Prevent business logic attacks using dynamic instrumentation

Presented by Jean-Baptiste Aviat at SysadminDays #8 (https://sysadmindays.fr)

Renaud Chaput

October 19, 2018

Transcript

  1. Prevent business logic attacks
    using dynamic instrumentation
    2018/10/18

  2. Who am I?
    Jean-Baptiste Aviat
    CTO & CO-FOUNDER OF SQREEN.IO
    EX APPLE RED TEAM
    Email [email protected]
    Twitter @JbAviat

  3. 2000’s
    Code
    Frameworks

  4. Frameworks
    Code
    2010’s

  5. What is an attack
    against business logic?

  6. How to do it in practice?

  7. Let’s define a function
    def track(event_name)

  8. function generate_user_token(user_id) {
      ...
      track('user_token')
    }
    function reset_password(email) {
      ...
      track('reset_password')
    }
    function login(email, password) {
      ...
      track('login')
    }

  9. Event Stream

  10. Event Stream
    Processing
    & analysis

  11. Event Stream
    Processing
    & analysis
    Response

  12. if (rate(user_token_gen) is unusual) {
      respond: lock_user_account
      alert: send_webhook
    }
    if (count(user_impersonation) is above 10 over last 1 minute) {
      respond: raise_exception, block_ip in reverse proxy
      alert: call_pager
    }

  13. Application Performance Monitoring

  14. How to do this
    at scale?

  15. [Diagram: a call chain, steps 1 to 6, passing through AUTHENTICATE]

  16. [Diagram: the same call chain with a HOOK inserted at step 3, before AUTHENTICATE]

  17. [Diagram: the same call chain with a HOOK inserted at step 3, before AUTHENTICATE]
    Dynamic?

  18. In Ruby
    def override_instance_method(klass, meth, hook)
      saved_meth_name = :"#{meth}_saved"
      new_method = :"#{meth}_modified"
      klass.class_eval do
        # keep the original under a new name, install the hook, then point the
        # original name at the hook; all three run inside class_eval so that
        # they apply to klass and not to the caller's own scope
        alias_method saved_meth_name, meth
        define_method(new_method, hook)
        alias_method meth, new_method
      end
    end

  19. In Java
    Class<?> dynamicType = new ByteBuddy()
      .subclass(Object.class)
      .method(ElementMatchers.named("toString"))
      .intercept(FixedValue.value("Hello World!"))
      .make()
      .load(getClass().getClassLoader())
      .getLoaded();

  20. Retrieve all the
    context you need
    • Authenticated user
    • Custom business information
    • Custom code / framework information
    • Any HTTP value
    • Previous service called
    • Spanning information

  21. Architecting for performance

  22. How could this work?
    instrumentation.json
    [
      {
        "class": "User",
        "method": "token_generation",
        "event_name": "user_token_generation",
        "custom_properties": {
          "impersonated": "@impersonated"
        }
      },
      {
        "class": "User",
        "method": "impersonation",
        "event_name": "user_impersonation"
      }
    ]
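As an added example (not code from the talk or from the sqreen POC project) of how slides 7 to 12, the Ruby hook on slide 18 and the instrumentation.json on slide 22 fit together: a config of the same shape drives method hooking, the hooks feed an event stream, and a rule locks a user whose call rate crosses the slide 12 threshold. The User class, the event field names, the in-memory stream and the 60-second window are assumptions made for this example.

```ruby
require 'json'
# Constructed config in the shape of the slide's instrumentation.json (not the project's file)
INSTRUMENTATION = JSON.parse(<<~CONFIG)
  [
    {"class": "User", "method": "token_generation", "event_name": "user_token_generation"},
    {"class": "User", "method": "impersonation",    "event_name": "user_impersonation"}
  ]
CONFIG
EVENTS = []  # the event stream; an in-memory array stands in for a real queue

def track(event_name, user_id, at = Time.now)
  EVENTS << { name: event_name, user_id: user_id, at: at }
end
# Hook an instance method without editing its source: alias the original away, then
# redefine the name with a wrapper that emits an event and calls the original.
def hook_method(klass, meth, event_name)
  saved = :"#{meth}_saved"
  klass.class_eval do
    alias_method saved, meth
    define_method(meth) do |*args, &blk|
      track(event_name, id) # self is the instance here, so id is its attr_reader
      send(saved, *args, &blk)
    end
  end
end

class User
  attr_reader :id, :locked
  def initialize(id); @id = id; @locked = false; end
  def token_generation; "token-for-#{@id}"; end
  def impersonation(other); other; end
  def lock!; @locked = true; end
end

INSTRUMENTATION.each do |entry|
  hook_method(Object.const_get(entry["class"]), entry["method"].to_sym, entry["event_name"])
end

# Rule from slide 12: more than 10 events of one kind from one user within the last minute
def count_recent(event_name, user_id, window_s = 60, now = Time.now)
  EVENTS.count { |ev| ev[:name] == event_name && ev[:user_id] == user_id && now - ev[:at] <= window_s }
end

def evaluate_rules(user, now = Time.now)
  abusive = %w[user_impersonation user_token_generation].any? { |n| count_recent(n, user.id, 60, now) > 10 }
  return :ok unless abusive
  user.lock! # the response; a webhook or pager call would go alongside it
  :locked
end
```

Calling `User.new(42).token_generation` eleven times and then `evaluate_rules` on that user returns `:locked`; a user with three impersonation calls returns `:ok`.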

  23. Analyze
    • The volume of calls
    • The successive actions performed by a given user (or IP)
    • Detect unusual activity
    • Anomalies in volume, proportions
    • Check logic flows

  24. Respond
    • Deny access to sensitive functions
    • Deny access to a whole service
    • Set account “read only”
    • Lock a user account
    • Log a user out
    • Trigger a pager
    • Fire a webhook
    • Create a ticket
    • …

  25. Case Study
    Facebook Hack

  26. View as
    Video uploader
    User Token Management

  27. How to solve it
    Record business logic actions (down to the code):
      (a) Impersonate a user
      (b) Generate a token
    Define rules to detect a vulnerability exploitation:
      user is calling (impersonation) too much OR
      user is calling (generate_token) too much
    Trigger security responses to be applied:
      Lock the user AND
      Tag the user for review

  28. Event Stream
    Processing & analysis
    Respond: Lock User
    View as
    Video uploader
    User Token Management
    instrumentation.json

  29. Example Open Source Project
    https://github.com/sqreen/BusinessLogicAttacksPOC