Injection-Angriffe: Szenarien, Analyseansätze, Gegenmaßnahmen und Erfahrungen aus der Praxis (Injection Attacks: Scenarios, Analysis Approaches, Countermeasures and Experiences from Practice)



SLIDE 1

Injection-Angriffe: Szenarien, Analyseansätze, Gegenmaßnahmen und Erfahrungen aus der Praxis (Injection Attacks: Scenarios, Analysis Approaches, Countermeasures and Experiences from Practice)

  • Dr. Alexander von Rhein
SLIDE 2

Alexander von Rhein

Research

  • Software Verification
  • Software-Product-Line Analysis
  • Taint-Analysis

Consulting

  • Software Development
  • Quality-Assessment & Quality-Controlling

Free for Research & Open Source Projects

SLIDE 3

Security Threat: System Command Injection

[Diagram: user input flows from a source to a sink, where it ends up in a system command such as `rm -rf`]

SLIDE 4

Most Common Security Threats in SAP Systems

  • Code execution
  • Cross-client access
  • Directory traversal
  • Database modification
  • Authentication flaws
  • Open SQL injection

(Grouped on the slide as injection/leak attacks.)

SLIDE 5

Security Situation in SAP systems

  • 83% of Forbes 500 companies use SAP (mainly ERP systems)
  • Customization
    • SAP systems are extended with custom code written in ABAP
    • In-house, closed-world development

[Business Risk Illustration, Onapsis]

SLIDE 6

Analysis View – Closed World System

  • Source (Report Parameter)
  • Sinks
    • System commands: CALL 'SYSTEM' ID 'COMMAND'
    • Directory traversal: OPEN DATASET
    • ABAP program generation: INSERT REPORT, GENERATE SUBROUTINE POOL
    • Loop iteration limits: DO input TIMES. … ENDDO.
    • … 21 patterns in total

[Diagram: data flow from source to sink]

SLIDE 7

ABAP in 1 minute

[Annotated ABAP report; the callouts on the slide read:]

  • Object, can be invoked by user
  • Parameter of the report
  • "Main method" of the report
  • Class declaration
  • Class implementation

SLIDE 8

(Repeat of slide 6: Analysis View – Closed World System.)

SLIDE 9

Simple Security Threat Scenario

[Diagram: SAP ERP system with its database; arrows labelled "Data Injection" (into the system) and "Data Leak" (out of it)]

SLIDE 10

Trivial Checks for Deprecated Sinks

  • Local analysis (typically method level)
    • Fast
  • Here: based on discouraged statements
SLIDE 11

Taint-Propagation Analysis

  • Detailed taint-propagation analysis
    • Requires much more time and memory
  • Data-flow analysis
    • Tracks user input to insecure statements

[Diagram: two taint-propagation examples over the variables y, x, z, with x as source and z as sink; the numbered statements are y = 1, z = 2 (left) and z = x + y (right)]
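The two analysis levels of slides 10 and 11 side by side, as an added example that is not code from the talk or from Teamscale: a trivial check flags every discouraged statement, while the taint propagation reports a sink only when a report parameter actually reaches its operand (assignments propagate taint, assigning a constant kills it). The one-statement-per-period grammar, the sink regexes and the ABAP-style sample report are simplifications assumed here.

```python
import re

# Constructed ABAP-style report (sample input, not code from the talk). The
# parameter p_file reaches CALL 'SYSTEM'; the OPEN DATASET path is a constant.
SAMPLE = """
PARAMETERS p_file TYPE string.
DATA lv_cmd TYPE string.
DATA lv_path TYPE string.
lv_cmd = 'ls ' && p_file.
lv_path = '/tmp/static'.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd.
OPEN DATASET lv_path FOR OUTPUT IN TEXT MODE ENCODING DEFAULT.
"""

# Sink patterns named on the slides; group 1 is the operand whose taint matters.
SINKS = {
    "system command": re.compile(r"^CALL 'SYSTEM' ID 'COMMAND' FIELD (\w+)", re.I),
    "directory traversal": re.compile(r"^OPEN DATASET (\w+)", re.I),
    "program generation": re.compile(r"^(?:INSERT REPORT|GENERATE SUBROUTINE POOL) (\w+)", re.I),
}
PARAM = re.compile(r"^PARAMETERS (\w+)", re.I)  # report parameter = taint source
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")

def parse(src):
    """Split ABAP source into statements (text up to each terminating period)."""
    return [s.strip() for s in src.split(".") if s.strip()]

def trivial_check(stmts):
    """Local check: flag every discouraged statement, ignoring data flow."""
    return [(i, kind) for i, s in enumerate(stmts, 1)
            for kind, pat in SINKS.items() if pat.match(s)]

def taint_analysis(stmts):
    """Propagate taint from report parameters through assignments to sinks."""
    tainted, findings = set(), []
    for i, s in enumerate(stmts, 1):
        if m := PARAM.match(s):
            tainted.add(m.group(1).lower())
        elif m := ASSIGN.match(s):
            lhs, rhs = m.group(1).lower(), re.sub(r"'[^']*'", "", m.group(2))
            if {t.lower() for t in re.findall(r"\w+", rhs)} & tainted:
                tainted.add(lhs)
            else:
                tainted.discard(lhs)  # overwritten with untainted data: kill
        else:
            for kind, pat in SINKS.items():
                m = pat.match(s)
                if m and m.group(1).lower() in tainted:
                    findings.append((i, kind, m.group(1)))
    return findings
```

On the sample, the trivial check yields two findings and the taint analysis only the system command, which is the difference between the yellow/red counts and the taint findings reported on slide 14.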

SLIDE 12

Global inter-procedural taint-propagation analysis

  • Complex data flow
    • Crossing method boundaries
    • Multiple files
  • Large, active code bases
    • Incremental analysis

[Diagram: a data flow through five numbered methods from source to sink]

SLIDE 13

[Code screenshot labelled: 1659 LOC / 1301 SLOC]

SLIDE 14

Findings in the Benchmark

  • Trivial checks
    • 12.943 yellow findings
    • 24.555 red findings
  • Taint analysis
    • 7.251 taint-analysis findings
    • Some methods (2%) had to be ignored (cycles, complexity)
SLIDE 15

Performance

  • Performance benchmark
    • 12.600.000 source lines of code from customers
    • Some projects use git, so they actually have more code
    • with 270.000 methods
  • 3 hours initial analysis time
  • Analysis time for a single commit depends on the number of "touched" methods
    • Typically a few seconds
SLIDE 16
SLIDE 17

Beyond ABAP

  • ABAP
    • Closed world
    • Client/server setting
    • Database and server file system are typically trusted
    • Entropy of identifiers (method names, variable names) is high
  • Java, C#, …
    • No closed-world scenario
    • Who defines the taint sources and sinks?
    • More use of high-level programming (inheritance, lambdas, …)
    • Many similar variable and method names
SLIDE 18

[Diagram: data sources around the Code: Version History, Models, Static Analysis, Test Coverage (e.g. GCOV), Reviews, Issues (issue trackers), Test Results (e.g. cmocka) … and many more]

SLIDE 19

[Diagram: Software Intelligence drawing on Code, Models, Version History, Static Analysis, Test Coverage, Reviews, Issues and Test Results]

SLIDE 20

  • Does our system leak confidential data?
  • Where are the gaps in my tests?

[Diagram: Software Intelligence drawing on Code, Models, Version History, Static Analysis, Test Coverage, Reviews, Issues and Test Results]

SLIDE 21

[Architecture diagram with the components GUI.Base, GUI.Dialogs, Authentication, UI Controls and Data Validation]

SLIDE 22
Legend (coloured markers on the slide):

  • Modified & untested
  • Added & untested
  • Unchanged
SLIDE 23

  • Does our system leak confidential data?
  • Where are the gaps in my tests?
  • Which code is actually used?

[Diagram: Software Intelligence drawing on Code, Models, Version History, Static Analysis, Test Coverage, Reviews, Issues and Test Results]

SLIDE 24
SLIDE 25

  • Does our system leak confidential data?
  • Where are the gaps in my tests?
  • Which code is actually used?
  • Are there head monopolies (knowledge held by a single person)?

[Diagram: Software Intelligence drawing on Code, Models, Version History, Static Analysis, Test Coverage, Reviews, Issues and Test Results]

SLIDE 26

[Diagram labels: onboarding aborted, new team, knowledge transfer]

SLIDE 27

  • Which changes have not been reviewed?
  • Is our architecture in conformance with the code?
  • Does our system leak confidential data?
  • Where are the gaps in my tests?
  • Which code is actually used?
  • Are there head monopolies (knowledge held by a single person)?
  • Which components are most error-prone?
  • Do we discover errors early enough?

[Diagram: Software Intelligence drawing on Code, Models, Version History, Static Analysis, Test Coverage, Reviews, Issues and Test Results]

SLIDE 28

www.cqse.eu/de/ressourcen/blog/

SLIDE 29

Conclusion

  • Static analysis can find many attack scenarios at development time.
  • Security attacks are often injection/leak attacks.
  • (Near) real-time feedback is vital for acceptance.
  • Our solution is incremental analysis.
  • Wanted: evaluation partners for security analyses (and Teamscale in general).

SLIDE 30

Contact

  • Dr. Alexander von Rhein · rhein@cqse.eu · +49 159 04517754

  • @alexvonrhein · www.cqse.eu/en/blog
  • CQSE GmbH, Centa-Hafenbrädl-Straße 59, 81249 München