Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher

Transcription

1 Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher

2 Matias Madou Principal Security Researcher, Fortify an HP Company Static Analysis Rules Insider Threat Research Runtime products: RTA and SecurityScope Hybrid 2.0: Correlation Gray-box analysis Contributor to Building Security in Maturity Model (BSIMM) Europe History in code obfuscation (and binary rewriting)

3 Overview Introduction The Test Application: Secure in 2010 What s new in 2011? New vulnerabilities New analysis techniques Continues Testing

4 Introduction History of the experiment: Gather empirical results while developing gray-box analysis. Test Application, criteria: Extensively used Undergone security improvements

5 The Test Application Selection criteria for the project working on: Open source, java or.net Widely used Apache 10.04

6 The Test Application Products and Projects based on Apache OFBiz: OpenTaps

7 The Test Application End Users: Flowers Olympus.de United.com BT.com

8 The Test Application Security? Multiple vulnerabilities found in CVE Other (Exploit Search) and an interesting video on how to become an admin by exploiting a XSS

9 The Test Application

10 The Test Application

11 The Test Application

12 The Test Application Bug Tracking: Security Issues grouped together

13 The Test Application In the end: All known issues are fixed in Apache OFBiz Secure in 2010!

14 So what s new in 2011? 1) New vulnerabilities: Denial-of-service: Parse Double 2) Analysis techniques: Gray box analysis

15 Denial-of-Service: Parse Double Problem description:

16 Denial-of-Service: Parse Double More concrete: Value: API: e-308 Double.parseDouble(value) Infinite loop!

17 Denial-of-Service: Parse Double Feb 01, 2011? No, no. March 04, 2001! Why is this fixed within 1 month after the rediscover?

18 Denial-of-Service: Parse Double Examples: Application: Usage: Apache Tomcat Tomcat uses parsedouble() on the value of the Accept-Language HTTP header when an application calls request.getlocale() Infinite loop!

19 Denial-of-Service: Parse Double What is the problem? Root case is a Java problem, not an application problem! Everybody uses the fixed java version, right? (Version Java 6 Update 24 or later) Everybody runs a patched or latest Tomcat version, right? (Tomcat 7.0.8, , or later)

20 Denial-of-Service: Parse Double Tomcat fix

21 Denial-of-Service: Parse Double Java fix

22 Denial-of-Service: Parse Double Seen in the field: adding the pattern to WAF Problems: 1. Does not protect against persistent 2. Are you sure your patterns cover everything? Pattern often used: e-308 How about: e-307

23 Denial-of-Service: Parse Double Seen in the field: adding the pattern to WAF Problems: 2. Are you sure your patterns cover everything?

24 Denial-of-Service: Parse Double How many issues in Apache OFBiz? Used analysis techniques: Static Analysis (White Box) Penetration Testing (Black Box)

25 Denial-of-Service: Parse Double Static Analysis (White Box)

26 Denial-of-Service: Parse Double Penetration Testing (Black Box): (update_0, update_1, ) (quantity, add_product_id) (quantity) (quantity) (quantity) (quantity) (quantity,add_amount) (update_0) (quantity) (quantity) (quantity) (quantity) ( )

27 Gray Box Analysis

28 Black-Box Testing System-level tests No assumptions about implementation Example: fuzzing Good: concrete results Bad: a losing game

29 White-Box Testing Examine implementation Test components in isolation Example: static analysis Good: thorough Bad: too thorough Bad: no show me exploits

30 Gray-Box Testing System-level tests (like black-box) Examine implementation (like white-box)

31 Hybrid == Gray Box Analysis Right? NO!

32 Hybrid Analysis Dynamic Analysis Application Monitor Static Analysis Correlation Engine Correlated Vulnerability List

33 Internals: Lining Up an Attack with the Code Dynamic sales.xyz.com?n= Monitor Static ID: 234 File: MyCode.cs Line: 27 ID: 234 File: MyCode.cs Line: 27 Source trace: <com.my.xxx>

34 Gray-box analysis: Integrated Analysis Dynamic Analysis Application Real-time link Real-Time Analysis Find More Fix Faster

35 Find More Detect new types of vulnerabilities Privacy violation, Log Forging Find more of all kinds of vulnerabilities Automatic attack surface identification Understand effects of attacks

36 Attack surface identification /login.jsp /pages/account.jsp /pages/balance.jsp /backdoor.jsp File system Configuration-driven Programmatic

37 Attack surface identification Point to a particular start page and scan: Crawl will find some directories

38 Attack surface identification Point to a particular start page and scan Crawl is no longer necessary! The Runtime Component just tells the pen tester the attack surface.

39 Understand effects of attacks /backdoor.jsp sysadmin$./sh Command Injection

40 Fix Faster Provide Actionable Details Stack trace Line of code Group Symptoms with a Common Cause

41 Actionable Details /login.jsp

42 Group Symptoms with a common cause Counting issues seems to be hard! /login.jsp /pages/account.jsp /pages/balance.jsp 1 Cross-Site Scripting Symptom 2 Cross-Site Scripting Symptoms 3 Cross-Site Scripting Symptoms 1 Cross-Site Scripting Cause

43 Fix Faster: Actionable details

44 Fix Faster: Actionable details

45 Fix Faster: Group symptoms

46 Group symptoms: details Detailed information on where to fix the issue

47 For the record: the proof The page Page Source

48 More to come: Automated anti-anti automation

49 Solution Which one are you talking about? Solution to fix the code Solution to keep it protected

50 Solution to fix the code It s still open source, so you can DIY (found in the bug databse)

51 Solution to fix the code Right now and no time: (vulns in these slides) Run the Java 6 Update 24 or later (no DoS: Parse Double issues) In Framework/webslinger/modules/defaults.zip: www/errors/codes/404.vtl Remove ${webslinger.payload.pathinfo} In: Remove the mapkey

52 Solution to keep it protected Continues testing?

53 Solution to keep it protected How about the application in production? Static Analysis Security WAF Design Code Test Integration /Staging Operate Gray-box Analysis Development IT / Operations Penetration Testing

54 Solution to keep it protected Code changes, keep scanning New vulnerabilities are discovered. Update with the latest security information No rocket science, right?

55 Solution to keep it protected Try out new assessment techniques Work the scans. Tune them to work in your environment

56