Tuesday | 7 October, 2008
ARN
Mu Security Analyzer
Mu-4000 fuzzer shines with wizard-driven test configuration, intelligent workflow, excellent vulnerability profiling, and auto-generated zero-day exploits
Roger A. Grimes (InfoWorld) 04 January, 2008 07:28:03

More on the mutation explorer: The more complex the protocol, the more difficult it is to find the right protocol configuration settings to create a successful connection. The mutation explorer helps point the way by listing the sequence of steps in the protocol exchange, highlighting exactly where failures occur, and decoding the protocol exchange down to the field level. The decodes show valid ranges for each field and the effect of the mutation on the formerly pristine packet.

I first came across the Mu Security Analyzer when a co-worker on a multi-company government project raved about how the appliance found a zero-day vulnerability in an e-mail inspection device that was protecting a top secret government agency. It was a rather simple script bug in the other vendor's product, but it would have allowed uncontrolled code execution. The implication was that our top secret project could have been compromised by an external hacker running penetration tests against our e-mail services. Initially, the manufacturer of the compromised mail filter refused to believe that a weakness existed in its product. That is, until we sent the exploit, automatically generated by the Mu analyzer, that the vendor's engineers could run to see for themselves.

Mu Security's Mu-4000 is a 2U appliance with RAID-configured drives and redundant power supplies that scans other computer devices using known vulnerabilities and malformed (fuzzed) traffic. The goal is to locate both security vulnerabilities and performance problems in the network. The Mu-4000 is constantly updated with the latest published vulnerabilities, but these types of exploits are not the Mu-4000's strong point. Published Vulnerability Attacks (or PVAs as Mu Security calls them) only go back a maximum of three years and comprise slightly more than 1,000 exploits.

Fuzz buster

The Mu's ability to intelligently fuzz traffic is its strongest selling point. Unlike vulnerability scanners or penetration tools that check only for known vulnerabilities, fuzzing can uncover previously unknown vulnerabilities by hitting network devices with mutations of normal packets and commands. The Mu-4000 understands more than 50 different protocols (IPv4, IPv6, VoIP, SIP, CIFS, ICMP, and SSH, among others) and can generate malformed traffic in millions of ways. The Mu-4000 includes the capability to automatically restart hung hosts and capture packet traces (in pcap form) of both sent and received traffic. The Mu can also capture what is going on in the target device's network interface or management port, and fire off scripts or kickstart other monitoring devices when a particular event happens.

I ran the Mu-4000 with its 3.0 release code in a test lab against several popular security appliances and a variety of different computer platforms. The Mu-4000 configures like most any security appliance. You plug a computer into its front console port, connect to the Mu's SSL management port, and configure basic IP information. After that, you can connect using an Internet browser, configure the rest of the device, and start your testing.

The Mu-4000 runs on a version of CentOS (essentially Red Hat Linux) that has been modified so its IP stack will not choke on all the malformed traffic it will be sending. When the device is first started, you must install a license file that specifies which protocols may be attacked. Access to the Mu-4000 can be divided between system admins, who have complete control of the device, and regular users, who can only see results from scans that they create and run. The Mu-4000 has four IP interfaces that can be used in target analysis, and the device can create the attacks or be used as a pass-through device to record information you're gathering with another tool.

Because the Mu-4000 is easily capable of sending millions of attack packets, testing projects can get complex in a hurry. To simplify the process, Mu Security has smartly configured all scanning activity around analysis templates. Creating and using a template is essentially a step-by-step process that the Mu-4000 leads you through while it defines attack types, monitors, and actions to take in response to events. You select protocols and a myriad of custom attack parameters in an attack template. Monitors allow you to capture more information on the target, including from its own management console and log files. For example, if your attack locks up the target, the Mu appliance can capture what the target device's SSH-enabled management console looked like at the moment the device froze. Event triggers allow you to kick off external network monitors or initiate events such as file downloads on remote systems.

Peerless profiles

The resulting template is an XML file that can be sent to other Mu-4000 users so they can duplicate your test. The management and configuration GUI is nearly flawless. It's helpful and wizard-driven to a fault. If you don't like GUIs, you can use XML files to drive the device instead.

When the Mu-4000 finds a vulnerability, it will duplicate the attack to confirm that it is re-creatable, and if so, will then step itself through the entire attack sequence to find out exactly which string of sent information caused the fault. Network packet captures are standard, and that information is included with the information gathered by other monitors to profile the problem. The Mu-4000 profiles security issues better than any other vulnerability assessment tool I've used. Reporting itself is good, but not excellent. Detailed and summary reports are included, but the Mu doesn't allow easy customization of reports, nor does it hook into Crystal Reports, for example.
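As an added illustration (not Mu Security's code and not a real protocol), the following Python sketch mimics the workflow the review describes: field-aware mutation of a pristine packet, a mutation-explorer style decode that shows each field against its valid range, and the reproduce-then-profile step taken when a fault turns up. The message format, the `toy_target` parser with its length-trusting bug, and the sample packet are all constructed for the example.

```python
import struct

# Constructed toy message format, not a real protocol: 4-byte header (version, flags, length) + payload.
HDR = struct.Struct("!BBH")
FIELDS = [("version", 1, (1, 2)), ("flags", 1, (0, 3)), ("length", 2, (0, 1024))]  # (name, bytes, valid range)
PRISTINE = HDR.pack(1, 0, 5) + b"hello"  # constructed sample packet: version 1, flags 0, 5-byte payload

def decode(pkt):
    """Decode a packet field by field, marking whether each value lies inside its valid range."""
    vals = HDR.unpack_from(pkt)
    out = {name: (v, lo <= v <= hi) for (name, _, (lo, hi)), v in zip(FIELDS, vals)}
    out["payload"] = (pkt[HDR.size:], len(pkt) - HDR.size == vals[2])  # valid only if length matches
    return out

def mutations(pristine):
    """Yield (label, packet): each mutation moves one field to a boundary, out-of-range or maximal value."""
    vals, payload = list(HDR.unpack_from(pristine)), pristine[HDR.size:]
    for i, (name, size, (lo, hi)) in enumerate(FIELDS):
        maxv = (1 << (8 * size)) - 1
        for cand in (lo - 1, hi + 1, maxv):
            if 0 <= cand <= maxv:  # skip values the field cannot encode
                yield f"{name}={cand}", HDR.pack(*(vals[:i] + [cand] + vals[i + 1:])) + payload
    yield "length>payload", HDR.pack(vals[0], vals[1], len(payload) + 64) + payload  # length lies

def explain(pristine, mutated):
    """Explorer-style diff: (pristine, mutated, still valid?) for fields that changed or became invalid."""
    p, m = decode(pristine), decode(mutated)
    return {k: (p[k][0], m[k][0], m[k][1]) for k in m if p[k][0] != m[k][0] or not m[k][1]}

def toy_target(pkt):
    """Constructed target with a classic bug: it trusts the length field and reads past the packet."""
    ver, _flags, length = HDR.unpack_from(pkt)
    if ver not in (1, 2):
        return "rejected"
    if length:
        pkt[HDR.size + length - 1]  # IndexError when length exceeds the real payload: the "fault"
    return "ok"

def run_campaign(pristine, target):
    """Send every mutation; resend on a fault to confirm it reproduces, then record the field diff."""
    findings = []
    for label, pkt in mutations(pristine):
        for attempt in (1, 2):
            try:
                target(pkt)
                break  # no fault, move on to the next mutation
            except Exception as exc:
                if attempt == 2:  # faulted twice in a row: confirmed, now profile it
                    findings.append((label, type(exc).__name__, explain(pristine, pkt)))
    return findings
```

Running `run_campaign(PRISTINE, toy_target)` reports only the three length mutations as confirmed faults, each with a field diff showing the length value that no longer matches the payload.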
