fuzzing 101 webinar on zero day management

WWW.CODENOMICON.COM Zero Day Vulnerability Management Fuzzing 101 Ari Takanen, CTO of Codenomicon July 6th, 2010


DESCRIPTION

In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We will demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general purpose fuzzing solutions. We will also show you how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we will discuss how you can tailor your defenses to block zero day attacks, which is a key aspect of vulnerability management.

TRANSCRIPT

Page 1: Fuzzing 101 Webinar on Zero Day Management


Zero Day Vulnerability Management

Fuzzing 101

Ari Takanen, CTO of Codenomicon

July 6th, 2010

Page 2: Fuzzing 101 Webinar on Zero Day Management


Fuzzing 101:

• The webcast series for fuzzing industry

• Vendor neutral presentations on fuzzing technologies and use-cases

• Includes invited speakers from the industry

Codenomicon:

• Fuzzing research since 1996

• 2001, Spinoff from University of Oulu

• 50-100% annual growth in number of customers and revenues in fuzzing industry

About Fuzzing 101 and Codenomicon

Page 3: Fuzzing 101 Webinar on Zero Day Management


About Ari Takanen

The Past: Researcher and Lecturer

• 1998-2002

• University of Oulu

• OUSPG/PROTOS research group

• Software Quality related lectures

The Present: Entrepreneur and Evangelist

• 2001-today

• CTO of Codenomicon

• Evangelist: 10 conference talks every year

• Author of two books: VoIP Security, Fuzzing

Page 4: Fuzzing 101 Webinar on Zero Day Management


Agenda

Intro: Zero Day Vulnerability Management

Demo in Theory

• Threat analysis with Network Analyzer

• Automated ZD detection with Fuzzing

• ZD remediation using IDS/IPS

• Patch verification with known vulnerability data

Demo in Practice

Page 5: Fuzzing 101 Webinar on Zero Day Management


Zero Day Vulnerability Management

Moving from Reactive to Proactive

Page 6: Fuzzing 101 Webinar on Zero Day Management


Security View: Window of Vulnerability

[Figure: window-of-vulnerability timeline. Legend: SW under vulnerability analysis; SW after product release; SW after the vulnerability process. Events along the TIME axis: bug appears, release, bug found, vuln found, vuln report, vuln fix available, patch release, advisory release, patch install. Exposure phases: zero exposure, limited exposure, public exposure.]

Page 7: Fuzzing 101 Webinar on Zero Day Management


Challenges with Vulnerability Management

Detect vulnerabilities as they are found

• Not as they emerge; by then they are already hiding in the software

Most costs are in patch deployment

• Crisis management: each update needs immediate attention

• Ad-hoc deployment is prone to errors

• Maintenance downtime can be expensive

• New patches emerge several times a week

• No time to test the patch

Page 8: Fuzzing 101 Webinar on Zero Day Management


Security Vulnerability = Just A Bug

Page 9: Fuzzing 101 Webinar on Zero Day Management


Codenomicon Labs Test Results

http://www.codenomicon.com/labs/results

Page 10: Fuzzing 101 Webinar on Zero Day Management


Some Helpful Definitions

Vulnerability – a weakness in software, a bug

Threat/Attack – exploit/worm/virus against a specific vulnerability

Protocol Modeling – Technique for explaining interface message sequences and message structures

Fuzzing – process and technique for security testing

Anomaly – abnormal or unexpected input

Failure – crash, busy-loop, memory corruption, or other indication of a bug in software

Page 11: Fuzzing 101 Webinar on Zero Day Management


Zero Day Vulnerability Management (ZDVM)

Process of:

• Detecting attack vectors

• Finding zero-day vulnerabilities

• Building defenses

• Performing patch verification

• Deployment in one big security push

Page 12: Fuzzing 101 Webinar on Zero Day Management


Test Setup for ZDVM

Virtual setups are easiest to control

Install two or three guest machines:

• Host running test targets

• Network analyzer

• Test station running the test tools

• Host running IDS/IPS such as Snort

Page 13: Fuzzing 101 Webinar on Zero Day Management


Practice Targets: Known Vulnerable Software

Page 14: Fuzzing 101 Webinar on Zero Day Management


Practice Targets: Betas and other bad quality stuff

WinSip Proxy is a good target for SIP fuzzing practice

Page 15: Fuzzing 101 Webinar on Zero Day Management


Threat Analysis using Network Analyzers

Identify and prioritize!

Page 16: Fuzzing 101 Webinar on Zero Day Management


Network Analysis for ZDVM

Problem today: NMAP only detects open server-side ports (not shown today!)

Instead of depending on network scanning and architecture designs, a network-analyzer-based approach builds the network diagram from real-life network traffic

Possible to detect all attack vectors and map the attack surface (protocol interfaces)

Extract any communications easily for reproduction and testing


Page 17: Fuzzing 101 Webinar on Zero Day Management


Page 18: Fuzzing 101 Webinar on Zero Day Management


Network Analyzer

% sudo vmnet-sniffer -w demo.pcap vmnet8

Page 19: Fuzzing 101 Webinar on Zero Day Management


What Can You Do With Visual Analyzers

24/7 Multi-point recording

Instant reproduction data of any incidents or customer failures in the network

Forensics toolkit extension

Rootkit and Backdoor monitoring

And then the attack surface mapping we talked about

• More examples when we get to traffic capture fuzzing

Page 20: Fuzzing 101 Webinar on Zero Day Management


Fuzzing for Zero Days

What you need to know to prepare for zero day discovery

Page 21: Fuzzing 101 Webinar on Zero Day Management


Fuzz Test Effectiveness against WiFi

Page 22: Fuzzing 101 Webinar on Zero Day Management


Fuzzing In Short

Fuzzing means crash-testing. Also called:

• Negative testing

• Robustness testing

• Grammar testing

Based on sending systematically broken (rarely random) inputs to software in order to crash it

We will ignore random mutator fuzzers for now. Two techniques of smart model-based fuzzers:

• Template-based

• Specification-based

Page 23: Fuzzing 101 Webinar on Zero Day Management


Model Based Fuzzing Techniques

Template Based Fuzzing

• Quality of tests depends on the seed used and the modeling technique

• Very quick to develop, but slow to run

• Editing requires deep protocol know-how

• Good for testing around known vulnerabilities

Specification Based Fuzzing

• Full test coverage

• Always repeatable

• Short test cycle, more optimized tests

• Easy to edit and add tests

Page 24: Fuzzing 101 Webinar on Zero Day Management


Precision is about attack surface/protocol coverage

All interfaces/protocols tested?

All message sequences tested?

All message structures tested?

All data definitions tested?

All “tags” (values) tested?

Accuracy is about anomaly coverage

Anomaly categories? SQL? Buffer overflow?

All values: 0..65k, a..z, 0x00..0x255 ?

Combinations of anomalies?

Coverage
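As an added illustration of the two slides above (model-based fuzzing that sends systematically broken inputs, and precision versus anomaly coverage), the following Python is example code written for this page, not Codenomicon's Defensics or any code from the webinar. The SIP INVITE template, its field names, the anomaly lists and the toy_parser target are all constructed here: one field is broken per test case, the campaign records which cases make the target fail, and the coverage summary reports which fields (precision) and which anomaly categories (accuracy) were exercised.

```python
from typing import Callable

# Constructed SIP INVITE template (simplified for this example, not a real protocol model).
TEMPLATE = ("INVITE sip:{user}@{host} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP {host}:{port};branch=z9hG4bK776asdhds\r\n"
            "Max-Forwards: {maxfwd}\r\nContent-Length: {clen}\r\n\r\n")
VALID = {"user": "alice", "host": "sip.example", "port": "5060",
         "maxfwd": "70", "clen": "0"}
FIELD_TYPE = {"user": "str", "host": "str", "port": "int",
              "maxfwd": "int", "clen": "int"}
# Anomaly library by category: the "accuracy" axis of the coverage slide.
ANOMALIES = {
    "int": {"boundary": ["-1", "0", "65535", "65536", "4294967295",
                         "99999999999999999999"],
            "format": ["0x41", "1e9", "", " 70"]},
    "str": {"overflow": ["A" * 64, "A" * 1024, "A" * 65536],
            "injection": ["' OR 1=1 --", "%s%n", "\x00", "\r\n\r\n"],
            "empty": [""]},
}

def generate_cases(template=TEMPLATE, valid=VALID):
    """Yield (field, category, message): one field broken per case, so a failure points at a single anomaly."""
    for field, typ in FIELD_TYPE.items():
        for category, values in ANOMALIES[typ].items():
            for value in values:
                yield field, category, template.format(**{**valid, field: value})

def run_campaign(target: Callable[[str], object]):
    """Feed every case to `target`; an uncaught exception is the in-process stand-in for a crash."""
    results = []
    for field, category, msg in generate_cases():
        try:
            target(msg)
            verdict = "pass"
        except Exception as exc:
            verdict = "fail:" + type(exc).__name__
        results.append((field, category, verdict))
    return results

def coverage(results):
    """Precision = fields exercised; accuracy = anomaly categories exercised."""
    return {"fields": sorted({r[0] for r in results}),
            "categories": sorted({r[1] for r in results}),
            "failures": [r for r in results if r[2] != "pass"]}

def toy_parser(msg: str):
    """Constructed minimal SIP request parser used as the test target."""
    lines = msg.partition("\r\n\r\n")[0].split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return method, uri, int(headers["Content-Length"])
```

Running coverage(run_campaign(toy_parser)) lists the five cases the constructed parser mishandles (a malformed Content-Length and CRLF injection in the request line), which is the kind of per-anomaly attribution a specification-based fuzzer gives you and a random mutator does not.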

Page 25: Fuzzing 101 Webinar on Zero Day Management


Anomaly Coverage Selection

Page 26: Fuzzing 101 Webinar on Zero Day Management


FTP Fuzzing

Page 27: Fuzzing 101 Webinar on Zero Day Management


Results

Page 28: Fuzzing 101 Webinar on Zero Day Management


SIP Fuzzing & Results

WinSip breaks with almost any imaginable fuzz test case

Page 29: Fuzzing 101 Webinar on Zero Day Management


Traffic Capture Fuzzing

Page 30: Fuzzing 101 Webinar on Zero Day Management


Traffic Capture Fuzzing Results

A test against Samba appears to find a zero-day

Page 31: Fuzzing 101 Webinar on Zero Day Management


Zero Day Remediation Using IDS/IPS

Block only what needs to be blocked!

Page 32: Fuzzing 101 Webinar on Zero Day Management


Problem with IDS/IPS

Intrusion Detection Systems can only handle a limited number of fingerprints

Most of those monitored fingerprints are irrelevant to your specific production system

In the demo, the Snort IDS is used to monitor traffic

• The default VoIP ruleset is used first

• Then the Codenomicon additions in local.rules are loaded

Page 33: Fuzzing 101 Webinar on Zero Day Management


Blocking Zero Days with IDS/IPS

By default, Snort does not detect any of the attacks against WinSip Proxy

With tailored rules, all effective attacks can be blocked

[Figure: Defensics SIP UAS test traffic sent to WinSip Proxy, with Snort IDS monitoring the link]

Page 34: Fuzzing 101 Webinar on Zero Day Management


Load Snort default

Page 35: Fuzzing 101 Webinar on Zero Day Management


Attack WinSip – Snort Does Not Detect

Page 36: Fuzzing 101 Webinar on Zero Day Management


Alert Raised by Codenomicon Ruleset

Page 37: Fuzzing 101 Webinar on Zero Day Management


Patch Verification for Known Issues

Do you trust the vendor patches?

Page 38: Fuzzing 101 Webinar on Zero Day Management


Blind Trust on Known Vulnerabilities

Most patches are released in a hurry

Vulnerability data is not necessarily available for testing variants of the bug

Configuration can affect test results

Combining vulnerability feeds with traffic capture fuzzing will test:

• the vulnerable software

• the patches issued by vendors

• the security defenses

Page 39: Fuzzing 101 Webinar on Zero Day Management


Patch Verification with Vulnerability Feeds

Page 40: Fuzzing 101 Webinar on Zero Day Management


Fuzzing with Known Vulnerabilities

With PCAP, you can just load it in the traffic capture fuzzer

With other POC exploits, you run them and collect the PCAP with Network Analyzer, and then fuzz it

Page 41: Fuzzing 101 Webinar on Zero Day Management


Conclusions

Vulnerability management is not about known vulnerabilities and testing all of them

Blocking all vulnerabilities (attacks) does not work

The solution is to find out what is relevant to you, and block those proactively

Process is simple:

• Map the attack surface

• Test for both zero days and known issues

• Remediate with tailored IDS rules

This should be a continuous process even after deployment

Page 42: Fuzzing 101 Webinar on Zero Day Management


Our Book On Fuzzing!

http://www.fuzz-test.com/book/

Takanen, DeMott and Miller: “Fuzzing for Software Security Testing and Quality Assurance”

Aimed at the general public, you do not need to be a security specialist to read this book

Purpose of the book is to teach next-gen testing approaches to:

• Software practitioners

• Security engineers

• Academics

Page 43: Fuzzing 101 Webinar on Zero Day Management


PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS

THANK YOU – QUESTIONS?

“Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them.

....Testers!

Break that software (as you must) and drive it to the ultimate

- but don’t enjoy the programmer’s pain.”

[from Boris Beizer]