Get Fuzzy – Hunting for Zero Days with Spirent


Even for those of us who are not hackers by trade, I strongly suspect that as geeks we’ve all at some point played around with a web form or a URL string and thought “Hey, I wonder what happens if I type a stupidly long string or a bunch of gibberish here – can I break the app?” Just me? Ok. Well, what if there were a friendly off-the-shelf tool that could help you test your applications and protocols and look for zero day vulnerabilities?


Meet Mu Dynamics, a Sunnyvale, CA based company with a focus on application and performance testing. Never heard of them? Don’t worry about it, because Mu Dynamics was acquired in April 2012 by Spirent Communications, plc., and I’ll wager you’ve heard of Spirent. Mu Dynamics had a tool that does just this kind of testing, and Spirent took the opportunity at Network Field Day 4 to give us a quick demonstration of the product’s capabilities.

So What’s The Product?

Good question. If you look on Spirent’s web site, I think you would find it difficult to quickly identify which of their products might help you find zero day vulnerabilities. The short answer is that Spirent’s Avalanche product supports it via their ThreatEx capability, and now there’s also Spirent Studio Security, which is the product we were shown at NFD4.

Competition

Spirent is of course not the only game in town – for high end testing products, Ixia is the obvious main competitor, and Mu Dynamics was in competition with companies like BreakingPoint Systems. It probably won’t come as a shock then to hear that in August 2012, Ixia completed their acquisition of BreakingPoint.

Target Audience

I have to assume that the Studio Security product is aimed largely at enterprises and software houses that develop their own applications. Spirent did not dwell on the need for hardware appliances, but appliances do in fact seem to be necessary. In addition to a management VM instance you’ll need at least one of either the Spirent Studio 8000 (4 x 10/100/1000 copper + 4 x 1Gbps SFP) or the 8010 (4 x 1Gbps SFP + 4 x 10Gbps SFP+). Some brief research suggests that these appliances are relatively cheap compared to a full-scale test rig, but I don’t think they are something that the average home hacker will get their hands on for nefarious purposes, which might be a good thing. I can’t get exact prices, because the Spirent site doesn’t list them. In fact, the Spirent web site barely acknowledges that these appliances exist outside the datasheet for Studio Security. Try a Google search – really.

What’s A Zero Day Anyway?

A zero day threat is a vulnerability that has been discovered but has not yet been disclosed, and is thus not patched at the time it is used. A zero day exploit would be something that uses that new vulnerability to attack systems which are effectively unprotected from the attack, unless additional tools are in play that might detect the suspicious activity (if you’re lucky). As a side note, TechTarget just published a news item about a Symantec study examining zero day vulnerabilities in the wild, and how long they can be out there before being disclosed – it’s worth a read, especially for the references to all the zero day exploits they identified that still have not (or had not) been disclosed.

Fuzzing

One way to find new (zero day) vulnerabilities is to poke and prod your software using a technique called fuzzing, or Fuzz Testing. Fuzzing essentially takes the inputs your application or protocol is expecting and messes with them – putting in values that shouldn’t be there, using option structures in an unsupported fashion, sending options together that should be mutually exclusive, and so on. Effectively, you are testing the limits of the protocol by sending deliberately malformed packets. To do this by hand would be impractical, so having a software tool that can methodically tamper with data is a great thing.

Demo

Spirent’s demo involved running a Jabber server as an end point, then fuzzing the login process using an appliance to find a new vulnerability. You can watch the demo here:

The key takeaways from the demo as I see it are:

  • Spirent Studio Security has a tool that watches when the target process is killed by the fuzzing, and can restart the application process again so that the attack can be repeated (to test for consistency) and so that the rest of the test set can be run.
  • At the end you’ll have a nice report showing where problems were found, and you can fix the problems, then fuzz the application again to make sure the fixes worked.
  • The testing is automated, but still has to be parameterized first – you, or Spirent – need to know something about the protocols or APIs involved in order to know how to fuzz them.
  • You can grab captures of HTTP transactions and Spirent can create attack models based on those captures.
  • Once you find a vulnerability, the ‘Remediation Toolkit’ helps you package up a PCAP of the attack, a report, and other information to pass over to developers so they can replicate the problem and fix it.
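To make the fuzzing description above and the demo takeaways concrete, here is a small added example (mine, not Spirent’s code and not part of the original post) that applies the tampering strategies listed to a constructed toy login parser, treats any unhandled exception as the stand-in for a crashed process, “restarts” the target by creating a fresh instance, and re-runs each crashing input to confirm it reproduces before adding it to the report. The parser, its two planted defects and the login line format are all constructed for the illustration.

```python
class ProtocolError(Exception):
    """Clean rejection by the target; the fuzzer must not count these as crashes."""

class LoginParser:
    """Constructed toy login parser standing in for the fuzz target, with two planted defects."""
    MAX_USER = 32  # stands in for a fixed-size C buffer
    def parse(self, line):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if "user" not in fields:
            raise ProtocolError("user required")        # handled rejection
        if fields.get("auth", "plain") not in ("plain", "digest"):
            raise ProtocolError("unsupported auth")     # handled rejection
        # Defect 1: no length check; an overlong user overruns the buffer (ValueError).
        buf = bytearray(self.MAX_USER)
        memoryview(buf)[:len(fields["user"])] = fields["user"].encode()
        # Defect 2: token implies digest, but auth=plain sent together with token is
        # never rejected, so the digest path runs without the nonce it assumes (KeyError).
        if fields.get("auth") == "digest" or "token" in fields:
            proof = fields["nonce"] + fields.get("token", "")
        return {"user": fields["user"], "auth": fields.get("auth", "plain")}

SEED = "LOGIN user=alice pass=secret auth=plain"   # constructed known-good login

def mutations(seed):
    """(label, input) pairs, one per tampering strategy the post lists."""
    yield "overlong field", seed.replace("alice", "A" * 4096)
    yield "garbage bytes in a field", seed.replace("secret", "\x00\xff<>&;" * 4)
    yield "unsupported option value", seed.replace("auth=plain", "auth=ntlm")
    yield "mutually exclusive options", seed + " token=deadbeef"

def run_case(case):
    """One attempt against a fresh target instance (our stand-in for restarting the
    process). Returns None on success or clean rejection, else a crash signature."""
    try:
        LoginParser().parse(case)
    except ProtocolError:
        pass
    except Exception as exc:          # unhandled: the real process would have died
        return f"{type(exc).__name__}: {exc}"

def fuzz(seed=SEED, retries=2):
    """Run every mutation; on a crash, restart and re-run to confirm it is consistent."""
    report = []
    for label, case in mutations(seed):
        crash = run_case(case)
        if crash is not None:
            consistent = all(run_case(case) == crash for _ in range(retries))
            report.append({"mutation": label, "error": crash, "reproducible": consistent})
    return report
```

Only the overlong field and the mutually exclusive options end up in the report; the unsupported auth value is rejected cleanly and the garbage bytes are simply ignored, which is the distinction between a handled error and a real crash that a fuzzing harness has to make.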

One More Thing?

Studio Security goes beyond fuzzing. The Studio Performance product allows you to test your applications and security devices by generating traffic based on profiles you select – a mix of general application traffic and attacks. Similar in some ways to the new Axon product (more on that in a forthcoming post), the traffic playback is put together rather like a playlist, where you select ‘tracks’ of data to play when testing. Spirent’s TestCloud has hundreds of applications you can simulate to mirror what you have in production, or potentially to test a newer version of an application before rolling it out. From what they said, they’re hoping that TestCloud will really be a ‘cloud-sourced’ resource (haha, see what I did there) where users can upload test cases and traffic profiles that other people can use, thus rapidly broadening the potential base of products and versions. In this mode, you’re running traffic between two appliances and testing, say, a firewall or IDS/IDP in between. Again, the management platform runs separately from the appliances, either in a VM or on a Spirent TestCenter appliance.

Conclusions

I’m still not entirely clear on the relative merits of ThreatEx compared to Studio Security, but if the idea is to offer a fuzzing capability at a lower entry point, then I’m all for it. The demo is slick, but I think it glosses somewhat over the underlying requirements to make this work – it feels “point and click simple” because the profiles already exist for the app they test in the demonstration, but it’s not clear what level of overhead (and cost) would be involved in customizing an attack profile for an in-house developed application which, surely, will be the biggest use case. Once you’ve got those hurdles out of the way, though, you can’t argue with the simplicity of setting up and running the test – click play, then go get coffee while it runs unsupervised. If this is a need you have, then it’s certainly worth a look. Perhaps the win here is taking fuzzing to new levels of friendliness, and steering users away from having to hack up configuration files to test applications.

It looks like Spirent’s Studio Security product has the potential to be a helpful ally when security testing applications and protocols, but since I haven’t had the opportunity to run a test hands on from concept to execution I’m going to say that the jury must remain out on how simple it continues to be once you buy it. For testing traffic through security devices, the apparent overlap between this product and the new Spirent Axon has me somewhat puzzled because point and click playback of traffic to test a network seems to be a strong point for both. Being able to blend in security attacks is an interesting twist, and depending on pricing, would Studio Security end up being a more flexible product compared to the Axon?

Definitely an interesting product, but more time is needed to figure out where it fits in Spirent’s product family, and how it overlaps with other products they already sell. Without a clear place in the line-up, and a significantly better presence on Spirent’s website, this could be a great product that gets overlooked all too easily.

Get Some Other Points of View

Here are some blog posts from other NFD4 delegates so you can get their take on Spirent Studio Security:

I’ll update this list as I become aware of other posts, and these are good blogs to subscribe to even if security testing isn’t your primary interest!

Disclosure

Spirent was a presenter at Networking Field Day 4, and while I received no compensation for my attendance at this event, my travel, accommodation and meals were provided. I was explicitly not required or obligated to blog, tweet, or otherwise write about or endorse the sponsors, but if I choose to do so I am free to give my honest opinions about the vendors and their products, whether positive or negative.

Please see my Disclosures page for more information.
