Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication.

Published byGertrude Hines Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication."— Presentation transcript:

1 Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication

2 2 Copyright © Microsoft Corp 2006 Security Testing Intended functionality Traditional faults Actual software functionality Unintended, undocumented or unknown functionality Weak authn Poor Defenses BO in authn Extra ‘functionality’ No authn Missing Defenses

3 3 Copyright © Microsoft Corp 2006 Testing Like an Attacker: ‘Footprint’ the Application Δ

4 4 Copyright © Microsoft Corp 2006 Fuzz Testing Fuzz Testing is the methodical application of malformed data in a search for vulnerabilities Find security & reliability issues efficiently

5 5 Copyright © Microsoft Corp 2006 How to Fuzz (1 of 4) Determine all the entry points to your code Network ports and protocols Files and file types Rank them by privilege level and accessibility Anonymous, user, admin Remote, local Run your app under Application Verifier

6 6 Copyright © Microsoft Corp 2006 How to Fuzz (2 of 4) For ALL file formats you consume Build a collection of valid files Tweak a file at random using a tool Load the file into your application Observe! Crash? Memory spike? For all network ports For all network ports Use a rogue client/server

7 7 Copyright © Microsoft Corp 2006 How to Fuzz (3 of 4) Examples of ‘tweaking’ a file Write a random series of bytes Flip two adjacent bytes Look for ASCII/Unicode text and then set the trailing NULL to non-NULL Set size values to random numbers Set integer to negative number Etc…

8 8 Copyright © Microsoft Corp 2006 How to Fuzz (4 of 4) Network fuzzing Build a rogue front-end to your app (client and server) Tweak bits at random ClientServer ‘pure evil’

9 9 Copyright © Microsoft Corp 2006 Attack Ideas Rule #1 – There are no rules If you provide a client to access the server, don’t use it! Mimic the client in code If you rely on a specific service, build a bogus one

10 10 Copyright © Microsoft Corp 2006 “Bang for the Buck” Attack Ideas Consume files? Try device names and ‘..’ Look for: hangs, access to other files Fuzz data structures Look for: AVs or memory leaks (appverifier) Look for PII data in information disclosure threats grep for ‘should’ and ‘assume’ in the code :) ActiveX (especially Safe For Scripting) Look at each method/property and ask, “What could a bad guy do?”

11 11 Copyright © Microsoft Corp 2006 “Bang for the Buck” Attack Ideas Look for privilege-elevation boundaries Pushing data from low-priv to high-priv process SYSTEM Admin: Full Control Everyone: Read Everyone: Write

12 12 Copyright © Microsoft Corp 2006  Use fuzzers for all consumed resources (files, net protocols etc.)  100,000 iterations per data type  Tools! Tools! Tools! Security Testing Checklist

Download ppt "Copyright © Microsoft Corp 2006 Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication."

Similar presentations

Network Systems Sales LLC

Network Systems Sales LLC
Windows NT server and workstation Name: Li Shen Course: COCS541 Instructor: Mort Anvari.

Windows NT server and workstation Name: Li Shen Course: COCS541 Instructor: Mort Anvari.
The “Everything Developer Security” Talk Michael Howard Principal Security Program Manager Microsoft Corp.

The “Everything Developer Security” Talk Michael Howard Principal Security Program Manager Microsoft Corp.
By Skyler Onken.  Who am I?  What is Fuzzing?  Usual Targets  Techniques  Results  Limitations  Why Fuzz?  “Fuzzing the Web”?  Desired Solution.

By Skyler Onken.  Who am I?  What is Fuzzing?  Usual Targets  Techniques  Results  Limitations  Why Fuzz?  “Fuzzing the Web”?  Desired Solution.
Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.

Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.
Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.

Copyright © Microsoft Corp 2006 Introduction to Threat Modeling Michael Howard, CISSP Senior Security Program Manager Security Engineering and Communication.
Application Security 2007 Annual Security Training Kansas State University.

Application Security 2007 Annual Security Training Kansas State University.
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
INTERNET A collection of networks. History ARPANet – developed for security of sending in case of a nuclear attack IDEA – the system would not go down.

INTERNET A collection of networks. History ARPANet – developed for security of sending in case of a nuclear attack IDEA – the system would not go down.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.

Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Peer-to-Peer Technology and Security Issues By Raul Rodriguez, Arash Zarrinbakhsh, Cynthia Roger and Phillip Shires College of Business Administration.

Peer-to-Peer Technology and Security Issues By Raul Rodriguez, Arash Zarrinbakhsh, Cynthia Roger and Phillip Shires College of Business Administration.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Introduction to the Application.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Introduction to the Application.
Introduction to Network Programming and Client-Server Design.

Introduction to Network Programming and Client-Server Design.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.

Small Business Security By Donatas Sumyla. Content Introduction Tools Symantec Corp. Company Overview Symantec.com Microsoft Company Overview Small Business.
File Transfer Protocol (FTP)

File Transfer Protocol (FTP)

Similar presentations

Ads by Google