Fuzzing in Microsoft and FuzzGuru framework

Similar documents
Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Testing Tools using Visual Studio. Randy Pagels Sr. Developer Technology Specialist Microsoft Corporation

Getting started with API testing

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

*[Bug hunting ] Jose Miguel Esparza 7th November 2007 Pamplona S21sec

Introduction to Automated Testing

The Advantages of Block-Based Protocol Analysis for Security Testing

The Security Development Lifecycle

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

Peach Fuzzer Platform

Automate Your BI Administration to Save Millions with Command Manager and System Manager

Business Application Services Testing

OF 1.3 Testing and Challenges

Using WebLOAD to Monitor Your Production Environment

-.% . /(.0/ ) 53%/( (01 (%((. * 7071 (%%2 $,( . 8 / 9!0/!1 . # (3(0 31.%::((. ;.!0.!1 %2% . ".(0.1 $) (%+"",(%$.(6

Overview - Using ADAMS With a Firewall

Application Code Development Standards

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

Protection profile of an industrial firewall

M3-R3: INTERNET AND WEB DESIGN

Java 7 Recipes. Freddy Guime. vk» (,\['«** g!p#« Carl Dea. Josh Juneau. John O'Conner

Web App Security Audit Services

SOFTWARE TESTING TRAINING COURSES CONTENTS

FSW QA Testing Levels Definitions

Cisco Secure PIX Firewall with Two Routers Configuration Example

Fig : Packet Filtering

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Adobe Systems Incorporated

U.S. Navy Automated Software Testing

Owner of the content within this article is Written by Marc Grote

ASSURING SOFTWARE QUALITY USING VISUAL STUDIO 2010

Application Security Testing

AJAX Storage: A Look at Flash Cookies and Internet Explorer Persistence

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

CheckPoint FireWall-1 Version 3.0 Highlights Contents

Overview - Using ADAMS With a Firewall

HP Service Virtualization

NFSv4.1 Server Protocol Compliance, Security, Performance and Scalability Testing - Implement RFC, Going Beyond POSIX Interop!

Job Reference Guide. SLAMD Distributed Load Generation Engine. Version 1.8.2

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Mobility Information Series

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Vulnerability Assessment and Penetration Testing

Barracuda Intrusion Detection and Prevention System

Copyrighted , Address :- EH1-Infotech, SCF 69, Top Floor, Phase 3B-2, Sector 60, Mohali (Chandigarh),

What is Web Security? Motivation

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Microsoft SDL: Agile Development

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Detecting SQL Injection Vulnerabilities in Web Services

Introduction to Web Services

Contents. Introduction and System Engineering 1. Introduction 2. Software Process and Methodology 16. System Engineering 53

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Overview of DatadiagramML

Securing EtherNet/IP Using DPI Firewall Technology

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

FTP Client Engine Library for Visual dbase. Programmer's Manual

Basic & Advanced Administration for Citrix NetScaler 9.2

Comparing the Effectiveness of Penetration Testing and Static Code Analysis

Evolutionism of Intrusion Detection

Web Application Security

Network Intrusion Detection Signatures, Part One by Karen Kent Frederick last updated December 19, 2001

Source Code Review Using Static Analysis Tools

Targeted attacks: Tools and techniques

UNCLASSIFIED CPA SECURITY CHARACTERISTIC WEB APPLICATION FIREWALLS. Version 1.3. Crown Copyright 2011 All Rights Reserved

Web Applications Testing

AXL Troubleshooting. Overview. Architecture

PROFESSIONAL SECURITY SYSTEMS

Strategic Information Security. Attacking and Defending Web Services

Christchurch Polytechnic Institute of Technology Information Systems Acquisition, Development and Maintenance Security Standard

The Hacker Strategy. Dave Aitel Security Research

Network Security - ISA 656 Application Firewalls

Owner of the content within this article is Written by Marc Grote

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

SoapUI NG Pro and Ready! API Platform Two-Day Training Course Syllabus

Integration of Hotel Property Management Systems (HPMS) with Global Internet Reservation Systems

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Automation and Control. CERN OpenLab 25 January 2010

Application Firewall Overview. Published: February 2007 For the latest information, please see

Web Services Implementation: The Beta Phase of EPA Network Nodes

Firewall Testing Methodology W H I T E P A P E R

Penetration Testing with Kali Linux

Java Program Vulnerabilities

4D Plugin SDK v11. Another minor change, real values on 10 bytes is no longer supported.

Guidance Regarding Skype and Other P2P VoIP Solutions

Application Firewalls

SimbaEngine SDK 9.4. Build a C++ ODBC Driver for SQL-Based Data Sources in 5 Days. Last Revised: October Simba Technologies Inc.

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

The presentation explains how to create and access the web services using the user interface. WebServices.ppt. Page 1 of 14

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

ODBC Driver User s Guide. Objectivity/SQL++ ODBC Driver User s Guide. Release 10.2

Transcription:

Fuzzing in Microsoft and FuzzGuru framework OWASP-IL May-2007 John Neystadt jney@microsoft.com Lead Program Manager Forefront Edge, Microsoft

Agenda Overview Introduction to Fuzzing FuzzGuru Architecture Demo Testing Designing Fuzzing Test Preparation for Fuzz Testing Performing Fuzz Testing Completing Fuzzing Coverage Fuzzing in ISA 2

Introduction to Fuzzing Tired of Code Reviews? Fuzz testing is about automatic testing of malformed input handling Fuzzing Target is code, not data. Its white box testing - no need to exhaust all data combinations, that code doesn t distinguish In the past dumb fuzzing was made to randomly corrupt bits of data., This penetrates only top data handling layers, since something basic (checksum, first fields) would be broken and inner code paths wouldn t be reached Smart is about systematic testing of all code paths that process data. Corrupt fields one by one, preserving general validity of the packet (Content-Length, Checksums, Base64 encoding, etc) 3

Case for Fuzzing Over 70% of security vulnerabilities Microsoft patched in 2006 were found by fuzzing Many open-source tools and some commercial products that do fuzzing of specific protocols or formats are available SDL - Microsoft Security Development Lifecycle Internal security bible mandatory for all Microsoft teams Mandates fuzzing for Files, RPC, DCOM, Network, ActiveXs as part of product development lifecycle 4

What I wanted to know about Fuzzing, but didn t dare to ask Fuzzing finds Access Violations and Buffer Overruns, not functional problems Fuzzing requests usually fail, since they are malformed Often fuzzing bugs are in clean-up code paths: leaks, synchronization and timing issues. Fuzz both client and server code simulating malicious server has high chance of finding bugs! If a bug happens when two independently fields are malformed, FuzzGuru will not find it Both C++ and C# (or Java) code should be fuzzed if it processes data from untrusted source 5

FuzzGuru Architecture FuzzGuru Development Framework Development Guide Schema Editor Simulator +Getting Started +SDK +Samples +Define Data Schema() +Define Fuzzing Test Cases() +Import XML XSDs() +Validate Schema Correctness() +Validate Template Parsing() +Simulate Fuzzing() Fuzzing Stress Framework Input Templates +Valid files +Network captures +Generated by test tool Ready Fuzzing Schemas HTTP GZIP SMTP FTP DNS SOCKS MIME Investigate the results +Fuzzing Traces +Code Coverage Analysis +Update Test Coverage 1. learn 2. define schema 4. simulate 3. prepare templates 2.1 reuse existing schemas 8. investigate the results 9. extend the framework Test Owner Test Automation Scripts or Test Harness Custom Test Tools 5. create fuzzing experiment configuration 7. develop automation use as command line implement custom experiments Fuzzing Experiment Configuration Editor +Define Fuzzing Experiments() 6. run manual test Command Line (fgcmd.exe) +Run Experiment() +Trace to DBMON() +Run in GUI() +View Traces in GUI() «datatype» Fuzzing Experiments +File Fuzzer (using fuzzing schema) +XML Fuzzer (using XSD schema) +TCP/UDP Clients/Servers +TCP / UDP Man-in-the-middle (Redirector) +Custom (implemented by user) +Run Fuzzing Stress() +Repro Bugs() +Provide Traces() use fuzzing API from test code Fuzzing Experiment Runner GUI «uses» Extensibility Interfaces «datatype» Data Elements +String (ANSI, Unicode) +Binary Data +Grouping Elements +XML +Custom (implemented by user) «datatype» Encoders +Unicode (UTF*) / Windows Char Set +Base 64 +Special XML Encoder +Custom (implemented by user) Data Fuzzing Framework «datatype» Relations +Presence +Buffer / Length +Group / Count +Custom (implemented by user) Fuzzing API «datatype» Fuzzers +String +Numeric +Numeric String +Unicode-specific +XML +Group Fuzzers +Custom Fuzzers 6

Designing Fuzzing Test Fuzzing a protocol - create schema or customize a ready one Define schema for parts of the protocol, need to be fuzzed More later Defining fuzzing Test Cases Fuzzing Test Cases choose a subset of schema (elements and fuzzers) to be applied for relevant scenario FuzzGuru command line tool gets test case id as parameter FuzzGuru API requires test case id to generate malformed packets Test Case can be used for focused fuzzing to test specific fixes Create fuzzing Templates Obtain real world data captures or generated by test programmatically Templates are equivalence classes, choose minimum number to cover all your scenarios Template must adhere to schema, you can use placeholder elements in schema to skip irrelevant parts Use FuzzGuru GUI Simulator to verify test cases and templates Verify template is parsed correctly See which fuzzers are chosen (simulator trace) Inspect output to inspect malformed requests 7

Manual or Automated Fuzz Testing FuzzGuru Experiments ready tools for common fuzzing scenarios Gets schema, mutation template and test case name Ready tcp/udp server/client, man-in-the middle redirector, file, xml modes Extensive - can develop custom experiments Generates stress of upto 500 tcp cps or 11,000 udp packets Supports recording/playback of repro buffer Generates perf counters Writes fuzzing traces to dbmon Manual Test Running (GUI) Define Experiment Configuration (FuzzGuru GUI, Tools Experiment Configuration Editor) Run experiments interactively (FuzzGuru GUI, Tools Experiment Runner) Scriptable Automation Define Experiment Configuration (FuzzGuru GUI, Tools Experiment Configuration Editor) Call experiments from command line interface (fgcmd.exe) Integrate into your own test tools Call DataFuzzer APIs from your own test tool, providing it schema, mutation template and test case name 8

Demo Run BinUrt2\DemoApp.exe Run HTTP Server Attack Demo See Demo\Readme.mhtml => Part2 for instructions Results (5 minutes each run): Scenario Iterations Bugs found Test Cases coverage Dumb Fuzzing without template 6500 0 out of 4 24% Dumb Fuzzing with template 11000 2 from 4 (hits: 0, 0, 2, 10) 56% Fuzzing with HTTP Demo Schema without template Fuzzing with HTTP Demo Schema with one template (valid) 700 (slow ) 2 from 4 (hits: 0, 0, 4, 8) 10200 4 from 4 (hits: 1, 7, 64, 143) 80% 100% 9

Completing Fuzzing Coverage (Code Coverage) After running a fuzzing test for a first round it is important to inspect whether all code paths were covered Magellan Code Coverage tool set is recommended You should not hunt the numbers, rather review all uncovered code paths Fuzzing should traverse to all branches that depend on untrusted data All parsing code should be covered All error handling and cleanup code should be covered Note: If there is no code to handle malformed data exist, Code Coverage will not help you! To add coverage, you may need: Extend test matrix and fuzzing tests additional configurations of the feature Add additional fuzzing templates Extend FuzzGuru with custom fuzzers or elements Metrics Expected to reach 75-85% code coverage of parsers code blocks Per fuzzed DLL: fuzzing usually adds 3%-6% blocks and 3%-8% arcs additional coverage to compared to stress Per fuzzed source file: fuzzing usually significantly adds the coverage of ~13%. Per fuzzed function: fuzzing usually significantly adds the coverage of over 17%. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information