Slide 1

Slide 1 text

Prevent business logic attacks using dynamic instrumentation 2018/10/18

Slide 2

Slide 2 text

Who am I?
Jean-Baptiste Aviat
CTO & CO-FOUNDER OF SQREEN.IO
EX APPLE RED TEAM
Email [email protected]
Twitter @JbAviat

Slide 3

Slide 3 text

2000’s Code Frameworks

Slide 4

Slide 4 text

2010’s Code Frameworks

Slide 5

Slide 5 text

2020’s

Slide 6

Slide 6 text

What is an attack against business logic?

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

WAF

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

How to do it in practice?

Slide 12

Slide 12 text

Let’s define a function: def track(event_name)

Slide 13

Slide 13 text

function generate_user_token(user_id) {
  ...
  track('user_token')
}

function reset_password(email) {
  ...
  track('reset_password')
}

function login(email, password) {
  ...
  track('login')
}

Slide 14

Slide 14 text

Event Stream

Slide 15

Slide 15 text

Event Stream Processing & analysis

Slide 16

Slide 16 text

Event Stream Processing & analysis Response

Slide 17

Slide 17 text

if (rate(user_token_gen) is unusual) {
  respond: lock_user_account
  alert: send_webhook
}

if (count(user_impersonation) is above 10 over last 1 minute) {
  respond: raise_exception, block_ip in reverse proxy
  alert: call_pager
}

Slide 18

Slide 18 text

Application Performance Monitoring

Slide 19

Slide 19 text

How to do this at scale?

Slide 20

Slide 20 text

[Diagram: request flow, steps 1 → 2 → AUTHENTICATE → 4 → 5 → 6]

Slide 21

Slide 21 text

[Diagram: request flow, steps 1 → 2 → HOOK → 4 → 5 → 6, with the hook placed in front of AUTHENTICATE]

Slide 22

Slide 22 text

[Diagram: request flow, steps 1 → 2 → HOOK → 4 → 5 → 6, with the hook placed in front of AUTHENTICATE] Dynamic?

Slide 23

Slide 23 text

In Ruby

def override_instance_method(klass_name, meth, hook)
  saved_meth_name = "#{meth}_saved"
  new_method = "#{meth}_modified".to_sym
  klass_name.class_eval do
    # keep the original under a new name, install the hook, then
    # re-point the public name at the hook
    alias_method saved_meth_name, meth
    define_method(new_method, hook)
    alias_method meth, new_method
  end
end

Slide 24

Slide 24 text

In Java

Class<?> dynamicType = new ByteBuddy()
  .subclass(Object.class)
  .method(ElementMatchers.named("toString"))
  .intercept(FixedValue.value("Hello World!"))
  .make()
  .load(getClass().getClassLoader())
  .getLoaded();

Slide 25

Slide 25 text

Retrieve all the context you need
• Authenticated user
• Custom business information
• Custom code / framework information
• Any HTTP value
• Previous service called
• Spanning information

Slide 26

Slide 26 text

Architecting for performance

Slide 27

Slide 27 text

How could this work?

instrumentation.json

[
  {
    "class": "User",
    "method": "token_generation",
    "event_name": "user_token_generation",
    "custom_properties": {
      "impersonated": "@impersonated"
    }
  },
  {
    "class": "User",
    "method": "impersonation",
    "event_name": "user_impersonation"
  }
]
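The following is an added example of my own, not code from the deck or from the Sqreen POC project, that ties slide 23 (the alias_method hook) to slide 27 (the instrumentation.json config): a config in the same shape as the slide is parsed, each listed class/method pair is wrapped without editing the application's source, and every call emits an event carrying the listed custom properties. Assumptions: the `User` class, the `EVENTS` array standing in for the event stream, and the reading of `"@impersonated"` as "the receiver's instance variable of that name at call time" are all mine.

```ruby
# Added example (not the deck's or the POC's code): config-driven hooking of
# business-logic methods so that each call emits a tracked event.
require 'json'

# Constructed config in the deck's instrumentation.json shape. Values starting
# with "@" are assumed to name an instance variable of the receiver.
INSTRUMENTATION_JSON = <<~JSON
  [
    { "class": "User", "method": "token_generation",
      "event_name": "user_token_generation",
      "custom_properties": { "impersonated": "@impersonated" } },
    { "class": "User", "method": "impersonation",
      "event_name": "user_impersonation" }
  ]
JSON

EVENTS = [] # in-memory stand-in for the event stream

# The track(event_name) function from slide 12, with a properties payload.
def track(event_name, properties = {})
  EVENTS << { event: event_name, properties: properties, at: Time.now }
end

# Same technique as slide 23: keep the original under "<meth>_saved", replace
# the public name with a wrapper that runs the hook and then the original.
def override_instance_method(klass, meth, hook)
  saved = :"#{meth}_saved"
  return if klass.method_defined?(saved) # already hooked: never wrap twice
  klass.class_eval do
    alias_method saved, meth
    define_method(meth) do |*args, &blk|
      hook.call(self)          # emit the event with the receiver as context
      send(saved, *args, &blk) # run the original business logic unchanged
    end
  end
end

# Build a hook that resolves the rule's custom_properties against the receiver.
def build_hook(rule)
  props = rule.fetch('custom_properties', {})
  lambda do |receiver|
    resolved = props.transform_values do |src|
      src.start_with?('@') ? receiver.instance_variable_get(src) : src
    end
    track(rule['event_name'], resolved)
  end
end

# Read the config and install one hook per entry.
def apply_instrumentation(json)
  JSON.parse(json).each do |rule|
    klass = Object.const_get(rule['class'])
    override_instance_method(klass, rule['method'].to_sym, build_hook(rule))
  end
end

# Constructed application class; its source is never touched by the hooks.
class User
  attr_reader :id, :impersonated

  def initialize(id)
    @id = id
    @impersonated = nil
  end

  def impersonation(other_id)
    @impersonated = other_id
    "now acting as #{other_id}"
  end

  def token_generation
    "token-for-#{@impersonated || @id}"
  end
end

apply_instrumentation(INSTRUMENTATION_JSON)

# Drive the instrumented class and return what reached the event stream.
def demo
  EVENTS.clear
  user = User.new(1)
  user.impersonation(42)
  user.token_generation
  EVENTS.map { |e| [e[:event], e[:properties]] }
end
```

The `method_defined?(saved)` guard matters in practice: applying the config twice (for example on a code reload) would otherwise alias the wrapper onto itself and recurse forever on the next call.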

Slide 28

Slide 28 text

Analyze
• The volume of calls
• The successive actions performed by a given user (or IP)
• Detect unusual activity
• Anomalies in volume, proportions
• Check logic flows

Slide 29

Slide 29 text

Respond
• Deny access to sensitive functions
• Deny access to a whole service
• Set account “read only”
• Lock a user account
• Log a user out
• Trigger a pager
• Fire a webhook
• Create a ticket
• …

Slide 30

Slide 30 text

Case Study: Facebook Hack

Slide 31

Slide 31 text

[Diagram: the three interacting features: View as, Video uploader, User Token Management]

Slide 32

Slide 32 text

How to solve it
Record business logic actions (down to the code): (a) Impersonate a user (b) Generate a token
Define rules to detect a vulnerability exploitation: User is calling (impersonation) too much OR user is calling (generate_token) too much
Trigger security responses to be applied: Lock the user AND Tag the user for review
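An added example of my own (not the deck's code and not the Sqreen POC) that covers both the rule shapes on slide 17 and the case-study rule on slide 32: an in-memory event stream fed by `track`, a `count`-over-window and a `rate` query, and a small rule table whose matching rules are merged into one response and one alert list. The thresholds, the definition of an "unusual" rate (the last minute exceeds three times the preceding hour's per-minute rate, with at least five events), the user/IP context fields and the timestamps in the scenario are all assumptions I constructed.

```ruby
# Added example (not the deck's or the POC's code): event stream, window
# queries and a rule table for the slide 17 and slide 32 rules.

# Constructed stand-in for the event stream that track(event_name) feeds.
# Timestamps are plain seconds so the scenario below is deterministic.
class EventStream
  def initialize
    @events = []
  end

  def track(event_name, user:, ip:, at:)
    @events << { event: event_name, user: user, ip: ip, at: at }
  end

  # Events named event_name in the half-open window (now - window, now],
  # optionally restricted to one user.
  def count(event_name, now:, window:, user: nil)
    @events.count do |e|
      e[:event] == event_name && (user.nil? || e[:user] == user) &&
        e[:at] > now - window && e[:at] <= now
    end
  end

  # Events per minute over the last `window` seconds.
  def rate(event_name, now:, window:)
    count(event_name, now: now, window: window) * 60.0 / window
  end
end

# "rate is unusual" (slide 17), read here as: the last minute's rate is more
# than three times the preceding hour's rate and at least 5/min. Assumption.
def rate_unusual?(stream, event_name, now:)
  current  = stream.rate(event_name, now: now, window: 60)
  baseline = stream.rate(event_name, now: now - 60, window: 3600)
  current >= 5 && current > 3 * [baseline, 1.0].max
end

def burst?(stream, event_name, user:, now:)
  stream.count(event_name, user: user, now: now, window: 60) > 10
end

RULES = [
  { name: 'unusual_token_generation_rate',              # slide 17, rule 1
    check: ->(s, c) { rate_unusual?(s, 'user_token_gen', now: c[:now]) },
    respond: [:lock_user_account], alert: [:send_webhook] },
  { name: 'impersonation_burst',                        # slide 17, rule 2
    check: ->(s, c) { burst?(s, 'user_impersonation', user: c[:user], now: c[:now]) },
    respond: [:raise_exception, :block_ip], alert: [:call_pager] },
  { name: 'facebook_case_study',                        # slide 32: A OR B
    check: lambda { |s, c|
      burst?(s, 'user_impersonation', user: c[:user], now: c[:now]) ||
        burst?(s, 'user_token_gen', user: c[:user], now: c[:now])
    },
    respond: [:lock_user_account, :tag_for_review], alert: [] }
].freeze

# Evaluate every rule for one user at one instant; merge what fired.
def evaluate(stream, user:, now:)
  ctx = { user: user, now: now }
  fired = RULES.select { |r| r[:check].call(stream, ctx) }
  { rules: fired.map { |r| r[:name] },
    respond: fired.flat_map { |r| r[:respond] }.uniq,
    alert: fired.flat_map { |r| r[:alert] }.uniq }
end

# Constructed scenario: an hour of one token generation per minute from
# assorted users, then a burst of 12 impersonations and 12 token generations
# by user 7 inside a single minute.
def demo
  stream = EventStream.new
  60.times { |i| stream.track('user_token_gen', user: 100 + i, ip: '10.0.0.1', at: 1000 + i * 60) }
  12.times { |i| stream.track('user_impersonation', user: 7, ip: '10.0.0.2', at: 4605 + i * 4) }
  12.times { |i| stream.track('user_token_gen', user: 7, ip: '10.0.0.2', at: 4606 + i * 4) }
  { quiet: evaluate(stream, user: 42, now: 4550),
    burst: evaluate(stream, user: 7, now: 4660) }
end
```

The case-study rule deliberately reuses the same window query as the slide 17 rules: once events are on the stream with user context, "A OR B" and "lock AND tag" are just a different row in the rule table, which is the point of separating instrumentation from analysis and response.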

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

[Diagram: Event Stream → Processing & analysis → Respond: Lock User; instrumented features: View as, Video uploader, User Token Management; configured by instrumentation.json]

Slide 36

Slide 36 text

Example Open Source Project: https://github.com/sqreen/BusinessLogicAttacksPOC

Slide 37

Slide 37 text

Questions?