Security Testing: Fuzzing
Download as PPTX, PDF•1 like•3,002 views
The document discusses security testing through fuzzing, a technique that involves providing malformed inputs to software to uncover exceptions and vulnerabilities. It highlights the effectiveness of fuzzing in identifying security bugs, its simplicity, and low cost of implementation, including a demonstration of a basic fuzzing tool called Minifuzz. The presentation emphasizes that while fuzzing is useful, it should supplement other testing methods rather than replace them.
Security Testing: Fuzzing
- 1. Security Testing: Fuzzing Andrei Rubaniuk for Seattle Code Camp 2012
- 2. Agenda • Introduction • What is Fuzzing? • Why Fuzz? • How to Fuzz? • Fuzzing Demo • Q&A © 2012 Andrei Rubaniuk 2
- 3. Introduction Who am I? – Software Engineer in Mobile space since 2005 – Past Projects: SlovoEd (PalmOS), Symbian OS/UIQ, SCMDM, Zune, Windows Phone 7 and 7.5 © 2012 Andrei Rubaniuk 3
- 4. Introduction (continued) What am doing now? – At Microsoft since October 2008 – Current organization – Windows Phone • SDL Tools Team • Helping Windows Phone org to Fuzz their code © 2012 Andrei Rubaniuk 4
- 5. What is Fuzzing? • Testing technique that involves providing malformed inputs to software • Fuzzed (attacked) process is monitored for exceptions, crashes, memory leaks • Is commonly used to test programs that receive data from unsafe sources (i.e. e-mail client, browser, media player) © 2012 Andrei Rubaniuk 5
- 6. What is Fuzzing? (continued) • Attacked process usually has parser (network protocols, document viewers) • Especially useful against proprietary software as it does not require access to source code • Became widely used in the past 10-15 years © 2012 Andrei Rubaniuk 6
- 7. What is Fuzzing? (continued) • Is not a substitute for other types of testing (unit tests, BVTs/FVTs, stress, etc.) • Cannot prove that your code is bug free • But will increase confidence in the correctness of your code! © 2012 Andrei Rubaniuk 7
- 8. What is Fuzzing? (continued) • Types of Fuzzing – Mutational • Smart – knows/learns about the data it mutates • Dumb – mutates data with no regard to its format – Generational • Allows to define specific data format (i.e. file structure) © 2012 Andrei Rubaniuk 8
- 9. Why Fuzz? • Relatively simple testing technique • Very effective at finding security bugs (DoS, Buffer Overflow, etc.) – Widely used by pentesters and hackers – Required by Microsoft Secure Development Lifecycle (SDL) • Inexpensive to implement – There are many free and commercial products (from iDefense, Codenomicon, etc.) – You can quickly implement your own fuzzer! • It’s Fun! © 2012 Andrei Rubaniuk 9
- 10. How to Fuzz? • Choose attacked program • Make sure generated input thoroughly covers possible input space of attacked program – To be efficient it should have good code coverage • Start Fuzzing and be Patient – Lots of bugs are found only after 100K or even millions of iterations – For example, for File Fuzzing Microsoft SDL requires min 100K iterations © 2012 Andrei Rubaniuk 10
- 11. How to Fuzz? (continued) • Analyze found issues • Fuzzed data is your repro – open a bug! • Iterate and be Patient! © 2012 Andrei Rubaniuk 11
- 12. Fuzzing Demo: MiniFuzz • Free basic file fuzzing tool written by Microsoft SDL Team • Web: http://www.microsoft.com/security/sdl/adopt /tools.aspx © 2012 Andrei Rubaniuk 12
- 13. Fuzzing Demo: MiniFuzz (continued) © 2012 Andrei Rubaniuk 13
- 14. Fuzzing Demo: fuzzed code © 2012 Andrei Rubaniuk 14
- 15. Fuzzing Demo: Actual Demo © 2012 Andrei Rubaniuk 15
- 16. Q&A © 2012 Andrei Rubaniuk 16
- 17. Follow-up • Questions? Suggestions? Feedback? © 2012 Andrei Rubaniuk 17