Using Protocol Fuzzing to Harden Storage Systems and to Protect Them from 0-Day Attacks
Using protocol fuzzing to harden storage systems and to protect them from 0-day attacks
Mikko Varpiola Codenomicon Ltd. http://www.codenomicon.com/
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved.
INTRODUCTIONS
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 2
About the Speaker
Codenomicon Co-Founder (test suite developer No. 1) Been fuzzing software since 1998 Specialized in protocol fuzzing Key member in PROTOS research and of OUSPG research group First practical implementations of model based fuzzers Industry wide ASN.1 flaws Speaker in various conferences such as Blackhat, CanSecWest, and Techno Security
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 3
DEMO
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 4
What is Fuzzing
-- HD Moore
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 5
UNKNOWN VULNERABILITY MANAGEMENT
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 6
Software is Infrastructure
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 7
Reality as it is [still] today
Programmers are NOT known for writing secure, or bug free code!!!!
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 8
So say we all!
From 1995 to Q3 of 2008 Computer Emergency Response Team (CERT) had 44,074 known vulnerabilities cataloged based on reports from public sources and submitted data.
This means the potential of unknowns is most likely greater and the severity has escalated to current day
http://www.cert.org/stats/
That’s 9.28 new known vulnerabilities per day over past 13 years.
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 9
Unknown vs. Known vulnerabilities
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 10
Short history of [notable] exploitation of unknown vulnerabilities
Morris Worm* CodeRED* SQL Slammer* Stuxnet* Attacks on Sony Phone masters Xbox GoldenEye Wikileaks Anonynous (1994-1995) exploit for homebrew (operation LulZsec Citibank (1994) PROTOS games* Payback) EMC/RSA SecureID SNMP Multi-vendor Google.cn Lockheed Martin Test suite (operation Aurora) (and who others?) JPEG (and other static (2000-2001) Melissa Virus content exploits. Around Morgan Stanley? South Korea DoD (1999) 2004) French G-20 Indian Defense Canadian DoD (Apr, 2010) Rise and Fall of ID & IMF… records Theft. British Foreign Ministry Gawker Media Morto worm… (+1.5M records stolen…) First CyberWar. Omega Eng. Corp. Between Russia and Kaspersky AV (~2000) …. Estonia (2008)
Amazon, Ebay,… DDoS (~2000) Era of SQL injection, DDoS, spam and malware
1988 2001 2003 2010 2011
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 11
We are not keeping up...
An estimate of 4/5th of our security spending is on reactive technologies and less less than 1/5 on proactive measures!
Does that sound right?
( and by the way – reactive measures offer little or no defense against attacks based on unknown vulnerabilities )
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 12
Big picture – evolution of cyber threat
Organized cyber- State sponsored hacking Kinetic damage and kinetic response Early hacktivism and computer crime and computer crime Careful target Careful target selection 197x-1995 2000- 2009- 2010-
1995- 2011-
arget selection t
Pseudo - Random
Vandalism / 2nd generation “hacktivism” iHacktivism
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 13
Anatomy of a hack
Swordfish / http://www.imdb.com/title/tt0244244/
Sorry….Only in Hollywood!
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 14
Anatomy of a hack
Choose your target Study, analyse, identify Plan Implement Execute!
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 15
Anatomy of a hack
Choose your target Study, analyse, identify Plan Implement Execute!
People Defenses Ecosystem Organization Software used Software Hardware used Hardware
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 16
Anatomy of a hack
Choose your target Study, analyse, identify Plan Implement Execute!
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 17
Anatomy of a hack
Choose your target Study, analyse, identify Plan Implement & Test Execute!
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 18
Anatomy of a hack
Choose your target Study, analyse, identify Plan Implement & Test Execute!
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 19
Or just use a perfect backdoor
NOTE: Skillsets of exploiting and finding the bug is @crossroads or has already diverged.
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 20
Are you compliant, and...
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 21
UVM spells Unknown Vulnerability Management
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 22
We need to start building better SW
Everyone needs to start doing fuzzing and to manage their unknown vulnerabilities! We need Energy Star for Software fuzzing!
http://amphionforum.com/ http://www.ruggedsoftware.org/ http://www.safecode.org/
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 23
[Unknown] Vulnerability Management
2012
1995 - 2000 SATAN/SAINT Around 1998- 2000
Reactive Nessus, Qualys, HP, IBM, ISS Symantec,….
Known Vulnerability Management
Known vulnerability scanners and policy compliance tools Total Vulnerability Management Unknown Vulnerability Management (UVM)
SAST APPROACH DAST APPROACH Proactive ( 1980- ) ( 2000- ) PC Lint, OSS, Fuzzing Coverity, Fortify, IBM Ounce (OSS, Codenomicon, Labs, Microsoft,… Peach, Sulley,…)
Whitebox testing Blackbox testing
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 24
So I found UV – Now what? Remediate!
Fix the problem Update version of software Fix defect if you own the IP Report problem to affected vendor Isolate the device or subnet Write a rule/signature/policy for the IDS/IPS/Gateway/etc Turn the service off until issue resolved
Total Vulnerability Management Unknown Vulnerability Management (UVM) Proactive DAST APPROACH ( 2000- ) -> No source code needed -> Implementation language independent Fuzzing -> No false positives (e.g. crash is a crash) (OSS, Codenomicon, -> Meaningful remediation paths Peach, Sulley,…) -> Modern tools easy to use / operate
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 25
UVM Lifecycle
Test/Scan
Analyze/Identify Report
Protect/Remediate
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 26
We are getting there…
Federal/Mil. requirements: DoD DIACAP, NIST SP.800, DoD DIACAP (Common Criteria) http://iase.disa.mil/diacap/ … Private infrastructure: All major US carriers are fuzzing NIST SP.800 Verizon now requires it as lab entry http://csrc.nist.gov/publications/PubsSPs.html criteria Enterprise world following suit Amphion Forum Inustry forums SNIA MSFT Blutooth SIG
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 27
...and we need to build it right!
http://www.microsoft.com/security/sdl/default.aspx
Fuzzing in the Verification phase of the MS SDL
Modern SDLs such as Microsoft SDLC, new Cisco SDLC and BSIMM all recognize that fuzzing has a key role in creating a secure and rugged software.
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 28
Unknown (0-day) vulnerability
When 0-day exploit is seen in public, then flaw its exploiting becomes a known vulnerability and it is then added to known vulnerability tools and databases.
http://www.google.com/googlebooks/chrome/big_08.html Difference between security- and QA-bug is just who finds it!
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 29
Picture from http://blogs.abiss.gr/mgogoulos/entry/fuzzing_finding_vulnerabilities_in_software
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 30
What is fuzzing
http://www.google.com/googlebooks/chrome/big_10.html
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 31
What can be fuzzed, what are the failures?
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 32
Case study - filer
Applications: Anti Virus, ...
Access: SMB/CIFS, SMB2, SunRPC, NFSv2, NFSv3, NFSv4, iSCSI, FCoE, ...
Management: SNMPv1, SNMPv2c, SNMPv3, SSH, Telnet, HTTP TLS/SSL, IPMI,...
Operating system: IPv4 (ARP, IP, UDP, TCP, ICMP, IGMP), IPv6 (IP, ND, ICMP6, MLD, TCP, UDP), IPSEC, DNS, DHCP, NTP, ....
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 33
Fuzzing is a method to test software
Conformance
Performance Robustness
Interoperability
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 34
Fuzzing is fuzzy
There are several types of fuzzing! All find problems, others more effective than others DEFENSICS test suites perform Environment should dictate types used model based fuzzing Generational fuzzing Model based (RFC, specification) (fake model based via traffic capture) DEFENSICS Template (or mutation) based fuzzing traffic capture test suite (TCF) Traffic capture / replay fuzzing Performs traffic replay fuzzing Adaptive sample based fuzzing Random fuzzing DEFENSICS Universal Fuzzer (DUF)
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 35
Finally – lets not forget...
Rugged Software Manifesto – part #4 ( http://www.ruggedsoftware.org/ )
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 36
Thank You!
Go FuZZing!!!
Oh – Questions?
2011 Storage Developer Conference. © Codenomicon Ltd. Information contained herein is subject to change without notice. All Rights Reserved. 37