Using Instrumentation to Optimize Application Security (slide deck transcript)
Source: owasp-stl.org/decks/OWASP_Instrumentation_051718.pdf · 2018-05-18
Page 1
Using Instrumentation to Optimize Application Security
The road to Self-Protecting Software
Girish Nair, CISSP, CSSLP, Solutions Architect
May 2018
Page 2
Current state of Application Security: pain points
1. Delays
2. Inconvenience
3. Unfriendly
4. …
Page 3
An early application exploit
• In 1988, Morris Worm exploited a buffer overflow in Unix to spread from machine to machine.
• 3 decades later… buffer overflows still exist.
• Is the developer responsible for the security breach?
Don’t blame the developer!
Page 4
Possible ways to prevent it?
• One could argue that the technology failed him.
• Why is C/C++ susceptible to buffer overflow attacks?
• Java & .NET developers don’t create this problem. Are they better developers?
The JVM and CLR protect against such exploits.
Page 5
Self-Protecting Application
Ordinary Insecure Application → Agent (adds missing security capabilities at runtime without changing existing code…) → Self-Protecting Application
Page 6
Instrumentation (dictionary sense 4): "The use of measuring instruments to monitor and control a process. It is the art and science of measurement and control of process variables within a production, laboratory, or manufacturing area."
Page 7
Source instrumentation
Inject simple static method call
Page 8
Binary Instrumentation
• Widely used
  • CPU performance
  • Memory
  • Logging
  • Security
  • …
• Lots of libraries
  • ASM (Java)
  • BCEL (Java)
  • Javassist (Java)
  • MBEL (.NET)
  • RAIL (.NET)
  • …
Page 9
Dynamic Binary Instrumentation!
(Diagram) Runtime Environment: the Agent sits between the original binary code (the application's classes) and the instrumented binary code; binary code is enhanced as it loads, and a Command and Control Dashboard drives the agent.
Page 10
Java Instrumentation API
(Diagram: Agent, ClassFileTransformer, ClassLoader, JVM, classes A, B and C)
1. java -javaagent:security.jar
2. premain()
3. addTransformer()
4. Loading original classes …
5. transform()
6. Instrumented classes with Security
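As an added example (not the deck's code) of steps 2 to 6 in this sequence: a minimal Java agent built on Javassist, one of the libraries the deck lists, that weaves a static sensor call in front of every java.sql.Statement.execute*(String) call in the application's own classes. It assumes Javassist on the agent's classpath, a JAR manifest entry Premain-Class: com.example.agent.SecurityAgent, a hypothetical application package prefix com/example/app/, and a separate request sensor (not shown) that fills USER_INPUT with the current request's parameter values.

```java
package com.example.agent;                                   // hypothetical agent package
import java.io.ByteArrayInputStream;
import java.lang.instrument.*;
import java.security.ProtectionDomain;
import java.util.*;
import javassist.*;
import javassist.expr.*;
public class SecurityAgent {
    // Step 2 of the deck's sequence: the JVM runs premain() before the application's main().
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new QuerySensorTransformer());                       // step 3
    }
    // Values that a separate (hypothetical) request sensor tagged "user-input" on this thread.
    static final ThreadLocal<Set<String>> USER_INPUT = ThreadLocal.withInitial(HashSet::new);

    // The woven sensor call: block when the raw SQL still embeds an untrusted value carrying a quote.
    public static void beforeQuery(String sql) {
        for (String v : USER_INPUT.get()) {
            if (v.indexOf('\'') >= 0 && sql.contains(v))
                throw new SecurityException("blocked: unencoded user input reached SQL");
        }
    }
    // Step 5: called for every class as it loads; returning null leaves the class untouched.
    static class QuerySensorTransformer implements ClassFileTransformer {
        public byte[] transform(ClassLoader loader, String name, Class<?> redefined,
                                ProtectionDomain pd, byte[] classfile) {
            // Weave only the application's own packages (hypothetical prefix), never JDK or agent code.
            if (name == null || !name.startsWith("com/example/app/")) return null;
            try {
                CtClass ct = ClassPool.getDefault().makeClass(new ByteArrayInputStream(classfile));
                ct.instrument(new ExprEditor() {
                    public void edit(MethodCall c) throws CannotCompileException {
                        if ("java.sql.Statement".equals(c.getClassName())
                                && c.getMethodName().startsWith("execute")
                                && c.getSignature().startsWith("(Ljava/lang/String;")) {
                            // $1 is the SQL argument; $proceed($$) performs the original call.
                            c.replace("{ com.example.agent.SecurityAgent.beforeQuery($1); $_ = $proceed($$); }");
                        }
                    }
                });
                byte[] woven = ct.toBytecode();                                  // step 6
                ct.detach();
                return woven;
            } catch (Exception e) {
                return null;                                   // on any failure keep the original bytes
            }
        }
    }
}
```

Because the sensor runs inside the application, it sees the assembled query rather than the raw request, which is the "application decision point" the later WAF-versus-RASP slide contrasts with the perimeter.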
Page 11
Sensors are Woven
(Diagram) Your Web Application: Runtime Platform, Application Server, Frameworks, Libraries, Custom Code. A Security Analysis Rules Engine woven across these layers provides visibility and control.
Page 12
Instrumentation in Action
(Diagram) Your application stack: Runtime, App Server, Frameworks, Libraries, Custom Code; the Instrumentation Agent; the Dashboard.
1. Add agent: -javaagent:security.jar
2. Agent instruments running application
3. Agent blocks attacks and finds vulnerabilities
4. Dashboard provides visibility and control (attacks and vulnerabilities)
Page 13
Types of Sensors
Vulnerability Sensors
• Verify Security Configuration
• Verify Library Versions
• Verify Library Vulnerabilities
• Verify Control Flow Patterns
• Verify Data Flow Patterns
• Verify Coding Patterns
Discovery Sensors
• Identify Architecture
• Identify Connections
• Identify Security Controls
• Profile Application
• Report Technologies In Use
• Measure Lines of Code
Appsec Console
Page 14
What Does a Vulnerability Look Like?

```java
conn = pool.getConnection();
// Untrusted request values are concatenated straight into the query text:
// this is the deck's deliberately vulnerable login example (SQL injection).
String sql = "select * from user where username='" + username + "' and password='" + password + "'";
stmt = conn.createStatement();
rs = stmt.executeQuery(sql);            // the trigger: the tainted string reaches the database
if (rs.next()) {
    loggedIn = true;
    out.println("Successfully logged in");
} else {
    out.println("Invalid credentials");
}
```
Page 15
It's a "Path" Through Your Code!
(Diagram: the request's path through the code down to the DB)
Page 16
Source: a = request.getParameter("foo")
Data Flow: b = a + "bar";
Control (Validation): pattern.matches("[a-zA-Z0-9 ]");
Data Flow: c = b.replaceAll("foo", "bar");
Data Flow: d = c.getBytes();
Data Flow: e = new String(d, "UTF-8");
Control (Encoding): f = ESAPI.encodeForSQL(e);
Trigger: stmt.exec("SELECT * FROM " + f);
Page 17
Tagging
"user-input": a = request.getParameter("foo")
b = a + "bar";
"limited-chars": pattern.matches("[a-zA-Z0-9 ]");
c = b.replaceAll("foo", "bar");
"encoded": d = ESAPI.encodeForSQL( c );
stmt.exec("SELECT * FROM " + d );
Safe!
Page 18
Data flow analysis (aka clusterbomb)
(Diagram) The parts of an HTTP Request (Header, Header, Cookie, URL Parameter, URL Parameter, Form Parameter, Form Parameter, …) are followed as getParameter("foo") is split into chunks (chunk1 … chunk5 via split(",")), chunk3 has "<" appended (chunk3<), chunk1 is appended (chunk3<chunk1) and the result passes through htmlEncode(); the question the analysis answers is whether the html-encoded output still carries a cross-site scripting risk.
Page 19
Fine-Grained Tracking
foo: a = request.getParameter("foo")
foobarfoo: b = a + "bar" + a;
pattern.matches("[a-zA-Z0-9 ]");
foarfoo: c = b.replaceAll( "ob", "" );
foarfoo: d = ESAPI.encodeForSQL( c );
SELECT * FROM 'foarfoo': stmt.exec("SELECT * FROM " + d );
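As an added example (not from the deck) of the tagging and fine-grained tracking on the last two slides: a small per-character taint model in Java that follows the deck's own sequence (a = "foo", b = a + "bar" + a, c = b.replaceAll("ob", ""), then encodeForSQL). Class and method names are hypothetical, the quote-doubling inside encodeForSQL is a stand-in for the real ESAPI codec, and the "limited-chars" validation tag is left out.

```java
import java.util.*;
public final class TaintedString {
    final String value;
    final List<Set<String>> tags;                  // one tag set per character of value
    TaintedString(String value, List<Set<String>> tags) { this.value = value; this.tags = tags; }
    // Source: a request parameter gets "user-input" on every character; a literal gets no tags.
    static TaintedString tagged(String s, String... initial) {
        List<Set<String>> t = new ArrayList<>();
        for (int i = 0; i < s.length(); i++) t.add(new HashSet<>(Arrays.asList(initial)));
        return new TaintedString(s, t);
    }
    // Data flow: concatenation keeps each side's per-character tags.
    TaintedString concat(TaintedString o) {
        List<Set<String>> t = new ArrayList<>();
        for (Set<String> ts : tags) t.add(new HashSet<>(ts));
        for (Set<String> ts : o.tags) t.add(new HashSet<>(ts));
        return new TaintedString(value + o.value, t);
    }
    // Data flow: literal replace; inserted characters inherit the tags of the text they replace.
    TaintedString replaceAll(String target, String rep) {
        StringBuilder sb = new StringBuilder();
        List<Set<String>> t = new ArrayList<>();
        for (int i = 0; i < value.length(); ) {
            if (!value.startsWith(target, i)) { sb.append(value.charAt(i)); t.add(new HashSet<>(tags.get(i))); i++; continue; }
            Set<String> inherited = new HashSet<>();
            for (int k = i; k < i + target.length(); k++) inherited.addAll(tags.get(k));
            for (int k = 0; k < rep.length(); k++) t.add(new HashSet<>(inherited));
            sb.append(rep);
            i += target.length();
        }
        return new TaintedString(sb.toString(), t);
    }
    // Control (encoding): a simplified escape (doubling single quotes), then "encoded" on every character.
    TaintedString encodeForSQL() {
        TaintedString e = replaceAll("'", "''");
        for (Set<String> ts : e.tags) ts.add("encoded");
        return e;
    }
    // Trigger: the query is unsafe if any user-input character reaches it without an "encoded" tag.
    boolean safeForSQL() {
        for (Set<String> ts : tags) if (ts.contains("user-input") && !ts.contains("encoded")) return false;
        return true;
    }
    public static void main(String[] args) {
        TaintedString a = tagged("foo", "user-input");                  // a = request.getParameter("foo")
        TaintedString b = a.concat(tagged("bar")).concat(a);             // b = a + "bar" + a   -> "foobarfoo"
        TaintedString c = b.replaceAll("ob", "");                        // c -> "foarfoo", "fo" and "foo" still tracked
        System.out.println(c.value + " safe=" + c.safeForSQL() + ", after encodeForSQL safe=" + c.encodeForSQL().safeForSQL());
    }
}
```

Running main prints foarfoo safe=false, after encodeForSQL safe=true: the untracked "bar" characters were removed along with one tracked "o", yet the two surviving user-input fragments are still known to the trigger check until the encoding step tags them.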
Page 20
Agent capabilities
(Diagram) Your standard application stack(s): Physical Host or VM, Container OS, Container Runtime, 3rd Party Frameworks, 3rd Party Libraries, Apps and APIs; the Agent sits in the Application Platform.
Examples…
• Analyze configuration files
• Analyze loaded libraries
• Analyze HTTP request
• Analyze HTTP response
• Analyze backend connections
• Report hardcoded credentials
• Report on weak ciphers
• Report injection flaws
• Report vulnerable libraries
• Zero-touch logging
• Deploy virtual patches
• Block attacks
Page 21
Library analysis – 3rd party / CVEs
Page 22
Data Flow analysis - SQL injection
Page 23
HTTP response analysis – Clickjacking
Page 24
Configuration analysis – Authentication mode
Page 25
Execution analysis – Cipher initialization
Page 26
Blocking attacks
Security context assembled within agent; sensors woven into running application.
(Diagram) Actors: Developer, Tester, User, Attacker. Request path: HTTP Request → Controller → Validation → Session → Business Logic → Data Layer → SQL → API / Database. What the sensors collect along the way: Validation Tags, Data Tracking, Data Parsing, Escaping Tags, Query. Questions the agent answers: Vulnerability? Attack? (✓ / ✘)
Page 27
WAF versus RASP
Perimeter decision point (WAF) sees only the raw request: GET /foo?name='%20or%20%20'1'='1 HTTP/1.0
Application decision point (RASP) sees the query the application actually executes: stmt.execute( "select * from table where id ='1' or '1'='1'" );
Three problems with the perimeter approach: 1) Bottleneck 2) No context 3) Impedance
Page 28
RASP performance – same as code
WebGoat RASP processing time (microseconds, i.e. millionths of a second):
• Typical traffic: 50 microseconds
• Mixed traffic: 170 microseconds
• Heavy attack traffic: 230 microseconds
• Number of applications doesn't matter
• No bottleneck on either bandwidth or CPU
Page 29
Accuracy, Automation and Scalability
You can't scale appsec without highly accurate tools (both true positives and true negatives)
Because inaccuracies require experts…
…and experts don’t scale.
Page 30
Concluding Remarks
Instrumentation enables …
• Application security in parallel (background),
• continuously across the entire portfolio,
• without scans and bottlenecks,
• on modern software architecture,
• at the breakneck speed of development.