					                DEFEND. THEN DEPLOY.

                         Penetration Testing
                        and Fuzzing in SDLC

                              EC-Council
                       Hacker Halted Miami 2010

                            Ari Takanen,
                         CTO of Codenomicon

                            Oct 14th, 2010




WWW.CODENOMICON.COM
                  About Ari Takanen

       The Past: Researcher and Lecturer
         •    1998-2002
         •    University of Oulu
         •    OUSPG/PROTOS research group
         •    Software Quality related lectures

       The Present: Entrepreneur and Evangelist
         •    2001-today
         •    CTO of Codenomicon
         •    Evangelist: 10 conference talks every year
         •    Author of two books:
               •  VoIP Security
               •  Fuzzing




                Example:
                Where is Fuzzing in Microsoft SDL?

                Fuzzing happens in the Verification phase of the SDL

                                Typical Fuzzing Process

      Identify interfaces -> Input generation -> Sending inputs -> Target analysis -> Exception analysis -> Report

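As an added example (not from the talk and not Codenomicon code), here is the loop from the figure run entirely in-process in Python so that it works offline: a four-command model stands in for the interface inventory, a handful of systematic anomalies for input generation, a constructed parser with two planted defects (an unchecked 256-byte argument buffer and a PORT handler that waits forever for fields that never arrive) stands in for the server, and a SIGALRM timer does the exception analysis that a real setup gets from process monitoring, logs and a network analyzer. FTP_COMMANDS, ANOMALIES, fragile_parser and the Finding record are all constructed for this illustration; the timer needs a Unix Python running in the main thread.

```python
import signal
from dataclasses import dataclass

# 1. Identify interfaces: the FTP control channel, reduced to four commands
#    (constructed model; a real inventory comes from specs and captured traffic).
FTP_COMMANDS = ("USER", "PASS", "CWD", "PORT")

# 2. Input generation: systematic, not random. One representative per anomaly
#    category is enough to drive the loop (a real generator carries hundreds).
ANOMALIES = {
    "empty": b"",
    "overflow-1k": b"A" * 1024,
    "nul-byte": b"a\x00b",
    "high-bit": bytes(range(0x80, 0x100)),
    "port-short": b"127,0,0",      # too few comma-separated fields for PORT
}

def generate_tests():
    """Every command x every anomaly -> (test id, raw control-channel line)."""
    return [(f"{cmd}/{name}", cmd.encode() + b" " + payload + b"\r\n")
            for cmd in FTP_COMMANDS for name, payload in ANOMALIES.items()]

# 3. Target: a constructed stand-in for the server under test, with two planted defects.
def fragile_parser(line: bytes) -> str:
    cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
    buf = bytearray(256)
    memoryview(buf)[:len(arg)] = arg    # defect 1: no length check; >256 bytes raises ValueError
    if cmd == b"PORT":
        fields = arg.split(b",")
        while len(fields) < 6:          # defect 2: "wait for more data" that never arrives
            pass
    return "200 OK"

# 4. Exception analysis: classify each outcome. SIGALRM stands in for the watchdog
#    or instrumentation that notices a hung target in a real test setup.
class _Hang(Exception):
    pass

def _alarm(signum, frame):
    raise _Hang()

@dataclass
class Finding:
    test_id: str
    verdict: str       # "ok" | "crash" | "busy-loop"
    detail: str
    reproducer: bytes  # the exact bytes to resend when handing the bug to a developer

def run_case(test_id, line, target=fragile_parser, timeout=0.1):
    """Send one input to the target and classify what happened."""
    previous = signal.signal(signal.SIGALRM, _alarm)
    signal.setitimer(signal.ITIMER_REAL, timeout)
    try:
        target(line)
        return Finding(test_id, "ok", "", line)
    except _Hang:
        return Finding(test_id, "busy-loop", f"no response within {timeout}s", line)
    except Exception as exc:
        return Finding(test_id, "crash", f"{type(exc).__name__}: {exc}", line)
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)
        signal.signal(signal.SIGALRM, previous)

def fuzz(target=fragile_parser):
    """Run the whole test set and keep only the failures."""
    results = [run_case(tid, line, target) for tid, line in generate_tests()]
    return [f for f in results if f.verdict != "ok"]

# 5. Report: one line per failure with its reproducer; the reproducers double as
#    the regression suite once the developer has shipped a fix.
def report(failures):
    out = [f"{len(failures)} failing test cases"]
    for f in failures:
        out.append(f"  {f.test_id:<18} {f.verdict:<9} {f.detail:<40} repro={f.reproducer[:16]!r}")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(fuzz()))
```

Against this target the 20 cases produce four crashes (the 1 KB argument on every command) and four busy-loops (every PORT argument with fewer than six fields). Each Finding keeps the exact bytes that triggered it, which is the reproduction material the Verification-phase slide asks for when failures are handed to developers.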
                Fitting the Fuzzing Process into the SDLC




                          Pre-Verification Phases



    http://www.codenomicon.com/sdl-fuzzing/


    Focus areas:
     •    Attack surface and threat modeling
     •    Test requirements for fuzzing
     •    Interface design and specification
     •    Implement observability
     •    Use of (fuzzer) models as interop target
     •    Use in Unit Testing by programmers




                          Fuzzing in the Verification Phase



    http://www.codenomicon.com/sdl-fuzzing/


    Focus areas:
     •    Responsibility for Fuzzing
     •    Test prioritization, plan and documentation
     •    Test execution, automation
     •    Reporting, and failure reproduction for developers
     •    Regression testing




                            Post-Verification



    http://www.codenomicon.com/sdl-fuzzing/


    Focus areas:
     •    Prepare for vulnerability discovery using third-party tools
     •    Feedback of reported problems back to development and testing
     •    Constant automated regression tests
     •    Fuzzing at customer deployment configurations




                  What You Need To Do This Yourself

       Install Java Runtime
       Download our free FTP fuzzer:
         •    https://www.codenomicon.com/download/ftp/
         •    Username: codenomicon
         •    Password: HH2010
         •    (note that this account is valid only for few days!)
       Find a test target:
         •    For Linux, you can try e.g. wzdftpd 0.8.0
         •    (or basically any small FTP server in sourceforge)


       10 minutes, and you should be doing fuzzing!
       30 minutes later, you should be done with tests…




                  Security View: Window of Vulnerability (timeline)

       SW - after product release (Zero Exposure):
         BUG APPEARS -> RELEASE -> BUG FOUND
       SW - under vulnerability analysis (Limited Exposure):
         VULN FOUND -> VULN REPORT -> VULN FIX AVAIL.
       SW - after the vulnerability process (Public Exposure):
         PATCH RELEASE -> ADVISORY RELEASE -> PATCH INSTALL



                  Security Vulnerability = Just A Bug






                  Some Helpful Definitions

       Vulnerability – a weakness in software, a bug
       Threat/Attack – exploit/worm/virus against a
        specific vulnerability
       Protocol Modeling – Technique for explaining
        interface message sequences and message
        structures
       Fuzzing – process and technique for security
        testing
       Anomaly – abnormal or unexpected input
       Failure – crash, busy-loop, memory corruption,
        or other indication of a bug in software



                  Fuzzing In Short

       Fuzzing means crash-testing
       Also called:
         •    Negative testing
         •    Robustness testing
         •    Grammar testing
       Based on sending systematically broken
        (rarely random) inputs to software, in order
        to crash it
       We will ignore random mutator fuzzers for now
       Two techniques of model-based fuzzers:
         •    Template-based
         •    Specification-based



                  Model Based Fuzzing Techniques

       Template Based Fuzzing
         •    Quality of tests is based on the used seed and
              modeling technique
         •    Very quick to develop, but slow to run
         •    Editing requires deep protocol know-how
         •    Good for testing around known vulnerabilities

       Specification Based Fuzzing
         •    Full test coverage
         •    Always repeatable
         •    Short test cycle, more optimized tests
         •    Easy to edit and add tests




                        Fuzzing Process
                  Step 1: Prepare Test Targets




                  Test Setup

       Virtual setups are easiest to control


       Install two or three guest machines:
         •    Test station running the tools
         •    Network analyzer (separate host or same as above)
         •    Host running test targets






                  Known Vulnerable Software






                  Install Test Target(s)

       % wget (install package)
       % ./configure
       % sudo make install
       % cd /usr/local/etc/
       % sudo cp users.sample users

                  Run Test Target(s)

       % cd
       % sudo pkill ftp
       % sudo wzdftpd -s &
       % sudo tail -f /usr/local/var/log/wzdftpd/wzd.log






                       Fuzzing Process
                Step 2: Map the attack surface




                  Network Analysis for Pentests

       Problem today: NMAP only detects open
        server-side ports (not shown today!)


       Instead of depending on network scanning
        and architecture designs, a network-analyzer-based
        approach builds the network diagram from
        real-life network traffic
       Possible to detect all attack vectors and map
        the attack surface (protocol interfaces)
       Extract any communications easily for
        reproduction (and further fuzzing)



                  Network Analyzer

       % sudo vmnet-sniffer -w demo.pcap vmnet8	








                     Fuzzing Process
            Step 3: Launch your favorite fuzzer




                  FTP Fuzzing






                  Results






                      Traffic Capture Fuzzing






                  Traffic Capture Fuzzing Results

          Test against samba seems to find zero-day






                  Fuzz Test Effectiveness against WiFi






                        Coverage

       Precision is about attack surface/protocol coverage:
         •    All interfaces/protocols tested?
         •    All message sequences tested?
         •    All message structures tested?
         •    All data definitions tested?
         •    All “tags” (values) tested?

       Accuracy is about anomaly coverage:
         •    Anomaly categories? SQL? Buffer overflow?
         •    All values: 0..65k, a..z, 0x00..0x255 ?
         •    Combinations of anomalies?
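The anomaly-coverage column is a sizing question, and an added Python example (not from the talk, and not Defensics code) makes it concrete: for the six 8-bit fields of a PORT argument it contrasts "all values" with a boundary-value selection per field, and counts what single, pairwise and triple anomaly combinations cost while the untouched fields keep a valid value. The field list, the valid baseline, the integer widths and the anomaly sets are constructed for this illustration.

```python
from itertools import combinations, product

INT_BITS = {"u8": 8, "u16": 16, "u32": 32}   # constructed field-type table

def exhaustive_count(fields):
    """'All values' for every field at once: the product of the integer ranges.
    Returns None when a field is unbounded (strings), which is exactly why a
    selection is needed instead."""
    total = 1
    for _, ftype in fields:
        if ftype not in INT_BITS:
            return None
        total *= 2 ** INT_BITS[ftype]
    return total

def anomalies_for(ftype):
    """Anomaly selection per field type. Integers: the edges and off-by-ones of
    the range (sign, wrap and bounds bugs live there) plus one far-out value.
    Strings: one representative per category named on the slide."""
    if ftype in INT_BITS:
        top = 2 ** INT_BITS[ftype]
        return [b"-1", b"0", b"1",
                str(top // 2 - 1).encode(), str(top // 2).encode(),
                str(top - 1).encode(), str(top).encode(), str(2 ** 64).encode()]
    if ftype == "string":
        return [b"A" * 256, b"A" * 65536,           # buffer-overflow lengths
                b"'",                               # SQL metacharacter
                b"%s%n",                            # format string
                b"\x00", bytes(range(0x80, 0x100))] # NUL, high-bit bytes
    raise ValueError(f"no anomaly set for {ftype}")

def build_cases(fields, valid, combine=1):
    """Materialise test arguments: every group of 'combine' fields gets every
    combination of its anomalies while the remaining fields keep their valid
    value. Returns comma-joined byte strings (the PORT argument layout)."""
    names = [n for n, _ in fields]
    types = dict(fields)
    cases = []
    for group in combinations(names, combine):
        for combo in product(*(anomalies_for(types[n]) for n in group)):
            values = dict(valid)
            values.update(zip(group, combo))
            cases.append(b",".join(values[n] for n in names))
    return cases

def plan(fields, valid, max_combine=3):
    """Test count per combination depth: the number used to decide how deep
    anomaly combinations are worth running in the available test window."""
    return {k: len(build_cases(fields, valid, k)) for k in range(1, max_combine + 1)}

# Constructed message structure: PORT h1,h2,h3,h4,p1,p2 (six 8-bit numbers)
# and a valid baseline argument.
PORT_FIELDS = [(n, "u8") for n in ("h1", "h2", "h3", "h4", "p1", "p2")]
PORT_VALID = {"h1": b"127", "h2": b"0", "h3": b"0", "h4": b"1", "p1": b"4", "p2": b"1"}

if __name__ == "__main__":
    print("exhaustive:", exhaustive_count(PORT_FIELDS))
    print("selected:  ", plan(PORT_FIELDS, PORT_VALID))
```

With eight selected values per field, single-field anomalies cost 48 cases, pairs 960 and triples 10240, against 256^6 for every value of every field at once; the selection keeps the per-field categories and the combinations question answerable within a test cycle.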


                Anomaly Coverage Selection




                          Fuzzing Scalability



    Software-based Fuzzers scale for all testing needs
     •    The throughput depends only on the available hardware
     •    The entire Network Under Test (NUT) can be virtualized
     •    Software fuzzers can attack every interface, and against all
          protocol layers
           •  XML
           •  HTTP
           •  TLS
           •  TCP/IP




                      Generating Load with Defensics

          •    Full model-based message sequences
          •    Options for monitoring, instrumentation, fuzzing, …
          •    Amount of available CPUs and Logging Level impact performance
          •    Some speed records (test cases per second):
                 •  TLS: 2.400 tc/s
                 •  IPv6: 4.500 tc/s
                 •  HTTP: 16.000 tc/s
                 •  DNS: 41.000 tc/s (with capture replay)

          NOTE: 50x CPU UTILIZATION WITH ANOMALOUS TRAFFIC

                  Our Book On Fuzzing!

                           http://www.fuzz-test.com/book/
                           Takanen, DeMott and Miller:
                            “Fuzzing for Software Security
                            Testing and Quality Assurance”
                           Aimed at the general public, you do
                            not need to be a security specialist
                            to read this book
                           Purpose of the book is to teach
                            next-gen testing approaches to:
                            •    Software practitioners
                            •    Security engineers
                            •    Academics



                PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS

                 THANK YOU – QUESTIONS?


                “Thrill to the excitement of the chase!
                 Stalk bugs with care, methodology,
                  and reason. Build traps for them.
                                      ....
                                  Testers!
                Break that software (as you must) and
                          drive it to the ultimate
                 - but don’t enjoy the programmer’s
                                    pain.”
                            [from Boris Beizer]


