Fuzzing And The SDL - PowerPoint PPT Presentation

Presentation Transcript

  1. MSDN Webcast - SDL Process Fuzzing And The SDL

  2. Agenda • Fuzzing & The SDL • Integration of fuzzing • Importance of fuzzing Michael Eddington Déjà vu Security mike@dejavusecurity.com

  3. How Fuzzers Work (Dumb) [diagram]

  4. How Fuzzers Work (Smart) [diagram]

  5. All about the bugs! • …Or really Bug Cost… • Fuzzing is about finding bugs • Fuzzing is repeatable • Integrate into automated testing • Fuzzing *should* be easy on the wallet • Cost per Bug

  6. What are we finding? • Bugs that cause crashes and access violations • Memory corruption • Overflows • Type issues • DoS issues • Memory consumption • Process hangs

  7. Who uses fuzzing? • Security researchers • Majority of publicly released bugs • Top software firms in their SDL • Microsoft • Adobe • Etc.

  8. What is SDL? Microsoft’s Security Development Lifecycle • Integration of security into the development life cycle • Microsoft uses the SDL on all shipping products

  9. SDL Phases
  • Requirements: Security kickoff; Training
  • Design: Best practices; Threat modeling; Architecture review
  • Implementation: Use security dev tools; Best practices; Security tools built
  • Verification: Security response plan; Security push; Pen testing; Source review; Fuzzing
  • Release: Support & servicing; Response execution; Security servicing

  10. Fuzzing & SDL • Microsoft requires fuzzing on: • Non-executable file formats • Protocol stacks, RPC, DCOM, etc. • Basically, any parser that operates on data originating from a lesser-privileged principal (i.e. data that crosses a trust boundary) • Fuzzing is integrated into the Verification phase and the security push

  11. Fuzzing & SDL • Deterministic fuzzing: the full run (every mutation the fuzzer can produce) is required • Non-deterministic (“random”) fuzzing: run until 250,000 to 500,000 iterations have passed with no new faults • No recommendation on minimum code coverage
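The two fuzzer styles sketched on slides 3 and 4 and the stopping rule on slide 11 fit in one small harness. The following is an added example written for this page; it is not Peach, MiniFuzz, or any code from the webcast. The target (`parse_records`, a toy tag-length-value parser with deliberately planted bugs), the seed input, the mutation and generation strategies, and the fault-bucketing by exception type plus faulting line are all constructed for the demo. The dumb fuzzer mutates bytes of a known-good input with no idea of the format; the smart fuzzer generates records from a model of the format and pushes one field off-spec at a time. Both run until `quiet_limit` consecutive iterations add no new fault bucket (the slide's figure is 250,000 to 500,000; the demo uses a few thousand), and every saved crash input is re-run to confirm the finding is repeatable, which is what makes it usable in automated testing.

```python
"""Added demo harness: dumb (mutation) and smart (model-based) fuzzing of a
constructed TLV parser under the "N quiet iterations" stopping rule.
Not Peach or any product code; every name here is an assumption of the demo."""
import random
import struct
import traceback


def parse_records(data: bytes) -> list:
    """Constructed target: parses [tag][len][value] records. Deliberately
    buggy so the fuzzers have something to find."""
    records = []
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]                 # bug: no check that a length byte exists
        value = data[i + 2:i + 2 + length]   # silently short when the input is truncated
        if tag == 0x01:
            value.decode("ascii")            # bug: non-ASCII raises instead of being rejected
        elif tag == 0x02:
            struct.unpack("<I", value)       # bug: assumes exactly four value bytes
        records.append((tag, value))
        i += 2 + length
    return records


# Known-good seed for the dumb fuzzer: one name record, one count record.
SEED_INPUT = bytes([0x01, 3]) + b"abc" + bytes([0x02, 4]) + struct.pack("<I", 7)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Dumb fuzzer: structure-unaware byte mutations of a known-good input."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    if op == 0:                                      # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:                                    # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif op == 2:                                    # truncate
        del buf[rng.randrange(1, len(buf)):]
    else:                                            # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def generate(rng: random.Random) -> bytes:
    """Smart fuzzer: a model of the TLV format emits mostly well-formed records
    and deliberately lies about the length field some of the time."""
    out = bytearray()
    for _ in range(rng.randrange(1, 4)):
        tag = rng.choice([0x01, 0x02, rng.randrange(256)])
        value = bytes(rng.randrange(256) for _ in range(rng.randrange(6)))
        length = rng.choice([len(value), 0, len(value) + 1, 0xFF])
        out += bytes([tag, length]) + value
    return bytes(out)


def fault_signature(exc: BaseException) -> tuple:
    """Bucket a fault by exception type and the parser line that raised it,
    so repeated hits of one bug are not counted as new finds."""
    frames = [f for f in traceback.extract_tb(exc.__traceback__)
              if f.name == "parse_records"]
    line = frames[-1].lineno if frames else None
    return (f"{type(exc).__module__}.{type(exc).__name__}", line)


def fuzz(make_input, quiet_limit: int, max_iters: int = 200_000, seed: int = 1):
    """Run make_input(rng) against the parser until quiet_limit consecutive
    iterations add no new fault bucket. Returns ({signature: repro}, iterations)."""
    rng = random.Random(seed)           # fixed seed: the whole run is reproducible
    faults = {}
    since_new = iters = 0
    while iters < max_iters and since_new < quiet_limit:
        data = make_input(rng)
        iters += 1
        try:
            parse_records(data)
            since_new += 1
        except Exception as exc:
            sig = fault_signature(exc)
            if sig in faults:
                since_new += 1
            else:
                faults[sig] = data      # keep the first repro for the bug report
                since_new = 0
    return faults, iters


def reproduces(faults: dict) -> bool:
    """Repeatability check: every saved input must re-trigger its own bucket."""
    for sig, data in faults.items():
        try:
            parse_records(data)
            return False
        except Exception as exc:
            if fault_signature(exc) != sig:
                return False
    return True


def dumb_fuzzer(rng: random.Random) -> bytes:
    return mutate(SEED_INPUT, rng)


if __name__ == "__main__":
    for name, strategy in (("dumb", dumb_fuzzer), ("smart", generate)):
        faults, iters = fuzz(strategy, quiet_limit=3000)
        print(f"{name}: {len(faults)} fault buckets after {iters} iterations")
        for sig, data in faults.items():
            print(f"  {sig}  repro={data.hex()}")
```

Bucketing by exception type and faulting line is the Python stand-in for what a native-code harness does with the crash address and exception code; without some dedup like it, the quiet counter never advances past the first bug and the run never ends. Raising `quiet_limit` toward the slide's 250,000 to 500,000 makes the run take minutes instead of seconds on this toy parser, which is the point of the rule: the expensive part of random fuzzing is proving the absence of further faults, not finding the first few.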

  12. Fuzzing & SDL • Complements the other verification elements • Does not replace penetration testing • Does not replace source code review • Long-term, repeatable process • The initial investment (models, harnesses) should be re-usable

  13. Numerous Fuzzing Options
  • Open Source: Peach; Sulley; Fuzzware; MiniFuzz; etc.
  • Commercial: beSTORM; Codenomicon; Mu Security

  14. Open Source vs. Commercial
  • Open Source: Custom formats; Custom protocols; Zero upfront cost; Hidden costs: developing models, support/training
  • Commercial: Existing well-known file formats or network protocols (graphics formats, video formats, common protocols); Upfront costs: $15K to $100K

  15. Thanks! Michael Eddington Leviathan Security Group, inc. mike@dejavusecurity.com http://phed.org http://peachfuzzer.com http://dejavusecurity.com