Page 1: Fuzzing101: Unknown vulnerability management for Telecommunications

© 2011 Codenomicon. all rights reserved.

Codenomicon Fuzzing 101 webinar

15 March 2011

Juha-Matti Tirilä

Tero Rontti

Unknown Vulnerability Management for Telecommunications

Page 2: About the speakers

• Juha-Matti Tirilä
  – Security researcher: robustness testing methods, quality management processes, software security economics
  – Collaboration with University of Oulu researchers
  – Background in applied mathematics and software development
• Tero Rontti
  – Security specialist
  – Security testing tools for Codenomicon products for seven years
  – Extensive experience in telecommunication security testing tools, VoIP and IMS in particular

Page 3: Outline

• About Codenomicon and Fuzzing101
• About the speakers
• Why we are here: prevent serious software deployment mistakes from happening!
• Introduction to Telecommunications: the trends and attack vectors
• Unknown vulnerability management
• A case study: MPEG2-TS
• Questions and answers

Page 4: About Codenomicon & Fuzzing 101

• Fuzzing 101:
  – The webcast series for the fuzzing industry
  – Vendor neutral presentations on fuzzing technologies and use-cases
  – Includes invited speakers from the industry
• Codenomicon:
  – Fuzzing research since 1996
  – 2001: spinoff from University of Oulu
  – 50-100% annual growth in number of customers and revenues in the fuzzing industry

Page 5: Some Helpful Definitions

• Vulnerability – a weakness in software, a bug
• Threat/Attack – an exploit, worm or virus against a specific vulnerability
• Protocol Modeling – a technique for describing interface message sequences and message structures
• Fuzzing – a process and technique for security testing
• Anomaly – abnormal or unexpected input
• Failure – crash, busy-loop, memory corruption, or other indication of a bug in software

Page 6: The Challenge: Unknown Vulnerabilities Are Everywhere

Page 7: Telecommunications

• Telephony
• Broadcasting
  – TV
  – Radio
• Networked IT communications
  – Internet, VoIP, IPTV, New Generation Networks, triple play

Trends: a growing number of smartphones, the need to support legacy technologies, growing complexity, a growing number of technologies and interfaces, and the transition from IPv4 to IPv6.

Problems guaranteed: hence the need for more testing, quality assurance, interoperability checks...

Page 8: Attack vectors in telecommunications

Page 9: Smartphone security

• Mobiles resemble computers in all aspects, except the level of protection.
• Until now, the lack of suitable hacking tools and motivation has protected mobiles.
• But mobile internet and the growing amount of critical information stored on handheld devices is changing the situation.
• Hackers exploit coding errors, e.g., to enslave phones into botnets.
• Convergence of both hardware and software platforms increases the risk.

Page 10: Next Generation Network security

• Critical Interfaces:

Page 11: Software testing: approaches

Page 12: Robustness testing

• Robustness testing: testing whether a system is able to function in a reasonable manner under unexpected or invalid circumstances
  – E.g. no crash, no unauthorized privilege escalation, no confidential data exposure etc.

Page 13: Specification vs. implementation

Page 14: Robustness testing: the two approaches

• In theory, either
  – logically deduce that nothing catastrophic ever happens, for any input,
  – or test every possible input and monitor the software.
• In practice: both approaches to some extent.
• Question: how well do you think you are doing, considering the complexity and amount of the code you are using or developing?
• It is the practically infinite input space that makes 100% robustness unattainable.

Page 15: Definition of fuzzing

• Fuzzing is a technique for intelligently and automatically generating, and passing into a target system, valid and invalid message sequences to see if the system breaks.

Page 16: Types of fuzzing

• Random fuzzing
  – Apple, 1980's
  – Barton P. Miller, 1980's and 1990's
• Template based fuzzing
  – Capture traffic, or use sample files, or ... then create mutated test cases
• Specification based fuzzing
  – Model the specification, inject anomalies, transmit to the target system
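The three styles above side by side, as an added example that is not code from the webinar or from Codenomicon's products. A toy TLV parser (constructed here, with deliberately naive handling of its length field) is run under a crash monitor against random bytes, mutations of a captured sample, and anomalies generated from a model of the message fields; the monitor treats any uncaught exception as a failure, which is what "monitor the software" on the previous page comes down to in process. The message layout, the sample message and all function names are assumptions of this example.

```python
"""Random, template-based and specification-based fuzzing of one toy TLV parser.

Constructed example: the parser, the message layout and the sample message are
assumptions made for this demonstration, not Codenomicon's tool or a real target.
"""
import random


def build_message(rec_type: int, payload: bytes) -> bytes:
    """Valid message: type (1 byte) | length (1 byte) | value (length bytes)."""
    return bytes([rec_type, len(payload)]) + payload


def parse_tlv(msg: bytes) -> dict:
    """Constructed target. Deliberately naive: it trusts the length field and
    assumes the header is present, which is exactly what a fuzzer should hit."""
    rec_type = msg[0]            # IndexError on an empty message
    length = msg[1]              # IndexError on a one-byte message
    value = msg[2:2 + length]    # silently short if the message is truncated
    avg = sum(value) // length   # ZeroDivisionError when length == 0
    return {"type": rec_type, "length": length, "avg": avg}


def random_fuzz(rng: random.Random, count: int) -> list:
    """Random fuzzing: bytes with no knowledge of the format."""
    return [bytes(rng.randrange(256) for _ in range(rng.randrange(17)))
            for _ in range(count)]


def template_fuzz(rng: random.Random, sample: bytes, count: int) -> list:
    """Template-based fuzzing: mutate a captured valid message."""
    cases = []
    for _ in range(count):
        m = bytearray(sample)
        op = rng.choice(("flip", "truncate", "extend", "overwrite"))
        if op == "flip":
            m[rng.randrange(len(m))] ^= 1 << rng.randrange(8)
        elif op == "truncate":
            del m[rng.randrange(len(m) + 1):]
        elif op == "extend":
            m += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
        else:
            m[rng.randrange(len(m))] = rng.choice((0x00, 0xFF))
        cases.append(bytes(m))
    return cases


def spec_fuzz() -> list:
    """Specification-based fuzzing: model the fields and inject boundary
    anomalies into each of them, and into the structure, deterministically."""
    cases = []
    for rec_type in (0x00, 0x01, 0x7F, 0x80, 0xFF):
        for length in (0, 1, 0x7F, 0x80, 0xFF):
            # value sizes: empty, as declared, one short, one long
            for actual in (0, length, max(length - 1, 0), min(length + 1, 255)):
                cases.append(bytes([rec_type, length]) + b"A" * actual)
    cases += [b"", b"\x01"]   # structural anomalies: header fields missing
    return cases


def monitor(target, case: bytes):
    """Crash monitor: any uncaught exception counts as a robustness failure."""
    try:
        target(case)
        return None
    except Exception as exc:
        return type(exc).__name__


def run_campaign(seed: int = 1, count: int = 200) -> dict:
    """Run all three strategies; per strategy, keep the first input that
    triggered each failure class (the reproducer you would hand to R&D)."""
    rng = random.Random(seed)
    sample = build_message(0x10, b"hello")        # the "captured" message
    campaigns = {
        "random": random_fuzz(rng, count),
        "template": template_fuzz(rng, sample, count),
        "specification": spec_fuzz(),
    }
    findings = {}
    for name, cases in campaigns.items():
        findings[name] = {}
        for case in cases:
            failure = monitor(parse_tlv, case)
            if failure is not None:
                findings[name].setdefault(failure, case)
    return findings


if __name__ == "__main__":
    for strategy, failures in run_campaign().items():
        print(strategy, {k: v.hex() for k, v in failures.items()})
```

The specification-based set is small (102 cases) and finds both failure classes every run, because the zero length and the missing header are exactly the boundaries the model enumerates; the random and template campaigns may or may not hit them in 200 cases, which is the efficiency argument for modelling the protocol.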

Page 17: Fuzzing in the Microsoft SDL

Page 18: Fuzzing Is Becoming Widely Adopted

• Commonly used by hackers
  – The majority of all vulnerabilities are found using fuzzing
• First adopted by equipment manufacturers in 2001
  – E.g. 80% of top network equipment manufacturers today depend on Codenomicon testing solutions
• Since 2005, most new adopters have been service providers
  – Most leading USA telecom service providers have integrated Codenomicon fuzzing into acceptance tests
• During 2008-2010, fuzzing was adopted by critical infrastructure and enterprise end-users
  – SCADA industry
  – Finance
  – Government
  – On-line commerce

Page 19: Unknown vulnerability management: goal

• Unknown Vulnerability Management (UVM) is a framework
  – for helping you understand the overall process of applying proper testing procedures
  – for underlining the importance of good testing management
  – for unifying the terminology so that communication concerning security testing is facilitated
  – for helping you understand that a well designed testing program should be considered loss prevention, and not an extra cost
  – for emphasizing that security is like quality: it has to be incorporated throughout; it cannot be added into a product afterwards.

Page 20: Challenges with Vulnerability Management

• Vulnerabilities are detected as they are found and published, not as they emerge: they are already hiding in the deployed code
• Most costs are in patch deployment
  – Crisis management: each update needs immediate attention
  – Ad-hoc deployment is prone to errors
  – Maintenance downtime can be expensive
  – New patches emerge several times a week
  – No time to test the patch

Page 21: Cost-benefit of proactive security testing

Page 22: Unknown vulnerability management: overview

• A process of:
  – Detecting attack vectors
  – Finding zero-day vulnerabilities
  – Building defenses
  – Performing patch verification
  – Deployment in one big security push

Page 23: Phase 1: Attack Surface Analysis

• Tools:
  – Port scanners
  – Resource scanners
  – Network analyzers
  – Insight
• Codenomicon Network Analyzer identifies what needs to be tested within your network
  – Record traffic at multiple points in your network
  – Automatically visualize the network
  – You can drill up and down from high-level visualizations to the corresponding packet data
  – Real time analysis
  – Reveal hidden interfaces and possible exploits

Page 24: Phase 2: Test

• Fuzzing means crash-testing
• Discover both known and previously unknown vulnerabilities with unparalleled efficiency.
• Specification-based tools for over 200 protocols
  – Tools contain all the possible protocol messages and structures
  – Genuinely interoperate with the tested system, exposing vulnerabilities even in deeper protocol layers
• General purpose fuzzers
  – Defensics XML Fuzzer can test all XML applications.
  – The Traffic Capture Fuzzer uses real traffic.
  – Generic File Format Fuzzer tests all file formats.

Page 25: Phase 3: Report

• Codenomicon test suites generate different reports for different audiences
• Management reports provide a high-level overview of the test execution
• Log files and spreadsheets help you to identify troublesome tests and to minimize false negatives
• Individual tests are documented by augmenting the already extensive test case documentation with PCAP traffic recordings
• Remediation Packages can be sent to third parties for automated reproduction

Page 26: Phase 4: Mitigate

• Mitigation tools quickly and easily reproduce vulnerabilities, perform regression testing and verify patches
• The tools automatically generate reports, which contain a risk assessment and CWE identifiers for the found vulnerabilities and direct links to the test suites that triggered them
• Identification of the test cases that triggered the vulnerability is critical
• The test case documentation can be used to create tailored IDS rules to block possible zero-day attacks.

Page 27: UVM: Conclusion (1/2)

• Vulnerability management is not about known vulnerabilities, and testing for all of them
• The solution is to find the unknown vulnerabilities that are relevant to you
• All critical devices and systems need testing
  – Databases and backend systems
  – Operator's network and broadcasting infrastructure
  – Web service infrastructure
  – Email and VPN
  – Mobile handsets
• Share information between R&D and IT teams on best practices and tools

Page 28: UVM: Conclusion (2/2)

• Security is not about security mechanisms
• For a full security analysis, you should study:
  – Threats
  – Attacks
  – Vulnerabilities
  – Architectures
  – Countermeasures
• Unknown Vulnerability Management is about identification and elimination of zero-day vulnerabilities
• Security is a process, not a product!

Page 29: Case study: MPEG2-TS

• We will demonstrate
  – the first steps of deploying our test tool
  – a player crash caused by a fuzzed file
• Note: it is not just a player level issue: MPEG2 streams need to be parsed at various nodes in streaming contexts, and crashes on these nodes could be critical for QoS.
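An added example for the case study, not code from Codenomicon's tool or from the player demonstrated in the webinar, and reproducing no real product's bug. It builds MPEG2-TS packets from the packet model, injects boundary values into the modelled length fields (adaptation_field_length, and the pointer_field of a PSI section), and runs each fuzzed packet through two constructed parsers: a naive one that trusts those fields, and a hardened one that validates every length it reads against ISO/IEC 13818-1 before using it. The parsers, the anomaly names, the sample PAT bytes and the restriction to the PAT-on-PID-0 case are assumptions of this example.

```python
"""MPEG2-TS packet fuzzing: anomalies from the packet model run against a naive
parser and a hardened one. Constructed example: neither parser is Codenomicon's
tool or the player from the webinar, and no real product's bug is reproduced.
Only the PAT-style PSI case (PUSI set, pointer_field, table_id) is modelled."""
import struct

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
PAT = b"\x00\x00\xB0\x0D"   # pointer_field 0, table_id 0x00, start of a PAT section


class MalformedPacket(ValueError):
    """Controlled rejection: what a robust node does instead of crashing."""


def build_packet(pid, payload, pusi=False, adaptation=None):
    """Assemble one 188-byte packet from the model, stuffing with 0xFF."""
    afc = (2 if adaptation is not None else 0) | (1 if payload else 0)
    if afc == 0:
        raise ValueError("adaptation_field_control 00 is reserved")
    header = struct.pack(">BHB", SYNC_BYTE, (int(pusi) << 14) | (pid & 0x1FFF), afc << 4)
    body = b"" if adaptation is None else bytes([len(adaptation)]) + adaptation
    return (header + body + payload).ljust(TS_PACKET_SIZE, b"\xFF")[:TS_PACKET_SIZE]


def naive_parse(pkt):
    """Naive parser: trusts adaptation_field_length and pointer_field."""
    pid = struct.unpack(">H", pkt[1:3])[0] & 0x1FFF
    pusi = bool(pkt[1] & 0x40)
    afc = (pkt[3] >> 4) & 0x03
    pos = 4 + (1 + pkt[4] if afc & 2 else 0)   # no upper bound on the AF length
    payload = pkt[pos:]
    table_id = None
    if pusi:
        pointer = payload[0]                   # IndexError if the AF ate the packet
        table_id = payload[1 + pointer]        # IndexError if pointer_field overruns
    return {"pid": pid, "table_id": table_id, "payload_len": len(payload)}


def hardened_parse(pkt):
    """Same job, but every length taken from the packet is checked before use."""
    if len(pkt) != TS_PACKET_SIZE:
        raise MalformedPacket("packet is not 188 bytes")
    if pkt[0] != SYNC_BYTE:
        raise MalformedPacket("sync byte missing")
    if pkt[1] & 0x80:
        raise MalformedPacket("transport_error_indicator set")
    pid = struct.unpack(">H", pkt[1:3])[0] & 0x1FFF
    pusi = bool(pkt[1] & 0x40)
    afc = (pkt[3] >> 4) & 0x03
    if afc == 0:
        raise MalformedPacket("reserved adaptation_field_control")
    pos = 4
    if afc & 2:
        afl = pkt[4]
        # ISO/IEC 13818-1: AFC '10' requires length 183, AFC '11' allows 0..182
        if (afc == 2 and afl != 183) or (afc == 3 and afl > 182):
            raise MalformedPacket(f"adaptation_field_length {afl} invalid for afc {afc}")
        pos += 1 + afl
    payload = pkt[pos:] if afc & 1 else b""
    table_id = None
    if pusi:
        if not payload:
            raise MalformedPacket("payload_unit_start_indicator without payload")
        pointer = payload[0]
        if 1 + pointer >= len(payload):
            raise MalformedPacket(f"pointer_field {pointer} runs past the packet")
        table_id = payload[1 + pointer]
    return {"pid": pid, "table_id": table_id, "payload_len": len(payload)}


def patched(pkt, index, value):
    """Return a copy of pkt with one byte overwritten (the anomaly injection)."""
    p = bytearray(pkt)
    p[index] = value
    return bytes(p)


def packet_anomalies():
    """Specification-based anomalies: overwrite one modelled field per case."""
    base = build_packet(0, PAT, pusi=True)                         # byte 4 = pointer_field
    with_af = build_packet(0, PAT, pusi=True, adaptation=b"\x00")  # byte 4 = AF length
    cases = {
        "truncated": base[:100],
        "bad_sync": patched(base, 0, 0x00),
        "afc_reserved": patched(base, 3, base[3] & 0xCF),
    }
    for afl in (0, 1, 183, 184, 255):
        cases[f"afl_{afl}"] = patched(with_af, 4, afl)
    for ptr in (0, 182, 183, 255):
        cases[f"pointer_{ptr}"] = patched(base, 4, ptr)
    return cases


def run_file(parser, packets):
    """Feed a small 'file' (list of packets) to a parser under a crash monitor."""
    outcomes = []
    for pkt in packets:
        try:
            parser(pkt)
            outcomes.append("ok")
        except MalformedPacket:
            outcomes.append("rejected")
        except Exception as exc:       # anything else is a robustness failure
            outcomes.append("crash:" + type(exc).__name__)
    return outcomes


def fuzz_campaign():
    """Per anomaly: (naive, hardened) outcome for the fuzzed packet placed
    between two valid PAT packets, as it would sit in a stream file."""
    good = build_packet(0, PAT, pusi=True)
    return {name: (run_file(naive_parse, [good, bad, good])[1],
                   run_file(hardened_parse, [good, bad, good])[1])
            for name, bad in packet_anomalies().items()}


if __name__ == "__main__":
    for name, (naive, hardened) in fuzz_campaign().items():
        print(f"{name:13s} naive={naive:17s} hardened={hardened}")
```

In Python the naive parser's failure surfaces as an IndexError; the same trusted adaptation_field_length or pointer_field in a C demuxer is an out-of-bounds read or write, which is the player crash class the case study is about. Note that the naive parser also accepts the bad sync byte, the reserved adaptation_field_control value and the truncated packet without complaint: those cases do not crash it, but they desynchronize a real stream, which is why the hardened parser rejects them up front.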

Page 30: PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS

THANK YOU – QUESTIONS?

“Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them.
....Testers!
Break that software (as you must) and drive it to the ultimate
- but don’t enjoy the programmer’s pain.”

[from Boris Beizer]