INPUT ATTACK TREES
Death of a thousand leaves
Heikki Kortti, Codenomicon, Black Hat Japan, Oct 5-6 2006.
How are vulnerabilities discovered?
• Sheer luck
• Source code inspection
• Reverse engineering
• Observing program behaviour
• Trying malicious inputs
Why luck does not work
• Great if you have it, takes too long for everyone else
• Does not detect bugs by the dozen
• Does not provide details on where the fault is and how likely it is to occur elsewhere
Inspection is slow and error-prone
• Software is complex
• Manual inspection takes ages
• Machine-assisted inspection finds false positives
• Source code may not be available
Reverse engineering reveals only part of the picture
• Great if you’re Halvar Flake, but too hard for everyone else
• Simply a “smoked-glass” view
Observation is tedious
• Trying to assess security by observing how the software functions is like trying to fix a cuckoo clock with an axe
• Observation is very slow
• Creating suitable stimuli to which the software should react is also very slow
Don’t be smart, be evil
• Trying out malicious inputs works well
• Complete coverage = infinite time
• Time can be reduced by generating inputs automatically (fuzzing)
• Fuzzers can be
  • simple (non-structured) or
  • intelligent (structured)
Ways to do input testing
• By hand
• Create a program that tries the inputs for you
• Create a program that creates programs that try the inputs for you
[Figure: timeline T0, T1, T2 … T∞]
The problem with simple fuzzing
• Fuzzing with random data is not enough for complex protocols like TLS or BGP
• A structural model of the protocol is needed
• “Intelligent fuzzing” or “robustness testing”
What makes a viable fuzzing model?
• At a minimum, a fuzzing model has to capture the following:
  • Field-level structures (8-bit integer, date field)
  • Packet-level structures (header+payload)
  • Context structures (packet sequences)
  • Dynamic behaviour (runtime calculations, crypto functions, nonces, timestamps, lengths)
Aiding the design of fuzzing models
• Use existing models
  • ABNF
  • ASN.1
  • XML
• Roll your own
• What makes a good model for designing effective attacks?
Attack trees in general
• Well-known and proven methodology for observing and assessing the security of any system
• Provides a good overall view of the security of a system
• Risks and possible attacks can be viewed at a glance
Sample attack tree
[Figure: tree with root “Gain access to data in system”, branching into “Break physical security” and “Break virtual security”; leaves: “Steal disk”, “View data with Tempest”, “Exploit vulnerability”, “Crack trusted computer”, “Obtain password”, “Access system console”]
Applying attack trees for input testing
• Input tree: all possible inputs for the defined interface
• Attack tree: a catalogue of all possible attacks against a system
• Input attack tree: an input tree augmented with attacks against all input branches
• Charts all of the possible attacks against an interface
Benefits for attackers
• Easy to see which attacks have been tried
• Easy to see which attacks have not been tried
• Easy to see the vulnerable areas
• Easy to feed into a fuzzer generator for creating tests automatically
Benefits for defenders
• What attacks do we need to protect against?
• What areas of the interface definition are too complex to get right?
• Have we tested all of our input handling code?
Benefits for designers
• Easy to see which features are likely to be misimplemented
• Easy to see what branches will be attacked and when
• Similar branches can be compared with existing vulnerabilities
• Great feedback for the next release of the interface definition
Attack subtrees
• Create an attack once, reuse infinitely
• Attacks against a particular datatype can be used again and again
• Examples: date fields, integers, ASCII and UTF-8 strings, C-style format strings, URIs, IPv4 and IPv6 addresses, regexes
Attaching attack subtrees
• Length field
  • Try negative length
  • Try large length
  • Try zero length
Length field attack subtree (detailed)
• 16-bit MSB-first (big-endian) length field, leaves tried:
  0x0000, 0x0001, 0x000f, 0x0010, 0x0020, 0x0040, …, 0x1000, 0x2000, 0x4000, 0x8000, 0xfffe, 0xffff
Using the input attack tree
• Looking at the attack tree already provides good insights
• If tests are created automatically, you may want to create more test cases around the more problematic areas
• More test cases = more problems found
• More test cases = more time for testing
Ways to focus the attacks
• Assign weights to branches
• Complex areas should be heavier
• An automated test generator can steer itself based on branch or leaf weights
• A light branch may merit only a few basic tests
• A very heavy branch needs really thorough coverage
Testing an implementation
• Model the messages and message sequences
• Create the potential malicious inputs for all datatypes, structures and messages
• Attach attack subtrees to the main trunk
• Steer test case selection through weights
• Execute tests and observe the results
• The design and creation of a fuzzing framework and fuzzer have been omitted as trivial
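The steps above, carried out end to end for the “Issue query” branch of the DNS example that follows, as an added Python example; it is not Codenomicon’s code and not the tool the talk alludes to. The tree is a plain nested structure; attack subtrees for a 16-bit section count, a query type and a wire-format name are attached to the fields, and weights decide how many leaves each branch contributes to a fixed test budget. The QNAME subtree carries the label-length items that the later slide “Read the specification like the devil reads the Bible” lists. The field names, weights and the constructed default query are assumptions for illustration; the last step, sending the cases to a server and watching it, is left out along with the fuzzing framework.

```python
"""Input attack tree for a DNS query with weight-steered test selection.
Added example constructed for this page; not Codenomicon code."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# ---- Attack subtrees: written once per datatype, reused on every field ----

def encode_name(labels: list[bytes]) -> bytes:
    """Wire-format name with no validation: the subtree must be able to emit
    exactly what RFC 1035 forbids."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def count_attacks() -> list[int]:
    """16-bit section count (QDCOUNT, ANCOUNT, ...): zero, surplus, sign bit, max."""
    return [0, 2, 0x7FFF, 0x8000, 0xFFFF]

def qtype_attacks() -> list[int]:
    """Reserved, obsolete, meta and unassigned query types; 252 is AXFR,
    which is not meant to be asked over UDP."""
    return [0, 3, 41, 252, 255, 0xFF00, 0xFFFF]

def qname_attacks() -> list[bytes]:
    """Limits read from the spec: labels <= 63 octets, whole name <= 255,
    a zero-length label only as the root terminator."""
    return [
        encode_name([b"a" * 64, b"example"]),         # one label of 64 octets
        encode_name([b"a" * 63] * 4 + [b"example"]),  # 4*64 + 8 + 1 = 265 octets
        b"\x03www\x00\x07example\x03com\x00",         # empty label mid-name; parser stops early
        b"\xc0\x0c",                                   # compression pointer to offset 12 = itself
        b"\x3fabc",                                    # length byte claims 63 octets, 3 follow
    ]

# ---- The tree: input branches with attack leaves hung on them ----

@dataclass
class Node:
    name: str
    weight: float = 1.0
    attacks: list = field(default_factory=list)       # only leaves carry values
    children: list[Node] = field(default_factory=list)

def build_query_tree() -> Node:
    """'Issue query' branch; the question section is the complex part, so it
    is the heavier branch (weights are assumptions for illustration)."""
    return Node("Issue query", children=[
        Node("Break header", weight=1, children=[
            Node("QDCOUNT", attacks=count_attacks()),
        ]),
        Node("Break question section", weight=3, children=[
            Node("QNAME", weight=3, attacks=qname_attacks()),
            Node("QTYPE", weight=1, attacks=qtype_attacks()),
        ]),
    ])

def allocate(node: Node, budget: int) -> list[tuple[str, object]]:
    """Split the budget over children in proportion to weight (largest
    remainder goes to the heaviest) and take that many leaves from each."""
    if not node.children:
        return [(node.name, v) for v in node.attacks[:budget]]
    total = sum(c.weight for c in node.children)
    shares = [int(budget * c.weight // total) for c in node.children]
    for i in sorted(range(len(node.children)), key=lambda i: -node.children[i].weight):
        if sum(shares) >= budget:
            break
        shares[i] += 1
    return [case for c, n in zip(node.children, shares) for case in allocate(c, n)]

# ---- Rendering a selected leaf as a concrete message ----

FIELD_KW = {"QDCOUNT": "qdcount", "QNAME": "qname", "QTYPE": "qtype"}

def build_query(qname: bytes = encode_name([b"example", b"com"]), qtype: int = 1,
                qdcount: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query for one IN record. Nothing is recomputed from
    the fields, so an attacked value goes on the wire exactly as chosen."""
    header = struct.pack("!HHHHHH", txid, 0x0100, qdcount, 0, 0, 0)  # flags: RD only
    return header + qname + struct.pack("!HH", qtype, 1)              # QCLASS = IN

def generate(tree: Node, budget: int) -> list[tuple[str, bytes]]:
    """Traverse the weighted tree and render each selected leaf as a test case."""
    return [(leaf, build_query(**{FIELD_KW[leaf]: value}))
            for leaf, value in allocate(tree, budget)]

if __name__ == "__main__":
    for leaf, msg in generate(build_query_tree(), 10):
        print(f"{leaf:8} {len(msg):4} octets  {msg.hex()}")
```

With a budget of ten, the question branch gets eight slots and the header branch two; QNAME is offered six but has only five leaves, QTYPE gets two, QDCOUNT two. That is the steering the previous slide describes: a light branch yields a couple of basic tests, a heavy one is walked through its whole subtree.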
Example: DNS input tree
• DNS
  • Test client
  • Zone transfer
  • Test server
Testing a DNS server
• Test server
  • Use UDP
  • Use TCP
Testing a server over UDP
• Use UDP
  • Issue query
    • Wait for response
    • Don’t wait for response
Expanding an input tree to an input attack tree
• Issue query
  • Valid query
  • Invalid query
Sample input attack tree for simple DNS queries
• Issue invalid query
  • Break lower level (UDP/TCP, IP, Ethernet)
  • Break DNS TCP length field (TCP only)
  • Break header
  • Break question section
  • Break answer section
  • Break authority section
  • Break additional section
  • Send response as query
  • Combine
Break lower level
• Surprisingly useful for some protocols
• Think complex, layered abominations like SOAP, RPC, Corba, HTTP
• Practical example: a malformed UDP datagram breaks a SIP implementation
Break DNS TCP length
• All length fields are delicious
• Use zero length
• Use too large lengths
• Use too small lengths
• Use negative lengths
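A reusable attack subtree for a length field, applied to the two-octet length prefix of DNS over TCP (RFC 1035 section 4.2.2), as an added Python example that serves both the detailed length-field subtree earlier in the deck and this slide; it is not Codenomicon’s code. The value set generalises the earlier slide’s leaves (zero, one, the power-of-two walk, 0x000f, 0xfffe, 0xffff) to any field width and adds one-too-small and one-too-large relative to the real length; “negative” means the sign bit is set, which a receiver that reads the field into a signed integer sees as a negative number. The framing and reader functions show the dynamic behaviour a fuzzing model has to capture: the length is normally computed at run time, so the model must let a test override it while everything else stays valid. The constructed query and the reader’s checks are assumptions for illustration.

```python
"""Length-field attack subtree and DNS-over-TCP framing.
Added example constructed for this page; not Codenomicon code."""
from __future__ import annotations
import struct
from typing import Optional

def length_attacks(bits: int, actual: int) -> list[int]:
    """Leaves of the subtree for an unsigned big-endian length field of
    `bits` bits whose correct value is `actual`, sorted and de-duplicated."""
    top = (1 << bits) - 1
    values = {
        0, 1,                                   # zero, one
        top, top - 1,                           # 0xffff, 0xfffe: -1 and -2 if read as signed
        1 << (bits - 1), (1 << (bits - 1)) - 1, # sign bit set / largest positive if signed
        actual - 1, actual + 1,                 # one too small, one too large
    }
    values |= {1 << i for i in range(bits)}                       # power-of-two walk
    values |= {(1 << i) - 1 for i in (4, 8, 12, bits - 1, bits)}  # 0x000f, 0x00ff, 0x0fff, ...
    return sorted(v for v in values if 0 <= v <= top)

def dns_tcp_frame(message: bytes, length: Optional[int] = None) -> bytes:
    """DNS over TCP: two-octet length, then the message. The length is a
    run-time calculation; a test must be able to override it."""
    if length is None:
        length = len(message)
    return struct.pack("!H", length) + message

def tcp_length_cases(message: bytes) -> list[tuple[int, bytes]]:
    """One framed test case per leaf of the length subtree."""
    return [(n, dns_tcp_frame(message, n)) for n in length_attacks(16, len(message))]

def split_frames(stream: bytes) -> list[bytes]:
    """Receiver side. A reader that trusts the prefix hands a zero-length or
    truncated 'message' to the parser and loses sync on every later frame;
    this one rejects lengths shorter than a header, lengths past the end of
    the buffer, and leftover bytes that no frame accounts for."""
    frames, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if n < 12 or i + 2 + n > len(stream):
            raise ValueError(f"bad frame length {n} at offset {i}")
        frames.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    if i != len(stream):
        raise ValueError(f"{len(stream) - i} trailing octet(s) not covered by a frame")
    return frames

# Constructed sample: a standard query for example.com IN A, 29 octets.
QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
         + b"\x07example\x03com\x00" + bytes.fromhex("0001 0001"))

if __name__ == "__main__":
    for n, frame in tcp_length_cases(QUERY):
        try:
            split_frames(frame)
            verdict = "accepted"
        except ValueError as e:
            verdict = f"rejected: {e}"
        print(f"length 0x{n:04x} ({n:5d}) -> {verdict}")
```

Only the leaf equal to the real length (29) passes the reader; every other leaf is rejected at the framing layer, which is where a DNS server should stop them before the message parser ever sees the bytes.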
Break header
• Bit-walk through all of the fields in the DNS header
• Interesting branches:
  • Try wrong and non-existing query types
  • Flip the AA, TC, RD, RA fields
  • Break the question/answer/authority/additional counts
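Bit-walking the 12-octet DNS header, as an added Python example (not Codenomicon’s code): every bit is flipped in turn and each case is labelled with the header field it lands in, so a crash can be traced back to a branch of the tree. The named flag flips are the AA, TC, RD and RA branches above, with QR included because flipping it on a query is the later slide’s “send response as query”. The field layout follows RFC 1035 section 4.1.1; the sample header is constructed.

```python
"""Bit-walk over the DNS header with per-field attribution.
Added example constructed for this page; not Codenomicon code."""
from __future__ import annotations
import struct

# (field, width in bits) in wire order, RFC 1035 section 4.1.1; MSB first.
HEADER_FIELDS = [
    ("ID", 16),
    ("QR", 1), ("OPCODE", 4), ("AA", 1), ("TC", 1), ("RD", 1),
    ("RA", 1), ("Z", 3), ("RCODE", 4),
    ("QDCOUNT", 16), ("ANCOUNT", 16), ("NSCOUNT", 16), ("ARCOUNT", 16),
]
assert sum(w for _, w in HEADER_FIELDS) == 96

def field_at(bit: int) -> str:
    """Name of the header field that owns wire bit `bit` (0 = MSB of ID)."""
    pos = 0
    for name, width in HEADER_FIELDS:
        if bit < pos + width:
            return name
        pos += width
    raise IndexError(bit)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Flip one bit, numbering bits MSB-first from the start of the buffer."""
    out = bytearray(data)
    out[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(out)

def bit_walk(header: bytes) -> list[tuple[str, bytes]]:
    """One test case per header bit: (owning field, mutated header).
    The field label is what lets a finding be pinned to a tree branch."""
    if len(header) != 12:
        raise ValueError("DNS header is 12 octets")
    return [(field_at(b), flip_bit(header, b)) for b in range(96)]

# Masks within the 16-bit flags word (octets 2-3 of the header).
FLAG_MASKS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}

def flag_flips(header: bytes) -> dict[str, bytes]:
    """The named branches: flip a single flag and leave the rest intact.
    QR flipped on a query is 'send response as query'."""
    flags = struct.unpack("!H", header[2:4])[0]
    return {name: header[:2] + struct.pack("!H", flags ^ mask) + header[4:]
            for name, mask in FLAG_MASKS.items()}

# Constructed sample: ID 0x1234, RD set, one question, no other sections.
SAMPLE_HEADER = bytes.fromhex("1234 0100 0001 0000 0000 0000")

if __name__ == "__main__":
    for bit, (fld, mutated) in enumerate(bit_walk(SAMPLE_HEADER)):
        print(f"bit {bit:2d} {fld:8} {mutated.hex()}")
    for name, mutated in flag_flips(SAMPLE_HEADER).items():
        print(f"flip {name:2} {mutated.hex()}")
```

Ninety-six cases cover the header exhaustively; the labels make the coverage visible on the tree, which is the property the attacker, defender and designer slides all ask for.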
Break question section
• Break QNAME
• Break QTYPE
• Break QCLASS
• Add more than one question
• Omit question section
• Underflow
Break answer/authority/additional sections
• Add one
• Break all possible RRs and their substructures
• Add more than one
• Underflow
Using weights
• Answer section can contain any number of RRs (resource records)
• RRs have complex substructures
• A server must parse the answer section also in queries
• Weigh down the branch with answer tests
Weighing down the answer tests
• Add answer section
  • Break RRs
    • Break owner
    • Break type
    • Break class
    • Break TTL
    • Break RDATA
RDATA substructures are even more interesting
• Break RDATA
  • A
  • NS
  • CNAME
  • SOA
  • PTR
  • MX
  • …
Send response as query
• Out-of-context messages in a sequence can sometimes be very effective
Combine any previous attacks
• Break question count and question section
• Break length and use underflow
• Use wrong length and illegal characters
• Break answer section and send answer as query
• Break length and use invalid offsets
Read the specification like the devil reads the Bible
• Make labels longer than 63 octets
• Make label sequences longer than 255 octets
• Use a zero-length label in a non-root position
• Try asking for AXFR over UDP
• Use illegal characters
• Try non-specified types
• Try reserved values
• Try invalid combinations (source address = destination address, etc.)
Conclusions
• By viewing an interface as an input tree, we can easily see what its weak points are
• Attacks can be attached to the tree easily
• Tests can be created by traversing the tree
• Tests can target complex areas more heavily
• Can be used for attack and defense
• Can be applied to testing any interface
Inspiration
• Schneier, Bruce: Attack Trees. http://www.schneier.com/paper-attacktrees-ddj-ft.html
• Moore, Andrew; Ellison, Robert; Linger, Richard: Attack Modeling for Information Security and Survivability. http://www.cert.org/archive/pdf/01tn001.pdf
• Convery, Sean; Cook, David; Franz, Matthew: An Attack Tree for the Border Gateway Protocol (obsoleted Internet draft). http://tools.ietf.org/wg/rpsec/draft-ietf-rpsec-bgpattack/draft-ietf-rpsec-bgpattack-00.txt
• Hares, Susan: BGP Attack Trees: Real World Examples. http://www.nanog.org/mtg-0306/pdf/hares.pdf
ANY QUESTIONS?
Heikki [email protected]
THANK YOU!