What is penetration testing (pentesting)?
the process of attacking a piece of software with the purpose of finding security vulnerabilities.
aka
hacking with permission
What is automated pen testing?
- fuzzing or fuzz testing
- a systematic and repeatable approach to pentesting,
What is the aim of penetration testing?
To find vulnerabilities
What is a vulnerability?
A security hole in the hardware or software (including operating system) of a system that provides the possibility to attack that system
What are examples of vulnerabilities?
- gaining unauthorised access (unescaped SQL commands)
- stealing confidential information (weak, easy to guess passwords)
- modifying/corrupting critical data (buffer overflows that permit access to memory outside of the running process)
- crashing the system or make it unavailable to others (denial of service attack)
What is an SQL injection?
(answer this mentally)
What is a buffer overflow attack?
when data is written into a buffer (in memory) that is too small to handle the size of the data.
In some languages, the additional data simple overwrites the memory that is located immediately after the buffer. If carefully planned, attacker-generated data and code can be written here.
What are some ways to prevent security attacks?
- defensive programming that checks for
array bounds - using programming languages that do this automatically
- finding and eliminating these problems via reviews and inspections
- letting hackers find them for us (not recommended)
- using verification techniques.
What are examples of verification techniques?
fuzz testing
What is fuzz testing?
a (semi-)automated approach for penetration testing that
involves the randomisation of input data to locate vulnerabilities.
How does fuzz testing work?
- a fuzz testing tool (or fuzzer) generates many test inputs - it monitors the program behaviour on these inputs
- it looks for things such as exceptions, segmentation faults, and memory leaks; rather than testing for functional
correctness. - Typically, this is done live: that is, one input is generated, executed, and monitored, then the next input, and so on.
What are the 3 techniques for fuzzing?
- Random testing
- Mutation-based fuzzing
- Generation-based fuzzing
What is random testing?
tests generated randomly according to some probability distribution (possible uniform) to permit a large amount of inputs to be generated in an fast and unbiased way.
What are the advantages of random testing?
- often (but not always) cheap and easy to generate random tests, and cheap to run many such tests
automatically. - unbiased, unlike tests selected by humans. (useful for pentesting because the cases that are missed during programming are often due to lack of human understanding, and random testing may search these out)
What are the disadvantages of random testing?
- A large number of test inputs may need to be generated in order to be confident that the input domain has been adequately covered.
- The distribution of random inputs simply misses the program faults
- It is highly unlikely to achieve good coverage.
Why is it hard to achieve good coverage with random testing?
If you have a series of conditions, e.g. x==y, then the probability of being able to generate that case can be very very low.
What is Mutation based fuzzing?
starting with a well-formed input and randomly modifying (mutating) parts of that input rating (possibly invalid) test inputs.
- can be random or based on some heuristics.
What are the advantages of fuzzing?
- generally achieves higher code coverage than random testing.
- issue of tricky branches still occurs but is less likely if the valid inputs that are mutated have the correct values to get past the tricky branches.
- Even though the mutated tests may change these, some will change different parts of the input, and the e.g., checksum will still be valid.
What are the disadvantages of fuzzing?
- The success is highly dependent on the valid inputs that are mutated.
- It still suffers from low code coverage due to unlikely cases (but not to the extent of random testing).
What is generation based fuzzing?
using some specification of the input data, such as a grammar of the input to generate input as opposed to mutating existing input
- generate data that is correct syntactically to the language being tested
- generate data that is intelligent/ targeted as opposed to random
What are the advantages of generation based fuzzers?
generally giving higher coverage as knowledge of the input protocol means that valid sequences of inputs can be generated that explore parts of the program (tricky branches)
What are the disadvantages of generation based fuzzers?
- Compared to random testing and mutation fuzzing, it requires some knowledge about the input protocol.
- The setup time is generally much higher, due to the requirement of knowing the input protocol; although in some cases, the grammar may already be known (e.g., XML, RFC).
What is a memory debugger?
a tool for finding memory leaks and buffer overflow
Why are memory debuggers important?
because anomalies such as buffer overflows are difficult to observe using system behaviour
e.g. in stack buffer overflow, if the overflow is just by a few characters, it would be difficult to detect unless that particular part of memory is accessed again, which may not be the case.
