© 2011 Codenomicon. all rights reserved.
Codenomicon Fuzzing 101 webinar
15 March 2011
Juha-Matti Tirilä
Tero Rontti
Unknown Vulnerability Management for Telecommunications
About the speakers
Juha-Matti Tirilä
• Security researcher
  – robustness testing methods, quality management processes, software security economics
• Collaboration with University of Oulu researchers
• Background in applied mathematics and software development.
Tero Rontti
• Security specialist
• Security testing tools for Codenomicon products for seven years
• Extensive experience in telecommunication security testing tools, VoIP and IMS in particular.
Outline
• About Codenomicon and Fuzzing 101
• About the speakers
• Why we are here: prevent serious software deployment mistakes from happening!
• Introduction to Telecommunications: the trends and attack vectors
• Unknown vulnerability management
• A case study: MPEG2-TS
• Questions and answers
About Codenomicon & Fuzzing 101
• Fuzzing 101:
  – The webcast series for the fuzzing industry
  – Vendor neutral presentations on fuzzing technologies and use-cases
  – Includes invited speakers from the industry
• Codenomicon:
  – Fuzzing research since 1996
  – 2001: spinoff from University of Oulu
  – 50-100% annual growth in number of customers and revenues in the fuzzing industry
Some Helpful Definitions
• Vulnerability – a weakness in software, a bug
• Threat/Attack – exploit/worm/virus against a specific vulnerability
• Protocol Modeling – technique for describing interface message sequences and message structures
• Fuzzing – process and technique for security testing
• Anomaly – abnormal or unexpected input
• Failure – crash, busy-loop, memory corruption, or other indication of a bug in software
The Challenge: Unknown Vulnerabilities Are Everywhere
Telecommunications
• Telephony
• Broadcasting
  – TV
  – Radio
• Networked IT communications
  – Internet, VoIP, IPTV, New Generation Networks, triple play
• Trends: growing number of smartphones, need to support legacy technologies, growing complexity, growing number of technologies and interfaces, the transition from IPv4 to IPv6
• Problems guaranteed: need for more testing, quality assurance, interoperability checks...
Attack vectors in telecommunications
Smartphone security
• Mobiles resemble computers in all aspects, except the level of protection.
• Until now, the lack of suitable hacking tools and motivation has protected mobiles.
• But mobile internet and the growing amount of critical information stored on handheld devices is changing the situation.
• Hackers exploit coding errors, e.g., to enslave phones into botnets.
• Convergence of both hardware and software platforms increases the risk.
Next Generation Network security
• Critical Interfaces:
Software testing: approaches
Robustness testing
• Robustness testing: testing if a system is able to function in a reasonable manner under unexpected or invalid circumstances
  – E.g. not crash, no unauthorized privilege escalation, no confidential data exposure, etc.
Specification vs. implementation
Robustness testing: the two approaches
• In theory, either:
  – Logically deduce that nothing catastrophic ever happens, for any input
  – OR test every possible input and monitor the software
• In practice:
  – Both approaches to some extent
• Question:
  – How well do you think you are doing, considering the complexity and amount of the code you are using or developing?
• It is the practically infinite input space that makes 100% robustness unattainable
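The "monitor the software" half of the second approach, combined with the Failure definition from the earlier slide, as an added Python example that is not part of the webinar or Codenomicon's tooling: each test case is run against a target process and the outcome is classified as ok, graceful rejection, crash (killed by a signal) or busy-loop (timeout). The targets are constructed one-line Python programs standing in for a real device under test; the classifier assumes a POSIX host where a signal death shows up as a negative return code.

```python
import signal
import subprocess
import sys

def run_case(argv, timeout=2.0):
    """Run one test case and classify the outcome using the webinar's 'Failure' categories."""
    try:
        proc = subprocess.run(argv, timeout=timeout, capture_output=True)
    except subprocess.TimeoutExpired:
        return "busy-loop"      # no answer within the budget: hang or infinite loop
    if proc.returncode < 0:     # POSIX: killed by a signal, e.g. SIGSEGV after memory corruption
        return "crash:" + signal.Signals(-proc.returncode).name
    if proc.returncode != 0:
        return "rejected"       # non-zero exit: the target refused the input gracefully
    return "ok"

# Constructed stand-in targets: one-line Python programs that simulate each behaviour
# a real device under test might show. Replace argv with the real target and test case.
TARGETS = {
    "valid":  [sys.executable, "-c", "pass"],
    "reject": [sys.executable, "-c", "import sys; sys.exit(1)"],
    "hang":   [sys.executable, "-c", "import time; time.sleep(30)"],
    "segv":   [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"],
}

def campaign(targets=TARGETS, timeout=2.0):
    """Execute every case and return a verdict per case; anything not ok/rejected needs triage."""
    return {name: run_case(argv, timeout) for name, argv in targets.items()}

def failures(results):
    """Filter the campaign verdicts down to genuine failures (crashes and busy-loops)."""
    return sorted(n for n, v in results.items() if v.startswith("crash") or v == "busy-loop")

if __name__ == "__main__":
    res = campaign(timeout=1.0)
    for name, verdict in res.items():
        print(f"{name:7s} -> {verdict}")
    print("failures:", failures(res))
```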
Definition of fuzzing
• Fuzzing is a technique for intelligently and automatically generating and passing into a target system valid and invalid message sequences to see if the system breaks
Types of fuzzing
• Random fuzzing
  – Apple, 1980s
  – Barton P. Miller, 1980s and 1990s
• Template based fuzzing
  – Capture traffic OR use sample files OR ... create mutated test cases
• Specification based fuzzing
  – Model the specification, inject anomalies, transmit to target system
Fuzzing in the Microsoft SDL
Fuzzing Is Becoming Widely Adopted
• Commonly used by hackers
  – Majority of all vulnerabilities are found using fuzzing
• First adopted by equipment manufacturers in 2001
  – E.g. 80% of top network equipment manufacturers today depend on Codenomicon testing solutions
• Since 2005, most new adopters were service providers
  – Most leading USA telecom service providers have integrated Codenomicon fuzzing into acceptance tests
• During 2008-2010, fuzzing was adopted by critical infrastructure and enterprise end-users
  – SCADA industry
  – Finance
  – Government
  – On-line commerce
Unknown vulnerability management: goal
• Unknown Vulnerability Management (UVM) is a framework
  – For helping you understand the overall process of applying proper testing procedures
  – For underlining the importance of good testing management
  – For unifying the terminology so that communication concerning security testing is facilitated
  – For helping you understand that a well designed testing program should be considered loss prevention, and not an extra cost
  – For emphasizing that security is like quality: it has to be incorporated throughout – it cannot be added into a product afterwards.
Challenges with Vulnerability Management
• Detect vulnerabilities as they are found
  – Not as they emerge: they are already in hiding
• Most costs are in patch deployment
  – Crisis management: each update needs immediate attention
  – Ad-hoc deployment is prone to errors
  – Maintenance downtime can be expensive
  – New patches emerge several times a week
  – No time to test the patch
Cost-benefit of proactive security testing
Unknown vulnerability management: overview
• Process of:
  – Detecting attack vectors
  – Finding zero-day vulnerabilities
  – Building defenses
  – Performing patch verification
  – Deployment in one big security push
Phase 1: Attack Surface Analysis
• Tools:
  – Port scanners
  – Resource scanners
  – Network analyzers
  – Insight
• Codenomicon Network Analyzer identifies what needs to be tested within your network
  – Record traffic at multiple points in your network
  – Automatically visualize the network
  – You can drill up and down from high-level visualizations to inspecting the corresponding packet data
  – Real time analysis
  – Reveal hidden interfaces and possible exploits
Phase 2: Test
• Fuzzing means crash-testing
• Discover both known and previously unknown vulnerabilities with unparalleled efficiency.
• Specification-based tools for over 200 protocols
  – Tools contain all the possible protocol messages and structures
  – Genuinely interoperate with the tested system, exposing vulnerabilities even in deeper protocol layers
• General purpose fuzzers
  – Defensics XML Fuzzer can test all XML applications.
  – The Traffic Capture Fuzzer uses real traffic
  – Generic File Format Fuzzer tests all file formats.
Phase 3: Report
• Codenomicon test suites generate different reports for different audiences
• Management reports provide a high-level overview of the test execution
• Log files and spreadsheets help you to identify troublesome tests and to minimize false negatives
• Individual tests are documented by augmenting the already extensive test case documentation with PCAP traffic recordings
• Remediation Packages can be sent to third parties for automated reproduction
Phase 4: Mitigate
• Mitigation tools quickly and easily reproduce vulnerabilities, perform regression testing and verify patches
• The tools automatically generate reports, which contain risk assessment and CWE values for the found vulnerabilities and direct links to the test suites that triggered the vulnerabilities
• Identification of the test cases that triggered the vulnerability is critical
• The test case documentation can be used to create tailored IDS rules to block possible zero-day attacks.
UVM: Conclusion (1/2)
• Vulnerability management is not about known vulnerabilities, and testing all of them
• The solution is to find unknown vulnerabilities that are relevant to you
• All critical devices and systems need testing
  – Databases and backend systems
  – Operator’s network and broadcasting infrastructure
  – Web service infrastructure
  – Email and VPN
  – Mobile handsets
• Share information between R&D and IT teams on best practices and tools
UVM: Conclusion (2/2)
• Security is not about security mechanisms
• For full security analysis, you should study:
  – Threats
  – Attacks
  – Vulnerabilities
  – Architectures
  – Countermeasures
• Unknown Vulnerability Management is about identification and elimination of zero-day vulnerabilities
• Security is a process, not a product!
Case study: MPEG2-TS
• We will demonstrate the
  – First steps of deploying our test tool
  – A player crash caused by a fuzzed file
• Note: it is not just a player level issue: MPEG2 streams need to be parsed at various nodes in a streaming context, and crashes on these nodes could be critical for QoS.
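The specification-based approach from the "Types of fuzzing" slide, applied to the MPEG2-TS packet header this case study is about, as an added Python example that is not part of the webinar or Codenomicon's tooling: a minimal packet model built from the spec fields (sync byte, PID, adaptation_field_control, adaptation_field_length), anomaly injection into those modelled fields rather than random bytes, and a monitor that separates graceful rejections from failures. The toy decoder and its unchecked adaptation_field_length are constructed for illustration; they are not the player bug from the demo.

```python
import struct

SYNC_BYTE = 0x47
PACKET_LEN = 188   # fixed MPEG2-TS packet size

def build_packet(pid, payload, adaptation=None, cc=0):
    """Build one valid packet from modelled fields: sync, PUSI|PID, AFC|CC, optional AF."""
    afc = 0b11 if adaptation is not None else 0b01            # adaptation_field_control
    header = struct.pack(">BHB", SYNC_BYTE, 0x4000 | (pid & 0x1FFF), (afc << 4) | (cc & 0x0F))
    body = (bytes([len(adaptation)]) + adaptation) if adaptation is not None else b""
    pkt = header + body + payload
    return pkt.ljust(PACKET_LEN, b"\xff")                    # pad to one packet (sample fits)

def parse_packet(pkt, hardened=False):
    """Toy decoder; hardened=False reproduces a missing bounds check a fuzzer should find."""
    if len(pkt) != PACKET_LEN or pkt[0] != SYNC_BYTE:
        raise ValueError("not a TS packet")                    # graceful rejection
    pid = struct.unpack(">H", pkt[1:3])[0] & 0x1FFF
    afc = (pkt[3] >> 4) & 0b11
    offset = 4
    if afc & 0b10:                                             # adaptation field present
        af_len = pkt[4]
        if hardened and af_len > PACKET_LEN - 5:
            raise ValueError("adaptation_field_length exceeds packet")
        offset = 5 + af_len                                    # unchecked: may overrun the packet
    stream_id = pkt[offset + 3] if afc & 0b01 else None        # IndexError on overrun = failure
    return pid, stream_id

def anomalies(base):
    """Specification-based anomaly injection: mutate modelled fields, not random bytes."""
    yield "valid", base
    yield "bad_sync", b"\x00" + base[1:]
    yield "af_len_zero", base[:4] + b"\x00" + base[5:]
    yield "af_len_max", base[:4] + b"\xff" + base[5:]
    yield "truncated", base[:100]

def fuzz(base, hardened=False):
    """Send each case through the parser and record a verdict per case (the monitor step)."""
    verdicts = {}
    for name, case in anomalies(base):
        try:
            parse_packet(case, hardened)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
        except Exception as exc:                               # anything else is a robustness failure
            verdicts[name] = "FAIL:" + type(exc).__name__
    return verdicts

# Constructed sample: PID 0x100, an 8-byte adaptation field, then a PES start code prefix.
SAMPLE = build_packet(0x100, b"\x00\x00\x01\xe0", adaptation=b"\x00" * 8)
```

Running `fuzz(SAMPLE)` flags only the af_len_max case as a failure, while `fuzz(SAMPLE, hardened=True)` turns it into a graceful rejection, which is the before/after a patch verification step would compare.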
PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS
THANK YOU – QUESTIONS?
“Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them.
....Testers!
Break that software (as you must) and drive it to the ultimate
- but don’t enjoy the programmer’s pain.”
[from Boris Beizer]