
1

The science behind
RASP & IAST
Jitendra Chauhan
Cigital Inc.
Instrumentation & Taint Analysis

2

Agenda
Web Security Evolution
Marketing view of RASP and IAST
Science Behind RASP and IAST
Way Forward
Q/A

3

Evolution
(Diagram: application stack layers Developers, SDK + Libraries, Application, Web Containers, JRE + JVM, OS, Network drawn against a timeline 2001, 2010, 2012, 2015, Beyond; tools placed on it: DAST, SAST, EASPI, WAF, Training; labelled Prevention and Protection)

4

DAST vs. SAST
Vulnerability Coverage
SAST
+ SQL Injection
+ Cross Site Scripting (XSS)
+ OS Commanding
+ HTTP Response Splitting
+ LDAP Injection
+ XPATH Injection
+ Path Traversal
+ Buffer Overflows
+ Format String Issues
+ Null Pointer Dereference
+ Threading Issues
+ Code Quality Issues
+ Insecure Crypto Issues
+ Issues in Non Web application Code
- Higher number of FP
- Run time Code generation
- Dynamic Languages (Ruby + Python)
DAST
+ Runtime Privilege Issues
+ Authentication Issues
+ Session Management Issues
+ Insecure 3rd Party Libraries
+ Business Logic Vulnerabilities
+ Protocol Parser Issues
- Web2.0, JSON, Flash, HTML 5.0
- Integrity and Availability violations
- Long Execution Times

5

WAF vs. DAST
WAF
Positive
Quick Turnaround Time (Virtual Patching)
Drawbacks
Signature based (False Negatives, Bypass)
Manage Rules (Configure -> QA -> Deploy)
False Positives (Business disruption)
No Protection against Business Logic Vulnerabilities

6

Evolution
(Diagram: the same stack layers Developers, SDK + Libraries, Application, Web Containers, JRE + JVM, OS, Network against the timeline 2001, 2010, 2012, 2015, Beyond; tools now include DAST, SAST, EASPI, SAST + DAST, WAF, Training, DAST + WAF, Hybrid, RASP, IAST; labelled Prevention and Protection)

7

RASP
Protection configured inside the application

8

IAST
Place instrumentation inside the app to confirm vulnerabilities

9

Evolution
(Diagram: the same stack layers Developers, SDK + Libraries, Application, Web Containers, JRE + JVM, OS, Network against the timeline 2001, 2010, 2012, 2015, Beyond; tools now include DAST, SAST, EASPI, SAST + DAST, WAF, Training, DAST + WAF, Hybrid, Security JVM Containers, RASP, IAST, Security Coding IDE, Botwall, Intrusion Deception; labelled Prevention and Protection)

10

SQL Injection Example
(Diagram: the attack enters at the Network Layer through Firewall, Hardened OS, Web Server, App Server and a second Firewall, reaches the Application Layer's Custom Code and business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce), and continues to the back ends: Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing)
HTTP request -> SQL query -> DB Table -> HTTP response
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293

11

How RASP Works?
SQL Injection
(Diagram: the same attack path as in the SQL Injection Example, with the RASP agent running inside the application)
HTTP request -> SQL query -> Exception -> HTTP response
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data. The agent taints the value returned by getParameter
3. Application creates the SQL query from the getParameter value
4. Agent intercepts the malicious query at the instrumented executeSQL method in JDBC (Exception: Invalid SQL Query)
5. Agent responds with a SQL exception; the application returns an error to the attacker



12

How IAST Works?
SQL Injection
(Diagram: the same attack path as in the SQL Injection Example, with the IAST agent inside the application; a DAST Engine drives the requests and a Correlation Engine matches the agent's sink records to them)
HTTP request -> SQL query -> DB Table -> HTTP response
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. DAST Engine sends an attack in the form data. The agent taints the value returned by getParameter
3. Application creates the SQL query from the getParameter value
4. Agent stores the malicious query at the instrumented executeSQL method in JDBC
5. DB executes the query containing the attack and sends results back to the application
6. Application decrypts data as normal and sends results to the user
Correlation Engine: Confirmed Vulnerability!!

13

Let us talk about some Science!!!

14

Components of RASP
App Containers (Tomcat/Jboss)
• javax.servlet.ServletOutputStream
• org.apache.catalina.connector.CoyoteWriter
• org.apache.coyote.tomcat5.CoyoteWriter
• javax.servlet.jsp.JspWriter
DB (JDBC / Hibernate)
• org/hibernate/impl/SessionImpl
• com/mysql/.*
• com/ibm/db2/.*
• org/postgresql/.*
Frameworks (Spring /Struts)
• org/springframework/web/HttpRequestHandler
• org/apache/struts/action/Action
• org/apache/struts/actions/DispatchAction
Instrumentation
Dynamic Taint Analysis: Taint Source, Taint Propagation, Taint Sink, Taint Policy
Exploit Analyzer
Configuration

15

Components of IAST
App Containers (Tomcat/Jboss)
• javax.servlet.ServletOutputStream
• org.apache.catalina.connector.CoyoteWriter
• org.apache.coyote.tomcat5.CoyoteWriter
• javax.servlet.jsp.JspWriter
DB (JDBC / Hibernate)
• org/hibernate/impl/SessionImpl
• com/mysql/.*
• com/ibm/db2/.*
• org/postgresql/.*
Frameworks (Spring /Struts)
• org/springframework/web/HttpRequestHandler
• org/apache/struts/action/Action
• org/apache/struts/actions/DispatchAction
Instrumentation
Dynamic Taint Analysis: Taint Source, Taint Propagation, Taint Sink, Taint Policy
Exploit Analyzer
Correlation Engine

16

How Instrumentation Works?
(Diagram: the Web Application's a.class, served by Apache Tomcat, passes through the Transformation Module of the Byte Code Instrumentation Agent and is loaded into the JVM as the rewritten b.class; JVM Runtime Data Areas shown: Method Area, Thread Stacks, Heap, Constant Pool, Set of Class Loaders)

18

How Instrumentation Works?
java -javaagent:/path/to/agent.jar com/example/mains/QueryDBTransactions
Agent.class:
void premain(String agentArgs, Instrumentation inst)
MyTransformer.class:
byte[] transform( . . . , byte[] queryTransBytes)
QueryDBTransaction.class:
void main(String[] args)
1. JVM calls the agent's premain (the class is named in the agent JAR manifest)
2. JVM registers my transformer
3. JVM gives the QueryDBTransaction bytes to MyTransformer
4. MyTransformer performs byte code manipulation
5. QueryDBTransaction is loaded and main runs

19

Byte Code Manipulation
(Class File format)

20

Byte Code Manipulation
Class Parser -> Class Adapter -> Class Generator -> b.class -> Loaded into JVM
Visitor call sequence (shown for two stages in the diagram): Visit, VisitMethod*, VisitEnd
Output: New Classes, New Methods, New Fields
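As an added example (not code from the deck or from Cigital), the agent start-up of the "How Instrumentation Works?" slide and the parser/adapter/generator pipeline of this slide in one class: premain registers a ClassFileTransformer that rewrites only the JDBC/Hibernate classes from the components list, using ASM's ClassReader, ClassVisitor and ClassWriter to inject a hook call at the entry of every execute* method. Assumptions: ASM is on the classpath, the agent JAR's manifest names SinkAgent as Premain-Class (so the class is on the system class path and visible to the rewritten driver classes), and SinkAgent, onSink and SINK_PREFIXES are names chosen here.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.List;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

// Packaged in agent.jar with "Premain-Class: SinkAgent" in its manifest and started
// with: java -javaagent:/path/to/agent.jar com.example.App   (assumed layout)
public final class SinkAgent {
    // Class-name prefixes taken from the deck's "DB (JDBC / Hibernate)" list.
    static final List<String> SINK_PREFIXES = List.of(
        "org/hibernate/impl/SessionImpl", "com/mysql/", "com/ibm/db2/", "org/postgresql/");

    // Step 1: the JVM calls premain before main. Step 2: register the transformer.
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new SinkTransformer());
    }

    // Hook the injected bytecode calls; a real agent checks the query's taint here.
    public static void onSink(String where) {
        System.out.println("[agent] SQL sink entered: " + where);
    }

    static final class SinkTransformer implements ClassFileTransformer {
        // Steps 3-4: every class's bytes pass through here; rewrite only sink classes.
        @Override public byte[] transform(ClassLoader loader, String name, Class<?> redefined,
                                          ProtectionDomain pd, byte[] bytes) {
            if (name == null || SINK_PREFIXES.stream().noneMatch(name::startsWith)) return null; // untouched
            ClassReader parser = new ClassReader(bytes);                                // Class Parser
            ClassWriter generator = new ClassWriter(parser, ClassWriter.COMPUTE_MAXS);  // Class Generator
            ClassVisitor adapter = new ClassVisitor(Opcodes.ASM9, generator) {          // Class Adapter
                @Override public MethodVisitor visitMethod(int acc, String m, String desc,
                                                           String sig, String[] exc) {
                    MethodVisitor mv = super.visitMethod(acc, m, desc, sig, exc);
                    if (!m.startsWith("execute")) return mv;  // executeQuery, executeUpdate, ...
                    return new MethodVisitor(Opcodes.ASM9, mv) {
                        @Override public void visitCode() {    // emitted at method entry
                            super.visitCode();
                            super.visitLdcInsn(name + "." + m);
                            super.visitMethodInsn(Opcodes.INVOKESTATIC, "SinkAgent",
                                "onSink", "(Ljava/lang/String;)V", false);
                        }
                    };
                }
            };
            parser.accept(adapter, 0);          // drives Visit, VisitMethod*, VisitEnd
            return generator.toByteArray();     // the rewritten b.class
        }
    }
}
```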

21

Dynamic Taint Analysis
(Quick & Dirty)
x = Request.getQueryParam("username")
…
y = copyString(x)
…
r = executeSQL(y)

22

Dynamic Taint Analysis
(Quick & Dirty)
x = Request.getQueryParam("username")
…
y = copyString(x)
…
r = executeSQL(y)
Input is tainted

23

Dynamic Taint Analysis
(Quick & Dirty)
x = Request.getQueryParam("username")
…
y = copyString(x)
…
r = executeSQL(y)
Input is tainted
Legend: Tainted / Untainted

24

Taint Propagation
x = Request.getQueryParam("username")
…
y = copyString(x)
…
r = executeSQL(y)
Legend: Tainted / Untainted
Data derived from user input is tainted

25

Taint Sink
x = Request.getQueryParam("username")
…
y = copyString(x)
…
r = executeSQL(y)
Legend: Tainted / Untainted
Policy violation detected

26

Example
Taint Propagation Rules
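An added example (not from the deck) that carries the x / copyString / executeSQL walk-through of the preceding slides through source, propagation rules, sanitizer and sink, with a policy that either blocks (RASP) or records (IAST). It tracks taint on a wrapper type named Tainted; an agent tracks it on java.lang.String itself through instrumentation, and TaintDemo and every method name here are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Taint is carried on a wrapper type here; a real agent stores the label on
// java.lang.String through instrumentation, which this stand-alone version avoids.
public final class TaintDemo {
    /** A value plus its taint label and the source that produced it. */
    static final class Tainted {
        final String value; final boolean tainted; final String origin;
        Tainted(String value, boolean tainted, String origin) {
            this.value = value; this.tainted = tainted; this.origin = origin;
        }
    }
    /** Taint source: everything read from the HTTP request is tainted. */
    static Tainted getQueryParam(String name, String raw) {
        return new Tainted(raw, true, "Request.getQueryParam(\"" + name + "\")");
    }
    /** Propagation rule: a copy of a tainted value is tainted. */
    static Tainted copyString(Tainted in) {
        return new Tainted(new String(in.value), in.tainted, in.origin);
    }
    /** Propagation rule: concatenation is tainted if any operand is. */
    static Tainted concat(Tainted a, Tainted b) {
        boolean t = a.tainted || b.tainted;
        return new Tainted(a.value + b.value, t, a.tainted ? a.origin : b.origin);
    }
    /** Sanitizer recognised by the policy: the only operation that clears taint. */
    static Tainted sqlEscape(Tainted in) {
        return new Tainted(in.value.replace("'", "''"), false, null);
    }
    /** Taint sink with policy: RASP blocks, IAST records the finding and lets the query run. */
    static String executeSQL(Tainted q, boolean raspMode, List<String> findings) {
        if (q.tainted) {
            findings.add("tainted SQL from " + q.origin + ": " + q.value);
            if (raspMode) throw new IllegalStateException("Invalid SQL Query");
        }
        return "rows";   // stand-in for the JDBC call
    }
    public static void main(String[] args) {
        List<String> findings = new ArrayList<>();
        Tainted prefix = new Tainted("SELECT * FROM accounts WHERE acct='", false, null);
        Tainted x = getQueryParam("username", "' OR 1=1--");  // constructed attack input
        Tainted y = copyString(x);                            // still tainted
        executeSQL(concat(prefix, y), false, findings);       // IAST mode: recorded
        System.out.println(findings);
        executeSQL(concat(prefix, sqlEscape(y)), false, findings);  // sanitized: no finding
        executeSQL(concat(prefix, y), true, findings);        // RASP mode: throws
    }
}
```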

27

Challenges in Taint Analysis
Under Tainting: False Negatives
Over Tainting: False Positives
Taint Sanitization: False Positives

28

Challenges
RASP
Performance overhead of Instrumentation and Taint Analysis. Are you ready for it?
Taint Analysis Challenges: False Positives, False Negatives
No protection from logical vulnerabilities
IAST
Time to discover vs. time to fix
Instrumentation of the production code
Has all the limitations of DAST

29

QA
