Transcript of Using Z-Ray for Lightning Fast Security Analysis
Using Z-Ray for Lightning Fast Security Analysis
Martin Bednorz, ZendCon Las Vegas 2018
Introduction
● 10+ years of web development experience
● IT security background
○ Web application security
○ Incremental static code analysis
● CTO / Co-Founder RIPS Technologies
○ Static code analysis for security with a strong focus on PHP
Usual Workflow
Improved Workflow
Idea: Combine runtime information with static code analysis
Static Code Analysis
Simplified Approach
Transform code into abstract syntax tree (AST)
$cookie = $_COOKIE['text'];
AST for this statement:
Assign
  var: $cookie (variable)
  expr: $_COOKIE['text'] (array dim)
    array: $_COOKIE
    dim: 'text' (string)
Simplified Approach
Split AST into basic blocks
● Analyze data flow within each basic block
● Summarize data flow in block and function summaries
Connect basic blocks to a control flow graph
Perform backwards-directed taint analysis for each sensitive sink
Context-Sensitive Taint Analysis
$id = $_POST['id'];
if (...) {
    $id = (int)$id;
} else {
    $id = htmlentities($id);
}
echo "<div id='$id'>...";
Variable $id is used in a sensitive sink (the echo).
Markup context: HTML attribute, single-quoted
Path through (int)$id: sanitized, integer only. No further actions required.
Path through htmlentities($id): sanitizes only " < >
Vulnerable: all user input is allowed except the characters stated above.
Results
● WordPress RCE
● Magento RCE
● Joomla! LDAP injection
● Moodle RCE
● wooCommerce PHP Object Injection
● Roundcube RCE
● phpMyAdmin RCE
● …
Visit ripstech.com/vulndb for more
Performance
WordPress (333 KLOC): 13 min
Magento (2.4 MLOC): 30 min
Joomla! (722 KLOC): 11 min
Moodle (2.2 MLOC): 39 min
Lightning fast compared to other SAST solutions whose scans take 8 hours or 1 week.
Incremental Analysis
● State-of-the-art: static analysis of only the code that changed
● Problem: a function definition changes
○ All call sites need reanalysis
○ If that function is called from another function, the caller needs reanalysis as well
○ Changes to global variables
○ ...
● Average of only 50% scan time improvement in our experiments
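To show why "only the code that changed" is rarely enough, here is an added example (not from the talk or from RIPS) that computes the reanalysis set for the three cases listed above: the changed function, its transitive callers, and every reader of a changed global. The call graph, the global-variable table and all function names are constructed sample data.

```python
from collections import deque

# Constructed call graph: caller -> callees (hypothetical plugin-style layout)
CALLS = {
    "main": ["render_page", "handle_form"],
    "render_page": ["get_option", "esc_attr_helper"],
    "handle_form": ["save_option", "get_option"],
    "save_option": ["db_query"],
    "get_option": ["db_query"],
    "db_query": [],
    "esc_attr_helper": [],
    "unrelated_cron": ["db_query"],
}
# Constructed table: function -> global variables it reads
READS_GLOBAL = {"render_page": {"$wpdb"}, "unrelated_cron": {"$wpdb"}}

def reverse_graph(calls):
    """callee -> set of callers, so we can walk upwards from a change."""
    rev = {f: set() for f in calls}
    for caller, callees in calls.items():
        for callee in callees:
            rev.setdefault(callee, set()).add(caller)
    return rev

def reanalysis_set(changed_funcs=(), changed_globals=(), calls=CALLS):
    """Functions whose summaries must be recomputed after a change: the
    changed functions, all of their transitive callers, and every function
    that reads a changed global (plus that reader's transitive callers)."""
    rev = reverse_graph(calls)
    todo = deque(changed_funcs)
    for func, globs in READS_GLOBAL.items():
        if globs & set(changed_globals):
            todo.append(func)
    seen = set()
    while todo:                      # BFS over the reversed call graph
        f = todo.popleft()
        if f in seen:
            continue
        seen.add(f)
        todo.extend(rev.get(f, ()))
    return seen

def reanalysis_ratio(**kw):
    """Fraction of all functions that a change forces back into the scan."""
    return len(reanalysis_set(**kw)) / len(CALLS)
```

Changing a leaf such as the constructed db_query pulls 7 of the 8 functions back into the scan, which is the effect behind the modest 50% average above.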
Boost Code Analysis with Z-Ray
Z-Ray
● Available with Zend Server
● Runtime (dynamic) analysis
● Deep insights into your PHP application
○ Inspect
○ Debug
○ Optimize
● Many plugins and extensions available
Execution Times
Database Query Information
Application-Specific Information
Stacktrace
Stacktrace - Used Files
// index.php
include('functions.php');
switch ($_GET['page']) {
    case 'a': include('page_a.php'); break;  // break added so each page includes only its own files
    case 'b': include('page_b.php'); break;
}

// page_a.php
do_something();

// page_b.php
include('export.php');
do_something_export();

index.php?page=a
Used files: index.php, functions.php, page_a.php
index.php?page=b
Used files: index.php, functions.php, page_b.php, export.php
Request Information
Request Information - Performance
admin();
user();
guest();
Example
$id = $_POST['id'];
if (...) {
    $id = (int)$id;
} else {
    $id = htmlentities($id);
}
echo "<div id='$id'>...";
With the runtime information for the analyzed request, only the executed branch remains in the data flow:
$id = $_POST['id'];
$id = (int)$id;
echo "<div id='$id'>...";
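As an added example (not code from the talk or from RIPS), here is a toy Python model of the backwards, context-sensitive taint analysis from the Context-Sensitive Taint Analysis slides, extended with the executed-line pruning this Example shows. The sanitizer table, the markup-context table, the statement encoding and the executed-lines set (standing in for Z-Ray's runtime data) are all assumptions.

```python
from dataclasses import dataclass

# Sanitizer model from the slide: characters each one neutralises. None means
# the value becomes an integer and is safe in any markup context.
SANITIZERS = {"(int)": None, "htmlentities": {'"', "<", ">"}}
# Characters that must be neutralised before tainted data may reach a sink in
# the given markup context (constructed table; only the contexts used here).
CONTEXTS = {
    "html_attr_single_quoted": {"'", "<", ">"},
    "html_attr_double_quoted": {'"', "<", ">"},
}

@dataclass
class Stmt:
    line: int
    kind: str           # "source", "sanitize" or "sink"
    var: str
    func: str = ""      # sanitizer name when kind == "sanitize"
    context: str = ""   # markup context when kind == "sink"

# Control flow of the slide's snippet: source on line 1, the two branches on
# lines 3 and 5, the echo into a single-quoted attribute on line 7.
SOURCE = Stmt(1, "source", "$id")
BRANCH_INT = Stmt(3, "sanitize", "$id", func="(int)")
BRANCH_HTML = Stmt(5, "sanitize", "$id", func="htmlentities")
SINK = Stmt(7, "sink", "$id", context="html_attr_single_quoted")
PATHS = [[SOURCE, BRANCH_INT, SINK], [SOURCE, BRANCH_HTML, SINK]]

def analyse_path(path):
    """Walk backwards from the sink; return a finding dict or None."""
    sink = path[-1]
    needed = set(CONTEXTS[sink.context])
    for stmt in reversed(path[:-1]):
        if stmt.var != sink.var:
            continue
        if stmt.kind == "sanitize":
            neutralised = SANITIZERS[stmt.func]
            if neutralised is None:
                return None          # integer cast: nothing left to escape
            needed -= neutralised
        elif stmt.kind == "source" and needed:
            return {"source_line": stmt.line, "sink_line": sink.line,
                    "unescaped": sorted(needed)}
    return None

def analyse(executed_lines=None):
    """All findings; given Z-Ray-style executed lines, keep only taken paths."""
    paths = PATHS if executed_lines is None else [
        p for p in PATHS if all(s.line in executed_lines for s in p)]
    return [f for f in map(analyse_path, paths) if f]
```

A full scan reports the htmlentities path because the single quote is never neutralised, while a request that took the (int) branch yields no finding; the untaken branch is simply not checked for that request, which is the trade-off the Pitfall slides below discuss.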
Pitfall
// ...
if (!isset($_SESSION['id'])) {
    $_SESSION['id'] = select_id();
}
select_from_db($_SESSION['id']);

After reduction:
// ...
$_SESSION['id'] = select_id();
select_from_db($_SESSION['id']);
Request Information - Verification
http://mysite.com/search?category=book
http://mysite.com/search?category=book&t=
http://mysite.com/search?category=book&t=<script>alert(1);</script>
http://mysite.com/search?category=book&t=' onclick='alert(1);'
Prototype
● Integrate into the already available Zend Server plugin
○ Zend Server UI plugin
○ Scan deployed applications or virtual hosts
○ Full scans only
● Zend Server Z-Ray plugin
○ Scan single requests
○ Implement the most significant performance optimizations

Architecture (diagram): Zend Server Plugin with UI, Z-Ray, Z-Ray API and Static Code Analysis components
● Add Z-Ray component to our plugin
○ Access data via the Z-Ray API
○ Run first batch of optimizations
● Send relevant source code to static code analysis tool
● Extend taint analysis with data provided by Z-Ray
Prototype Implementation
● Full scan
○ ~2.4M lines of code
○ ~30 minutes scan time
● QuickScan
○ ~70k lines of code
○ ~1 minute scan time
● Can still be greatly improved
Demo
Conclusion
● Lightning fast security analysis for single requests
● Verify patches or single components much quicker
○ Allows for a workflow similar to tests
● Still some work required
○ Improve taint analysis with runtime information
○ Fix some of the pitfalls
Thank you!
Any questions?