
Fuzzing the Security Perimeters: An Army of Wooden Horses at Your Gate

Ari Takanen, Fuzzing the Security Perimeters, H2, 4/28/2008, 2:45 PM

About the Speaker

• The Past: Researcher and lecturer
  – University of Oulu
  – OUSPG/PROTOS research group
• The Present: Entrepreneur and Preacher
  – CTO of Codenomicon
  – 6-10 conference talks a year
  – Author of two books: VoIP and Fuzzing


Fuzzing Introduction


One Fuzzing Definition

• http://en.wikipedia.org/wiki/Fuzz_testing
• Fuzz testing or fuzzing is a software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted.
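As an added illustration of this definition (example code written for this page, not the speaker's or Codenomicon's), the harness below mutates a valid message, feeds each variant to a constructed toy record parser, and records every crash or failed assertion together with the input that caused it. The record format, the parser, the seed message and all function names are assumptions made for the example; a second version of the parser with explicit length checks shows what a robust implementation does with the same inputs.

```python
import random

# Constructed target for the harness below: a parser for a toy record format
# (1-byte tag, 1-byte length, `length` value bytes, repeated). It has the kind
# of robustness defect fuzzing exists to surface (declared lengths are trusted)
# and is not taken from any real product.
def parse_records_unchecked(data: bytes) -> dict:
    records, pos = {}, 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]          # IndexError if only one byte is left
        value = data[pos + 2:pos + 2 + length]
        assert len(value) == length, "declared length exceeds buffer"   # built-in assertion
        records[tag] = value
        pos += 2 + length
    return records


# The same parser with the checks a robust implementation needs. Malformed input
# is rejected with ValueError, which callers can handle, instead of failing.
def parse_records_checked(data: bytes) -> dict:
    records, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        tag, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            raise ValueError(f"record at offset {pos} declares {length} bytes but fewer remain")
        records[tag] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return records


def encode_records(fields) -> bytes:
    """Build a well-formed message; the fuzzer starts from this valid seed."""
    return b"".join(bytes([tag, len(value)]) + value for tag, value in fields)


VALID_SEED = encode_records([(1, b"alice"), (2, b"secret")])   # constructed sample input


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random structural change: bit flip, truncation, byte insert or delete."""
    buf = bytearray(data)
    op = rng.choice(("flip", "truncate", "insert", "delete"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int, seed: int = 0) -> list:
    """Feed mutated inputs to `target` and record every failure.

    ValueError is the parser's documented rejection of bad input and counts as
    graceful handling; any other exception (IndexError, AssertionError, ...) is a
    crash or failed assertion in the sense of the definition, and the input that
    caused it is kept so the defect can be reproduced.
    """
    rng = random.Random(seed)          # fixed seed: the whole run is reproducible
    findings = []
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            findings.append((case, type(exc).__name__))
    return findings


if __name__ == "__main__":
    hits = fuzz(parse_records_unchecked, VALID_SEED, 500)
    print(f"unchecked parser: {len(hits)} failing inputs, e.g. {hits[0][1]} on {hits[0][0]!r}")
    print(f"checked parser:   {len(fuzz(parse_records_checked, VALID_SEED, 500))} failing inputs")
```

The seeded random generator matters in practice: a finding is only useful if the exact input can be replayed against the fixed build, so the harness keeps the failing bytes and the run is deterministic for a given seed.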


Why Fuzzing

• Security has traditionally focused on reactive prevention, on the attacks and perpetrators
• Still, most security issues are actually programming flaws in the software
• Industry is just using the consumers as crash-test dummies (See e.g. Geekonomics)


Better Names for Fuzzing

• Syntax Testing
• Negative Testing
• Robustness Testing
• Grammar Testing


Open Source Fuzzing

• For some, open source tools are good enough
  – You might not need to find all flaws, but finding one flaw is enough proof-of-concept for the management
  – You have the time and expertise to use open source, even though everyone in the company might resist
• Example tools:
  – Spike framework
  – Sulley framework
  – PROTOS suites
  – Hundreds of others...


PROTOS? Test-Suite?

• Oulu University Secure Programming Group (OUSPG)
  – Research since 1996 at OUSPG http://www.ee.oulu.fi/research/ouspg
  – PROTOS test suite releases since 1999: WAP-WSP, WMLC, HTTP-reply, LDAP, SNMP, SIP, H.323, DNS


Compared to Traditional Testing

• Traditional feature/conformance testing is focused on V&V:
  – Validation
  – Verification
• Performance testing looks for load-based defects
• Both are based on requirements engineering and use-cases


Security Vulnerabilities

• Software still contains security mistakes because it is not being tested with unexpected inputs
• Fuzzing explores the infinite amount of negative tests that drive the system to crash-level faults
• It is like the “mis-use-cases” of the test and measurement practices
• Fuzzing simulates zero-day attacks, or it can be thought to be a library of zero-days
• Test case numbers can easily reach millions per port


What Fuzzing is not about: known vulnerabilities

• Vulnerability scanners
  – Look for known issues in standard operating systems and widely used servers and clients
  – Typically passive probing and fingerprinting, but can include hostile tests that aim at crashing the tested system
  – Cannot find any unknown issues, and need regular updating of threats


More on Fuzzing...

See also the upcoming book: Fuzzing for Software Security Testing and Quality Assurance, by Ari Takanen, Jared DeMott and Charles Miller, published by Artech House, June 2008


What to Fuzz


Perimeter Defenses

• Firewalls and gateways
• VPNs and mechanisms
• IDS and incident detection tools
• servers


Firewall Fuzzing

• Q: Should a firewall block all fuzz test cases?

• Q: How much application logic is built into the firewall?


Using Fuzzing to Test FW Rules

• Random fuzzing:
  – Empty/Simple template: Fuzzing will check if the Firewall is at all protocol aware
  – Known vulnerability: Fuzzing will check the integrity of the rules for IDS-like capability (Network Access Control, NAC)
  – Model-based: Fuzzing will reveal the above plus the capability of a B2BUA operation of a firewall to actually implement protocol cleaning
• And then you actually probably will crash the firewall
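To make these levels concrete, here is an added example (written for this page, not the speaker's or any vendor's tooling) that generates "empty template" cases and model-based cases against a constructed SIP INVITE model and tallies a device's verdicts; the known-vulnerability level is left out because it needs a library of real cases. The template, the anomaly classes, the simulated shallow gateway and every function name are assumptions of the example. case_count also shows how combinations of anomalous fields drive campaign sizes toward the millions of cases per port the deck mentions; the depth-1 count equals the number of model-based cases generated.

```python
import itertools
import math
import random
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

# Constructed message model: a minimal SIP INVITE, the kind of traffic an ALG,
# SBC or B2BUA-style firewall has to parse. Addresses are from the documentation
# ranges and the identifiers are made up; nothing here is a captured request.
SIP_TEMPLATE: List[Tuple[str, str, str]] = [   # (field, type, valid value)
    ("method", "str", "INVITE"),
    ("request_uri", "str", "sip:bob@example.com"),
    ("via_host", "str", "192.0.2.1"),
    ("via_port", "int", "5060"),
    ("from_uri", "str", "sip:alice@example.com"),
    ("to_uri", "str", "sip:bob@example.com"),
    ("call_id", "str", "a84b4c76e66710"),
    ("cseq", "int", "314159"),
    ("max_forwards", "int", "70"),
    ("content_length", "int", "0"),
]

# Anomaly classes applied per field type; each is a function of the valid value.
STR_ANOMALIES = {
    "empty": lambda s: "",
    "overlong": lambda s: s + "A" * 4096,
    "embedded_nul": lambda s: s[:1] + "\x00" + s[1:],
    "embedded_crlf": lambda s: s + "\r\n" + s,
    "non_ascii": lambda s: s + "\u00e9\u20ac",
}
INT_ANOMALIES = {
    "zero": lambda s: "0",
    "negative": lambda s: "-1",
    "int32_max": lambda s: str(2**31 - 1),
    "uint32_wrap": lambda s: str(2**32),
    "huge": lambda s: "9" * 40,
    "non_numeric": lambda s: "abc",
}


def render(v: Dict[str, str]) -> bytes:
    """The model's template: assemble field values into one request."""
    lines = [
        f"{v['method']} {v['request_uri']} SIP/2.0",
        f"Via: SIP/2.0/UDP {v['via_host']}:{v['via_port']};branch=z9hG4bK776asdhds",
        f"From: <{v['from_uri']}>;tag=1928301774",
        f"To: <{v['to_uri']}>",
        f"Call-ID: {v['call_id']}",
        f"CSeq: {v['cseq']} {v['method']}",
        f"Max-Forwards: {v['max_forwards']}",
        f"Content-Length: {v['content_length']}",
        "", "",
    ]
    return "\r\n".join(lines).encode("utf-8")


def random_cases(count: int, seed: int = 0) -> Iterator[Tuple[str, str, bytes]]:
    """'Empty template' strategy: structureless random bytes. Tells you only
    whether the device is protocol-aware at all (a port-only rule passes them all)."""
    rng = random.Random(seed)
    for i in range(count):
        yield "none", f"random_{i}", bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 1500)))


def model_based_cases(template=SIP_TEMPLATE) -> Iterator[Tuple[str, str, bytes]]:
    """Model-based strategy: one case per (field, anomaly), all other fields valid,
    so the message still looks like SIP and exercises the device's own parser."""
    valid = {name: value for name, _, value in template}
    for name, ftype, value in template:
        for aname, fn in (INT_ANOMALIES if ftype == "int" else STR_ANOMALIES).items():
            yield name, aname, render({**valid, name: fn(value)})


def case_count(template=SIP_TEMPLATE, depth: int = 1) -> int:
    """Campaign size when up to `depth` fields are anomalous at once; the
    combinations term is why counts reach millions on a real protocol model."""
    per_field = [len(INT_ANOMALIES if t == "int" else STR_ANOMALIES) for _, t, _ in template]
    return sum(math.prod(c) for d in range(1, depth + 1)
               for c in itertools.combinations(per_field, d))


def run_campaign(cases: Iterable[Tuple[str, str, bytes]],
                 send: Callable[[bytes], str]) -> Dict[str, int]:
    """Push every case through `send` (the tester's transport to the device under
    test, or a simulation) and tally its verdicts: "blocked", "passed", or
    "dut_failed" when the device itself stops responding or resets."""
    tally = {"blocked": 0, "passed": 0, "dut_failed": 0}
    for _field, _anomaly, msg in cases:
        tally[send(msg)] += 1
    return tally


def simulated_shallow_alg(msg: bytes) -> str:
    """Constructed stand-in, not any real product: a device that only checks that
    the request line has three tokens, a known method and a SIP/2.0 version."""
    parts = msg.split(b"\r\n", 1)[0].split(b" ")
    ok = len(parts) == 3 and parts[0] in (b"INVITE", b"REGISTER", b"OPTIONS") and parts[2] == b"SIP/2.0"
    return "passed" if ok else "blocked"


if __name__ == "__main__":
    print("random bytes :", run_campaign(random_cases(200), simulated_shallow_alg))
    print("model-based  :", run_campaign(model_based_cases(), simulated_shallow_alg))
    print("cases at depth 1/2/3:", [case_count(depth=d) for d in (1, 2, 3)])
```

Against the simulated gateway the random cases are all blocked, which proves only that the device looks at the request line, while 48 of the 54 model-based cases pass because every header value anomaly sits behind a valid request line. That gap between the two tallies is the measurement the slide describes: how deep the device's protocol awareness actually goes, and which anomalies reach the protected server unfiltered.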


Application logic in FW

• “Application Level” Gateway ALG
• Session Border Controller SBC
• Most firewalls are extremely protocol-aware
• F-Secure blogged about fatal flaws in 40 AV products parsing archive files....
  – I hope we don't have to read the same about FW soon


VPN Fuzzing

• Q: Can the VPN be reached by anyone in the ?

• Q: When is a VPN client authenticated?


Key Weakness = Key Exchange

• Enormously complex! Think PKI! Think of the protocols required!
  – ISAKMP/IKEv0
  – IKEv1
  – EAP, CHAP, ...
• Very few people even know how to implement the features; how about the robustness of those protocols?
• Then there is the encryption, but I am not going there... ;)


IDS Fuzzing

• Q: Should an IDS detect all fuzz test cases?

• Q: What protocols does an IDS dissect?


Detecting All Attacks?

• Typically impossible, as all of you know
• Someone came to tell us that their IDS product can now detect 95% of our test cases... Amazing!?
• Rest of the tests? They can crash products but they look completely valid... (e.g. firstname (+ lastname))
• Fuzzing can actually give surprising information on IDS not detecting anything at all in some protocols


AAA Fuzzing

• Q: How exposed is an authentication server?

• Q: Where do most of the authentication requests come from?


AAA is Hidden, but Always Available for Attack

• All requests coming from outside need to be authenticated
• A fuzz attack has been known to kick down an HLR, and through a VoIP request coming from the Internet
• Peel the onion:
  – Test the AAA server as stand-alone
  – And then also through an application protocol
  – AAA attacks are very similar to SQL attacks


What to Expect


All Stacks Can Crash

• Any protocol implementation can fail under negative testing

• The more complex the implementation, the more flaws there will be


Data Anomalies

• No data can be trusted to be clean
  – Checksums and encryption do not help
• Data can also become corrupt
  – Even closed networks are not safe
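Why checksums do not help, as an added example (not from the slides): a constructed frame format with a CRC32 trailer, a decoder that trusts the body because the trailer matched, and a fuzz loop that recomputes the trailer for every mutated body. The frame layout, the record format and the function names are assumptions of the example; the point it demonstrates is that an integrity check only proves the bytes arrived as sent, so the decoder behind it has to validate structure itself.

```python
import random
import struct
import zlib

# Constructed frame format, standing in for any transport that guards integrity
# with a checksum: 2-byte big-endian body length, body, 4-byte CRC32 of the body.
# The body is an application record: 1-byte name length, name, 4-byte age.
def frame(body: bytes) -> bytes:
    return struct.pack(">H", len(body)) + body + struct.pack(">I", zlib.crc32(body))


def integrity_ok(data: bytes) -> bool:
    """Transport-layer check: the trailer matches the body it carries."""
    if len(data) < 6:
        return False
    return struct.unpack(">I", data[-4:])[0] == zlib.crc32(data[2:-4])


def decode_body(body: bytes) -> dict:
    """Application decoder that trusts the body because 'the checksum passed'."""
    n = body[0]                                    # IndexError on an empty body
    (age,) = struct.unpack(">I", body[1 + n:5 + n])   # struct.error if too short
    return {"name": body[1:1 + n], "age": age}


def decode_body_checked(body: bytes) -> dict:
    """Same decoder, validating structure itself instead of relying on the CRC."""
    if len(body) < 1 or len(body) != 5 + body[0]:
        raise ValueError("body length does not match declared name length")
    n = body[0]
    (age,) = struct.unpack(">I", body[1 + n:5 + n])
    return {"name": body[1:1 + n], "age": age}


VALID_BODY = bytes([5]) + b"alice" + struct.pack(">I", 30)   # constructed sample record


def mutate_body(body: bytes, rng: random.Random) -> bytes:
    """Corrupt one byte or truncate the body; the caller then re-frames it with a
    fresh CRC, which any protocol-aware sender can do."""
    buf = bytearray(body)
    if buf and rng.random() < 0.5:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        del buf[rng.randrange(len(buf) + 1):]
    return bytes(buf)


def campaign(decoder, iterations: int = 200, seed: int = 1):
    """Returns (frames that passed the integrity check, frames whose body then
    made `decoder` fail with anything other than its own ValueError)."""
    rng = random.Random(seed)
    passed_integrity = crashed = 0
    for _ in range(iterations):
        f = frame(mutate_body(VALID_BODY, rng))    # checksum recomputed over the anomaly
        if integrity_ok(f):
            passed_integrity += 1
            try:
                decoder(f[2:-4])
            except ValueError:
                pass
            except Exception:
                crashed += 1
    return passed_integrity, crashed


if __name__ == "__main__":
    print("trusting decoder :", campaign(decode_body))          # all pass the CRC, many crash
    print("checking decoder :", campaign(decode_body_checked))  # all pass the CRC, none crash
```

Every mutated frame passes integrity_ok, because the trailer was computed over the corrupted body; only the decoder that checks lengths itself survives the run. Encryption changes nothing about this picture: a well-formed ciphertext decrypts to whatever the sender put inside it.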


Anything Can Be Attacked

• Tainted data is routed from one element to another
  – Think of SQL attacks
• analysis is often done with the onion principle
  – Peel the onion, one layer at a time


Packets are Anonymous

• Almost every aspect of identification can be fooled on network protocol layers
• Messages being exchanged before authentication are the most dangerous


Attack Variants

• There is an infinite number of variants for every anomaly/attack
  – And growth is exponential
• Detection is impossible
  – And very few solutions actively scan for all fingerprints


So, What Is Fuzzing About?


Fuzzing is Penetration Test

• By using fuzzing, you will take penetration testing to a new level
• It is already used by finance and government sectors in assessing their critical networks, with internal people


Fuzzing is Acceptance Criteria

• Fuzzing is used in the procurement process to validate the reliability of critical components
• Already in the RFP’s of telecommunication companies


Fuzzing is a Metric of Quality

• Fuzzing is used by R&D and IT to measure the quality, in a repeatable fashion
• Fuzzing is often used in regression testing of vendor issued patches


Reactive Security Is Dead

• Today, you cannot rely on security devices to catch all flaws anymore
• Fuzzing will enable you to crash-test the network enabled components and applications
• Without fuzzing, you are caught in the patch and penetrate race...


Summary

• Enterprise fuzzing aims to verify that fuzzing is used as part of development of security devices
• Fuzzing security solutions has two purposes:
  – Find vulnerabilities in the defenses themselves
  – Test how effectively attacks are detected and blocked
• Still, 80% of software fails with fuzzing
  – But does it also apply to security software?


CODENOMICON: Cisco, Nortel, Alcatel, Siemens, Motorola, Microsoft, Verizon, ATT, Sprint, T-Systems, Symbian, Qualcomm, Broadcom, …


PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS

THANK YOU – QUESTIONS?

“Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. .... Testers! Break that software (as you must) and drive it to the ultimate - but don’t enjoy the programmer’s pain.” [from Boris Beizer]
