secfuzz fuzz testing security protocols
play

SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad - PowerPoint PPT Presentation

May 23, 2023 •277 likes •454 views

SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH Zurich Motivation Input universe Invalid inputs Well-formed inputs Security protocol implementation Abnormal behaviors Behaviors May expose

  1. SECFUZZ: Fuzz-testing Security Protocols Petar Tsankov, Mohammad Torabi Dashti, David Basin ETH Zurich

  2. Motivation Input universe Invalid inputs Well-formed inputs Security protocol implementation Abnormal behaviors Behaviors May expose vulnerabilities 19.09.2015 Institute of Information Security / ETH Zurich 2

  3. Fuzz-testing Security Protocols Collect well-formed inputs  Internet Step 1  Source code (white-box)  Model (model-based) Mutate the inputs Step 2  Fuzz operators Execute the inputs and check for failures Step 3  E.g. memory errors, broken invariants 19.09.2015 Institute of Information Security / ETH Zurich 3

  4. Challenges Responder Initiator KE A , N A Fresh KE A , N A KE B , N B Fresh KE B , N B Enc(K, Auth) Compute key K = Hash(KE A , KE B , Secret) ... Challenges:  Encrypted messages  Security protocols are stateful  Messages are non-replayable 19.09.2015 Institute of Information Security / ETH Zurich 4

  5. System Under SecFuzz: Setting Test Initiator Responder Dynamic analysis Fuzzer Log file Key advantages:  Light-weight and modular approach  Fresh messages  Fuzzer can decrypt messages 19.09.2015 Institute of Information Security / ETH Zurich 5

  6. Input Mutation A fuzz operator:  Mutates a well-formed input.  The mutated input is likely to expose vulnerabilities. The fuzz operators should produce mutated inputs that expose common programming mistakes. 19.09.2015 Institute of Information Security / ETH Zurich 6

  7. Input Structure An input consists of:  a sequence of messages  a message consists of fields 19.09.2015 Institute of Information Security / ETH Zurich 7

  8. Fuzz operators  Message fuzz operators  Insert random (well-formed) message  Field fuzz operator  Insert random field  Remove field  Duplicate field  Modify field 19.09.2015 Institute of Information Security / ETH Zurich 8

  9. Fuzz-testing Security Protocols Collect well-formed inputs  Internet Step 1  Source code (white-box)  Model (model-based) Mutate the inputs Step 2  Fuzz operators Execute the inputs and check for failures Step 3  E.g. memory errors, broken invariants 19.09.2015 Institute of Information Security / ETH Zurich 9

  10. Detecting vulnerabilities SUT Initiator Responder Dynamic analysis Fuzzer Log file  The dynamic analysis monitors the SUT and reports failures.  Memory errors are a common source of vulnerabilities:  Tools: Valgrind's Memcheck, IBM's Purify 19.09.2015 Institute of Information Security / ETH Zurich 10

  11. Internet Key Exchange Case Study Experiment 1 Test subject: OpenSwan v2.6.35 Results: Discovered a previously unknown use-after-free vulnerability. Experiment 2 Test subject: ShrewSoft's VPN Client for Windows v2.1.7 Results: Discovered a previously unknown unhandled exception vulnerability . 19.09.2015 Institute of Information Security / ETH Zurich 11

  12. SUT Fuzz-testing OpenSwan OpenSwan OpenSwan (responder) (initiator) Valgrind SecFuzz Log file  SUT: OpenSwan v2.6.35  A popular IPSec implementation for Linux.  Dynamic analysis: Valgrind's Memcheck  Detects different types of memory access errors.  Fuzzer: SecFuzz , implemented using Python / Scapy. 19.09.2015 Institute of Information Security / ETH Zurich 12

  13. OpenSwan: IKE Implementation details SUT Initiator Responder Phase 1 Phase 1 state Propose SAs Crypto Access helper Done Accepted SA Ack SA established 19.09.2015 Institute of Information Security / ETH Zurich 13

  14. OpenSwan: Use-after-free Vulnerability SUT Initiator Responder Invalid memory access Phase 1 Freed Phase 1 Memory state Propose SAs Crypto Access helper Close Session The vulnerability was reported and a security patch was released in CVE-2011-4073. 19.09.2015 Institute of Information Security / ETH Zurich 14

  15. ShrewSoft's VPN Client: Unhandled Exception SUT Initiator Responder Propose SAs Accepted SA KE I : ”0123”, N I KE R : “\0”, N R Unhandled exception The vulnerability details will appear in CVE-2012-0784. 19.09.2015 Institute of Information Security / ETH Zurich 15

  16. Related Approaches Key Requirements:  Stateful exploration  Encryption handling Approach Model-based White-box SecFuzz Task Generate inputs Needs a model Needs the Needs a running source code implementation Execute inputs Concretization Solve crypto Immediate constraints 19.09.2015 Institute of Information Security / ETH Zurich 16

  17. 19.09.2015 Institute of Information Security / ETH Zurich 17

Recommend

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

Empowering Security Teams ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure EDSA Certification Communication/Network Robustness Testing (CRT) CRT examines the capability of the device to

859 views • 33 slides
Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure

Advanced Systems Security Fuzz Testing Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory

812 views • 42 slides
Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert

Software Security Dynamic analysis and fuzz testing Bhargava Shastry Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 1 / 21 Introduction What is this lecture about? How do we find bugs in programs? ... by

363 views • 21 slides
RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing:

3/31/17 TOPICS 2 RESEARCH TOPICS Metamorphic testing OVERVIEW Fuzz testing Regression testing: selection, prioritization T est input generation CS580A5 SPRING 2017 Fault localization SUDIPTO GHOSH Automatic program

276 views • 3 slides
Fuzz Testing for Fun and Profit Presented by:

Fuzz Testing for Fun and Profit Presented by:

W3 Testing at Scale Wednesday, October 2nd, 2019 11:30 AM Fuzz Testing for Fun and Profit Presented by: Melissa Benua

441 views • 11 slides
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin (Microsoft Center for Software Excellence) David Molnar (UC Berkeley & MSR) Fuzz Testing Send random data to application B.

366 views • 36 slides
TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean

TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean

TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean Queens University, Canada Linguistic Security Testing for Textual Protocols Goals and History 1. Protocol Tester Protocol Tester Group

720 views • 17 slides
Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS

Testing security of CPS with Formal Methods Application (in progress) to industrial protocols IoS & IoT Roland Groz, Jean-Luc Richier, Maxime Puys, Laurent Mounier Univ. Grenoble Alpes LIG/Vasco + Vrimag/PACSS Kobe Universit

1.02k views • 33 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho

CAB-Fuzz: Practical Concolic Testing Techniques for COTS Operating Systems Su Yong Kim, Sangho Lee, Insu Yun, Wen Xu, Byoungyoung Lee, Youngtae Yun, Taesoo Kim USENIX Annual Technical Conference July 14, 2017 The Affiliated Institute of ETRI

812 views • 46 slides
LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity

LibreOffice oss-fuzz, crashtesting, coverity Overview Oss-Fuzz Crashtesting Coverity Oss-Fuzz Overview Continuous Fuzzing of our import filters Thanks to Google we get to use their infrastructure and resources

542 views • 26 slides
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han ,

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han , Byunggil Joe, Byoungyoung Lee * , Chengyu Song , Insik Shin KAIST, * Purdue, UCR 1 Memory error glibc: getaddrinfo Heartbleed Shellshock

659 views • 47 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Treatment Device Testing Protocols in the Garden State:

Treatment Device Testing Protocols in the Garden State:

Treatment Device Testing Protocols in the Garden State: Current Status of Laboratory Testing and Field Longevity Monitoring Washington Stormwater Center 2013

387 views • 16 slides
Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National University of Singapore 1 Thanks to organizers and ISSISP Steve Blackburn Adrian Herrera ISSISP Summer School 2018 Tony Hosking

1.17k views • 99 slides
Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides
Semi-valid Input Coverage for Fuzz Testjng Petar Tsankov , Mohammad Torabi Dashtj, David Basin

Semi-valid Input Coverage for Fuzz Testjng Petar Tsankov , Mohammad Torabi Dashtj, David Basin

Semi-valid Input Coverage for Fuzz Testjng Petar Tsankov , Mohammad Torabi Dashtj, David Basin Instjtute of Informatjon Security ETH Zurich Fuzz Testjng Testjng a PDF Viewer Pass / Fail PDF Viewer Valid inputs Test Oracle Are the PDF fjles

643 views • 39 slides

More recommend