Automated Security Analysis of Web Applications
Automated Detection of Complex Vulnerabilities with Static Code Analysis
Johannes Dahse, Dortmund, 10 Nov 2016
1. Introduction
2. Static Code Analysis
3. First-order Bug Detection
4. Second-order Bug Detection
5. Gadget Chain Detection
1.1 About
● Dr. Johannes Dahse
● CEO of RIPS Technologies
● Study/Ph.D. IT-Security, Ruhr-University Bochum
● Security Consultant
● CTF participant
● @FluxReiners, websec.wordpress.com
● Developer of RIPS
www.ripstech.com
1.2 Research Timeline
● 2007 – 2009: PHP Scanner based on Regex, used for CTF competitions
● 2009 – 2011: RIPS 1st Generation based on Tokenizer, open sourced during MOPS (2nd place)
● 2012: RIPS 2nd Generation based on AST and CFG, subject of master thesis
● 2013 – 2015: RIPS 3rd Generation, subject of doctor thesis
● 2016: RIPS (Standalone / Cloud)
1.3 The Role of PHP in Security
● 82.2 % of the websites run PHP as server-side language
● Dynamic language, built-in features, oddities / pitfalls
● 25 % of all reported CVE vulnerabilities are related to PHP
● Sucuri Website Hacked Report: 97 % of hacked websites run PHP CMS
[Chart: share of websites by server-side language (PHP, ASP, Java, CFM, Ruby, Perl, Python, JS), scale 0–90 %. Source: W3Techs]
[Chart: reported CVE entries per year 2000–2014, scale 0–8000, PHP vs. other. Source: MITRE CVE]
1.4 Security Vulnerability Demo
1.5 Goal
● Automated security analysis of PHP code
  - Analyze dynamic language
  - Support variety of language features
  - Detect common vulnerability types
  - Detect complex vulnerabilities
  - Scale to large applications
  - Non-annotation based
2. Static Code Analysis
2.1 Overview
● Transform code into abstract syntax tree (AST)
● Split AST into basic blocks
● Analyze data flow within each basic block
● Summarize data flow in block and function summaries
● Connect basic blocks to a control flow graph (CFG)
● Perform backwards-directed taint analysis for each sensitive sink
[Pipeline: Code → AST → Basic Blocks → CFG → Report]
3. First-order Bug Detection
3.1 Traditional Vulnerability Types
✗ Authorization Bypass
✗ Cross-Site Request Forgery
✔ Cross-Site Scripting
✔ Code Execution
✔ Command Execution
✔ Connection String Injection
✔ Denial of Service
✔ Directory Listing
✔ Environment Manipulation
✔ Execution After Redirect
✔ File Create
✔ File Delete
✔ File Disclosure
✔ File Inclusion
✔ File Write
✔ File System Manipulation
✔ File Upload
✔ HTTP Response Splitting
✔ Information Leakage
✔ LDAP Injection
✔ Library Injection
✔ Log Forge
✔ Mass Assignment
✔ Memcached Injection
✔ MongoDB Injection
✔ NoSQL Injection
✔ Open Redirect
✔ PHP Object Injection
✔ PHP Object Instantiation
✔ Reflection/Autoload Injection
✔ Server-Side JavaScript Injection
✔ Server-Side Request Forgery
✔ Session Fixation
✔ SQL Injection
✔ Variable Manipulation
✔ Weak Cryptography
✔ XML/XXE Injection
✔ XPath Injection
✔ XQuery Injection
3.2 Taint Analysis
[Diagram: user input + sensitive sink = vulnerability]
user input: $_GET, $_POST, $_COOKIE, $_REQUEST, $_FILES, $_SERVER, ...
sensitive sink: print(), mysql_query(), include(), eval(), system(), ...
vulnerability: XSS, SQL Injection, File Inclusion, Code Execution, Command Execution, ...
3.2 Taint Analysis (Refined)
[Diagram: user input + sanitization + sensitive sink = vulnerability]
user input: $_GET, $_POST, $_COOKIE, $_REQUEST, $_FILES, $_SERVER, ...
sanitization: htmlentities(), addslashes(), basename(), (int), escapeshellarg(), ...
sensitive sink: print(), mysql_query(), include(), eval(), system(), ...
vulnerability: XSS, SQL Injection, File Inclusion, Code Exec, Cmd Exec, ...
3.3 Security Mechanisms
$url = htmlentities($_GET['id']);          // source + sanitization: " → &quot;   < → &lt;
echo '<a href="">' . $url . '</a>';        // sensitive sink
echo "<a href='$url'>click</a>";           // sensitive sink
echo '<a href="' . $url . '">click</a>';   // sensitive sink
3.3 Security Mechanisms
$url = htmlentities($_GET['id']);          // source + sanitization: " → &quot;   < → &lt;
echo '<a href="">' . $url . '</a>';        // sensitive sink
echo "<a href='$url'>click</a>";           // sensitive sink: 'onclick='alert(1)
echo '<a href="' . $url . '">click</a>';   // sensitive sink: javascript:alert(1)
3.4 Taint Analysis (Context-Sensitive)
[Diagram: user input + markup + sanitization + sensitive sink = vulnerability]
user input: $_GET, $_POST, $_COOKIE, $_REQUEST, $_FILES, $_SERVER, ...
markup: HTML, SQL, File Path, PHP, OS Command, ...
sanitization: htmlentities(), addslashes(), basename(), (int), escapeshellarg(), ...
sensitive sink: print(), mysql_query(), include(), eval(), system(), ...
vulnerability: XSS, SQL Injection, File Inclusion, Code Exec, Cmd Exec, ...
3.5 Context-Sensitive Taint Analysis
$id = $_POST['id'];
if(...) {
    $id = (int)$id;
}
else {
    $id = htmlentities($id);
}
echo "<div id='$id'>";
[Pipeline: Code → AST → Basic Blocks → CFG → Report]
CFG basic blocks:
    $id = $_POST['id'];
    $id = (int)$id;   |   $id = htmlentities($id);
    echo "<div id='$id'>";
3.5 Context-Sensitive Taint Analysis
CFG basic blocks:
    $id = $_POST['id'];
    $id = (int)$id;   |   $id = htmlentities($id);
    echo "<div id='$id'>";    Markup Context $id: HTML attribute single-quoted (SQ)
3.5 Context-Sensitive Taint Analysis
CFG basic blocks (backwards trace of $id from the sink):
    echo "<div id='$id'>";    Markup Context $id: HTML attribute single-quoted (SQ)
    $id = (int)$id;    Sanitized: Integer only   |   $id = htmlentities($id);
    $id = $_POST['id'];
3.5 Context-Sensitive Taint Analysis
CFG basic blocks (backwards trace of $id from the sink):
    echo "<div id='$id'>";    Markup Context $id: HTML attribute single-quoted (SQ)
    $id = (int)$id;    Sanitized: Integer only   |   $id = htmlentities($id);    User input (no " < >)
    $id = $_POST['id'];    $_POST[id]
htmlentities() path: user input without " < > is safe against XSS in a DQ " attribute and in a <> element, but the sink context is a SQ ' attribute: Vulnerable!
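The context-sensitive backward taint analysis of sections 2.1 and 3.4–3.5, as an added example in Python (not RIPS code): the slide's program is modelled as basic blocks with CFG predecessor edges, the analysis walks backwards from the echo sink to the $_POST source along every path, classifies the markup context of the interpolation point and checks whether the sanitizers on that path cover it. The statement tuples, the markup_context() heuristic and the table of what htmlentities() and (int) neutralise are assumptions of this model; htmlentities() is modelled with PHP's pre-8.1 default flags, which leave the single quote unencoded, so the htmlentities() path is reported as vulnerable in the single-quoted attribute context while the (int) path is not.

```python
import re
from dataclasses import dataclass, field

# Metacharacters relevant to the HTML contexts modelled here.
HTML_META = set("&<>\"' /=")

# What each sanitizer neutralises (model assumption). htmlentities() is
# modelled with PHP's pre-8.1 default flags (ENT_COMPAT): it encodes & < > "
# but leaves the single quote untouched. (int) keeps digits only.
SANITIZER_REMOVES = {
    "htmlentities": set('&<>"'),
    "(int)": HTML_META,
}

# Characters an injected value needs in order to leave each markup context.
CONTEXT_BREAKOUT = {
    "html_element": {"<"},            # text between tags
    "attr_dq": {'"'},                 # attr="$x"
    "attr_sq": {"'"},                 # attr='$x'
    "attr_unquoted": {" ", ">"},      # attr=$x
    "html_tag": {" ", ">"},           # inside a tag, outside any value
}


@dataclass
class Block:
    """A basic block: straight-line statements plus its CFG predecessors.
    Statements: ("source", var, label), ("sanitize", var, func, arg),
    ("sink", var, template). Variable names are written without the '$'."""
    stmts: list
    preds: list = field(default_factory=list)


def markup_context(template, var):
    """Classify the markup context in which $var is interpolated into template."""
    before = template.split("$" + var, 1)[0]
    last_open = before.rfind("<")
    if last_open == -1 or before.rfind(">") > last_open:
        return "html_element"
    m = re.search(r"""=\s*(["']?)[^"']*$""", before[last_open:])
    if m is None:
        return "html_tag"
    return {"'": "attr_sq", '"': "attr_dq", "": "attr_unquoted"}[m.group(1)]


def trace_back(cfg, block, index, var, sanitizers, seen):
    """Backward-directed trace of `var` from statement `index` of `block`
    (exclusive) towards the sources. Returns one (source, sanitizers) pair
    per CFG path that reaches a source."""
    for stmt in reversed(cfg[block].stmts[:index]):
        if stmt[1] != var:
            continue
        if stmt[0] == "source":
            return [(stmt[2], sanitizers)]
        if stmt[0] == "sanitize":
            sanitizers, var = sanitizers + [stmt[2]], stmt[3]
    paths = []
    for pred in cfg[block].preds:
        if pred not in seen:
            paths += trace_back(cfg, pred, len(cfg[pred].stmts), var,
                                sanitizers, seen | {pred})
    return paths


def analyze(cfg):
    """For every sink, report each source-to-sink path together with the
    markup context and whether the applied sanitizers cover that context."""
    reports = []
    for name, block in cfg.items():
        for i, stmt in enumerate(block.stmts):
            if stmt[0] != "sink":
                continue
            var, template = stmt[1], stmt[2]
            ctx = markup_context(template, var)
            for source, sans in trace_back(cfg, name, i, var, [], {name}):
                removed = set().union(*[SANITIZER_REMOVES[s] for s in sans])
                reports.append({
                    "sink": template, "context": ctx, "source": source,
                    "sanitizers": sans,
                    "vulnerable": bool(CONTEXT_BREAKOUT[ctx] - removed),
                })
    return reports


def slide_program(sink_template):
    """The slide's program as basic blocks (constructed model). The sink
    template is a parameter so the same code can be checked in other contexts."""
    return {
        "entry": Block([("source", "id", "$_POST['id']")]),
        "then": Block([("sanitize", "id", "(int)", "id")], preds=["entry"]),
        "else": Block([("sanitize", "id", "htmlentities", "id")], preds=["entry"]),
        "join": Block([("sink", "id", sink_template)], preds=["then", "else"]),
    }


if __name__ == "__main__":
    for report in analyze(slide_program("<div id='$id'>")):
        print(report)
```

Passing a double-quoted attribute template such as `<div id="$id">` to slide_program() makes both paths safe, which is exactly the context sensitivity the slides argue for: the same sanitizer is sufficient in one markup context and insufficient in another.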
3.6 Examples
Software          Version   Vulnerability detected by RIPS
Wordpress         4.01      Cross-Site Scripting
phpBB             2.0.23    SQL Injection
phpMyAdmin        4.2.10    Local File Inclusion
CMS Made Simple   1.11.11   SQL Injection
4. Second-order Bug Detection
4.1 Second-order Vulnerabilities
[Diagram: user input (e.g. ! " * $ ( ) & / ' \) → application → write → database → read → application]
4.2 Persistent Data Stores
User input: $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, ...
    --1. write-->
Persistent Data Store (PDS): Databases, File Names, $_SESSION, (File Content), ...
    --2. read-->
Sensitive Sink: Cross-Site Scripting, SQL Injection, Code Execution, File Inclusion, File Disclosure, ...
4.3 First-order Taint Analysis
$name = $_POST['name'];
if(...) {
    $role = 'admin';
}
else {
    $role = 'user';
}
mysql_query("INSERT INTO users VALUES('$name', '$role')");
CFG basic blocks (backwards trace from the sink):
    mysql_query("INSERT INTO users VALUES('$name', '$role')");
    $role = 'admin';   |   $role = 'user';
    $name = $_POST['name'];
Result: SQLi from $_POST[name]
4.4 Second-order Taint Analysis
$name = addslashes($_POST['name']);
if(...) {
    $role = 'admin';
}
else {
    $role = 'user';
}
mysql_query("INSERT INTO users VALUES('$name', '$role')");
CFG basic blocks (backwards trace from the sink):
    mysql_query("INSERT INTO users VALUES('$name', '$role')");
    $role = 'admin';   |   $role = 'user';
    $name = addslashes($_POST['name']);
Recorded writes to PDS users (columns name, role):
    INSERT INTO users VALUES('$_POST[name]', 'admin')
    INSERT INTO users VALUES('$_POST[name]', 'user')
4.4 Second-order Taint Analysis
$r = mysql_query('SELECT name FROM users');
if(...) {
    $row = mysql_fetch_assoc($r);
}
else {
    die('error');
}
echo "Hi " . $row['name'];
CFG basic blocks (backwards trace from the sink):
    echo "Hi " . $row['name'];
    $row = mysql_fetch_assoc($r);
    $r = mysql_query('SELECT name FROM users');
Result: Temp XSS from users[name] (read from PDS)
4.5 Second-order Vulnerability Report
[Diagram: Reads are matched against Writes. Read: Temp XSS users[name]. Writes: PDS users (columns id, name, pass) and PDS' (*). Result: Second-Order XSS from $_POST[name]]
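The two-pass second-order analysis of sections 4.3–4.5, as an added example in Python (not RIPS code): pass 1 runs a forward taint pass over each script, reports first-order flows, records every write of tainted data into a persistent data store (PDS) and keeps flows that begin at a PDS read as temporary reports; pass 2 links those temporary reports to the recorded writes. The statement tuples and the table of which sink kinds each sanitizer covers are assumptions of this model, and the two slide snippets are modelled as straight-line statement lists because their branches only assign constants or die().

```python
# Which sink kinds each sanitizer is effective for (model assumption).
SANITIZER_COVERS = {
    "addslashes": {"sqli"},
    "htmlentities": {"xss"},
    "(int)": {"sqli", "xss"},
}


def covered(sanitizers, sink_kind):
    return any(sink_kind in SANITIZER_COVERS[s] for s in sanitizers)


def first_order(script):
    """Forward taint pass over one straight-line script.

    Statements: ("source", var, label), ("sanitize", var, func, arg),
    ("const", var), ("pds_read", var, table, column),
    ("pds_write", table, {column: var}), ("sink", kind, var).
    Returns (first-order reports, recorded PDS writes, temporary reports).
    """
    taint, reports, writes, temps = {}, [], {}, []

    def report(kind, rec):
        # A flow that starts at a PDS read stays a temporary report until
        # the second pass has found a matching write.
        (temps if rec["pds"] else reports).append({"kind": kind, **rec})

    for stmt in script:
        op = stmt[0]
        if op == "source":
            taint[stmt[1]] = {"source": stmt[2], "sanitizers": [], "pds": None}
        elif op == "const":
            taint.pop(stmt[1], None)
        elif op == "sanitize":
            _, target, func, arg = stmt
            if arg in taint:
                taint[target] = {**taint[arg],
                                 "sanitizers": taint[arg]["sanitizers"] + [func]}
            else:
                taint.pop(target, None)
        elif op == "pds_read":
            _, var, table, column = stmt
            taint[var] = {"source": f"{table}[{column}]", "sanitizers": [],
                          "pds": (table, column)}
        elif op == "pds_write":
            _, table, columns = stmt
            for column, var in columns.items():
                if var in taint:
                    rec = taint[var]
                    if not covered(rec["sanitizers"], "sqli"):   # the query is a SQL sink
                        report("sqli", rec)
                    writes.setdefault((table, column), []).append(rec)
        elif op == "sink":
            _, kind, var = stmt
            if var in taint and not covered(taint[var]["sanitizers"], kind):
                report(kind, taint[var])
    return reports, writes, temps


def second_order(temps, writes):
    """Link temporary reports (flows from a PDS read) with the PDS writes
    recorded anywhere in the application."""
    found = []
    for t in temps:
        for w in writes.get(t["pds"], []):
            if not covered(w["sanitizers"], t["kind"]):
                found.append({"kind": t["kind"], "source": w["source"],
                              "via": t["source"], "write_sanitizers": w["sanitizers"]})
    return found


def analyze(scripts):
    """Whole-application analysis: pass 1 over every script, then link
    reads with writes; returns first-order and second-order reports."""
    reports, writes, temps = [], {}, []
    for script in scripts:
        r, w, t = first_order(script)
        reports += r
        temps += t
        for key, recs in w.items():
            writes.setdefault(key, []).extend(recs)
    return reports + second_order(temps, writes)


# Constructed from the slides' two snippets.
WRITE_SCRIPT = [
    ("source", "name", "$_POST[name]"),
    ("sanitize", "name", "addslashes", "name"),
    ("const", "role"),                                            # 'admin' or 'user'
    ("pds_write", "users", {"name": "name", "role": "role"}),     # INSERT INTO users ...
]
READ_SCRIPT = [
    ("pds_read", "row_name", "users", "name"),   # $row['name'] from SELECT name FROM users
    ("sink", "xss", "row_name"),                 # echo "Hi " . $row['name'];
]

if __name__ == "__main__":
    for report in analyze([WRITE_SCRIPT, READ_SCRIPT]):
        print(report)
```

With addslashes() on the write side the first pass reports nothing (the INSERT is SQL-safe), but the second pass still connects the users[name] read to the $_POST[name] write and reports the second-order XSS; swapping addslashes() for htmlentities() flips the result into a first-order SQL injection with no second-order XSS.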
4.6 Examples
Software     Version   Vulnerability detected by RIPS
Gallery3     3.0.4     Remote Code Execution
OpenConf     5.30      Remote Code Execution
osCommerce   2.3.4     Remote Command Execution
5. Gadget Chain Detection
5.1 PHP Object Injection + POP Chain
[Diagram: PHP Object Injection delivers an Object; the POP chain is built by chaining existing code (gadgets)]
5.2 PHP Serialization
class Text {
    public function __construct($data) {
        $this->data = $data;
    }
}
$object1 = new Text('Ruhr');
$tmp = serialize($object1);
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";}
// (unified string representation of $object1)
$object2 = unserialize($tmp);
echo $object2->data;
5.3 PHP Object Injection (POI)
class Text {
    public function __construct($data) {
        $this->data = $data;
    }
}
$object1 = new Text('Ruhr');
setcookie('tmp', serialize($object1));
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;
5.3 PHP Object Injection (POI)
class Text {
    public function __construct($data) {
        $this->data = $data;
    }
}
$object1 = new Text('Ruhr');
setcookie('tmp', serialize($object1));
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";}
// O:8:"stdClass":1:{s:4:"data";s:4:"RIPS";}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;
5.4 Magic Methods
class Text {
    public function __construct($d) {
        $this->data = $d;
    }
}
class File {
    public function __destruct() {
        unlink($this->filename);
    }
}
// O:4:"Text":1:{s:4:"data";s:4:"Ruhr";}
// O:4:"File":1:{s:8:"filename";s:10:"config.php";}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;
5.5 Property-oriented Programming (POP)
class File {
    public function __destruct() {
        $this->handler->close();
    }
}
// O:4:"File":1:{s:7:"handler";O:3:"ABC":0:{};}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;
5.5 Property-oriented Programming (POP)
class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill '.$this->pid);
    }
}
// O:4:"File":1:{s:7:"handler";O:7:"Process":0:{};}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;
5.5 Property-oriented Programming (POP)
class File {
    public function __destruct() {
        $this->handler->close();
    }
}
class Process {
    public function close() {
        system('kill '.$this->pid);
    }
}
// O:4:"File":1:{s:7:"handler";O:7:"Process":1:{s:3:"pid";s:6:"0;calc";};}
$object2 = unserialize($_COOKIE['tmp']);
echo $object2->data;
Resulting shell command:
> kill 0;calc
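A parser for the serialization format shown in sections 5.2–5.5, as an added example in Python (not RIPS or PHP code): it reads the O:, a:, s:, i:, b: and N; forms, reconstructs nested objects such as the File/Process example and lists every class name a blob would instantiate, which is the check a defender wants before unserialize() runs (PHP 7 enforces the same policy natively through the allowed_classes option of unserialize()). The class PhpObject, the helper names and the sample strings are constructed for this example; in the correct format a nested object or array ends with } and is not followed by ;.

```python
from dataclasses import dataclass


@dataclass
class PhpObject:
    cls: str
    props: dict


def expect(data, pos, token):
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")


def parse(data, pos=0):
    """Parse one serialized value starting at data[pos].

    Supports N; i:..; b:..; s:len:"..."; a:n:{...} and O:len:"Class":n:{...}.
    Returns (value, position after the value). Lengths are character counts
    here; PHP counts bytes, so decode real input as latin-1 or work on bytes.
    """
    t = data[pos]
    if t == "N":                                   # N;
        expect(data, pos + 1, ";")
        return None, pos + 2
    if t in "ib":                                  # i:-3;  b:1;
        end = data.index(";", pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":                                   # s:4:"Ruhr";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        value = data[start:start + length]         # length-delimited: may contain ; or "
        expect(data, start + length, '";')
        return value, start + length + 2
    if t in "aO":                                  # a:n:{k;v...}  O:len:"Cls":n:{k;v...}
        colon = data.index(":", pos + 2)
        name = None
        if t == "O":
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 2         # skip "Name":
            colon = data.index(":", pos)
            count = int(data[pos:colon])
        else:
            count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip :{
        items = {}
        for _ in range(count):
            key, pos = parse(data, pos)
            value, pos = parse(data, pos)          # nested a/O values end with } and no ;
            items[key] = value
        expect(data, pos, "}")
        return (PhpObject(name, items) if t == "O" else items), pos + 1
    raise ValueError(f"unsupported type {t!r} at offset {pos}")


def class_names(value):
    """All class names appearing in a parsed value, outermost first."""
    if isinstance(value, PhpObject):
        return [value.cls] + class_names(value.props)
    if isinstance(value, dict):
        return [c for v in value.values() for c in class_names(v)]
    return []


def unexpected_classes(data, allowed):
    """Class names in a serialized blob that are not on the allow-list.
    A non-empty result means the blob must not reach unserialize()."""
    value, end = parse(data)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return [c for c in class_names(value) if c not in allowed]


if __name__ == "__main__":
    # Constructed sample built from the slide's File/Process gadget classes.
    blob = 'O:4:"File":1:{s:7:"handler";O:7:"Process":1:{s:3:"pid";s:6:"0;calc";}}'
    print(parse(blob)[0])
    print(unexpected_classes(blob, {"Text"}))
```

The value of walking the whole structure rather than matching the first O: prefix is visible in the nested case: the outer object may be harmless in itself, yet the class that reaches a sink in section 5.5 sits one property deeper.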
5.6 POI Detection
● Backwards-directed taint analysis for unserialize()
● If argument is resolved to user input, report POI vulnerability
● Vulnerable unserialize() call returns tainted object
    $tmp = $_COOKIE['tmp'];
    $obj = unserialize($tmp);      // POI
5.6 POI Detection
● Backwards-directed taint analysis for unserialize()
● If argument is resolved to user input, report POI vulnerability
● Vulnerable unserialize() call returns tainted object
● Propagate tainted object forward
    $tmp = $_COOKIE['tmp'];
    $obj = unserialize($tmp);      // POI: $obj is a tainted object
    echo $obj->data;               // XSS via the tainted $obj
5.7 POP Chain Detectionclass File { public function __destruct(){
$this->handler->close(); }}
class Process { public function close() {
system('kill '.$this->pid); }}
class Database { public function close() {
mysql_close($this->db); }}
● Invoke inter-procedural analysis for all magic methods on POI
● For unknown receivers, combine analysis results of methods
1. Introduction2. Static Code Analysis3. First-order Bugs4. Second-order Bugs5. Gadget Chains
![Page 43: Automated Detection of Complex Vulnerabilities with Static ... · Automated Detection of Complex Vulnerabilities with Static Code Analysis 1.5 Goal Automated security analysis of](https://reader030.fdocuments.us/reader030/viewer/2022041109/5f0cb2307e708231d436ae73/html5/thumbnails/43.jpg)
43
Automatisierte Sicherheitsanalyse von Webapplikationen
Automated Detection of Complex Vulnerabilities with Static Code Analysis
5.7 POP Chain Detectionclass File { public function __destruct(){
$this->handler->close(); }}
class Process { public function close() {
system('kill '.$this->pid); }}
class Database { public function close() {
mysql_close($this->db); }}
● Invoke inter-procedural analysis for all magic methods on POI
● For unknown receivers, combine analysis results of methods● Arguments of a sensitive sink that are resolved to object properties are stored as the method's sensitive properties
$this->pid
1. Introduction2. Static Code Analysis3. First-order Bugs4. Second-order Bugs5. Gadget Chains
![Page 44: Automated Detection of Complex Vulnerabilities with Static ... · Automated Detection of Complex Vulnerabilities with Static Code Analysis 1.5 Goal Automated security analysis of](https://reader030.fdocuments.us/reader030/viewer/2022041109/5f0cb2307e708231d436ae73/html5/thumbnails/44.jpg)
44
Automatisierte Sicherheitsanalyse von Webapplikationen
Automated Detection of Complex Vulnerabilities with Static Code Analysis
5.7 POP Chain Detection
● Invoke inter-procedural analysis for all magic methods on POI
● For unknown receivers, combine analysis results of methods
● Arguments of a sensitive sink that are resolved to object properties are stored as the method's sensitive properties
● Sensitive properties are applied to each receiver at call-site

```php
class File {
    public function __destruct() {
        $this->handler->close();       // unknown receiver; sensitive property at call-site: $this->handler->pid
    }
}
class Process {
    public function close() {
        system('kill ' . $this->pid);  // sensitive property of close(): $this->pid
    }
}
class Database {
    public function close() {
        mysql_close($this->db);
    }
}
```
45
5.8 POP Chain Report
● Sensitive properties are applied to the receiving object at call-site
● If receiving object is tainted, a POP gadget chain is reported and attached to the POI report

```php
$tmp = $_COOKIE['tmp'];
$obj = unserialize($tmp);  // POI: $obj is tainted, so the sensitive property $this->handler->pid
                           // becomes $obj->handler->pid: POP Chain (Remote Command Execution)
```
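The detection steps of sections 5.6 to 5.8 (backwards taint analysis for unserialize(), forward propagation of the tainted object, per-method sensitive properties combined over unknown receivers, and the chain report when the receiver is tainted), as an added Python example that is not part of the slides and not RIPS code. The intermediate representation of the main script, the class model, the sink table and every identifier in them are constructed for this example; they only mirror the PHP snippets shown on the slides.

```python
"""Toy model of the POI / POP chain detection from sections 5.6 to 5.8.
The IR, class model and sink list are constructed for this example."""

# Sensitive sinks and the vulnerability type they cause when fed tainted data.
SINKS = {"system": "Remote Command Execution", "echo": "XSS"}

# Constructed IR of the main script from the slides:
#   $tmp = $_COOKIE['tmp']; $obj = unserialize($tmp); echo $obj->data;
MAIN = [
    ("assign", "$tmp", ("source", "$_COOKIE")),
    ("assign", "$obj", ("call", "unserialize", "$tmp")),
    ("sink", "echo", ("prop", "$obj", ["data"])),
]

# Constructed IR of the gadget classes from the slides.
# ("method_call", receiver_expr, method) / ("sink", function, argument_expr)
CLASSES = {
    "File": {"__destruct": [("method_call", ("prop", "$this", ["handler"]), "close")]},
    "Process": {"close": [("sink", "system", ("prop", "$this", ["pid"]))]},
    "Database": {"close": [("sink", "mysql_close", ("prop", "$this", ["db"]))]},
}


def resolves_to_user_input(stmts, index, var):
    """Backwards-directed taint analysis: walk up from `index` to the
    definition of `var` and follow it until a source is (not) reached."""
    for j in range(index - 1, -1, -1):
        kind, target, expr = stmts[j]
        if kind == "assign" and target == var:
            if expr[0] == "source":
                return True
            if expr[0] == "call":  # e.g. $tmp = trim($other): follow the argument
                return resolves_to_user_input(stmts, j, expr[2])
            return False
    return False


def detect_poi(stmts):
    """Report every unserialize() whose argument resolves to user input;
    the assigned variable is returned as a tainted object."""
    tainted = {}
    for i, (kind, target, expr) in enumerate(stmts):
        if kind == "assign" and expr[:2] == ("call", "unserialize"):
            if resolves_to_user_input(stmts, i, expr[2]):
                tainted[target] = "PHP Object Injection"
    return tainted


def propagate_forward(stmts, tainted):
    """Propagate tainted objects forward into sinks (e.g. the XSS on the slide)."""
    findings = []
    for kind, name, expr in stmts:
        if kind == "sink" and name in SINKS and expr[0] == "prop" and expr[1] in tainted:
            findings.append((SINKS[name], expr[1] + "->" + "->".join(expr[2])))
    return findings


def sensitive_properties(cls, method, visited=frozenset()):
    """Inter-procedural analysis of one method: property paths (relative to
    $this) whose values reach a sensitive sink, with the resulting vuln type."""
    if (cls, method) in visited:
        return []  # recursion guard for cyclic method calls
    visited = visited | {(cls, method)}
    result = []
    for kind, a, b in CLASSES.get(cls, {}).get(method, []):
        if kind == "sink" and a in SINKS and b[0] == "prop":
            result.append((b[2], SINKS[a]))
        elif kind == "method_call":
            # Unknown receiver: combine the results of every class implementing
            # the called method and prefix them with the receiver's property path.
            for other, methods in CLASSES.items():
                if b in methods:
                    for path, vuln in sensitive_properties(other, b, visited):
                        result.append((a[2] + path, vuln))
    return result


def detect_pop_chains(tainted):
    """Apply the sensitive properties of every magic method to each tainted
    object; a tainted receiver yields a POP chain attached to the POI report."""
    chains = []
    for obj in tainted:
        for cls, methods in CLASSES.items():
            for method in methods:
                if method.startswith("__"):
                    for path, vuln in sensitive_properties(cls, method):
                        chains.append((vuln, f"{cls}::{method}", obj + "->" + "->".join(path)))
    return chains


if __name__ == "__main__":
    pois = detect_poi(MAIN)
    print("POI:", pois)
    print("first-order:", propagate_forward(MAIN, pois))
    print("POP chains:", detect_pop_chains(pois))
```

Database::close() yields no sensitive property because mysql_close() is not in the sink table, so only the Process branch of the unknown receiver survives the combination step, giving the single chain `$obj->handler->pid` reported as Remote Command Execution on top of the POI finding.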
46
5.9 Examples

| Software | Version | Vulnerability detected by RIPS |
|---|---|---|
| Joomla | 3.3.4 | PHP Object Injection |
| Magento | 1.9.0.1 | PHP Object Injection |
| Drupal | 7.34 | PHP Object Injection |
47
6. Conclusion
● Requirements for SCA tools changed
  ● Diverse language features
  ● Applied security mechanisms
  ● Complex vulnerability types
  ● Growing code size
● SCA can automate bug detection
  ● Quickly identify traditional vulnerabilities
  ● Combine multiple bugs to detect complex bugs
  ● Challenges for frameworks (reflection, template engines)
48
We are looking for PHP experts and UI designers.
Join us in building the superior PHP security analysis tool.