Prevent business logic attacks using dynamic instrumentation

Transcript

1. using dynamic instrumentation 2018/10/18 Prevent business logic attacks

2. Who am I? Jean-Baptiste Aviat CTO & CO-FOUNDER OF SQREEN.IO

   EX APPLE RED TEAM Email [email protected] Twitter @JbAviat

3. 2000’s Code Frame- works

4. Frameworks Code 2010’s

5. 5 2020’s

6. What is an attack against business logic?

7. None

8. WAF

9. None
10. None

11. How to do it in practice?

12. def track(event_name) Let’s define a function

13. function generate_user_token(user_id) { ... track(‘user_token’) } function reset_password(email) { ...

    track(‘reset_password’) } 1 2 3 4 1 2 3 4 function login(email, password) { ... track(‘login’) } 1 2 3 4

14. Event Stream

15. Event Stream Processing & analysis

16. Event Stream Processing & analysis Response

17. if (rate(user_token_gen) is unusual) { respond: lock_user_account alert: send_webhook }

    1 2 3 4 if (count(user_impersonation) is above 10 over last 1 minute) { respond: raise_exception, block_ip in reverse proxy alert: call_pager } 1 2 3 4

18. Application Performance Monitoring

19. How to do this at scale?

20. 1 2 4 AUTHENTICATE 5 6

21. 1 2 HOOK 4 5 6 AUTHENTICATE

22. 1 2 HOOK 4 5 6 AUTHENTICATE Dynamic?

23. 23 def override_instance_method(klass_name, meth, hook) saved_meth_name = "#{meth}_saved" new_method =

    "#{meth}_modified".to_sym klass_name.class_eval do alias_method saved_meth_name, meth define_method(new_method, hook) end alias_method meth, new_method end 1 2 3 4 5 6 7 8 9 10 11 12 In Ruby

24. 24 Class<?> dynamicType = new ByteBuddy() .subclass(Object.class) .method(ElementMatchers.named("toString")) .intercept(FixedValue.value("Hello World!"))

    .make() .load(getClass().getClassLoader()) .getLoaded(); 1 2 3 4 5 6 7 In Java

25. Retrieve all the context you need • Authenticated user •

    Custom business information • Custom code / framework information • Any HTTP value • Previous service called • Spanning information

26. 26 Architecting for performance

27. [ { "class": "User", "method": "token_generation", "event_name": "user_token_generation", "custom_properties": {

    "impersonated": "@impersonated" } }, { "class": "User", "method": "impersonation", "event_name": "user_impersonation" } ] instrumentation.json 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 How could this work?

28. Analyze • The volume of calls • The successive actions

    performed by a given user (or IP) • Detect unusual activity • Anomalies in volume, proportions • Check logic flows

29. • Deny access to sensitive functions • Deny access to

    a whole service • Set account “read only” • Lock a user account • Log a user out • Trigger a pager • Fire a webhook • Create a ticket • … Respond

30. 30 Case Study Facebook Hack

31. View as Video uploader User Token Management

32. How to solve it Record business logic actions (down to

    the code) Define rules to detect a vulnerability exploitation Trigger security responses to be applied (a)Impersonate a user (b) Generate a token User is calling (impersonation) too much OR
 user is calling (generate_token) too much Lock the user AND Tag the user for review

33. 33

34. None

35. Event Stream Processing & analysis Respond: Lock User View as

    Video uploader User Token Management instru- mentation .json

36. https://github.com/sqreen/BusinessLogicAttacksPOC Example Open Source Project

37. Questions?