bytecode injection

8/7/2019 Bytecode Injection

1/41

Escape From theBlack Box

Brian Chess

Fortify Software

Countering the faults of typical webscanners through bytecode injection


2/41

Agenda Problems With Black Box Testing

Approaches To Finding Security Issues

4 Problems With Black Box Testing

Solution: White Box Testing

Bytecode Injection

Demo


3/41

Black Box Testing

Today


4/41

Black Box Testing TodayHow Do You Find Security Issues?

Looking at architectural / design documents

Looking at the source code

Static Analysis

Looking at a running application

Dynamic Analysis


5/41

Static Analysis

Analysis Of Source Code and Configuration Files

Manual Source Code Reviews Automated Tools

Commercial Static Analysis Tools

Coverity

Fortify Software Klocwork

Ounce Labs


6/41

Dynamic Analysis Testing & Analysis Of Running Application

Find Input

Fuzz Input

Analyze Response

Commercial Web Scanners Cenzic

SPIDynamics

Watchfire ...


7/41

Most People Use Web Scanners

Because Easy To Run

Fast To Run

Someone Told Me To


8/41

But ...Did I Do A Good Job?


9/41

Q1: How Thorough Was My Test? Do You Know How Much Of Your

Application Was Tested?

0%

5%

10%

15%

20%

25%

30%

35%

40%

No Idea Very

uncertain

Could guess

within 30%

Could guess

within 15%

Extremely

confident


10/41

Q1: How Thorough Was My Test? How Much Of The Application Do You

Think You Tested?

0%

10%

20%

30%

40%

50%

0-20% of the

Application

21-40 41-60 61-80 81-100


11/41

Truth About Thoroughness We ran a Version 7.0 Scanner on the

following:

Application EMMA Code Coverage Tool Web SourceHacmeBooks 34% classes

12% blocks

14% lines

30.5%

JCVS Web 45% classes

19% blocks

22% lines

31.2%

Java PetStore 2 70% classes

20% blocks

23% lines

18%


12/41

Web Scanner Review Good

Found Real Vulnerabilities

Was Easy To Run

Bad

How Thorough Was My Test?

No Way To Tell, And Actual Coverage Is Often Low


13/41

Q2:Did I Find All Vulnerabilities? 3 Ways To Fail

Didnt Test

Tested But Couldnt Conclude Cant Test


14/41

Q2:Did I Find All Vulnerabilities?1. Didnt Test

If The Web Scanner Didnt Even Reach That

Area, It Cannot Test!

Application

TestedVulnerabilities

Not Found

Untested

Vulnerabilities

Found


15/41

Q2:Did I Find All Vulnerabilities?2. Tested, But Couldnt Conclude

Blind SQL Injection Vulnerabilities That Did Not

Return With A Known Signature


16/41

Q2:Did I Find All Vulnerabilities?2. Tested, But Couldnt Conclude

Certain Classes Of Vulnerabilities Sometimes

Can Be Detected Through HTTP Response SQL Injection

Command Injection

LDAP Injection


17/41

Q2:Did I Find All Vulnerabilities?3. Cant Test

Some Vulnerabilities Have No Manifestation In

Http Response

Application

Log

File

Client

I hope theyre not

logging my CC# into

plaintext log file

cc num

cc num

Your order will be

processed in 2 days

HTTP

Response


18/41


19/41



Was Easy To Run

Bad How Thorough Was My Test?


Did I Find All My Vulnerabilities?

Didnt Test, Tested But Couldnt Conclude, Cant Test


20/41


21/41

Matching Signature On A Valid Page

Q3:Are The Results Reported True?


22/41

Q3:Are The Results Reported True? Matching Behavior On A Valid Page

To determine if the application is vulnerable to SQLinjection, try injecting an extra true condition into the

WHERE clause and if this query also returns thesame , then the application is susceptible to SQLinjection (from paper on Blind SQL Injection)

E.g. http://www.server.com/getCC.jsp?id=5

select ccnum from table where id=5 http://www.server.com/getCC.jsp?id=5 AND 1=1

select ccnum from table where id=5 AND 1=1


23/41

Q3:Are The Results Reported True? E.g.

http://www.server.com/getCC.jsp?id=5 select ccnum from table where id=5

Response:

No match found (No one with id 5) http://www.server.com/getCC.jsp?id=5 AND 1=1

select ccnum from table where id=5\ AND \1\=\1

Response No match found (No one with id 5 AND 1=1)

All single quotes were escaped.

According To The Algorithm (inject a true clause andlook for same response), This Is SQL InjectionVulnerability!


24/41



Was Easy To Run

Bad1. How Thorough Was My Test?


2. Did I Find All My Vulnerabilities? Didnt Test, Tested But Couldnt Conclude, Cant Test

3. Are All The Results Reported True? Susceptible To False Signature & Behavior Matching


25/41

Q4: How Do I Fix The Problem? Security Issues Must Be Fixed In Source Code

Information Given

URL Parameter

General Vulnerability Description

HTTP Request/Response

But Where In My Source Code Should I Look?


26/41

Question 4: How Do I Fix The

Problem? Incomplete Vulnerability Report -> Bad Fixes

Report:

Injecting AAAAA..AAAAA Caused Application ToCrash

Solution By Developers:

.

if (input.equals(AAAAA..AAAAA))

return;

..


27/41



Was Easy To Run

Bad1. How Thorough Was My Test?


2. Did I Find All My Vulnerabilities? Didnt Test, Tested But Couldnt Conclude, Cant Test

3. Are All The Results Reported True?

Susceptible To Signature & Behavior Matching

4. How Do I Fix The Problem? No Source Code / Root Cause Information


28/41

Attacking The ProblemsWhite Box Testing With

Bytecode Injection


29/41


30/41

How Will Monitors Solve The

Problems? How Thorough Was

My Test?

Did I Find All My

Vulnerabilities? Are All The Results

Reported True?

How Do I Fix TheP

roblem?

Monitors Inside Will Tell

Which Parts Was Hit

Monitors Inside Detects

More Vulnerabilities Very Low False Positive

By Looking At Source Of

Vulnerabilities

Monitors Inside Can GiveRoot Cause Information


31/41

How To Build The Solution How Do You Inject The Monitors Inside

The Application?

Where Do You Inject The MonitorsInside The Application?

What Should The Monitors Do Inside

The Application?


32/41

How Do You Inject The Monitors? Problem: How Do You Put The Monitors Into The

Application?

Assumption: You Do Not Have Source Code,Only Deployed Java / .NET Application

Solution: Bytecode Weaving AspectJ for Java

AspectDNG for .NET


33/41

How Does Bytecode Weaving Work?

Original.class

AspectJ New.class

New Code &Location Spec.

Similar process for .NET


34/41

How Does Bytecode Weaving Work?List getStuff(String id) {

List list = new ArrayList();

try {

String sql = select stuff frommytable where id= + id + ;

JDBCstmt.executeQuery(sql);

} catch (Exception ex) {

log.log(ex);

}

return list;

}

List getStuff(String id) {

List list = new ArrayList();

try {

String sql = select stuff frommytable where id= + id + ;

MyLibrary.doCheck(sql);

JDBCstmt.executeQuery(sql);

} catch (Exception ex) {

log.log(ex);

}

return list;

}

BeforeexecuteQuery()

Call

MyLibrary.doCheck()


35/41

Applying Byte-Code Injection To

Enhance Security Testing How Do You Inject The Monitors Inside

The Application?

Where Do You Inject The MonitorsInside The Application?

What Should The Monitors Do Inside

The Application?


36/41


37/41


38/41

aspect SQLInjection {

pointcut sqlExec(String sql):call(ResultSet Statement.executeQuery(String))

&& args(sql);

before(String sql) : sqlExec(sql) { checkInjection(sql, thisJoinPoint); }

void checkInjection(String sql, JoinPoint thisJoinPoint){System.out.println("HIT:" +

thisJoinPoint.getSourceLocation().getFileName() +

thisJoinPoint.getSourceLocation().getLine());

if (count(sql, '\'')%2 == 1) {

System.out.println("*** SQL Injection detected. SQL statement

being executed as follows: + sql);}

..

What Should The Monitors Do?

1) Report whether API was hit or not

2) Analyze The Content Of The API Call

3) Report Code-Level Information


39/41

Conclusions Web Scanners Good

Easy To Use

Finding Smoking Gun Bad

Lack Of Coverage Information

False Negatives

False Positives Lack Of Code-Level / Root Cause Information


40/41

Conclusions White Box Testing Bytecode Injection Require Access To

Running Application

In Exchange Gain Coverage Information

Find More Vulnerabilities, More Accurately

Determine Root Cause Information


41/41

Conclusions Use YourAdvantageAttacker Defender

Time

Attempts

Security

KnowledgeAccess To

Application

bytecode injection

Documents