Rollout: Mu Makes Security Warm And Fuzzy

SURVIVE THE CRASH TEST

A tester that is supposed to crash its targets presents unique challenges. For example, if you crash the software under test and its host machine is toasted, too, you'll need to restart the box. Of course, the idea is that the fuzzer does its work without baby-sitting, so it needs to have the ability to restart the test conditions should it successfully kill something. The Mu-4000 addresses this through two in-line power ports that can automatically reboot downed devices. Alternatively, it can communicate with an SNMP-enabled power distribution unit to restart crashed targets.

Monitoring is important, too. If you're trying to crash a device, you need to know what different failure modes look like. To that end, the Mu-4000 has two serial ports for access to devices and comes with a number of prebuilt monitors to verify device operation.

In-line power control is a key distinguishing characteristic of a fuzzing appliance versus fuzzing software. Unless you have a remotely manageable protocol data unit that the software can use to restart a device under test, investing in an appliance may be worthwhile. While BreakingPoint Systems' BPS-1000 and BPS-10k appliances also support in-line power ports for local reboots, most of Mu's other competitors are software. Open source choices include Sully, GPF, and Spike, though these frameworks aren't nearly as easy to use, nor do they include some of the advanced features of the Mu-4000, including automatic response-time monitoring. On the commercial side, Beyond Security's beStorm and Codenomicon's Defensics software compete.

The other advantage of an appliance in the fuzzing world is speed. Fuzzing isn't supposed to be fast--the goal is to iterate through as many variants as possible. But an appliance can be tuned and tweaked, or in the case of the BreakingPoint Systems offerings, include custom hardware to speed up the process.

Of course, each product takes a slightly different approach to security analysis. Most include static vulnerability databases in addition to fuzzing, but vendors place different emphasis on each stage. The Mu-4000 is clearly more focused on the intelligent fuzzing aspect than static analysis. In fact, the base model doesn't even include static vulnerabilities, which are available as a $15,000-per-year add-on. The database (nearly 1,000 checks) is updated about every two weeks. A new feature in Mu's latest release is an attack time chart. Attacks that don't necessarily crash or hang a system but still exhibit some impact on performance might be worth investigating more closely. Being able to graph response times may also help detect memory leaks.

While the Mu-4000 didn't uncover any immediate problems in the network-attached storage system we tested in our lab, that might be because the storage vendor had done some fuzzing of its own before shipping the product. It's hard to fault a fuzzer for not finding problems where there may not be any, so we'll keep the Mu around for a bit to test future products that come through the lab. Watch for updates.