News

LEADING BRAND IN SECURITY ASSESSMENT - ONWARD

How to solve unknown cybersecurity vulnerabilities and threats? Understanding the fuzz testing!

2021 / 08 / 23

Introduction

Covid-19 has brought revolutionary changes to the world. Trends such as home isolation, remote work and work from home have made the Internet of Things (IoT) a necessity, and made IoT closer to everyone's life. However, the rising demands not only bring business opportunities, but also pose great challenges to cybersecurity! In the past, hackers used to attack known vulnerabilities to achieve the purpose of intrusion, but now more and more attackers are gradually starting to use unknown vulnerabilities to launch zero-day attacks and their methods are gradually becoming mature. Attacking the defenseless IoT devices with malicious programs targeting unknown vulnerabilities has become the favorite of attackers. Therefore, the unknown vulnerabilities and vulnerabilities repairs of IoT products have become a high priority issue.

In addition to the cybersecurity risks caused by these potential attacks, brand owners attach importance to the cybersecurity of IoT devices, and have asked manufacturers to comply with cybersecurity regulations. For device manufacturers advancing in the international market, there are more international regulations that need to be followed. Consequently, the cybersecurity of IoT devices is a big challenge for manufacturers.

The key to making the IoT world a battlefield - Known/unknown vulnerability

As long as there is a vulnerability, hackers will try to exploit it to attack. Cybersecurity issues will arise when vulnerabilities are successfully exploited to pose a threat. It can be seen that in the entire attack chain, security vulnerabilities are the most basic source of cybersecurity problems. The vulnerabilities can be simply divided into two categories:

  • Known Vulnerability‮:

When it comes to known vulnerabilities, the most frequently mentioned is Common Vulnerabilities and Exposures (CVE). The vulnerability will be assigned a CVE number and announced through the U.S. National Vulnerability Database (NVD), whenever a new one is discovered. However, with the development of the Internet, more and more organizations will announce newly discovered vulnerabilities. Some researchers or hackers will even directly expose and publicly discuss the vulnerabilities they have discovered on the Internet. Such vulnerabilities may not have CVE numbers. 

  • Unknown Vulnerability‮:

Unknown vulnerabilities are existing vulnerabilities, but they have never been publicly exposed by any official organization or community.

If you want to reduce cybersecurity threats, the lowest cost but most important task is to find vulnerabilities and fix them in the software development stage. There are many tools on the market that can help developers find known vulnerabilities, but few people talk about unknown vulnerabilities. More precisely, few people pay attention to the existence of unknown vulnerabilities. However, unknown vulnerabilities are one of the potential risks that are most likely to cause major damage in the IoT era.

The spotter of unknown security vulnerabilities - Fuzz Testing

What is fuzzing

The main purpose of fuzzing is to find possible program errors and to detect security vulnerabilities in software or computer system. Its method is to input the automatically or semi-automatically generated test data into the tested target for testing, and monitor whether the program has abnormal conditions during the test, such as crash or assertion failed. Fuzz testing is currently one of the most effective technical methods to find unknown vulnerabilities.

Taking the communication protocol as an example, it mainly regulates the two endpoints of the communication, requiring both to comply with the execution and dialogue process, language and data format when exchanging data. The security and correctness of the data exchange process can be ensured when the communication endpoints really follow the specifications to send and receive data. However, in the network communication environment, a malicious third party may be connected through the network to send precisely adjusted content with specific intent to the data receiving end. The malformed content can cause harm including buffer overflow or injection.

What can be found by fuzzing

Let's take another example of watching TV programs to explain why security and correctness need to be emphasized in the process of data exchange between two communication endpoints.

1. Normal communication protocol
The normal transmission of the video data will allow the audience to view the protagonist who should exist in the program and be in an appropriate position.

Normal communication protocol

2. Through smart fuzz
If it is attacked during the video transmission and malformed data that does not conform to the protocol specification is entered into the video, it will be obvious that a role that does not belong to the program appears after the data transmission is completed.

Through smart fuzz

3. Through variant fuzz
If it is attacked during the video transmission and malformed data that does not conform to the protocol specification is entered into the video, a role that is well disguised but does not belong to the program will appear after the data transmission is completed.

Through variant fuzz

The main function of fuzzing is to find unknown vulnerabilities, especially serious security flaws. These vulnerabilities are also used by most hackers. Their purpose is to cause system crashes, memory leak and unhandled exception, and ultimately achieve service failure or control the system. During testing, if used with other methods such as Black Box Testing, it will be more effective to find unknown vulnerabilities.

Although fuzzing is a very effective method for finding major security flaws in the system, it is not a panacea. The security issues such as viruses, worms, Trojan horses, etc. are not the ones that it can find.

 

The technical depth of fuzzing

The technical difficulty of fuzzing is to create malformed data that must comply with the protocol specifications while causing problems on the receiving end.

1. The difficult choice between the number of test cases and time
Fuzzing can effectively find vulnerabilities, but it is quite complicated in actual use. Its technical difficulty is to create malformed data that not only conforms to the protocol specifications but also can cause problems at the receiving end as the basis for testing. Nowadays, the protocols are diversified and each protocol has different technical specifications. Without professional experience support, it is quite difficult to create valid test data. And, if there is no good test data for fuzzing, it will cause problems such as duplication of test cases, misjudgments, and lengthy test time.

2. The problem of continuous automated testing
Fuzzing is carried out through a large amount of data, so the testing process will take a long time. If the device under test (DUT) crashes due to an abnormality during the process, the test will be aborted. The test will not continue until the DUT is manually restarted. Therefore, if the test cannot be restarted automatically, it will increase the manpower burden and lengthen the overall test time.

3. High probability of misjudgment
The most troublesome thing for testers in fuzz testing is that there are often misjudgments. For example, due to the large amount of test packets, the DUT may be misjudged as a device abnormality when its response is too slow. Another example is a handshaking error that causes the device to react abnormally, or the unstable network environment in the test area caused the device to respond abnormally. The above conditions make testers have to use manual detection methods to confirm whether the abnormality is real security vulnerability one by one.

The Smart Fuzzing Dispatcher

The International Organization for Standardization (ISO) divides the computer network architecture into seven different layers. The first layer is the lowest layer in the model. The model is called Open Systems Interconnection Reference Model (now also abbreviated as OSI/RM). The Ethernet communication transmission is based on the rigorous data format definition and transmission sequence, so as to achieve a high degree of accuracy and efficiency. Therefore, the completion of the fuzz testing is not as simple as randomly adjusting a certain part of the data. In addition to compliance with the protocol at the layer, the integrity of the bottom protocol must also be considered. Onward Security uses the self-developed onFuzz architecture to implement layered processing of fuzz testing. The Fuzzing Pattern Generator is responsible for creating malformed data, and the Dispatcher is responsible for encapsulating malformed content into a standard bottom protocol. This architecture enables HERCULESSecDevice to support OSI fuzz testing from layer 2 to layer 7.

Powerful Fuzzer and Injector

Performance Booster

Another troublesome problem of fuzz testing is that the test process is not easy to understand and the test time is not easy to grasp. In the process of random generation and mutation, independent components generate random numbers for data separately, which is prone to random number collisions. Additionally, sending out the same malformed format content at different stages causes unnecessary loss of test resources and time. HERCULESSecDevice effectively eliminates the same malformed content through its unique patented technology. It reaches the upper limit of non-repetitive unique malformed content required by regulations, while speeding up the test time and improving the timeliness of the test.

SecDevis - Smart Fuzz explores unknown vulnerabilities

SecDevis - Smart Fuzz explores unknown vulnerabilities

Industrial Protocol Suite

The generative fuzz testing technology has good testing results, but the technical difficulty and high development cost affect the product price, causing the industry and equipment manufacturers to be unable to find a suitable test solution. HERCULESSecDevice is equipped with more than 60 communication protocols, which can provide complete test suites for cybersecurity practitioners to meet the test needs of industries such as Netcom, industrial control, medical and monitoring.‮!‬C

Taking the Picture Archiving and Communication System (PACS) as an example, it is a medical image transmission system for medical equipment, and used to store and transmit medical images, as auxiliary data for doctors' diagnosis or as a source for the medical record exchange. The main communication protocol of PACS for image transmission - Digital Imaging and Communications in Medicine (DICOM) is the exclusive protocol for medical equipment. DICOM is an application protocol based on TCP/IP, which communicates between departments. If you use a general network protocol format for testing, you may be able to detect the vulnerability of TCP, but cannot really detect the vulnerability of DICOM of the image exchange protocol. Fortunately, SecDevice can not only meet the general network vulnerability test, but also meet the fuzz testing requirements of the special protocol of medical equipment.

Support a wide range of communication protocols to meet the needs of different industries

通讯协定

International cybersecurity regulations add robustness to the requirements

In view of the need to enhance equipment safety, international regulations and standards have also formulated relevant input validation and testing requirements. The following highlights the robustness requirements of international regulations:

  • ETSI 303 645

According to the European Telecommunications Standards Institute (ETSI) EN 303 645 standard, the Provision 5.13 requires that the consumer IoT device software shall validate data input via user interfaces or transferred via Application Programming Interfaces (APIs) or between networks in services and devices.
Systems can be subverted by incorrectly formatted data or code transferred across different types of interface. Automated tools such as fuzzers can be used by attackers or testers to exploit potential gaps and vulnerabilities that emerge as a result of not validating data.

  • FDA

The FDA stipulates the requirements for submitting Risk Management Documentation in the validation report of the marketing approval. This is a comprehensive approach that considers both security and safety risk analysis in a meaningful way. It provides a summary of the assessment and mitigation activities that assure a device is reasonably secure. Besides, a description of the testing that was done to ensure the adequacy of cybersecurity risk controls (e.g. security effectiveness in enforcing the specified security policy, performance for required traffic conditions, stability and reliability as appropriate). The test report should include "robustness testing" and "boundary analysis".

  • IEC 62443

On February 27, 2019, the International Electrotechnical Commission (IECEE) released Part 4-2 (IEC 62443-4-2: 2019) on the security of industrial automation and control systems. Its fundamental requirement (No.3: System Integrity) and component requirement (No.3.54: Input Validation) both regulate the technical security requirements of industrial control equipment.

  • MDR

The Verification/Validation is described in Chapter 3.7 of MDCG 2019-16 Guidance on Cybersecurity for medical devices. MDR Annex I Section 17.2 and IVDR Annex I Section 16.2 require for devices that incorporate software or for software that are devices in themselves, that the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of the development life cycle, risk management, including cybersecurity, verification and validation. The primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing. Additional security testing can be done by using tools for secure code analysis and tools that scan for open source code and libraries used in the product, to identify components with known issues.

  • TAICS

The Industrial Development Bureau of Taiwan's MOEA entrusts the Taiwan Association of Information and Communication Standards (TAICS) to formulate "Cybersecurity Standard for Video Surveillance System". According to the "Communication Protocols and Configuration Security" in Chapter 5.3.2, the error handling vulnerabilities shall not exist in the product's key communication protocol (such as RTSP, RTCP, RTP and TLS), including viewing the fields of message length, message identifier, key protocol attribute, etc., so that the product does not crash and terminate the service. The fuzz testing is the main test method for this requirement.

Is there a solution to the high-risk unknown vulnerabilities?

In the face of unknown vulnerabilities, it is a good way to use tools to scan during product development to discover potential security vulnerabilities. But a better way is to establish a product development process that meets regulations and implement security design principles at each stage. Meanwhile, automated tools are used for detection in the testing phase to reduce the cybersecurity risk of the product before it goes on the market, so that the product launch plan will not be delayed due to cybersecurity issues.

Automated detection tool to explore unknown vulnerabilities-HERCULES SecDevice

HERCULESSecDevice is an automated tool designed for the cybersecurity testing needs of IoT, IIoT and medical equipment products. The detection range includes known vulnerabilities, unknown vulnerabilities, webpage vulnerabilities, Wi-Fi vulnerabilities, Denial of Service (DoS) tests, backdoor tests, etc. It can support more than 60 protocols. Its diversified and extensive support can help connected products to effectively identify known and unknown vulnerabilities during the development process.

Excellent functions of HERCULES SecDevice are conducive to fuzz testing

Rich protocol support to meet industry testing needs

HERCULESSecDevice supports various protocols at the network level across layer 2 to layer 7 of the OSI model, including more than 60 protocols such as Core Network, IIoT, Web Application, VoIP/IMS, Wireless, etc. The richness of its support is sufficient to meet the testing needs of different industries, such as modbus/DNP3 commonly used in industrial control, RTSP/RTCP/RTP commonly used in security control, HTTP and Web Application that are prone to problems in Netcom devices, and Wi-Fi protocols commonly used in IoT devices. HERCULESSecDevice has a wide range of protocol support, which is not only suitable for IoT device manufacturers, but also suitable for laboratories that conduct security vulnerability detection for various industries. For the detailed protocol support of HERCULESSecDevice, please refer to the Datasheet.

Precise positioning technology provides test results with near-zero misjudgment

Although the fuzz testing often has misjudgments causing the problem of manual repeated verification, the unique abnormal positioning technology of HERCULESSecDevice can greatly reduce this kind of problems. When the DUT detects an abnormality, HERCULESSecDevice’s precise positioning method eliminates the false positive situation through active response analysis and repeated verification methods, ensuring that the abnormal conditions of the device do not occur randomly to reduce misjudgments, while reducing the time for manual screening of test results.

Perform automated security vulnerability scans on a regular and continuous basis

In order to meet market demand, the software update cycle is getting shorter, causing a great burden on the development and testing team. It is a challenge to complete cybersecurity testing in a limited time, while taking into account the quality of testing. Therefore, automated and reliable tool is essential for assistance. HERCULESSecDevice provides an integrated and easy-to-use interface, so that the regular testing process of each software revision and upgrade can no longer consume a lot of human resources. In addition, its built-in DUT restart function allows the tested device to automatically restart to continue the next test task when it encounters an abnormality and cannot continue the test work, thereby saving the time of waiting for manual restart.

Identify product vulnerabilities and cybersecurity risks in the early development stages

A complex IoT environment is composed of sensors, webcams, routers and servers. The hybrid network environment composed of these devices makes cybersecurity risks more diverse and has a wider impact. HERCULESSecDevice provides support for the main network communication protocols used in the operation of various connected devices, and uses fuzz testing technology to discover hidden cybersecurity vulnerabilities in the device. Taking the following figure as an example, HERCULESSecDevice will send variant packets conforming to the protocol according to different communication protocols, and continue to send different variant packets to the DUT and monitor its response. If there is an abnormal response, it means that a potential vulnerability of the device has been found. This approach can assist in troubleshooting during the design and testing stages, avoiding problems that are discovered after the device leaves the factory, while avoiding increased costs due to repairs and recalls.

Conclusion

In the environment of the IoT, known vulnerability scanning is the basic item of IoT device detection. However, solving product vulnerabilities and cybersecurity risks cannot rely solely on known vulnerability scans, especially for IoT devices with very different architectures and functions. It is necessary to explore the unknown vulnerabilities of IoT devices through a specially tailored fuzz testing tool to effectively prevent potential risks from becoming the tricky zero-day attacks in the future.