security testing
play

Security Testing fuzzing protocol fuzzing m odel-based testing - PowerPoint PPT Presentation

Nov 29, 2022 •313 likes •865 views

Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen Testing Ingredients T ti I di t Two things are needed to test

  1. Security Testing fuzzing protocol fuzzing m odel-based testing autom ated reverse engineering autom ated reverse engineering Erik Poll Erik Poll Radboud University Nijmegen

  2. Testing Ingredients T ti I di t Two things are needed to test a SUT ( System Under Test) Two things are needed to test a SUT ( System Under Test) 1 . test suite , ie collection of input data 2 . a test oracle that decides if a test was ok or reveals an error, , i.e. some way to decide if the SUT behaves as we want A nice & simple test oracle: just seeing if the SUT crashes A nice & simple test oracle: just seeing if the SUT crashes Both defining test suite and test oracles can be a lot of work: for each individual test case the test oracle may need to be y tweaked by specifying exactly what should happen 2

  3. C Coverage Criteria C it i Measures of how good a test suite is Measures of how good a test suite is statement coverage • branch coverage • Statement coverage does not imply branch coverage; eg for g p y g ; g void f (int x, y) { if (x>0) {y++}; y--; } statement coverage needs 1 test case, branch coverage needs 2 More complex coverage criteria exists, eg MCDC (Modified • condition/ decision coverage) which is used in avionics g ) <#>

  4. P Possible Perverse Effect of Coverage Criteria ibl P Eff t f C C it i High coverage criteria may discourage defensive programming High coverage criteria may discourage defensive programming void m(File f){ if <security_check_fails> {throw (SecurityException)} try { <the main part of the method> } catch (SomeException) { <take some measures>; throw (SecurityException) } ( y p ) } } If th If the green defensive code is hard to trigger in tests, programmers d f i d i h d t t i i t t may be tempted (or forced) to remove it to improve coverage in testing... testing... 4

  5. S Security testing is HARD, in general it t ti i HARD i l Normal testing will look at right wanted behaviour for sensible Normal testing will look at right, wanted behaviour for sensible • • inputs, and some inputs on borderline conditions Security testing also involves looking for the wrong unwanted Security testing also involves looking for the wrong, unwanted • behaviour for really silly inputs Similarly, normal use of a system is more likely to reveal Si il l l f t i lik l t l • functional problems (users will complain) than than security problems (hackers won’t complain) 5

  6. S Security testing is HARD, in general it t ti i HARD i l all possible inputs normal . . . . input that triggers security bug . . . . inputs inputs 6

  7. JML JML annotations as test oracle t ti t t l Tools for runtime assertion checking of JML annotations can be used Tools for runtime assertion checking of JML annotations can be used when testing code instrumented with check to test annotations, which throw code instrumented with check to test annotations which throw • • special exceptions for violations effectively the annotations serve as test oracle effectively, the annotations serve as test oracle • • Benefits: Test oracle for free: you can test by sending random data T l f f b di d d • More precise and detailed feedback: adding • //@ invariant contents != null; //@ invariant contents != null; an application may crash with an Invariant Violation in line 18000 after 1 minute with runtime assertion checking, whereas otherwise it would crash NullpointerException in line 12000 after 5 minutes - pointing to the real origin of the problem, not the eventual effect 7

  8. S Symbolic Execution for test suites b li E ti f t t it Symbolic execution can be used to generate test suites with good Symbolic execution can be used to generate test suites with good • • coverage Basic idea symbolic execution: Basic idea symbolic execution: • instead of giving variables a concrete value (say 42), variables are given a symbolic value (say N), and the program is executed with i b li l ( N) d th i t d ith these symbolic values to see when certain program points are reached reached 8

  9. S Symbolic Execution b li E ti m(int x y){ m(int x,y){ x = x + y; y = y – x; if (2*y > 8) { .... ( y ) { } else if (3*x < 10){ ... } } 9

  10. S Symbolic Execution b li E ti m(int x y){ m(int x,y){ // let x == N and y == M // let x == N and y == M x = x + y; // x becomes N+M y = y – x; // y becomes M-(N+M) == -N if (2*y > 8) { .... ( y ) { // taken if 2*-N > 8, ie N < -4 // , } else if (3*x < 10){ ... // taken if N>=-4 and 3(M+N)<10 } } There are tools that given such sets of constraints try to produce test There are tools that, given such sets of constraints, try to produce test data that meets these constraints 10

  11. S Symbolic Execution b li E ti Symbolic execution can also be used for program verification: Symbolic execution can also be used for program verification: 1. symbolically execute a method (or piece of code) 2. assuming precondition (and invariant) on initial values, prove postcondition (and invariant) for final values p p ( ) 11

  12. 12 Fuzzing

  13. F Fuzzing i Fuzzing Fuzzing try really long inputs for string arguments to trigger segmentation faults and hence find buffer overflows faults and hence find buffer overflows Benefit: can be automated, because test suite of long inputs can be automatically generated, and test oracle is trivial: looking if the b t ti ll t d d t t l i t i i l l ki if th program crashes This original idea has been generalised to other settings: The general idea of fuzzing: using semi-random, automatically generated test data that is likely to trigger security problems g y gg y p 13

  14. Fuzzing in memory safe languages F i i f l For memory safe languages such as Java or C(+ + ) fuzzing can still For memory safe languages such as Java or C(+ + ), fuzzing can still reveal bugs in a VM, bytecode verifier, or libraries with native code Eg, fast graphics libraries often rely on native code Eg fast graphics libraries often rely on native code CVE reference: CVE-2007-0243 Release Date: 2007 01 17 Release Date: 2007-01-17 Sun Java JRE GIF Image Processing Buffer Overflow Vulnerability Critical: Highly critical Impact: System access Where: From remote g y p y Description: A vulnerability has been reported in Sun Java Runtime Environment (JRE), which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an i l bl t Th l bilit i d d t error when processing GIF images and can be exploited to cause a heap- based buffer overflow via a specially crafted GIF image with an image width of 0 width of 0. Successful exploitation allows execution of arbitrary code. 14

  15. Fil f File format fuzzing t f i Incorrectly formatted files or corner cases in file formats can cause Incorrectly formatted files, or corner cases in file formats can cause trouble Eg Eg GIF image with width 0 on previous slide • Microsoft Security Bulletin MS04-028 • Buffer Overrun in JPEG Processing (GDI+ ) Could Allow Code Execution Impact of Vulnerability : Remote Code Execution Maximum Severity Rating: Critical Recommendation: Customers should apply the update immediately Recommendation: Customers should apply the update immediately Root cause: a zero sized comment field, without content. 15

  16. F Fuzzing web-applications? i b li ti ? Could we fuzz a web application in the hope to find security flaws? Could we fuzz a web application in the hope to find security flaws? • • • SQL injection • XSS • ... What would be needed? • • test inputs that trigger these security flaws • test inputs that trigger these security flaws • some way of detecting if a security flaw occurred • looking at website response, or log files 16

  17. Fuzzing web-applications F i b li ti There are many tools to fuzz web-applications There are many tools to fuzz web-applications • • • Spike proxy, HP Webinspect, AppScan, WebScarab, Wapiti, w3af RFuzz WSFuzzer SPI Fuzzer Burp Mutilidae w3af, RFuzz, WSFuzzer, SPI Fuzzer Burp, Mutilidae, ... Some fuzzers crawl a website, generating traffic themselves, • other fuzzers modify traffic generated by some other means other fuzzers modify traffic generated by some other means. As usual, there will be false positives & negatives, eg • • false negative for SQL injection due to not recognizing some SQL database errors • false positives for XSS due to signalling a correctly quoted echoed response as XSS [ Frank van der Loo, Comparison of penentration testing tools for web applications, MSc thesis] 17

  18. P Protocol Fuzzing t l F i Protocol fuzzing based on known protocol format Protocol fuzzing based on known protocol format ie format of packets or messages Typical things to try in protocol fuzzing: trying out many/ all possible value for specific fields t i t / ll ibl l f ifi fi ld • esp undefined values, or values Reserved for Future Use (RFU) giving incorrect lengths, length that are zero, or payloads that are • too short/ long Tools for protocol fuzzing exist, eg SNOOZE Tools for protocol fuzzing exist, eg SNOOZE 18

  19. E Example : GSM protocol fuzzing l GSM t l f i GSM is a extremely rich & complicated protocol GSM is a extremely rich & complicated protocol • • 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied &amp; Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI

Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI

Alain MERLE CESTI LETI CEA Grenoble Alain.merle@cea.fr Security testing for hardware product : the security evaluations practice 1 DCIS/SASTI/CESTI Abstract What are you doing in ITSEFs ? Testing, Security testing, Attacks,

809 views • 23 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Security Testing beyond Functional Tests David Basin ETH Zurich June, 2017 Associated

Security Testing beyond Functional Tests David Basin ETH Zurich June, 2017 Associated

Security Testing beyond Functional Tests David Basin ETH Zurich June, 2017 Associated Publication: Mohammad Torabi Dashti, David Basin: Security Testing Beyond Functional Tests. ESSoS 2016. Security Testing

722 views • 38 slides
Software Security Process &amp; Testing a primer for quality professionals Fred Pinkett VP,

Software Security Process &amp; Testing a primer for quality professionals Fred Pinkett VP,

Software Security Process &amp; Testing a primer for quality professionals Fred Pinkett VP, Product Management Security Innovation About Security Innovation Application Security Experts 10+ years research on vulnerabilities Security

690 views • 49 slides
Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing Applying empirical results to reduce the cost of testing. Example: 2.5 year study ~ 20% lower test development cost and 20% - 50% better

479 views • 13 slides
Security Regression Addressing Security Regression by Unit Testing Christopher Grayson

Security Regression Addressing Security Regression by Unit Testing Christopher Grayson

Security Regression Addressing Security Regression by Unit Testing Christopher Grayson @_lavalamp Introduction WHOAMI ATL Web development Academic researcher Haxin all the things (but I rlllly like networks) Founder

472 views • 35 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director

Broadcasting your attack: Security testing DAB radio in cars Andy Davis, Research Director Image: computerworld.com.au Agenda Who am I and why am I interested in security testing DAB? Overview of DAB How do we broadcast DAB?

790 views • 33 slides
ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

Empowering Security Teams ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure EDSA Certification Communication/Network Robustness Testing (CRT) CRT examines the capability of the device to

859 views • 33 slides
Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz

Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz

Shuntaint: Emulation-based Security Testing for Formal Verification Bruno Luiz ramosblc@gmail.com Black Hat Europe 2009 Overview Give a brief overview of the emulation- based security testing Introduction to VEX Formalism

376 views • 26 slides
Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela

Model-Based Security M. Ochoa Verification and Testing for F. Bouquet Smart-Cards J. Bottela E.Fourneret J.Jurjens P. Yousefi ARES 2011 OUTLINE Introduction Background UMLsec Model-based Testing Security in smart-card

356 views • 17 slides
liab flexhomes environmentally sustainable container homes /liabme /liabme

liab flexhomes environmentally sustainable container homes /liabme /liabme

building using containers are 35% less expensive | 55% faster to build | 75% more eco-friendly liab flexhomes environmentally sustainable container homes /liabme /liabme /company/liab-flexhomes about us using sustainable refurbished

506 views • 22 slides
Gregory M. Kapfhammer Department of Computer Science Allegheny College

Gregory M. Kapfhammer Department of Computer Science Allegheny College

Introduction Challenges Potential Way Forward Conclusion Empirically Evaluating Regression Testing Techniques: Challenges, Solutions, and a Potential Way Forward Gregory M. Kapfhammer Department of Computer Science Allegheny College

1.34k views • 90 slides
REPORTING NOTES for Mr. Uwe Petry, Head of the Economic Affairs Division, Permanent Mission of

REPORTING NOTES for Mr. Uwe Petry, Head of the Economic Affairs Division, Permanent Mission of

TRADE AND DEVELOPMENT BOARD Investment, Enterprise and Development Commission Tenth session Geneva, 3 December 7 December 2018 Item 3 (a) - Report of the Multi-year Expert Meeting (MYEM) on Investment, Innovation and Entrepreneurship for

175 views • 5 slides
January March 2019 May 10, 2019 CEO Juha Kalliokoski Interim CFO Milla Krpnen Table of

January March 2019 May 10, 2019 CEO Juha Kalliokoski Interim CFO Milla Krpnen Table of

Kamux Quarterly Results Presentation January March 2019 May 10, 2019 CEO Juha Kalliokoski Interim CFO Milla Krpnen Table of Contents Quarterly Results Presentation Q1/2019 Outlook and Financial Q1/2019 in Brief Financial

533 views • 24 slides
The Great Depression of 1929-1933 Facts, Theories and Lessons Cesar E. Tamayo Econ541- Economics

The Great Depression of 1929-1933 Facts, Theories and Lessons Cesar E. Tamayo Econ541- Economics

The Great Depression of 1929-1933 Facts, Theories and Lessons Cesar E. Tamayo Econ541- Economics - Rutgers Rutgers April 29, 2013 C.E. Tamayo (Rutgers) The Great Depression 1 / 33 April 29, 2013 1 / 33 Program The Great Depression in a

1.51k views • 131 slides
Center of Online Resources for Exhibitors (C (CORE) 1 Success occurs when opportunity meets

Center of Online Resources for Exhibitors (C (CORE) 1 Success occurs when opportunity meets

Center of Online Resources for Exhibitors (C (CORE) 1 Success occurs when opportunity meets preparation . - Zig Ziglar 2 Agenda MapYourShow CORE: Event Services Manual, Sponsorship PROCESS EXPO Checklist Freight Service

392 views • 20 slides
Using Survey Data to Evaluate Student Success TxAHEA 2019 Dr. Dan Su, Executive Director of

Using Survey Data to Evaluate Student Success TxAHEA 2019 Dr. Dan Su, Executive Director of

Using Survey Data to Evaluate Student Success TxAHEA 2019 Dr. Dan Su, Executive Director of Institutional Effectiveness &amp; Research Mary Cheek, Institutional Effectiveness Officer Assessing student success Use results Define to seek

218 views • 20 slides
Manufacturas Carretera de Mallabias/n E-48260 Ermua -Spain- Tlf: (34)943171612 Fax:

Manufacturas Carretera de Mallabias/n E-48260 Ermua -Spain- Tlf: (34)943171612 Fax:

Manufacturas Carretera de Mallabias/n E-48260 Ermua -Spain- Tlf: (34)943171612 Fax: (34)943171679 Email:info@manufacturasges.com www.manufacturasges.com www.manufacturasges.com Ermua Spain - GES was founded in 1940. - During that time GES

479 views • 21 slides

More recommend