Rollout: Mu Makes Security Warm And Fuzzy

The Mu-4000 Analyzer helps IT sniff out software vulnerabilities--before the bad guys do.

Jordan Wiens, Contributor

January 9, 2008

4 Min Read



CLAIM:  By combining a built-in set of known vulnerabilities with a fuzzing engine capable of discovering unknown bugs by exploring the boundaries of protocols, the Mu-4000 appliance seeks to ensure that applications and devices are secure and robust.CONTEXT:  While there's no substitute for source-code analysis tools and good application development practices, fuzzing is an increasingly popular way to perform additional validation. And in environments where an existing embedded stack or platform is being used in a product, fuzzing or other black-box testing might be the only security analysis possible. BreakingPoint Systems also offers an appliance, and multiple commercial and open source software-based fuzzers compete as well.CREDIBILITY:  Mu provides an easy-to-use interface for creating complex testing situations quickly. While the cost may be steep, depending on protocol sets purchased, discovering vulnerabilities before deploying an application could be priceless.We put the Mu-4000 Security Analyzer to work, fuzzing a network-attached storage system

A tester that is supposed to crash its targets presents unique challenges. For example, if you crash the software under test and its host machine is toasted, too, you'll need to restart the box. Of course, the idea is that the fuzzer does its work without baby-sitting, so it needs to have the ability to restart the test conditions should it successfully kill something. The Mu-4000 addresses this through two in-line power ports that can automatically reboot downed devices. Alternatively, it can communicate with an SNMP-enabled power distribution unit to restart crashed targets.

Monitoring is important, too. If you're trying to crash a device, you need to know what different failure modes look like. To that end, the Mu-4000 has two serial ports for access to devices and comes with a number of prebuilt monitors to verify device operation.

In-line power control is a key distinguishing characteristic of a fuzzing appliance versus fuzzing software. Unless you have a remotely manageable protocol data unit that the software can use to restart a device under test, investing in an appliance may be worthwhile. While BreakingPoint Systems' BPS-1000 and BPS-10k appliances also support in-line power ports for local reboots, most of Mu's other competitors are software. Open source choices include Sully, GPF, and Spike, though these frameworks aren't nearly as easy to use, nor do they include some of the advanced features of the Mu-4000, including automatic response-time monitoring. On the commercial side, Beyond Security's beStorm and Codenomicon's Defensics software compete.

The other advantage of an appliance in the fuzzing world is speed. Fuzzing isn't supposed to be fast--the goal is to iterate through as many variants as possible. But an appliance can be tuned and tweaked, or in the case of the BreakingPoint Systems offerings, include custom hardware to speed up the process.

Of course, each product takes a slightly different approach to security analysis. Most include static vulnerability databases in addition to fuzzing, but vendors place different emphasis on each stage. The Mu-4000 is clearly more focused on the intelligent fuzzing aspect than static analysis. In fact, the base model doesn't even include static vulnerabilities, which are available as a $15,000-per-year add-on. The database (nearly 1,000 checks) is updated about every two weeks. A new feature in Mu's latest release is an attack time chart. Attacks that don't necessarily crash or hang a system but still exhibit some impact on performance might be worth investigating more closely. Being able to graph response times may also help detect memory leaks.

While the Mu-4000 didn't uncover any immediate problems in the network-attached storage system we tested in our lab, that might be because the storage vendor had done some fuzzing of its own before shipping the product. It's hard to fault a fuzzer for not finding problems where there may not be any, so we'll keep the Mu around for a bit to test future products that come through the lab. Watch for updates.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights