During the past few months, Synopsys R&D has been busy improving the Defensics instrumentation capabilities. The focus has been on providing more powerful tools for controlling and monitoring the status of the system under test (SUT). Fuzzing is an effective testing technique, but it is sometimes hard to identify the exact test case or sequence that caused the failure in the SUT. To set up better diagnostics for the SUT and improve the information flow from the test target to the Defensics test solution, we have developed the Defensics Agent Instrumentation Framework.
Posted in Fuzz Testing | Comments Off on Defensics Agent Framework
What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Often, when a security vulnerability is announced, we try to answer questions such as:
Posted in Fuzz Testing, Web Application Security | Comments Off on What the Heartbleed bug should be teaching us
By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f (inclusive). The vulnerability has been present in OpenSSL since December 2011. Many websites have discussed the details of the bug, and I will not go into the deep technical details here. I will describe the bug at a high level, and then discuss the impact of the bug and what you should do about it. In the remainder of this post, I’ll refer to “vulnerable versions of OpenSSL” as simply OpenSSL.
Overview of the Heartbleed vulnerability
Although the bug that causes the Heartbleed vulnerability is in the OpenSSL library, it has nothing to do with the SSL/TLS protocols themselves. It involves code that handles the heartbeat extension (RFC 6520) for TLS/DTLS. The heartbeat messages can be sent even before a TLS handshake is completed. RFC 6520 states:
However, a HeartbeatRequest message SHOULD NOT be sent during handshakes… The receiving peer SHOULD discard the message silently, if it arrives during the handshake.
Due to the use of ‘SHOULD,’ these are recommendations and not requirements. OpenSSL apparently responds to heartbeat requests even before the handshake is completed. So, even servers that require client certificates for authentication are vulnerable.
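As an added illustration (not code from the original post or from OpenSSL), here is a small Python parser for the RFC 6520 heartbeat message that applies both checks the post describes: discard a heartbeat that arrives during the handshake, and discard one whose claimed payload_length exceeds what the record actually carries, which is the bounds check the vulnerable OpenSSL versions lacked. The sample messages are constructed, not captured traffic.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 section 4: padding_length MUST be at least 16


class HeartbeatError(ValueError):
    """Raised for a heartbeat message whose header itself is broken."""


def parse_heartbeat(record, handshake_complete=True):
    """Parse one HeartbeatMessage body as defined in RFC 6520 section 4.

    Returns (message_type, payload), or None when the message must be
    silently discarded. Raises HeartbeatError when the header is malformed.
    """
    # RFC 6520: a heartbeat arriving during the handshake SHOULD be discarded.
    if not handshake_complete:
        return None
    if len(record) < 3:
        raise HeartbeatError("record too short for a heartbeat header")
    message_type, payload_length = struct.unpack("!BH", record[:3])
    if message_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError("unknown heartbeat type %d" % message_type)
    # The Heartbleed defect was trusting payload_length and copying that many
    # bytes into the response, so a short message could claim up to 64 KiB and
    # be answered with process memory. RFC 6520 requires the message to be
    # discarded when payload_length does not fit in the received record.
    if 3 + payload_length + MIN_PADDING > len(record):
        return None
    return message_type, record[3:3 + payload_length]


def build_response(payload):
    """Build the HeartbeatResponse echoing payload, with the minimum padding."""
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
    return header + payload + bytes(MIN_PADDING)


# Constructed sample messages (not captured traffic): a well-formed request and
# one that claims a 16384-byte payload while carrying only four bytes.
WELL_FORMED = b"\x01\x00\x04ping" + bytes(MIN_PADDING)
OVERSIZED_CLAIM = b"\x01\x40\x00ping" + bytes(MIN_PADDING)

if __name__ == "__main__":
    print(parse_heartbeat(WELL_FORMED))                            # (1, b'ping')
    print(parse_heartbeat(OVERSIZED_CLAIM))                        # None
    print(parse_heartbeat(WELL_FORMED, handshake_complete=False))  # None
```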
Posted in Fuzz Testing, Web Application Security | Comments Off on Heartbleed vulnerability: What should you do?