IP Blog (RSS Feed)

Fuzzing Testing for Enhanced Security
How do you test against security threats you don't know exist? In a previous blog we looked at how testing with signatures can be used to reduce known security threats. However, for unknown threats, an alternative such as fuzzing testing needs to be employed. Fuzzing testing passes random data through network protocols, API calls, and file streams—virtually anywhere applications and devices receive inputs. One of the goals is to determine whether any of this random input can crash or hang an application, bring down a website or put a device in a compromised state.

Zero-Day Attacks
Another goal of fuzzing testing is to prevent zero-day attacks. These attacks derive their name from the fact that they take place before the related vulnerability is known – on "day zero" of awareness. Malicious attacks from hackers could exploit a new vulnerability they find, before your normal testing does. In fact, hackers use fuzzing attacks both to find and exploit new vulnerabilities.

"Attackers have long exploited the fact that even subtle variations in protocols can cause compromise or failure of networked devices," says David Newman, president of Benchmarking Consultancy Network Test. "Fuzzing technology helps level the playing field, giving implementers a chance to subject their systems to millions of variations in traffic patterns before the bad guys get a chance to."

Think Like a Hacker
Hackers are good at finding vulnerabilities. Why? Because they expend the effort needed to expose them. They know that traditional functional testing on your software has likely been completed. But they also know that millions of permutations of invalid random input many not have been tested. All it takes is one random string of input to cause a crash or hang. And it is easy for them to throw garbage input at your network. But since you are now thinking like a hacker, you can do the same – in controlled conditions – with fuzzing testing.

Hackers target and exploit many different attack vectors such as:
  • Web Browsers (HTTP)
  • Email Attachments (popular applications, movie files, graphic files, executables)
  • Network Protocols (vulnerabilities in FTP, DHCP, RSYNC, NTP)
  • VoIP and IPTV protocols
In its simplest form, fuzzing testing sends a random sequence, either as command line options or via protocol packets that have been randomly malformed, to the target being tested. As such, fuzzing testing can start out manually. But automation is required in order to get sufficient test coverage. Fuzzing testing tools can generate millions of variations or mutations in traffic patterns on the attack vector being tested. These tools apply "fuzzing" to the chosen test pattern and can literally test millions of permutations, making your network much more secure, while keeping your test team efficient.

Stay Ahead with Fuzzing Testing
Fuzzing testing does not replace traditional white box or black box quality processes, but rather complements them. Add fuzzing testing to your test arsenal to stay a day ahead of the hackers and their zero-day attacks.
By: Ankur Chadda - 3/7/2013 1:19:28 PM
Tags: Security Testing

 


Add a comment

Need help finding the product that's right for your business?

Contact us