Automated security testing with Flinder

SEARCH-LAB Security Evaluation Analysis and Research Laboratory Ltd.


Danger of programming bugs

“Every interesting program contains at least one variable, at least one cycle and at least one bug.” – Murphy’s law

Global security danger of programming bugs
- Automated intrusions
- Virus spreading
- With the help of cracked computers it is possible to
  - operate illegal web servers
  - distribute spam
  - carry out phishing
  - commit credit card fraud

Any application can contain a bug!


Security testing

Programming bugs

Security-relevant programming bugs

Typical security-relevant programming bugs

Exploitable security holes

FLINDER


Automated testing and verification

- Formal verification
  - Requires the specification of correct behavior
- Static source code analysis
  - Complexity problems
  - Many false positives
- Test-based evaluation
  - Test vector generation
  - Detection of typical bugs
  - Detects true positives, but not necessarily all
  - Can be used without the source code


Black-box & white-box testing

- Black-box testing
  - Analysis of concrete protocols
  - Complex description of the input
  - Fuzzing: manipulation of existing input
  - Less and scalable customization needs
- White-box testing
  - Test vector generation based on source code evaluation
  - Fault injection


Flinder features

- Looks for typical security-relevant programming bugs
  - Test-based evaluation
- Black-box and white-box test modes
  - From applications to complex protocols
- Required from the developer
  - Input Generator – according to the correct behavior
  - Input format description (XML-based)
  - Protocol Statechart (UML state machine)
- Re-usable generic test algorithms for typical bugs
  - Proactive, multiple-step testing considering former reactions of the ToE
- Cryptographic support
  - Plug-ins for cipher and compression methods


Fuzzing...

- By definition: fuzzing is algorithmic modification of binary input
  - Fuzzing based on descriptors
  - Random fuzzing
  - Reactively iterating fuzzing
- Different fuzzers
  - Conformance checking
  - Stress test
  - Testing typical mistakes


... and more

- Flinder can
  - Parse and serialize protocol messages
  - Decode and encode cryptograms, compressed data
  - Follow complex protocols like IPSec, TCP, SSL
- Test Logic works on field level
  - Generic test algorithms can be applied for different ToEs, protocols, messages and fields without modification


Flinder modules

[Diagram of module boxes: Input Generator, IG Capturer, IG Actuator, IG Dispatcher, Parser, Protocol Logic, Test Logic, Serializer, TOE Capturer, TOE Actuator, TOE Dispatcher, TOE]


Example typical mistakes

- Buffer Overflow
  - With successive approximation
- Signedness bug
- Integer Overflow
- Encoding bug
  - Unicode bug

OK ERROR REJECTION

if ((unsigned int) i < 0)

if (i*256 <= 1024)
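
The two checks on this slide, shown next to corrected forms and run over boundary-value test vectors. This is an added example, not code from the presentation or from Flinder. The function names and test vectors are constructed, and for the overflow check `i` is assumed to be a 32-bit unsigned count of 256-byte blocks so that the wraparound is well defined in C.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Slide's signedness bug: after the cast the value is unsigned, so "< 0"
   is always false and no input is ever rejected. Returns 1 on rejection. */
int rejects_negative_buggy(int i) { return (unsigned int) i < 0; }

/* Corrected: compare while the value is still signed. */
int rejects_negative_safe(int i) { return i < 0; }

/* Slide's integer overflow, assuming i is a 32-bit unsigned block count
   and 1024 is the size limit: the product wraps modulo 2^32 before the
   comparison. Returns 1 if the input is accepted. */
int accepts_size_buggy(uint32_t i) { return (uint32_t) (i * 256u) <= 1024u; }

/* Corrected: divide the limit instead of multiplying the input. */
int accepts_size_safe(uint32_t i) { return i <= 1024u / 256u; }

/* Constructed boundary-value test vectors around the limit and the wrap. */
static const uint32_t VECTORS[] = {
    0u, 4u, 5u, 0x00FFFFFFu, 0x01000000u, 0x01000004u, 0x01000005u, UINT32_MAX
};

/* Counts vectors the buggy check accepts although the safe one rejects. */
int count_size_bypasses(void) {
    int n = 0;
    for (size_t k = 0; k < sizeof VECTORS / sizeof VECTORS[0]; k++)
        if (accepts_size_buggy(VECTORS[k]) && !accepts_size_safe(VECTORS[k]))
            n++;
    return n;
}

int main(void) {
    printf("negative input rejected: buggy=%d safe=%d\n",
           rejects_negative_buggy(-1), rejects_negative_safe(-1));
    printf("size-check bypasses in test vectors: %d\n", count_size_bypasses());
    return 0;
}
```

Random small values never reach the wrap point, which is why test vectors for this class of bug are placed at the limit and at multiples of 2^32 / 256.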