ARN

Mu Security Analyzer
Mu-4000 fuzzer shines with wizard-driven test configuration, intelligent workflow, excellent vulnerability profiling, and auto-generated zero-day exploits
Roger A. Grimes (InfoWorld) 04 January, 2008 07:28:03
Mu-4000 Security Analyzer: The Mu-4000 uses published vulnerabilities, existing external scripts, and a stateful fuzzer to find security weaknesses and performance limitations in network devices and applications. The Mu-4000 carefully monitors how the target device responds to protocol mutations -- dynamically generated packet streams designed to find software implementation flaws by violating the state, structure, or semantics of a given protocol specification.

Getting started: From the home page of the Mu-4000's Web-based UI, users can examine previously collected results, create new analyses, create and edit analysis templates, and configure and administer the appliance. A status window at the top of the page shows currently running processes, and lets you toggle among them.

Setting up the test: After you set the IP addresses of the Mu-4000 interfaces and targets, configuring a protocol mutation attack starts with establishing a successful protocol-layer connection to the target. For example, in this view the multi-step exchange required to establish an SSH session is shown on the left, while the detail of a selected message is shown on the right. If you select a mutate-able message, you can then choose from a variety of mutation options and see how the mutation changes the packet.

More on the mutation explorer: The more complex the protocol, the more difficult it is to find the right protocol configuration settings to create a successful connection. The mutation explorer helps point the way by listing the sequence of steps in the protocol exchange, highlighting exactly where failures occur, and decoding the protocol exchange down to the field level. The decodes show valid ranges for each field and the effect of the mutation on the formerly pristine packet.

Setting up monitors: Monitors allow users to observe what's happening inside the target device during a test. A monitor might use a serial console connection to the target, or an inline SSH or Telnet connection over the attack interface, or a separate system connected to the target by other means. A fault inspector, shown, is a command monitor that observes the output of a process, a script, or any other command run inside the target or a proxy monitor machine. Fault isolation is triggered based on pre-defined "interesting" output.

Target CLI: When setting up a monitor for a target that has a command line interface, it's useful to log in to the target manually and run some commands, check the output of a program, or examine the format of a log file. The Mu-4000 creates an interactive CLI inside the browser that is functionally equivalent to running a terminal emulation session from a laptop. Here we see the output resulting from typing the "top" command in the target-CLI window.

Event triggers: The Mu-4000 can execute a series of events at almost any stage of a lights-out analysis process. For example, if a fault is found in a long-running analysis, the Mu-4000 could log into a nearby system and run a script to send an SMS message to your cell phone. Here, the Mu-4000 is configured to record the output of the "top" command whenever it performs the valid test case, so as to track the activities of the top processes during the analysis.

Running the analysis: The next step is to run the analysis. As the Mu-4000 generates its test cases, an engine log monitors the progress in real time. After the analysis completes, users can look back at the recorded response-time or latency data (including the minimum, mean, median, and maximum values for each variant), as well as any fault conditions, collected for each protocol attack that comprised the analysis.

Investigating faults: The fault viewer provides detailed information on how the protocol works and how the Mu-4000 performed the testing. It also allows you to see the metadata associated with each fault, including a packet capture, a proof-of-concept exploit in the form of a Linux executable, a manager-friendly report, the engine log showing the fault isolation procedure, and an XML file detailing the protocol exchange.

Repeatable results: All aspects of an analysis configuration can be saved as editable and shareable XML templates. These templates are easy to re-run to show repeatable results (as shown by the first two analyses here) or to verify a fix. After a patch or update is made available, simply locate the original analysis and click the "Rerun" link.
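
The monitor and results captions above describe two things a test harness records per variant: whether monitor output matched pre-defined "interesting" text, and the minimum, mean, median and maximum response time. The sketch below is an added example, not code from the Mu-4000 or from the article; the fault patterns, the record layout and the sample records are all assumptions constructed for illustration.

```python
import re
import statistics

# Hypothetical "interesting" output patterns; the article does not list the
# ones the appliance ships with.
FAULT_PATTERNS = [re.compile(p, re.I)
                  for p in (r"segfault", r"core dumped", r"panic", r"out of memory")]

# Constructed records: (protocol attack, variant, response time in ms or None
# when the target never answered, monitor output captured for that test case).
RESULTS = [
    ("ssh-session", "valid",     12.0, "sshd[411]: connection accepted"),
    ("ssh-session", "valid",     14.0, "sshd[411]: connection accepted"),
    ("ssh-session", "variant-1", 15.0, "sshd[412]: bad protocol message"),
    ("ssh-session", "variant-1", 95.0, "sshd[413]: bad protocol message"),
    ("ssh-session", "variant-1", 40.0, "sshd[414]: bad protocol message"),
    ("ssh-session", "variant-2", None, "kernel: sshd[415]: segfault at 0"),
]

def inspect(output):
    """Return the text that matched a fault pattern, or None if output is clean."""
    for pattern in FAULT_PATTERNS:
        match = pattern.search(output)
        if match:
            return match.group(0)
    return None

def summarize(results):
    """Group records by (attack, variant); report latency stats and faults."""
    grouped = {}
    for attack, variant, latency, output in results:
        entry = grouped.setdefault((attack, variant), {"latencies": [], "faults": []})
        if latency is None:
            entry["faults"].append("no response")  # a timeout is itself a fault
        else:
            entry["latencies"].append(latency)
        hit = inspect(output)
        if hit:
            entry["faults"].append(hit)
    report = {}
    for key, entry in grouped.items():
        lat = entry["latencies"]
        stats = {"min": min(lat), "mean": statistics.mean(lat),
                 "median": statistics.median(lat), "max": max(lat)} if lat else None
        report[key] = {"latency_ms": stats, "faults": entry["faults"]}
    return report

if __name__ == "__main__":
    for key, row in summarize(RESULTS).items():
        print(key, row)
```

Comparing each variant's statistics against the "valid" baseline shows performance degradation even when no fault pattern fires.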