MSDN Webcast - SDL Process. Agenda Fuzzing & The SDL Integration of fuzzing Importance of fuzzing...


Page 1: MSDN Webcast - SDL Process. Agenda  Fuzzing & The SDL  Integration of fuzzing  Importance of fuzzing Michael Eddington Déjà vu Security mike@dejavusecurity.com.

FUZZING AND THE SDL
MSDN Webcast - SDL Process

Agenda

- Fuzzing & The SDL
- Integration of fuzzing
- Importance of fuzzing

Michael Eddington
Déjà vu Security
mike@dejavusecurity.com

How Fuzzers Work (Dumb)

[Diagram: FUZZER]

How Fuzzers Work (Smart)

[Diagram: FUZZER]

All about the bugs!

…Or really Bug Cost…

- Fuzzing is about finding bugs
- Fuzzing is repeatable
  - Integrate into automated testing
- Fuzzing *should* be easy on the wallet
  - Cost per Bug

What are we finding?

- Bugs that cause crashes, access violations
  - Memory corruption
  - Overflows
  - Type issues
- DOS issues
  - Memory consumption
  - Process Hangs

Who uses fuzzing?

- Security researchers
  - Majority of publicly released bugs
- Top software firms in their SDL
  - Microsoft
  - Adobe
  - Etc.

What is SDL?

Microsoft’s Secure Development Lifecycle

Integration of security into development life cycle

Microsoft uses SDL on all shipping products

SDL Phases

- Requirements: Security Kickoff, Training
- Design: Best practices, Threat modeling, Architecture review
- Implementation: Use security dev tools, Best practices, Security tools built
- Verification: Security response plan, Security push, Pen testing, Source review, Fuzzing
- Release
- Support & Servicing: Response execution, Security servicing

Fuzzing & SDL

- Microsoft requires fuzzing on:
  - Non-executable file formats
  - Protocol stacks, RPC, DCOM, etc.
  - Basically, any parser that operates on data that originates from a lesser privileged principal (trust boundary)
- Fuzzing integrates into the Verification phase and the security push

Fuzzing & SDL

- Deterministic fuzzing
  - Full run required
- Non-deterministic “random” fuzzing
  - 250,000 to 500,000 iterations with no new faults
- No recommendation on minimum code coverage
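
An added example, not part of the webcast, of the random-fuzzing exit criterion above: a seeded mutation fuzzer that stops only after a set number of consecutive iterations produce no new fault. The TLV format, `parse`, `fuzz_until_clean`, and the bucketing of faults by exception type and line are assumptions made for illustration, as is restarting the count on each new fault.

```python
import random
import struct
import traceback

class Rejected(Exception):
    """Input refused cleanly by the parser; not a fault."""
SEED = b"TL\x01\x04\x00\x00\x00\x2a\x03\x01\x05"  # constructed sample input

def parse(data: bytes) -> int:
    """Hypothetical TLV parser that trusts its length and value fields."""
    if data[:2] != b"TL":
        raise Rejected("bad magic")
    pos, total = 2, 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]     # unchecked header read
        body = data[pos + 2 : pos + 2 + length]
        if tag == 1:
            total += struct.unpack(">I", body)[0]  # assumes length == 4
        elif tag == 3:
            total += 1000 // body[0]               # assumes non-empty, non-zero
        pos += 2 + length
    return total

def fuzz_until_clean(seed: bytes, threshold: int, rng_seed: int = 0):
    """Mutate `seed` until `threshold` iterations in a row add no new fault."""
    rng = random.Random(rng_seed)                  # fixed seed: repeatable run
    faults, clean, total = {}, 0, 0
    while clean < threshold:
        sample = bytearray(seed)
        for _ in range(rng.randint(1, 3)):         # overwrite 1-3 random bytes
            sample[rng.randrange(len(sample))] = rng.randrange(256)
        total += 1
        key = None
        try:
            parse(bytes(sample))
        except Rejected:
            pass
        except Exception as exc:                   # bucket: type + faulting line
            key = (type(exc), traceback.extract_tb(exc.__traceback__)[-1].lineno)
        if key is None or key in faults:
            clean += 1                             # nothing new this iteration
        else:
            faults[key] = bytes(sample)            # keep a reproducer
            clean = 0                              # new fault restarts the count
    return faults, total

if __name__ == "__main__":
    found, iterations = fuzz_until_clean(SEED, threshold=250_000)
    print(iterations, sorted((t.__name__, line) for t, line in found))
```

With the same `rng_seed`, a larger threshold replays the shorter run and then keeps going, so its fault set is always a superset of the shorter run's.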

Fuzzing & SDL

- Complements other verification elements
  - Does not replace Penetration Testing
  - Does not replace Source Code Review
- Long term repeatable process
  - Initial investment should be re-usable

Numerous Fuzzing Options

Open Source:
- Peach
- Sulley
- Fuzzware
- MiniFuzz
- Etc.

Commercial:
- beSTORM
- Codenomicon
- Mu Security

Open Source vs. Commercial

Open Source:
- Custom formats
- Custom protocols
- Zero upfront cost
- Hidden costs
  - Developing models
  - Support/Training

Commercial:
- Existing well known file format or network protocol
  - Graphics formats
  - Video formats
  - Common protocols
- Upfront costs
  - $15K to $100K

Thanks!

Michael Eddington
Leviathan Security Group, [email protected]

http://phed.org
http://peachfuzzer.com
http://dejavusecurity.com