A Guide to Using Fuzzing - IPA, Information-technology Promotion Agency, Japan (Independent Administrative Agency)

Contents

1. 2 3 2 1
2. 2
3. 1 1 IPA http www ipa go jp security ciadr partnership_guide html 2013 2 3 1 3
4. 100 5 2 9 100 100
5. 5 2 3 5 2 1 52 1
6. e ITPA
7. LR 15 4 IPA IPA 2011 8 IPA 5 TPA 5 2 EE 3 3 1
8. 5 1 3 3 5 1 4
9. 3 2 4 IPA
10. IPA 4 Quality Assurance QA 6 1
11. 2 IPA 2011 8 6 3 6 2 6 4 IPA 1 2 2 9 B 0 7 C 0 9 D 3 6
12. 5 2 3 2 5 2 5 NG 5 2 5 OK NG HTTP HTTP
13. 100 100 200 1 2 9 5 2 5
14. IPA 2 1 AA 116 2 000 81 00 1700 29 mm 13 9 000 5 15 3 3 3 3 6 8 8 42
15. URL 2013 2 URL lt CANVAS gt fuzzer 27 EI SE OE Browser Fuzzer 3 BFF CERT Basic Fuzzing Framework cross fuzz cssdie CSS grammar fuzzer DOM Hanoi fuzzball2 27 TN DA CA SI RE AA SN I UE TD TC F CG A SKE A 43 http 7lcamtuf coredump cx canvas http www aldeid com wnikn Bf3 http www cert org download bff http 1camtuf coredump cx cross_fuzz 2011 1 15 http digntaloffense net tools see ess ess dne cssdie html URL HTML http www
16. 12 2 3 2 2 1 3 2 3
17. NR IPA GW2000 2 2012 2 6 6 1 2 1 83 3 7 5 EN 3 3 2 3
18. 2 3 IPA 10Q 1 5 2 8 1 3 2 1 3 8 5 2 8 10
19. 100 1000 956 100 901 1000 10 901 1000 960 5 2 11 1 951 960 956 5 2 11
20. 1 IPA 1 2 70 0 23 7 lt TCP IP ARP
21. 1 5 6 CE 3 1 1 1 2 2
22. 25 2 IPA IPA 5 2 5 5 2 5 5 2 2 IPA
23. IPA 2012 2 1
24. 5 2 2 1 fuzz 2 2 1 1
25. 1 5 2 6 IPA IPA 2 2 IPA
26. 2013 3 URL http Www ipa go D Security vuln fuzzing htm EE ss 1 EE 2 ND Cec 2 2 NR 3 3 1 3 kk 4 oe 6 ddd 6 6 2 3 ki 8 9 ET 2 0 DE 11 2 11 12 8 WT OR A Ri 14 DAI li i 16 2 33 19 MIO ce 19 5 IPA CO I TN SSSI 21 6 uci 38 6 CO LE ON UE 38 6 2 ki 40 A 41 41 TC RN 0 OK I TRSRNRNSNIIiiiIiu 43 oo 46 Microsoft
27. 2 3 IPA WV HS6 3 IPA
28. 6 2 e 10 20 Stuxnet25
29. 27 1 s 2 3 4 IPA IPA 5 i a IPA 6 A 0 0
30. 9 7 6 6 1 EO Microsoft Microsoft SDL Security Development Lifecycle Implementation 12 Verification 13 6 1 1 Establish Security Establish Design Use Approved Dynamic Incident Requirements Requirements Tools Analysis Response Plan Core Security Create Quality Analyze Attack Deprecate Unsafe Fuzz Final Security Execute Incident Training Gates Bug Bars Surface Functions Testing Review Response Plan Security amp Privacy Threat
31. IPA gt WAN LAN LAN MEO O WAN DHCP O 3 3 5 IPA 7 IPA WAN 18 5 5 1
32. 4 2 2 1 2 2 3 2 2 3 Web HTTP HTTP HTTP FF 2 2 92 O 2 2 2
33. 3 11 4 OS 5 2
34. 2 3 3 2 3 3 2012 9 TIPA IPA 3
35. 4 1PA http Www ipa go jp about technicalwatch 20120920 html 2013 2 10 3 IPA 3 1 IPA 3 1 1
36. 2 2 520
37. 5 2 8 HTTP CC COTE 5 2 3 24 IPA 1
38. 5 2 9 1 2 2 2 22 15 2 8 5 2 10 _ a TCP TCP TCP
39. 83 3 13 3 3 IPA 1 8 8 1 IPA 3 3 1 3 3 1
40. p 480 25 3 SDLC 3 3 2 IPA 2 5 IPA
41. 83 3 2 92 2 1 Taof Peach 14 100X 15X G5X K _ 3 3 2
42. 5 2 5 28 1 5 2 8 1
43. 2 2 2 2 2 2 2 2 2 GET HTTP 1 0 URI GET AAAAAAAAAAAAAAAAAAA URI GET s s s s HITP 1 0 HTTP GET HTTP 65537 2 2 2 3 fuzzer
44. 9 Codenomicon Defensics22 323 6 1 2 Concept plan Develop Validate Launch Response es Establish Security s Establsh Design Sjfer libraries s CSDL Security CSDL Compliance epProduct SeCUTity Requirements Requirements Static Analysis Testing Verificatior Inddent Response e Process eihreat Modeiing lImplement Security e Fuzz Testing oe 3 Party Software Vulnerab ty Requirements Requirements es Vulinersbility Mon tad erunctiona e 3rd Party Software festing Requirements Reg stration e Validate Sec urity Requirements 6 1 2 Cisco Secure Development Lifecycle Cisco Systems Cisco Secure Development Lifecycle 18 CERT CC CERT CC Blog A Security Comparison Microsoft Office vs Oracle Openoffice http wwwr cert org blogs certcc 2011 04 office_shootout_microsoft_o html 2013 2 19 Microsoft IDownload SDL MiniFuzz Hile Fuzzer http Www microsoft com en us download details aspx21d 21769 2013 2 20 Microsoft Download SDL Regex Fuzzer http Www microsoft com en us download details aspx21d 20095 2013 2 21 Oodenomicon IDEFENSICS Codenomicon Defens
45. ee IEC62443 ISASecure26 EDSA Embedded Device ON a IEC62443 ISASecure EDSA ISecurity Integration Test Robustness Test ISASecure EDSA 24 JVN JVN 55714408 Hhttp jvn jp jp VN55714408 2013 2 25 TPA IITPA http www ipa go jp about technicalwatch 20101217 html 2013 2 26 TSA Secure http www isasecure org 2013 2 40 AN
46. TPA 80 tcp TCP HTTP S1 2
47. IPA 3 2 2 IPA 3 2 1 QA 3 2 1 3 2 1 2 1
48. e 29 5 2 4 5 2 4 5 2 4 1
49. 44 http www metasplont com download Metasploit Framework http www metasplont com download Metasploit Framework http digtaloffense net tools hamachi hamachi html URL HTML http hotfuzz sourceftorge net Peach http nsic sourceforge net 2007 1 http wwwr thespanner co uk 2008 06 25 javascrpt protocol fuzzer http code google com p jsfuzzer http peachfuzzer com 2013 2 7 Peach 3 Release Candidate 1 RO1 2 3 8 https www ee oulu fi research ouspg Protos Test Suite http code google com p ref fuzz http www mncrosoft com en us download detanls aspx 1d 21769 http www mncrosoft com en us download detanls aspx21d 20095 http msdn microsoft com ja jp magazine ff646978 aspx 22 XSStag fuzzer http www thespanner co uk 2008706 18
50. 2011 8 2011 11 MV 9 2011 12 2012 2 2 5 2 2 8
51. 1 1 1 1 TCP HTTP TCP 100 HTTP TIPA MO EK HTTP HTTP
52. 3 MA 3 3 Ce SU Microsoft 6 1 3
53. 5 TPA rR A html 2013 2 6 2011 11 1 16 LAN WAN WAN WAN Ping WAN LAN HTTP 1 2 3 3 3 3
54. 3 5 1 1 1 9 5 1 2 19 2
55. CODENOMICON 0 URT http www codenomicon com defensics 2013 2 SPIRENI Communications Spirent Communications http www spirent com Ethernet_Testing Software Studio 2013 2 a 2012 4 Spirent Communications Mu Dynamics Inc Spirent Studio Mu 8000 41 RTIF c x Wurldtech Security Technologies Inc http www wurldtech com product_services discover_analyze achilles test_platform 2013 2 URL http www ixiacom jp products applications breaking point 2013 2 2012 8 NASDAQ XXIA BreakingPointSystems Inc BreakingPoint FireStorm Product Security Testing Suite A URL http www fourteenfortY Jp products raven 2013 2 42 IPA
56. Ao HTTP 5 2 10 2 2 2 9J 1
57. 2 8 2011 8 11 5 2 4 ARP x x DHCP O x x HTTP QO O ICMP O x x IP QO x x TCP O x x TELNET x x x 5 2 4 BNSIOMP
58. E 0 5 F 0 1 LAN WAN 2 2 1 1 2 1PA 4
59. TCP 5 2 6 5 2 7 TCP 5 2 7 27 IPA 5 2 83 5 2 3 OK NG OK NG
60. 2 1 1 2 2 2 2 1 JPBEG 6 NN HTTP CA 21 2 2 1 HTTP HTTP IP TCP CUI
61. OK NG 50 IP MAC 25 ee ARP
62. ya 1 2 A 2 9 B 0 7 C 0 9 D 3 6 E 0 F 1 0 1 LAN WAN 2 3 3 4 2011 12 2012 2 17 LAN WAN 7 3 3 5
63. 2 3 2 3 1 1 OUT 2 3 1 2 2 3 2
64. 9 TPA AA 21 5 2 2 IPA 5 1 8 5 2 2 5 2 2IPA
65. 5 2 2 ICMP Echo Request Ping Reply Reply TCP TCP SYN TCP TCP 26 80 tcp TCP 80 tcp TCP 80 tcp TCP 5 2 6
66. 956 956 901 1000 901 1000 100 10 951 960 10 1 956 5 2 11 1 5 2 12 Oo 5 2 12 94 2 1 1 5 2 13 Oo 5 2 13
67. 20 5 2 IPA 1PA 8 5 1 IPA 5 2 1 IPA 2011 8 2012 2 5 2 1 2011 2012 8 9 10 11 12 1 2 3 1 5 2 1
68. 18 1 3
69. Static Attack Surface Release Risk Assessment Modeling Analysis Review Archive 6 1 1 Microsoft Security Development Lifecycle Microsoft Software Development Security 1Office 2010 15 Microsoft Office OR 1800 9 16 CERT CO17 Microsoft Ofice Oracle OpenOfice Ofce 12 Microsoft http 7msdn microsoft com jap hbrary ms995349 aspx sd12_topic2 3 2018 2 13 Microsoft ISDL Process Verification http Www microsoft com security sdl discover verification aspx 2013 2 14 Microsoft Software Development Security Microsoft Security Development Lifecycle SDL http Www microsoft com se
70. squarefree com css grammar fuzzer 2009 2 12 http digtaloffense net tools domhano1 domhanon html URL HTML http www nologn org man p17action codeView amp codeld 54 2007 6 fuzz beacon fuzz_proberesp Hamachi HotFuzz ISICIP Stack Integrity Checker Javascript protocol fuzzer JSFuzzer PROTOS ref fuzz SDL MiniFuzz File Fuzzer SDL Regex Fuzzer 3 clause BSD license 3 clause BSD license 5MN2S MIT License BSD License MIT License Apache License 2 0 LAN LAN A VA SN OA mm 2 LD DL TI KR 2 NUM Fr NE ML MCAI 9 2
71. xss tag fuzzer 45 2012 3 27 2012 9 20 2013 8 18 1 1 2 p 4 2 p 17 3 3 4 1 3 2 38 A 46 PA H 201 2 3 27 1 2012 9 20 1 2 2013 3
72. curity sdl default aspx 2013 2 15 Microsoft Office O ce Microsoft Office 2010 Engineering Site Home TechNet Blogs http blogs technet com b office2010_jp archive 2011 06 28 fuzz testing in office aspx 2013 2 16 COMPUTERWORLD Microsoft runs fuzzing botnet finds 1 800 Office bugs Computerworld http www computerworld com s article 9174539 Microsoft_runs_fuzzing_botnet_finds_1 800_ Office bugs 2013 2 17CERT CC CERT Coordination Center 38 18 Microsofft 19 200 Ee Cisco SystemnS Cisco Systems CSLD Cisco Secure Development Lifecycle Validate
73. ics http www codenomicon com defensics 2013 2 22 Cisco Systems Release Note vA5 1 x Cisco ACE Application Control Engine Module Cisco Services Modulesl Cisco Systems http 7 www cnsco com en US docs nterfaces_modules services_modules ace vyA5 1 x release note ACE_mod r n A51x html 2013 2 23 Cisco Systems Cisco Secure Development Lifecycle CSDL Cisco Secure Development Lifecycle Cisco Systems http www cisco com web about security cspo csdl index html 2013 2 39 IPA JPCERT IPA 24
