Securing Internet Applications SoBeNet User group meeting 08/10/2004


Page 1: Securing Internet Applications SoBeNet User group meeting 08/10/2004

Securing Internet Applications

SoBeNet User group meeting, 08/10/2004

Page 2

Recent trends in Internet Security

• Key findings for Q1-Q2 2004
  • Increased Threats to e-Commerce
  • Attacks Against Web Application Technologies Are Increasingly Popular
  • Short Time Between Vulnerability and Exploit
  • Rise in Bot Networks
  • Increase in Severe, Easy-to-Exploit Vulnerabilities

End user systems are compromised and used to attack the application/server platforms.

Page 3

Attack life cycle

• Step 1: Reconnaissance scanning
  • Port scans, vulnerability scans
  • Asset discovery scans
• Step 2: Exploiting vulnerabilities
  • Buffer overflows, backdoors
  • Email attachments, active content, …
• Step 3: Installing backdoors, trojans
  • Create new and modify existing files, weaken security settings
• Step 4: Go forth and multiply
  • Mail, web, IRC, FTP, file shares
• Step 5: Distributed attack
  • Delete files, DoS, …

Page 4

Beyond network attacks …

Application level attacks:

• hidden field manipulation
• cookie poisoning
• backdoor and debug options
• stealth commanding
• parameter tampering
• SQL injection
• session hijacking
• buffer overflow
• cross-site scripting
• forceful browsing
• denial of service
• data theft
• forged transactions
• ...

Interception at the network layer doesn't allow enough protection!

Page 5

Rooting out flaws…

• Discovering vulnerabilities before applications reach production status

No absolute security: secure for how long? from whom?

Source: Infosecurity Magazine

Page 6

MULTI LAYER approach to Application Security

• Coarse grain interception techniques
  • Network based interception
  • System based interception

[Figure: "Security Context and Coordination / Defense In Depth". The application tiers GUI, Presentation Logic, Business Logic, Data Access and Data Layer are each fronted by a Deep Packet Inspection interception point.]

Page 7

Network based Interception

• Perimeter Security
  • Packet filter, circuit level gateway, application gateway
  • General trend to incorporate application level security in the perimeter firewalls
  • Concentration of security logic, but performance?
• Connection Security
  • Mutually Authenticated Connection
  • Confidentiality
  • Integrity
  • Symmetric Proxy configuration (client side component)
  • IPSEC Tunnel - SSH Tunnel - SSL Tunnel
  • (Semi) Transparent solution

Generally applicable in production environments.

Page 8

Network based Interception (cont'd)

• Application Security
  • Detection vs. Prevention techniques
• Network Transparent Proxy and Reverse Proxy
  • Separate system intercepting all requests/responses between client and server
  • Isolation of the systems running the application in a secure zone
  • Authentication and coarse grain authorization, SSO
• Implement application level sanitizing and shielding
  • Application specific approach

Page 9

Example 1: Web Application Shielding

[Figure: Regular Users -> Firewall (network level filtering, "HTTP allowed") -> ApplicationShield (application level filtering, "HTTP validation") -> Server.]

• An application firewall filters the traffic that the network firewall must allow

Page 10

Example 1: Web Application Shielding

[Figure: the same diagram, now with a Hacker next to the Regular Users; the ApplicationShield is annotated "zero latency!".]

• An application firewall filters the traffic that the network firewall must allow

Page 11

How does it work?

• The Security Shield blocks all traffic that an application does not expect, using a three-layer validation: sanity check, policy check, content check
  1. Is the request well-formed?
     • e.g. buffer overflow, cookie poisoning
  2. Is the request expected?
     • e.g. forceful browsing, stealth commanding
  3. Is the content expected?
     • e.g. parameter tampering, forged transactions

Page 12

Sanity check

• Translation of URI into canonical form
  • Empty URI
  • Starting /
  • Hex decoding
  • ASCII control characters (e.g. <32)
  • Reserved characters (RFC) -> %xy
  • Remove "." and ".." dirs
• Protocol check
  • E.g. HTTP1.0/HTTP1.1
• Method check
  • E.g. HEAD/POST/GET/…

Page 13

Sanity check (cont'd)

• Path Sanity check
  • URI length
  • Path depth
  • Determination of the file part in a URL: hidden files
    • E.g. /site/dir/malicious_script.asp/pathinfo/goodlooking.html
    • E.g. /site/version2.1/good.html
• Request and Response Header check
  • Application defined headers
  • RFC defined headers
  • Other non-standard headers
  • Protect against fingerprinting.
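The canonicalisation and path checks of pages 12 and 13, as an added example (not code from the slides or from the shield product): the limits, the script extension set and the "hidden file" rule based on it are assumptions; the slide's two example URLs are used as test input.

```python
# Added example (not from the slides): the sanity layer's URI canonicalisation and
# path check. The limits and the script extension set are assumptions.
import re

MAX_URI_LEN, MAX_PATH_DEPTH = 1024, 8            # assumed limits
SCRIPT_EXTS = {".asp", ".php", ".cgi", ".pl"}    # assumed server-executed extensions
RESERVED = set(";/?:@&=+$,")                     # RFC 2396 reserved characters

def _decode(path):
    """Hex-decode %xy, reject control chars, keep decoded reserved chars as %XY."""
    out, i = [], 0
    while i < len(path):
        ch, step = path[i], 1
        if ch == "%":
            m = re.match(r"%([0-9A-Fa-f]{2})", path[i:])
            if not m:
                raise ValueError("malformed hex escape")
            ch, step = chr(int(m.group(1), 16)), 3
        if ord(ch) < 32 or ord(ch) == 127:
            raise ValueError("ASCII control character")
        # an encoded '/' or '?' must not be mistaken for URI structure after decoding
        out.append("%%%02X" % ord(ch) if step == 3 and ch in RESERVED else ch)
        i += step
    return "".join(out)

def canonicalize(uri):
    """Return (canonical path, file part, query) or raise ValueError."""
    if not uri or len(uri) > MAX_URI_LEN:
        raise ValueError("empty or overlong URI")
    path, _, query = uri.partition("?")
    path = _decode(path)
    if not path.startswith("/"):
        raise ValueError("URI must start with /")
    segs = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            segs = segs[:-1]                 # never climbs above the site root
        elif seg not in ("", "."):           # drop empty and "." directories
            segs.append(seg)
    if len(segs) > MAX_PATH_DEPTH:
        raise ValueError("path too deep")
    for seg in segs[:-1]:                    # a script before the last segment is a hidden file
        if seg[seg.rfind("."):].lower() in SCRIPT_EXTS:
            raise ValueError("script hidden behind path info: " + seg)
    return "/" + "/".join(segs), (segs[-1] if segs else ""), query

def sanity_check(uri):
    try:                                     # ('allow', path, file) or ('reject', reason)
        return ("allow",) + canonicalize(uri)[:2]
    except ValueError as e:
        return "reject", str(e)
```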

Page 14

Policy check

• Default Deny Policy
  • If the URI doesn't match a known pattern, reject the request
• Attack patterns
  • Predefined list of well-known attack patterns
• Filtering Patterns
  • File name pattern
  • Directory string and a flag indicating if the pattern is valid for all subdirectories of that directory as well
  • Set of allowed request methods for the pattern
  • Switch indicating if parameters are allowed or not and if there is a maximum length specified
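The policy layer of this page as an added example (not code from the slides or the product): a default-deny matcher built from exactly the filtering-pattern fields listed above, with a predefined attack-pattern list checked first. The attack patterns, the three-entry POLICY and the hypothetical site layout are constructed; the path is assumed to be already canonical.

```python
# Added example (not from the slides): a default-deny policy check built from the
# filtering-pattern fields the slide lists. Attack patterns and the policy are constructed.
import fnmatch
import re
from dataclasses import dataclass

ATTACK_PATTERNS = [re.compile(p, re.I) for p in
                   (r"\.\./", r"/etc/passwd", r"<script", r"cmd\.exe")]   # constructed list

@dataclass(frozen=True)
class FilterPattern:
    directory: str            # directory string, e.g. "/shop"
    subdirs: bool             # flag: pattern also valid for all subdirectories
    file_pattern: str         # file name pattern (glob on the file part)
    methods: frozenset        # set of allowed request methods
    params_allowed: bool      # switch: may the request carry parameters?
    max_param_len: int = 0    # maximum query length, 0 = no limit

POLICY = [                    # constructed site policy
    FilterPattern("/", False, "index.html", frozenset({"GET", "HEAD"}), False),
    FilterPattern("/static", True, "*.gif", frozenset({"GET"}), False),
    FilterPattern("/shop", False, "*.asp", frozenset({"GET", "POST"}), True, 256),
]

def _covers(fp, directory, filename):
    in_dir = directory == fp.directory or (
        fp.subdirs and directory.startswith(fp.directory.rstrip("/") + "/"))
    return in_dir and fnmatch.fnmatchcase(filename, fp.file_pattern)

def policy_check(method, path, query=""):
    """Return (True, matched pattern) or (False, reason). Input is the canonical path."""
    for rx in ATTACK_PATTERNS:              # predefined attack patterns first
        if rx.search(path) or rx.search(query):
            return False, "attack pattern " + rx.pattern
    directory, _, filename = path.rpartition("/")
    directory = directory or "/"
    for fp in POLICY:
        if not _covers(fp, directory, filename):
            continue
        if method not in fp.methods:
            return False, "method %s not allowed for %s" % (method, path)
        if query and not fp.params_allowed:
            return False, "parameters not allowed for " + path
        if fp.max_param_len and len(query) > fp.max_param_len:
            return False, "query string too long"
        return True, fp
    return False, "no matching pattern: default deny"
```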

Page 15

Content check

• Parameter Check
  • Name
  • Maximum length
  • Type: "nocheck", "alpha", "numeric", "alphanumeric", "ip", "enumeration", "pattern", "empty", "novalue"
  • Allowed/required
  • Encoding (multi-part, url-encoding)
  • Maximum occurrences
• Parameter Groups
  • Manageable configuration
  • Contains a list of individual parameter check definitions
  • If the exhaustive switch is set, no other parameters are allowed
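The content layer as an added example (not code from the slides or the product): a parameter-group check implementing the nine types named above plus maximum length, required, maximum occurrences and the exhaustive switch. Only url-encoded queries are handled (multipart is left out), the "ip" type is IPv4 only, and the ORDER_FORM group with its limits is a constructed sample.

```python
# Added example (not from the slides): the content layer's parameter check using the
# slide's type vocabulary. The ORDER_FORM group and all limits are constructed.
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

TYPE_CHECKS = {         # (value, argument, whether '=' was present) -> bool
    "nocheck": lambda v, a, eq: True,
    "alpha": lambda v, a, eq: v.isalpha(),
    "numeric": lambda v, a, eq: v.isdigit(),
    "alphanumeric": lambda v, a, eq: v.isalnum(),
    "ip": lambda v, a, eq: v.count(".") == 3 and all(p.isdigit() and int(p) < 256 for p in v.split(".")),
    "enumeration": lambda v, a, eq: v in a,
    "pattern": lambda v, a, eq: re.fullmatch(a, v) is not None,
    "empty": lambda v, a, eq: eq and v == "",        # "name=" with nothing after it
    "novalue": lambda v, a, eq: not eq,              # bare "name" without any '='
}

@dataclass
class ParamDef:
    name: str
    ptype: str = "nocheck"
    arg: object = None      # enumeration members or regex for "pattern"
    max_len: int = 64
    required: bool = False
    max_occ: int = 1

ORDER_FORM = [              # one parameter group (constructed)
    ParamDef("qty", "numeric", max_len=3, required=True),
    ParamDef("cust", "alphanumeric", max_len=16, required=True),
    ParamDef("debug", "novalue"),
    ParamDef("item", "numeric", max_occ=3),
]

def content_check(query, group, exhaustive=True):
    # Check a url-encoded query against a group: (True, 'ok') or (False, reason)
    defs, seen = {d.name: d for d in group}, {}
    for item in filter(None, query.split("&")):
        name, eq, value = (unquote_plus(s) for s in item.partition("="))
        d = defs.get(name)
        if d is None:
            if exhaustive:               # exhaustive switch: no other parameters allowed
                return False, "unexpected parameter " + name
            continue
        seen[name] = seen.get(name, 0) + 1
        if seen[name] > d.max_occ or len(value) > d.max_len:
            return False, "too many occurrences or too long: " + name
        if not TYPE_CHECKS[d.ptype](value, d.arg, bool(eq)):
            return False, "%s fails type %s" % (name, d.ptype)
    missing = [d.name for d in group if d.required and d.name not in seen]
    return (False, "missing required " + ",".join(missing)) if missing else (True, "ok")
```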

Page 16

Other checks

• Cookie protection
  • Integrity check for detecting cookie poisoning and tampering
  • Confidentiality for cookies in transit or persistent cookies
  Introduces security state in the application session
• Hidden field Protection
  • Mapping of the server's response to the client's next request
  Requires a stateful system
• Request – Response Mapping
  • Validation of response codes
  • Validation that the MIME type of the response corresponds to the original request
  • Pattern matching in response content
• Audit log
  • Secure trace of all traffic for forensic analysis
  • Logs are stored on a secure system
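Cookie integrity and stateful hidden-field protection as an added example (not code from the slides or the product): an HMAC tag sealed onto each outgoing cookie, and session state that records the hidden fields the server sent so the next request can be compared against them. The key, session ids and form values are constructed; cookie encryption for confidentiality is not shown.

```python
# Added example (not from the slides): cookie integrity sealing and stateful hidden-field
# protection as the slide describes them. Key, session ids and form values are constructed.
import base64
import hashlib
import hmac

SHIELD_KEY = b"constructed-demo-key"     # assumption: a real shield uses a managed secret

def seal_cookie(value):
    """Append an HMAC tag so poisoning or tampering is detected when the cookie returns."""
    tag = hmac.new(SHIELD_KEY, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")

def open_cookie(sealed):
    """Return the original value, or None if the tag is missing or does not verify."""
    value, sep, _ = sealed.rpartition(".")
    if not sep:
        return None
    return value if hmac.compare_digest(seal_cookie(value), sealed) else None

class HiddenFieldGuard:
    """Security state in the session: maps each served form (response) to the
    hidden field values the next request for that action must carry."""
    def __init__(self):
        self._served = {}                 # (session, action) -> {field: value}

    def record_response(self, session, action, hidden_fields):
        # called when the shield sees a form with hidden fields in a server response
        self._served[(session, action)] = dict(hidden_fields)

    def check_request(self, session, action, submitted):
        """(True, 'ok') if the submitted hidden fields equal what the server sent."""
        expected = self._served.get((session, action))
        if expected is None:
            return False, "no form served for %s in this session" % action
        for name, value in expected.items():
            if submitted.get(name) != value:
                return False, "hidden field %s was manipulated" % name
        return True, "ok"
```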

Page 17

Problems related to HTTP reverse proxy architecture

• E.g. the HTTP protocol contains references to information of lower level layers
• Relocation stage (reverse mapping):
  • Request header Host:
  • Response header Location:
  • Response header Content-Location:
• Forwarder stage
  • SSL authentication bridging

Page 18

Pros and cons related to HTTP reverse proxy architecture

• Pros
  • Centrally managed, secured and accelerated SSL
  • Ideal place for Web Caching and Content Compression
• Cons
  • Inline point of failure
  • Increased latency

Page 19

System based Interception

• Operating System Level
  • Pluggable services of the OS (e.g. network or file IO)
  • Loadable kernel modules for system call interception have been well known in the research community for more than 5 years
  • Very effective technique for protection against Steps 3, 4 and 5

Recently became generally applicable in production environments. Considerable effort is spent on tools for defining a system baseline for common platforms and on making the technology manageable.

• Library Level
  • Invasiveness scale
    • Not invasive: dynamic linking against other libraries
    • Medium invasive: recompilation, e.g. with a compiler supporting addition of code to dynamically check stack frames
    • Highly invasive: modifying program code to interact with new APIs
  • See, among others, the work of DistriNet in the context of the SoBeNet project

Page 20

System based Interception (cont'd)

• Data Privacy
  • Encrypted file systems
  • Encrypted databases
    • Generic interception technique via views and triggers to transparently add encrypted information in tables
  Key management
• Language Runtime Support
  • E.g. load time modification of binary code
  • Techniques are well known and promising for supporting composition and component frameworks, but not generally applicable for legacy software
  Allows very fine-grained modifications and as such is too intrusive to apply to production applications
• Application Platform Suite
  • J2EE container services and components
  • Microsoft .NET services and components
  Under investigation

Page 21

Example 2: Securing System Endpoints

[Figure: layers Network, Host Operating System and Application. A Network Traffic Interceptor (Network Shield, FW) covers the IP level (SYN flood, malicious IP headers, ICMP requests, …) and the service level (IP ranges in/out, services). A System Call Interceptor (LKM) sits between the application and the disk/system and covers File IO, Process Execution, Memory Access, Registry Access and COM Object Access.]

• A host intrusion prevention system filters all access to the system

Page 22

How does it work?

• Policy based on access rules
• Policy based on heuristic rules
  • Correlation of system call events
  • Cross correlation of events of different systems

[Figure: a rule maps (Resource, Operation, Application) to Allow/Disallow; a set of such rules forms the policy.]

Page 23

Example rules

File Access Control Rule
  Operation:             Read, Write
  Action:                Deny, Allow, Query
  App Class:             $MS_Office
  Files:                 C:\winnt\*.exe

Network Access Control Rule
  Connection Direction:  Client, Server
  Action:                Deny, Allow, Query
  App Class:             $MS_Office
  Network Address:       128.66.2.10-20
  Network Service:       tcp/80
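The rule evaluation of pages 22 and 23 as an added example (not code from the slides or the product): the two rule types above, with the slide's field values, applied to intercepted file and network events. The $MS_Office class membership, the first-match semantics, the "Allow" baseline default and the last-octet range notation are assumptions.

```python
# Added example (not from the slides): evaluating the slide's two rule types against
# intercepted file and network events. App classes, rules and events are constructed.
import fnmatch
import ipaddress
from dataclasses import dataclass

APP_CLASSES = {"$MS_Office": {"winword.exe", "excel.exe"}}   # constructed class membership

@dataclass(frozen=True)
class FileRule:
    app_class: str
    operations: frozenset       # Read, Write
    files: str                  # e.g. C:\winnt\*.exe
    action: str                 # Deny, Allow, Query

@dataclass(frozen=True)
class NetRule:
    app_class: str
    direction: str              # Client, Server
    address: str                # one address, an "a.b.c.x-y" last-octet range, or "*"
    service: str                # e.g. tcp/80, or "*"
    action: str

FILE_RULES = [FileRule("$MS_Office", frozenset({"Write"}), r"C:\winnt\*.exe", "Deny"),
              FileRule("$MS_Office", frozenset({"Read"}), r"C:\winnt\*.exe", "Query")]
NET_RULES = [NetRule("$MS_Office", "Client", "128.66.2.10-20", "tcp/80", "Query"),
             NetRule("$MS_Office", "Server", "*", "*", "Deny")]

def _in_range(ip, spec):
    if spec == "*":
        return True
    first, _, last = spec.partition("-")
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(first.rsplit(".", 1)[0] + "." + last) if last else lo
    return lo <= ipaddress.ip_address(ip) <= hi

def file_decision(process, path, operation, default="Allow"):
    """First matching rule wins; an event no rule covers gets the baseline default."""
    for r in FILE_RULES:
        if (process.lower() in APP_CLASSES.get(r.app_class, ()) and operation in r.operations
                and fnmatch.fnmatch(path.lower(), r.files.lower())):
            return r.action
    return default

def net_decision(process, direction, ip, service, default="Allow"):
    for r in NET_RULES:
        if (process.lower() in APP_CLASSES.get(r.app_class, ()) and direction == r.direction
                and _in_range(ip, r.address) and r.service in ("*", service)):
            return r.action
    return default
```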

Page 24

Predefined system baselines

• Network Applications
• Processes created by Network Apps
• Processes that read downloaded content
• Processes created by servers (TCP and UDP)
• Remote clients
• Microsoft Office Applications
• Web Browser Applications
• Email Applications
• …

Page 25

Current and future work

• Study and evaluation of point solutions
• Additional research on interaction of interceptors
  • For exchanging information not accessible in a particular interception point (e.g. authentication information for an access control module or database access)
  • For attack correlation: reduction of false positives while preserving the security level
• Applying the interception framework to case studies using industry technology (J2EE, .NET)

Page 26

www.ubizen.com