There's vulnerability assessment and penetrationtesting, but what about vulnerability analysis? Before you tell me thatI'm just playing with words, stop for a sec and consider: it's onething to assess what vulnerabilities may be in a system. It's quiteanother to analyze and understand them. Sometimes assessing is enough.All you really want to know is if the vulnerabilities are there.Certainly, you may want to attempt to exploit the vulnerabilities andsee if they can lead to penetration. That's today's standard practice.
However,suppose you want to perform a full analysis of how your system willrespond to various types of anomalous input. That’s a nice way to say"attacks" but, really, it is quite a bit more. A bit over a year ago,researchers at a Finnish university discovered a fundamental flaw inthe ASN.1 formalism. This formalism defines the protocol. If theformalism — and, by extension, the protocol — is flawed, anyimplementation of it will be flawed as well. The researchersdeveloped a set of test cases to analyze the flaw. These test casesconsisted — although the researchers didn’t use the term — of protocolmutations. These mutations, directed against software that implementedthe protocol, cause systems using it to crash. That was a surprisesince the initial hypothesis was that the attacks would allowpenetration. If they had used the new Mu 4000 from Mu Security, theywould have known exactly what to expect. The Mu 4000 is ananalysis tool, perhaps the most robust analysis tool of its type that Iever have seen. This is not your average scanner, nor is it apenetration tool (although to a limited degree it can do both). This isa tool that you can use to perform a full range of vulnerabilityanalyses on everything from a firewall to a piece of security software.In a nutshell, the Mu 4000 performs a wide variety of vulnerabilitytests from simple scans to protocol mutations. The scans useonly vulnerabilities from the past three or so years — sort of likeusing the WildList as an anti-virus benchmark. The protocol mutationsare everything from malformed packets to dangerous payloads and beyond.I usually hate that type of generalization, but this tool deserves it.As soon as you think that you’ve figured out what to do with it, youdiscover a new capability that lets you probe deeper into the systemunder test. This is a true industrial strength tool. It willtell you quickly and positively how your system will behave under awide variety of attacks and security-related failures or errors. If theprotocol mutations provided (and updated periodically) are not enoughfor you, write your own. And, if the system under analysis crashes as aresult of the testing, the Mu will restart it automatically and resumetesting. This is not a tool for the faint-hearted, however. Whileit is not difficult to use, for it to be effective you need tounderstand exactly what you are trying to learn. And, above all, youneed to understand protocols. The heart of the Mu 4000 is itsability to exercise software that is supposed to be implementing aprotocol in just about every way imaginable. The result is that youknow, in advance, how the protocol implementation will respond toalmost any kind of attack. You know because you have presented it withjust about every conceivable type of error, stress or exploit. And, youhave done this at the protocol level. So, if the software is notimplementing the protocol correctly — and, by extension, may be subjectto exploit — you’ll know it. The benefit? Goodbye zero-day exploits. Wemarried up the Mu 4000 with another tool I wrote about a few monthsback — the Amenaza SecureITree — and together they enabled solid,formal testing. With SecureITree we set up an attack tree and thenexecuted it with the Mu. While our test case was simplistic, the powerof this combination was obvious. Here’s the point: when youhave sophisticated, mission critical testing to do on a large scalenetwork, go big or stay home. The old paradigms of running a scannerand calling it a day are gone. When the survival of your organizationdepends on keeping your assets secure, the big guns are the order ofthe day. Mu 4000 certainly fills that bill. — Peter Stephenson Product: Mu 4000 Company: Mu Security, Inc. Price: Pricestarts at $50,000 for a usable configuration with on the order of 10protocols. A full protocol license for 12 months, including allprotocols shipped in those 12 months, is $250,000. There are about 50protocols supported today, plus published vulnerabilities (pricedseparately at $15,000). The base price includes ARP, IPv4, ICMPv4, TCP,UDP, TFTP, as well as the appliance, automated test harness, powerrestarters and 150 GB RAID array. What it does: Industrial strength vulnerability analysis at the protocol level What we liked: This is the most powerfulvulnerabilityanalysis tool I have used. Combined with complementary tools, such asCore Impact, SecureITree and I2’s link analyzer, there is just about nosecurity analysis you cannot perform on a system, device or software.This is a true, complete, automated test bed for security analysis ofprotocol-based systems. What we didn’t like: Therereally was nothing I didn’t like; however, I had to struggle with thehigh price of this product until I realized that in a very largenetwork, one protocol-related flaw that allowed a zero-day exploit tosucceed could cost the organization everything. In that context, theprice is very reasonable. Also, if you do not understand how networkswork at the protocol level, this tool will just frustrate you. Bottomline is the usual: if you want to solve very difficult problems, youfirst must understand the problem in depth. This tool is no exception. We award the Mu 4000 our SC Magazine Lab Approved award, the highest we offer.
