"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code
We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.
If you're serious about implementing protocols correctly, you need the Codenomicon tools."
-- Jeremy Allison,
Co Creator of Samba
The DEFENSICS Advantage
The Architecture and Methodology
Codenomicon’s technology spans more than 10 years with a security research heritage derived from Finland’s Oulu University Secure Programming Group and first generation PROTOS test tools. Years later, the world-proven Codenomicon DEFENSICS security and robustness test platform remains unmatched in its ability to find quality, resiliency and security exposures quickly within the broadest array of applications. Codenomicon has been recognized by the industry for its innovations in systematic blackbox negative testing capabilities – proven through a unique, systematic, repeatable and rigorous test methodology.
In Blackbox testing, a test is conducted by providing inputs and monitoring outputs without having to rely on internal application design details. Robustness means the capability of a system to operate when subjected to anomalous inputs, attacks or other adverse environmental conditions. Robustness testing can reveal protocol implementation flaws that can generate issues ranging from anomalous responses and system degradation to system failure – which, if not discovered and resolved, can be exploited to result in a zero-day attack or becoming a publicly known vulnerability. Protocols refer to the set of rules that describe how to transmit and process data. The level of risk associated with an implemented protocol, whether it is an open or custom protocol, is relative to the protocol’s novelty, popularity, exposure, complexity, integration difficulty and update frequency.
Many organizations and developers are experiencing protocol implementation flaws in products, services and infrastructure that present considerable availability and security liabilities – least of which causing damage to reputation and financial loss. The challenge in protocol robustness testing is how to effectively target the infinite amount of possible inputs, how to overcome the difficulties of reaching deeper inside the protocol and to ensure the applicability of the tests later for regression testing.
Simply put – how can you materially advance quality and security test capabilities with modest investments in resources and time, with more assured flaw discovery results, and with expedited means for resolution and validation?
The DEFENSICS test platform is based on unique technologies and expertise that enable an intelligent targeting of robustness flaws. The system intelligently asserts targeted attack patterns against applications utilizing a patented Attack Simulation Engine (ASE) and deep protocol modeling techniques to overcome robustness test challenges – DEFENSICS achieves unparalleled efficiency in exposing both known and unknown vulnerabilities. ASE is the industry’s first and only state-aware attack engine that simulates the peers of a tested system and drives any protocol implementation through state machines to conduct a variety of systematic attacks when the target is at its weakest state. This simulation capability enables testing of complex protocol dialogues, not just the initial messages or limited sequences.
The deep protocol models provides the source material for crafting test cases for the message level anomalies that push the target systems to the limits and quite often over the edge. Codenomicon’s test material creation incorporates more than ten years of experience in breaking protocols and refining automation capabilities of the Attack Simulation Engine. The rules provided to the ASE automate protocol messages transformation on both structure and field levels. Structure level transformations include anomalies like reordered or out of context fields, removed or unexpected fields and loop or recursion constructs. Field level transformations are, for example, overflows, underflows and format character anomalies. DEFENSICS also utilizes out-of-context messages, like incomplete sequences, reordered sequences and removed or repeated messages, to further test implementations. The methodology, with three levels of anomalies – sequence, message structure and field-level, enables DEFENSICS to yield highly accurate targeting on the most vulnerable portions of the protocol, while maintaining broad coverage through automatic test case generation.
In short, if a product or service under test passes DEFENSICS inspection – risk management and quality assurance is strong.