CODENOMICON NEWSLETTER 2010/06
Hello Fellow Innovators!
At Codenomicon, we believe that innovation is the key to success. IP rights protect innovations, thus they are worth celebrating. In fact they deserve their own day. Have you heard about the World IP Day? It is arranged every year on April 26th. Why not mark it down now in your calendar for next year?
The World Intellectual Property Organization (WIPO) is a specialized agency of the United Nations. The World IP Day was established by the WIPO countries ten years ago to raise awareness of how patents, copyright, trademarks and designs impact daily life and to increase understanding of how protecting IP rights helps promote creativity and innovation. Indeed, the purpose is to celebrate creativity, and the contribution made by creators and innovators to the development of societies across the globe. Thus, we should encourage respect for the IP rights of others.
This year's theme for the day was "Innovation - Linking the World". Speakers at the main event of Finland's World IP Day celebrations underlined the need for increased public-private collaboration and called for a new wave of creativity to help power business growth. In connection with the main event, the Innovation Parliament held its opening session, which was also a development session, at the Aalto Design Factory. What could be a better and more inspiring place to hold such a meeting! The Design Factory was founded as a part of the new Aalto University as 'a facility driven by passion, coaching and inspiration of the mind'. For more information, please see: http://aaltodesignfactory.fi/the-place/. For those of you who do not know, Aalto University is the new innovation university located in Helsinki and named after the famous Finnish architect, Alvar Aalto. It was created by combining three different universities, embracing all areas of science. What could be a better setting for new innovations!
The purpose of the national innovation parliament is to create an independent forum for discussion and to influence the Finnish innovation field. As in most countries, Finland faces a lot of future challenges in the fields of health care, security and finance. The purpose of this parliament is to create a network of people who have the know-how and the desire to take on these challenges. Membership of the parliament is by personal invitation, and therefore, it is a great honor to me personally!
The opening and development session brought together about 70 participants from all over the country and from completely different fields of expertise. It was very exciting to interact with people from such different backgrounds, most of whom I probably would not have otherwise met. This type of setting can lead to really new and revolutionary ideas. We worked in small groups on a few key items identified as bottlenecks for innovation. Two of them caught my interest as they are also close to my heart. First, how to improve co-operation between academic institutions and companies? Secondly, what kind of improvements would we need to help fund innovations and their utilization? Big questions that we will continue working on in the future sessions.
Already this first session made a very good impression on me. We are on the right track and this is something that is really needed. The parliament will start its actual operations in the upcoming fall and the aim is to have 200 dedicated members at that time. The work will mostly take place online, with plenary sessions to be held only once or twice a year.
Let's innovate and leave an imprint for the future! Codenomicon plans to do that nationally, at the European level and globally. That is what corporate citizenship is all about.
Tuija, Innovation Parliamentarian for Finland
New Defensics Engine 3.10.0
The next major update to the Defensics 3 engine is just around the corner, or perhaps already out by the time you read this. We are launching version 3.10.0 of the Suite Monitor. The Defensics engine, also called Suite Monitor, is the Defensics GUI component shared by all products; it provides an easy-to-use interface for controlling our fuzzing test tools and test suites. The new version brings you a wide range of improvements over earlier test generator releases.
The new test case scaling functionality enables you to scale the number of test cases up or down based on intelligent anomaly profiles, thus helping you focus on the product security risks that are most critical to you. If you have more time for testing, and want to verify your products against requirements that demand a predefined number of test cases before a test can be passed, you can scale the number of test cases upwards. You can also scale downwards if you have less time, but still want to make sure the highest-risk issues are covered. The functionality will be gradually rolled out to the most popular protocol testers.
The new improved test project creation function enables you to bundle test executions into easy to manage projects, which will help automatically generate relevant test reports. This is useful if your device supports a wide range of interfaces and protocols, and you need to package the test results together, and manage the project as one entity.
The wireless scanner functionality has enabled us to finally integrate some of our wireless tools into the test engine. So, now you can also benefit from our improved test result features when using our best-selling fuzzers for Bluetooth and WLAN (WiFi).
Test performance has also improved. For example, the theoretical speed limit for HTTP server tests is around 1,000 fuzz tests per second per test suite. In practice, using an old commodity multi-core machine running several tests in parallel, the latest engine reached about 5,000 HTTP test cases per second. For more complex stateful protocols such as SSL/TLS, the same setup was able to run about 500 full handshake sequences per second. Actually, the biggest challenge for the performance setup was finding fast enough test targets.
We are eager to hear what you think about our new Defensics engine.
For better and faster testing!
For more information on Defensics, see:
MedSec: Fuzzing the Bluetooth Health Device Profile (HDP)
Medical applications are often perceived as isolated mechanical devices, even though they increasingly resemble computers. Yet, even though testing the security of computers is seen as a necessity, the security testing of medical applications is largely ignored.
People around the world have come to depend on modern medical applications such as implantable pacemakers, insulin pumps and remote health monitoring systems. Such devices are increasingly connected to different networks to help doctors and other health care professionals provide better care for their patients. In addition, the increasing availability of wireless data communication in these devices makes it possible to administer such treatment to the patients practically around the clock, wherever they are. With the introduction of Bluetooth SIG's Health Device Profile (HDP), Bluetooth is fast becoming a de facto method of wireless data transfer in the medical device space.
Bluetooth itself provides sophisticated traditional security measures such as encryption and authentication to protect the often very personal data being transferred. However, the devices used to send the messages are still just computers, and Bluetooth, like any other method of wireless data transfer, exposes them to the outside world, potentially allowing them to be hacked, spied on or remotely crashed. While a vulnerability that crashes a device could be considered a mere inconvenience in other types of devices, in the medical space such flaws can have potentially life-threatening consequences, caused either by the invalid operation of a life-supporting device or by unintentional mistreatment due to invalid or missing patient data provided by the device after a crash.
It is worth noting that while protecting the device against deliberate hacking attempts is very important, the primary goal of fuzzing medical devices is to ensure that the devices in question are protected against errors in protocol implementations. In a Bluetooth network, the devices communicate with a wide range of different implementations. Unfortunately most protocol implementations are not bug-free, and thus they can send messages which contain invalid data, or even unexpected messages. With robustness testing you can verify that your implementation handles these cases without any problems.
HDP is a relatively new profile among Bluetooth profiles, and thus most of the implementations are new and have not seen a lot of testing. This increases the likelihood of implementation bugs. Furthermore, HDP uses new features of L2CAP, like ERTM (specified in the Bluetooth 2.1 amendment specification), which might also be insufficiently tested. Hence, it is very important to test not only the robustness of the HDP implementation but also the protocol layers below it.
Codenomicon is introducing the HDP test suite to its already comprehensive offering of Bluetooth test suites. The HDP test suite enables you to test the robustness and reliability of various kinds of implementations in the medical device space, covering different IEEE-specified device specializations such as blood pressure monitors, weight scales, glucose meters and heart rate monitors.
The new Defensics Bluetooth HDP test suite enables you to test the security and reliability of the Bluetooth implementations of medical devices, before they are deployed. The earlier you discover vulnerabilities, the cheaper and easier it is to fix them. Moreover, by testing proactively you can fix vulnerabilities before any problems occur, thus improving customer satisfaction and avoiding any damages to sales or reputation.
When you care about quality, fuzz your products before deployment!
Jukka and Tommi, Development Team
For more information on Bluetooth test suite:
Fuzz testing can catch bugs before they turn into vulnerabilities
Fuzz testing is important for ensuring the security and robustness of software, because it can find unknown bugs which no other testing technique can find. These unknown bugs potentially cause the most havoc in systems, because there are no ready fixes for them. Fuzzing is also an efficient testing method: it finds bugs fast and stresses the most exposed parts of the software. Intelligent fuzzing tools require shorter test run times, because they reduce the number of test cases needed to test systems thoroughly. Thus, it is possible to test your systems, for example, with every build. In the following, I will explain why it is so important to test continuously.
In March 2010, OpenSSL fixed and announced a vulnerability (CVE-2010-0740) which affected the versions 0.9.8f to 0.9.8m. Codenomicon's CROSS team checked the OpenSSL vulnerability with our TLS fuzzer software, and the issue was quickly reproduced by running it with default settings. The team found multiple different test cases to reproduce the issue. The bug was in a piece of code used to process invalid values in the protocol's version number, and it should really have been caught by any fuzzer.
Sometimes small and harmless-looking changes in the source code can have a big impact on software's performance, security and robustness. In this case, the bug should not have got past the development and QA testing processes. That is why it is important to fuzz test at least every release of the software, as a part of an automated build test or a regression test. Automatically running nightly or weekly fuzz testing within the development branches makes it easier to catch the bugs earlier, and saves money and time. More importantly, it will keep your software out of vulnerability feeds and ensure that your users stay happy!
QA specialists out there will immediately notice that this is what regression testing is all about. The key requirements of regression testers, which have always guided the design and implementation of Codenomicon Defensics, are unattended use, reproduction capability, command-line usage, integration into ALL scripting environments and optimized test execution times. When all these are in place, the regression test automation keeps your software secure, automatically. Nightly, weekly or build-time regression tests are the best place for repeatable fuzzing.
Find your bugs, before your users do!
Ossi, Codenomicon CROSS team
Yet Another CROSS Discovery: SCTP in Linux Kernel
As part of the CROSS initiative of the Codenomicon Labs, we test a lot of open source software. The most recent advisory released by CERT-FI concerns SCTP INIT message handling by the Linux kernel. The vulnerability allows a remote attacker to cause a Denial of Service by sending a single SCTP message containing a malformed INIT chunk to a vulnerable system. The vulnerability affects only systems which have the SCTP kernel module loaded and an SCTP port listening for connections. This is most commonly seen in telecommunication systems, where Linux is more often the platform used to run the appliances. Although the CERT-FI advisory currently only lists some Linux distributions, we would not be surprised if some telecommunication vendors' equipment were also impacted. Stay tuned for updates to the CERT-FI advisory.
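As an added illustration of two points raised in this newsletter, the regression fuzzing advocated in the "Fuzz testing can catch bugs" article and the malformed INIT chunk handling in this SCTP article, the block below is example code written for this edit, not code from Codenomicon, CERT-FI or the Linux kernel: a bounds-checked parser for the SCTP INIT chunk (field layout per RFC 4960), a constructed malformed reproducer kept as a regression case, and a deterministic mutation loop of the kind a nightly fuzz job would run. All sample chunk values are constructed, and the reproducer is not the CERT-FI case, whose details are not on this page.

```python
import random
import struct

# SCTP INIT chunk layout per RFC 4960 section 3.3.2 (all fields big-endian):
#   chunk header : type(1) flags(1) length(2)
#   fixed part   : initiate tag(4) a_rwnd(4) out streams(2) in streams(2) initial TSN(4)
#   parameters   : TLVs of type(2) length(2) value, each padded to a 4-byte boundary
INIT_CHUNK_TYPE = 1
CHUNK_HDR_LEN = 4
INIT_FIXED_LEN = 16
PARAM_HDR_LEN = 4
SUPPORTED_ADDR_TYPES = 12   # RFC 4960 parameter type 12; value lists 16-bit address types


class MalformedChunk(Exception):
    """The only exception the parser may raise on untrusted input."""


def parse_init_chunk(chunk: bytes) -> dict:
    """Bounds-checked INIT parser: every length field is validated against the
    buffer before use, and a parameter length below its own 4-byte header is
    rejected so the TLV walk can neither stall nor read past the chunk."""
    if len(chunk) < CHUNK_HDR_LEN + INIT_FIXED_LEN:
        raise MalformedChunk("buffer shorter than chunk header plus INIT fixed part")
    ctype, _flags, clen = struct.unpack_from("!BBH", chunk, 0)
    if ctype != INIT_CHUNK_TYPE:
        raise MalformedChunk("not an INIT chunk")
    if clen < CHUNK_HDR_LEN + INIT_FIXED_LEN or clen > len(chunk):
        raise MalformedChunk("chunk length field inconsistent with buffer")
    init_tag, a_rwnd, out_streams, in_streams, init_tsn = struct.unpack_from(
        "!IIHHI", chunk, CHUNK_HDR_LEN)
    if init_tag == 0 or out_streams == 0 or in_streams == 0:
        raise MalformedChunk("zero initiate tag or stream count is invalid")
    params = []
    off = CHUNK_HDR_LEN + INIT_FIXED_LEN
    while off < clen:
        if clen - off < PARAM_HDR_LEN:
            raise MalformedChunk("trailing bytes too short for a parameter header")
        ptype, plen = struct.unpack_from("!HH", chunk, off)
        if plen < PARAM_HDR_LEN or off + plen > clen:
            raise MalformedChunk("parameter length out of range")
        params.append((ptype, chunk[off + PARAM_HDR_LEN:off + plen]))
        off += (plen + 3) & ~3            # skip the value and its 4-byte padding
    return {"init_tag": init_tag, "a_rwnd": a_rwnd, "out_streams": out_streams,
            "in_streams": in_streams, "init_tsn": init_tsn, "params": params}


def build_init_chunk(params, init_tag=0x1234ABCD, a_rwnd=65535,
                     out_streams=10, in_streams=10, init_tsn=1) -> bytes:
    """Encode a well-formed INIT chunk from constructed sample values."""
    body = b"".join(struct.pack("!HH", t, PARAM_HDR_LEN + len(v)) + v + b"\0" * (-len(v) % 4)
                    for t, v in params)
    fixed = struct.pack("!IIHHI", init_tag, a_rwnd, out_streams, in_streams, init_tsn)
    return struct.pack("!BBH", INIT_CHUNK_TYPE, 0, CHUNK_HDR_LEN + len(fixed) + len(body)) + fixed + body


VALID_INIT = build_init_chunk([(SUPPORTED_ADDR_TYPES, b"\x00\x05")])   # constructed: IPv4 only
# Constructed regression reproducer: the parameter length field (offset 22) set to 2,
# smaller than the parameter header itself. Not the CERT-FI case described in the text.
BAD_PARAM_LENGTH = VALID_INIT[:22] + b"\x00\x02" + VALID_INIT[24:]


def is_rejected(chunk: bytes) -> bool:
    """True when the parser rejects the chunk with MalformedChunk."""
    try:
        parse_init_chunk(chunk)
    except MalformedChunk:
        return True
    return False


def fuzz_parser(seed: int, iterations: int) -> int:
    """Deterministic byte-flipping run for a nightly regression job: mutates the
    valid chunk and returns how many mutants were rejected. Any exception other
    than MalformedChunk escaping from here is a parser bug worth a new reproducer."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(iterations):
        mutant = bytearray(VALID_INIT)
        for _ in range(rng.randint(1, 4)):
            mutant[rng.randrange(len(mutant))] = rng.randrange(256)
        rejected += is_rejected(bytes(mutant))
    return rejected


if __name__ == "__main__":
    print(parse_init_chunk(VALID_INIT))
    print("reproducer rejected:", is_rejected(BAD_PARAM_LENGTH))
    print("mutants rejected:", fuzz_parser(seed=2010, iterations=2000), "of 2000")
```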
If you happen to use SCTP, we recommend you take a look at the SCTP test suite:
For more information on the SCTP vulnerability, see CERT-FI advisory here:
Crash Test Party
The first Codenomicon Crash Test Party was a success. Around thirty students and researchers spent an evening testing various devices and applications using Codenomicon tools. They could bring any test targets with them and test them. They discovered what our specialists already know: robustness testing is fun and easy when you have the right tools. Anyone can do it! Everyone participating commented that this was really useful for their studies and that something like this should be part of the computer engineering and computer science curricula.
Since Codenomicon is a university spin-off, quite a few of the students were familiar with the company, but only a few had used the tools before. Fewer than 10% of the participants had ever used our tools, or any similar tools. Yet, with the help of only the installation manual that we provide with our tools, they were able to download the licenses and start testing. Within an hour of arriving at the party location, everyone had tests running.
And test they did: using Codenomicon tools they were able to disturb the operation of browsers, servers, routers, mobile phones, set-top boxes and various other applications. Codenomicon provided small rewards for getting the tools running, finding their first crash, updating their test plan, uploading results to the backend collaboration portal, and logging into the customer portal IM system. By the end of the evening, everyone had received their Codenomicon 'Go Hack Yourself' T-shirt, which was the reward for finding the first crashing test case.
The event goes to show that testing with Defensics tools is easy, and moreover, it is fun. Inspired by the success of our first Crash Test Party, we are now planning a second event. We are also considering holding similar events for our key customers and with our local partners across the globe. Come along and discover the fun of robustness testing!
Note: Due to Codenomicon's strict disclosure policy, none of the vulnerability details are disclosed.
We Bricked Your Phone
At Codenomicon, we have been busy upgrading our Bluetooth test suites. As a part of tool development, we have also tested various Bluetooth profiles on modern smartphones. Since Bluetooth is nowadays a standard feature in mobile phones and a lot of people rely on Bluetooth, for example, for streaming music to wireless headphones, synchronizing calendar entries and sending pictures to personal computers, it is very important to ensure that the Bluetooth profile implementations work properly.
We noticed that it is not too hard to get a phone to crash or to render the Bluetooth implementation nonfunctional with our test cases. In some cases, the phone even went into a state where simply rebooting or removing the battery would not help. We had to ship some phones to be reflashed after a few days of suffering in the hands of our testing department.
What makes Bluetooth so vulnerable is the complexity of the technology paired with unclear specifications. For example, most Bluetooth profiles require pairing, but the L2CAP and SDP profiles are accessible without any security measures at all. Thus, a couple of L2CAP messages are all it takes to make a phone crash or stop accepting any further Bluetooth connections. These messages can be sent without any prior pairing by anyone within Bluetooth range.
Currently, it is advisable to turn off the Bluetooth connection whenever you are not using it. However, with Codenomicon Defensics the vulnerabilities in the Bluetooth implementations can be discovered, making them more robust and rendering such security advice obsolete.
This was not the first time fuzzing was used to "brick a phone". Even before Codenomicon was established, WAP protocols were tested as a part of the widely acclaimed PROTOS research project and also then, some handsets corrupted their flash memories and required re-programming to fix them. The same also happened to e.g. Network Interface Cards in the past, when their IPv4 and IPv6 implementations were tested.
Back in the days of 2G, there were almost no reliability issues with mobile phones. But as phones start to resemble computers more and more, it is increasingly dangerous to live in this false sense of security. The introduction of 4G/LTE networks will deliver the final blow by introducing all the problems of the internet into the telecommunication world. Is your company ready?
Stay ahead of the curve!
Olli and Jukka, Codenomicon CROSS team
Next Fuzzing 101 Webinar
This year, Codenomicon restarted hosting its popular Fuzzing 101 Webinar series. In the past, Codenomicon has had security celebrities participate in our webcasts, and some of the recordings are still available for viewing on our website. This year, we have had several webcasts with both interesting talks and lots of interesting questions from the audience. The recordings of the latest webcasts will be made available during June 2010, and we will also see if we can find some of our past webcasts and re-release them for you. For the latest update on Fuzzing 101 webcasts, point your browser here: http://www.codenomicon.com/resources/webcasts.shtml
I have been happy to notice that the interest in Codenomicon Webinars is greater than ever. Earlier this year, we had a webcast on fuzzing in the software development lifecycle. In that webcast we walked through a common software development process and highlighted the important things you need to consider if you want to get the best out of fuzzing in software security. In the latest webcast, Jessy Cavazos from Frost & Sullivan gave an overview of the fuzzing market, which was then followed by a talk about Codenomicon's perspectives on users of fuzzing tools. The webcast concluded with an interesting case study from the Codenomicon Crash Test Party.
The next webcast is arranged for Tuesday July 6th. In the webcast, we will explore the field of Zero-Day Vulnerability Management. We will look at the process of analyzing and testing your system for zero-day weaknesses, and also show how you can test and verify that known vulnerabilities are really effectively patched by software updates from vendors. Register for the webcast now, by clicking on the following link:
Join us and learn more about managing unknown threats!
Codenomicon at Blackhat Las Vegas
Codenomicon is arranging its annual customer meeting in Las Vegas, a day before the Blackhat event. As many security enthusiasts come together in Las Vegas during that week, it is the perfect time to also catch up on the latest news from the Whitehat side of things.
The Codenomicon customer event will feature speakers from leading software companies and device manufacturers, explaining their product security practices. At the event we will also feature our zero-day vulnerability management capability, and features from the latest software releases. Our partners will explain how their solutions complement the Codenomicon products. In all, the event features the best speakers in the industry, and is worth joining even if you are not interested in the Blackhat event. The event is free for Codenomicon users.
If you are a user of Codenomicon tools, you should have received an invitation from Codenomicon. If you have not, and are interested in joining, please contact your sales representative and ask them for an invitation. Also, please let us know if you want to schedule a one-on-one meeting with Codenomicon CTO Ari Takanen or one of our other team members during the Blackhat week.
Codenomicon at CommunicAsia
Codenomicon took part in the CommunicAsia exhibition in Singapore on June 15-19 as a part of the Finnish pavilion. Since the first exhibition in 1979, CommunicAsia has managed to establish itself as one of the most influential exhibitions within the communication technology sector. The exhibition caters for a large variety of companies and organizations within the technology market, ranging from satellite manufacturers and mobile software developers to government authorities and research centers. The exhibition also attracts a good crowd of visitors.
Our main goal for the exhibition was to raise awareness of fuzzing. Fuzzing is still a relatively new technique, and very few of the people we talked to at the exhibition had heard about fuzzing before; they were surprised to hear that such a "self-hacking" solution exists. Somebody even claimed that products from their country do not contain any vulnerabilities at all; well, they must then have fuzzing well integrated into their SDLCs.
A number of IPTV application providers were exhibiting at the show, and there was a lot of interest in our IPTV testing tool. Another key area of interest was our solutions for 3G/4G-LTE networks. With new technologies like IPTV or LTE networks, there are a lot of unknown vulnerabilities and interoperability issues. Such issues cannot be found with traditional testing methods, creating a need for proactive testing methods like fuzzing. Vulnerabilities are impossible to avoid, but with Defensics they are easier to find and identify.
How did you first learn about fuzzing?
Ami, Marketing team
It's what you don't know that makes you vulnerable