While graph databases are primarily known as the backbone of modern social networks, we have found a much more interesting application for them: program analysis. This talk aims to demonstrate that graph databases and the typical program representations developed in compiler construction are a match made in heaven, allowing large code bases to be mined for vulnerabilities using complex bug descriptions encoded in simple, and not so simple, graph database queries.
This talk brings together two well-known but previously unrelated topics: static program analysis and graph databases. After briefly covering the "emerging graph landscape" and why it may be interesting for hackers, we present a graph representation of programs that exposes syntax, control flow, data dependencies and type information, designed specifically with hunting for bugs, backdoors and business logic flaws in mind.
The capabilities of the system are then demonstrated live with Joern, an open source code exploration tool, as we craft queries for RCE exploits, insider attacks and data leak detection.
2. Agenda
• Source Code: Your unit of value
• Common traits of source code (from code to application)
• What is the Code Property Graph and its applicability
• What are backdoors?
• Querying the Code Property Graph using Ocular to hunt for backdoors
6. Code Property Graph – a versatile graph format that unifies syntax, control and semantics in one representation
• Instruction level: syntax, control flow and semantics
• Methods, type information, call graph, data flow and configurations
• High-level information flows
• Violations: vulnerable flows
7. Insider Threats
SOURCE: www.cert.org/archive/pdfCERTInsiderThreatVulnerabilityAssessment.pdf
The cases of insider IT sabotage were among the more technically sophisticated attacks examined in the Insider Threat Study and resulted in substantial harm to people and organizations. Forty-nine cases were studied. 86% of the insiders held technical positions. 90% of them were granted system privileges. In those cases, 81% of the organizations that were attacked experienced a negative financial impact as a result of insider activities. The losses ranged from a low of five hundred dollars to a high of tens of millions of dollars.
8. What can attackers do with backdoors?
• Install a backdoor for future access to the system
• Destroy sensitive data stored in the database, while “riding on” the established connection from the application to the database
• Log sensitive information generated by applications, such as credit card numbers, passwords, encryption keys, and so forth
• Execute OS commands using the user’s identity, or provide a remote command prompt using a reverse shell
9. • Tools for security analysts, appsec teams and developers
• Powerful querying capabilities to identify vulnerable conditions
• Understand application structure and attack surface
• Baseline and compare high-level information flows
10. Buckle up!
Let’s hunt for insider attack patterns in an application using Ocular
https://github.com/conikeec/tarpit
11. Logic Bomb
• Malicious code that executes when specific trigger conditions are met
• A time bomb is a type of logic bomb that uses a date and time as its trigger condition
• When the time bomb or logic bomb is detonated, it may perform a denial of service such as crashing the system, deleting critical data, or degrading system response time
12. Magic Value
• A developer intentionally places a “malicious Easter egg” that is triggered by a magic value entered in a form field or sent to a REST API
• Why?
  • Bypass compliance controls to debug against production data
  • Preparation for an attack by a disgruntled employee or consultant
13. Sensitive Data Leak to File
• Write PII, PHI or cloud credentials to a log file
• Exfiltrate the log file before it is rotated or aggregated by the rsyslog daemon
15. Attack using compiler API
• DevOps bake images with the JDK (not hardened) rather than just the JRE
• This makes the Java compiler API available to compile an attack class
• The attack class is encoded to escape code reviewers’ keen sight
16. Attack using compiler API continued
• DevOps bake images with the JDK (not hardened) rather than just the JRE
• This makes the Java compiler API available to compile an attack class (from an exposed HTTP endpoint)
• The attack class is encoded to bypass the application firewall
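An added example, not the talk's own Ocular scripts and not from ShiftLeft: the backdoor patterns of slides 11, 12, 13 and 15/16 written as queries for Joern, the open source tool named in the abstract, because Ocular's script API is not shown on these slides. It assumes a Java CPG is already loaded in the joern shell with the data-flow engine available; every method-name regex is an assumption about common Java, Servlet and logging APIs and should be tuned to the code base under review.

```scala
// Added example: Code Property Graph queries for the insider backdoor patterns of slides 11-16,
// written against the open source Joern API (not the talk's Ocular scripts). Assumes a Java
// CPG is loaded in the joern shell; the regexes are assumptions about typical Java APIs.
import io.shiftleft.semanticcpg.language._
import io.joern.dataflowengineoss.language._

// Input steerable from outside the application: Servlet request accessors (assumed entry points).
def untrustedInput = cpg.call.name("getParameter|getHeader|getQueryString|getInputStream")

// Effects a backdoor wants to reach: file deletion, OS commands, database writes, process exit.
def destructive = cpg.call.methodFullName(
  ".*(File\\.delete|Files\\.delete|Runtime\\.exec|ProcessBuilder\\.start|executeUpdate|System\\.exit).*")

// Slide 11, logic/time bomb: a destructive call whose controlling condition reads the clock.
// controlledBy walks the CPG's control-dependence edges to the guarding condition.
val clockRead = "currentTimeMillis|nanoTime|now|getTime|getDayOfMonth|getMonthValue"
def timeBombs = destructive.where(_.controlledBy.ast.isCall.name(clockRead))

// Slide 12, magic value: the destructive call is guarded by a string comparison between a
// literal and untrusted input, i.e. the "malicious Easter egg" trigger.
def magicValueTriggers = destructive.where(
  _.controlledBy.ast.isCall.name("equals|equalsIgnoreCase")
    .where(_.argument.isLiteral)
    .where(_.argument.reachableBy(untrustedInput)))

// Slide 13, sensitive data leak to file: secret-looking identifiers that flow into a logger
// or file-writer argument (the log file an insider later exfiltrates).
def sensitive = cpg.identifier.name("(?i).*(password|passwd|secret|ssn|creditcard|accesskey).*")
def fileOrLogSinks = cpg.call.methodFullName(
  ".*(Logger\\.(trace|debug|info|warn|error)|FileWriter\\.write|PrintWriter\\.print|Files\\.write).*").argument
def dataLeaks = fileOrLogSinks.reachableByFlows(sensitive)

// Slides 15/16, compiler API attack: javax.tools or defineClass fed from an HTTP endpoint,
// and class bytes that arrive Base64-encoded (the "encoded attack class").
def compilerApi = cpg.call.methodFullName(".*(javax\\.tools\\.|ClassLoader\\.defineClass).*")
def compilerFedByHttp = compilerApi.argument.reachableByFlows(untrustedInput)
def decodedClassBytes = cpg.call.methodFullName(".*ClassLoader\\.defineClass.*").argument
  .reachableByFlows(cpg.call.methodFullName(".*Base64.*decode.*"))

// Report: method and line of each guarded sink; data-flow results print their full path with .p
timeBombs.map(c => s"${c.method.fullName}:${c.lineNumber.getOrElse(-1)}").l
magicValueTriggers.map(c => s"${c.method.fullName}:${c.lineNumber.getOrElse(-1)}").l
dataLeaks.p
compilerFedByHttp.p
decodedClassBytes.p
```

Each `def` builds a fresh traversal, so the sources and sinks can be reused across queries; wrap the whole file as a joern script to run it unattended in CI, as slide 18 describes for Ocular.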
18. Ocular Workflow
• Enable development and security teams to create #AppSec requirements via scripts using Ocular
• Enforce execution of Ocular scripts in CI/CD to conduct checks for every release
• Create your own scripts or use ShiftLeft’s packages:
  • SCA (Software Composition Analysis)
  • Business logic flaws
  • Sensitive data leaks
  • Insider attack patterns
19. Try Ocular on Your Code
14-Day Ocular Free Trial
• Download here: https://go.shiftleft.io/ocular-free-trial
• Java only
• Trial version does not include security profile queries, policies or frameworks
Ocular Proof of Concept
• Email sales@shiftleft.io
• Java or C/C++
• Full featured product version
• Support & training
• Custom timeframe