"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co Creator of Samba



"Codenomicon has found a critical focus area which expands beyond web testing, where the XML industry has an opportunity to proactively assess the security holes contained in everyday services used by the general public. I would hope the industry warmly welcomes both the research results and an innovative testing solution to help diagnose the problems."

Prof. Howard A. Schmidt
former White House Cyber Security advisor & Codenomicon board member


DEFENSICS™ Universal Fuzzer   pdf

Introduction

New technologies are infested with reliability issues. The systems and protocols used in critical communication products are becoming increasingly complex. The release cycles are getting faster and new technologies are adopted before they have been thoroughly tested. The most thorough and systemic way to test software is Model-Based Stateful Fuzzing. However, even though Defensics provides smart Model-Based Fuzzers for over 200 protocols, there is not a ready model for every protocol. Developing a Model-Based test solution requires a protocol or file format specification, and, occasionally, products in the development phase are not specified in detail, or the specifications are proprietary and unavailable for testers.

DEFENSICS Universal Fuzzer™ complements our existing product range by providing new fuzz testing techniques to meet these testing challenges and to increase the test capability of Model-Based tests. The Universal Fuzzer is a file fuzzer that can generate security tests for any file structures based on a set of templates. These files can be samples of pictures, videos, documents, or even data packets from traffic captures.

File Fuzzing

Corrupt files are one of the oldest and most effective methods of attacking company networks. Simply clicking on weblink with malicious picture-files or opening harmless-looking PDF files sent as email attachments is enough to trigger these attacks.

Protocol Fuzzing

Defensics Universal Fuzzer can also test simple stateless protocols. The simplest form of attacking protocols is fuzzing simple request-response communications, or the first packets of complex message exchanges. Most protocol attacks do not require any user interaction, and therefore are often considered much higher risk than file-format based attacks.

Coverage

Test coverage is about how many of the unknown (zero-day) vulnerabilities are found with the chosen fuzzing techniques. Simply having coding errors or vulnerabilities in your software is enough to enable zero-day attacks. The attacks vary, but they all have in common is that the initial access is always enabled by a software vulnerability hiding in the code. These attacks against unknown, zero-day vulnerabilities have the most damaging effects, because there are no defenses against them.

See the Unknown Vulnerability Management resources to learn how you can find and mitigate these unknown (zero-day) vulnerabilities:
http://www.codenomicon.com/unknown/

Contact us for more information

Learn more about how DEFENSICS can reduce your risk of zero-day attacks
Sign up for our newsletter