
Fuzzing the Security Perimeters


DESCRIPTION

Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions) the defects can be noted. By simulating real attacks coming from the Internet, fuzzers can be used to test the effectiveness and security of your perimeter defenses as well as other security solutions. Fuzzing takes penetration testing to a new level. It is already used by finance and government sectors in assessing their critical networks. Find out the potential value of fuzzing test results and learn how realistic and usable these results are in environments where detecting all imaginable attacks would be impossible.


Page 1: Fuzzing the Security Perimeters

Fuzzing the Security Perimeters

An Army of Wooden Horses at Your Gate

Ari Takanen

Fuzzing the Security Perimeters

H2, 4/28/2008, 2:45 PM

About the Speaker

• The Past: Researcher and lecturer
– University of Oulu
– OUSPG/PROTOS research group
• The Present: Entrepreneur and Preacher
– CTO of Codenomicon
– 6-10 conference talks a year
– Author of two books: VoIP and Fuzzing

Page 2: Fuzzing the Security Perimeters

Fuzzing Introduction

One Fuzzing Definition

• http://en.wikipedia.org/wiki/Fuzz_testing
• Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted.

Page 3: Fuzzing the Security Perimeters

Why Fuzzing

• Security has traditionally focused on reactive prevention, on the attacks and perpetrators
• Still, most security issues are actually programming flaws in the software
• Industry is just using the consumers as crash-test dummies (see e.g. Geekonomics)

Better Names for Fuzzing

• Syntax Testing
• Negative Testing
• Robustness Testing
• Grammar Testing

Page 4: Fuzzing the Security Perimeters

Open Source Fuzzing

• For some, open source tools are good enough
– You might not need to find all flaws, but finding one flaw is enough proof-of-concept for the management
– You have the time and expertise to use open source, even though everyone in the company might resist
• Example tools:
– Spike framework
– Sulley framework
– PROTOS suites
– Hundreds of others...

PROTOS? Test-Suite?

• Oulu University Secure Programming Group (OUSPG)
– Research since 1996 at OUSPG
http://www.ee.oulu.fi/research/ouspg
– PROTOS test suite releases since 1999: WAP-WSP, WMLC, HTTP-reply, LDAP, SNMP, SIP, H.323, DNS

Page 5: Fuzzing the Security Perimeters

Compared to Traditional Testing

• Traditional feature/conformance testing is focused on V&V:
– Validation
– Verification
• Performance testing looks for load-based defects
• Both are based on requirements engineering and use-cases

Page 6: Fuzzing the Security Perimeters

Security Vulnerabilities

• Software still contains security mistakes because it is not being tested with unexpected inputs
• Fuzzing explores the infinite amount of negative tests that drive the system to crash-level faults
• It is like the “mis-use-cases” of the test and measurement practices
• Fuzzing simulates zero-day attacks, or it can be thought to be a library of zero-days
• Test case numbers can easily reach millions per port

Page 7: Fuzzing the Security Perimeters

What Fuzzing is not about: known vulnerabilities

• Vulnerability scanners
– Look for known issues in standard operating systems and widely used servers and clients
– Typically passive probing and fingerprinting, but can include hostile tests that aim at crashing the tested system
– Cannot find any unknown issues, and need regular updating of threats

Page 8: Fuzzing the Security Perimeters

More on Fuzzing...

See also upcoming book:

Fuzzing for Software Security Testing and Quality Assurance

by Ari Takanen, Jared DeMott, Charles Miller

published by Artech House, June 2008

What to Fuzz

Page 9: Fuzzing the Security Perimeters

Perimeter Defenses

• Firewalls and gateways
• VPNs and encryption mechanisms
• IDS and incident detection tools
• Authentication servers

Firewall Fuzzing

• Q: Should a firewall block all fuzz test cases?
• Q: How much application logic is built into the firewall?

Page 10: Fuzzing the Security Perimeters

Using Fuzzing to Test FW Rules

• Random fuzzing:
– Empty/Simple template: Fuzzing will check if the Firewall is at all protocol aware
– Known vulnerability: Fuzzing will check the integrity of the rules for IDS-like capability (Network Access Control, NAC)
– Model-based: Fuzzing will reveal the above plus the capability of a B2BUA operation of a firewall to actually implement protocol cleaning
• And then you actually probably will crash the firewall

Application logic in FW

• “Application Level” Gateway ALG
• Session Border Controller SBC
• Most firewalls are extremely protocol-aware
• F-Secure blogged about fatal flaws in 40 AV products parsing archive files....
– I wish we don't have to read the same about FW soon

Page 11: Fuzzing the Security Perimeters

VPN Fuzzing

• Q: Can the VPN be reached by anyone in the Internet?
• Q: When is a VPN client authenticated?

Page 12: Fuzzing the Security Perimeters

Key Weakness = Key Exchange

• Enormously complex! Think PKI! Think of the protocols required!
– ISAKMP/IKEv0
– IKEv1
– EAP, CHAP, ...
• Very few people even know how to implement the features; how about the robustness of those protocols?
• Then there is the encryption, but I am not going there... ;)

IDS Fuzzing

• Q: Should an IDS detect all fuzz test cases?
• Q: What protocols does an IDS dissect?

Page 13: Fuzzing the Security Perimeters

Detecting All Attacks?

• Typically impossible, as all of you know
• Someone came to tell us that their IDS product can now detect 95% of our test cases... Amazing!?
• Rest of the tests? They can crash products, but they look completely valid... (e.g. firstname (+ lastname))
• Fuzzing can actually give surprising information on IDS not detecting anything at all in some protocols

AAA Fuzzing

• Q: How exposed is an authentication server?
• Q: Where do most of the authentication requests come from?

Page 14: Fuzzing the Security Perimeters

AAA is Hidden, but Always Available for Attack

• All requests coming from outside need to be authenticated
• A fuzz attack has been known to kick down an HLR, and through a VoIP request coming from the Internet
• Peel the onion:
– Test the AAA server as stand-alone
– And then also through an application protocol
– AAA attacks are very similar to SQL attacks

What to Expect

Page 15: Fuzzing the Security Perimeters

All Stacks Can Crash

• Any protocol implementation can fail under negative testing
• The more complex the implementation, the more flaws there will be

Data Anomalies

• No data can be trusted to be clean
– Checksums and encryption do not help
• Data can also become corrupt
– Even closed networks are not safe

Page 16: Fuzzing the Security Perimeters

Anything Can Be Attacked

• Tainted data is routed from one element to another
– Think of SQL attacks
• Threat analysis is often done with the onion principle
– Peel the onion, one layer at a time

Packets are Anonymous

• Almost every aspect of identification can be fooled on network protocol layers
• Messages being exchanged before authentication are the most dangerous

Page 17: Fuzzing the Security Perimeters

Attack Variants

• There is an infinite number of variants for every anomaly/attack
– And growth is exponential
• Detection is impossible
– And very few solutions actively scan for all fingerprints
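The three levels of rule testing on the Using Fuzzing to Test FW Rules slide, the point on Detecting All Attacks? that the test cases a device misses can look completely valid, and the exponential growth of variants on this Attack Variants slide, worked through in one added Python example. This code is not from the slides, from Codenomicon or from the PROTOS suites: the request format, the anomaly library, the three filters and the grammar's length limits are all constructed for illustration. The protocol-aware filter stands in for the protocol-cleaning ALG/B2BUA behaviour the slides mention, the signature filter for a known-vulnerability rule set, and the length-only filter for a device with no protocol awareness.

```python
"""
Added example (not from the slides): a toy model-based negative test generator
and three toy perimeter filters. It shows what empty-template, known-vulnerability
and model-based fuzzing each reveal about a rule set, why a high block rate on
fuzz cases means little (what gets through can look completely valid), and how
the case count grows when anomalies are combined across fields.
"""
import itertools
import random
import re
from math import comb

# Constructed toy request "<METHOD> <user>@<host>\r\n" with a known-good baseline.
FIELDS = ("method", "user", "host")
BASELINE = {"method": "INVITE", "user": "alice", "host": "example.test"}

# Constructed anomaly library. The last entry stays inside the grammar and looks
# like an ordinary (long) name, yet it is still a negative test: this is the
# "firstname (+ lastname)" case from the slides.
ANOMALIES = {
    "empty": [""],
    "overflow": ["A" * 256, "A" * 4096],
    "format_string": ["%s%s%s%n"],
    "control_chars": ["a\x00b", "a\r\nb"],
    "valid_looking": ["firstname" + "x" * 20],
}
ANOMALY_VALUES = [v for values in ANOMALIES.values() for v in values]

def render(fields):
    """Serialize the field model into its (toy) wire form."""
    line = f"{fields['method']} {fields['user']}@{fields['host']}\r\n"
    return line.encode("latin-1", "replace")

def random_fuzz(count, seed=0):
    """Empty template: unstructured bytes. Tells you only whether the device is
    protocol aware at all; a non-aware device passes nearly all of these."""
    rng = random.Random(seed)
    return [bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
            for _ in range(count)]

def model_fuzz(max_simultaneous=1):
    """Model-based: every anomaly value substituted into every combination of
    up to max_simultaneous fields, baseline values everywhere else."""
    cases = []
    for k in range(1, max_simultaneous + 1):
        for combo in itertools.combinations(FIELDS, k):
            pools = [[(field, value) for value in ANOMALY_VALUES] for field in combo]
            for choice in itertools.product(*pools):
                fields = dict(BASELINE)
                fields.update(choice)
                cases.append(render(fields))
    return cases

def variant_count(n_fields, n_values, max_simultaneous):
    """Closed form for len(model_fuzz()): sum over k of C(n, k) * m**k. With all
    fields allowed it equals (m + 1)**n - 1, exponential in the field count."""
    return sum(comb(n_fields, k) * n_values ** k
               for k in range(1, max_simultaneous + 1))

# Three toy perimeter filters; each returns True when the message is let through.
def length_only_filter(msg):
    """Not protocol aware: only oversize packets are dropped."""
    return len(msg) <= 1024

def signature_filter(msg):
    """Known-vulnerability rules (IDS-like): drop messages carrying a fingerprint."""
    return not any(fp in msg for fp in (b"%n", b"\x00", b"A" * 256))

# Grammar enforced by the protocol-aware filter (constructed; the length bounds
# are the kind a vendor might choose, not anything taken from the slides).
GRAMMAR = re.compile(rb"\A[A-Z]{1,16} [A-Za-z0-9._-]{1,32}@[A-Za-z0-9.-]{1,64}\r\n\Z")

def protocol_aware_filter(msg):
    """Protocol cleaning (ALG / B2BUA style): re-parse the message and accept
    only what conforms to the grammar."""
    return GRAMMAR.match(msg) is not None

def block_rate(filter_fn, cases):
    """Return (blocked, total) for one filter over a list of test cases."""
    return sum(1 for c in cases if not filter_fn(c)), len(cases)

def passed_cases(filter_fn, cases):
    """Negative tests the filter lets through: what the server behind the
    perimeter must survive on its own."""
    return [c for c in cases if filter_fn(c)]

if __name__ == "__main__":
    single = model_fuzz(1)
    for name, fn in (("length-only", length_only_filter),
                     ("signature", signature_filter),
                     ("protocol-aware", protocol_aware_filter)):
        blocked, total = block_rate(fn, single)
        print(f"{name:15s} blocked {blocked}/{total} single-field anomalies")
    print("let through by the protocol-aware filter:",
          passed_cases(protocol_aware_filter, single))
    for k in (1, 2, 3):
        print(f"up to {k} anomalous field(s): {len(model_fuzz(k))} cases, "
              f"closed form {variant_count(3, len(ANOMALY_VALUES), k)}")
```

On the 21 single-field cases the length-only filter blocks 3, the signature filter 12 and the protocol-aware filter 19; the two it lets through are the grammar-conforming but overlong user and host names, which is exactly the kind of case the "95% detected" figure on the earlier slide says nothing about. Allowing anomalies in one, two or all three fields raises the case count from 21 to 168 to 511, the closed form (m + 1)^n - 1 for m = 7 anomaly values and n = 3 fields; with a real protocol model of dozens of fields the count explodes, which is why per-variant fingerprints cannot keep up.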

So, What Is Fuzzing About?


Page 18: Fuzzing the Security Perimeters

Fuzzing is Penetration Test

• By using fuzzing, you will take penetration testing to a new level
• It is already used by finance and government sectors in assessing their critical networks, with internal people

Fuzzing is Acceptance Criteria

• Fuzzing is used in the procurement process to validate the reliability of critical components
• Already in the RFPs of telecommunication companies

Page 19: Fuzzing the Security Perimeters

Fuzzing is a Metric of Quality

• Fuzzing is used by R&D and IT to measure the quality, in a repeatable fashion
• Fuzzing is often used in regression testing of vendor issued patches

Reactive Security Is Dead

• Today, you cannot rely on security devices to catch all flaws anymore
• Fuzzing will enable you to crash-test the network enabled components and applications
• Without fuzzing, you are caught in the patch and penetrate race...

Page 20: Fuzzing the Security Perimeters

Summary

• Enterprise fuzzing aims to verify that fuzzing is used as part of development of security devices
• Fuzzing security solutions has two purposes:
– Find vulnerabilities in the defenses themselves
– Test how effectively attacks are detected and blocked
• Still, 80% of software fails with fuzzing
– But does it also apply to security software?

CODENOMICON

Cisco, Nortel, Alcatel, Siemens, Motorola, Microsoft, Verizon, ATT, Sprint, T-Systems, Symbian, Qualcomm, Broadcom

Page 21: Fuzzing the Security Perimeters

PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS

THANK YOU – QUESTIONS?

“Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them.
....Testers!
Break that software (as you must) and drive it to the ultimate
- but don’t enjoy the programmer’s pain.”

[from Boris Beizer]