Do WAFs dream of static analyzers?

For a traditional WAF the protected application is a black box: HTTP requests on the way in, HTTP responses on the way out, and that is all it has for detecting attacks. This information is obviously insufficient for a formal proof of the detection results, so the WAF settles for heuristic methods. Even intercepting every interaction of the application with its environment (file system, sockets, database, and so on) would only improve the quality of the heuristics; it would not help at all in moving to formal methods. But what if we built a WAF that treated the protected application as a white box? What if it worked with a model of the application obtained by static analysis of its code? What if it became possible to decide whether a given HTTP request is an attack by executing fragments of the application's own code?

Published in: Technology

Slide 1. Do WAFs dream of static analyzers?
Vladimir Kochetkov (vkochetkov@ptsecurity.com), Head of Application Security Analysis Research Department
ptsecurity.com

Slide 2. None of the things discussed here is yet an official product or production development project of Positive Technologies.

Slide 3. Credits
• Vladimir Kochetkov
• Igor Yakovlev
• Dmitriy Nagibin
• Arseniy Reutov
• Denis Kolegov

Slide 4. Challenge: improve virtual patching

Slide 5. How virtual patching works
• Based on the formula obtained from the formal model of the code being analyzed, the SAST generates a vulnerability descriptor:
  ─ vulnerability class;
  ─ vulnerable entry point to the application (URL or URL fragment);
  ─ values of additional HTTP request parameters necessary for the attack;
  ─ set of characters, words or tokens in the vector necessary to exploit the vulnerability.
• WAF creates a blocking rule based on the vulnerability descriptor provided by SAST.

Slide 6. Virtual patching: convenient code (1/2)

```csharp
var condition = Request.Params["condition"];
var param = Request.Params["param"];

if (condition == null || param == null)
{
    Response.Write("Wrong parameters!");
    return;
}

string response;
if (condition == "secret")
{
    response = "Parameter value is `" + param + "`";
}
else
{
    response = "Secret not found!";
}

Response.Write("<b>" + response + "</b>");
```

Slide 7. Virtual patching: convenient code (2/2)
The same listing as on slide 6, annotated with the formula and the descriptor that SAST derives from it.

Vulnerability formula:
  Entry point = MainPage.Load
  Attack vector = condition = "secret" ⇒ param ∈ {xss-vectors-text}

Vulnerability descriptor:
  URL: //Default.aspx
  Conditional request parameter values: condition = "secret"
  Vulnerable request parameters: param
  Attack type: Cross-Site Scripting
  Injection tokens: ('<', tagName, '>')

Slide 8. Virtual patching drawbacks
→ One vector only. To prove the existence of a vulnerability, SAST needs to find only one possible attack vector targeting the vulnerability. But to patch it effectively, all possible vectors need to be described to the WAF.
→ …also for all extra parameters. The same applies to the values of all additional request parameters that are necessary for exploiting a vulnerability.
→ Information about the injection token is often useless because of intermediate transformations of the attack vector.

Slide 9. Virtual patching: inconvenient code (1/2)

```csharp
var condition = Request.Params["condition"];
var param = Request.Params["param"];

if (condition == null || param == null)
{
    Response.Write("Wrong parameters!"); return;
}

string response;
if (CustomDecode(condition).Contains("secret"))
{
    // CustomDecode -- arbitrary transforming
    // function (e.g., base64 -> url -> base64)
    response = "Parameter value is `" +
        CustomDecode(param) + "`";
}
else
{
    response = "Secret not found!";
}

Response.Write("<b>" + response + "</b>");
```

Slide 10. Virtual patching: inconvenient code (2/2)
The same listing as on slide 9, annotated with the formula and the descriptor.

Vulnerability formula:
  Entry point = MainPage.Load
  Vector = CustomDecode(condition) ⊃ "secret" ⇒ param ∈ CustomDecode({xss-vectors-text})

Vulnerability descriptor:
  URL: //Default.aspx
  Conditional request parameter values: condition: ?
  Vulnerable request parameters: param
  Attack type: Cross-Site Scripting
  Injection tokens: '?'

Slide 11. Inconvenient code: summary
Classical virtual patching looks at an individual tree, but does not have the means to describe the entire forest of vulnerabilities that are detected by SAST.

Slide 12. A tricky plan
• SAST should give the WAF complete information on all transformations applied to the vector and conditional parameters.
• WAF should compute their values at the vulnerable point based on the values of HTTP request parameters.
• Formal, not heuristic, methods should be used for detecting attacks.

Slide 13. IAM: Inspected Application Module

Slide 14. IAM concepts: unification of the format of SAST formulas
To describe the formulas, a domain-specific language (DSL) based on S-expressions is used:

```
+ ("Parameter value is `") (FromBase64Str (UrlDecodeStr (FromBase64Str (GetParameterData ("param")))))
```

Slide 15. IAM concepts: formulas DSL
Contains the following expression types:
• [Bool/Int/String/…]Literal – literals;
• [Nullary/Unary/Binary/Ternary/…]Operation – operations with different numbers of arguments (function and method calls, operators, etc.);
• Unknown – expressions of an unknown type.

Slide 16. IAM concepts: formulas evaluators
The DSL code is compiled into a binary module that runs on the WAF and allows computing the formulas from the report.

Slide 17. IAM concepts: Boolean unknown expressions
• For all unknown Boolean expressions, the SAT problem is solved at runtime.
• The SAT problem is solved "naturally" (from O(n) to O(2^n)).
• If the conjunction of all unknown Boolean expressions is decidable, then the reachability formula is feasible.

Slide 18. IAM concepts: incremental evaluation
To evaluate the values of the arguments of a dangerous function, an algorithm is used that combines concrete computation with abstract interpretation in the semantics of taint analysis:

```
GetParameterData (param)
  → "UEhOamNtbHdkRDVoYkdWeWRDZ3hLVHd2YzJOeWFYQjBQZyUzRCUzRA=="
FromBase64Str (GetParameterData (param))
  → "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D"
UrlDecodeStr (FromBase64Str (GetParameterData (param)))
  → "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="
FromBase64Str (UrlDecodeStr (FromBase64Str (GetParameterData (param))))
  → "<script>alert(1)</script>"
+ (Parameter value is `) (FromBase64Str (UrlDecodeStr (FromBase64Str (GetParameterData (param)))))
  → "Parameter value is `<script>alert(1)</script>"
+ (+ (Parameter value is `) (FromBase64Str (UrlDecodeStr (FromBase64Str (GetParameterData (param)))))) (`)
  → "Parameter value is `<script>alert(1)</script>`"
```

Slide 19. IAM concepts: marked tokenization (1/2)
An algorithm similar to the libinjection / libdetection approaches is used to detect an injection.
  Parameter value is `<script>alert(1)</script>`

Slide 20. IAM concepts: marked tokenization (2/2)
An algorithm similar to the libinjection / libdetection approaches is used to detect an injection.
  Parameter value is ` < script > alert ( 1 ) </ script > `
Ten tokens instead of a single one inside the taint boundaries ⇒ injection attack.
Slide 21. IAM workflow
(Diagram.) Components: web client; web application firewall with the WAF front-end, the IAM compiled binary module and its configuration; SAST, which builds the CompFG (computation flow model) from the source code; the deployed application. Numbered edges of the diagram: (1) HTTP request, (2) HTTP response context, (3) HTTP response context, (4) HTTP request, (5) HTTP response, (6) HTTP response.

Slide 22. IAM DEMO

Slide 23. Thank You! ptsecurity.com

Slide 24. IAM advantages
+ Traditional VP drawbacks are resolved. Due to the formal approach and the ability to account for intermediate transformations of inputs, all the described drawbacks of traditional virtual patching are resolved.
+ Minimum false positives. The formal approach minimizes the risk of false-positive detections.
+ No effect on web application functionality, since protection is not merely made to fit the application per se, but is actually based on its logic.
Therefore, IAM is already better than classical virtual patching. But…

Slide 25. IAM peculiarities
– Values cannot be computed for formulas that contain external data from data sources not hosted on the WAF.
– Formula quality depends directly on the quality of the approximation of certain classes of code fragments during analysis.
– Describing the semantics of transformation functions for the IAM knowledge base requires a certain amount of semi-manual work.

Slide 26. More tricky plan
What if IAM can get non-computable values directly from the application itself?

Slide 27. A-RASP: Advanced Runtime Application Self-Protection

Slide 28. Really scary code (1/2)

```csharp
01 var encryptedParm = Request.Params["encrypted_parm"];
02 var plainTextParm = Request.Params["plaintext_parm"];
03
04 if (string.IsNullOrEmpty(encryptedParm) ||
05     string.IsNullOrEmpty(plainTextParm) ||
06     !CurrentSession.ContainsVariable("key"))
07 {
08     return;
09 }
10
11 var keyBytes = Encoding.UTF8.GetBytes(CurrentSession.GetVariableValue("key"));
12 var encryptedParmBytes = Convert.FromBase64String(encryptedParm);
13 var decryptedParmBytes = EtM_CBC.Decrypt(keyBytes, new ArraySegment<byte>(encryptedParmBytes));
14 var decryptedParm = Encoding.UTF8.GetString(decryptedParmBytes);
15 var decodedPlainTextParm = Encoding.UTF8.GetString(Convert.FromBase64String(plainTextParm));
16
17 if (decryptedParm == "Valid value")
18 {
19     Response.Write($"Decrypted value of encrypted_parm: {decryptedParm}<br>");
20     Response.Write($"Value of plaintext_parm: {decodedPlainTextParm}");
21 }
```

Slide 29. Really scary code (2/2)
The same listing as on slide 28 (annotated on the slide).

Slide 30. A-RASP concepts: expression coordinates
In the report exported from SAST, each expression in a formula is supplemented by its coordinates in the code (or binary):

```
+ ("Parameter value is `") (Default.aspx.cs:36:7:FromBase64Str (Default.aspx.cs:35:13:UrlDecodeStr (Default.aspx.cs:32:11:FromBase64Str (Default.aspx.cs:31:10:GetParameterData ("param")))))
```

Slide 31. A-RASP concepts: instrumentation module
The SAST report is used to generate not only an IAM formulas evaluation module, but also an A-RASP instrumentation module that runs on the application side and embeds data sensors and breakpoints into its code. The slide shows the lines of the listing on slide 28 where they are embedded:

```csharp
11 var keyBytes = Encoding.UTF8.GetBytes(CurrentSession.GetVariableValue("key"));
..
13 var decryptedParmBytes = EtM_CBC.Decrypt(keyBytes, new ArraySegment<byte>(encryptedParmBytes));
..
17 if (decryptedParm == "Valid value")
18 {
19     Response.Write($"Decrypted value of encrypted_parm: {decryptedParm}<br>");
20     Response.Write($"Value of plaintext_parm: {decodedPlainTextParm}");
21 }
```

Slides 32 to 34. What does instrumented code look like? (1/3), (2/3), (3/3)
(Screenshots of instrumented code; no text captured.)

Slide 35. A-RASP concepts: lazy detection
• In the case of unknown expressions, IAM does not take control when processing an HTTP request, instead allowing the application to process the request up until the breakpoint that precedes the dangerous function call.
• When the breakpoint is reached, processing of the HTTP request is handed over to IAM, and formulas with unknown expressions are computed against values taken from the data sensors.
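The IAM evaluation chain of slides 14, 18 and 20 and the lazy detection of slides 30 and 35, as an added Python example (not code from the talk, nor from Positive Technologies' IAM or A-RASP): it parses the S-expression formula DSL, evaluates the transformation chain while carrying taint marks, runs marked tokenization over the value that reaches the sink, and, for an operation the evaluator does not know, takes the value reported by the data sensor at that expression's coordinates or otherwise hands the request back to the application. The lexer's token set, the `sensors` mapping from coordinates to observed values and the `verdict` names are assumptions of this example.

```python
import base64
import re
from urllib.parse import unquote
# DSL of the slides: Op (arg) (arg) ..., quoted literals; A-RASP reports prefix each Op with file:line:col: coordinates.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|[^\s()"]+')
LEX_RE = re.compile(r"</|[<>()`]|[^<>()`]+")  # lexer for the sink value: markup characters split tokens
# Slide 18's formula and its walked-through parameter (base64 of url-encoded base64 of the XSS vector).
FORMULA = '+ (+ ("Parameter value is `") (FromBase64Str (UrlDecodeStr (FromBase64Str (GetParameterData ("param")))))) ("`")'
SAMPLE = {"param": "UEhOamNtbHdkRDVoYkdWeWRDZ3hLVHd2YzJOeWFYQjBQZyUzRCUzRA=="}

def parse(src):  # returns a str for a literal, or (coords, op, args) for an operation
    toks, pos = TOKEN_RE.findall(src), 0
    def expr():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok.startswith('"'):
            return tok[1:-1]
        coords, _, op = tok.rpartition(":")  # coords is "" in a plain IAM formula
        args = []
        while pos < len(toks) and toks[pos] == "(":
            pos += 1
            args.append(expr())
            pos += 1  # skip the closing ')'
        return (coords, op, args)
    return expr()

class NeedsBreakpoint(Exception): pass  # an unknown expression has no sensor value yet
def text(segs): return "".join(t for t, _ in segs)

def evaluate(node, request, sensors=None):
    """Concrete evaluation carrying taint: a value is a list of (text, tainted) segments."""
    if isinstance(node, str):
        return [(node, False)]
    coords, op, args = node
    vals = [evaluate(a, request, sensors) for a in args]
    if op == "+":
        return vals[0] + vals[1]
    src, tainted = text(vals[0]), any(t for _, t in vals[0])
    if op == "GetParameterData":
        return [(request[src], True)]  # HTTP request data is the taint source
    if op == "FromBase64Str":
        return [(base64.b64decode(src).decode("utf-8"), tainted)]
    if op == "UrlDecodeStr":
        return [(unquote(src), tainted)]
    # Any other operation is unknown to the WAF; A-RASP takes its value from the sensor at its coordinates.
    if not sensors or coords not in sensors:
        raise NeedsBreakpoint(coords or op)
    return [(sensors[coords], tainted)]

def tainted_token_count(segs):  # marked tokenization: tokens that start inside taint boundaries
    mask = [tainted for seg, tainted in segs for _ in seg]
    return sum(1 for m in LEX_RE.finditer(text(segs)) if mask[m.start()])

def verdict(formula, request, sensors=None):
    """'allow': request data stayed one token; 'block': it became several (injection); 'breakpoint': a value is missing."""
    try:
        return "block" if tainted_token_count(evaluate(parse(formula), request, sensors)) > 1 else "allow"
    except NeedsBreakpoint:
        return "breakpoint"  # lazy detection: let the application run to the breakpoint, then re-evaluate
```

For an A-RASP formula whose operations carry coordinates, for instance `Default.aspx.cs:13:26:Decrypt (GetParameterData ("encrypted_parm"))` with constructed coordinates and operation name, `verdict()` returns "breakpoint" until a `sensors` mapping supplies the value observed at those coordinates, after which the same tokenization decides between "allow" and "block".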
Slide 36. A-RASP workflow
(Diagram.) Components: web client; web application firewall with the WAF front-end, the IAM module and its configuration; SAST, which builds the CompFG (computation flow model) from the source code; the deployed application with the A-RASP module. Numbered edges of the diagram: (1) HTTP request, (2) HTTP response context, (3) Intermediate context, (4) HTTP request, (5) HTTP response, (6) Sensors and breakpoints data, (7) Unknown expressions values, (8) HTTP response context, (9) HTTP response.

Slide 37. A-RASP DEMO

Slide 38. Thank You! ptsecurity.com

Slide 39. A-RASP advantages in comparison to classical RASP
+ CompFG is used as the main model. Nuff said.
+ Negligible performance penalty. Natural processing of a request by application fragments is used to compute particular expressions of the formulas.
+ Minimal hit to application stability. Instrumentation is used only for those execution points that are truly needed for computing formulas.
+ Precise (close to 100%) detection of injection attacks, thanks to the use of CompFG model elements and formal methods for operating on these elements.

Slide 40. Closing the circle: U-RASP, Ultimate Runtime Application Self-Protection

Slide 41. Our own SAST with CompFG and formulas
• To derive vulnerability formulas sufficient for A-RASP, a much simpler analyzer is required.
• U-RASP is A-RASP supplied with its own specific static analyzer instead of a full-featured SAST tool:
  ─ works at the same level as the instrumentation;
  ─ does not take reachability formulas into account;
  ─ computes value formulas in ~O(n);
  ─ collects all potentially dangerous execution points.

Slide 42. Approaches comparison: performance degradation

| Approach | Harmless paths | Dangerous paths | Attack paths |
|----------|----------------|-----------------|--------------|
| IAM      | +0%            | +10%            | +7%          |
| A-RASP   | +0%            | +10 to 15%      | +12 to 17%   |
| U-RASP   | +0%            | +15%            | +17%         |

Slide 43. Approaches comparison: functionality

| Approach | Unknown expressions | External data sources | Depends on SAST | Vulnerabilities coverage* |
|----------|---------------------|-----------------------|-----------------|---------------------------|
| VP       | No                  | No                    | Yes             | 40%                       |
| IAM      | Boolean only        | No                    | Yes             | 70%                       |
| A-RASP   | Yes                 | Yes                   | Yes             | 85%                       |
| U-RASP   | Yes                 | Yes                   | No              | 99%                       |

* In non-trivial and hard cases only: with many conditions, intermediate transformations, etc.

Slide 44. Thank You! ptsecurity.com
