1 / 12

Introduction to Security Testing

Introduction to Security Testing. Shawn Hernan Security Program Manager Security Engineering and Communication. Actual software functionality. Traditional faults. Weak authn. BO in authn. No authn. Extra ‘functionality’. Poor Defenses. Missing Defenses. Intended functionality.

bijan
Download Presentation

Introduction to Security Testing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Security Testing Shawn Hernan Security Program Manager Security Engineering and Communication

  2. Actualsoftwarefunctionality Traditionalfaults Weak authn BO in authn No authn Extra‘functionality’ PoorDefenses Missing Defenses Intendedfunctionality Unintended,undocumentedor unknown functionality Security Testing

  3. Δ Testing Like an Attacker:‘Footprint’ the Application

  4. Fuzz Testing • Fuzz Testing is the methodical application of malformed data in a search for vulnerabilities • Find security & reliability issues efficiently

  5. How to Fuzz (1 of 4) • Determine all the entry points to your code • Network ports and protocols • Files and file types • Rank them by privilege level and accessibility • Anonymous, user, admin • Remote, local • Run your app under Application Verifier

  6. How to Fuzz (2 of 4) • For ALL file formats you consume • Build a collection of valid files • Tweak a file at random using a tool • Load the file into your application • Observe! • Crash? Memory spike? • For all network ports • Use a rogue client/server

  7. How to Fuzz (3 of 4) • Examples of ‘tweaking’ a file • Write a random series of bytes • Flip two adjacent bytes • Look for ASCII/Unicode text and then set the trailing NULL to non-NULL • Set size values to random numbers • Set integer to negative number • Etc…

  8. How to Fuzz (4 of 4) • Network fuzzing • Build a rogue front-end to your app (client and server) • Tweak bits at random Server Client ‘pure evil’

  9. Attack Ideas • Rule #1 – There are no rules • If you provide a client to access the server, don’t use it! • Mimic the client in code • If you rely on a specific service, build a bogus one

  10. “Bang for the Buck” Attack Ideas • Consume files? • Try device names and ‘..’ • Look for: hangs, access to other files • Fuzz data structures • Look for: AVs or memory leaks (appverifier) • Look for PII data in information disclosure threats • grep for ‘should’ and ‘assume’ in the code :) • ActiveX (especially Safe For Scripting) • Look at each method/property and ask, “What could a bad guy do?”

  11. Admin: Full ControlEveryone: Read Everyone: Write SYSTEM “Bang for the Buck” Attack Ideas • Look for privilege-elevation boundaries • Pushing data from low-priv to high-priv process

  12. Security Testing Checklist • Use fuzzers for all consumed resources (files, net protocols etc.) • 100,000 iterations per data type • Tools! Tools! Tools!

More Related