Using Z-Ray for Lightning Fast Security Analysis
Martin Bednorz, ZendCon Las Vegas 2018
Introduction
● 10+ years of web development experience
● IT security background
  ○ Web application security
  ○ Incremental static code analysis
● CTO / Co-Founder RIPS Technologies
  ○ Static code analysis for security with strong focus on PHP
Usual Workflow
Improved Workflow
Idea: Combine runtime information with static code analysis
Static Code Analysis
Simplified Approach
Transform code into an abstract syntax tree (AST):

    $cookie = $_COOKIE['text'];

AST: Assign(var: Variable $cookie, expr: ArrayDim(Variable $_COOKIE, String 'text'))
Simplified Approach
● Split AST into basic blocks
● Analyze data flow within each basic block
● Summarize data flow in block and function summaries
Simplified Approach
● Connect basic blocks to a control flow graph
● Perform backwards-directed taint analysis for each sensitive sink
Context-Sensitive Taint Analysis

    $id = $_POST['id'];
    if (...) {
        $id = (int)$id;
    } else {
        $id = htmlentities($id);
    }
    echo "<div id='$id'>...";

● Variable $id is used in a sensitive sink. Markup context: HTML attribute, single-quoted.
● Path through (int)$id: sanitized, integer only. No further action required.
● Path through htmlentities($id): with PHP's default flags at the time of the talk (ENT_COMPAT, PHP < 8.1) it encodes only & " < >, not the single quote.
● Vulnerable: all user input is allowed except the characters stated above, so a value such as ' onclick='alert(1) closes the single-quoted attribute. htmlentities($id, ENT_QUOTES) would also encode the single quote, and PHP 8.1 made ENT_QUOTES part of the default flags.
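An added example of the approach on the preceding slides (basic blocks, a control flow graph, backwards-directed taint analysis from each sink, context-sensitive sanitizer checks), written for this page and not taken from RIPS: the IR, the SANITIZERS and CONTEXTS tables and the block names are simplifications chosen here. It encodes the slide's snippet and reports one verdict per path into the sink.

```python
"""Backward taint analysis over a tiny IR with context-sensitive sanitizer
checks. Added example, not RIPS' implementation; IR, tables and block names
are simplifications made up for this example."""
from collections import defaultdict, deque

# A program is a dict of basic blocks, each a list of statements:
#   ("source",   var, origin)                var receives user input
#   ("assign",   var, src_var)               plain copy
#   ("sanitize", var, src_var, sanitizer)    var = sanitizer(src_var)
#   ("sink",     var, context)               var reaches a sensitive sink
# plus a dict of successor edges that forms the control flow graph.

# Characters each sanitizer neutralises; "*" means nothing attacker-controlled
# survives (an integer cast). htmlentities() with PHP's pre-8.1 default flags
# (ENT_COMPAT) encodes & " < > but leaves the single quote alone.
SANITIZERS = {
    "(int)": {"*"},
    "htmlentities": {"&", '"', "<", ">"},
    "htmlentities(ENT_QUOTES)": {"&", '"', "'", "<", ">"},
}

# Characters that must be neutralised before data may land in a markup context.
CONTEXTS = {
    "html_text": {"&", "<", ">"},
    "html_attr_double_quoted": {"&", '"', "<", ">"},
    "html_attr_single_quoted": {"&", "'", "<", ">"},
}


def predecessors(succs):
    preds = defaultdict(list)
    for block, targets in succs.items():
        for target in targets:
            preds[target].append(block)
    return preds


def taint_paths(blocks, succs, sink_block, sink_index):
    """Walk backwards from one sink statement over the CFG and return, for
    every source that reaches it, (origin, path, verdict). The verdict is
    'safe' if the sanitizers seen on that path cover the sink's context."""
    preds = predecessors(succs)
    _, sink_var, context = blocks[sink_block][sink_index]
    required = CONTEXTS[context]
    results = []
    # work item: block, index of last statement still to inspect, the variable
    # being tracked, characters neutralised so far, blocks visited (sink first)
    work = deque([(sink_block, sink_index - 1, sink_var, frozenset(), [sink_block])])
    seen = set()
    while work:
        block, index, var, neutral, path = work.popleft()
        key = (block, index, var, neutral)
        if key in seen:          # loops in the CFG terminate here
            continue
        seen.add(key)
        reached_source = False
        for stmt in reversed(blocks[block][: index + 1]):
            if stmt[1] != var:   # statement defines a different variable
                continue
            if stmt[0] == "source":
                safe = "*" in neutral or required <= neutral
                results.append((stmt[2], list(reversed(path)),
                                "safe" if safe else "vulnerable"))
                reached_source = True
                break
            if stmt[0] == "assign":
                var = stmt[2]
            elif stmt[0] == "sanitize":
                var = stmt[2]
                neutral = neutral | SANITIZERS[stmt[3]]
            # a "sink" statement reads var but does not redefine it
        if reached_source:
            continue
        for pred in preds[block]:
            work.append((pred, len(blocks[pred]) - 1, var, neutral, path + [pred]))
    return results


def example_program(sanitizer="htmlentities", context="html_attr_single_quoted"):
    """The slide's snippet as basic blocks:
       $id = $_POST['id'];
       if (...) { $id = (int)$id; } else { $id = htmlentities($id); }
       echo "<div id='$id'>...";"""
    blocks = {
        "entry": [("source", "$id", "$_POST['id']")],
        "then": [("sanitize", "$id", "$id", "(int)")],
        "else": [("sanitize", "$id", "$id", sanitizer)],
        "join": [("sink", "$id", context)],
    }
    succs = {"entry": ["then", "else"], "then": ["join"], "else": ["join"]}
    return blocks, succs


def verdicts(sanitizer="htmlentities", context="html_attr_single_quoted"):
    """Map each path (entry ... sink) of the example to its verdict."""
    blocks, succs = example_program(sanitizer, context)
    return {tuple(path): verdict
            for _, path, verdict in taint_paths(blocks, succs, "join", 0)}


if __name__ == "__main__":
    for path, verdict in verdicts().items():
        print(" -> ".join(path), verdict)
```

Running it reports the (int) path as safe and the htmlentities path as vulnerable; passing "htmlentities(ENT_QUOTES)" as the sanitizer, or moving the sink into a double-quoted attribute, turns the second path safe as well, which is exactly what makes the analysis context-sensitive.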
Results
● WordPress RCE
● Magento RCE
● Joomla! LDAP injection
● Moodle RCE
● WooCommerce PHP Object Injection
● Roundcube RCE
● phpMyAdmin RCE
● …
Visit ripstech.com/vulndb for more
Performance
    WordPress (333 KLOC)   13 min
    Magento   (2.4 MLOC)   30 min
    Joomla!   (722 KLOC)   11 min
    Moodle    (2.2 MLOC)   39 min
Lightning fast compared to other SAST solutions, whose scans of code bases like these take 8 hours or even a week.
Incremental Analysis
● State of the art: static analysis of only the code that changed
● Problem: a function definition changes
  ○ All call sites need reanalysis
  ○ If that function is called from another function, the caller needs reanalysis as well, and so on up the call chain
  ○ Changes to global variables propagate the same way
  ○ ...
● Average of only 50% scan time improvement in our experiments
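The reanalysis cascade described on this slide, as an added example that is not RIPS code: given a call graph and the globals each function reads and writes, compute which function summaries are stale after an edit. The call graph, function names and global variables below are made up for the example.

```python
"""Reanalysis set for an incremental scan. Added example of the slide's
point, not RIPS' implementation; the application below is invented."""
from collections import deque

# Call graph of a toy application: CALLS[f] are the functions f calls.
CALLS = {
    "index": ["render_page", "log_request"],
    "render_page": ["load_user", "escape"],
    "load_user": ["db_query"],
    "log_request": ["db_query"],
    "cron": ["cleanup"],
    "cleanup": ["db_query"],
    "db_query": [],
    "escape": [],
}
# Global state: which globals a function writes and which it reads.
WRITES_GLOBAL = {"db_query": {"$last_error"}}
READS_GLOBAL = {"index": {"$last_error"}}


def callers_of(calls):
    """Invert the call graph: function -> set of its direct callers."""
    callers = {f: set() for f in calls}
    for f, callees in calls.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(f)
    return callers


def readers_of(reads_global):
    """Invert global reads: variable -> set of functions that read it."""
    readers = {}
    for f, names in reads_global.items():
        for name in names:
            readers.setdefault(name, set()).add(f)
    return readers


def reanalysis_set(changed, calls=CALLS, reads_global=READS_GLOBAL,
                   writes_global=WRITES_GLOBAL):
    """Functions whose summaries may be stale after `changed` was edited:
    the changed functions, every caller of them (transitively, because a
    caller's summary embeds the callee's), and every reader of a global
    that any function in the set writes."""
    callers = callers_of(calls)
    readers = readers_of(reads_global)
    todo = deque(changed)
    stale = set()
    while todo:
        f = todo.popleft()
        if f in stale:
            continue
        stale.add(f)
        todo.extend(callers.get(f, ()))
        for name in writes_global.get(f, ()):
            todo.extend(readers.get(name, ()))
    return stale


def skipped_fraction(changed, calls=CALLS):
    """Share of all functions an incremental scan may skip for this change."""
    total = set(calls)
    return 1 - len(reanalysis_set(changed, calls) & total) / len(total)


if __name__ == "__main__":
    for edited in (["escape"], ["db_query"]):
        print(edited, sorted(reanalysis_set(edited)),
              "skipped: %.0f%%" % (100 * skipped_fraction(edited)))
```

Editing the leaf helper escape() leaves 5 of 8 functions untouched, but editing db_query(), which everything ends up calling, drags 7 of 8 functions back into the scan: the cascade, not the diff size, decides how much an incremental run saves.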
Boost Code Analysis with Z-Ray

Z-Ray
● Available with Zend Server
● Runtime (dynamic) analysis
● Deep insights into your PHP application
  ○ Inspect
  ○ Debug
  ○ Optimize
● Many plugins and extensions available
Z-Ray (screenshots): Execution Times, Database Query Information, Application-Specific Information, Stacktrace
Stacktrace - Used Files

    // index.php
    include('functions.php');
    switch($_GET['page']) {
        case 'a':
            include('page_a.php');
            break;  // without break, page=a would fall through and load page_b.php too
        case 'b':
            include('export.php');
            include('page_b.php');
            break;
    }

    // page_a.php
    do_something();

    // page_b.php
    do_something_export();

Z-Ray records which files a request actually loaded. For index.php?page=a that is index.php, functions.php and page_a.php; for index.php?page=b it is index.php, functions.php, export.php and page_b.php. A scan of a single request therefore only has to look at the files that request touched.
Request Information

Request Information - Performance

    admin();
    user();
    guest();
Example

    $id = $_POST['id'];
    if (...) {
        $id = (int)$id;
    } else {
        $id = htmlentities($id);
    }
    echo "<div id='$id'>...";

The same snippet as in the static analysis section, now with runtime information: for the recorded request Z-Ray shows which of the two branches was actually executed (the slide's final build keeps only the (int) cast), which the static analysis on its own cannot know.
Pitfall

    // ...
    if (!isset($_SESSION['id'])) {
        $_SESSION['id'] = select_id();
    }
    select_from_db($_SESSION['id']);

The session value is only set when it is absent, typically in the first request of a session. A trace of a later request executes select_from_db($_SESSION['id']) but never select_id(), so the runtime view alone does not show where $_SESSION['id'] comes from. Code that was not executed in the recorded request can still produce the data that request consumes, so the analysis must not treat unexecuted branches as dead.
Request Information - Verification
Z-Ray records the complete request, so a finding can be verified by replaying that request with a payload in the affected parameter:

    http://mysite.com/search?category=book
    http://mysite.com/search?category=book&t=
    http://mysite.com/search?category=book&t=<script>alert(1);</script>
    http://mysite.com/search?category=book&t=' onclick='alert(1);'

The two payloads target different contexts: the first only works if < and > reach the page unencoded, the second needs nothing but a single quote and targets the single-quoted attribute context from the earlier example.
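The replay shown above, as an added example that is not the talk's tooling: the search page is a constructed stand-in that reflects ?t= into a single-quoted attribute after htmlentities() with the pre-8.1 default flags, so the probes behave as on the slide; replace `fetch` with a real HTTP client (for instance urllib.request) to replay against a server you are authorised to test. Each probe is tied to the delimiter of the context it breaks out of, so a payload that is merely echoed into plain text does not count as a hit.

```python
"""Replaying a recorded request with context-specific payloads to verify a
reflected-input finding. Added example, not the talk's code; the search page
is a constructed stand-in for http://mysite.com/search."""
from urllib.parse import parse_qs, urlencode, urlsplit


def php_htmlentities_compat(value):
    """PHP htmlentities() with its pre-8.1 default flags (ENT_COMPAT), for the
    characters that matter here: & " < > are encoded, ' is not."""
    return (value.replace("&", "&amp;").replace('"', "&quot;")
                 .replace("<", "&lt;").replace(">", "&gt;"))


def fake_search_page(url):
    """Constructed stand-in for the search page: echoes ?t= into a
    single-quoted value attribute and ?category= into element text."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    term = params.get("t", [""])[0]
    category = params.get("category", [""])[0]
    return ("<form><input name='t' value='%s'></form>"
            "<p>Results in %s</p>"
            % (php_htmlentities_compat(term), php_htmlentities_compat(category)))


# One probe per markup context: (payload, text that must precede it in the
# response). The prefix is the delimiter the payload breaks out of, so the
# probe only counts when the payload lands in that context.
PROBES = {
    "html_text": ("<script>alert(1);</script>", ""),
    "html_attr_double_quoted": ('" onclick="alert(1);"', '="'),
    "html_attr_single_quoted": ("' onclick='alert(1);'", "='"),
}


def build_url(base, params):
    return base + "?" + urlencode(params)


def reflected_in_context(body, payload, prefix):
    """True when the payload appears byte for byte right after the context
    delimiter, i.e. no encoding step touched the characters it relies on."""
    return prefix + payload in body


def verify(base_url, params, param, fetch=fake_search_page):
    """Replay the recorded request once per probe, overriding `param`, and
    report which contexts the parameter can break out of."""
    findings = {}
    for context, (payload, prefix) in PROBES.items():
        probe = dict(params, **{param: payload})
        body = fetch(build_url(base_url, probe))
        findings[context] = reflected_in_context(body, payload, prefix)
    return findings


if __name__ == "__main__":
    print(verify("http://mysite.com/search", {"category": "book"}, "t"))
```

For the t parameter only the single-quoted attribute probe reports a hit: the <script> probe is neutralised by htmlentities(), which is why a scanner that only tries the classic payload would miss this finding. The category parameter, echoed into element text, reports no hit for any probe even though the quote survives there too.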
Prototype
● Integrate into the already available Zend Server plugin
  ○ Zend Server UI plugin
  ○ Scan deployed applications or virtual hosts
  ○ Full scans only
● Zend Server Z-Ray plugin
  ○ Scan single requests
  ○ Implement the most significant performance optimizations
Prototype
● Add Z-Ray component to our plugin
  ○ Access data via the Z-Ray API
  ○ Run first batch of optimizations
● Send relevant source code to static code analysis tool
● Extend taint analysis with data provided by Z-Ray
Architecture diagram components: Zend Server Plugin (UI, Z-Ray API), Z-Ray, Static Code Analysis
Prototype Implementation
● Full scan
  ○ ~2.4M lines of code
  ○ ~30 minutes scan time
● QuickScan
  ○ ~70k lines of code
  ○ ~1 minute scan time
● Can still be greatly improved
Demo