MSDN Webcast - SDL Process Fuzzing And The SDL
Agenda
• Fuzzing & The SDL
• Integration of fuzzing
• Importance of fuzzing
Michael Eddington, Déjà vu Security, mike@dejavusecurity.com
How Fuzzers Work (Dumb) [diagram: FUZZER]
How Fuzzers Work (Smart) [diagram: FUZZER]
All about the bugs!
• …Or really Bug Cost…
• Fuzzing is about finding bugs
• Fuzzing is repeatable
• Integrate into automated testing
• Fuzzing *should* be easy on the wallet
• Cost per Bug
What are we finding?
• Bugs that cause crashes, access violations
  • Memory corruption
  • Overflows
  • Type issues
• DoS issues
  • Memory consumption
  • Process hangs
Who uses fuzzing?
• Security researchers
  • Majority of publicly released bugs
• Top software firms in their SDL
  • Microsoft
  • Adobe
  • Etc.
What is SDL?
Microsoft’s Secure Development Lifecycle
Integration of security into the development life cycle
Microsoft uses SDL on all shipping products
SDL Phases
• Requirements
  • Security kickoff
  • Training
• Design
  • Best practices
  • Threat modeling
  • Architecture review
• Implementation
  • Use security dev tools
  • Best practices
  • Security tools built
• Verification
  • Security response plan
  • Security push
  • Pen testing
  • Source review
  • Fuzzing
• Release
• Support & Servicing
  • Response execution
  • Security servicing
Fuzzing & SDL
• Microsoft requires fuzzing on:
  • Non-executable file formats
  • Protocol stacks, RPC, DCOM, etc.
  • Basically, any parser that operates on data that originates from a lesser privileged principal (i.e. crosses a trust boundary)
• Fuzzing is integrated into the Verification phase and the security push
Fuzzing & SDL
• Deterministic fuzzing
  • Full run required
• Non-deterministic “random” fuzzing
  • 250,000 to 500,000 iterations with no new faults
• No recommendation on minimum code coverage
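A minimal model-free ("dumb") mutation fuzzer that applies the stopping rule above, running until a configurable number of iterations pass with no new fault (the 250,000 to 500,000 figure, scaled down for a demo). This is an added example, not code from the webcast or from Peach; the target parser with its two planted bugs, the seed input and the boundary-value list are all constructed, and faults are bucketed by exception type and source line as a stand-in for crash-site deduplication.

```python
import random
import traceback

SEED = b"R\x03abc"                           # constructed seed: magic, length, payload
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # boundary values a dumb fuzzer tries

def toy_parser(data: bytes) -> int:
    """Constructed stand-in for a file-format parser, with two planted bugs."""
    if len(data) < 2 or data[:1] != b"R":
        raise ValueError("bad magic")        # clean rejection of bad input: not a fault
    length, payload = data[1], data[2:]
    checksum = payload[length - 1]           # bug 1: no bounds check -> IndexError
    total = sum(256 // b for b in payload[:length])  # bug 2: 0x00 byte -> ZeroDivisionError
    return total ^ checksum

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Model-free ('dumb') mutator: one to four random edits per test case."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:                 # overwrite a byte with a random value
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1 and data:               # overwrite a byte with a boundary value
            data[rng.randrange(len(data))] = rng.choice(INTERESTING)
        elif op == 2 and len(data) > 1:      # truncate the tail
            del data[rng.randrange(1, len(data)):]
        else:                                # insert a random byte anywhere
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)

def fuzz(target, seed, quiet_iterations, max_iterations, rng_seed=1, benign=(ValueError,)):
    """SDL rule: stop after `quiet_iterations` cases with no new fault bucket (or at max)."""
    rng = random.Random(rng_seed)            # fixed seed: the whole run is repeatable
    faults, since_new, iterations = {}, 0, 0
    while since_new < quiet_iterations and iterations < max_iterations:
        case = mutate(seed, rng)
        iterations += 1
        try:
            target(case)
        except benign:
            pass                             # expected rejection, keep counting
        except Exception as exc:             # anything else is a fault; bucket it
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            if key not in faults:
                faults[key] = case           # keep the repro for the bug report
                since_new = 0
                continue
        since_new += 1
    return faults, iterations
```

`fuzz(toy_parser, SEED, quiet_iterations=2000, max_iterations=100_000)` returns both planted faults with a reproducing input for each; a real harness swaps `toy_parser` for a call into the parser under test and a crash-capturing runner.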
Fuzzing & SDL
• Complements other verification elements
  • Does not replace penetration testing
  • Does not replace source code review
• Long-term repeatable process
  • Initial investment should be re-usable
Numerous Fuzzing Options
Open Source
• Peach
• Sulley
• Fuzzware
• MiniFuzz
• Etc.
Commercial
• beSTORM
• Codenomicon
• Mu Security
Open Source vs. Commercial
Open Source
• Custom formats
• Custom protocols
• Zero upfront cost
• Hidden costs
  • Developing models
  • Support/Training
Commercial
• Existing well-known file format or network protocol
  • Graphics formats
  • Video formats
  • Common protocols
• Upfront costs
  • $15K to $100K
Thanks!
Michael Eddington
Leviathan Security Group, inc.
mike@dejavusecurity.com
http://phed.org
http://peachfuzzer.com
http://dejavusecurity.com