Software Integrity Blog


The ins and outs of fuzz testing with Defensics: Q&A

In our webinar, we talked about preparing for zero-day attacks using fuzz testing, as well as Defensics system compatibility, fuzzing techniques, and more.


Rikke and I here at Synopsys would like to give a warm thank-you to all who attended The Ins and Outs of Fuzzing webinar, and for the interactive and engaging Q&A session that followed. This blog post summarizes the webinar and the questions we answered after the presentation. Please reach out to us with any additional input or questions. We’d love to hear from you.

A few key fuzz testing takeaways

In this webinar, we addressed zero-day attacks and the importance of a robust and effective fuzzing tool. Here are a few of the main points:

What you don’t see CAN hurt you

Perhaps the most concise way to illustrate the importance of fuzzing is to conjure the image of an iceberg. The visible, measurable portion of the iceberg above the water’s surface represents known vulnerabilities in a system or application. These vulnerabilities have already been identified and categorized, and fixes or patches are available. The submerged and undeterminably large portion of the iceberg represents unknown vulnerabilities. These vulnerabilities, which usually go undetected and unmonitored, pose a potential threat of unmeasurable scale.

Known vulnerabilities are just the tip of the iceberg

Enter fuzz testing. Fuzz testing is the only security practice that addresses this unbounded risk. Fuzz testing mimics the actions of a hacker, burdening systems and applications with invalid and random data and exposing vulnerabilities that would otherwise remain exploitable. These threats can exist anywhere and everywhere and, without testing, might not be detected until it’s too late. You must take proactive action.

In today’s context, WordPress, still the world’s most-used CMS platform, is consistently exploited about once a month and suffers 60% of zero-day attacks. Most of these exploits stem from a lack of security governance and could be prevented with adequate and effective security practices. A successful application security approach includes best practices such as secure coding and wide-ranging testing (SAST, SCA, DAST, and IAST tools). The scale of WordPress’s continued exposure underscores the need for vigorous security practices and places this issue at the forefront of security concerns today.

But aren’t standard security tools adequate?

In short, no. While some solutions are capable of detecting known vulnerabilities in your code and applications, they can’t detect unknown threats. As stated earlier, unknown vulnerabilities are not published or documented. So standard security tools that rely on databases of identified vulnerabilities aren’t capable of identifying unknowns. The only effective way to identify unknown vulnerabilities is to use a sophisticated mock-hacking technique, like fuzzing. Fuzzing imitates the activities of a hacker and exposes risks to your security team before a hacker can discover them.

Standard security tools that rely on databases of identified vulnerabilities aren’t capable of identifying unknowns

The cost of inaction

Further compounding the urgency to include fuzz testing in your security practices is the reality that not all software applications can be easily fixed and released. Complete systems, embedded firmware or chipsets, and medical devices and equipment are hard to test, and once they’re in deployment, exploit remediation requires massive resources. The cost and time needed for recalls, troubleshooting, and issuing replacements can have devastating effects not just on security but on product safety. Zero-day attacks come without warning and can have a drastic impact on your organization’s success.

Introducing Defensics

Synopsys’ Defensics fuzz testing solution tactically locates vulnerabilities, primarily unknown and zero-day, before you release your software, minimizing remediation time and costs and exposure to attack. Unlike other fuzzers on the market, Defensics has a deep understanding of input type, allowing it to generate custom tests to exploit key weaknesses through the lens of the rules that govern communication.

Since Defensics tests are likely to trigger vulnerabilities, security teams can efficiently identify and mitigate these vulnerabilities before they require costly patches and recalls.

Defensics has a proven track record that attests not only to the quality of our test suites but also to the overall quality of results that our customers can expect.

Fuzz testing Q&A

If your organization is lacking in zero-day attack preparedness, you should seriously consider adopting a fuzzing technique into your security practices. Watch the webinar for a more in-depth look at fuzzing and how Defensics can help you.

If you’ve already watched the webinar, thank you! Below are the questions and answers we covered at the end.

Questions and answers from the Defensics fuzzing webinar

Q: Can we use Defensics on Windows?

Yes, you can use Defensics on Windows or Linux. For the full list of requirements and supported platforms, please refer to our installation manual or tutorial on the Synopsys Community.

Q: Does Defensics support both CAN and automotive Ethernet?

Defensics has test suites available for CAN and CAN-FD, as well as a broad automotive Ethernet offering. You can find all the technologies that Defensics supports on our website. We are currently developing several new protocol test suites on top of automotive Ethernet. Contact sales for more details.

Q: Does Defensics use all fuzzing techniques? Or does it use different techniques based on the protocols used?

Defensics almost always uses generational fuzzing, which is the most effective way of finding unknown vulnerabilities. Random and template-based fuzzing do not provide full coverage or the depth of testing that specification-based fuzzing does. However, we have test suites, such as the SDK Express, that allow you to quickly model a proprietary protocol. Dissectors help build a rudimentary model of the protocol, after which you can use markup language to add dynamic behavior. This technique could be considered a hybrid between template and generational fuzzing. Lastly, we do have a protocol suite that takes a file as input and generates fuzzed variants, resembling random fuzzing.
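As an added illustration of the distinction drawn in this answer (this is example code, not Defensics or SDK Express code; the message format and its rule set are constructed for the example), a specification-driven generator that breaks exactly one field per case is placed next to a byte-flipping mutator, and the two are compared on how many cases each spends on messages that break no rule at all:

```python
import random
import struct

# Constructed toy protocol for this example (not a Defensics model):
# 1-byte type, 2-byte big-endian length, payload. Valid types are 1..3.
VALID_TYPES = (1, 2, 3)

def build(msg_type, payload, length=None):
    """Encode a message; `length` lets a case contradict the real size."""
    length = len(payload) if length is None else length
    return struct.pack(">BH", msg_type & 0xFF, length & 0xFFFF) + payload

def classify(msg):
    """Return the set of spec rules `msg` breaks (empty means valid)."""
    msg_type, length = struct.unpack(">BH", msg[:3])
    body = len(msg) - 3
    broken = {"type"} if msg_type not in VALID_TYPES else set()
    if length != body:
        broken.add("length")
    if body == 0 or body > 256:
        broken.add("payload")
    return frozenset(broken)

def generational_cases(payload=b"hello"):
    """Specification-based: break exactly one field per case, keeping the
    rest valid, so each failure points at a single parsing rule."""
    n = len(payload)
    cases = [build(1, payload, length=bad)                  # length boundaries
             for bad in (0, 1, n - 1, n + 1, 0x7FFF, 0xFFFF)]
    cases += [build(t, payload) for t in range(256)         # undefined types
              if t not in VALID_TYPES]
    cases += [build(1, b) for b in (b"", b"A" * 1024, b"\x00" * 0xFFFF)]  # extreme bodies
    return cases

def random_cases(seed_msg, count, rng):
    """Random/template-style: flip 1-3 bytes of one valid sample message."""
    out = []
    for _ in range(count):
        buf = bytearray(seed_msg)
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        out.append(bytes(buf))
    return out

def compare(count=1000, seed=7):
    # Per strategy: cases that break exactly one rule (easy to triage)
    # versus cases that break none (a wasted test case).
    def stats(msgs):
        rules = [classify(m) for m in msgs]
        return {"total": len(rules), "single_rule": sum(len(r) == 1 for r in rules),
                "wasted": sum(len(r) == 0 for r in rules)}
    return {"generational": stats(generational_cases()),
            "random": stats(random_cases(build(1, b"hello"), count, random.Random(seed)))}
```

Because the mutator only rewrites bytes of an 8-byte sample, it can never reach the oversized-body cases that the model derives directly from the specification, which is the coverage gap the answer refers to.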

Q: What format does Defensics export results in?

Defensics supports various formats. The base report is in HTML, but the remediation package also contains other files—for example, a CSV file that lists all the test cases and their pass/fail status. The package includes all the information required to rebuild the packet or test case, so developers can recreate the exact scenario that triggers the vulnerability. Besides the HTML overview, the zip file can also contain the packet capture of the traffic that went over the wire during the execution of the test case.

Q: My team can’t generate test cases in Defensics with Windows OS. It’s detecting more than one Ethernet adapter in the network adapter. Why is that?

You should be able to generate a test case just fine on Windows. If there are multiple network interfaces, you can select the target interface you want your test cases to go out over. In fact, if you specify the IP address of your target, Defensics should automatically pick the network interface connected to the same subnet as your target. If you experience any issues, please contact our support team, who can help you remediate the issue.

Now back to you

We love to hear from you at Synopsys. Your input helps shape our efforts and our products. Let us know: What fuzz testing tools are you using today? Are they open source or commercial? What do you use your fuzzer to test for? Does it work well? What else would you like to see in a fuzzing tool?

Share your experience and insights with me. As always, feel free to reach out with any need for additional clarification or questions about how Defensics can help you!

Watch the webinar: The Ins and Outs of Fuzzing
