"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co-Creator of Samba


Codenomicon Whitepaper

Browser Security Case Study:

Assessing Internet Browser Security with Fuzzing Tools

Tuomo Untinen, Jukka Taimisto,
Anna-Maija Juuso and Ari Takanen
info@codenomicon.com
Codenomicon Ltd.



Summary

The Internet is used to provide a growing number of services, such as online banking and shopping, which transfer confidential information over the Internet. This development has heightened user sensitivity to security violations. Most users access these online services through browsers, which makes browsers a critical part of the Internet communication infrastructure. A browser's reputation can be lost for a long time if news of security vulnerabilities reaches its users. It is therefore in the interest of browser vendors to test the security and robustness of their products proactively, before any problems occur.

The biggest factor in browser security is undeniably the user. If users were to act in a more responsible manner, most security violations could probably be avoided. After all, it is the user who opens suspicious sites and downloads content from unreliable sources. However, security violations would be much harder to carry out if there were no flaws in the software. To devise an attack, hackers need to find a vulnerability to exploit. These vulnerabilities are mistakes made during the implementation of the browser. Attackers search for such vulnerabilities by sending malicious inputs through the browser's public interface (most commonly through HTTP responses). If the operation of the browser is disrupted or it crashes, then there is a bug in the software.

In this paper we describe how robustness testing techniques can be used to assess the security and robustness of Internet browsers. In a case study, we analyze the robustness of five major browsers. In the tests, potential attack scenarios are simulated by sending anomalous inputs to the tested browsers using a robustness testing method called fuzzing. None of the browsers passed the tests.

Fuzzing is a very representative security testing method; it is essentially doing what the hackers do, but before them. Fuzz tests achieve unparalleled efficiency in finding unknown vulnerabilities, because unlike traditional security testing methodologies, they are not based on earlier vulnerabilities, but on protocol models. Unknown or zero-day vulnerabilities are a problem, because their existence is not known and there are no ready patches for them. It's what you don't know that makes you vulnerable.


