injection angriffe szenarien analyseans tze gegenma
play

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und - PowerPoint PPT Presentation

Oct 12, 2022 •573 likes •894 views

Injection-Angriffe: Szenarien, Analyseanstze, Gegenmanahmen und Erfahrungen aus der Praxis Dr. Alexander von Rhein Alexander von Rhein Research Software Verification Software-Product-Line Analysis Taint-Analysis Consulting Software

  1. Injection-Angriffe: Szenarien, Analyseansätze, Gegenmaßnahmen und Erfahrungen aus der Praxis Dr. Alexander von Rhein

  2. Alexander von Rhein Research Software Verification Software-Product-Line Analysis Taint-Analysis Consulting Software Development Quality-Assessment & Quality-Controlling      Free for Research & Open Source Projects

  3. Security Threat: System Command Injection source sink rm -rf

  4. Most Common Security Threats in SAP Systems Code execution Cross-client access Directory traversal Database modification Authentication flaws Open SQL injection Injection/leak attacks      

  5. Security Situation in SAP systems 83% Forbes 500 companies use SAP (mainly ERP systems) Customization [Business Risk Illustration, Onapsis]    SAP systems are extended with custom code written in ABAP  In-house, closed-world development

  6. Analysis View – Closed World System Source (Report Parameter) Sinks source   sink  System-Commands  CALL ‘SYSTEM‘ ID ‘COMMAND‘  Directory Traversal  OPEN DATASET  ABAP Program Generation  INSERT REPORT  GENERATE SUBROUTINE POOL  Loop iteration limits  DO input TIMES. … ENDDO.  … 21 pattern in total

  7. ABAP in 1 minute Object, can be Parameter of the report invoked by user Class declaration Class implementation „Main method“ of the report

  8. Analysis View – Closed World System Source (Report Parameter) Sinks source   sink  System-Commands  CALL ‘SYSTEM‘ ID ‘COMMAND‘  Directory Traversal  OPEN DATASET  ABAP Program Generation  INSERT REPORT  GENERATE SUBROUTINE POOL  Loop iteration limits  DO input TIMES. … ENDDO.  … 21 pattern in total

  9. Simple Security Threat Scenario  Data Injection Data Leak SAP ERP Database

  10. Trivial Checks for Deprecated Sinks Local analysis (typically method level) Fast Here: Based on discouraged statements   

  11. Taint-Propagation Analysis z = x + y    z x y z x y = 1, z = 2 to unsecure statements Detailed taint-propagation analysis   Requires much more time and memory  Data-flow analysis  Tracks user input source sink 1 source 2 3 sink

  12. Global inter-procedural taint-propagation analysis Complex data flow Large, active code bases source  1  Crossing method boudaries  Multiple files   Incremental analysis 3 sink 5 4 2

  13. 1659 LOC / 1301 SLOC

  14. Findings im Benchmark Trivial Checks Taint Analysis   12.943 yellow findings  24.555 red findings   7.251 taint-analysis findings  Some methods (2%) had to be ignored (cycles, complexity)

  15. Performance Performance benchmark 3 hours initial analysis time Analysis time for single commit depends on number of „touched“ methods   12.600.000 source lines of code from customers  Some projects use git, so they have actually more code  with 270.000 methods    Typically few seconds

  17. Beyond ABAP ABAP Java, C#, …   Closed world  Client/Server setting  Database and Server-Filesystem are typically trusted  Entropy of identifiers (method names, variable names) is high   No closed-world scenario  Who defines the taint sources and sinks?  More use of high-level programming (inheritance, lambdas, …)  Many similar variable and method names

  18. Code Test Results cmocka Test Results Reviews GCOV Test Coverage Static Analysis Version History Models Issues Code Reviews Coverage Test Analysis Static Models History Version … and many more. Issue Trackers

  19. Models Software Intelligence Code Version History Static Analysis Test Coverage Reviews Issues Test Results

  20. Does our Version Issues Reviews Coverage Test Analysis Static History Code system leak Software Intelligence Models tests? gaps in my Where are data? confidential Test Results

  21. GUI.Base GUI.Dialogs Authentication UI Controls Data Validation

  22. • = Modified & untested • = Added & untested • = Unchanged

  23. Does our Code Issues Reviews Coverage Test Analysis Static History Version Software Intelligence system leak Models used? is actually Which code tests? gaps in my Where are data? confidential Test Results

  25. Does our Models Issues Reviews Coverage Test Analysis Static History Version Code Software Intelligence monopolies? system leak head- Are there used? is actually Which code tests? gaps in my Where are data? confidential Test Results

  26. Einarbeitung abgebrochen Neues Team Knowledge-Transfer

  27. Which Software Intelligence components are most error-prone? Do we discover errors early enough? Models Code monopolies? Version History Static Analysis Test Coverage Reviews Issues Which head- changes code? have not been reviewed? Is our architecture in conformance with the Does our Are there system leak confidential data? Where are gaps in my tests? Which code is actually used? Test Results

  28. www.cqse.eu/de/ressourcen/blog/

  29. Conclusion Static analysis can find many attack scenarios at development time. Security attacks are often injection/leak attacks. (Near) real-time feedback is vital for acceptance. Our solution is incremental analysis. Wanted: Evaluation partners for security analyses (and teamscale in general).

  30. Kontakt Dr. Alexander von Rhein · rhein@cqse.eu · +49 159 04517754 @alexvonrhein www.cqse.eu/en/blog CQSE GmbH Centa-Hafenbrädl-Straße 59 81249 München

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore Integrity Network Meeting. Calgary Alberta May 14, 2009 Agenda Wellbore integrity Well design with annular integrity Well design without

443 views • 22 slides
Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits Unit February, 2019 1 Railroad Commission of Texas | June 27, 2016 (Change Date In First Master Slide) Session Overview Overview: UIC Online

1.01k views • 79 slides
Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

1S-1 An Automatic Place-and-Routed Two- Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro Ueno, Teerachot Siriburanon, Satoshi Kondo, Kenichi Okada, and Akira Matsuzawa Tokyo Institute of

423 views • 10 slides
NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for market expectations Modern cars Demanding users Workshop time saving KME trademark Major assumptions of NEVO system Simple Quick to

222 views • 21 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

HIGH QUALITY INJECTION www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL PARTS. INJECTION MOLDING OF MISCELLANEOUS THERMOPLASTICS. HIGH QUALITY INJECTION MAIN OBJECTIVE: PERFORMANCE BASED ON

745 views • 33 slides
CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 31, 2016 at 12:21 CS327E SQL Injection Slideset: 1 SQL Injection What Id Like

440 views • 39 slides
Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web

Andromeda: XSS Accurate and Scalable Security Attackers evil script Analysis of Web Applications Web Application <SCRIPT>...</SCRIPT> Attackers evil script executed using victims credentials Omer Tripp Marco

410 views • 6 slides
Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of

Static analysis for exploitable vulnerability detection Marie-Laure Potet VERIMAG University of Grenoble September 2014 Static analysis for exploitable vulnerability detection 1/43 Outline 1 Context Vulnerability detection process Static

546 views • 43 slides
Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

Kaestner: Tax, Estate Planning, and Trust Administration Implications By: Jonathan G.

7/1/2019 Kaestner: Tax, Estate Planning, and Trust Administration Implications Handout materials are available for download or printing on the HANDOUT TAB on the gotowebinar console. If the tab is not open click on that tab to open it and

278 views • 23 slides
A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE

A Characterization of State Spill in Modern OSes Kevin Boos Emilio Del Vecchio Lin Zhong ECE Department, Rice University EuroSys 2017 How do we deal with complexity? 2 Modularization complex 1 2 3 4 system 3 Modularization 1

672 views • 26 slides
Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina

Andrubis 1,000,000 Apps Later A View on Current Android Malware Behaviors Martina Lindorfer, Matthias Neugschwandtner, Lukas Weichselbaum, Yanick Fratantonio, Victor van der Veen, Christian Platzer Vienna University of

425 views • 31 slides
QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias

QuantDroid: Quantitative Approach towards Mitigating Privilege Escalation on Android Tobias Markmann 1 Dennis Gessner 2 Dirk Westhoff 3 1 HAW Hamburg, Germany 2 NEC Laboratories Europe, Heidelberg, Germany 3 HFU Furtwangen, Germany IEEE ICC 2013

735 views • 25 slides
Organiza)onal Privilege & Organiza)onal Insiders

Organiza)onal Privilege & Organiza)onal Insiders

Organiza)onal Privilege & Organiza)onal Insiders Kathleen Clark AALS New Orleans January 5, 2013 Lawyers Represen)ng Whistleblowers

546 views • 37 slides
SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen

SystemSupportforCustom SpeculationPolicies BenjaminWester,PeterM.Chen UniversityofMichigan SOSP2009 Overview App App Policy App Policy Speculation Infrastructure Mechanism

891 views • 5 slides

More recommend