secfuzz fuzz testing security protocols
play

SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad - PowerPoint PPT Presentation

May 23, 2023 •277 likes •454 views

SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH Zurich Motivation Input universe Invalid inputs Well-formed inputs Security protocol implementation Abnormal behaviors Behaviors May expose

  1. SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH Zurich

  2. Motivation Input universe Invalid inputs Well-formed inputs Security protocol implementation Abnormal behaviors Behaviors May expose vulnerabilities 19.09.2015 Institute of Information Security / ETH Zurich 2

  3. Fuzz-testing Security Protocols Collect well-formed inputs  Internet Step 1  Source code (white-box)  Model (model-based) Mutate the inputs Step 2  Fuzz operators Execute the inputs and check for failures Step 3  E.g. memory errors, broken invariants 19.09.2015 Institute of Information Security / ETH Zurich 3

  4. Challenges Responder Initiator KE A , N A Fresh KE A , N A KE B , N B Fresh KE B , N B Enc(K, Auth) Compute key K = Hash(KE A , KE B , Secret) ... Challenges:  Encrypted messages  Security protocols are stateful  Messages are non-replayable 19.09.2015 Institute of Information Security / ETH Zurich 4

  5. System Under SecFuzz: Setting Test Initiator Responder Dynamic analysis Fuzzer Log file Key advantages:  Light-weight and modular approach  Fresh messages  Fuzzer can decrypt messages 19.09.2015 Institute of Information Security / ETH Zurich 5

  6. Input Mutation A fuzz operator:  Mutates a well-formed input.  The mutated input is likely to expose vulnerabilities. The fuzz operators should produce mutated inputs that expose common programming mistakes. 19.09.2015 Institute of Information Security / ETH Zurich 6

  7. Input Structure An input consists of:  a sequence of messages  a message consists of fields 19.09.2015 Institute of Information Security / ETH Zurich 7

  8. Fuzz operators  Message fuzz operators  Insert random (well-formed) message  Field fuzz operator  Insert random field  Remove field  Duplicate field  Modify field 19.09.2015 Institute of Information Security / ETH Zurich 8

  9. Fuzz-testing Security Protocols Collect well-formed inputs  Internet Step 1  Source code (white-box)  Model (model-based) Mutate the inputs Step 2  Fuzz operators Execute the inputs and check for failures Step 3  E.g. memory errors, broken invariants 19.09.2015 Institute of Information Security / ETH Zurich 9

  10. Detecting vulnerabilities SUT Initiator Responder Dynamic analysis Fuzzer Log file  The dynamic analysis monitors the SUT and reports failures.  Memory errors are a common source of vulnerabilities:  Tools: Valgrind's Memcheck, IBM's Purify 19.09.2015 Institute of Information Security / ETH Zurich 10

  11. Internet Key Exchange Case Study Experiment 1 Test subject: OpenSwan v2.6.35 Results: Discovered a previously unknown use-after-free vulnerability. Experiment 2 Test subject: ShrewSoft's VPN Client for Windows v2.1.7 Results: Discovered a previously unknown unhandled exception vulnerability . 19.09.2015 Institute of Information Security / ETH Zurich 11

  12. SUT Fuzz-testing OpenSwan OpenSwan OpenSwan (responder) (initiator) Valgrind SecFuzz Log file  SUT: OpenSwan v2.6.35  A popular IPSec implementation for Linux.  Dynamic analysis: Valgrind's Memcheck  Detects different types of memory access errors.  Fuzzer: SecFuzz , implemented using Python / Scapy. 19.09.2015 Institute of Information Security / ETH Zurich 12

  13. OpenSwan: IKE Implementation details SUT Initiator Responder Phase 1 Phase 1 state Propose SAs Crypto Access helper Done Accepted SA Ack SA established 19.09.2015 Institute of Information Security / ETH Zurich 13

  14. OpenSwan: Use-after-free Vulnerability SUT Initiator Responder Invalid memory access Phase 1 Freed Phase 1 Memory state Propose SAs Crypto Access helper Close Session The vulnerability was reported and a security patch was released in CVE-2011-4073. 19.09.2015 Institute of Information Security / ETH Zurich 14

  15. ShrewSoft's VPN Client: Unhandled Exception SUT Initiator Responder Propose SAs Accepted SA KE I : ”0123”, N I KE R : “\0”, N R Unhandled exception The vulnerability details will appear in CVE-2012-0784. 19.09.2015 Institute of Information Security / ETH Zurich 15

  16. Related Approaches Key Requirements:  Stateful exploration  Encryption handling Approach Model-based White-box SecFuzz Task Generate inputs Needs a model Needs the Needs a running source code implementation Execute inputs Concretization Solve crypto Immediate constraints 19.09.2015 Institute of Information Security / ETH Zurich 16

  17. 19.09.2015 Institute of Information Security / ETH Zurich 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

Empowering Security Teams ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure EDSA Certification Communication/Network Robustness Testing (CRT) CRT examines the capability of the device to

859 views • 33 slides
Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory

812 views • 42 slides
Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 1 / 21 Introduction What is this lecture about? How do we find bugs in programs? ... by

363 views • 21 slides
RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

3/31/17 TOPICS 2 RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing: selection, prioritization T est input generation CS580A5 SPRING 2017 Fault localization SUDIPTO GHOSH Automatic program

276 views • 3 slides
Fuzz Testing for Fun and Profit Presented by:

Fuzz Testing for Fun and Profit Presented by:

W3 Testing at Scale Wednesday, October 2nd, 2019 11:30 AM Fuzz Testing for Fun and Profit Presented by: Melissa Benua

441 views • 11 slides
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin (Microsoft Center for Software Excellence) David Molnar (UC Berkeley & MSR) Fuzz Testing Send random data to application B.

366 views • 36 slides
TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean

TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean

TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean Queens University, Canada Linguistic Security Testing for Textual Protocols Goals and History 1. Protocol Tester Protocol Tester Group

720 views • 17 slides
Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS & IoT Roland Groz, Jean-Luc Richier, Maxime Puys, Laurent Mounier Univ. Grenoble Alpes LIG/Vasco + Vrimag/PACSS Kobe Universit

1.02k views • 33 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungyoung Lee, Youngtae Yun, Taesoo Kim USENIX Annual Technical Conference July 14, 2017 The Affiliated Institute of ETRI

812 views • 46 slides
LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity Oss-Fuzz Overview Continuous Fuzzing of our import filters Thanks to Google we get to use their infrastructure and resources

542 views • 26 slides
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han , Byunggil Joe, Byoungyoung Lee * , Chengyu Song , Insik Shin KAIST, * Purdue, UCR 1 Memory error glibc: getaddrinfo Heartbleed Shellshock

659 views • 47 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Harvesting Logs and Events Using MetaCentrum Virtualization Services Radoslav Bod, Daniel

Harvesting Logs and Events Using MetaCentrum Virtualization Services Radoslav Bod, Daniel

Harvesting Logs and Events Using MetaCentrum Virtualization Services Radoslav Bod, Daniel Kouil CESNET EGI Community Forum, April 2013 Agenda Introduction Collecting logs Log Processing Advanced analysis Resume

601 views • 44 slides
2 Workloa d? 3 OLTP 4 OLAP OLTP 4 OLAP OLTP Streaming 4 Scan- OLAP OLTP Streaming

2 Workloa d? 3 OLTP 4 OLAP OLTP 4 OLAP OLTP Streaming 4 Scan- OLAP OLTP Streaming

2 Workloa d? 3 OLTP 4 OLAP OLTP 4 OLAP OLTP Streaming 4 Scan- OLAP OLTP Streaming oriented 4 Scan- OLAP OLTP Streaming Archiving oriented 4 Scan- Log- OLAP OLTP Streaming Archiving processing oriented 4 Scan- Log-

1.09k views • 105 slides
Creating LaTeX and HTML documents from within Stata using texdoc and webdoc Ben Jann University

Creating LaTeX and HTML documents from within Stata using texdoc and webdoc Ben Jann University

Creating LaTeX and HTML documents from within Stata using texdoc and webdoc Ben Jann University of Bern, ben.jann@soz.unibe.ch Nordic and Baltic Stata Users Group meeting Oslo, September 13, 2016 Ben Jann (University of Bern) texdoc/webdoc

563 views • 22 slides
Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log Analyzer kees@neo4j.com Query Log dbms.logs.query.enabled=true # If the execution of query takes more time than this threshold, # the query is

1.12k views • 27 slides
Investigation into file size distribution and its effect on disk server performance Brain Davies

Investigation into file size distribution and its effect on disk server performance Brain Davies

Investigation into file size distribution and its effect on disk server performance Brain Davies STFC Rutherford Appleton Laboratory Your university or experiment logo here The Issue and Problem Site needs to drain hardware for

306 views • 7 slides
MapReduce Andrew Crotty Alex Galakatos What is MapReduce? MapReduce is a framework for:

MapReduce Andrew Crotty Alex Galakatos What is MapReduce? MapReduce is a framework for:

MapReduce Andrew Crotty Alex Galakatos What is MapReduce? MapReduce is a framework for: parallelizable problems large datasets cluster/grid computing Background Google project Implemented many special-purpose computations

373 views • 26 slides
Precimonious & HiFPTuner Tuning Assistant for Floating-Point Precision Ignacio Laguna,

Precimonious & HiFPTuner Tuning Assistant for Floating-Point Precision Ignacio Laguna,

Precimonious & HiFPTuner Tuning Assistant for Floating-Point Precision Ignacio Laguna, Harshitha Menon Lawrence Livermore National Laboratory Michael Bentley, Ian Briggs, Pavel Panchekha, Ganesh Gopalakrishnan University of Utah Hui Guo,

1.11k views • 45 slides
Towards a Methodology for Benchmarking Edge Processing Frameworks Pedro Silva, Alexandru Costan,

Towards a Methodology for Benchmarking Edge Processing Frameworks Pedro Silva, Alexandru Costan,

Towards a Methodology for Benchmarking Edge Processing Frameworks Pedro Silva, Alexandru Costan, Gabriel Antoniu Inria, IRISA France Invited Talk, BenchCouncil19, Denver, November 2019 Data Shifts to the Edge By 2022 Gartner predicts that

332 views • 21 slides

More recommend