CODENOMICON NEWSLETTER 2010/02
Hello, Dear Readers!
Hello to all our customers, partners, current and future users of our tools!
For those of you who subscribe to our tools, I hope you noticed our 3.9 release of the Defensics3 monitor! Again, the update comes with a wide variety of cool features. Here is a summary of new features for both 3.8 and 3.9: improved integration of the traffic capture fuzzer, improved documentation on found vulnerabilities, major speed improvements, extended editing capabilities for sequences, and automated test generation for all user-augmented protocol messages and elements. In addition to using the latest test suites (the protocol models), it is recommended that you always use the latest suite monitor. The suite monitor is the actual engine that creates the test cases, so each update to the monitor can bring new, improved test coverage in addition to bringing you the latest test automation functionality.
We would like to thank all our users for the excellent feedback on features, and the recommendations for new features. Unfortunately we cannot implement everything, but a large chunk of our new cool features have been initially brought to our attention by our active user-base. Please keep the feedback coming! We like to think that our R&D is customer driven. And, as the features are recommended by our customers, it hopefully also means that the features are useful for our end-users!
In this newsletter, you can find a lot of examples of how important it is to have a close relationship with our customers. The usability of our tools and their easy integration into software development practices have made Codenomicon a member of the Microsoft SDL Pro Network. The vulnerabilities our developers find in open source projects as part of the CROSS initiative show how we are part of the open source community. A fast-growing segment of our users comes from consulting and security auditing companies, and we like to keep these users happy by introducing new tool suite packages tailored for their needs. And finally, the first free tool for FTP fuzzing will help those who have not yet used our tools to really see the benefit of model-based fuzzing, free of charge.
Software: Shake Before Use!
Lauri, head of R&D
Codenomicon Fuzzing Tools and SDL
The Security Development Lifecycle (SDL) is the industry-leading software security assurance process. It was originally created by Microsoft in 2004 and since then, it has been used to achieve measurable security improvements in their flagship products. As a new member of the Microsoft SDL Pro Network, Codenomicon helps development organizations adopt automated security testing (fuzzing) into their SDL and embed security and robustness into their software and development culture. Codenomicon specializes in fuzzing, and provides tools, training and consulting in the area of software security. Fuzzing is also the focus of Codenomicon in the SDL.
Fuzzing should be taken into account in each and every phase of the SDL. In training, requirements and design, you need to understand the concepts of attack surface, threat modeling and security testing. This helps you to target your fuzz tests at the open interfaces, and to select the right tools before the actual tests begin. The earlier you start testing (perhaps even in the unit tests conducted by programmers themselves), the better the results you will get, both in terms of the total cost of the security issues found and in terms of test efficiency and coverage. Finally, in the verification step the main focus is on effectively executing the fuzz tests, and on efficiently processing all discoveries into thorough security updates before (and after) the launch of the software.
Let's get everyone involved in fuzzing!
Ari, CTO
For more information on how fuzzing is used in SDL, see Codenomicon resources and whitepapers at:
http://www.codenomicon.com/sdl-fuzzing/
Microsoft announcement on new SDL Pro members, including Codenomicon:
http://blogs.msdn.com/sdl/archive/2010/02/02/three-new-announcements.aspx
Microsoft featured story:
http://www.microsoft.com/presspass/features/2010/feb10/02-02SecurityDevelopmentLifecycle.mspx
CROSS Bug
Hi everybody!
This is Tuomo and Olli from Codenomicon's CROSS team. A few weeks back, we were running the Codenomicon IPv6 Robustness Test Suite against a Linux test target, which was used by our fellow co-workers. After the suite had run for a while, our co-worker started yelling at us: "What is going on here? My Linux got blackscreen!". We realized that the test case must have crashed the Linux test target and we started to narrow down what had really happened. We noticed that the Linux target had stopped responding and the only way to make it recover was to reboot it.
Since the target Linux we were using was a bit old, we tried the test suite against a newer version of Linux with a newer kernel. We also included test targets with several other Linux distributions to ensure that the vulnerability was not specific to that one Linux distribution. We were surprised to find out that all the test targets crashed with the same test case, meaning that the old vulnerability was back in the latest Linux kernel. After some careful analysis, we noticed that the flaw we found had already been discovered and reported as CVE-2007-4567. This case shows just how important regression testing is. It is not enough to just fix a vulnerability after it has been discovered. The flaw might appear again, and that is why regression testing needs to be done.
The goal of our CROSS (Codenomicon Robust Open Source Software) project is to make the world a better place by finding flaws and vulnerabilities in open source software and reporting them to CERT-FI, which co-ordinates the effort to fix the flaws. We are proud to be a part of the effort to make open source projects more robust and secure. The members of our CROSS team are experienced hackers, but we are no black hats; our only goal is to improve the quality of code. Using Codenomicon DEFENSICS tools, our CROSS testing team has found flaws in such open source projects as Apache, OpenSSL, GnuTLS, Squid, and NetBSD.
Happy Testing!
Tuomo and Olli, Codenomicon CROSS team
For a list of CROSS-found issues, see:
http://www.codenomicon.com/labs/advisories/
Howard to the White House
Codenomicon board member Howard A. Schmidt was appointed the White House Cybersecurity Coordinator in early January by President Barack Obama. In his new post Mr. Schmidt will be in charge of, among other things, developing the cybersecurity strategy of the USA and promoting research and development in the field of security. Schmidt joined the Codenomicon board in 2007, but he became acquainted with the people behind Codenomicon as early as 2000, when the Oulu University Secure Programming Group (OUSPG) reported its findings on ASN.1 vulnerabilities and their effects on SNMP implementations. Codenomicon is proud to have had a distinguished expert like Mr. Schmidt on its company board. Although, due to his new position, he is no longer able to continue as a board member, Schmidt is very positive toward Codenomicon and he will continue to communicate with us in the future.
Good luck to Howard from all of us at Codenomicon!
Ari, CTO
For more information:
http://www.codenomicon.com/news/press-releases/2009-12-23.shtml
Defensics test suite package for penetration testers
In penetration testing, one or more testers are called in to test whether it is possible to gain access to a system from the outside. It is a fairly resource-consuming method of testing, as the testing tools are generally created ad hoc. Nevertheless, it has its purpose. Frequently, penetration testing is used to justify the need for more extensive testing. Fuzzing automates the tests performed manually in penetration testing. Thus, fuzzing tools can be used to test systems more thoroughly. In addition, they can be used in penetration testing to make the tests faster and less resource-consuming.
This April, at the Infosec exhibition in London, Codenomicon will be launching a new Defensics test suite package, which is especially designed for penetration testers. The test suite package is revolutionary in that it combines model-based fuzzing of the most common communication protocols with traffic capture based tests for proprietary protocols and XML applications. Thus, the test suite package enables you to test standard protocol implementations, proprietary protocol extensions and XML applications.
Penetration testing requires substantial knowledge of protocols and systems from the testers, whereas in fuzzing the expertise can be built into the tools, so the tests can be performed even by relatively inexperienced testers. In addition, fuzzing improves test coverage, because model-based tests, unlike traffic capture-based tests, cover the entire protocol implementation and not just a sample of it.
The Defensics test platform enables you to execute multiple tests simultaneously, making testing quick and easy. The Defensics test suite package is the perfect solution for getting started with zero-day discovery. It contains XML and traffic capture fuzzers, enabling you to test both protocol and application level implementations, and model-based fuzzers for other frequently used protocols like HTTP, to allow you to perform more thorough penetration testing.
See you at Infosec!
Ashley, Codenomicon UK
Register here for Infosecurity Europe: http://www.infosec.co.uk/codenomicon
Free release of FTP Server test tool
Codenomicon's origins are in university research, and the PROTOS releases were free for everyone to use. The goal of the original research project was to raise awareness of security vulnerabilities and to help organizations fix these problems. True to this heritage, Codenomicon's award-winning DEFENSICS tool family has been available free of charge for open source projects under the CROSS initiative for two years now. Now that more and more Codenomicon tools are being migrated to the latest platform generation, DEFENSICS 3, we've decided to take another step towards contributing back to the community and we will start releasing selected tools from the older platform generation free of charge.
Our first choice for a free release is FTP. In addition to its continued importance in various different networks, it provides an easy-to-setup target for anyone wishing to learn more about fuzzing.
Happy bug hunting!
Sami, Product Management
To acquire a free copy of the FTP tool, please email sales@codenomicon.com with the subject "Free FTP Test Suite", or fill in our Evaluation Request Form at http://www.codenomicon.com/evaluation/ and tick "Free FTP Test Suite".
New white papers from Codenomicon
White paper on Zero-Day vulnerabilities: How to Really Avoid Zero-Day Attacks - Build Security In, Don't Add it
Hardening new technologies with traditional vulnerability auditing methods is becoming increasingly challenging. Fast software release cycles and greater complexity, coupled with decreasing control over the code creation process due to the use of third party code and outsourcing, increase the likelihood of new and unique security vulnerabilities, misconfigurations and unwanted backdoors in software. At the same time, learning about new bugs is becoming a growing problem: more and more vulnerabilities are never disclosed publicly. Instead, they are sold and distributed within underground hacker communities. As a result, software development companies can no longer rely on the user community to find bugs. Instead, they have to take a more active role in ensuring the security of their products and services.
White paper on Fuzzing Metrics: Fuzzing Challenges: Metrics and Coverage
The idea behind fuzzing is fairly simple: it is a functional black-box testing technique in which unexpected, abnormal inputs are generated by a tool called a fuzzer and fed to the system under test (SUT), while the behavior of the SUT is monitored. If the SUT crashes, there is a bug in the software. However, fuzzing methods differ in how the abnormal inputs are produced, and this has a significant impact on both the metrics and the coverage of the tests. In this paper, we look at four fuzzing techniques, namely random fuzzing, block-based fuzzing, traffic capture fuzzing and model-based fuzzing, and discuss test metrics and coverage for each. We also introduce the terms precision and accuracy to discuss the differences between the techniques.
Latest News
For latest news from Codenomicon, see:
http://www.codenomicon.com/news/
It's what you don't know that makes you vulnerable