Fuzzing to defuse APTs

by

13 July 2014
DDoS simulation

With advanced persistent threats (APTs) and other zero-day forces amassing, the IT security industry is re-working the old adage that attack is the best form of defence. The idea is for enterprises to ensure that their systems have been stress-tested for vulnerabilities and weaknesses and to have these rectified before the enemy strikes.

While organisations can keep themselves up to date with security technologies such as antivirus, firewalls and IPS/IDS (intrusion prevention/intrusion detection systems) and diligently install software patches to fortify themselves against known threats, it is the unidentified zero-day vulnerabilities that are really spooking them. The existence of these vulnerabilities is not known, so there are no defences against them. This leaves the enterprise exposed to APTs and other zero-day exploits.

A white paper published recently by Codenomicon (the Finnish security company that discovered the Heartbleed SSL vulnerability) expounds on the use of a black-box robustness-testing technique called fuzzing to mitigate these threats.

Fuzzing seeks to uncover unknown zero-day vulnerabilities by triggering them with unexpected inputs. If the system fails or errors are returned, there is an exploitable vulnerability in the software. “By finding zero day vulnerabilities proactively, networks can be made more robust against attacks, reducing the risk of advanced cyber attacks,” said the paper, co-written by Codenomicon’s Founder and Chief Research Officer Ari Takanen and Ami Juuso.

Because fuzzing requires thousands and even millions of misuse cases to be created for each use case, it usually involves some degree of automation: either mutating real-life inputs such as captured network traffic and files, or generating data elements from protocol models, or a combination of both.
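As an added illustration of the two input-generation strategies described above (this is not code from the Codenomicon paper or from any product named on this page), the following Python harness fuzzes a constructed toy protocol parser both by mutating a captured message and by generating cases from a protocol model. The protocol layout, the parser's length-handling bug and the seed message are all assumptions made for the example.

```python
import random
import struct

# Constructed toy protocol: 1-byte version, 2-byte big-endian payload length,
# then the payload. parse_message() is a deliberately fragile stand-in for the
# system under test: it trusts the declared length field.
def parse_message(data: bytes) -> dict:
    if len(data) < 3:
        raise ValueError("truncated header")        # expected, clean rejection
    version, length = data[0], struct.unpack(">H", data[1:3])[0]
    if version != 1:
        raise ValueError("unsupported version")     # expected, clean rejection
    payload = data[3:3 + length]
    # Bug: indexes with the declared length instead of the real payload size.
    return {"version": version, "last_byte": payload[length - 1]}


SEED_MESSAGE = b"\x01\x00\x04ping"  # a valid "captured" message (constructed)


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Mutation-based case: corrupt a real input (bit flip, insert, truncate)."""
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "truncate"))
    if op == "flip":
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:
        del data[rng.randrange(len(data) + 1):]
    return bytes(data)


def generate_from_model(payload: bytes):
    """Generation-based cases: the protocol model says the length field is
    interesting, so build messages with boundary values in that field."""
    for length in (0, 1, len(payload) + 1, 0xFFFF):
        yield bytes([1]) + struct.pack(">H", length) + payload


def fuzz(target, cases) -> list:
    """Run every case; ValueError is a clean rejection, anything else is a bug."""
    findings = []
    for case in cases:
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:  # crash-equivalent: unexpected failure
            findings.append((case, type(exc).__name__))
    return findings


def run_campaign(seed: int = 1, rounds: int = 500) -> list:
    """Combine model-generated and mutated cases, as the text describes."""
    rng = random.Random(seed)  # fixed seed so a finding can be reproduced
    cases = list(generate_from_model(b"ping"))
    cases += [mutate(SEED_MESSAGE, rng) for _ in range(rounds)]
    return fuzz(parse_message, cases)
```

Each finding pairs the exact input with the failure type, which is what a developer needs to reproduce and fix the defect before it is found by someone else.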

Powerful protocol fuzzers are used in security products such as Ixia BreakingPoint FireStorm to emulate malformed data or provide too much data to see if anything breaks. This will unveil vulnerabilities that will need to be fixed.

According to Ixia, BreakingPoint is able to simulate 120 Gbps of blended stateful application traffic, 90 million concurrent TCP sessions, 3 million TCP sessions per second and 24 Gbps of SSL bulk encryption with any cipher. The combination of authentic DoS and DDoS traffic with the network’s real-world mix of applications, exploits and malformed traffic will give enterprises insights into the effects of DDoS attacks on applications, individual devices, networks and the data centre as a whole.

Recommended best practices for fuzzing include making it an acceptance condition in software procurement, incorporating fuzzing throughout the software development process, and also carrying it out in the production environment. This last scenario should be handled with greater care as it is essentially simulating an attack on a live system, and should only be done after extensive testing and in the presence of support personnel, said Codenomicon.