Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication.

Security Testing

Figure: two overlapping regions, "intended functionality" and "actual software functionality". The bugs live where the two do not overlap: traditional faults (intended but never delivered) and unintended, undocumented or unknown functionality (delivered but never intended). Labels on the diagram: weak authn, no authn, BO (buffer overflow) in authn, missing defenses, poor defenses, extra 'functionality'. Functional testing covers the first gap; security testing has to go looking for the second, which no spec describes.

Testing Like an Attacker: 'Footprint' the Application

Fuzz Testing

Fuzz testing is the methodical application of malformed data in a search for vulnerabilities. It finds security and reliability issues efficiently.

How to Fuzz (1 of 4)

- Determine all the entry points to your code: network ports and protocols; files and file types
- Rank them by privilege level and accessibility: anonymous, user, admin; remote, local
- Run your app under Application Verifier (page heap makes a heap overrun fault at the instruction that causes it, instead of corrupting memory silently)

How to Fuzz (2 of 4)

- For ALL file formats you consume:
  - Build a collection of valid files
  - Tweak a file at random using a tool
  - Load the file into your application
  - Observe! Crash? Memory spike?
- For all network ports: use a rogue client/server

How to Fuzz (3 of 4)

Examples of 'tweaking' a file:
- Write a random series of bytes
- Flip two adjacent bytes
- Look for ASCII/Unicode text and then set the trailing NULL to non-NULL
- Set size values to random numbers
- Set integer to negative number
- Etc.

How to Fuzz (4 of 4)

Network fuzzing:
- Build a rogue front-end to your app (client and server)
- Tweak bits at random

Figure: client and server under test, with the rogue end labelled 'pure evil'.
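The four "How to Fuzz" steps above, worked through as an added example (this is not code from the slides or from Microsoft). The target, toy_parse(), is a constructed stand-in for a native file parser: its format ('FUZ1' magic, a record count, then length-prefixed NUL-terminated names) is invented for the example, and the read_bytes(), alloc() and c_strlen() helpers emulate the faults Application Verifier would raise on a real C parser (bounds violations, a failed huge malloc, strlen running off a heap block). MAX_ALLOC is an assumed budget. The mutators are the five tweaks from slide 7; the harness loads each mutated file, observes, and keeps the first repro per finding.

```python
"""Mutation fuzzer for a file format. Added example; toy_parse() is a constructed target."""
import random
import struct

MAX_ALLOC = 1 << 20  # assumed allocator budget: larger requests fail like a huge malloc()


def read_bytes(data, off, n):
    """memcpy-style read; IndexError where a C parser would read past its buffer."""
    if off < 0 or n < 0 or off + n > len(data):
        raise IndexError(f"read of {n} bytes at {off} exceeds {len(data)}-byte buffer")
    return data[off:off + n]


def alloc(n):
    """malloc-style allocation; a negative (size_t-wrapped) or huge size is a memory spike."""
    if n < 0 or n > MAX_ALLOC:
        raise MemoryError(f"allocation of {n} bytes")
    return bytearray(n)


def c_strlen(buf):
    """strlen on a heap block: with no NUL terminator it runs off the allocation."""
    end = buf.find(b"\x00")
    if end < 0:
        raise IndexError("strlen ran past the end of a heap allocation")
    return end


def build_file(names):
    """Constructed format: 'FUZ1', uint32 count, then int32 length + NUL-terminated name."""
    body = b"".join(struct.pack("<i", len(n) + 1) + n.encode("ascii") + b"\x00" for n in names)
    return b"FUZ1" + struct.pack("<I", len(names)) + body


def toy_parse(data):
    """Naive target that trusts its own size fields, as many real parsers do."""
    if data[:4] != b"FUZ1":
        raise ValueError("bad magic")                      # clean rejection
    (count,) = struct.unpack("<I", read_bytes(data, 4, 4))
    if count > 4096:
        raise ValueError("too many records")              # clean rejection
    off, names = 8, []
    for _ in range(count):
        (length,) = struct.unpack("<i", read_bytes(data, off, 4))  # signed, as in C
        off += 4
        buf = alloc(length)                                # malloc(length) before any check
        buf[:] = read_bytes(data, off, length)             # memcpy(buf, data + off, length)
        names.append(bytes(buf[:c_strlen(buf)]).decode("latin-1"))
        off += length
    return names


# The tweaks from slide 7; each takes (data, rng) and returns a new file.
INTERESTING = [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]   # boundary values, negative as signed


def mutate_random_bytes(data, rng):
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def mutate_swap_adjacent(data, rng):
    buf = bytearray(data)
    i = rng.randrange(len(buf) - 1)
    buf[i], buf[i + 1] = buf[i + 1], buf[i]
    return bytes(buf)


def mutate_strip_nul(data, rng):
    """Find ASCII text followed by a NUL and make the terminator non-NUL."""
    buf = bytearray(data)
    spots = [i for i in range(1, len(buf)) if buf[i] == 0 and 0x20 <= buf[i - 1] < 0x7F]
    if spots:
        buf[rng.choice(spots)] = 0x41
    return bytes(buf)


def mutate_integer(data, rng):
    """Overwrite a 32-bit word somewhere with a random, boundary or negative size value."""
    buf = bytearray(data)
    off = rng.randrange(len(buf) - 3)
    buf[off:off + 4] = struct.pack("<I", rng.choice(INTERESTING + [rng.randrange(1 << 32)]))
    return bytes(buf)


MUTATORS = [mutate_random_bytes, mutate_swap_adjacent, mutate_strip_nul, mutate_integer]


def fuzz(target, seeds, iterations, seed=0):
    """Load mutated seeds into target; keep the first repro per (finding, mutator) bucket."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        mutator = rng.choice(MUTATORS)
        case = mutator(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue                                       # rejected cleanly: what we want
        except MemoryError:
            bucket = "memory-spike"
        except IndexError:
            bucket = "out-of-bounds"
        except Exception as exc:                           # anything else is still a crash
            bucket = "crash:" + type(exc).__name__
        else:
            continue
        findings.setdefault((bucket, mutator.__name__), case)
    return findings
```

Run it with `fuzz(toy_parse, [build_file(["alpha", "bravo"]), build_file(["charlie"])], 5000)`; the keys tell you which tweak produced which class of fault, and the values are the repro files. The same mutators serve network fuzzing (slides 8 and 9): replace `toy_parse` with a function that sends `case` from a rogue client over a socket and reports whether the server is still answering, rather than driving the server through the client you ship.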

Attack Ideas

- Rule #1: there are no rules
- If you provide a client to access the server, don't use it! Mimic the client in code
- If you rely on a specific service, build a bogus one

"Bang for the Buck" Attack Ideas

- Consume files? Try device names and '..'. Look for: hangs, access to other files
- Fuzz data structures. Look for: AVs (access violations) or memory leaks (Application Verifier)
- Look for PII data in information disclosure threats
- grep for 'should' and 'assume' in the code :)
- ActiveX (especially Safe For Scripting): look at each method/property and ask, "What could a bad guy do?"
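The first idea above (device names and '..'), as an added example rather than anything from the slides: a generator for the file-name test cases to throw at any feature that opens a user-supplied name, and the single-component check such a feature should pass them through. The trailing dot/space, NUL and alternate-data-stream cases go beyond the slide and are included because Win32 name handling makes them the same class of problem. The base directory and file names are made up for the example.

```python
"""File-name attack cases and the check that should reject them. Added example."""
import os

# Win32 reserved device names; "CON.txt" still opens the console device.
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})


def filename_attack_cases(base="report.txt"):
    """Constructed test inputs for any feature that opens a user-named file."""
    return [
        "../" + base, "..\\" + base, "....//" + base,       # traversal: look for access to other files
        "..\\..\\Windows\\win.ini", "C:\\Windows\\win.ini",  # relative and absolute escapes
        "\\\\evilhost\\share\\" + base,                      # UNC path: forces an outbound connection
        "CON", "con.txt", "NUL", "COM1", "LPT1.log", "AUX.tar.gz",  # device names: look for hangs
        base + ".", base + " ",                              # Win32 strips trailing dots and spaces
        base + "\x00.jpg",                                   # NUL truncation at a C boundary
        base + ":hidden:$DATA",                              # NTFS alternate data stream
    ]


def is_safe_filename(name, allowed_ext=(".txt",)):
    """Accept only a plain single path component with an allowed extension."""
    if not name or name in (".", ".."):
        return False
    if any(c in name for c in "/\\\x00") or any(ord(c) < 0x20 for c in name):
        return False
    if any(c in name for c in '<>:"|?*'):      # illegal in Win32 names; ':' also blocks streams
        return False
    if name != name.rstrip(" ."):              # would be silently stripped, changing the target
        return False
    if name.split(".")[0].upper() in RESERVED_NAMES:
        return False
    return name.lower().endswith(tuple(e.lower() for e in allowed_ext))


def safe_join(base_dir, name):
    """Resolve name under base_dir and confirm the result stays inside it."""
    if not is_safe_filename(name):
        raise ValueError(f"rejected file name: {name!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes base directory")
    return path
```

When testing, feed every string from `filename_attack_cases()` to the real feature and watch for two things the slide names: a hang (opening CON or COM1 for reading blocks on the device) and a file outside the intended directory being read or written. The validator is deliberately an allow-list on shape and extension; a deny-list of bad substrings is exactly what these cases are designed to slip past.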

"Bang for the Buck" Attack Ideas (continued)

- Look for privilege-elevation boundaries: pushing data from a low-priv to a high-priv process

Figure: a resource consumed by a SYSTEM process, with an ACL of Admin: Full Control, Everyone: Read, Everyone: Write. The Everyone: Write entry is the boundary to test: anything that can write the resource gets its data parsed by SYSTEM.

Security Testing Checklist

- Use fuzzers for all consumed resources (files, net protocols, etc.)
- 100,000 iterations per data type
- Tools! Tools! Tools!