Presented at AppSec EU 2015 in Amsterdam. http://sched.co/37oK
Presentation recording is available on YouTube: https://www.youtube.com/watch?v=75Xtb0lzyWw
There are many security frameworks for web applications such as Content Security Policy (CSP), the Java Security Manager, and Spring Security. Effective use of these tools can mitigate or even eliminate entire classes of defects, but despite this they don't see widespread, standard use. This presentation discusses why this is, and focuses on one particular obstacle: defining a good security policy is hard. As part of this talk we present a new open-source tool, Policy Instantiation & Enforcement (PIE). PIE is designed as a generic tool which hooks into security managers and generates effective, simple, and verifiable security policies.
2. What I’m Talking About Today
• A look at security policies in applications
– I will mostly be speaking in the context of Java
web applications, though much is general.
• How security managers are used in practice
– Or, more precisely, how they aren’t used.
• A slice of PIE
– A new FOSS tool for building and managing
security policies for Java applications.
Security Policy Management: Easy as PIE
Ian Haken
2
3. What is a Security Policy?
• A security policy defines the “resources”
an application can access
• Access is usually conditioned on context
– Is the user authenticated?
– What role(s) does the user posses?
– What is the origin of the resource access
request?
3
Security Policy Management: Easy as PIE
Ian Haken
4. An Idealized Security Policy
Resource/
Role
Stock Prices
Investment
Demo
My Portfolio
Total Assets
Under Mgmt
No
Authentication
(AuthN)
✓
Guest ✓ ✓
User ✓ ✓ ✓
Admin ✓ ✓
4
Security Policy Management: Easy as PIE
Ian Haken
5. A More Realistic Security Policy
5
Resource/
Role
Stock
Prices
Investment
Demo
My Portfolio
Total Assets
Under Mgmt
No
AuthN
Internal IP ✓
External IP ✓ ✓
Guest
Internal IP ✓ ✓
External IP ✓
User
Internal IP ✓ ✓
External IP ✓ ✓ ✓
Admin
Internal IP ✓ ✓
External IP ✓ ✓
Security Policy Management: Easy as PIE
Ian Haken
6. An Even More Realistic Security
Policy
6
Security Policy Management: Easy as PIE
Ian Haken
Resource/
Role
Stock
Prices
Investment
Demo
My Portfolio
Total Assets
Under Mgmt
Private
Public
Beta
Features
Production
Features
Projections
History
Potential
Clients
Current
Clients
No
AuthN
Internal IP ✓ ✓
External IP ✓ ✓
Guest
Internal IP ✓ ✓ ✓
External IP ✓
User
Internal IP ✓ ✓ ✓ ✓
External IP ✓ ✓ ✓ ✓
Admin
Internal IP ✓ ✓ ✓ ✓ ✓ ✓
External IP ✓ ✓ ✓ ✓ ✓
7. Security Managers
• A Security Manager is a component which
enforces the relevant security policy.
– Database and filesystem access control lists
– Firewall rules
– Android permissions framework
– Content Security Policy (CSP)
– The Java Security Manager
– Spring Security
7
Security Policy Management: Easy as PIE
Ian Haken
8. Content Security Policy
• A defense-in-depth solution which, if well-
implemented in an application, could
eliminate some XSS
• For each page, CSP whitelists origins for
which content can be loaded.
• Since script/CSS/image/etc content is
(usually) static, this means only trusted
content is loaded.
8
Security Policy Management: Easy as PIE
Ian Haken
9. Java Security Manager
• In the JDK since 1.0 (1996)
• Most common use-case is to sandbox
untrusted code, i.e. web applets, Google
App Engine, and dynamic analyzers.
• Enforces a security policy when accessing
system resources, e.g. filesystem, network
sockets, process invocation, thread
creation, reflection, class loader, etc.
9
Security Policy Management: Easy as PIE
Ian Haken
10. Spring Security
• Framework for managing user
authentication and authorization controls
• Highly flexible and customizable
• Supports lots of other web application
protections: CSRF, session fixation, etc.
• Can use annotations to define method-
level authorization checks
10
Security Policy Management: Easy as PIE
Ian Haken
11. In General
• Security Managers enforce policies and
often add a layer of protection to
applications
• If utilized properly, they can mitigate or
even eliminate entire classes of
vulnerabilities
11
Security Policy Management: Easy as PIE
Ian Haken
12. A Use Case: Struts 2
• Struts 2 has been plagued (at least 12
remote code execution CVEs) by issues
related to OGNL-injection.
• Example: Roller 5.0.0 uses Struts 2.2.1
$> curl -s -X GET -G
http://localhost:8080/roller/roller-ui/login.rol
--data-urlencode
"pageTitle=${(#_memberAccess["allowStaticMethodAccess
"]=true,@java.lang.Runtime@getRuntime().exec(‘calc'),'')
}"
12
Security Policy Management: Easy as PIE
Ian Haken
13. A Use Case: Struts 2
• A first pass for one issue used a regex to
blacklist disallowed characters. It blocked
one attack but remained open to others:1
“The excluded parameter pattern introduced in version 2.3.16.2 to
block access to getClass() method didn't cover other cases…”
• The current codebase uses a regex
whitelist to prevent OGNL-injection
13
1Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html
Security Policy Management: Easy as PIE
Ian Haken
14. A Use Case: Struts 2
• If you’re supporting a legacy Struts 2 app
and can’t upgrade, you need an additional
layer of protection.
• The current version doesn’t have known
exploits, but are we sure there’s no
intersection between the whitelist and
malicious OGNL?
14
Security Policy Management: Easy as PIE
Ian Haken
15. A Use Case: Struts 2
• For both legacy and current Struts 2 apps,
the Java SM with a strong security policy
can mitigate your overall risk:
– Disallows unused OGNL directives
– Disallows class loader manipulation
– Disallows process invocation
– Disallows arbitrary filesystem access
– …
15
Security Policy Management: Easy as PIE
Ian Haken
16. Awesome!
16
• Security managers add a layer of defense
– They can protect legacy code with known
vulnerabilities
– Or current code with unknown vulnerabilities.
• They’re widely available and have been
around for years.
Security Policy Management: Easy as PIE
Ian Haken
17. Awesome!
17
So every web application out there is
using these things, right?
Security Policy Management: Easy as PIE
Ian Haken
18. The State of CSP
• As of April 27, 2015, in the Alexa Top 500
sites, only 2.7% are using CSP.
– And of those, more than 60% include ‘unsafe-
eval’ or ‘unsafe-inline’ for script-src.
• Across the wider web, utilization drops
further. Informal reports suggest less than
0.5% of sites use CSP.
18
Security Policy Management: Easy as PIE
Ian Haken
19. The State of the Java Security
Manager
• As aforementioned, used is several places
as a sandboxing mechanism.
• Prevalence is hard to measure; it’s
bundled with the JDK, and usually has no
fingerprint when used server-side.
• But anecdotally, no production system that
I or anyone I know has seen uses it on top
of trusted applications.
19
Security Policy Management: Easy as PIE
Ian Haken
20. Why Aren’t These Tools Getting
Used?
• Performance Impact?
– 2004 paper by Herzog and Shahmehrir2
showed 5% to 100% time increase per
resource access in Java Security Manager
• However, this difference is marginal given the
overhead of typical web applications, in particular
network request/response time, and the low
density of security manager-relevant operations.
– CSP adds ~0.02ms per resource load in FF.3
20
Security Policy Management: Easy as PIE
Ian Haken
21. Why Aren’t These Tools Getting
Used?
• Ease-of-use
– Difficult to write a policy
• What permissions do you need to add?
• What parts of the application need those
permissions?
– Difficult to validate a policy
• Should you really be whitelisting
dxgmaaybvjuttx.cloudfront.net or should it
be *.cloudfront.net?
21
Security Policy Management: Easy as PIE
Ian Haken
22. Why Aren’t These Tools Getting
Used?
• Ease-of-use
– Keeping it up-to-date
• What if a developer changes the data path?
• What if hostnames get changed?
• What if you upgrade a dependency?
22
Security Policy Management: Easy as PIE
Ian Haken
23. Using Security Manager with
Tomcat
Tomcat ships with a security manager policy
which provides sane defaults and isolation
between applications.
23
$> ./startup.sh -security
Security Policy Management: Easy as PIE
Ian Haken
25. Using Security Manager with
Tomcat
25
$> cat catalina.out
[ERROR] ContextLoader - Context initialization failed <org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read
candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-
2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access
denied ("java.lang.RuntimePermission" "accessDeclaredMembers")>org.springframework.beans.factory.BeanDefinitionStoreException: Failed
to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-
2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access
denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
...
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Class.checkMemberAccess(Class.java:2281)
at java.lang.Class.getDeclaredMethods(Class.java:1859)
at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
at
org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
at org.springframework.asm.ClassReader.a(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
at
org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
at
org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
at
org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidate
ComponentProvider.java:213)
... 39 more
Security Policy Management: Easy as PIE
Ian Haken
26. [ERROR] ContextLoader - Context initialization failed <org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read
candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-
2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access
denied ("java.lang.RuntimePermission" "accessDeclaredMembers")>org.springframework.beans.factory.BeanDefinitionStoreException: Failed
to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-
2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access
denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
...
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Class.checkMemberAccess(Class.java:2281)
at java.lang.Class.getDeclaredMethods(Class.java:1859)
at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
at
org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
at org.springframework.asm.ClassReader.a(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
at
org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
at
org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
at
org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidate
ComponentProvider.java:213)
... 39 more
Using Security Manager with
Tomcat
26
$> cat catalina.out
Security Policy Management: Easy as PIE
Ian Haken
"java.lang.RuntimePermission" "accessDeclaredMembers"
org.springframework.core.type.classreading
.AnnotationAttributesReadingVisitor
28. Using Security Manager with
Tomcat
28
$> cat catalina.policy
...
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
Security Policy Management: Easy as PIE
Ian Haken
29. Using Security Manager with
Tomcat
So what “CodeBase” needs the permission?
The class which threw the exception was
org.springframework.core.annotation.AnnotationUtils
In Pebble’s lib directory, there is:
29
spring-core-3.0.3.RELEASE.jar
spring-security-core-3.0.3.RELEASE.jar
spring-web-3.0.3.RELEASE.jar
spring-security-web-3.0.3.RELEASE.jar
spring-context-3.0.3.RELEASE.jar
spring-beans-3.0.3.RELEASE.jar
spring-aop-3.0.3.RELEASE.jar
spring-asm-3.0.3.RELEASE.jar
spring-tx-3.0.3.RELEASE.jar
spring-expression-3.0.3.RELEASE.jar
spring-security-config-3.0.3.RELEASE.jar
spring-security-openid-3.0.3.RELEASE.jar
Security Policy Management: Easy as PIE
Ian Haken
30. Using Security Manager with
Tomcat
After much trial and tribulation you’ll (maybe)
figure out that you need to append the
following to catalina.policy:
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-asm-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-beans-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-context-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-core-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-web-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
30
Security Policy Management: Easy as PIE
Ian Haken
31. Using Security Manager with
Tomcat
31
$> ./shutdown.sh; ./startup.sh -security
Security Policy Management: Easy as PIE
Ian Haken
32. Using Security Manager with
Tomcat
32
Dig Through the
Tomcat Log
Figure Out The
Correct Permissions
to Add
$> ./shutdown.sh
$> ./startup.sh -security
Security Policy Management: Easy as PIE
Ian Haken
33. Using Security Manager with
Tomcat
• To load Pebble’s homepage, you’ll need to
add 84 permissions.
– Distributed across 16 JARs.
• And at this point, you haven’t even gotten
to system-resource intensive actions:
– Adding blog entries, file uploads, creating new
users…
33
Security Policy Management: Easy as PIE
Ian Haken
34. Introducing PIE
• PIE (Policy Instantiation & Enforcement)
aims to be a tool for painlessly building a
security policy for your application.
• It’s FOSS: github.com/coverity/pie
• It’s modular: Java Security Manager and
CSP are two modules currently working
with PIE out-of-the-box.
34
Security Policy Management: Easy as PIE
Ian Haken
35. What is PIE?
• Has a learning mode which observes the
execution of your application in order to
automatically generate a security policy.
• Automatically simplifies/collapses the
policy, making it easy to manually verify.
• A maven plugin integrates PIE into
development and QA, making sure policy
issues show up early in the SDLC
35
Security Policy Management: Easy as PIE
Ian Haken
36. PIE: Policy Generation
36
Container (e.g. Tomcat)
webapp.war PIE
JVM Java Security ManagerJava Security Manager
pie.sm.policy
Security Policy Management: Easy as PIE
Ian Haken
37. PIE: Policy Enforcement
37
Container (e.g. Tomcat)
webapp.war PIE
JVM Java Security ManagerJava Security Manager
pie.sm.policy
Security Policy Management: Easy as PIE
Ian Haken
43. PIE: Policy Verification
• So you’ve built the perfect security
policy…
– It’s not too restrictive
– It’s not too permissive
– It’s already out-of-date
• How can I make sure today’s security
policy doesn’t break tomorrow’s build?
43
Security Policy Management: Easy as PIE
Ian Haken
44. PIE: Policy Verification
• Bake PIE into your QA process!
• You’re already thoroughly testing your
application. (Right?)
• Let’s not only verify that the policy doesn’t
break anything…
• Let’s also automatically update the policy
with any observed violations.
44
Security Policy Management: Easy as PIE
Ian Haken
47. PIE: Policy Verification
• The PIE Maven plugin will…
– Record the start-time of the test-run
– After the test-run is complete, query the
server for any policy violations
– If there were violations:
• Update and simplify the policy
• Fail the Maven build
47
Security Policy Management: Easy as PIE
Ian Haken
48. What Frameworks Does PIE
Support?
• Running Servlet 3.0 (E.g. Tomcat)?
– Just drop the war in your container’s lib
directory, or include PIE as a Maven
dependency.
• Using Dropwizard?
– Add the Maven dependency and one line to
your app’s config. (Details in the docs)
• Other frameworks easily added.
48
Security Policy Management: Easy as PIE
Ian Haken
49. Extensibility
• Out-of-the-box support for
– Java Security Manager
– CSP
• These are written as modules; use them
as a guide to write your own!
– The PIE project includes an example of
integrating with application-specific usage of
Spring Security
49
Security Policy Management: Easy as PIE
Ian Haken
50. A Reprise: Struts 2
Remember our vulnerable version of Roller?
$> cp pieConfig.learning.properties
../lib/pieConfig.properties
$> ./startup.sh; mvn verify -Pselenium; ./shutdown.sh
$> cp pieConfig.enforce.properties
../lib/pieConfig.properties
$> ./startup.sh
$> curl -X GET –G …
$> tail -n 1 ../logs/catalina.out
Observed violation: ("ognl.OgnlInvokePermission"
"invoke.com.opensymphony.xwork2.ognl.SecurityMemberAcc
ess.setAllowStaticMethodAccess")
50
Security Policy Management: Easy as PIE
Ian Haken
51. Conclusions
• Tools exist for securing your web apps, but
generally they aren’t getting used.
– Why not? It’s a discussion we should have.
• Our hypothesis: barrier to entry and
associated risk is too high.
• PIE is an attempt to address these issues.
– Try it, use it, fork it, provide feedback!
51
Security Policy Management: Easy as PIE
Ian Haken