
Prevent business logic attacks using dynamic instrumentation

Presented by Jean-Baptiste Aviat at SysadminDays #8 (https://sysadmindays.fr)

Renaud Chaput

October 19, 2018

Transcript

  1. Prevent business logic attacks using dynamic instrumentation
    2018/10/18

  2. Who am I?
    Jean-Baptiste Aviat
    CTO & CO-FOUNDER OF SQREEN.IO
    EX APPLE RED TEAM
    Email [email protected]
    Twitter @JbAviat

  3. 2000’s
    Code
    Frameworks

  4. 2010’s
    Frameworks
    Code

  5. 2020’s

  6. What is an attack
    against business logic?

  7. [image slide, no text]

  8. WAF

  9. [image slide, no text]

  10. [image slide, no text]

  11. How to do it in practice?

  12. Let’s define a function
    def track(event_name)

  13. function generate_user_token(user_id) {
      ...
      track('user_token')
    }

    function reset_password(email) {
      ...
      track('reset_password')
    }

    function login(email, password) {
      ...
      track('login')
    }

  14. Event Stream

  15. Event Stream
    Processing
    & analysis

  16. Event Stream
    Processing
    & analysis
    Response

  17. if (rate(user_token_gen) is unusual) {
      respond: lock_user_account
      alert: send_webhook
    }

    if (count(user_impersonation) is above 10 over last 1 minute) {
      respond: raise_exception, block_ip in reverse proxy
      alert: call_pager
    }
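
    The two rules on slide 17, worked through as an added Ruby example. This is not code from the talk or from the sqreen POC: it is a small in-memory event stream that receives track() events carrying the user and client IP, evaluates both rules for that user over a sliding window, and records which response and alert each rule triggered. The EventStream class, the rule names, the definition of an "unusual" rate (at least 5 events in the current minute and more than 3x the user's average over the previous 10 minutes), the response symbols and the sample traffic are all assumptions of this example.

```ruby
# Added example (not from the talk or the sqreen POC): event stream + two rules.
class EventStream
  Event = Struct.new(:name, :user_id, :ip, :at)
  Rule  = Struct.new(:name, :event, :condition, :respond, :alert)

  attr_reader :actions, :alerts

  def initialize
    @events  = []
    @rules   = []
    @actions = []   # security responses applied (lock_user_account, block_ip, ...)
    @alerts  = []   # notifications sent (send_webhook, call_pager, ...)
  end

  def add_rule(name, event:, condition:, respond:, alert:)
    @rules << Rule.new(name, event, condition, respond, alert)
  end

  # The slide's track(event_name): append the event with its business context,
  # then evaluate every rule registered for that event name for this user.
  # +at+ is injectable so the example is deterministic.
  def track(name, user_id:, ip:, at: Time.now)
    @events << Event.new(name, user_id, ip, at)
    @rules.each do |rule|
      next unless rule.event == name
      # respond once per rule and user: a locked account is not locked again
      next if @actions.any? { |a| a[:rule] == rule.name && a[:user_id] == user_id }
      next unless rule.condition.call(self, user_id, at)
      @actions << { rule: rule.name, user_id: user_id, ip: ip, respond: rule.respond }
      @alerts  << { rule: rule.name, user_id: user_id, alert: rule.alert }
    end
  end

  # count(event) for one user in the +window+ seconds ending at +now+
  def count(event, user_id, now, window)
    @events.count do |e|
      e.name == event && e.user_id == user_id && e.at > now - window && e.at <= now
    end
  end

  # "rate is unusual" (assumed definition): the current window is compared with
  # the same user's average over the preceding +baseline+ windows, with an
  # absolute +floor+ so a brand-new account with no history cannot trigger on
  # a single call.
  def rate_unusual?(event, user_id, now, window: 60, baseline: 10, factor: 3, floor: 5)
    current  = count(event, user_id, now, window)
    previous = (1..baseline).map { |i| count(event, user_id, now - i * window, window) }
    average  = previous.sum.to_f / baseline
    current >= floor && current > factor * average
  end
end

def build_stream
  stream = EventStream.new
  # if (rate(user_token_gen) is unusual) { respond: lock_user_account; alert: send_webhook }
  stream.add_rule('unusual_token_rate',
                  event: 'user_token_generation',
                  condition: ->(s, user, now) { s.rate_unusual?('user_token_generation', user, now) },
                  respond: [:lock_user_account],
                  alert: :send_webhook)
  # if (count(user_impersonation) is above 10 over last 1 minute) { ... }
  stream.add_rule('impersonation_burst',
                  event: 'user_impersonation',
                  condition: ->(s, user, now) { s.count('user_impersonation', user, now, 60) > 10 },
                  respond: %i[raise_exception block_ip],
                  alert: :call_pager)
  stream
end

# Constructed sample traffic: user 1 behaves normally (one token every 10 min),
# user 2 fires 11 impersonations in 30 s and then a burst of token generations.
def demo
  stream = build_stream
  t0 = Time.utc(2018, 10, 18, 10, 0, 0)
  6.times  { |i| stream.track('user_token_generation', user_id: 1, ip: '10.0.0.1',    at: t0 + i * 600) }
  11.times { |i| stream.track('user_impersonation',    user_id: 2, ip: '203.0.113.7', at: t0 + i * 3) }
  6.times  { |i| stream.track('user_token_generation', user_id: 2, ip: '203.0.113.7', at: t0 + 40 + i) }
  stream
end
```

    Running demo yields exactly two actions, both against user 2: impersonation_burst on the 11th "view as" call and unusual_token_rate on the 5th token in the same minute; user 1 never reaches the floor. In a real deployment the rule evaluation would not run synchronously inside the request as it does here; the events would be pushed to a queue and processed out of band, which is the point of slide 26.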

  18. Application Performance Monitoring

  19. How to do this at scale?

  20. [Diagram: request pipeline, steps 1, 2, 4, 5, 6 and an AUTHENTICATE step]

  21. [Diagram: the same pipeline with a HOOK placed at the AUTHENTICATE step]

  22. [Diagram: the same pipeline with a HOOK placed at the AUTHENTICATE step]
    Dynamic?

  23. In Ruby
    # Swap an instance method for a hook at runtime. The original stays
    # reachable under "<meth>_saved" so the hook can still call it.
    # klass_name is the Class object itself (class_eval needs a Module).
    def override_instance_method(klass_name, meth, hook)
      saved_meth_name = "#{meth}_saved"
      new_method = "#{meth}_modified".to_sym
      klass_name.class_eval do
        alias_method saved_meth_name, meth
        define_method(new_method, hook)
        # must run inside class_eval so the alias lands on klass_name,
        # not on the caller's self
        alias_method meth, new_method
      end
    end

  24. In Java (Byte Buddy)
    import net.bytebuddy.ByteBuddy;
    import net.bytebuddy.implementation.FixedValue;
    import net.bytebuddy.matcher.ElementMatchers;

    // Generate a subclass of Object whose toString() is intercepted and
    // replaced by a fixed value, then load it into the current class loader.
    Class<?> dynamicType = new ByteBuddy()
      .subclass(Object.class)
      .method(ElementMatchers.named("toString"))
      .intercept(FixedValue.value("Hello World!"))
      .make()
      .load(getClass().getClassLoader())
      .getLoaded();

  25. Retrieve all the context you need
    • Authenticated user
    • Custom business information
    • Custom code / framework information
    • Any HTTP value
    • Previous service called
    • Spanning information

  26. Architecting for performance

  27. How could this work?
    instrumentation.json
    [
      {
        "class": "User",
        "method": "token_generation",
        "event_name": "user_token_generation",
        "custom_properties": {
          "impersonated": "@impersonated"
        }
      },
      {
        "class": "User",
        "method": "impersonation",
        "event_name": "user_impersonation"
      }
    ]
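
    How the hooks described by instrumentation.json could be installed at runtime, as an added Ruby example that ties slide 23 (alias_method hooking) to slide 27 (the config). This is not the talk's code and not the sqreen POC: the Instrumenter module, the EVENTS array standing in for the event stream, the "__saved" naming and the sample User class are this example's assumptions; the JSON is a copy of the slide's. The business code is not modified at all: the hook is aliased in, records an event whose custom properties are read from the instance variables named in the config, and then delegates to the original method.

```ruby
# Added example (not from the talk or the sqreen POC): config-driven hooking.
require 'json'

# Copy of the slide's instrumentation.json, embedded so the example runs offline.
INSTRUMENTATION_JSON = <<~JSON
  [
    { "class": "User", "method": "token_generation",
      "event_name": "user_token_generation",
      "custom_properties": { "impersonated": "@impersonated" } },
    { "class": "User", "method": "impersonation",
      "event_name": "user_impersonation" }
  ]
JSON

# Stand-in for the event stream: hooks append events here.
EVENTS = []

# Constructed business class; it contains no tracking code.
class User
  attr_reader :id, :impersonated

  def initialize(id)
    @id = id
    @impersonated = nil
  end

  # "View as": act on behalf of another user.
  def impersonation(target)
    @impersonated = target.id
    self
  end

  # Issue a token for the effective user.
  def token_generation
    "token-for-#{@impersonated || @id}"
  end
end

module Instrumenter
  # Wrap +method_name+ on +klass+. The original is kept under a saved name; the
  # replacement records an event (custom properties are instance variables
  # named in the config) and then delegates, so the business method's return
  # value and exceptions are unchanged.
  def self.hook(klass, method_name, event_name, custom_properties)
    saved = :"#{method_name}__saved"
    # Idempotent: hooking twice would alias the hook onto itself and recurse.
    return if klass.method_defined?(saved) || klass.private_method_defined?(saved)

    klass.class_eval do
      alias_method saved, method_name
      # positional args only; keyword-argument methods would need ruby2_keywords
      define_method(method_name) do |*args, &blk|
        props = custom_properties.transform_values { |ivar| instance_variable_get(ivar) }
        EVENTS << { event: event_name, class: klass.name, method: method_name,
                    user_id: (respond_to?(:id) ? id : nil), props: props }
        send(saved, *args, &blk)
      end
    end
  end

  # Read the config and install one hook per entry.
  def self.load(json)
    JSON.parse(json).each do |entry|
      hook(Object.const_get(entry['class']),
           entry['method'].to_sym,
           entry['event_name'],
           entry.fetch('custom_properties', {}))
    end
  end
end

# Constructed usage: one normal token, then a "view as" followed by a token
# issued while impersonating. Returns the events recorded.
def demo
  EVENTS.clear
  Instrumenter.load(INSTRUMENTATION_JSON)
  alice = User.new(1)
  bob   = User.new(2)
  alice.token_generation
  alice.impersonation(bob).token_generation
  EVENTS
end
```

    The third event recorded by demo is the one the case study cares about: a user_token_generation by user 1 whose "impersonated" property is 2, which is what the rule on slide 17 counts. The method_defined? guard matters in practice: loading the same config twice (code reload, two agents) otherwise aliases the hook onto itself and every hooked call recurses until the stack overflows.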

  28. Analyze
    • The volume of calls
    • The successive actions performed by a given user (or IP)
    • Detect unusual activity
    • Anomalies in volume, proportions
    • Check logic flows

  29. Respond
    • Deny access to sensitive functions
    • Deny access to a whole service
    • Set account “read only”
    • Lock a user account
    • Log a user out
    • Trigger a pager
    • Fire a webhook
    • Create a ticket
    • …

  30. Case Study: Facebook Hack

  31. View as
    Video uploader
    User Token Management

  32. How to solve it
    Record business logic actions (down to the code):
      (a) Impersonate a user
      (b) Generate a token
    Define rules to detect a vulnerability exploitation:
      user is calling (impersonation) too much OR
      user is calling (generate_token) too much
    Trigger security responses to be applied:
      Lock the user AND
      Tag the user for review

  33. [image slide, no text]

  34. [image slide, no text]

  35. [Diagram: View as, Video uploader and User Token Management, hooked via instrumentation.json, feed the Event Stream; Processing & analysis; Respond: Lock User]

  36. Example Open Source Project
    https://github.com/sqreen/BusinessLogicAttacksPOC

  37. Questions?