Archive for Research

Attack Surface Coverage

The concept of Attack Surface is a formal way of quantifying the exposure of a connected system. It is a measure of exposure, not of vulnerabilities. However, two aspects of Attack Surface, channels and protocols, are key to figuring out how to attack a system and where its failure points are. In the last blog post about mutations, I wrote about how we can create reusable mutation objects that can be plugged into arbitrary protocols, and how we can use code coverage as one metric for measuring their effectiveness. From a system-level perspective, I want to introduce the new notion of Attack Surface Coverage.

Heuristics for Packet Field Identification

When performing any type of protocol fuzzing, one must obtain three key pieces of information about the target protocol: structure, state and semantics. The structure of a network protocol is the format of its messages: each message contains a series of fields which, at the simplest level, are integers and strings. When dealing with a protocol that has public specifications, this information is easily obtained. However, what is one to do when the specs are not publicly available, say in the case of a proprietary industrial control and automation protocol?

O.O.M.P.H.

Object Oriented Mutations for Protocol Hardening.

Seriously though, I want to write about the process through which we create mutations and how they ultimately get linked into an assorted set of seemingly unrelated protocols. The takeaways (for the impatient) are that mutations are really unit tests, but they have their origins in the following:

  • Protocol specification
  • Code reviews
  • Known vulnerabilities that other people have found
  • Expertise
  • Structure
  • Semantics
  • State
