Download Slides - owasp

/**
* Enterprise Java Rootkits
*
* @author Jeff Williams - Aspect Security
* @since November 13, 2009 – OWASP AppSec
*
* @website http://www.aspectsecurity.com
* @email [email protected]
* @email [email protected]
* @twitter @planetlevel
* @phone 410-707-1487
*/
<!-- The Experiment -->
Experiment:
* One developer
* One week
<!-- Agenda -->
public static void present() {
    What’s a Java Enterprise Rootkit?
    Turning Data into Code in the JVM
    Hiding from Source Code Analysis (both kinds)
    Trojaning Libraries
    Owning the Build
    Keeping Malicious Java Out
    Questions
}
<!-- Materials -->
Java a bit rusty? Download the paper!!
No social skills? Download the code!! (modified BSD license)
http://www.aspectsecurity.com/documents/EnterpriseJavaRootkits.zip

<!-- What’s a Java Enterprise Rootkit? -->
Security Alert! Definition: A Java Enterprise Rootkit is code that makes a malicious payload harder to find.
<!-- Java Is “Secure”? -->
Disclaimer: Java is an excellent choice for secure enterprise web applications.
Likelihood: No protection, no detection. How many developers touch your application stack? Your developers already have full privilege in production.
Impact: What damage could one developer’s code actually do?
Not considering the risk from a malicious developer is reckless.
Security Alert! Production Alert!
Hippocratic Oath
<!-- The Emperor’s New Sandbox -->
• WebSphere 7.0: “Although Java 2 security is supported, it is disabled by default”
• WebLogic 10: “Using a Java Security Manager is an optional security step”
• GlassFish Prelude 3: “The security manager is disabled by default”
• Tomcat 6.0: “Tomcat can be started with a SecurityManager in place by using the -security option”
Security Alert! Shields DOWN! Running without a Java SecurityManager means any code or library can do absolutely anything!
<!-- Turning Data into Code in the JVM -->
/* Hiding Data */
byte[] b = { 0x41, 0x54, 0x22, 0x24, 0x85, … };
a.foo() + b + c.bar();
new sun.misc.BASE64Decoder().decode(b);
request.getHeader( Bean.CONSTANT );
s.executeQuery( "SELECT * FROM BAD" ).getString(1);
@Override toString() anywhere and call "" + o;
/* Writing Bytecode */
/* Abusing the Java Compiler API */
/* Abusing the JSP Compiler */
/* Abusing the ClassLoader */
/* Abusing the Java Instrumentation API */
<!-- Hiding from Source Code Analysis -->
/* PsyOps */
// Good code reviewers make assumptions
// You can easily mislead them
Use misleading method, variable, and class names
Use misleading comments
Make well-known methods do the wrong thing
Use http://www.javapuzzlers.com/
Add a @SuppressWarnings annotation to your attack!
/* Abusing Overpowerful Methods */
/* Abusing Reflection 1 */
/* Abusing Reflection 2 */
/* Abusing Code Formatting */
Security Alert! Puzzler! Try decoding the real encoded (and obfuscated) Java file at: http://extrods.googlecode.com/svn/trunk/clients/jargon/src/api/edu/sdsc/grid/io/Lucid.java
/* More Code Formatting */
Security Alert! Free Tools! The code for this paper includes tools to encode and decode Java source code using this method.
/* Abusing Java EE Filters */
Security Alert! Easier and Easier! In the latest servlet specification 3.0 you can add and remove servlets and filters programmatically!
/* Abusing Taint Tracing 1 */
/* Abusing Taint Tracing 2 */
/* Abusing Control Flow Analysis */
/* Abusing Timing Channels */
(diagram: RECV / SEND)
<!-- Trojaning Libraries -->
/* Trojaning Popular Libraries */
/* Trojaning Class Files */
Security Alert! Thank You Sun! Making the ByteCode Engineering Library (BCEL) available right in rt.jar makes things much easier!
/* Trojaning Jar Files */
Security Alert! Signing? With a bit more code you can generate a signed jar.
/* Trojaning Java Installation */
Security Alert! Bonus! Put files in the /ext directory and they are automatically put on classpath AND get AllPermission for ALL applications!
<!-- Owning the Build -->
/* "Reflections on Trusting Trust" */
“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)”
Ken Thompson, 1984
“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.”
http://cm.bell-labs.com/who/ken/trust.html
<!-- What Happened to javac? -->
Maven, Hudson, Subversion, Sonar – Default install
Hudson core: 103 open source projects
Hudson dependencies: ~50 open source projects
Maven core: ~15 open source projects
Nexus core: 86 open source projects
Subversion: ~3 open source projects
Sonar: ~100 open source projects
Overall: Over 16 million lines of code, 503 open source projects involved
Security Alert! Vulnerable? Two hours looking at Hudson resulted in 6 XSS and 4 CSRF…
http://host/hudson/computer/(master)/script?script=Runtime.getRuntime().exec("notepad")
/* Abusing Build Tasks */
Security Alert! Remote! Remember, this will run on the build server and likely on every developer’s machine!
/* Abusing Test Cases */
/* Abusing Dependency Resolution */
<!-- Keeping Malicious Java Out -->
<!-- Building Trust -->
Limit the Number of Developers
Find Trustworthy Developers
Limit Trust During Coding
Limit Trust in Your Build Process
Limit Trust in Operations
Create Overlapping Trust
Detect Malicious Code
Security Alert! Plausible Deniability! After all this, the safest attack is to make a backdoor look like an inadvertent programming error like the OWASP Top Ten.
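As an added defender-side example (not from the talk or its code download), a small Java self-audit that checks the conditions the deck keeps returning to: whether a SecurityManager is installed (the Emperor's New Sandbox slide), which jars sit in java.ext.dirs with AllPermission (the Trojaning Java Installation slide), and whether any class in those jars references the APIs the Turning Data into Code slides lean on, which is the kind of check the Detect Malicious Code step implies. It assumes Java 11+ and also takes directories to audit as arguments (on Java 9+ the extension mechanism is gone, so point it at your server's lib directory); the SUSPECT list and the class name JvmTrustAudit are my own choices, not anything from the talk.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.jar.*;

/** Startup self-audit for the JVM conditions the talk calls out (added example, needs Java 11+). */
public class JvmTrustAudit {
    // Constant-pool strings a hidden payload tends to reference. Assumed starting list,
    // not from the talk; tune it for your own code base.
    static final String[] SUSPECT = {
        "java/lang/Runtime", "java/lang/ProcessBuilder", "sun/misc/BASE64Decoder",
        "java/lang/instrument/", "javax/tools/JavaCompiler", "org/apache/bcel/", "defineClass"
    };

    public static void main(String[] args) throws Exception {
        // Shields down? Without a SecurityManager any library can do anything.
        System.out.println("SecurityManager installed: " + (System.getSecurityManager() != null));
        // Extension jars land on every application's classpath with AllPermission. On Java 9+
        // java.ext.dirs is unset, so the directories passed as arguments are audited as well.
        String extDirs = System.getProperty("java.ext.dirs", "");
        List<String> dirs = new ArrayList<>(Arrays.asList(args));
        if (!extDirs.isEmpty()) dirs.addAll(Arrays.asList(extDirs.split(File.pathSeparator)));
        for (String dir : dirs) {
            File[] jars = new File(dir).listFiles((d, name) -> name.endsWith(".jar"));
            if (jars == null) continue;                 // directory absent or unreadable
            for (File jar : jars) {
                System.out.println(sha256(jar.toPath()) + "  " + jar);   // inventory line
                for (String hit : scanJar(jar)) System.out.println("    suspect: " + hit);
            }
        }
    }

    // Hex SHA-256 of a file, for diffing against a known-good inventory.
    static String sha256(Path p) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(p))) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Returns "entry -> string" for each .class entry whose bytes contain a SUSPECT string.
    static List<String> scanJar(File jar) throws IOException {
        List<String> hits = new ArrayList<>();
        try (JarFile jf = new JarFile(jar)) {
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                if (!entry.getName().endsWith(".class")) continue;
                // Class-file constants are modified UTF-8, so ASCII names survive a Latin-1 decode.
                String text = new String(jf.getInputStream(entry).readAllBytes(), StandardCharsets.ISO_8859_1);
                for (String s : SUSPECT) if (text.contains(s)) hits.add(entry.getName() + " -> " + s);
            }
        }
        return hits;
    }
}
```

A hit only means the class references one of these APIs; compare the inventory line against the hashes you shipped and inspect the flagged classes rather than treating the output as a verdict.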
<!-- Tempted? -->

Questions and Answers
/**
* Questions?
*
* Jeff Williams - Aspect Security
* @email [email protected]
* @email [email protected]
* @twitter @planetlevel
*/