Injection Attacks: Scenarios, Analysis Approaches, Countermeasures and Lessons from Practice. Dr. Alexander von Rhein
About Alexander von Rhein. Research: software verification, software-product-line analysis, taint analysis. Consulting: software development, quality assessment & quality controlling. Free for research & open-source projects.
Security Threat: System Command Injection. (Diagram: user input flows from a source to a sink that executes the operating-system command rm -rf.)
Most Common Security Threats in SAP Systems: code execution, cross-client access, directory traversal, database modification, authentication flaws, Open SQL injection; most of these are injection or leak attacks.
Security Situation in SAP Systems: 83% of the Forbes 500 companies use SAP (mainly ERP systems) [Business Risk Illustration, Onapsis]. SAP systems are customized with custom code written in ABAP; this is in-house, closed-world development.
Analysis View – Closed-World System. Source: report parameter (user input). Sinks: system commands (CALL 'SYSTEM' ID 'COMMAND'), directory traversal (OPEN DATASET), ABAP program generation (INSERT REPORT, GENERATE SUBROUTINE POOL), loop iteration limits (DO input TIMES. … ENDDO.). 21 patterns in total.
ABAP in 1 Minute. (Annotated code slide: an object that can be a parameter of the report invoked by the user; class declaration; class implementation; the "main method" of the report.)
Simple Security Threat Scenario. (Diagram: data injection into and data leak out of the SAP ERP database.)
Trivial Checks for Deprecated Sinks: local analysis (typically at method level), fast. Here: based on discouraged statements.
Taint-Propagation Analysis: a data-flow analysis that tracks user input from source to sink (diagram: source → 1 → 2 → 3 → sink). Taint propagates through assignments such as z = x + y (if x or y is tainted, z is tainted) until it reaches an insecure statement. Detailed taint-propagation analysis requires much more time and memory than the trivial checks.
Global Inter-procedural Taint-Propagation Analysis: complex data flow crossing method boundaries and multiple files (diagram: source → 1 → 2 → 3 → 4 → 5 → sink); large, active code bases; therefore incremental analysis.
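The three analysis levels on the preceding slides (trivial sink checks, taint propagation through z = x + y, and inter-procedural propagation with incremental re-analysis) as one runnable toy, added here as an example; it is not code from the talk or from Teamscale. The ABAP-like intermediate representation, the method names (START-OF-SELECTION, run_os_command, read_file, repeat), the variable names and the sink kinds are constructed for illustration; only four of the 21 sink patterns are modelled.

```python
"""Toy inter-procedural taint-propagation analysis over an ABAP-like IR.

Added example (not CQSE/Teamscale code). Report parameters are taint sources,
sink statements model CALL 'SYSTEM', OPEN DATASET, DO n TIMES and INSERT REPORT,
taint flows through assignment/concatenation (z = x + y) and across method
calls, and a changed method only forces re-analysis of itself and its callers.
Program, method and variable names are constructed for illustration.
"""
from collections import deque

# Sink kinds: a subset of the 21 patterns the talk mentions.
SINK_KINDS = {"CALL_SYSTEM", "OPEN_DATASET", "DO_TIMES", "INSERT_REPORT"}

# IR: method name -> {"params": [...], "body": [statement, ...]}
#   ("assign", dst, [src, ...])   dst depends on every src (z = x + y); [] = constant
#   ("call", callee, [arg, ...])  positional actual arguments
#   ("sink", kind, [arg, ...])    dangerous statement consuming its arguments
PROGRAM = {
    "START-OF-SELECTION": {            # report entry; its parameters are user input
        "params": ["p_cmd", "p_file"],
        "body": [
            ("assign", "lv_cmd", ["p_cmd"]),
            ("assign", "lv_path", ["lv_dir", "p_file"]),   # concatenation keeps taint
            ("assign", "lv_count", []),                     # constant, stays clean
            ("call", "run_os_command", ["lv_cmd"]),
            ("call", "read_file", ["lv_path"]),
            ("call", "repeat", ["lv_count"]),
        ],
    },
    "run_os_command": {"params": ["iv_cmd"],
                       "body": [("sink", "CALL_SYSTEM", ["iv_cmd"])]},
    "read_file": {"params": ["iv_path"],
                  "body": [("assign", "lv_name", ["iv_path"]),
                           ("sink", "OPEN_DATASET", ["lv_name"])]},
    "repeat": {"params": ["iv_n"],
               "body": [("sink", "DO_TIMES", ["iv_n"])]},
}


def trivial_findings(program):
    """Local, data-independent check: every discouraged sink statement is flagged."""
    return sorted((name, stmt[1]) for name, meth in program.items()
                  for stmt in meth["body"] if stmt[0] == "sink")


def taint_findings(program, entry):
    """Propagate taint from the entry method's parameters to sinks, across calls.

    Returns sorted (method, sink_kind, path) triples; path lists the variables
    the tainted value travelled through, source first.
    """
    tainted = {(entry, p): None for p in program[entry]["params"]}  # node -> predecessor
    findings, work, seen = {}, deque([entry]), set()

    def path(node):
        out = []
        while node is not None:
            out.append(node[1])
            node = tainted[node]
        return out[::-1]

    while work:                              # worklist until no method gains new taint
        m = work.popleft()
        seen.add(m)
        for op, target, args in program[m]["body"]:
            hot = [a for a in args if (m, a) in tainted]
            if op == "assign" and hot and (m, target) not in tainted:
                tainted[(m, target)] = (m, hot[0])
            elif op == "call":
                changed = False
                for formal, actual in zip(program[target]["params"], args):
                    if (m, actual) in tainted and (target, formal) not in tainted:
                        tainted[(target, formal)] = (m, actual)
                        changed = True
                if changed or target not in seen:
                    work.append(target)      # (re)analyse callee with the new taint
            elif op == "sink" and hot:
                assert target in SINK_KINDS, target
                findings.setdefault((m, target), path((m, hot[0])))
    return sorted((m, k, p) for (m, k), p in findings.items())


def methods_to_reanalyse(program, changed):
    """Incremental step: a changed method plus all its transitive callers."""
    callers = {name: set() for name in program}
    for name, meth in program.items():
        for op, target, _ in meth["body"]:
            if op == "call":
                callers[target].add(name)
    todo, result = list(changed), set()
    while todo:
        m = todo.pop()
        if m not in result:
            result.add(m)
            todo.extend(callers[m])
    return result


if __name__ == "__main__":
    print("trivial:", trivial_findings(PROGRAM))
    for m, kind, p in taint_findings(PROGRAM, "START-OF-SELECTION"):
        print(f"taint: {kind} in {m} via {' -> '.join(p)}")
    print("touched read_file ->", methods_to_reanalyse(PROGRAM, {"read_file"}))
```

On this input the trivial check reports all three sink statements, while the taint analysis reports only the two that user input actually reaches (the DO n TIMES loop runs on a constant) and gives the variable path from the report parameter to the sink. Real ABAP code also flows through structures, internal tables and field symbols, and a production analysis needs sanitizer handling and a bound on recursion; the worklist here terminates only because the taint set grows monotonically.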
Example program: 1659 LOC / 1301 SLOC.
Findings in the Benchmark. Trivial checks: 12,943 yellow findings, 24,555 red findings. Taint analysis: 7,251 findings. Some methods (2%) had to be ignored (cycles, complexity).
Performance Benchmark: 12,600,000 source lines of code from customers, 270,000 methods (some projects use git, so they actually have more code). Initial analysis time: 3 hours. Analysis time for a single commit depends on the number of "touched" methods, typically a few seconds.
Beyond ABAP. ABAP: closed world; client/server setting; database and server file system are typically trusted; entropy of identifiers (method names, variable names) is high. Java, C#, …: no closed-world scenario; who defines the taint sources and sinks?; more use of high-level programming (inheritance, lambdas, …); many similar variable and method names.
Software Intelligence (Teamscale). (Diagram: models at the centre, surrounded by code, version history, static analysis, test coverage, test results, reviews and issue trackers; example tools shown: cmocka for test results, GCOV for test coverage, … and many more.)
Questions answered from this data: Does our system leak confidential data? Where are gaps in my tests? Which code is actually used? Are there head monopolies? Which components are most error-prone? Do we discover errors early enough? Which changes have not been reviewed? Is our architecture in conformance with the model?
(Test-gap diagram: components GUI.Base, GUI.Dialogs, Authentication, UI Controls, Data Validation; legend: modified & untested, added & untested, unchanged.)
(Head-monopoly illustration: onboarding aborted, new team, knowledge transfer.)
www.cqse.eu/de/ressourcen/blog/
Conclusion. Static analysis can find many attack scenarios at development time. Security attacks are often injection/leak attacks. (Near) real-time feedback is vital for acceptance; our solution is incremental analysis. Wanted: evaluation partners for security analyses (and Teamscale in general).
Contact: Dr. Alexander von Rhein · rhein@cqse.eu · +49 159 04517754 · @alexvonrhein · www.cqse.eu/en/blog · CQSE GmbH, Centa-Hafenbrädl-Straße 59, 81249 München