Security Testing Flashcards

1
Q

What is penetration testing (pentesting)?

A

the process of attacking a piece of software with the purpose of finding security vulnerabilities.
aka
hacking with permission

2
Q

What is automated pen testing?

A
  • fuzzing or fuzz testing - a systematic and repeatable approach to pentesting

3
Q

What is the aim of penetration testing?

A

To find vulnerabilities

4
Q

What is a vulnerability?

A

A security hole in the hardware or software (including operating system) of a system that provides the possibility to attack that system

5
Q

What are examples of vulnerabilities?

A
  • gaining unauthorised access (unescaped SQL commands)
  • stealing confidential information (weak, easy to guess passwords)
  • modifying/corrupting critical data (buffer overflows that permit access to memory outside of the running process)
  • crashing the system or making it unavailable to others (denial of service attack)
6
Q

What is an SQL injection?

A

(answer this mentally)

7
Q

What is a buffer overflow attack?

A

when data is written into a buffer (in memory) that is too small to handle the size of the data.

In some languages, the additional data simply overwrites the memory located immediately after the buffer. If carefully planned, attacker-generated data and code can be written there.
8
Q

What are some ways to prevent security attacks?

A
  • defensive programming that checks for array bounds
  • using programming languages that do this automatically
  • finding and eliminating these problems via reviews and inspections
  • letting hackers find them for us (not recommended)
  • using verification techniques.
9
Q

What are examples of verification techniques?

A

fuzz testing

10
Q

What is fuzz testing?

A

a (semi-)automated approach for penetration testing that involves the randomisation of input data to locate vulnerabilities.
11
Q

How does fuzz testing work?

A
  • a fuzz testing tool (or fuzzer) generates many test inputs and monitors the program behaviour on these inputs
  • it looks for things such as exceptions, segmentation faults, and memory leaks, rather than testing for functional correctness.
  • Typically, this is done live: that is, one input is generated, executed, and monitored, then the next input, and so on.
12
Q

What are the 3 techniques for fuzzing?

A
  1. Random testing
  2. Mutation-based fuzzing
  3. Generation-based fuzzing
13
Q

What is random testing?

A

tests generated randomly according to some probability distribution (possibly uniform) to permit a large number of inputs to be generated in a fast and unbiased way.
14
Q

What are the advantages of random testing?

A
  • often (but not always) cheap and easy to generate random tests, and cheap to run many such tests automatically.
  • unbiased, unlike tests selected by humans (useful for pentesting because the cases that are missed during programming are often due to a lack of human understanding, and random testing may search these out).
15
Q

What are the disadvantages of random testing?

A
  • A large number of test inputs may need to be generated in order to be confident that the input domain has been adequately covered.
  • The distribution of random inputs may simply miss the program faults.
  • It is highly unlikely to achieve good coverage.
16
Q

Why is it hard to achieve good coverage with random testing?

A

If you have a series of conditions, e.g. x == y, then the probability of randomly generating an input that satisfies that case can be very low.

17
Q

What is Mutation based fuzzing?

A

starting with a well-formed input and randomly modifying (mutating) parts of that input, generating (possibly invalid) test inputs.
- the mutations can be random or based on some heuristics.

18
Q

What are the advantages of fuzzing?

A
  • generally achieves higher code coverage than random testing.
  • the issue of tricky branches still occurs, but is less likely if the valid inputs that are mutated already have the correct values to get past the tricky branches.
  • Even though some mutations may change these values, others will change different parts of the input, so the (e.g.) checksum will still be valid.
19
Q

What are the disadvantages of fuzzing?

A
  • The success is highly dependent on the valid inputs that are mutated.
  • It still suffers from low code coverage due to unlikely cases (but not to the extent of random testing).
20
Q

What is generation based fuzzing?

A

using some specification of the input data, such as a grammar of the input, to generate input as opposed to mutating existing input

  • generate data that is syntactically correct for the language being tested
  • generate data that is intelligent/targeted as opposed to random
21
Q

What are the advantages of generation based fuzzers?

A

generally gives higher coverage, as knowledge of the input protocol means that valid sequences of inputs can be generated that explore parts of the program (tricky branches)

22
Q

What are the disadvantages of generation based fuzzers?

A
  • Compared to random testing and mutation fuzzing, it requires some knowledge about the input protocol.
  • The setup time is generally much higher, due to the requirement of knowing the input protocol; although in some cases, the grammar may already be known (e.g., XML, RFC).
23
Q

What is a memory debugger?

A

a tool for finding memory leaks and buffer overflows

24
Q

Why are memory debuggers important?

A

because anomalies such as buffer overflows are difficult to observe from system behaviour
e.g. in a stack buffer overflow, if the overflow is only by a few characters, it would be difficult to detect unless that particular part of memory is accessed again, which may not be the case.

25
Q

What issues are memory debuggers usually looking for?

A
  1. Uninitialised memory - references made to memory blocks that are uninitialised at the time of reference.
  2. Freed memory - reads and writes to/from memory blocks that have been freed.
  3. Memory overflows - writes to memory blocks past the end of the block being written to.
  4. Memory leaks - memory that is allocated but no longer able to be referenced.
26
Q

How do memory debuggers work?

A

By modifying the source code at compile time to include specific code that checks for memory issues; for example, by keeping track of a buffer's size, and then inserting code directly before a write to check whether the data being written is larger than the target buffer.

27
Q

What is the major downside to using memory debuggers?

A

performance cost - the overhead of keeping track of the allocated memory, plus the checks made, is expensive.

28
Q

What is undefined behaviour?

A

something that a program does that causes its future behaviour to be unknown.

29
Q

What are examples of undefined behaviour in C?

A
  • Buffer Overflow
  • Dividing by 0
  • Dereferencing a NULL pointer
  • Overflowing a signed integer
  • Underflowing a signed integer
30
Q

What 3 properties constitute data security?

A
  1. Integrity
  2. Confidentiality
  3. Availability
31
Q

What is the integrity property of data security?

A

prevention of unauthorised data modification.

32
Q

What is the confidentiality property of data security?

A

prevention of unauthorised data disclosure.

33
Q

What is the availability property of data security?

A

ensuring attackers cannot deny legitimate access to data.

34
Q

Why is it harder to find security vulnerabilities that violate confidentiality?

A

integrity or availability violations (e.g. when a program crashes due to a buffer overflow) are directly observable, which is also why they can be caught via fuzzing.

However, the same is not always true for confidentiality violations and, for this reason, using testing to find such vulnerabilities is much harder.

35
Q

overt channels & covert channels

A

refer to notes