MSDN Webcast - SDL Process. Agenda Fuzzing & The SDL Integration of fuzzing Importance of fuzzing...
FUZZING AND THE SDL
MSDN Webcast - SDL Process
Agenda
- Fuzzing & The SDL
- Integration of fuzzing
- Importance of fuzzing

Michael Eddington, Déjà vu Security, mike@dejavusecurity.com
How Fuzzers Work (Dumb)
[Diagram: FUZZER]
How Fuzzers Work (Smart)
[Diagram: FUZZER]
All about the bugs!
- …Or really Bug Cost…
- Fuzzing is about finding bugs
- Fuzzing is repeatable
  - Integrate into automated testing
- Fuzzing *should* be easy on the wallet
  - Cost per Bug
What are we finding?
- Bugs that cause crashes, access violations
  - Memory corruption
  - Overflows
  - Type issues
- DoS issues
  - Memory consumption
  - Process hangs
Who uses fuzzing?
- Security researchers
  - Majority of publicly released bugs
- Top software firms in their SDL
  - Microsoft
  - Adobe
  - Etc.
What is SDL?
- Microsoft’s Secure Development Lifecycle
- Integration of security into development life cycle
- Microsoft uses SDL on all shipping products
SDL Phases
- Requirements
  - Security Kickoff
  - Training
- Design
  - Best practices
  - Threat modeling
  - Architecture review
- Implementation
  - Use security dev tools
  - Best practices
  - Security tools built
- Verification
  - Security response plan
  - Security push
  - Pen testing
  - Source review
  - Fuzzing
- Release
- Support & Servicing
  - Response execution
  - Security servicing
Fuzzing & SDL
- Microsoft requires fuzzing on:
  - Non-executable file formats
  - Protocol stacks, RPC, DCOM, etc.
  - Basically, any parser that operates on data that originates from a lesser privileged principal (trust boundary)
- Fuzzing integrates into the Verification phase and the security push
Fuzzing & SDL
- Deterministic fuzzing
  - Full run required
- Non-deterministic “random” fuzzing
  - 250,000 to 500,000 iterations with no new faults
- No recommendation on minimum code coverage
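
An added example, not from the webcast or from any tool it names: a dumb mutation fuzzer whose stopping rule is the one on this slide, a fixed number of iterations with no new faults. The toy `parse_record` target, the bucketing of faults by exception type and all names are assumptions; `CLEAN_TARGET` uses the slide's lower figure.

```python
import random
import struct

CLEAN_TARGET = 250_000  # lower bound of the range quoted on the slide

def parse_record(data: bytes) -> int:
    """Constructed toy target: 'RC' magic, 2-byte big-endian length, payload."""
    if len(data) < 4 or data[:2] != b"RC":
        raise ValueError("bad header")      # clean rejection, not a fault
    (length,) = struct.unpack_from(">H", data, 2)
    payload = data[4:4 + length]
    last = payload[length - 1]              # bug: trusts the length field
    return 1000 // payload[0] + last        # bug: divides by an untrusted byte

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Dumb mutation: overwrite 1-3 random bytes, no format knowledge."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz_until_clean(target, seed, clean_target=CLEAN_TARGET, rng_seed=1):
    """Run until clean_target consecutive iterations yield no new fault."""
    rng = random.Random(rng_seed)
    faults = {}                 # fault bucket -> first input that hit it
    total = last_new_at = 0
    while total - last_new_at < clean_target:
        case = mutate(seed, rng)
        total += 1
        try:
            target(case)
        except ValueError:
            pass                # parser rejected the input as designed
        except Exception as exc:
            bucket = type(exc).__name__     # crude bucketing by exception type
            if bucket not in faults:
                faults[bucket] = case       # keep the reproducer
                last_new_at = total         # new fault: restart the clean count
    return faults, total, last_new_at

if __name__ == "__main__":
    seed = b"RC" + struct.pack(">H", 5) + b"hello"   # constructed valid sample
    faults, total, last_new_at = fuzz_until_clean(parse_record, seed)
    print(f"{total} iterations, last new fault at iteration {last_new_at}")
    for bucket, case in faults.items():
        print(bucket, case.hex())
```

Repeat hits on an already recorded bucket do not reset the count; only a previously unseen fault does, which is how "no new faults" is read here.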
Fuzzing & SDL
- Complements other verification elements
  - Does not replace Penetration Testing
  - Does not replace Source Code Review
- Long term repeatable process
  - Initial investment should be re-usable
Numerous Fuzzing Options
- Open Source
  - Peach
  - Sulley
  - Fuzzware
  - MiniFuzz
  - Etc.
- Commercial
  - beSTORM
  - Codenomicon
  - Mu Security
Open Source vs. Commercial
- Open Source
  - Custom formats
  - Custom protocols
  - Zero upfront cost
  - Hidden costs
    - Developing models
    - Support/Training
- Commercial
  - Existing well known file format or network protocol
    - Graphics formats
    - Video formats
    - Common protocols
  - Upfront costs
    - $15K to $100K
Thanks!
Michael Eddington, Leviathan Security Group, [email protected]
http://phed.org
http://peachfuzzer.com
http://dejavusecurity.com