Codenomicon

Codenomicon
Codenomicon
Type Privately held company
Founded 2001
Headquarters Oulu, Finland
Area served worldwide
Products Robustness Testing Tools, Situation Awareness Tools
Services Security Testing Services, Network Analysis Services
Owner(s) Private (profitable since 2008)
Employees 70
Website codenomicon.com
Codenomicon
Codenomicon-logo-and-type2.png
Operating system Cross-platform
Type Computer security, Fuzzing, Robustness testing, Network Analysis
Website codenomicon.com

Codenomicon is a private company founded in late 2001, and develops robustness testing tools (also called fuzzing tools) for manufacturers, service providers, government/defense and enterprise customers. The company has raised Venture money mid 2000's and and has been profitable since 2008, with more than 40% growth in sales each year.[1] In 2011, the company acquired Clarified Networks, a situation awareness company.[2]

Codenomicon is based in Oulu, Finland (Europe), and has offices in Saratoga, California (US), Hong Kong (Asia/Pacific) and Singapore (Asia/Pacific).[3]

Codenomicon is also known for having t-shirts that say "GO HACK YOURSELF", which they usually have at their booth during security conferences. This comes from the goal of Codenomicon to enable testers and system administrators to find their own zero-day vulnerabilities, instead of depending on external security consultants, and special hacker skills.

Contents

Products

The product line of Codenomicon consists of a suite of 200+ independent network protocol testing solutions called DEFENSICS. Each protocol fuzzer can be licensed separately, or as a suite of protocols related to a specific technology such as IPTV, VoIP, Routing, Bluetooth, and several other communication domains.[4]

These tools have roots in the research done at the University of Oulu in the Secure Programming Group (OUSPG).[5] Whereas since 1999 the PROTOS project produced free software for testing about 10 protocols, Codenomicon has added support for much wider test coverage for about 200+ protocols, and is providing those tools under commercial licensing. PROTOS tools are still widely used.[6] PROTOS and Codenomicon testing approach, called robustness testing, is based around the idea of proactive protocol testing by injecting unexpected anomalies into the protocol message sequences, structures and data types; in essence, fuzzing with some intelligence behind the generated test data.

DEFENSICS includes test suites for 200+ protocols industry standard networks protocols such as SMTP, SNMP, BGP, IPv6, SSH and SIP. In addition there are also test suites for various Bluetooth profiles and Wireless LAN.[7] Codenomicon has also built nearly 100 customer proprietary fuzzers for special interfaces such as device API's and complex banking systems.

Robustness testing

Robustness testing is a model based fuzzing technique and over all Black box testing, an extension of syntax testing, that systematically will explore the input space defined by various communication interfaces or data formats, and will generate intelligent test cases that find crash-level flaws and other failures in software.[8] The technique was first described in a University of Oulu white paper on robustness testing published in 2000, by Kaksonen et al.,[9] and Licentiate Thesis by Kaksonen,[10] published in 2001. Fault injection and specification mutations were other names they used for the same approach.[11]

Codenomicon's Defensics Product line is also known as a "Fuzzer that does not fuzz"[12] - means - it uses smart anomalies instead of random Fuzzing structures. This enables fast test execution, extensive test documentation and better test coverage. Defensics tools address all fields in the protocols with all effective combinations of anomalies. Traditional fuzzing lacks this capability as with random inputs that would take too much time to be effective in fast paced test cycles.

History

Codenomicon and its founders have been developing fuzzing tools since 1996.

The first ideas for the engine were based on ideas the founders had while working at OUSPG, where systematic fuzzing was first used to break ASCII/MIME contents in email clients and web services.[13][14] Later, the same technique was applied to ASN.1 structures in such protocols as SNMP, LDAP and X.509.[15][16]

After Codenomicon was founded in 2001, its DEFENSICS product line has grown to cover over 200 industry-standard network protocols and file formats, including wireless interfaces such as Bluetooth and WLAN. DEFENSICS for XML provides an added capability for testing common XML-based protocols and file formats more efficiently than before.[17]

After founding Codenomicon, also PROTOS Test-Suites disclose they are running on top of Codenomicon engine.[18] The research side span out into PROTOS Genome.[19]

References

  1. ^ "Codenomicon Newsletter 2010/12". Codenomicon.com. http://www.codenomicon.com/news/newsletter/archive/2010-12.html#1. Retrieved 2011-11-03. 
  2. ^ "Acquisition Expands Codenomicon’s Offering of Proactive Defense Solutions. News on EON". Eon.businesswire.com. 2011-05-23. http://eon.businesswire.com/news/eon/20110523005695/en. Retrieved 2011-11-03. 
  3. ^ "Codenomicon history". Codenomicon.com. http://www.codenomicon.com/company/history.shtml. Retrieved 2011-11-03. 
  4. ^ "Codenomicon Test Suite Catalogue". Codenomicon.com. http://www.codenomicon.com/products/test-suites.shtml. Retrieved 2011-11-03. 
  5. ^ "OUSPG". Ee.oulu.fi. http://www.ee.oulu.fi/research/ouspg. Retrieved 2011-11-03. 
  6. ^ "PROTOS". Ee.oulu.fi. http://www.ee.oulu.fi/research/ouspg/protos. Retrieved 2011-11-03. 
  7. ^ "Codenomicon DEFENSICS Test Suites". Codenomicon.com. http://www.codenomicon.com/products/test-suites.shtml. Retrieved 2011-11-03. 
  8. ^ "LWN Security". Lwn.net. http://lwn.net/Articles/228366/. Retrieved 2011-11-03. 
  9. ^ "Kaksonen R., Laakso M., Takanen A. Vulnerability Analysis of Software through Syntax Testing. White paper. OUSPG 2001". Ee.oulu.fi. https://www.ee.oulu.fi/research/ouspg/PROTOS_WP2000-robustness. Retrieved 2011-11-03. 
  10. ^ "Kaksonen, Rauli. A Functional Method for Assessing Protocol Implementation Security (Licentiate thesis). Published in 2001 by Technical Research Centre of Finland, VTT Publications 447. 128 p. + app. 15 p. ISBN 951-38-5873-1 (soft back ed.) ISBN 951-38-5874-X (on-line ed.)." (PDF). http://www.vtt.fi/inf/pdf/publications/2001/P448.pdf. Retrieved 2011-11-03. 
  11. ^ "Kaksonen R., Laakso M., Takanen A.. "Software Security Assessment through Specification Mutations and Fault Injection". In Proceedings of Communications and Multimedia Security Issues of the New Century / IFIP TC6/TC11 Fifth Joint Working Conference on Communications and Multimedia Security (CMS'01) May 21-22, 2001, Darmstadt, Germany; edited by Ralf Steinmetz, Jana Dittmann, Martin Steinebach. ISDN 0-7923-7365-0". Ee.oulu.fi. http://www.ee.oulu.fi/research/ouspg/protos/analysis/CMS2001-spec-centered/. Retrieved 2011-11-03. 
  12. ^ Takanen, Ari (2009-08-11). "The Fuzzer That Does Not Fuzz". Crashatatime.blogspot.com. http://crashatatime.blogspot.com/2009/08/fuzzer-that-does-not-fuzz.html. Retrieved 2011-11-03. 
  13. ^ Mime bugs in Netscape.
  14. ^ "The buzz on the bug - How does the e-mail security bug affect Solaris users? By Stephanie Steenbergen, SunWorld staff". Sunsite.uakom.sk. 1998-08-01. http://sunsite.uakom.sk/sunworldonline/swol-08-1998/swol-08-emailbug.html. Retrieved 2011-11-03. 
  15. ^ "CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP)". Cert.org. http://www.cert.org/advisories/CA-2001-18.html. Retrieved 2011-11-03. 
  16. ^ "Edmund Whelan. SNMP and Potential ASN.1 Vulnerabilities. December 2002. SANS Institute InfoSec Reading Room.". http://www.sans.org/reading_room/whitepapers/protocols/snmp_and_potential_asn_1_vulnerabilities_912. Retrieved 2011-11-03. 
  17. ^ XML Security and Fuzzing. http://www.codenomicon.com/labs/xml/
  18. ^ "Bryan Burns, Jennifer Granick, Steve Manzuik, Dave Killion, Paul Guersch, Nicolas Beauchesne. Security Power Tools. Published by O'Reilly". Books.google.com. http://books.google.com/books?q=%22Created%20with%20Codenomicon%20Mini-Simulation%20Toolkit%22. Retrieved 2011-11-03. 
  19. ^ "Viide J., Helin A., Laakso M., Pietikäinen P., Seppänen M., Halunen K., Puuperä R., Röning J. "Experiences with Model Inference Assisted Fuzzing". In proceedings of the 2nd USENIX Workshop on Offensive Technologies (WOOT '08). San Jose, CA. July 28, 2008". Ee.oulu.fi. http://www.ee.oulu.fi/research/ouspg/protos/sota/woot08-experiences/. Retrieved 2011-11-03. 

External links

Security advisory links

Video links


Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

  • Clarified Networks — Type Privately held company Founded 2006 Headquarters Oulu, Finland Area served worldwide Products …   Wikipedia

  • Fuzzing — Dieser Artikel wurde aufgrund von inhaltlichen Mängeln auf der Qualitätssicherungsseite der Redaktion Informatik eingetragen. Dies geschieht, um die Qualität der Artikel aus dem Themengebiet Informatik auf ein akzeptables Niveau zu bringen. Hilf… …   Deutsch Wikipedia

  • Border Gateway Protocol — BGP redirects here. For the Formula One Team, see Brawn GP. The Border Gateway Protocol (BGP) is the protocol backing the core routing decisions on the Internet. It maintains a table of IP networks or prefixes which designate network reachability …   Wikipedia

  • Mutation testing — For the biological term, see: Gene mutation analysis. Software Testing portal Mutation testing (or Mutation analysis or Program mutation) is a method of software testing, which involves modifying programs source code or byte code in small ways …   Wikipedia

  • Sicherheitstests — werden in der Softwareindustrie eingesetzt, um die Sicherheit eines Computerprogramms zu testen. Sie stellen eine der zahlreichen Möglichkeiten zur Erhöhung der Sicherheit einer Software dar. Sicherheitstests werden in der Entwicklungsphase… …   Deutsch Wikipedia

  • Asd — répertoire des logiciels SIP notables qui utilisent le SIP comme un protocole de voix sur IP (VoIP). Sommaire 1 Serveurs SIP 1.1 Libre et open source 1.2 Licence exclusive 2 …   Wikipédia en Français

  • Zero-day attack — This article is about technical vulnerabilities. For other uses, see Zero day (disambiguation). A zero day (or zero hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are… …   Wikipedia

  • Oulu University Secure Programming Group — The Oulu University Secure Programming Group (OUSPG) is a research group at the University of Oulu that studies, evaluates and develops methods of implementing and testing application and system software in order to prevent, discover and… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”