// JSON-LD for Wordpress Home, Articles and Author Pages. Written by Pete Wailes and Richard Baxter. // See: http://builtvisible.com/implementing-json-ld-wordpress/

Archive for January, 2011

Fuzzing – A Powerful Technique for Software Security Testing

Friday, January 21st, 2011

I was participating in a code review today and was reminded by a senior architect, who started working as an intern for me years ago, of a testing technique I had used with one of his first programs.  He had been assigned to create a basic web application that collected some data from a user and wrote it to a database.  He came into my office, announced it was done and proudly showed it to me.  I walked over to the keyboard, entered a bunch of junk and got a segmentation fault in response.

Although I didn’t have a name for it, that was a standard technique I used when evaluating applications.  After all, the tried and true paths, expected inputs and easy errors will be tested early and often as the developer exercises the application using the basic use cases.  As Boris Beizer said, “The high-probability paths are always tested if only to demonstrate that the system works properly.” (Beizer, Boris. Software Testing Techniques. Boston, MA: Thomson Computer Press, 1990: 76.)

It is unexpected input that is useful when looking to find untested paths through the code. If someone shows me an application for evaluation the last thing I need to worry about is using it in an expected fashion, everyone else will do that.  In fact, I default to entering data outside the specification when looking at a new application.  I don’t know that my team always appreciates the approach.  They’d probably like to see the application work at least once while I’m in the room.

These days there is a formal name for testing of this type, fuzzing.  A few years ago I preferred calling it “gorilla testing” since I liked the mental picture of beating on the application. (Remember the American Tourister luggage ad in the 1970s?)  But alas, it appears that fuzzing has become the accepted term.

Fuzzing involves passing input that breaks the expected input “rules”.  Those rules could come from some formal requirements, such as a RFC, or informal requirements, such as the set of parameters accepted by an application.  Fuzzing tools can use formal standards, extracted patterns and even randomly generated inputs to test an application’s resilience against unexpected or illegal input.

(more…)

Tag, You’re It!

Wednesday, January 12th, 2011

The Internet is full of examples of simplifications creating vulnerabilities.  A good number of these can be represented as indirection enablers.  IP addresses, domain names, URIs, tiny URLs, QR Codes and now Microsoft tags.  Each of these serves the purpose of simplifying and decoupling.  We have seen many exploits for the first four, what about these last two?

As you likely know, QR Codes and Microsoft tags are graphical images targeted at print media, though there is no reason they can’t be used in an online fashion.  They are most often presented as rectangular graphics (examples below).  The reason for using them is to provide an easy way for someone to access a web page (or other online resource) related to the printed content.  Since these images represent character data they can also be used to house information, like contact details, that do not require online access to interpret.

The use case is simple: install a special program that interprets the codes or tags; point the camera from a smart phone or computer at the graphic; and voilà, your phone presents a web page, phone number or other embedded content. Basically this avoids having to manually enter a URL.  Depending on a company’s marketing strategy this is a powerful feature since a particular ad might want to direct a person to a URL that embeds  information about the specific advertisement, media source, publication page and so forth.  Typing in a complicated URL would put off many people but this removes most of the effort while making the print media interactive.

The main issues with adoption are educating the public about the use of these codes and getting people to install the reader software.  Some of you may recall Radio Shack trying to do something similar several years ago.  They created a scanning device, given out for free, that people had to connect to their PCs.  They could then scan a specific item in a Radio Shack catalog or advertisement and be brought to a web page with detailed information and ordering instructions.

Although that particular attempt failed, these newer approaches have the advantages of being broadly available, leveraging a common accessory on a smart phone (camera) and providing benefits to more than one company.  It will be interesting to see if any of the competing standards catch on with the general public (beyond the two mentioned already there are others such as Data Matrix, Quickmark and PDF417).

My concern, however, isn’t whether these graphical links become popular, it is whether they present another security risk. I believe that they do, in a manner similar to Tiny URLs, yet possibly more insidious.

(more…)

How I Spent My Christmas Vacation

Wednesday, January 5th, 2011

(or Upgrading to Android and Windows 7)

The holidays are usually a time I can use to catch-up on some extra reading or research.  This year I had two major infrastructure changes that occupied my time.  I moved from my Blackberry Storm to an HTC Incredible and from my old Gateway M680 with Windows XP to a Dell Vostro 3700 running Windows 7.  It has been a bumpy couple of weeks getting my virtual life back in order.

Before getting into some of the details of the experiences, I’ll summarize by saying that both upgrades were worth the learning curve and associated frustration.  The Incredible’s hardware and the Android OS are orders-of-magnitude beyond the Storm in terms of usability, reliability, and functionality.  On my computer, Windows 7 (64-bit professional version) provides a clean and efficient environment.  The compatibility with 32-bit applications has worked flawlessly so far.

The phone journey…

I ordered the Incredible with the intention of switching over to it during the week before Christmas.  I would be off from work that week so any issues with email and calendar wouldn’t pose much risk.  However Verizon had other plans.  A day after the Incredible arrived they shut off my Storm.  This meant I had to get the Incredible going immediately.  This was during a week that I was traveling to Alabama and Vermont so I needed my cell phone working reliably.

I was pleasantly surprised at how quickly I was fully operational with the basic services (phone, email and calendar).  Blue Slate uses Google as our hosted email service so its ease of integration with the Android environment isn’t a surprise.  The phone setup process through Verizon has changed since I got my Storm several years ago.  Making on-line changes to my services is now simple.  I quickly expanded my data plan so that I could use the 3G Mobile feature of the Incredible while at the client’s site.  No issues at all!

My main disappointment with the Incredible is its battery life. With my Storm I could go days without recharging.  Now I have to recharge my phone every night.  I’ve gone through the “kill the app” phase and found that process doesn’t really help.  I use WiFi as much as possible since that is supposed to save battery life over using the cell connection to access email and internet services.  I keep the screen dimmed and turn off location services when they are not needed.

On the bright side, the variety of applications, including a nice SSH tool makes the phone amazingly versatile.  I don’t have to fire up my computer to check on a batch job or fix a basic database problem on our Linux servers.  The GPS services surpass my Magellan’s capabilities so I have one less device to carry with me on trips.

All in all I’m very pleased with my move to the Incredible.  I probably would have considered the iPhone but really prefer Verizon’s coverage.  This phone should serve me well for my 2-year contract.

The computer journey…

My new Dell arrived several weeks before Christmas.  I put off doing anything with it, knowing that the process of moving my virtual life, installed and configured over the course of 4 years on my trusty Gateway laptop, would be onerous.  I’m glad I waited.  Although the Dell is a great machine, the process of getting products installed (or obtaining newer versions) and getting files and configurations in place took several days.

(more…)