Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz - - PowerPoint PPT Presentation

SLIDE 1

Using Z-Ray for Lightning Fast Security Analysis

Martin Bednorz ZendCon Las Vegas 2018

SLIDE 2

Introduction

  • 10+ years of web development experience
  • IT security background
    ○ Web application security
    ○ Incremental static code analysis
  • CTO / Co-Founder RIPS Technologies
    ○ Static code analysis for security with strong focus on PHP

SLIDE 3

Usual Workflow

SLIDE 4

Usual Workflow

SLIDE 5

Usual Workflow

SLIDE 6

Improved Workflow

SLIDE 7

Improved Workflow


Idea: Combine runtime information with static code analysis

SLIDE 8

Static Code Analysis

SLIDE 9

Simplified Approach

Transform code into abstract syntax tree (AST)

SLIDE 10

Simplified Approach

Transform code into abstract syntax tree (AST)


$cookie = $_COOKIE['text'];

SLIDE 11

Simplified Approach

Transform code into abstract syntax tree (AST)


$cookie = $_COOKIE['text'];

SLIDE 12

Simplified Approach

Transform code into abstract syntax tree (AST)


$cookie = $_COOKIE['text'];

Abstract syntax tree of the statement:

Assign
├── var:  Variable ($cookie)
└── expr: Array (dimension fetch)
          ├── var: $_COOKIE
          └── dim: String ('text')

SLIDE 13

Simplified Approach

Split AST into basic blocks

SLIDE 14

Simplified Approach

Split AST into basic blocks

  • Analyze data flow within each basic block

SLIDE 15

Simplified Approach

Split AST into basic blocks

  • Analyze data flow within each basic block
  • Summarize data flow in block and function summaries

SLIDE 16

Simplified Approach

Connect basic blocks to a control flow graph

SLIDE 17

Simplified Approach

Perform backwards-directed taint analysis for each sensitive sink

SLIDE 18

Simplified Approach

Perform backwards-directed taint analysis for each sensitive sink

SLIDE 19

Context-Sensitive Taint Analysis

$id = $_POST['id'];
if (...) {
    $id = (int)$id;
} else {
    $id = htmlentities($id);
}
echo "<div id='$id'>...";


SLIDE 20

Context-Sensitive Taint Analysis



Basic blocks of the snippet, connected to a control flow graph:

            $id = $_POST['id'];
             /               \
  $id = (int)$id;      $id = htmlentities($id);
             \               /
         echo "<div id='$id'>...";

SLIDE 21

Context-Sensitive Taint Analysis


echo "<div id='$id'>...";
    → Variable $id is used in a sensitive sink
    → Markup context: HTML attribute, single-quoted

SLIDE 22

Context-Sensitive Taint Analysis


$id = (int)$id;
    → Sanitized: integer only. No further actions required.

SLIDE 23

Context-Sensitive Taint Analysis


$id = htmlentities($id);
    → Sanitizes only: " < >

SLIDE 24

Context-Sensitive Taint Analysis


$id = htmlentities($id);
    → Sanitizes only: " < >
    → Vulnerable: all user input allowed except the characters stated above
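Slides 13 to 24 describe the analysis steps: basic blocks, a control flow graph, backwards taint tracking from each sensitive sink, and a context-sensitive check of the sanitizer against the markup context of the sink. The Python program below is an added illustration written for this page, not code from the talk or from RIPS. It models the $id snippet as four basic blocks and runs a toy backwards taint analysis from the echo sink. The statement kinds, the sanitizer table and the markup-context table are assumptions chosen for the example; the htmlentities() model uses the pre-PHP-8.1 default flags the slide assumes (no ENT_QUOTES, so the single quote passes through unencoded).

```python
"""Toy backwards taint analysis over a hand-built control flow graph.

Models the slides' PHP snippet as four basic blocks, walks backwards from the
echo sink to the $_POST source and, on each path, checks whether the sanitizer
that was applied suffices for the sink's markup context (here a single-quoted
HTML attribute). Statement kinds, sanitizer table and context table are
assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Stmt:
    kind: str                        # "source", "sanitize" or "sink"
    var: str                         # variable written (or, for a sink, read)
    label: str                       # the PHP text, for reporting
    fn: str = ""                     # sanitizer name when kind == "sanitize"
    flags: frozenset = frozenset()   # sanitizer flags, e.g. {"ENT_QUOTES"}
    context: str = ""                # markup context when kind == "sink"


@dataclass
class Block:
    name: str
    stmts: list
    preds: list = field(default_factory=list)   # predecessor block names


# Characters that must stay unencoded for input to break out of each context.
BREAKOUT = {
    "html_text": {"<", ">"},
    "attr_double_quoted": {'"'},
    "attr_single_quoted": {"'"},
}


def encoded_chars(fn, flags):
    """Characters a sanitizer neutralises; None means the result is an integer."""
    if fn == "intcast":
        return None
    if fn == "htmlentities":
        # Without ENT_QUOTES only & " < > are encoded (the PHP < 8.1 default,
        # which is what the slides assume); ENT_QUOTES adds the single quote.
        chars = {"&", '"', "<", ">"}
        if "ENT_QUOTES" in flags:
            chars.add("'")
        return chars
    raise ValueError(f"unknown sanitizer: {fn}")


def trace_back(graph, block_name, stmts, var, suffix, visited):
    """Yield source..sink statement paths, walking the CFG backwards.

    `stmts` are the statements of `block_name` still to inspect (those before
    the position we came from); `suffix` holds the statements collected so
    far, sink first. A path is complete when a source for `var` is found.
    """
    for stmt in reversed(stmts):
        if stmt.var != var:
            continue
        suffix = suffix + [stmt]
        if stmt.kind == "source":
            yield list(reversed(suffix))
            return                       # the source ends the search here
        # a sanitizer redefines var from itself: keep walking backwards
    for pred in graph[block_name].preds:
        if pred not in visited:          # guards against loops in the CFG
            yield from trace_back(graph, pred, graph[pred].stmts, var,
                                  suffix, visited | {pred})


def verdict(path):
    """(vulnerable, reason) for one source..sink path."""
    sink = path[-1]
    needed = set(BREAKOUT[sink.context])
    for stmt in path[1:-1]:
        if stmt.kind != "sanitize":
            continue
        enc = encoded_chars(stmt.fn, stmt.flags)
        if enc is None:
            return False, f"{stmt.fn}: integer only, no further action required"
        needed -= enc
    if needed:
        return True, f"{sorted(needed)} reach the {sink.context} sink unencoded"
    return False, "all break-out characters are encoded"


def analyse(graph):
    """Run the backwards analysis for every sink; returns (route, vuln, reason)."""
    findings = []
    for name, block in graph.items():
        for i, stmt in enumerate(block.stmts):
            if stmt.kind != "sink":
                continue
            for path in trace_back(graph, name, block.stmts[:i], stmt.var,
                                   [stmt], {name}):
                vuln, reason = verdict(path)
                findings.append((" -> ".join(s.label for s in path), vuln, reason))
    return findings


def build_example(htmlentities_flags=frozenset()):
    """The slides' snippet as four basic blocks; B2/B3 are the if/else arms."""
    b1 = Block("B1", [Stmt("source", "$id", "$id = $_POST['id'];")])
    b2 = Block("B2", [Stmt("sanitize", "$id", "$id = (int)$id;", fn="intcast")],
               preds=["B1"])
    b3 = Block("B3", [Stmt("sanitize", "$id", "$id = htmlentities($id);",
                           fn="htmlentities", flags=htmlentities_flags)],
               preds=["B1"])
    b4 = Block("B4", [Stmt("sink", "$id", "echo \"<div id='$id'>...\";",
                           context="attr_single_quoted")], preds=["B2", "B3"])
    return {b.name: b for b in (b1, b2, b3, b4)}


if __name__ == "__main__":
    for flags in (frozenset(), frozenset({"ENT_QUOTES"})):
        print(f"htmlentities flags: {sorted(flags) or 'default'}")
        for route, vuln, reason in analyse(build_example(flags)):
            print(("  VULNERABLE  " if vuln else "  ok          ") + route)
            print("              " + reason)
```

Run as is, the (int) path is reported as sanitized and the htmlentities() path as vulnerable for the single-quoted attribute, which is the verdict on slide 24; with ENT_QUOTES both paths are safe, which is the hardening the context-sensitive check points at.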

SLIDE 25

Results

  • WordPress RCE
  • Magento RCE
  • Joomla! LDAP injection
  • Moodle RCE
  • WooCommerce PHP Object Injection
  • Roundcube RCE
  • phpMyAdmin RCE

Visit ripstech.com/vulndb for more

SLIDE 26

Performance


Application    Size        Scan time
WordPress      333 KLOC    13 min
Magento        2.4 MLOC    30 min
Joomla!        722 KLOC    11 min
Moodle         2.2 MLOC    39 min

SLIDE 27

Performance


Lightning fast compared to other SAST solutions, whose scans take 8 hours or 1 week.

SLIDE 28

Incremental Analysis


  • State-of-the-art: static analysis of only the code that changed
  • Problem: function definition changes
    ○ All call sites need reanalysis
    ○ If a function is called in a function, it needs reanalysis as well
    ○ Changes to global variables
    ○ ....
  • Average of only 50% scan time improvement in our experiments

SLIDE 29

Boost Code Analysis with Z-Ray

SLIDE 30

Z-Ray

  • Available with Zend Server
  • Runtime (dynamic) analysis
  • Deep insights into your PHP application
    ○ Inspect
    ○ Debug
    ○ Optimize
  • Many plugins and extensions available

SLIDE 31

Z-Ray

SLIDE 32

Execution Times

SLIDE 33

Database Query Information

SLIDE 34

Application-Specific Information

SLIDE 35

Stacktrace

SLIDE 36

Stacktrace - Used Files


// index.php
include('functions.php');
switch ($_GET['page']) {
    case 'a':
        include('page_a.php');
        break;
    case 'b':
        include('page_b.php');
        break;
}

// page_a.php
do_something();

// page_b.php
include('export.php');
do_something_export();

SLIDE 37

Stacktrace - Used Files

SLIDE 38

Stacktrace - Used Files


index.php?page=a

SLIDE 39

Stacktrace - Used Files


index.php?page=b

SLIDE 40

Stacktrace - Used Files

SLIDE 41

Request Information

SLIDE 42

Request Information - Performance

SLIDE 43

Request Information - Performance

SLIDE 44

Request Information - Performance

SLIDE 45

Request Information - Performance

SLIDE 46

Request Information - Performance

SLIDE 47

Request Information - Performance

SLIDE 48

Request Information - Performance


admin();
user();
guest();

SLIDE 49

Example

$id = $_POST['id'];
if (...) {
    $id = (int)$id;
} else {
    $id = htmlentities($id);
}
echo "<div id='$id'>...";


Full control flow graph:

            $id = $_POST['id'];
             /               \
  $id = (int)$id;      $id = htmlentities($id);
             \               /
         echo "<div id='$id'>...";

SLIDE 50

Example


SLIDE 51

Example


SLIDE 52

Example


Only the path executed by the request remains:

        $id = $_POST['id'];
                 |
        $id = (int)$id;
                 |
        echo "<div id='$id'>...";

SLIDE 53

Pitfall

// ...
if (!isset($_SESSION['id'])) {
    $_SESSION['id'] = select_id();
}
select_from_db($_SESSION['id']);

SLIDE 54

Pitfall


Reduced to the executed path:

// ...
$_SESSION['id'] = select_id();
select_from_db($_SESSION['id']);

SLIDE 55

Pitfall


SLIDE 56

Pitfall

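The "Pitfall" slides cut the session snippet down to what one request executed, and the conditional around the session write disappears in the reduced version. My reading of the slide is that the per-request view then no longer shows where $_SESSION['id'] came from when the value was written by an earlier request. The Python below is an added illustration for this page, not the talk's fix or prototype code: it performs that pruning for two constructed traces and flags reads of persistent storage that the pruned program never defines, so they can be handed to the full scan instead of being treated as harmless local values. The line model, the PERSISTENT list and the traces are assumptions made for this example.

```python
"""Prune a snippet to the lines one request executed, and flag what that loses.

The 'Pitfall' slides reduce the session snippet to what the observed request
ran. This example (an illustration built on assumptions, not the talk's fix)
performs that reduction and then reports reads of persistent variables that
the pruned program never defines: their value was written by a different
request, so a per-request view cannot know where it came from.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Line:
    no: int
    text: str
    defines: frozenset = frozenset()   # variables written on this line
    uses: frozenset = frozenset()      # variables read on this line
    structural: bool = False           # control structure without data flow of its own


SESSION_ID = "$_SESSION['id']"

# The slides' snippet, one entry per PHP line.
PROGRAM = [
    Line(1, "if (!isset($_SESSION['id'])) {", uses=frozenset({SESSION_ID}),
         structural=True),
    Line(2, "    $_SESSION['id'] = select_id();", defines=frozenset({SESSION_ID})),
    Line(3, "}", structural=True),
    Line(4, "select_from_db($_SESSION['id']);", uses=frozenset({SESSION_ID})),
]

# Storage that outlives a single request (list chosen for this example).
PERSISTENT = ("$_SESSION", "$_COOKIE")

# Constructed traces: the line numbers each request executed.
FIRST_VISIT = {1, 2, 3, 4}   # session empty: the assignment runs
LATER_VISIT = {1, 3, 4}      # session already set: line 2 is skipped


def prune(program, executed):
    """Keep only the data-flow lines the traced request executed."""
    return [ln for ln in program if ln.no in executed and not ln.structural]


def undefined_reads(pruned):
    """Variables read before any definition in the pruned program, in order."""
    defined, missing = set(), []
    for ln in pruned:
        for var in sorted(ln.uses):
            if var not in defined and var not in missing:
                missing.append(var)
        defined |= ln.defines
    return missing


def analyse_request(program, executed):
    """Return (pruned source lines, persistent reads with no definition here).

    A persistent variable that this request reads but never writes got its
    value from some other request. The pruned program cannot show that
    origin, so the read is reported for the full scan instead of being
    treated as a harmless local value.
    """
    pruned = prune(program, executed)
    cross_request = [v for v in undefined_reads(pruned) if v.startswith(PERSISTENT)]
    return [ln.text.strip() for ln in pruned], cross_request


if __name__ == "__main__":
    for name, trace in (("first visit", FIRST_VISIT), ("later visit", LATER_VISIT)):
        src, cross = analyse_request(PROGRAM, trace)
        print(f"{name}: pruned program = {src}")
        print(f"{name}: defined in another request = {cross or 'nothing'}")
```

For the first visit the pruned program is exactly the reduced code on the slide; for a later visit the pruned program consists of the database call alone, and $_SESSION['id'] is reported as defined outside this request.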

SLIDE 57

Request Information - Verification

SLIDE 58

Request Information - Verification


http://mysite.com/search?category=book

SLIDE 59

Request Information - Verification


http://mysite.com/search?category=book&t=

SLIDE 60

Request Information - Verification


http://mysite.com/search?category=book&t=<script>alert(1);</script>

SLIDE 61

Request Information - Verification


http://mysite.com/search?category=book&t=' onclick='alert(1);'

SLIDE 62

Prototype

  • Integrate into already available Zend Server plugin
    ○ Zend Server UI plugin
    ○ Scan deployed applications or virtual hosts
    ○ Full scans only
  • Zend Server Z-Ray plugin
    ○ Scan single requests
    ○ Implement the most significant performance optimizations

SLIDE 63

Prototype


Zend Server Plugin UI

SLIDE 64

Prototype


Zend Server Plugin UI → Z-Ray → Z-Ray API

  • Add Z-Ray component to our plugin
    ○ Access data via the Z-Ray API
    ○ Run first batch of optimizations

SLIDE 65

Prototype


Zend Server Plugin UI → Z-Ray → Z-Ray API → Static Code Analysis

  • Send relevant source code to static code analysis tool

SLIDE 66

Prototype


Zend Server Plugin UI → Z-Ray → Z-Ray API → Static Code Analysis → Z-Ray

  • Extend taint analysis with data provided by Z-Ray

SLIDE 67

Prototype Implementation

SLIDE 68

Prototype Implementation

  • Full scan
    ○ ~2.4M lines of code
    ○ ~30 minutes scan time
  • QuickScan
    ○ ~70k lines of code
    ○ ~1 minute scan time
  • Can still be greatly improved
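The "Used Files" slides (index.php including page_a.php or page_b.php depending on the request) and the QuickScan numbers above are the same idea: analyse only the code a request actually touched. The Python below is an added example for this page, not the prototype or the Zend Server plugin: it selects the QuickScan file set from a recorded per-request file list and adds two checks a practitioner wants, trace entries that lie outside the deployed tree and files that no recorded request ever executed (which only a full scan covers). The application tree, the line counts and the traces are constructed.

```python
"""Which files does one request touch, and what does a per-request scan miss?

Z-Ray lists the files a request included ("Used Files"); the prototype sends
only that code to the static analysis ("QuickScan") instead of the whole
application. This example reproduces that selection for the index.php /
page_a.php / page_b.php snippet from the slides and adds two checks: trace
entries outside the deployed tree, and files no recorded request executed.
Line counts and traces are constructed for this example.
"""

# Deployed application: path -> lines of code (constructed values).
APP_TREE = {
    "index.php": 12,
    "functions.php": 400,
    "page_a.php": 30,
    "page_b.php": 25,
    "export.php": 1500,
    "admin/users.php": 3000,
    "vendor/lib/Big.php": 60000,
}

# Files each request included, as a runtime trace would report them
# (constructed; the /tmp entry stands for an include from outside the tree).
TRACES = {
    "index.php?page=a": ["index.php", "functions.php", "page_a.php"],
    "index.php?page=b": ["index.php", "functions.php", "page_b.php",
                         "export.php", "/tmp/cache/compiled.php"],
}


def quickscan_files(trace, app_tree):
    """Split a trace into files inside the deployed tree and entries outside it.

    Entries outside the tree cannot be analysed from the deployment and would
    otherwise vanish silently, so they are reported rather than dropped.
    """
    inside = [f for f in trace if f in app_tree]
    outside = [f for f in trace if f not in app_tree]
    return inside, outside


def scan_sizes(trace, app_tree):
    """(lines a full scan analyses, lines a QuickScan of this request analyses)."""
    inside, _ = quickscan_files(trace, app_tree)
    return sum(app_tree.values()), sum(app_tree[f] for f in inside)


def uncovered_files(traces, app_tree):
    """Files no recorded request executed.

    Per-request scans never see them, so only a full scan covers them.
    """
    seen = set().union(*traces.values())
    return sorted(f for f in app_tree if f not in seen)


def coverage_report(traces, app_tree):
    """Per-request QuickScan size, also as a fraction of the full scan."""
    full = sum(app_tree.values())
    report = {}
    for request, trace in traces.items():
        inside, outside = quickscan_files(trace, app_tree)
        quick = sum(app_tree[f] for f in inside)
        report[request] = {"files": inside, "outside_tree": outside,
                           "loc": quick, "fraction_of_full": quick / full}
    return report


if __name__ == "__main__":
    for request, row in coverage_report(TRACES, APP_TREE).items():
        print(f"{request}: {row['loc']} LOC "
              f"({row['fraction_of_full']:.1%} of the full scan)")
        if row["outside_tree"]:
            print(f"  included from outside the deployed tree: {row['outside_tree']}")
    print("never executed by any recorded request:",
          uncovered_files(TRACES, APP_TREE))
```

The two extra checks are the caveats behind the speed-up: a QuickScan is only as complete as the request coverage behind it, and anything the runtime loaded from outside the deployment is not in the scanned source at all.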

SLIDE 69

Prototype Implementation


SLIDE 70

Prototype Implementation


SLIDE 71

Demo

SLIDE 72

Conclusion

  • Lightning fast security analysis for single requests
  • Verify patches or single components much quicker
    ○ Allows for a workflow similar to tests
  • Still some work required
    ○ Improve taint analysis with runtime information
    ○ Fix some of the pitfalls

SLIDE 73

Thank you!

Any questions?
