Copyright © Microsoft Corp 2006
Introduction to Security Testing
Shawn Hernan, Security Program Manager, Security Engineering and Communication
Security Testing
[Diagram: two overlapping circles, "intended functionality" and "actual software functionality". What is intended but not implemented are traditional faults; what is implemented but not intended is unintended, undocumented or unknown functionality. Examples on the unintended side: weak authn (poor defenses), buffer overflow in authn (extra 'functionality'), no authn (missing defenses).]
Testing Like an Attacker: 'Footprint' the Application
Fuzz Testing
Fuzz testing is the methodical application of malformed data in a search for vulnerabilities
Find security & reliability issues efficiently
How to Fuzz (1 of 4)
Determine all the entry points to your code
Network ports and protocols
Files and file types
Rank them by privilege level and accessibility
Anonymous, user, admin
Remote, local
Run your app under Application Verifier, so that heap corruption, handle misuse and similar faults are caught at the point they occur instead of surfacing later as unexplained crashes
How to Fuzz (2 of 4)
For ALL file formats you consume
Build a collection of valid files
Tweak a file at random using a tool
Load the file into your application
Observe! Crash? Memory spike?
For all network ports
Use a rogue client/server
How to Fuzz (3 of 4)
Examples of 'tweaking' a file
Write a random series of bytes
Flip two adjacent bytes
Look for ASCII/Unicode text and then set the trailing NULL to non-NULL
Set size values to random numbers
Set integer to negative number
Etc…
How to Fuzz (4 of 4)
Network fuzzing
Build a rogue front-end to your app (client and server)
Tweak bits at random
[Diagram: the rogue 'pure evil' front-end sits between Client and Server.]
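The four "How to Fuzz" steps above, as an added example that is not code from the original deck: a mutation fuzzer in Python that implements the file tweaks listed under "How to Fuzz (3 of 4)" (random bytes, adjacent-byte swap, NUL terminator removed, size fields set huge or negative), runs the consumer on every case and watches for the observations the slides ask for (crash, hang, memory spike). Everything about the target is an assumption: it is launched as a command line with the file path as the last argument, a crash is read from the exit status (death by signal on POSIX, NTSTATUS exception codes such as 0xC0000005 on Windows), and peak memory comes from resource.getrusage (a high-water mark in KiB on Linux, bytes on macOS, unavailable on Windows, where it reads 0). The toy consumer and seed file at the bottom are constructed so the script runs stand-alone; substitute your own corpus and command line.

```python
# Added example, not from the original deck: a mutation-based file fuzzer following the
# slides' recipe (collect valid files, tweak one at random, load it into the consumer,
# observe). Assumptions: consumer = command line with the file path last; crash = exit
# status (signal death on POSIX, NTSTATUS codes on Windows); peak memory = getrusage.
import os, pathlib, random, re, struct, subprocess, sys, tempfile

WINDOWS_CRASH_CODES = {0xC0000005, 0xC00000FD, 0xC0000374}  # AV, stack overflow, heap corruption
TEXT_RUN = re.compile(rb"[\x20-\x7e]{4,}\x00")  # printable ASCII run ending in NUL

def tweak_random_bytes(data, rng=random):
    """Write a random series of bytes over a random run of the file."""
    if not data:
        return data
    start = rng.randrange(len(data))
    run = rng.randint(1, min(16, len(data) - start))
    return data[:start] + bytes(rng.randrange(256) for _ in range(run)) + data[start + run:]

def tweak_swap_adjacent(data, rng=random):
    """Flip (swap) two adjacent bytes."""
    if len(data) < 2:
        return data
    i = rng.randrange(len(data) - 1)
    return data[:i] + data[i + 1:i + 2] + data[i:i + 1] + data[i + 2:]

def tweak_kill_terminator(data, rng=random):
    """Find ASCII text and set its trailing NUL to non-NUL (over-read bait)."""
    hits = list(TEXT_RUN.finditer(data))
    if not hits:
        return data
    end = rng.choice(hits).end()  # index just past the NUL
    return data[:end - 1] + b"A" + data[end:]

def tweak_size_field(data, rng=random):
    """Treat a random 4-byte aligned word as a size field: make it huge or negative."""
    if len(data) < 4:
        return data
    off = rng.randrange(0, len(data) - 3, 4)
    huge = [0xFFFFFFFF, 0x7FFFFFFF, 0x80000000, rng.randrange(1 << 20, 1 << 32)]
    word = (struct.pack("<I", rng.choice(huge)) if rng.random() < 0.5
            else struct.pack("<i", -rng.randint(1, 0x7FFFFFFF)))  # signed little-endian int32
    return data[:off] + word + data[off + 4:]

STRATEGIES = [tweak_random_bytes, tweak_swap_adjacent, tweak_kill_terminator, tweak_size_field]

def mutate(data, rng=random, rounds=1):
    """Apply `rounds` randomly chosen tweaks; every tweak preserves length."""
    for _ in range(rounds):
        data = rng.choice(STRATEGIES)(data, rng)
    return data

def run_target(cmd, path, timeout=5.0):
    """Run the consumer on one file and classify the outcome: crash, hang, peak memory."""
    try:
        import resource  # POSIX only
    except ImportError:
        resource = None
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout)
        rc, hung = proc.returncode, False
    except subprocess.TimeoutExpired:
        rc, hung = None, True
    crashed = rc is not None and (rc < 0 or (rc & 0xFFFFFFFF) in WINDOWS_CRASH_CODES)
    peak = resource.getrusage(resource.RUSAGE_CHILDREN).ru_maxrss if resource else 0  # high-water mark
    return {"returncode": rc, "crashed": crashed, "hung": hung, "peak_rss": peak}

def fuzz(seed_files, cmd, iterations=100, seed=0, mem_factor=4):
    """Fuzz campaign; returns a list of (iteration, observation, input bytes)."""
    rng = random.Random(seed)
    corpus, findings = [open(p, "rb").read() for p in seed_files], []
    baseline = run_target(cmd, seed_files[0])["peak_rss"] or 1  # footprint on valid input
    with tempfile.TemporaryDirectory() as tmp:
        case = os.path.join(tmp, "case.bin")
        for i in range(iterations):
            data = mutate(rng.choice(corpus), rng, rounds=rng.randint(1, 3))
            with open(case, "wb") as f:
                f.write(data)
            obs = run_target(cmd, case)
            if obs["crashed"] or obs["hung"] or obs["peak_rss"] > baseline * mem_factor:
                findings.append((i, obs, data))
    return findings

# Constructed stand-in for the application under test: a "record" file is a little-endian
# uint32 length plus payload; it abort()s when the length exceeds the payload, as a C parser
# would fault reading past its buffer. The seed is constructed too.
TOY_CONSUMER = ("import os, struct, sys\n"
                "data = open(sys.argv[1], 'rb').read()\n"
                "if struct.unpack('<I', data[:4])[0] > len(data) - 4:\n"
                "    os.abort()\n")
TOY_SEED = struct.pack("<I", 28) + b"hello world\x00" + b"A" * 16

def toy_campaign(iterations=30, seed=0):
    """Fuzz the toy consumer; also probe one valid and one hand-crafted bad file directly."""
    with tempfile.TemporaryDirectory() as tmp:
        consumer, good, bad = (os.path.join(tmp, n) for n in ("consumer.py", "good.bin", "bad.bin"))
        for path, content in ((consumer, TOY_CONSUMER.encode()), (good, TOY_SEED),
                              (bad, struct.pack("<I", 0xFFFFFFFF) + TOY_SEED[4:])):
            pathlib.Path(path).write_bytes(content)
        cmd = [sys.executable, consumer]
        return {"valid": run_target(cmd, good), "crafted": run_target(cmd, bad),
                "findings": fuzz([good], cmd, iterations=iterations, seed=seed)}
```

Run `toy_campaign(iterations=200)` to see the valid file pass, the crafted file die by SIGABRT, and whatever the random tweaks turned up; for a real target, pass your corpus to `fuzz()` with the command line that opens a file, keep every finding's bytes, and raise the iteration count to the figure the deck recommends per data type.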
Attack Ideas
Rule #1 – There are no rules
If you provide a client to access the server, don't use it!
Mimic the client in code
If you rely on a specific service, build a bogus one
"Bang for the Buck" Attack Ideas
Consume files? Try device names and '..'
Look for: hangs, access to other files
Fuzz data structures
Look for: AVs (access violations) or memory leaks (Application Verifier)
Look for PII data in information disclosure threats
grep for 'should' and 'assume' in the code :)
ActiveX (especially Safe For Scripting): look at each method/property and ask, "What could a bad guy do?"
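The "device names and '..'" item, as an added example that is not from the deck: the naive join a file-consuming feature usually starts with, beside the containment and reserved-name check that defeats both attacks. The base directory, the attack names and the Windows-style treatment of names (both separators accepted; CON, PRN, AUX, NUL, COM1-9, LPT1-9 reserved even with an extension appended) are this example's assumptions.

```python
# Added example, not from the deck: the "device names and '..'" attack idea seen from
# both sides. naive_path() is the pattern under attack; safe_path() is the check a
# reviewer would ask for. Base directory and names are constructed test inputs; names
# are assumed Windows-style (both separators; CON/PRN/AUX/NUL/COM1-9/LPT1-9 reserved).
import os

WINDOWS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)}

class UnsafePath(ValueError):
    """Raised for a name that would leave the base directory or open a device."""

def naive_path(base, name):
    """The 'before': trusts the name. '..' walks out of base; on Windows 'CON' opens
    the console (a reader hangs waiting for input) and 'NUL' swallows writes."""
    return os.path.normpath(os.path.join(base, name))

def safe_path(base, name):
    """Resolve name under base and prove it stayed there; reject device names."""
    if not name or "\x00" in name or ":" in name:  # ':' also blocks drive letters and ADS
        raise UnsafePath(f"bad characters in {name!r}")
    rel = name.replace("\\", "/")  # Windows accepts both; normalise so POSIX hosts test the same
    for part in rel.split("/"):
        stem = part.split(".")[0].rstrip(" .").upper()  # 'CON.txt' and 'con ' are still CON
        if stem in WINDOWS_DEVICE_NAMES:
            raise UnsafePath(f"reserved device name in {name!r}")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, rel))
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise UnsafePath(f"{name!r} escapes {base!r}")
    return target

def classify(base, names):
    """Run attacker-style names through safe_path(): resolved path or 'rejected'."""
    out = {}
    for n in names:
        try:
            out[n] = safe_path(base, n)
        except UnsafePath:
            out[n] = "rejected"
    return out

# Constructed inputs in the spirit of the slide: a few honest names, then the attacks.
ATTACK_NAMES = ["report.txt", "sub/readme.md", "logs/../report.txt",
                "../../etc/passwd", "..\\..\\Windows\\win.ini", "/etc/passwd",
                "CON", "con.txt", "COM1", "LPT9", "nul", "report.txt:stream"]

if __name__ == "__main__":
    for name, verdict in classify("/srv/files", ATTACK_NAMES).items():
        print(f"{name!r:28} naive={naive_path('/srv/files', name)!r:34} safe={verdict!r}")
```

The check resolves symlinks before comparing, so a link planted inside the base directory cannot be used to point outside it either; on a real Windows host the reserved-name test matters even for paths that never leave the base, because `open("C:\\data\\CON")` still opens the console.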
"Bang for the Buck" Attack Ideas
Look for privilege-elevation boundaries
Pushing data from low-priv to high-priv process
[Diagram: a SYSTEM process consuming a resource. With the ACL Admin: Full Control, Everyone: Read the boundary holds; with Everyone: Write a low-privilege user can push data into the high-privilege process.]
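The boundary pictured above, as an added example that is not from the deck: given icacls output for the files a SYSTEM service consumes, flag each one that a low-privilege principal can write to, which is the "Everyone: Write" case on the slide. The icacls text is constructed sample output and assumes paths without spaces (icacls prints the path and the first ACE on one line separated by a space, which is ambiguous otherwise); the list of consumed files, the set of write-capable rights and the set of low-privilege principals are this example's own choices; `icacls <path> /remove:g <principal>` in the remediation line removes all granted rights for that principal.

```python
# Added example, not from the deck: checking the privilege-elevation boundary pictured on
# the slide. Given icacls output for files a high-privilege (SYSTEM) process consumes,
# flag every one that a low-privilege principal can write to. The icacls text is
# constructed sample output (assumption: paths without spaces); WRITE_RIGHTS and
# LOW_PRIV are this example's choices, not a Windows-defined list.
import re

WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "GW", "WDAC", "WO"}
LOW_PRIV = {"everyone", "builtin\\users", "users", "authenticated users",
            "nt authority\\authenticated users", "nt authority\\interactive"}
ACE = r"(?P<principal>[^:()]+):(?P<rights>(?:\([^)]*\))+)\s*$"
FIRST_LINE = re.compile(r"^(?P<path>\S+)\s+" + ACE)  # path and first ACE share a line
CONT_LINE = re.compile(r"^\s+" + ACE)                # remaining ACEs are indented

def parse_icacls(text):
    """Return {path: [(principal, set_of_right_tokens), ...]} from icacls output."""
    acls, path = {}, None
    for line in text.splitlines():
        m = FIRST_LINE.match(line)
        if m:
            path = m["path"]
            acls[path] = []
        else:
            m = CONT_LINE.match(line)
            if m is None or path is None:
                continue  # blank line, summary line, or text before any path
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", m["rights"]) for t in grp.split(",")}
        acls[path].append((m["principal"].strip(), tokens))
    return acls

def boundary_crossings(icacls_text, consumed_by_high_priv):
    """Files read by the high-privilege process that a low-privilege principal can write."""
    findings = []
    for path, aces in parse_icacls(icacls_text).items():
        if path not in consumed_by_high_priv:
            continue
        for principal, rights in aces:
            if principal.lower() in LOW_PRIV and rights & WRITE_RIGHTS:
                findings.append({"path": path, "principal": principal,
                                 "rights": sorted(rights & WRITE_RIGHTS)})
    return findings

# Constructed sample: what `icacls C:\ProgramData\App /t` might print for a service's data.
SAMPLE_ICACLS = r"""C:\ProgramData\App\config.ini NT AUTHORITY\SYSTEM:(F)
                              BUILTIN\Administrators:(F)
                              Everyone:(R)
C:\ProgramData\App\queue\jobs.xml NT AUTHORITY\SYSTEM:(F)
                                  BUILTIN\Administrators:(F)
                                  Everyone:(OI)(CI)(W)
C:\ProgramData\App\plugins BUILTIN\Users:(OI)(CI)(M)
                           NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 3 files; Failed processing 0 files
"""
# Files the SYSTEM service reads (assumed known from footprinting the application).
CONSUMED_BY_SYSTEM = {r"C:\ProgramData\App\config.ini", r"C:\ProgramData\App\queue\jobs.xml",
                      r"C:\ProgramData\App\plugins"}

if __name__ == "__main__":
    for f in boundary_crossings(SAMPLE_ICACLS, CONSUMED_BY_SYSTEM):
        path, who, rights = f["path"], f["principal"], ",".join(f["rights"])
        print(f"{path}: {who} has {rights}; low-priv data reaches SYSTEM."
              f' Remediation: icacls "{path}" /remove:g "{who}"')
```

The consumed-file list is the output of the footprinting step: the files, registry keys and named pipes the high-privilege process opens are what make a write ACE a boundary crossing rather than a harmless grant.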
Security Testing Checklist
Use fuzzers for all consumed resources (files, net protocols etc.)
100,000 iterations per data type
Tools! Tools! Tools!