1 © 2011 Codenomicon. all rights reserved. Robustness Testing: Discover unknown vulnerabilities with Testing & QA Ari Takanen Codenomicon Ltd.

2

3 Be Proactive with Security
Modern security testing is about finding unknown zero-day vulnerabilities in devices and software, before and after release.
It provides a quick technique for security assurance for any device or software.
www.codenomicon.com/unknown/

4 Security Vulnerability = Just A Bug

5 Same Applies to (Legacy) Mobile Phones

6 The Challenge

7 Internet of Things = Future market for security and testing
[Chart: connected places, people and things from 1875 to 2025, growing from ~0.5 B through 5.0 B to 50 B; inflection points labelled Global Connectivity, Personal Mobile, Digital Society, Sustainable World. Source: Ericsson]

8 Codenomicon Labs Test Results
http://www.codenomicon.com/labs/results

9 Smart phone attack surface
– WIRELESS, Bluetooth: L2CAP, RFCOMM, SDP, OPP, A2DP, AVRCP, PBAP, DUN, ...
– WIRELESS, 802.11: 802.11a/b/g/n, WPA, WPA2, ...
– WIRELESS, cellular: GPRS, EDGE/3G, GSM, SMS, MMS, SMIL, OTA updates, ...
– PHYSICAL CONNECTIVITY: USB, serial, memory card, SIM, ...
– IP CONNECTIVITY: IPv4 (ARP, ICMP, IGMP, IP, UDP, TCP), IPv6 (IP, ICMP, ND, RD, SEND, MLD, TCP, UDP), HTTP, TLS/SSL, OCSP, RTSP, SIP/IMS, RTP/RTCP, SigComp, DNS, MDNS, DHCP, NTP, SOAP, REST/JSON, SMTP, POP3, IMAP4, WAP/WMLC, ...
– [WEB] APPLICATIONS: XML, DRM, HTML5 (CSS, HTML, JavaScript), AT commands, inter-process APIs/RPCs
– MEDIA: audio (AAC, MP3, MP4, 3GP, WAV, ...), images (JPG, GIF, PNG, TIFF, ...), video (MPG1, MPG2, MP4/H.264, WebM, ...), archives (ZIP, JAR, CAB, ...), documents (PDF, DOC, PPT, ...), X.509, email (MIME, calendar, vCards, ...), DRM, Flash, Java classes, application installers, ...

10 Approaches to testing: how does fuzzing fit in?
– Feature/conformance testing
– Performance/load testing
– Robustness testing: fuzzing, static code analysis

11 Microsoft SDL & fuzzing & static code analysis

12 Microsoft SDL: Fuzz Here?
Many organizations choose to deploy fuzzing in other parts of the SDL as well.

13 Definition of fuzzing
Fuzzing is a technique for intelligently and automatically generating, and passing into a target system, valid and invalid message sequences, to see if the system breaks, and if it does, what it is that makes it break.

14 Product Security Terminology
– Vulnerability: a weakness in software, a bug.
– Threat/Attack: an exploit against a specific vulnerability.
– Protocol Modeling: functional behavior, interface message sequences and message structures.
– Anomaly: abnormal or unexpected input.
– Failure: crash, busy-loop, memory corruption, or other indication of a bug in software.

15 Types of fuzzing
– Random fuzzing: Apple, 1980s; Barton P. Miller, 1980s and 1990s.
– Template-based fuzzing: capture traffic, or use sample files, or ..., and create mutated test cases.
– Specification-based fuzzing: model the specification, inject anomalies, transmit to the target system.

16 Example Fuzzing Session
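Slides 13 to 16 describe fuzzing as generating valid and invalid messages, from a protocol model or from a captured sample, feeding them to a target and watching for failures. The Python script below is an added example written for this transcript; it is not code from the Codenomicon slides or from any Codenomicon tool. It models a small constructed length-prefixed message format, produces specification-based anomalies (length field lies, truncated header, empty input) and template-based mutations of one captured sample, and runs both sets against a constructed parser with a deliberate "trust the length field" bug, classifying each outcome as slide 14 does: a deliberate rejection is a pass, any other exception stands in for a crash. The message format, the parser bug and every function name are assumptions made for this example, and the hardened parser is included only to show what a robust version of the same code looks like.

```python
import random
import struct

# Constructed message format for this example (not a real protocol):
#   MAGIC (2 bytes) | LEN (u16, big endian) | PAYLOAD (LEN bytes) | XOR checksum of PAYLOAD (1 byte)
MAGIC = b"\x7a\x7b"


def xor_checksum(payload):
    checksum = 0
    for b in payload:
        checksum ^= b
    return checksum


def build_message(payload, length=None):
    """Protocol model: emits a valid message. Passing an explicit `length`
    injects a length-field anomaly while the rest of the message stays valid."""
    if length is None:
        length = len(payload)
    return MAGIC + struct.pack(">H", length) + payload + bytes([xor_checksum(payload)])


def parse_message_buggy(data):
    """Constructed target with a robustness bug: it trusts LEN to locate the
    checksum byte and never checks that the bytes it indexes were received."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")              # deliberate rejection
    (length,) = struct.unpack(">H", data[2:4])     # struct.error if fewer than 2 bytes remain
    payload = data[4:4 + length]
    trailer = data[4 + length]                     # IndexError when LEN overstates the size
    if trailer != xor_checksum(payload):
        raise ValueError("bad checksum")           # deliberate rejection
    return payload


def parse_message_fixed(data):
    """Hardened parser: every offset is checked against the bytes actually present,
    so malformed input is rejected deliberately instead of failing inside the parser."""
    if len(data) < 5 or data[:2] != MAGIC:
        raise ValueError("short message or bad magic")
    (length,) = struct.unpack(">H", data[2:4])
    if 4 + length >= len(data):
        raise ValueError("declared length exceeds message")
    return parse_message_buggy(data)               # all indexes are now in range


HANDLED = (ValueError,)   # exceptions the target raises on purpose


def run_case(target, data):
    """Verdict for one test case: 'pass' if the input is accepted or rejected
    deliberately, 'fail' on any other exception (our stand-in for a crash)."""
    try:
        target(data)
        return "pass"
    except HANDLED:
        return "pass"
    except Exception:
        return "fail"


def spec_based_cases(payload=b"hello"):
    """Specification-based fuzzing: the model emits a valid message and
    variants with anomalies injected at the model level."""
    return {
        "valid": build_message(payload),
        "length-too-large": build_message(payload, length=0xFFFF),
        "length-zero": build_message(payload, length=0),
        "truncated-header": build_message(payload)[:3],
        "empty": b"",
        "max-payload": build_message(b"A" * 0xFFFF),
    }


BOUNDARY_BYTES = (0x00, 0x7F, 0x80, 0xFF)


def template_based_cases(sample, seed=1, n_random=100):
    """Template-based fuzzing: mutate a captured sample. A deterministic sweep
    (every offset x every boundary byte) is followed by n_random random mutations."""
    rng = random.Random(seed)                      # fixed seed keeps the run reproducible
    cases = [sample[:off] + bytes([val]) + sample[off + 1:]
             for off in range(len(sample)) for val in BOUNDARY_BYTES]
    for _ in range(n_random):
        data = bytearray(sample)
        op = rng.choice(("flip", "truncate", "insert"))
        if op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "truncate":
            del data[rng.randrange(1, len(data)):]
        else:
            i = rng.randrange(len(data))
            data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        cases.append(bytes(data))
    return cases


def fuzz(target, cases):
    """Run every case; returns {name or index: verdict}."""
    items = cases.items() if isinstance(cases, dict) else enumerate(cases)
    return {key: run_case(target, data) for key, data in items}


def count_failures(verdicts):
    return sum(1 for v in verdicts.values() if v == "fail")


if __name__ == "__main__":
    spec = spec_based_cases()
    print("spec-based, buggy parser:", fuzz(parse_message_buggy, spec))
    print("spec-based, fixed parser:", fuzz(parse_message_fixed, spec))
    mutated = template_based_cases(spec["valid"])
    print("template-based failures, buggy:", count_failures(fuzz(parse_message_buggy, mutated)), "of", len(mutated))
    print("template-based failures, fixed:", count_failures(fuzz(parse_message_fixed, mutated)))
```

Against the buggy parser the model-level anomalies "length-too-large" and "truncated-header" are reported as failures, and the boundary sweep over the captured sample finds the same length-field bug without knowing the format at all, which is the practical difference between the two approaches on slide 15. Against the hardened parser every case is either accepted or rejected with a deliberate ValueError, so the failure count is zero; in a real harness the "fail" verdict would come from process monitoring (crash, hang, sanitizer report) rather than from catching a Python exception.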

17 What kinds of bugs does it find?

18 Why We Must Fuzz? Update Frequency
– Designing systems for very long operational and legacy device support: what about security?
– Try to secure devices that get infrequent updates, or those needing very high severity updates out of band.
– Always-on applications or devices will have to deal with live updates, with no down-time, and still function in rugged/robust environments.
– Mission-critical devices will bring their own unique set of requirements: guaranteed up-time, high security, and immunity from updates being an attack source.

19 Fuzzing vs. Common Criteria
Calculation of attack potential for fuzzing tools:

Factor                        Open Source Fuzzers   Score   Commercial Fuzzers   Score
Elapsed Time to Exploitation  less than a week      1       less than a day      0
Expertise                     Expert                6       Layman               0
Knowledge of TOE              Public                0       Public               0
Window of Opportunity         Easy                  1       Easy                 1
Equipment                     Standard              0       Specialized          4
Total                                               8                            5

20 Attack Potential for Fuzzing Tools
Attack potential for fuzzing tools is 5-8. What does that mean?
– 0-9 = Basic: AVA_VAN.1-5 should not fail
– 10+ = Enhanced Basic: required at EAL4
All Common Criteria evaluated products should survive basic attacks such as fuzz-testing?

21 Example: Traffic Capture Fuzzing

22 Models and Rules

23 Scaling Fuzz Tests
Robustness is also about performance, and therefore model-based tools have to be fast in generating test cases.

24 Testing In The Cloud
Test the interior and exterior of the cloud, including services, devices, applications, and hypervisor stability.

25 Model-based Fuzz-Testing Examples
"[FUZZING] tools are *amazing*. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code. We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would *never* have found those bugs without the [FUZZING] tools. If you're serious about implementing protocols correctly, you need [FUZZING] tools." -- Jeremy Allison, Co-Creator of Samba

26 Model-based Fuzz-Testing Examples

27 Model-based Fuzz-Testing Examples

28 Model-based Fuzz-Testing Examples

29 Model-based Fuzz-Testing Examples

30 Model-based Fuzz-Testing Examples

31 Conclusions
Why is fuzzing always an excellent choice for a testing solution ... and sometimes the only feasible one?
– Easy to automate, systematic, top coverage, top efficiency
– Increasingly widely adopted; some contractors/customers require it
– Real-life examples indicate: you will find security-critical bugs by fuzzing

32 DEFEND. THEN DEPLOY. Proactive security and robustness solutions. THANK YOU – QUESTIONS?
"Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. ... Testers! Break that software (as you must) and drive it to the ultimate - but don't enjoy the programmer's pain." [from Boris Beizer]
