Prevent business logic attacks using dynamic instrumentation

Presented by Jean-Baptiste Aviat at SysadminDays #8 (https://sysadmindays.fr)

Renaud Chaput

October 19, 2018

Transcript

  1. Prevent business logic attacks using dynamic instrumentation 2018/10/18

  2. Who am I? Jean-Baptiste Aviat, CTO & co-founder of Sqreen.io, ex Apple Red Team. Email jb@sqreen.io, Twitter @JbAviat

  3. 2000’s: Code, Frameworks

  4. 2010’s: Frameworks, Code

  5. 2020’s

  6. What is an attack against business logic?

  7. None
  8. WAF

  9. None
  10. None
  11. How to do it in practice?

  12. Let’s define a function: def track(event_name)

  13. function generate_user_token(user_id) { ... track('user_token') }

    function reset_password(email) { ... track('reset_password') }

    function login(email, password) { ... track('login') }
  14. Event Stream

  15. Event Stream Processing & analysis

  16. Event Stream Processing & analysis Response

  17. if (rate(user_token_gen) is unusual) { respond: lock_user_account alert: send_webhook }

    if (count(user_impersonation) is above 10 over last 1 minute) { respond: raise_exception, block_ip in reverse proxy alert: call_pager }
  18. Application Performance Monitoring

  19. How to do this at scale?

  20. (call-flow diagram) steps 1 2 4 5 6, with AUTHENTICATE

  21. (call-flow diagram) steps 1 2 4 5 6, with HOOK and AUTHENTICATE

  22. (call-flow diagram) steps 1 2 4 5 6, with HOOK and AUTHENTICATE. Dynamic?

  23. In Ruby:

    def override_instance_method(klass_name, meth, hook)
      saved_meth_name = "#{meth}_saved"
      new_method = "#{meth}_modified".to_sym

      klass_name.class_eval do
        alias_method saved_meth_name, meth     # keep the original under a new name
        define_method(new_method, hook)        # install the hook as a method
        alias_method meth, new_method          # must run inside class_eval so it applies to the class, not to the caller
      end
    end
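As an added example (not code from the talk, from Sqreen or from the POC repository), the Ruby below ties slides 12-13 (track), 17 (the impersonation rule) and 23 (the method hook) together: it instruments a business method with an alias_method hook, pushes events onto an in-memory stream, and applies "count(user_impersonation) above 10 over last 1 minute" with lock_user_account as the response. User, impersonate, EVENTS, LOCKED, instrument and apply_rules are assumed names.

```ruby
EVENTS = []   # the event stream, kept in memory for this example
LOCKED = {}   # user_id => true once a security response locked the account

# Emit one event carrying the context the rules need (user id, timestamp).
def track(event_name, user_id:, at: Time.now)
  EVENTS << { name: event_name, user_id: user_id, at: at }
end

# Hook an instance method so every call is recorded as event_name and
# refused once the account is locked. Both alias_method/define_method calls
# stay inside class_eval so they apply to klass rather than to the caller.
def instrument(klass, meth, event_name)
  saved = :"#{meth}_saved"
  klass.class_eval do
    alias_method saved, meth
    define_method(meth) do |*args, **kw|
      raise "account #{id} is locked" if LOCKED[id]
      result = send(saved, *args, **kw)
      track(event_name, user_id: id, at: kw[:at] || Time.now)
      result
    end
  end
end

# Hypothetical business class standing in for the talk's User model.
class User
  attr_reader :id
  def initialize(id)
    @id = id
  end

  def impersonate(target, at: Time.now)
    "#{id} now acting as #{target}"
  end
end

instrument(User, :impersonate, 'user_impersonation')

# How many events of this name did the user produce in the last `window` seconds?
def count_events(name, user_id, now, window: 60)
  EVENTS.count { |e| e[:name] == name && e[:user_id] == user_id && now - e[:at] <= window }
end

# Rule from slide 17: count(user_impersonation) above 10 over last 1 minute
# => respond with lock_user_account (the alerting side is left out here).
def apply_rules(user_id, now: Time.now)
  return :none unless count_events('user_impersonation', user_id, now) > 10
  LOCKED[user_id] = true
  :lock_user_account
end
```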
  24. In Java:

    Class<?> dynamicType = new ByteBuddy()
      .subclass(Object.class)
      .method(ElementMatchers.named("toString"))
      .intercept(FixedValue.value("Hello World!"))
      .make()
      .load(getClass().getClassLoader())
      .getLoaded();
  25. Retrieve all the context you need

    • Authenticated user
    • Custom business information
    • Custom code / framework information
    • Any HTTP value
    • Previous service called
    • Spanning information
  26. Architecting for performance

  27. instrumentation.json:

    [
      {
        "class": "User",
        "method": "token_generation",
        "event_name": "user_token_generation",
        "custom_properties": {
          "impersonated": "@impersonated"
        }
      },
      {
        "class": "User",
        "method": "impersonation",
        "event_name": "user_impersonation"
      }
    ]

    How could this work?
  28. Analyze

    • The volume of calls
    • The successive actions performed by a given user (or IP)
    • Detect unusual activity
    • Anomalies in volume, proportions
    • Check logic flows
  29. Respond

    • Deny access to sensitive functions
    • Deny access to a whole service
    • Set account “read only”
    • Lock a user account
    • Log a user out
    • Trigger a pager
    • Fire a webhook
    • Create a ticket
    • …
  30. Case Study: Facebook Hack

  31. View as / Video uploader / User Token Management

  32. How to solve it

    Record business logic actions (down to the code): (a) Impersonate a user, (b) Generate a token
    Define rules to detect a vulnerability exploitation: user is calling (impersonation) too much OR user is calling (generate_token) too much
    Trigger security responses to be applied: Lock the user AND Tag the user for review
  33. None

  34. None
  35. Event Stream, Processing & analysis, Respond: Lock User (View as / Video uploader / User Token Management; instrumentation.json)
  36. Example open source project: https://github.com/sqreen/BusinessLogicAttacksPOC

  37. Questions?