors Finding zero-day vulnerabilities Building defenses Performing patch verification Deployment in one big security push

12. Test Setup for ZDVM Virtual setups are easiest to control Install two or three guest machines: Host running test targets Network analyzer Test station running the test tools Host running IDS/IPS such as Snort

13. Practice Targets: Known Vulnerable Software

14. Practice Targets: Betas and other bad quality stuff WinSip Proxy is a good target for SIP fuzzing practice

15. Threat Analysis using Network Analyzers Identify and prioritize!

16. Network Analysis for ZDVM Problem today: NMAP only detects open server-side ports (not shown today!) Instead of depending on network scanning and architecture designs, network analyzer based approach builds network diagram from real-life network traffic Possible to detect all attack vectors and map the attack surface (protocol interfaces) Extract any communications easily for reproduction and testing

18. Network Analyzer % sudo vmnet-sniffer -w demo.pcap vmnet8

19. What Can You Do With Visual Analyzers 24/7 Multi-point recording Instant reproduction data of any incidents or customer failures in the network Forensics toolkit extension Rootkit and Backdoor monitoring And then the attack surface mapping we talked about More examples when we get to traffic capture fuzzing

20. Fuzzing for Zero Days What you need to know to prepare for zero day discovery

21. Fuzz Test Effectiveness against WiFi

22. Fuzzing In Short Fuzzing means crash-testing Also called: Negative testing Robustness testing Grammar testing Based on sending systematically broken (rarely random) inputs to a software, in order to crash it We will ignore random mutator fuzzers for now Two techniques of smart model-based fuzzers: Template-based Specification-based

23. Model Based Fuzzing Techniques Template Based Fuzzing Quality of tests is based on the used seed and modeling technique Very quick to develop, but slow to run Editing requires deep protocol know-how Good for testing around known vulnerabilities Specification Based Fuzzing Full test coverage Always repeatable Short test cycle, more optimized tests Easy to edit and add tests

24. Precision is about attack surface/protocol coverage All interfaces/protocols tested? All message sequences tested? All message structures tested? All data definitions tested? All “tags” (values) tested? Accuracy is about anomaly coverage Anomaly categories? SQL? Buffer overflow? All values: 0..65k, a..z, 0x00..0x255 ? Combinations of anomalies? Coverage

25. Anomaly Coverage Selection

26. FTP Fuzzing

27. Results

28. SIP Fuzzing & Results WinSip breaks with almost with any imaginable fuzz test case

29. Traffic Capture Fuzzing

30. Traffic Capture Fuzzing Results Test against samba seems to find zero-day

31. Zero Day Remediation Using IDS/IPS Block only what needs to be blocked!

32. Problem with IDS/IPS Intrusion Detection Systems can only handle limited amount of fingerprints Most of those monitored fingerprints are irrelevant to your specific production system In the demo, the Snort IDS system is used to monitor traffic Default VoIP ruleset is used first Then Codenomicon additions in local.rules are loaded

33. Blocking Zero Days with IDS/IPS By default, Snort does not detect any of the attacks against WinSip Proxy With tailored rules, all effective attacks can be blocked DEFENSICS SIP UAS WINSIP PROXY SNORT IDS

34. Load Snort default

35. Attack WinSip – Snort Does Not Detect

36. Alert Raised by Codenomicon Ruleset

37. Patch Verification for Known Issues Do you trust the vendor patches?

38. Blind Trust on Known Vulnerabilities Most patches are released in a hurry Vulnerability data is not necessarily available for testing variants of the bug Configuration can affect test results Combining vulnerability feeds with traffic capture fuzzing will test the vulnerable software the patches issued by vendors the security defenses

39. Patch Verification with Vulnerability Feeds

40. Fuzzing with Known Vulnerabilities With PCAP, you can just load it in the traffic capture fuzzer With other POC exploits, you run them and collect the PCAP with Network Analyzer, and then fuzz it

41. Conclusions Vulnerability management in not about known vulnerabilities, and testing all of them Blocking all vulnerabilities (attacks) does not work The solution is to find out what is relevant to you, and block those proactively Process is simple: Map the attack surface Test for both zero days and known issues Remediate with tailored IDS rules This should be continuous process even after deployment

42. Our Book On Fuzzing! http://www.fuzz-test.com/book/ Takanen, DeMott and Miller: “Fuzzing for Software Security Testing and Quality Assurance” Aimed at the general public, you do not need to be a security specialist to read this book Purpose of the book is to teach next-gen testing approaches to: Software practitioners Security engineers Academics

43. PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS THANK YOU – QUESTIONS? “ Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. .... Testers! Break that software (as you must) and drive it to the ultimate - but don’t enjoy the programmer’s pain.” [from Boris Beizer]