Mu-4000 Security Analyzer: Security Gets Warm And Fuzzy

Deploying flawed software is expensive, and as more formerly internal-facing applications gain shiny new Web front ends, the need for secure coding practices is increasing. So how can you safely poke and prod your apps to see if they'll break -- or worse, open doors for attackers?

The most extensive -- and expensive -- computational attack tool: the mind of a human penetration tester or application security guru. On the development side, source-code analysis tools provide value. But if you have access to the app only once it's deployed or compiled, black-box testers, like static vulnerability scanning tools and fuzzers, are your best bet.

Fuzzers attempt to explore the boundaries of file formats, protocols, or interfaces. With dual uses in both quality assurance and security, fuzzers can make applications more robust. By combining intelligent templates of what protocols look like and modifying all mutable fields -- and sometimes even supposedly immutable ones -- fuzzers are especially good at crashing applications and devices, and they'll sometimes find exploitable conditions; for more on fuzzing see a primer here.

Data Privacy
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS | TUTORIALS | STRATEGY | MORE

We brought one fuzzing appliance, Mu Security's Mu-4000 Security Analyzer, into our University of Florida Real World Labs. This baby isn't inexpensive, starting at $40,000 and ranging up to $300,000 if you want the full set of protocols -- obviously not chump change. The 55 protocols offered at press time range from ARP to L2TP to VRRP. The Mu-4000 competes with open-source and commercial software fuzzers, many of which come with significantly fewer digits on their price tags.The Mu-4000 will be most useful for large embedded-device vendors that want to have multiple fuzzers banging away at their products. Among software vendors, it's best suited to those whose products do lots of protocol parsing.

Many software vendors serious about security build their own in-house fuzzers. This is especially true in environments that have developed custom protocols. While the Mu-4000 can be integrated into such an environment using an external attack generator -- another host that can be triggered to send attacks by the Mu -- any organization sophisticated enough to develop its own protocol fuzzer is probably more comfortable using one of the free open-source fuzzing frameworks to handle the management and automation aspects of the analysis process.

The value the Mu-4000 brings to the table includes its general framework that can manage automated testing, reboot devices, log performance responses, and more, but it'd be hard to justify the cost of the product with that alone. The primary draw for most will be its extensive protocol suites that allow the device to, out of the box, be up and running within minutes, throwing packets of every sort at apps to see how they handle them. The Mu's cost will vary based on what protocols are included, so whether the product can pull its weight for its price is heavily dependent on the environment.Surviving a Crash Test
A tester that is supposed to crash its targets presents some unique challenges. For example, if you crash the software under test and its host machine is toasted too, you'll need to restart the box. Of course, the idea is that the fuzzer does its work without babysitting, so it needs to have the ability to restart the test conditions should it successfully kill something. The Mu-4000 addresses this through two in-line power ports that can automatically reboot downed devices. Alternatively, it can communicate with an SNMP-enabled power distribution unit to restart crashed targets.

Monitoring is also important. If you're trying to crash a device, you need to know what different failure modes look like. To that end, the Mu-4000 has two serial ports for access to devices and comes with a number of prebuilt monitors to verify device operation such as syslog monitoring, command execution, and so on.

In-line power control is one of the greatest distinguishing characteristics of a fuzzing appliance versus fuzzing software. Unless you already have a remotely manageable PDU that the software can use to restart a device under test, investing in an appliance might be worthwhile. While BreakingPoint Systems' BPS-1000 and BPS-10k appliances also support in-line power ports for local reboots, most of Mu's other competitors are software-based.There are open-source choices as well, including Sully (www.fuzzing.org/fuzzing-software), GPF (www.vdalabs.com/tools/efs_gpf.html), and SPIKE (www.immunitysec.com/resources-freesoftware.shtml), though these frameworks aren't nearly as easy to use, nor do they include some of the advanced features of the Mu-4000, like automatic response time monitoring. On the commercial side, Beyond Security's beStorm and Codenomicon's Defensics software compete.

The other advantage of an appliance in the fuzzing world is speed. Fuzzing isn't supposed to be fast; the goal is to iterate through as many variants as possible. But an appliance can be tuned and tweaked, or in the case of BreakingPoint Systems' appliances, include custom hardware to speed up the process.

Of course, each product takes a slightly different approach to security analysis. Most include static vulnerability databases in addition to their fuzzing capabilities to find new vulnerabilities, but some place different emphasis on each stage. The Mu-4000 is clearly more focused on the intelligent fuzzing aspect than static analysis. In fact, the base-model doesn't even include static vulnerabilities, which are available as a $15,000-per-year add-on. The database (nearly 1,000 checks) is updated about every two weeks.

A new feature in Mu's latest release is an attack time chart. Attacks that don't necessarily crash or hang a system but still exhibit some impact on performance might be worth investigating more closely. Being able to graph response times may also help detect memory leaks.

While the Mu didn't uncover any immediate problems in the NAS we tested in our lab, that might be because the storage vendor had done some fuzzing of its own before shipping the product. It's hard to fault a fuzzer for not finding problems where there may not be any, so we'll keep the Mu around for a bit to test future products that come through the lab. Watch for updates.Jordan Wiens is a Network Computing contributing technology editor. Write to him at [email protected].