14.1 C
London
Thursday, November 23, 2017
Home Tags Fuzzing

Tag: Fuzzing

Neural fuzzing can help uncover bugs in software better than traditional tools, company says.
Move along. Nothing to see here.

By the way, try this flash drive in your laptop, ta The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkal...
Linux 4.14 release candidate five is out. "Go out and test," says Linus Torvalds.
But he's not at all keen on Santa Claus or fairies Linus Torvalds release notification for Linux 4.14's fifth release candidate contains an interesting aside: the Linux Lord says fuzzing is making a big difference to the open source operating system.…
More than 4.8 billion automated tests show that certain industriesmdash;such as industrial control systems and the Internet of Thingsmdash;remain fertile ground for vulnerability researchers.
Microsoft's enterprise customers can soon use its Azure-hosted fuzzing service to ferret out bugs in their own Windows and Linux applications.
Chocolate Factory bearing gifts to improve open source projects Google wants more open source projects to include fuzzing during their development cycle, and to help things along, it's announced a rewards program that goes as high as US$20,000.…
Oracle is patching a long list of different vulnerabilities in its software portfolio.

This time, it's the Oracle E-Business Suite that is getting the most patches. Oracle is out with its first Critical Patch Update (CPU) for 2017 and it's a big one.
I...
Segfault, segfault black out Smart meters are 'dangerously insecure', according to researcher Netanel Rubin, with insecure encryption and known-pwned protocols - and, worryingly, attacks reach all the way to making them explode. The utility hacker and founder of Vaultra derided global governmental efforts to install the meters as reckless, saying the "dangerous" devices are a risk to all connected smart home devices. Smart meters can communicate with devices inside homes, such as air conditioners, fridges, and the like.

A hacker who could break into the meters could control those, potentially unlocking doors. They could also manipulate the meter's code to cause fires, something that's trivially easy at mains a.c. voltages. "An attacker who controls the meter also controls its software, allowing them to literally blow the meter up. "If an attacker could hack your meter, he could have access to all the devices connected to the meter. "The smart meter network in its current state is completely exposed to attackers." Rubin acknowledged some complaint over fear-mongering from the security audience at the Chaos Communications Congress in Hamburg, Germany, but says his description of exploding boxes is to deliver the message of smart metre insecurity to the wider public. He fended off comments that triggering explosions through hacking was not possible, saying it had been acknowledged in the US [The Register could not at the time of writing independently verify that claim]. The physical security of the meter is strong, but hackers still have plenty of wireless vectors to attack. Rubin lists smart meters' use of Zigbee or GSM protocols, often left insecure and unencrypted, or at best secured with the GPRS +A5 algorithm which is known to be broken for more than five years. Attackers can also broadcast over the top of meters' comms protocols forcing all units in an area to connect to malicious base stations using hardcoded credentials. The access grants hackers direct access to the smart meter firmware for deep exploitation. "All meters of the same utility use the same APN credentials," Rubin told the applauding audience. "One key to rule them all." Worse, Rubin found smart meters add home devices handing over the critical network key without first checking if the gadgets should be added.

This opens an avenue for attackers to masquerade as home devices, steal the key, and impersonate the meter. You can communicate with and control any device in the house from way across the street, open up locks, cause a short in the electricity system, whatever we want to do. "A simple segmentation fault is enough to crash the meter, causing a blackout at the premises," Rubin says. He says the attack vectors would have been erased if proper encryption was used, and the network was segmented instead of treated as a "giant LAN". Youtube Video The attacks were in 2009 realised in Puerto Rico when hackers caused some US$400 million in billing fraud. Rubin says meters ability to communicate with internal smart home devices is only the first step as utilities expand in the future to form city-wide mesh networks with city smart appliances. "The entirety of the electricity grid, your home, your city, and everything in between will be in control of your energy utility, and that's a bit scary. About 40 percent of the smart metre market is held by Itron, Landis and Gyr, and Elster. The European Union wants to replace more than 70 percent of electricity meters with smart versions at a cost of €45 billion.

There are already some 100 million meters are installed globally. Rubin expects a sharp increase in hacking attempts, and called on utilities to "step up". He released an open source fuzzing tool to help security researchers test their own meters. "Reclaim your home, before someone else does." ® Sponsored: Next gen cybersecurity.
Visit The Register's security hub
A new Google program aimed at continuously fuzzing open source software has already detected over 150 bugs. The program, OSS-Fuzz, currently in beta mode, is designed to help unearth programming errors in open source software via fuzz testing.

Fuzz testing, or fuzzing is when bits of randomly generated code is inputted into programs as a means to discover code and security flaws. Chrome security engineers Oliver Chang and Abhishek Arya, Google software engineers Kostya Serebryany and Mike Aizatsky, and Meredith Whittaker, who leads Google’s Open Source Research group, announced the project last Thursday. Our fuzzing-as-a-service for opensource software is now in beta! https://t.co/wYPxBNeEgO — Kostya Serebryany (@kayseesee) December 1, 2016 The program was developed with help from the Core Infrastructure Initiative, a Linux Foundation collaborative that counts Cisco, Facebook, and Microsoft among its members. “Open source software is the backbone of the many apps, sites, services, and networked things that make up ‘the internet.’ It is important that the open source foundation be stable, secure, and reliable, as cracks and weaknesses impact all who build on it,” the engineers wrote Thursday, “OSS-Fuzz’s goal is to make common software infrastructure more secure and stable by combining modern fuzzing techniques with scalable distributed execution.” The project is built on fuzzing engineers such as libFuzzer, sanitizers, AddressSanitizer and a distributed fuzzing infrastructure that catalogs fuzz statistics called ClusterFuzz. The program has identified bugs in projects pcre2, libchewing and FFmpeg so far.

Even more impressive is that Google claims OSS-Fuzz is cranking out four trillion test cases a week. Engineers say FreeType, an open source library that’s used to display text, is a perfect example of what OSS-Fuzzing can achieve. One of FreeType library’s developers, Werner Lemburg, adopted OSS-Fuzz early on.
In October, after a heap buffer overflow was identified in the library, OSS-Fuzz notified the maintainer, who went on to fix the bug.
It was confirmed fixed by OSS-Fuzz the same day, Google says. While the program is in its infancy, developers and open source proponents have lauded Google for the program. Alex Gaynor, who writes a lot of open source code and previously served as the director of the Python Software Foundation and the Django Software Foundation, tested OSS-Fuzz late last week and called the experience “extremely good.” “I definitely think it’s something that every OSS project should take a look at,” Gaynor told Threatpost Monday. Gaynor, who penned a blog entry around his experience on Saturday, used OSS-Fuzz to test libyaml, a C library YAML 1.1 parser and emitter that’s the basis for both Python and Ruby’s YAML libraries.

The program ran 17 billion testcases against the library in under a day, according to Gaynor, roughly 30 days of CPU time in less than a calendar day. While developers have to build fuzzers specific to their project, OSS-Fuzz does most of the work, Gaynor says. He added that in his short experience, sending pull requests for projects is easy enough. The program will file any bugs it discovers privately and leave a comment when it thinks a crash has been fixed.
It makes the bug public seven days after it’s been fixed and even “handles automatically rebuilding when the upstream source changes,” Gaynor points out. “It was almost no work to write a fuzzing function and get it running, and OSS-Fuzz handles tons of the details around making fuzzing at scale practical; this makes the experience far more pleasant than if I’d jerry–rigged something together myself,” Gaynor, who currently works for the United States Digital Service–part of the Executive Office of the President, wrote. Gaynor said Monday the only area OSS-Fuzz might need a slight tweak in is its user interface. “In terms of areas for improvement, the biggest one would be the UI used for looking at stats and crash reports, which needs a bit more polish for non-internal audiences,” Gaynor said. Open source software experts like Jim Zemlin, executive director at the Linux Foundation, also took time to laud the project on Twitter last week. This is making the internet more secure with thanks to @mer__edith and Google team.

Devs should check this out: https://t.co/kaPfbytvw6 — jzemlin (@jzemlin) December 1, 2016 Now that the program has been announced, Google claims its main focus is fostering OSS-Fuzz usage. The company is encouraging open source projects, as long as they have a large user base, to join OSS-Fuzz.

By doing so, developers would have to subject themselves to Google’s 90-day disclosure deadline but they’d also be joining a rich open source community, the engineers say. While often viewed as a nuisance, low level bugs like buffer overflow and use-after-free vulnerabilities can have a pivotal impact on software security, especially in the open source realm. Vulnerabilities in libStageFright, a software library coded in C++; part of the Android Open Source Project, led to a series of bugs last year which went on to enable remote code execution and privilege escalation. The venture is one of the latest efforts from the CII to bolster open source software security.

Earlier this year the consortium unveiled a badge program designed to help developers self-certify their projects.

The program, which counted GitLab, Node.js, and OpenSSL as early adopters, encourages open source software to follow best practices and self-disclose their security aspects. The CII was also behind the Open Crypto Audit Project, which was responsible for last year’s TrueCrypt audit and also helped fund the current large scale audit of OpenSSL.
Building software securely requires a verifiable method of reproduction and that is why the Linux Foundation's Core Infrastructure Initiative is supporting the Reproducible Builds Project. In an effort to help open-source software developers build more secure software, the Linux Foundation is doubling down on its efforts to help the reproducible builds project.

Among the most basic and often most difficult aspects of software development is making sure that the software end-users get is the same software that developers actually built."Reproducible builds are a set of software development practices that create a verifiable path from human readable source code to the binary code used by computers," the Reproducible Builds project explains.Without the promise of a verified reproducible build, security can potentially be compromised, as the binary code might not be the same as the original developer intended.

The Reproducible Builds project benefits from the support of the Linux Foundation's Core Infrastructure Initiative (CII).CII was founded in the aftermath of the open-source Heartbleed SSL vulnerability in 2014, as a way to help provide resources and direction in a bid to secure open-source code. CII has raised over $5.5 million from financial backers including Adobe, Bloomberg, Hewlett-Packard, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco. In June 2015, CII announced its initial support for the Reproducible Builds effort, providing the project with $200,000 in funding. Now CII is committing to renewing its support for Reproducible Build with an additional $225,000."The first chunk of funding helped deliver reproducibility-related debugging tools such as diffoscope," Nicko van Someren, CTO of the Linux Foundation, told eWEEK.The diffoscope open-source tool provides developers with an in-depth comparison of files, archives and directories.
Van Someren added that CII's initial support of Reproducible Builds also enabled the project to spend significant time investing in a reliable and flexible framework for testing the reproducibility of software packages within Debian and other operating systems."Using this framework, combined with efforts from the rest of the Reproducible Builds Project, has resulted in 91 percent of the packages within the testing Debian distribution becoming reproducible," Van Someren said.With the renewed support for Reproducible Builds, Van Someren said that in addition to enabling the project to 'double-down' on the previous efforts, his expectation is that new tools will also be built.

Additionally the plan is to rework the documentation for upstream open-source projects as well as to experiment and ultimately deliver tools to end-users."For example, users may wish to forbid installation of packages on their system that are not reproducible," he said.While the ability to have reproducible builds is an important component of ensuring secure software, the delivery mechanism by which software gets to users also needs to be secure.
In January 2016, the popular open-source Drupal content management system (CMS), used by WhiteHouse.gov among others notable deployments, came under criticism for not providing a secure update mechanism.The challenge in that case, as with many others, is that the software wasn't always being delivered over an HTTPS encrypted link.CII is working to also help improve security in the area of secure software delivery in several ways. One of those ways is through the Let’s Encrypt project, which is an effort to provide free SSL/TLS certificates for websites.
Van Someren noted that Let's Encrypt helps developers in setting up HTTPS servers and getting certificates as simply as possible. Let's Encrypt is operated as a Linux Foundation Collaborative Project.CII also has a Best Practices Badge for Open Source Projects."One of the requirements for achieving the badge is for the project to be in control of a HTTPS server from which the project can be downloaded," Van Someren said. "So far 45 projects have been awarded a badge, with more than 200 in process of obtaining one."In addition to renewing funding for the Reproducible Builds project, CII also recently renewed funding for The Fuzzing Project, False-Positive-Free Testing Project, OpenSSL, OpenSSH, Network Time and Best Practices Badging Projects.

The CII is also likely to expand its supported projects roster with more than 20 projects currently in the process of submitting applications."The CII Steering Committee will of course assess these once they have been submitted and will award funds as budget allows," Van Someren said. "Our total grant budget is $1.6 million annually."Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.