PerformFuzz on application's web interface

“PerformFuzz” On Application’s Web Interface. Aniket Kulkarni, Symantec, India.

Description

Session Presented at 2nd IndicThreads.com Conference On Software Quality held on 25-26 March 2011 in Pune, India. WEB: http://Q11.IndicThreads.com

Transcript of PerformFuzz on application's web interface

1

“PerformFuzz” On

Application’s Web Interface.

Aniket Kulkarni, Symantec, India.

2

Agenda

Brief Overview.

Performance Testing, Fuzzing & Fuzzer.

What Can Be Fuzzed & Common Defects ?

What Is PerformFuzz ?

Packet\Port Fuzzing.

How Fuzzing Degrades Performance ?

View Of Original & Malicious Packets.

3

Agenda Contd..

Impact On 3rd Party Components.

Case Study & Crash Analysis.

Best Practices To Avoid such Potholes.

References.

4

Brief Overview.

Focus On “Performance & Security”.

It is an attack that affects an application’s “Performance & Availability”.

The security test technique is “Fuzzing”.

The target is the application's web interface.

Performance + Fuzzing = “PerformFuzz”.

5

What Is Performance Testing ?

System check for Responsiveness, Throughput and Scalability, under given workload.

The outcome helps decide production readiness, evaluate the application against its performance targets, and find the root cause of performance issues.

6

What’s Fuzzing & What Can Be Fuzzed ?

It's a technique to inject random bad data into an application to see what breaks!

Any type of application input can be fuzzed: network protocols, files, GUI, inter-process communication, etc.

Note: Since the aim is to fuzz the application’s web interface, this talk considers network protocol\port fuzzing only.

7

What Is Fuzzer ?

• A fuzzer is just a tool that generates gibberish data.

• A few available fuzzers are: SPIKE, PEACH, DFUZ, GPF (General Purpose Fuzzer) & SULLEY.

[Figure: the fuzzer takes the original input (a file) and produces many mutated files, which are fed as input to the software application.]

8

Common Defects Found By Fuzzing.

Buffer Overflow.

Integer Overflow.

Invalid Memory Reference.

Infinite Loop.

3rd Party components may be where the defect sits, compromising the application.

Degraded Performance Of Web Interface (DoER).

Loosely speaking, it produces a crash (termed DoS, Denial Of Service); when analyzed in depth, one of the above is detected.

9

So, what’s PerformFuzz?

It’s packet fuzzing.

Increasing the “Render Response Time” by applying multiple fuzzing instances is PerformFuzz.

Causes “DoER” & “DoS”.

Note: Once an attacker successfully slows down performance, that is his key achievement: it gives him confidence that the next stage is going to be a definite crash!

10

How Packet\Port Fuzzing Is Done ?

Way-1: Trapping valid packets, detecting magic strings, modifying those and resending them to the respective target.

Way-2: Bombarding the respective target with malicious packets automatically.

11

But, How Does Performance Degrade ?

This is a defensive security talk: we need to research the attacks and then the mitigation.

Opting for Way-2: automated bombarding.

Observe the application response with a single fuzzing instance.

Add instances until the “Render Response Time” increases.

Once the render response time is caught, performance is tuned negatively just by scaling these instances up & down.

12

View: Ideal & Malicious Packet.

Ideal Network Packet.

Malicious Network Packet.

13

Impact On 3rd Party Components.

The fuzzing target is http://<ip address>:<port no>/

Sometimes the web server gets impacted.

Next is our own application.

Among “CIA”, the A (Availability) of the application is hampered 100%.

14

Case Study & Crash Analysis.

Description:

Fuzzing was performed by sending random packets to the port on which the “ABC” server was listening. Multiple network fuzzers were made to send random packets to the port simultaneously. Degraded performance of the application was observed, increasing its render response time. Finally a crash was observed in the JVM, bringing down Tomcat, due to a race condition in JVM threads. The crash has been reproduced multiple times up to J6U21, which was the latest Java update when this was first encountered.

Crash Analysis!

15

Best Practices To Avoid Such Issues.

Server Side Validation.

Latest OS & Application Vendor Patches.

Run Firewall & Intrusion Detectors.

Big Fish Have Implemented “CAPTCHA”.
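As an added example (not from the presentation), the kind of check behind the "Run Firewall & Intrusion Detectors" practice: a small Python detector run over constructed access-log lines that flags clients whose traffic is mostly rejected requests and reports whether the render response time is climbing, the two signs of the PerformFuzz load described earlier. The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format: <client ip> <status> "<request line>" <response time ms>
LINE_RE = re.compile(r'^(\S+) (\d{3}) "([^"]*)" (\d+)$')

MALFORMED_RATIO = 0.5   # share of 4xx replies per client that looks fuzzer-like (assumed)
MIN_REQUESTS = 5        # clients with fewer requests are not judged (assumed)
SLOWDOWN_FACTOR = 3.0   # later/earlier mean response-time ratio that is suspicious (assumed)

# Constructed sample: one normal client, one client spraying junk requests as the server's response time climbs.
SAMPLE_LOG = """
10.0.0.5 200 "GET /index.html HTTP/1.1" 40
192.0.2.10 400 "GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 60
192.0.2.10 400 "JUNK ///// HTTP/9.9" 90
192.0.2.10 400 "GET /?q=@@@@@@@@@@@@@@@@ HTTP/1.1" 150
192.0.2.10 200 "GET /index.html HTTP/1.1" 210
192.0.2.10 400 "POST HTTP/1.1" 260
10.0.0.5 200 "GET /index.html HTTP/1.1" 300
"""

def parse(lines):
    """Return (ip, status, request, ms) tuples; lines that do not match are skipped."""
    rows = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in lines)):
        ip, status, req, ms = m.groups()
        rows.append((ip, int(status), req, int(ms)))
    return rows

def noisy_clients(rows):
    """Clients whose traffic is mostly rejected (4xx): a fuzzer bombarding the port."""
    total, bad = defaultdict(int), defaultdict(int)
    for ip, status, _req, _ms in rows:
        total[ip] += 1
        if 400 <= status < 500:
            bad[ip] += 1
    return sorted(ip for ip in total
                  if total[ip] >= MIN_REQUESTS and bad[ip] / total[ip] >= MALFORMED_RATIO)

def render_time_degraded(rows):
    """True when the later half of the log is SLOWDOWN_FACTOR times slower than the earlier half."""
    times = [ms for _ip, _status, _req, ms in rows]
    if len(times) < 2:
        return False
    half = len(times) // 2
    earlier = sum(times[:half]) / half
    later = sum(times[half:]) / (len(times) - half)
    return later >= SLOWDOWN_FACTOR * earlier
```

Fed the sample above, `noisy_clients` names only 192.0.2.10 and `render_time_degraded` returns True; a single fuzzer instance at a normal request rate would trip the first check long before the second.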

16

What’s Out From This Presentation?

DoER.

DoS.

Importance Of 3rd Party Components.

Might Be A Small Test Under Your Performance & Security Test Strategy.

17

Question To Think ?

o Is This Going To Hamper Cloud Clients ?

o Anyway, That’s Under Research With Us; Let’s See What We Bring Up Next.

18

References.

• http://msdn.microsoft.com/en-us/library/bb924356.aspx

• http://peachfuzzer.com/PeachInstallation

• http://openmaniak.com/wireshark_tutorial.php

• http://www.wireshark.org/download.html

• http://resources.infosecinstitute.com/intro-to-fuzzing/

• http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

• http://windbg.info/doc/1-common-cmds.html#7_symbols

19

Questions?

20

The End.

Thank You!

Aniket Kulkarni,

Product Security Group, Symantec.

[email protected]