It’s been pretty busy at work so I’ve only been able to finish How to Break Software only last week in one of the nights when we had to do overtime work for our demo project. Anyway, there was this section on media-based and file-based attacks. In previous web projects, we had’t considered these as extensively as we had done in JV. In JV, the client’s machine is the environment so we had to be more conscious of the files and folders s/he uses.
- See if your software can handle a full storage medium. Fill up the hard drive and then force the software to perform file operations (by opening, moving, and saving files).
- See if the software can gracefully deal with a busy file system. Some applications don’t have the proper timeout/waiting mechanisms, so they can fail when the file system is busy serving a request from another application. Force the software to perform file operations in conjunction with background applications that are also performing file operations.
- Try forcing the software through file operations with a damage medium. Applications with weak fault handling code will often fail in this scenario.
- Try assigning invalid file names to the application’s data files, temporary files, and read-only files. Then force the software to use those files.
- Change the access permissions of the application’s data files. User permissions and read-write-execute-delete permissions are often ignored by the developers.
- See if the software can handle corrupt data in a file. Since most data corruption results in a failed cyclical redundancy check, Canned HEAT is the perfect mechanism to inject such a faults. Otherwise, use a hex/text editor to change the contents of a file and then force the software to open the file or read from it.
In addition, some other stuff I consider:
- Try using a removable drive for storing some files. See what happens when the drive has been removed properly or removed in the middle of an operation.
- Try using a remote location when specifying some files to be used as the program’s input. I encountered cases wherein the behavior hadn’t turned out as expected when I specified \machine-named$filename.