Transcript of "Best Practices in Product Security" (slide deck hosted at vtt.fi)
© CODENOMICON Confidential and Proprietary. 1
Best Practices in Product Security
for ICT/ICS
Ari Takanen CTO, Codenomicon
9 November, 2010
DEFEND. THEN DEPLOY.
Introduction to the topic
Traditionally, only hackers have used fuzzing to find bugs, sometimes even reporting some of the findings
More and more of the vulnerabilities found become traded zero-day exploits and are never reported publicly (Stuxnet is a good example)
As a solution, many product companies have started to integrate the same product security techniques into their software development:
• Static analysis tools automate code auditing
• Fuzzing tools automate security testing
Fuzzing Cycle: Agile or Waterfall
(diagram labels: Developer, Test team; code, build/test; report, remediate)
1 New code submitted for build
2 Integrated code tested for security and robustness with fuzzing suites
3 Test results, logs and environment variables sent to developers
4 Developers run fuzzers to validate, identify issues and remediate
Typical Fuzzing Process
(process diagram steps)
• Identify interfaces
• Input generation
• Sending inputs
• Target analysis
• Exception analysis
• Report
Secure Development Lifecycle
http://msdn.microsoft.com/en-us/security/dd219581.aspx
What Is Fuzzing? - The Original Definition
Just a few years ago, fuzzing was defined as:
“Fuzz testing or fuzzing is a software testing technique that provides random data (fuzz) to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted.”
From: http://en.wikipedia.org/wiki/Fuzz_testing
Robustness Testing = Smart Fuzzing
The name "robustness testing" has been used by ETSI and IEEE, probably since the early 80s
Since 1999, we have borrowed the term for our model-based negative testing
Also called:
• grammar testing
• syntax testing
Based on sending systematically broken (rarely random) inputs to software in order to crash it
Key Questions in regards to Fuzzing
Test coverage:
• Q: Which interfaces and protocols are tested?
• A: Understanding the threat model and the attack surface is the most critical starting point for fuzzing
• Q: How well is something tested?
• A1: Specification coverage describes how deep the fuzzer's knowledge of the tested interface is, and is typically represented by protocol models or protocol templates
• A2: Anomaly coverage describes how well each protocol element is tested, and is the hardest metric to measure
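To make "model-based negative testing" and the two coverage metrics concrete, here is an added example that is not part of the original deck or Codenomicon's tooling. It assumes a constructed protocol model (a Modbus/TCP Read Holding Registers request), applies a fixed set of anomaly classes to every modelled field, reports anomaly coverage, and runs the resulting cases through a defensive parser that must reject malformed frames without ever throwing.

```python
import struct

# Constructed protocol model (an assumption for this example): a Modbus/TCP
# Read Holding Registers request, big-endian fields (name, size in bytes, valid value).
MODEL = [
    ("transaction_id", 2, 1),
    ("protocol_id", 2, 0),    # must be 0 for Modbus
    ("length", 2, 6),         # bytes that follow: unit_id + function + 4 data bytes
    ("unit_id", 1, 1),
    ("function", 1, 3),       # 0x03 Read Holding Registers
    ("start_addr", 2, 0),
    ("quantity", 2, 1),       # 1..125 registers
]

# Anomaly classes applied to every field of the model: value = f(size, valid)
ANOMALIES = {
    "zero": lambda size, valid: 0,
    "max": lambda size, valid: (1 << (8 * size)) - 1,
    "plus_one": lambda size, valid: (valid + 1) & ((1 << (8 * size)) - 1),
    "high_bit": lambda size, valid: 1 << (8 * size - 1),
}

def build_frame(values):
    """Pack field values in model order into a big-endian byte string."""
    fmt = ">" + "".join("H" if size == 2 else "B" for _, size, _ in MODEL)
    return struct.pack(fmt, *(values[name] for name, _, _ in MODEL))

def generate_cases():
    """Model-based negative tests: one case per (field, anomaly), rest of frame valid."""
    valid = {name: value for name, _, value in MODEL}
    cases = []
    for name, size, value in MODEL:
        for anomaly, fn in ANOMALIES.items():
            mutated = dict(valid)
            mutated[name] = fn(size, value)
            cases.append((name, anomaly, build_frame(mutated)))
    return cases

def anomaly_coverage(cases):
    """Share of (field, anomaly) pairs exercised; 1.0 means every element got every anomaly."""
    return len({(f, a) for f, a, _ in cases}) / (len(MODEL) * len(ANOMALIES))

def parse_request(frame):
    """Defensive parser under test: returns a dict on success or an error string, never raises."""
    if len(frame) < 8:
        return "error: frame shorter than MBAP header + function code"
    tid, pid, length, uid, func = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        return "error: protocol id must be 0"
    if length != len(frame) - 6:
        return "error: length field disagrees with frame size"
    if func != 3 or length != 6:
        return "error: unsupported function or bad data length"
    start, qty = struct.unpack(">HH", frame[8:12])
    if not 1 <= qty <= 125 or start + qty > 0x10000:
        return "error: register range invalid"
    return {"tid": tid, "unit": uid, "start": start, "quantity": qty}
```

Some generated cases are still valid frames (for example "zero" on protocol_id), which is expected: anomaly coverage counts what was exercised, and the parser's job is only to never crash and to reject what the specification forbids.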
Industrial Protocols (diverse set)
SCADA specific:
• Modbus/IP
• Profinet/Profibus
• Ethernet/IP, DeviceNet, ControlNet
• DNP, DNPv3, ICCP
• UCA 2.0 and IEC61850 (including IEC 60870-5)
• Manufacturing Message Specification (MMS)
• OPC-UA (Binary and HTTP+SOAP+WSS)
More Industrial Protocols
Traditional Internet protocols widely used everywhere:
• IPv4 (ARP, UDP, TCP, ...)
• FTP
• HTTP
• SNMP
• RPC (DCERPC, Sun-RPC)
• SMB
• STP
• NTP
• BOOTP
• LLDP (802.1AB Metro Ethernet)
• RSTP - Rapid Spanning Tree Protocol
Then also wireless: WiFi, WiMAX
E2E Fuzzing: Fuzz the Entire System
Fuzzing needs to be conducted for the entire system, hence end-to-end (E2E).
Reduce downtime by testing for unknowns
A real-life-like test lab is always needed
Why Fuzzing? Product Comparisons?
The automotive industry (not any government) led the design of the crash test dummy
• Makes market comparisons between vehicles meaningful
Fuzzing "crash tests" software in a similar manner
• In ICT you are stuck with what you get; there are no updates to software
• Important to make market comparisons between software products
• Don't expect clean results
PROACTIVE SECURITY AND ROBUSTNESS SOLUTIONS
THANK YOU – QUESTIONS?
"Thrill to the excitement of the chase! Stalk bugs with care, methodology, and reason. Build traps for them. ... Testers! Break that software (as you must) and drive it to the ultimate - but don't enjoy the programmer's pain."
[from Boris Beizer]