Appliance-Based Fuzzing: Will Spirent Bite?

Thomas Ptacek | April 10th, 2006 | Filed Under: Bitching About Protocols, Industry Punditry

Now this sounds like Dug writing.

I have two reactions to appliance-based protocol fuzzers:

  1. I don’t understand why speed is going to be an important differentiator for these solutions. Say I want to test TLS. I can:

    • buy a Mu-4000, which is fast but may or may not actually fuzz X.509v3, or

    • call up Codenomicon, not pay the appliance premium, and buy something built on PROTOS, which has probably the best ASN.1 test suite available, or

    • wait for someone to publish the 12,000-file testcase suite for TLS handshake negotiation and run it through netcat for free

    Do I want the test suites to complete faster, or do I want them to find more vulnerabilities?

    If I want to test performance while under attack, why wouldn’t I just generate docile background traffic while running the tests?

  2. It’s not terribly hard to figure out the market opportunity here.

    About 1/3 of Spirent’s ‘05 revenue (310MM, of ~900MM) came from performance testing. 2/3 of that revenue went to vendors and service providers. Security testing:

    • skews slightly more into enterprise customers (companies do more security testing than performance testing), and

    • reaches 100 times as many vendors who could “use” it (anybody who opens a socket, vs. anyone who forwards Ethernet frames).

    And, unfortunately, your average enterprise software vendor is probably exactly the demographic who finds $50,000 of value in a plug-and-play appliance, instead of running PROTOS and Metasploit.

    Which is why Spirent cites security testing as their #1 growth driver in their investor summary. I’m waiting to see which of Codenomicon, Mu, or Breakingpoint they pick up for $50MM.

You want to remember that this kind of testing, while clearly valuable for IPS evaluation, is really geared at enterprise software. Things like Mu and BreakingPoint are going to do a good job of finding the next CommuniGate overflow, and, sure, they’ll uncover the occasional TippingPoint bug. But IPS testing is about evasion (being able to slip attacks past an IPS is almost as bad as being able to run code on it), and from what I can tell, the state of the art here is still open-source.

ps: the funny rumor I keep hearing is that BreakingPoint is actually hardware accelerated. Can this be true? Why?!

8 Comments so far

  • Dennis Cox

    April 10th, 2006 10:09 pm

    Yes, we are using hardware acceleration, in fact tons of it. If you want to know why, just drop me a line and I’ll be glad to explain.

  • Jason Meltzer

    April 10th, 2006 11:20 pm

    As a rather unbiased third party, I’d say take Dennis up on the offer… their tech sounds like it is far more than PROTOS+ISIC+blah+blah. Better yet, go see his talk at RECON and ask him there. I hear Montreal is lovely in June.

    Cheers!

  • Thomas Ptacek

    April 11th, 2006 1:16 am

    For what it’s worth: I have no doubt that bpsys will have the bestest protocol testing box in the entire universe.

    I just wonder whether it will be any more effective than the free alternatives.

  • Jared DeMott

    March 21st, 2007 4:30 pm

    For more such discussion see the mailing list:
    fuzzing@whitestar.linuxbox.org

  • Mike

    March 21st, 2007 11:50 pm

    In fact, Spirent did buy a security firm that has been offering combo vulnerability/fuzzing and performance solutions for a few years now. Anyone who wants to chat more, I would be happy to give an overview.

  • Thomas Ptacek

    March 22nd, 2007 12:09 am

    Which of Mu, Bpsys, or Codenomicon do you think you’ll buy?

  • meier

    September 14th, 2007 4:58 am

    Codenomicon has the best protocol-awareness on the market, and it’s very transparent for the user, but very expensive.

  • Thomas Ptacek

    September 14th, 2007 3:36 pm

    That may have been true a couple years ago, but they’re competing against a number of smart companies now.
