Codenomicon Defensics


CODENOMICON NEWSLETTER 2010/09


Dear Friend or Customer,

The security solutions market is full of promises, but how many vendors can really deliver what they promise? The Vulnerability Assessment products on the market do a good job at helping you understand what versions and what patches you should be running to protect your systems against known vulnerabilities. But how do you know that the fix/patch really fixes the problem and does not create new security threats? For example, fixing a buffer overflow by increasing the buffer does not really solve the problem. Attackers can easily work around such fixes by creating exploits for mutations of the original vulnerability. Surprisingly, many companies operate under the assumption that they can mitigate security problems simply by installing patches.

Another challenge is protecting your systems against unknown vulnerabilities that have not been disclosed. Often, vulnerability assessment tools only work with vulnerabilities that have been discovered and published and cannot handle unknown vulnerabilities. Attackers proactively look for unknown vulnerabilities, because there are no patches available to stop them nor signatures to flag or stop them at the IDS or firewall. These Zero-Day attacks can go unnoticed for long periods of time.

Codenomicon Defensics enables you to handle both these challenges. Fuzzing/Blackbox/Negative testing is an excellent way of testing your systems to find these unknown vulnerabilities. Once found, the remediation package allows you to send them to your supplier or internal development team so that they can reproduce them and fix them. As a short-term risk mitigation tactic, the test cases which caused the problem can easily be used to write rules for your IDS/Firewall so that you can monitor or block these attacks.

The Codenomicon Traffic Capture Fuzzer (TCF) is a very effective way of testing how effective a patch is against the actual vulnerability and mutations of it. For example, you can take vulnerability feeds from Secunia, Telus Security Labs or any other vulnerability database and then use the PCAPs of known vulnerabilities to produce fuzz test cases with the TCF. The TCF mutates the attack and allows you to test the reliability of patches and also to test around them for mutations of known vulnerabilities. This is also a great way to test and tune your IDS and/or Firewall.

Is Your Vulnerability Assessment/Management Program Based on Faith?

Best regards,

David Chartier, CEO of Codenomicon


CodenomiCON 2010 - Bellagio Hotel - Las Vegas

Codenomicon and its partners annually sponsor an invite-only event during the BlackHat / DEFCON conference. CodenomiCON 2010 was held at the Bellagio Hotel in Las Vegas, Nevada on July 27th. The event was once again a great success. There were insightful presentations on product security from Charlie Miller, Cisco, Microsoft, SafeCode.org, Rugged Software, Cigital, and Ari Takanen.

Some of the highlights of the day included Cisco Systems' Erick Lee and John Qian's presentation on the Cisco Secure Development Lifecycle and Charlie Miller's presentation on "Babysitting an Army of Monkeys". Attendees also enjoyed hearing Bill Shihara and Andy Renk from Microsoft. Their presentation provided insight on "Optimizing your fuzzing with exploitable".

Joshua Corman from Rugged Software gave an informative talk about the importance of product security. "It was great to see how all the presentations fit well into the Rugged Software development initiative presented by Joshua Corman", said David Chartier, Codenomicon, CEO.

Miller's and Corman's presentations are now available on YouTube on the Codenomicon channel at http://il.youtube.com/user/codenomicon

After the presentations were completed, Codenomicon hosted a cocktail party for the presenters and attendees. We look forward to hosting another successful event next year! If you want to find out more about the event or inquire about speaking opportunities, please contact info@codenomicon.com.

Greetings from the US office,

Best Regards, Mary Ann


Japanese Film Crew Visiting the Oulu Office

A Japanese TV group from the BS-TBS channel visited Codenomicon on the 4th of August. They were making a program about the global strengths of Finland. During their visit to Finland, the TV group interviewed many influential Finns, including the current finance minister, Jyrki Katainen, and Matti Alahuhta, the CEO of the company Kone. In Oulu, the group also visited The Technical Research Center of Finland (VTT), the University of Oulu and Tekes, the Finnish Funding Agency for Technology and Innovation. The Oulu region is known for its cluster of innovative IT companies, which are largely spin-offs from university and VTT research and funded by Tekes.

One of the most successful new technology companies in Oulu is Codenomicon, which was selected to represent the Oulu cluster in the program. Our VP of Operations Tuija Postari-Kivistö and Product Manager Sami Petäjäsoja, who is also responsible for the Asia-Pacific region, were interviewed for the program. The reporters were interested in our company history, technology and internationalism. But, above all, they seemed to be amazed that such state-of-the-art technology can be developed so far up north, something we here in Oulu take for granted.

Greetings from our offices in the northern innovation capital!

Peppi, from the EMEA Marketing team


Fuzzing 101 Webinar Recordings

The Codenomicon Fuzzing 101 Webinars hosted by Codenomicon's CTO, Ari Takanen, have gained wide popularity with around a hundred listeners every month. The webinars popularize state-of-the-art security testing research and also provide useful testing tips. After the last webinar there were a number of requests for the webinar video. To enable easy access for all, we have uploaded the video to YouTube. The webinar is divided into ten 10-minute videos, which have all been added to the same playlist.

Just click on the link below to view the webinar: http://www.codenomicon.com/resources/webcasts/20100706.shtml


New Whitepaper Release

The latest Codenomicon whitepaper looks at using fuzzing and static code analysis to ensure the security and robustness of your software. Fuzzing and static code analysis are both forms of preemptive security testing: they look for vulnerabilities in software so that they can be fixed before the software is deployed. However, they have very different approaches to achieving this. Firstly, as its name suggests, static code analysis looks at static code, whereas fuzzing tests live implementations. Secondly, while static code analysis looks at the entire software implementation, fuzzing tests the system through an open interface. The differences in the approaches mean not only that fuzzing and static code analysis can capture different types of vulnerabilities, but also that they can be used to enhance each other. The purpose of this whitepaper is to look at how fuzzing and static code analysis can be used together to achieve even better test results.

To read the whitepaper, please go to: Fuzzing and Static Code Analysis Whitepaper


Two critical vulnerabilities found in OpenLDAP with Codenomicon tools

Last May, Codenomicon organized a Crash Test Party for students of computer engineering. More than 40 students from the University of Oulu participated. They were given temporary licenses for Codenomicon fuzzing tools, which they could use to test any devices they wanted. Many of the students chose open source software as test targets. After finding a security flaw, the students were rewarded with a "Go Hack Yourself" T-shirt. In just two hours almost all students had picked up their T-shirts and wore them proudly.

The first bugs found at the Crash Test Party have now been fixed and can be publicly disclosed. These bugs involve several flaws in OpenLDAP. The vulnerabilities were found by Ilkka Mattila and Tuomas Salomäki with the Codenomicon LDAPv3 test suite, which is an automated fuzzing tool for finding security flaws in any LDAP implementation. With the help of Codenomicon experts, the students reported the flaws to CERT-FI, who coordinated the release of the vulnerabilities between the vulnerability researchers and the affected vendors.

The OpenLDAP server vulnerabilities found at the Crash Test Party were quickly understood to be serious. LDAP servers typically contain sensitive information, like account names and passwords, and a vulnerability in the directory server could be abused to get unauthorized access to this information. Or, even worse, an arbitrary code execution vulnerability could be used to overwrite information, granting unauthorized access to construct a back door for services relying on the directory server information.

Vulnerabilities in these LDAP servers are especially dangerous for organizations with directory services that are accessible to users that are not trusted. But, even if all the users are trustworthy, the attacker can compromise a user account and proceed to attack the directory server and gain access to the system. No authentication would have been required to attack the OpenLDAP vulnerabilities found. Thus, if attackers had had access to the directory service, for example through a compromised user account or web service, they would have been able to devise a denial of service attack by crashing the directory server or even gain rights for the directory server with the help of a maliciously crafted message.

This is not the first time Codenomicon has been involved in fixing open source projects. The Codenomicon CROSS program provides open source projects with full access to Codenomicon's award-winning DEFENSICS testing solutions, helping the projects find and fix a large number of critical flaws very rapidly. Contact Codenomicon Labs at info@codenomicon.com for details on the CROSS program or to learn how to get your open source application tested.

Happy Bug Hunting!

Joonas from the Development Team


Codenomicon finds the SMB Stack Exhaustion Vulnerability

In our service assignments and together with our customers, we test a lot of commercial software, and some of the findings are eventually published by the relevant vendors. The Microsoft Security Bulletin Summary for August 2010 lists an SMB Stack Exhaustion Vulnerability found by two of our researchers, Josh and Riku. The vulnerability (CVE-2010-2552) allows a remote attacker to execute code on a vulnerable system.

More information on this and other vulnerabilities found using Codenomicon Defensics can be found on the Codenomicon Labs web pages:
http://www.codenomicon.com/labs/advisories/


Latest News

For the latest news from Codenomicon, see:
http://www.codenomicon.com/news/


Codenomicon Ltd. | www.codenomicon.com | info@codenomicon.com