be storm - automated application/software vulnerability testing

www.BeyondSecurity.comwww.SecuriTeam.com

Beyond Security

Product presentation beSTORM

Amit ShirolkarAvi Electronics & Networks Pvt Ltd

www.BeyondSecurity.comwww.SecuriTeam.com

www.AviElectronic.com

www.BeyondSecurity.comwww.SecuriTeam.com www.AviElectronic.com

About Beyond Security

• Provides a vulnerability assessment & self-management solutions

• Enables continuous network, server, database & application security

• Operates SecuriTeam.com, the 2nd largest IT security portal (1.5 million page views/month)

• Privately held & profitable• R&D office in Israel, sales offices in McLean,

VA and Chicago, IL• Sales via distribution channels in 16 countries


SecuriTeam.com - IT security portal

• Established in 1998 by Beyond Security's founders

• Trusted by hackers & security pros• Provides a sustainable competitive advantage

because Beyond Security learns about vulnerabilities first directly from hackers

• 2.3 M unique visitors in 2004• 1.5 M monthly page views


Intellectual Property based on• 5 years of ongoing R&D development• Compiling a knowledgebase of 7,500 vulnerabilities

& over 3,000 attack scripts• Knowledge acquired from SecuriTeam.com since

1998• Participated in security product reviews of some of

the most well-known vendors• Discovered and documented dozens of security

holes by our own R&D team (see: http://www.securiteam.com/advisories/)

Beyond Security knows vulnerabilities


What is a vulnerability?

• A security weakness in an application, operating system, network device or hardware

• This weakness can be exploited to cause harm• Hundreds of vulnerabilities uncovered every

year, many of them are actively exploited• With development cycles growing shorter,

more vulnerabilities surface• Detecting vulnerabilities during development is

difficult• Detecting them after development is costly


Fuzzing – a Quick Overview

From Wikipedia:• Fuzz testing is a software testing technique.

The basic idea is to attach the inputs of a program to a source of random data. If the program fails (for example, by crashing, or by failing built-in code assertions), then there are defects to correct.

• The great advantage of fuzz testing is that the test design is extremely simple, and free of preconceptions about system behavior.


Types of Fuzzing

There are two main type of fuzzers• Standalone tools - specifically designed for a

single protocol• A non generic fuzzer for protocols such as:

• SNMP• SMTP• etc

• Fuzzing Framework• A generic fuzzer that supports adding of additional

protocols with ease


Types of Fuzzing - Continued

Manual fuzzing• Use normal client/server• Observe what happens• Look for interesting data (size fields, ...)• Change some of this data• Observe what happens

Semi-automatic fuzzing• Have a tiny script/program• Do one run, see what happens

Automatic fuzzing:• Use a script/program and iterate over a lot of possible

outputs (can be an endless loop)• Just wait till something crashes


Enter SPIKE (1st Generation Fuzzing)

• SPIKE is a preliminary tool; unstable and finds nearly no vulnerabilities

• SPIKE deserves a lot of credit though, for it introduced Block-Based Protocol Analysis


2nd Generation Fuzzing

• What is a 2nd generation fuzzer?• Stable fuzzer - can run continuously for weeks or months• Actually find vulnerabilities• First test in ways that are likely to find results (80/20 –

cover 20% which is likely to find 80% of the problems)• Test with hundreds of thousands of attempts equal to

tens of millions• Don’t just “throw AAAAA’s”• Distributed fuzzing• Discover flaws that don't cause crashes, by cause

unexpected behavior• Generate intricate sessions – connect, get something

from server, use it for next session ...• Support output forms of not just sockets – i.e. files• ...


What is beSTORM? 1/3

A unique approach to finding security holes during development:

• A 2nd generation fuzzer• Finds vulnerabilities by actually trying the

attacks and seeing if they were successful• Tests at the network/protocol level• Exhaustively testing the full test-space rather

than focusing on a limited number of scenarios• Stable and repeatable testing for security

compliance checking



beSTORM's strong points• Generates not just malformed packets but also

sessions, malformed sessions include:• Out of order sessions – the order at which packets

from a session are sent is reversed or “randomized”• Overlapping sessions – the follow-up packet re-

initiates or utilizes different values that it should have

• Missing sessions – the session is never completed, or properly closed



• beSTORM generates session containing:• One or more malformed value found inside the

packet(s) – non AlphaNumeric data if such is expected

• One or more malformed relationship between values found inside the packet(s) – Size, description , etc related

• Oversized value• Undersized value• Non-expected value – if a session number should

have been written, a non-relevant data is provided, such as in the case of reuse of previously closed session number


How Does beSTORM Work? 1/3

• beSTORM works by fuzzing such protocols as:• HTTP• SIP (VoIP)• FTP, SMTP, etc

• Practically every possible protocol combination is sent to the application – in some cases as much as 1010 or more combinations

• Covers malformed requests as well as obscure protocol features



• A powerful monitor detects if even the slightest buffer overflow, format string, or similar problem occurred

• Runs automatically until the protocol is exhausted, trying the most probable combinations first

• beSTORM modules are built to recognize the protocols' inner workings and to know whether one value affects another one• This causes beSTORM to further test it with the

relation of other values



• You can defined rules to exclude certain scenarios from occurring• Don't overflow a certain value• Don't try to send data in out-of-order manner• etc

• Each module has its own rules which allows it to go through certain more probable combinations first• For HTTP

• Overflow the URI• Overflow the Host header• etc


beSTORM at Work

• The following screenshot illustrates a malformed HTTP packets:

• As can be seen more than one segment of the is malformed


beSTORM Eliminates Vulnerabilities

• The only technology to search and find security holes:

During development Without requiring the source code In a methodical way that can be reproduced Designed to be used by the developers or QA

personnel


Competition

• Source-code audit tools:• Very high false-positives rate• Not scalable• Do not always integrate well with source-versioning

applications used by customers• Cannot be used for certification/formal validation

• Consultants (home-made tools):• Manual checks• Expensive• Cannot be done on frequent basis• Requires disclosing possibly sensitive information

with a 3rd party


IIS Case Study

• When testing Microsoft's IIS web server, beSTORM detected the first buffer overflow vulnerability after only 4 ½ minutes

• During those 4 ½ minutes, 160,000 attack combinations were tested

• The buffer overflow was pinpointed and can be reproduced

• The vulnerability leads to remote compromise of the machine running IIS


ISA Case Study

• When testing Microsoft's ISA server, beSTORM detected the first logging error vulnerability after only 10 minutes

• During those 10 minutes, 500,000 attack combinations were tested

• The logging error was pinpointed and reproduced by Microsoft, an advisory is in process of being released

• The vulnerability allows attackers to corrupt the ISA server's log file with arbitrary characters that are normally filtered out


Aladdin Case Study

• Security leader turns to Beyond Security for security validation

• Aladdin Knowledge Systems (ALDN) uses beSTORM to perform a security audit for their eSafe email content security solution to confirm their product is free from vulnerabilities or security weaknesses

• beSTORM's SMTP module contains over 500,000 attack combinations


Aladdin Case Study

Security leader turns to Beyond Security for security validation

“Beyond Security's vulnerability audit confirms... eSafe 4 offers our customers a virtually impregnable defense against email-based security threats.”

Shimon Gruper, EVP Internet Technologies, Aladdin Knowledge Systems


Clients & Partners

be storm - automated application/software vulnerability testing

Technology