Automated Detection of Complexvulnerabilities with Static
Total Page:16
File Type:pdf, Size:1020Kb
Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities with Static Code Analysisvon Webapplikationen Automated Detection of Complex Vulnerabilities with Static Code Analysis Johannes Dahse, Dortmund, 10 Nov 2016 Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities with Static Code Analysisvon Webapplikationen 1. Introduction 2. Static Code Analysis 3. First-order Bug Detection 4. Second-order Bug Detection 5. Gadget Chain Detection 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.1 About ● Dr. Johannes Dahse ● CEO of RIPS Technologies ● Study/Ph.D. IT-Security, Ruhr-University Bochum ● Security Consultant ● CTF participant ● @FluxReiners, websec.wordpress.com ● Developer of RIPS www.ripstech.com 3 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.2 Research Timeline ● 2007 – 2009: PHP Scanner based on Regex used for CTF competitions ● 2009 – 2011: RIPS 1st Generation based on Tokenizer open sourced during MOPS (2nd place) ● 2012: RIPS 2nd Generation based on AST and CFG subject of master thesis ● 2013 – 2015: RIPS 3rd Generation subject of doctor thesis ● 2016: RIPS (Standalone / Cloud) 4 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.3 The Role of PHP in Security ● 82.2 % of the websites run PHP as server-side language ● Dynamic language, built-in features, oddities / pitfalls ● 25 % of all reported CVE vulnerabilities are related to PHP ● Sucuri Website Hacked Report: 97 % of hacked websites run PHP CMS Source: W3Techs Source: MITRE CVE 8000 PHP 7000 ASP 6000 Java 5000 CFM Other 4000 Ruby PHP 3000 Perl 2000 Python 1000 JS 0 0 10 20 30 40 50 60 70 80 90 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 5 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.4 Security Vulnerability Demo 6 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 1.5 Goal ● Automated security analysis of PHP code - Analyze dynamic language - Support variety of language features - Detect common vulnerability types - Detect complex vulnerabilities - Scale to large applications - Non-annotation based 7 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2. Static Code Analysis 8 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 2.1 Overview ● Transform code into abstract syntax tree (AST) ● Split AST into basic blocks ● Analyze data flow within each basic block ● Summarize data flow in block and function summaries ● Connect basic blocks to a control flow graph (CFG) ● Perform backwards-directed taint analysis for each sensitive sink Code AST Basic Blocks CFG Report 9 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3. First-order Bug Detection 10 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.1 Traditional Vulnerability Types ✗ Authorization Bypass ✔ File Inclusion ✔ Open Redirect ✗ Cross-Site Request Forgery ✔ File Write ✔ PHP Object Injection ✔ Cross-Site Scripting ✔ File System Manipulation ✔ PHP Object Instantiation ✔ Code Execution ✔ File Upload ✔ Reflection/Autoload Injection ✔ Command Execution ✔ HTTP Response Splitting ✔ Server-Side JavaScript Injection ✔ Connection String Injection ✔ Information Leakage ✔ Server-Side Request Forgery ✔ Denial of Service ✔ LDAP Injection ✔ Session Fixation ✔ Directory Listing ✔ Library Injection ✔ SQL Injection ✔ Environment Manipulation ✔ Log Forge ✔ Variable Manipulation ✔ Execution After Redirect ✔ Mass Assignment ✔ Weak Cryptography ✔ File Create ✔ Memcached Injection ✔ XML/XXE Injection ✔ File Delete ✔ MongoDB Injection ✔ XPath Injection ✔ File Disclosure ✔ NoSQL Injection ✔ Xquery Injection 11 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.2 Taint Analysis user input sensitive sink $_GET print() XSS $_POST mysql_query() SQL Injection $_COOKIE include() File Inclusion + = $_REQUEST eval() Code Execution $_FILES system() Command Execution $_SERVER ... ... ... 12 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.2 Taint Analysis (Refined) user input sanitization sensitive sink $_GET htmlentities() print() XSS $_POST addslashes() mysql_query() SQL Injection $_COOKIE basename() include() File Inclusion + + = $_REQUEST (int) eval() Code Exec $_FILES escapeshellarg() system() Cmd Exec $_SERVER ... ... ... ... 13 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.3 Security Mechanisms source 1 $url = htmlentities($_GET['id']); “ → " 2 echo '<a href=““>' . $url . '</a>'; < → < 3 echo “<a href='$url'>click</a>“; sanitization 4 echo '<a href=“' . $url . '“>click</a>'; sensitive sink 14 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.3 Security Mechanisms source 1 $url = htmlentities($_GET['id']); “ → " 2 echo '<a href=““>' . $url . '</a>'; < → < 3 echo “<a href='$url'>click</a>“; 'onclick='alert(1) sanitization 4 echo '<a href=“' . $url . '“>click</a>'; javascript:alert(1) sensitive sink 15 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.4 Taint Analysis (Context-Sensitive) user input sanitization markup sensitive sink $_GET htmlentities() HTML print() XSS $_POST addslashes() SQL mysql_query() SQL Injection $_COOKIE basename() File Path include() File Inclusion + + + = $_REQUEST (int) PHP eval() Code Exec $_FILES escapeshellarg() OS Command system() Cmd Exec $_SERVER ... ... ... ... ... 16 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.5 Context-Sensitive Taint Analysis 1 $id = $_POST['id']; $id = $_POST['id']; 2 if(...) { 3 $id = (int)$id; 4 } $id = (int)$id; $id = htmlentities($id); 5 else { 6 $id = htmlentities($id); 7 } 8 echo "<div id='$id'>"; echo "<div id='$id'>"; Code AST Basic CFG Report Blocks 17 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.5 Context-Sensitive Taint Analysis $id = $_POST['id']; $id = (int)$id; $id = htmlentities($id); Markup Context $id: HTML attribute single-quoted (SQ) echo "<div id='$id'>"; Code AST Basic CFG Report Blocks 18 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.5 Context-Sensitive Taint Analysis $id = $_POST['id']; Sanitized: Integer only $id = (int)$id; $id = htmlentities($id); $id Markup Context $id: HTML attribute single-quoted (SQ) echo "<div id='$id'>"; Code AST Basic CFG Report Blocks 19 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse Vulnerabilities 2. Static Code Analysis 3. First-order Bugs with Static Code Analysisvon Webapplikationen 4. Second-order Bugs 5. Gadget Chains 3.5 Context-Sensitive Taint Analysis Vulnerable! User input (no " < >) $_POST $id = $_POST['id']; $id id XSS <> XSS DQ" $id = htmlentities($id); Element Attribute $id = (int)$id; Markup Context $id: HTML attribute single-quoted (SQ) echo "<div id='$id'>"; Code AST Basic CFG Report Blocks 20 1. Introduction Automated DetectionAutomatisierte of Complex Sicherheitsanalyse