protocol fuzzing past, present, future

Similar documents
protocol fuzzing past, present, future

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

Peach Fuzzer Platform

*[Bug hunting ] Jose Miguel Esparza 7th November 2007 Pamplona S21sec

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

The Advantages of Block-Based Protocol Analysis for Security Testing

Penetration Testing with Kali Linux

ensuring security the way how we do it

Attack and Defense Techniques

Sergey Bratus Trust Lab, Dartmouth College

hackers 2 hackers conference III voip (in)security luiz eduardo cissp, ceh, cwne, gcih

Testing for Security

Vulnerability Assessment and Penetration Testing

Will Dormann: Sure. Fuzz testing is a way of testing an application in a way that you want to actually break the program.

How To Understand A Network Attack

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

A Link Layer Discovery Protocol Fuzzer

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

June 2014 WMLUG Meeting Kali Linux

Debugging With Netalyzr

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

How I Learned to Stop Fuzzing and Find More Bugs

The Hacker Strategy. Dave Aitel Security Research

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

ACHILLES CERTIFICATION. SIS Module SLS 1508

Improving Web Vulnerability Scanning. Daniel Zulla

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

Chapter 8 Security Pt 2

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Attacking VoIP Networks

Security Tools - Hands On

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Application Denial of Service Is it Really That Easy?

Learn Ethical Hacking, Become a Pentester

Session 3: Security in a Software Project

How to make free phone calls and influence people by the grugq

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

Security of IPv6 and DNSSEC for penetration testers

Web Application Firewalls: What the vendors do NOT want you to know SHAKACON III

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Application Intrusion Detection

Playing with Web Application Firewalls

How I DOS ed My Bank. (DTMF Input Processing Easy DOS Attacks via Phone Lines)

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

Attacking the Traveling Salesman Point-of-sale attacks on airline travelers DEFCON 2014

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Stateful Firewalls. Hank and Foo

Topics in Network Security

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

CS5008: Internet Computing

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

Security Testing Summary of Next-Generation Enterprise VoIP Solution: Unify Inc. OpenScape SBC V8

Attack and Defense Techniques 2

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

Sample Report. Security Test Plan. Prepared by Security Innovation

Web Application Penetration Testing

Penetration Testing - a way for improving our cyber security

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Defense in Depth: Protecting Against Zero-Day Attacks

The Sulley Framework: Basics By loneferret

Hands-on Security Tools

FTP Peach Pit Data Sheet

The A-to-Z of CyberSecurity as a Kid Understands It

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

How To Protect Your Network From Attack From Outside From Inside And Outside

The VoIP Vulnerability Scanner

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

OWASP OWASP. The OWASP Foundation Selected vulnerabilities in web management consoles of network devices

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

SNMP Peach Pit Data Sheet

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Newsletter - September T o o l s W a t c h T e a m NJ OUCHN & MJ SOLER

Fuzzing in Microsoft and FuzzGuru framework

Intrusion Detection System

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Intrusion Detection Systems

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Integrating Tools Into the SDLC

Web Applications Security: SQL Injection Attack

Malicious Network Traffic Analysis

CIT 380: Securing Computer Systems

First Line of Defense to Protect Critical Infrastructure

National Cyber League Certified Ethical Hacker (CEH) TM Syllabus

CSE331: Introduction to Networks and Security. Lecture 17 Fall 2006

Transcription:

protocol fuzzing past, present, future luiz eduardo senior systems & security engineer leduardo (at) musecurity.com gts x - são paulo Mu Security, Inc. All Rights Reserved Copyright 2007

agenda history of fuzzing protocol fuzzing fuzzable or not? non-sense fuzzing session-based fuzzing / stateful-based fuzzing tools techniques challenges getting creative packet fun predictions resources 2

hi network security guy regular speaker at security conferences wlan at security conferences (defcon, blackhat, chaos computer congress, etc) networking goon @ defcon infosec certifications buff and don t believe anything i say! ( tm bruce potter) ok, at least question yourself (and others) about it 3

abrindo parênteses josé: eita, de novo!!! fuzzing????? puxa luiz, traduza isso! luiz: zé, não dá nem em inglês tem um significado mas vamos tentar: fuzzing é a técnica (ou arte) de enviar entradas não válidas para qualquer tipo de mecanismo de entrada. todo mecanismo de entrada deveria simplesmente descartar entradas inválidas, mas isso não acontece. então, fuzzing se tornou a técnica de exercitar os programas existentes* para entradas inválidas. parecido com uma técnica conhecida como: Análise do valor limite (ou boundary value analysis (BVA)) 4

fuzzing history created @ university of madison in 1989 by professor barton miller and his crew why? buzz word in the past few years not just a http thing file format fuzzing application fuzzing sorta hope to find 0 days and 5

terms/ keywords/ etc malformed / semi-malformed/ invalid input random target exception-handling mutations instrumentation art / creativity agents negative-testing changed the mentality of: but.. that packet doesn t follow the rfc spec or hmmmmm but people are not supposed to send these packets 6

Visunrdansting TM vulnerability scanners protocol fuzzing exploitation tools 7

wait! what s this 0 day thing? 8

(con)fuzzable or not? 9

mainstreaming fuzzing best bang for the buck numerous bugs found in the past few years some of them make the news others probably not growth in the number of specific tools number of vulnerabilities increase, number of exploits not that much 10

corporate fuzzing again, nothing new. but if you don t fuzz, someone else will fuzzing became a common practice (regardless if it s done correctly or not) delivering products / services with basic testing is no longer acceptable There is no time! Well.. Being reactive sux 11

so protocol fuzzing, shall we? anything that has an input could be considered protocol fuzzing but protocol abuse test robustness of the target from instability to crashes (or to remote code execution) if it s already hard for one to follow the rfc spec, how about the anything but? 12

ohhh, there is a difference fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! fuzzers are not va scanners! 13

what to break in a protocol? structure state semantics Buffer Overflow Integer Overflow Invalid Message Format String Fragmented Field Invalid Header Null Character Wrong Encoding Invalid Index Invalid String Recursion Truncated Underflow Missing Field Mixed Case Out of Order Self-Reference Too Many Fields Invalid Offset 14

what protocols to fuzz? all of them, of course but what s the buzz? what s new? what s not mature? sip scada ipv6 wireless bluetooth videogames 15

non-sense fuzzing 16

session-based fuzzing first you establish a channel with the target and then start fuzzing at that level it could be the tony-montana-style fuzzing to certain tcp/udp port too but, somehow interacting w/ the target based on the protocol is more Corleone-style 17

stateful-based fuzzing one step above (simply) establishing a session (aka: better than Michael Corleone) on-the-fly fuzzing/ reading the target s mind (possible) better fault isolation (possible) better code exercise * 18

attack techniques random database (mix?) stateful 19

some of the usual challenges fault isolation the bug behind the bug slow protocol implementations monitor the target (memory leaks/ cpu spikes/ some type of redundancy) monitor processes/ child processes 20

tools manual testing spike / written in c/ block-based approach protos / java / different fuzzers peach / python / written while drinking beer at ph-neutral antiparser / python/ fuzzer and fault injection tool dfuz / c sulley/ parallel fuzzing capabilities /legos 21

commercial bestorm codenomicom hydra mu security thread-x 22

getting creative / how to break test stuff use different fuzzing tools use the same fuzzing tool (parallel fuzzing) use a framework to integrate other stuff (traffic gen, nmap, exploitation tools, etc) use a framework to integrate agents for monitoring well use any tools available 23

packets 24

packets (cont) 25

packets (again) 26

packets (again) 27

packets (yeah yeah) 28

packets (one more?) 29

packets (cont) 30

packets (last one) 31

(con)fuzzing state of the security community bad defense in depth implementations (and possibly concepts) again. lots of security is ONLY based on known attacks critical infrastructure (?) fuzzing is not the red pill, but certainly has helped changing the way people think 32

The future creativity is key : use the brain, for anything better integration with other tools most people already got fuzzing more intelligence has to be incoporated to protocol fuzzing protocol/ application adaptation offline protocol fuzzing/ protocol correlation (and playback?) redundant system testing fuzzing through tunnels proxy-fuzzing (not a-la spike proxy) fuzz through/ on/ with non-standard media types (traffic shapers, etc) anything is fuzzable 33

resources http://labs.musecurity.com book: fuzzing: brute force vulnerability discovery: pedram et al http://fuzzing.org http://www.hacksafe.com.au/blog/2006/08/21/fuzz-testing-tools-and-techniques/ http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.pdf fuzzing mailing list by gadi evron http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing 34

muito obrigado leduardo (at) musecurity.com 35

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information