ykpang beyondsecurity com fuzz testing for embedded
play

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security - PowerPoint PPT Presentation

Empowering Security Teams ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure EDSA Certification Communication/Network Robustness Testing (CRT) CRT examines the capability of the device to


  1. Empowering Security Teams ykpang@beyondsecurity.com

  2. Fuzz Testing for Embedded Device Security Assurance (EDSA)

  3. ISASecure EDSA Certification

  4. Communication/Network Robustness Testing (CRT) • “ CRT examines the capability of the device to • adequately maintain essential functions while being subjected to: • normal and erroneous network protocol traffic at normal to extremely high traffic rates (flood conditions). ISASecure.org • ANSI and IEEE have defined robustness as the degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions • - Wikipedia

  5. FUZZING RANDOM TESTING, BLACK BOX TESTING The standard definition of Fuzzing (according to the Standard Glossary of Software Engineering Terminology, IEEE ) is “ The degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions.”

  6. Fuzzing  Trigger system errors and faults by sending invalid data intentionally  The best way to find “zero day vulnerabilities”  Many global companies use fuzzing as part of the developing process Microsoft Security Development Lifecycle (SDL)

  7. For Programmers Inputs are the triggers for outputs OUTPUT LOGIC INPUT For Attackers Inputs trigger possible problems Unhandled (Unexpected) LOGIC INPUT Unexpected Consequence “Unexpected input causes unexpected results.” (Possible Vulnerability) (Michael Sutton)

  8. Test Coverage All the input space Vulnerable Unit test Unit s test Unit s Unit test test s s QA Code/Spec

  9. Smart and Dumb Fuzzing • Dumb Fuzzers • has no built-in intelligence about the program being fuzzed • generates completely random input

  10. Smart Fuzzers like beSTORM • has knowledge of the input format (e.g. a protocol definition or rules for a file format) • generates mostly valid input and only fuzz parts of the input within that known format

  11. beSTORM MAIN COMPONENTS beSTORM Client and Monitor module

  12. Protocol test coverage - beSTORM  Generate comprehensive test cases to cover the entire protocol  Crawl through the entire protocol tree (beSTORM combinatorically goes through all possible test cases)  With comprehensive test coverage, beSTORM detects all vulnerabilities

  13. Monitoring for Possible Vulnerabilities • A powerful monitor detects if even the slightest buffer overflow, format string, or memory exception occurs • Runs automatically until all test scenarios are exhausted, trying the most probable combinations first

  14. Other forms of Monitor – Waveform Monitor

  15. beSTORM main features Export a “Proof of Concept” Perl script  Recreate the vulnerabilities without needing beSTORM  Perl script is platform independent This site can not be reached

  16. ISCI EDSA ARP Testing Specs

  17. EDSA ARP Fuzzing Project Walkthru

  18. Select ARP fuzzing

  19. ARP Fuzz Testing Configuration

  20. Select EDSA ARP Test Requirements

  21. Select Built-in Monitor & Start

  22. ARP Load Testing Completed

  23. beSTORM REPORTING  Detailed result report

  24. Smart Fuzzers like beSTORM • has knowledge of the input format (e.g. a protocol definition or rules for a file format) • generates mostly valid input and only fuzz parts of the input within that known format

  25. Generation Fuzzer Working with 61850 MMS Protocol

  26. Snippets of 61850 MMS Scripts

  27. beSTORM USE CASES Critical Infrastructure, certified by the ISA Security Compliance Institute (ISCI) as an approved ‘CRT Test Tool’ for use in the ISASecure EDSAv1 and EDSAv2 beSTORM, used in the automotive industry for the new driverless security testing. Supports CANBus, CAN- FD,UDS, DoCAN, new generation of automotive head-end units and all types of ECUs Product Development and Lab Certification, Beyond Security is a member of the Microsoft SDL Pro Network that specialize in application security and have substantial experience and expertise with the methodology and technologies of the SDL

  28. FIND 0 DAYS WITH beSTORM LOCATE FAULTS AND SECURITY VULNERABILITIES Using Fuzzing method to detect zero day vulnerabilities before they are publicly discovered . TEST ANY TARGET • API • Servers • DLL • Clients • Libraries • Applications/Software • PLC • Hardware FULL TOOL SUITE 2 ND Generation fuzz engine • • Self Learning Module and Propriety software testing • System Under Test monitoring engines • Auto generation of proof of concept attacks • Easy to customize

  29. BeSTORM ADVANTAGES • Provides the highest control and transparency for your testing of any tool in the market • beSTORM, real fuzzing, and protocol description, field by field. No test cases, real Fuzzing! • Using the monitor, attach like a debugger, tells beSTORM there’s an exception and exactly where and when problem is found (step back and forth). Then export and exploit via Python. Engineering can then test offline • Monitor if application is answering with icmp ping, there’s also a process monitor, providing detailed additional DUT information. • Monitor via API, and when there’s a failure beSTORM can notify you via email • beSTORM consolidated reports shows: • exactly what problems were found. • Shows everything that was tested and why. • Shows all settings and tests that were done – Great for testing certification • Adjust t you our spee eed: adjust how many ses essio ions/sec. • lower speed for slow devices • Increase speed for time constraints, • Prioritize the parts of your protocols you want tested first • Change testing granularity • Proprietary protocols, smart and intuitive Self-Learning. Add your own protocols

  30. Thank you! KNOW THAT YOU’RE SAFE

Recommend


More recommend