Fuzzing: Background
12/2/2014
SOFTWARE IS INFRASTRUCTURE
Software is buggy; the question is how many exploitable vulnerabilities, known or
unknown, are out there.
We are entering an age where software vulnerabilities can cause more kinetic damage
(impact on the physical world) than ever before.
Timeline: proactive vs. reactive approaches
1999: Nessus, ISS (DAST approach)
2000: Fuzzing: Codenomicon Defensics
Whitebox testing, blackbox testing, total vulnerability management
*) Source: http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
High monetary rewards for zero-days attract hackers to find them. Organisations need to invest
in discovery to harden their infrastructure.
2014 All Rights Reserved
UNKNOWN VULNERABILITIES
Any software processing input can be fuzzed: network interfaces, device drivers,
user interfaces.
FUZZING PROCESS
Fuzzer -> Target: anomaly sent
Target -> Fuzzer: normal response
Fuzzer -> Target: anomaly sent, here an HTTP request with an anomalous IPv6 host literal:
GET http://[?aAaAaAaAaAa::0] HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: Keep-Alive
EXPECTED RESULTS
The purpose of fuzzing is to find flaws
Every issue found is a real implementation error: the anomaly actually triggered it
The typical first indication of a problem is a target crash
A subset of the issues found have immediate security implications; others may become
exploitable over time
Typically there are very few or no false positives with fuzzing
Boundary conditions
Bad checksums and lengths
Troublesome strings
GENERATIONAL FUZZING
Fully state-aware testing for all protocols
Anomalies injected into the system under test:
FIELD LEVEL: overflows, integer anomalies
STRUCTURAL: underflows, repetition of elements, unexpected elements
SEQUENCE: out of sequence, omissions, unexpected messages, repetition of messages
Failures observed: crashes, denial of service, security exposures, degradation of service, thrashing, anomalous behavior
EXPOSE VULNERABILITIES: systematic, repeatable, intelligently targeted
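The three anomaly classes above (field-level, structural, sequence) are what a generational fuzzer derives from a protocol model rather than from random bit flips. The following is an added example, not Codenomicon/Defensics code: it models a minimal HTTP/1.1 request as ordered fields and generates one test case per anomaly per field, with the slide's own IPv6 host-literal anomaly among the field-level values. The field model, the anomaly lists and all names here are this example's own assumptions.

```python
"""Generational anomaly generation from a protocol model (added example).

The model is a minimal HTTP/1.1 request held as ordered (field, value) pairs;
the generators produce the three anomaly classes on the slide: field-level,
structural and sequence. The field model, anomaly lists and names are this
example's own and are not taken from Defensics.
"""

REQUEST_LINE = ("method", "target", "version")

# Constructed valid baseline, same shape as the request on the FUZZING PROCESS slide.
BASELINE = [
    ("method", b"GET"),
    ("target", b"http://example.test/"),
    ("version", b"HTTP/1.1"),
    ("Accept", b"image/gif, image/jpeg, */*"),
    ("Accept-Encoding", b"gzip, deflate"),
    ("Connection", b"Keep-Alive"),
]

# Field-level anomalies: boundary conditions, integer anomalies, troublesome strings.
FIELD_ANOMALIES = {
    "empty": b"",
    "overflow-1k": b"A" * 1024,
    "overflow-64k": b"A" * 65536,
    "int-negative": b"-1",
    "int-max-u32": b"4294967295",
    "int-max-u64": b"18446744073709551615",
    "format-string": b"%s%s%s%n",
    "nul-byte": b"\x00",
    "high-bytes": bytes(range(0x80, 0x100)),
    "crlf-injection": b"\r\nX-Injected: 1",
    "ipv6-literal": b"http://[?aAaAaAaAaAa::0]",  # the anomaly shown on the slide
}


def render(fields):
    """Serialise the field list into one request: request line, headers, blank line."""
    request_line = b" ".join(v for n, v in fields if n in REQUEST_LINE)
    headers = b"".join(n.encode() + b": " + v + b"\r\n" for n, v in fields if n not in REQUEST_LINE)
    return request_line + b"\r\n" + headers + b"\r\n"


def field_level_cases(baseline):
    """Replace one field at a time with each anomalous value; everything else stays valid."""
    for i, (name, _) in enumerate(baseline):
        for anomaly, value in FIELD_ANOMALIES.items():
            mutated = list(baseline)
            mutated[i] = (name, value)
            yield f"field:{name}:{anomaly}", render(mutated)


def structural_cases(baseline):
    """Keep field values valid but break the structure: omit, repeat, add unexpected elements."""
    for i, (name, value) in enumerate(baseline):
        yield f"struct:omit:{name}", render(baseline[:i] + baseline[i + 1:])
        yield f"struct:repeat:{name}", render(baseline[:i + 1] + [(name, value)] * 200 + baseline[i + 1:])
    yield "struct:unexpected:header", render(baseline + [("X-Unexpected", b"1")])
    yield "struct:unexpected:body", render(baseline) + b"B" * 4096  # body without a length header


def sequence_cases(baseline):
    """Message-level anomalies: each case is the ordered list of messages to send."""
    valid = render(baseline)
    yield "seq:repeat-message", [valid] * 50
    yield "seq:out-of-sequence", [b"\r\n", valid]  # terminator before any request line
    yield "seq:omit-terminator", [valid[:-2]]  # final blank line never arrives
    yield "seq:unexpected-message", [b"HTTP/1.1 200 OK\r\n\r\n", valid]  # a response sent to a server


def generate_all(baseline=BASELINE):
    """Full test suite as {label: payload}; payload is bytes or a list of messages."""
    cases = {}
    for gen in (field_level_cases, structural_cases, sequence_cases):
        cases.update(gen(baseline))
    return cases


if __name__ == "__main__":
    suite = generate_all()
    print(f"{len(suite)} test cases")
    print(suite["field:target:ipv6-literal"].decode("latin-1"))
```

Each label records which field and which anomaly produced the case, which is what makes a generational run repeatable: a crash on `field:target:overflow-64k` points straight at the code path that parses the request target.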
Modern SDLs such as the Microsoft SDL, the Cisco Secure Development Lifecycle (CSDL),
the Adobe Secure Product Lifecycle (SPLC) and BSIMM, as well as IEC 62443, all recognize
that fuzzing has a key role in creating secure and rugged software. Furthermore,
it is endorsed by giants like Google and IBM.
http://www.microsoft.com/security/sdl/default.aspx
http://www.cisco.com/web/about/security/cspo/csdl/index.html
http://www.adobe.com/security/splc/
http://www.ibm.com/developerworks/java/library/j-fuzztest/
http://www.google.com/googlebooks/chrome/
(2) For each accessible network interface, network robustness testing shall include
fuzzing of all protocols implemented that are recommended or required to be
enabled for normal operation as defined in the security guidelines.
(3) The files or packets that will be "fuzzed" shall be automatically generated so
that a large number of test cases (in the thousands) can be executed.
Heartbleed Discovery
FUZZ TESTING
Fuzzing: a negative testing technique that feeds invalid, unexpected or random data
to the system under test (SUT)
The goal is to find security vulnerabilities and other defects in the SUT
Targets: file formats and protocol implementations
HEARTBEAT PROTOCOL
TLS SESSION (* = optional message)
client -> server: Client Hello
server -> client: Server Hello, Server Certificate *, Server Key Exchange *, Certificate Request *, Server Hello Done
client -> server: Client Certificate *, Client Key Exchange, Certificate Verify *, Change Cipher Spec, Client Finished
either side: Heartbeat Request *, Heartbeat Response *
Decrypted payload:
HOW TO REACT
Workaround:
Disable the Heartbeat extension by recompiling OpenSSL with the heartbeat
flag off (-DOPENSSL_NO_HEARTBEATS)
Fix:
Upgrade the OpenSSL library (1.0.1g or later)
Afterwards:
Generate a new private/public key pair
Obtain new certificates and revoke the old ones
Change passwords
HOW TO REACT
Reduce the impact:
Forward secrecy (also known as perfect forward secrecy or PFS), so that a leaked
long-term private key does not expose recorded sessions
A randomized stack and a zeroed heap make keys harder to find in leaked memory
Heartbleed aftermath
UNPRECEDENTED AWARENESS
Heartbleed got more publicity than any vulnerability before it
Upside
The community was able to react quickly and start mitigating the problem
Raised awareness of the importance of dealing with security vulnerabilities in general
Downside
Haste in mitigation, leading to mistakes
Partly compounded by the fact that mitigation requires multiple steps
A false sense of security
Supply chain: VENDOR -> PRODUCT -> SYSTEM INTEGRATOR -> END CUSTOMER
Background
HEARTBLEED BUG
An example of an elusive vulnerability
At first glance, the only indication was the suspiciously large size of the server replies
Very hard for a human to notice among hundreds of thousands of lines of test logs
Automation is needed
VPN TUNNEL
Examples
AMPLIFICATION CHECK
Does the system configuration allow it to be used for DDoS attacks?
Defensics first executes a valid session with the system under test
In later tests, erroneous information is sent to the system under test
- The system under test parses the message data incorrectly and sends a
large amount of memory in response
Defensics compares the response received after the anomaly to the valid-session
response; if the data received is much larger, the check is flagged as a warning
Examples: Heartbleed, NTP protocol amplification, DNS amplification
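To tie the HEARTBEAT PROTOCOL section to the amplification check above, here is an added example (not Codenomicon/Defensics code, and not a real TLS stack): it builds RFC 6520 heartbeat records, feeds a valid one and then one with a lying payload_length to a simulated server, once without and once with the bounds check that OpenSSL 1.0.1g added, and applies the "reply much larger than the valid-session baseline" check. The simulated server, its adjacent heap contents, the secret string and the 2x warning threshold are all constructed assumptions of this example.

```python
"""Heartbleed as a missing length check, plus the amplification check (added example).

Builds RFC 6520 heartbeat records, runs them through a simulated server with and
without the bounds check OpenSSL 1.0.1g added, and applies the "response much
larger than the valid-session baseline" check from the AMPLIFICATION CHECK slide.
The server, its simulated heap and the secret are constructed for this example;
this is not Defensics code and does not touch a real TLS stack.
"""
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
TLS_VERSION = 0x0303          # TLS 1.2
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: padding is at least 16 bytes


def build_heartbeat(payload, declared_length=None):
    """TLS record carrying a HeartbeatRequest. declared_length lets the caller lie
    about the payload size; that mismatch is the Heartbleed anomaly."""
    if declared_length is None:
        declared_length = len(payload)
    body = struct.pack("!BH", HB_REQUEST, declared_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


class SimulatedServer:
    """Parses heartbeat records from a buffer that, like a real heap, has other data next to it."""

    def __init__(self, adjacent_heap):
        self.adjacent_heap = adjacent_heap  # constructed secret material next to the record buffer

    def handle(self, record, patched):
        ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
        body = record[5:5 + rec_len]
        if ctype != TLS_HEARTBEAT or len(body) < 3:
            return None
        memory = body + self.adjacent_heap          # what a read past the record would see
        hb_type, payload_len = struct.unpack("!BH", memory[:3])
        if hb_type != HB_REQUEST:
            return None
        if patched:
            # The 1.0.1g fix: silently discard if the declared payload cannot fit in the record.
            if 1 + 2 + MIN_PADDING > rec_len:
                return None
            if 1 + 2 + payload_len + MIN_PADDING > rec_len:
                return None
        payload = memory[3:3 + payload_len]        # the memcpy() driven by the attacker's length
        resp = struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING
        return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(resp)) + resp


def amplification_check(baseline_response, anomaly_response, factor=2.0):
    """Warn when the reply to an anomalous message is far larger than the valid-session reply."""
    if anomaly_response is None:          # a discarded message produces no reply, so no amplification
        return False
    return len(anomaly_response) >= factor * len(baseline_response)


def run(patched):
    """Valid session first, then the anomaly; returns (baseline, anomaly_reply, secret_leaked)."""
    secret = b"-----BEGIN RSA PRIVATE KEY----- constructed-secret-for-the-example"
    server = SimulatedServer(adjacent_heap=secret)
    baseline = server.handle(build_heartbeat(b"ping"), patched)
    anomaly = server.handle(build_heartbeat(b"ping", declared_length=0xFFFF), patched)
    leaked = anomaly is not None and secret[:32] in anomaly
    return baseline, anomaly, leaked


if __name__ == "__main__":
    for patched in (False, True):
        baseline, anomaly, leaked = run(patched)
        size = "none" if anomaly is None else f"{len(anomaly)}B"
        print(f"patched={patched} baseline={len(baseline)}B anomaly={size} "
              f"leaked={leaked} amplification={amplification_check(baseline, anomaly)}")
```

The unpatched path answers a 28-byte valid heartbeat normally but answers the lying one with everything that sat next to the record; the size check catches it without knowing anything about TLS or private keys, which is why a generic "much larger than baseline" comparison was enough to flag Heartbleed in automated test logs. The patched path returns nothing for the anomaly, exactly the silent discard the fix introduced.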
(Figure: amplification attack. The attacker, spoofing the victim's address, tells DNS/NTP servers "I'm at 192.98.1.2", "Send me a DNS/NTP reply"; the large replies go to the victim. It's about choking the pipe.)
THANKS!
End of Part III. Questions?