Wednesday, 11 January 2012

Voices that Matter: Katrina O'Neil on Building Secure Android Apps

Voices that Matter: Android Developers Conference

Katrina O'Neil, the founding member of HP Fortify's Security Research Group, will be speaking on Building Secure Android Apps at the Voices that Matter: Android Developers Conference in San Francisco from 11:30 - 12:45pm on Friday, February 10. Specifically, the talk will spend 75 minutes covering the following:

According to Google, Android was designed to give mobile developers “an excellent software platform for everyday users” on which to build rich applications for the growing mobile device market. The power and flexibility of the Android platform are undeniable, but where does it leave developers when it comes to security?

In this talk we discuss seven of the most interesting code-level security mistakes we’ve seen developers make in Android applications. We cover common errors ranging from the promiscuous or incorrect use of Android permissions to lax input validation that enables a host of exploits, such as query string injection. We discuss the root cause of each vulnerability, describe how attackers might exploit it, and share the results of our research applying static analysis to identify the issue. Specifically, we will show our successes and failures using static analysis to identify each type of vulnerability in real-world Android applications.

For a special early-bird discount, please use the priority code ANDSP36 and register for the conference before Friday the 13th of January.
Posted by jwest at 4:03 PM in Fortify
Responses (0)

Tuesday, 27 December 2011

JavaScript With No Letters or Numbers (and what it teaches us about JavaScript security)

At the HP Fortify office, we have a casual event every week where the company orders lunch and a brave soul gives a presentation on a subject of interest. It's where we all come for the food and stay for the cool stuff we learn. One of the topics from a while ago was an overview of Joey Tyson's talk at NoVa Hackers. I think the video is well worth a watch, because he does a great job at presenting the material in a both entertaining and educational way. It has become one of my favorite links to share with my tech-savvy friends, as it showcases all the fun (and frightening) things we can do with JavaScript.

The video looks at ways to abuse the loose typing and dynamic nature of JavaScript to produce heavily obfuscated code. I'll let you watch for yourselves, as he explains the topic much better than I can. Instead, I will focus on discussing the morals of the story. What do such "powers" of JavaScript mean for us security-minded folks?

Code Execution

One of the main points of the talk was highlighting the many ways to turn a string into executable code. From a security standpoint, this is the backbone of injection vulnerabilities, such as DOM-based XSS. DOM-based XSS is a type of cross-site scripting vulnerability that appears and is exploited entirely on the client-side—typically entirely in JavaScript. This is in contrast with reflected and persistent XSS, which are server-side vulnerabilities.

The most obvious way for an attacker to execute code is using functions made just for this - eval(), setTimeout(), new Function(), and so forth. In a similar vein, though not covered in the talk, event handlers for DOM objects - e.g., window.attachEvent(), assignments to document.forms[0].action - achieve the same effect. Of course, simply writing out the stream without any sort of validation - document.write() or DOMObj.innerHTML - is the classic XSS attack. Those who know or have experienced a little bit of Web history will know that browsers accept URIs prepended with "javascript:" and execute them as JavaScript code. Attackers often use this to their advantage to redirect victims to a "javascript:" URL.

The talk also discusses another, less obvious way, to inject code. In browsers, the global namespace resides in the window object, so that if we have access to the window object, we can call on anything within it, including functions. Furthermore, in JavaScript, window['foo'] is identical to window.foo. Thus, if an attacker were ever in a position to control the value of x in window[x](), he would be able to successfully launch a cross-site scripting attack.

In short, JavaScript's flexibility allows for many different and often subtle ways to execute a string as code. Web application developers need to be especially careful to dodge the many avenues for XSS execution.

Attack strings in URLs

The canonical XSS attack involves embedding the payload in the URL of the page that eventually gets executed via one of the methods above. In DOM-based XSS, the practice is no different. In the JavaScript talk, the presenter spends a good amount of time discussing different ways to embed code in the URL. It's a very common and easy way to pass malicious code to the victim's browser.

What this means for us that we need to be especially careful when reading URL values out of the page. This often means reading window.location or its properties, such as window.location.href, window.location.hash, or window.location.search. The data therein may well contain an XSS attack string, so it is always crucial to validate any data that your code reads out of these objects.

Escaping and blacklisting characters are insufficient

The techniques in the talk are concrete examples of why escaping or blacklisting individual characters is not enough to prevent cross-site scripting attacks. The presenter was able to give several different character sets that enable arbitrary script execution. With a highly flexible language like JavaScript, it's often possible for an attacker to circumvent blacklisted characters, yet it's very difficult for a developer to be aware of and defend against every means of code injection.

In general, whitelisting is an almost certainly better alternative to blacklisting. It is easier for us to justify any options we explicitly allow, than to try to enumerate and account for every possibility to disallow. Rejecting certain characters or names can help prevent the most basic code injection attacks, but will not guard against obfuscated payload strings.

Lastly, in spirit of the holiday season, I'll leave you with something a little more whimsical. Yosuke Hasegawa is one of the earliest and most prominent JavaScript gurus to bend and abuse the language in various ways. He has written (in JavaScript, of course), among other things, a JavaScript-to-Japanese-Smileys encoder - if you happen to be a fan of Japanese emoticons.

Happy Holidays!

Posted by sarah at 4:25 AM in Fortify
Responses (0)

Friday, 16 December 2011

Let’s Talk About Overprivilege

Our collaboration on Google Android with UC Berkeley is an example of a very successful endeavor: as of Q4’11 update to the HP Fortify Secure Coding Rulepacks, we can statically detect overprivileged Android applications. But what does overprivilege mean in the world of Android?

As part of its security model, Google Android platform defines an elaborate system of permissions. Permissions can protect access to three things:

  1. Sensitive APIs,
  2. Application components (e.g. content providers), and
  3. Inter-and-intra-component communication.
Sensitive APIs allow developers to access important services provided by the platform, such as accessing the Internet and sending SMS messages. Content providers serve as application internal databases, while a communication system lets internal and external components send messages to each other. In order to use privileged platform services, Android applications have to explicitly request permissions at install time, which is when it’s also decided whether they are granted or denied. The enforcement happens at runtime.

If an application requests too few permissions, it is underprivileged and won’t be able to execute correctly because privileged calls will fail at runtime. This problem is much easier to detect during testing than the problem of overprivilege – that is, an application requesting more permissions than it needs. Overprivilege is bad for a number of reasons, the first one being violation of the principle of least privilege that says that one should not have more authority than he or she needs in order to perform a task. If the same application has other vulnerabilities, an attacker who exploits them and takes control of the application will have the same permissions the application requested, and therefore can further misuse them. Also, overprivileged applications make it easier for the end-user to end up with malware on their device because many users can become desensitized by benign applications requesting scary permissions. On the other hand, overprivileged applications can scare away security-savvy users from downloading benign applications just because they request more permissions than they need.

Our analysis of real-world Android applications showed that over 30% of all the apps we looked at are overprivileged. The most shocking cause of overprivilege is the lack of documentation from Google: as determined by our Berkeley colleagues, version 2.2 of the platform documents permission requirements for only 78 out of 1207 API calls, and 6 out of these 78 instances turned out to be incorrect. Developers are left with either figuring out permission requirements by trial and error or turning to forums and message boards, which often provide incorrect answers as well.

Static analysis is faced with some challenges when detecting overprivilege in Android applications. Specifically, aggressive use of third-party APIs (e.g. advertising APIs) and Java reflection API may result in false alarms. However, we think that static analysis can still be of great help to developers, so please take advantage of this new and exciting capability from the HP Fortify SCA.

Posted by yoneil at 11:15 AM in Fortify
Responses (0)

Monday, 5 December 2011

Watch Us on YouTube

Remember our DEFCON talk on Android that we talked about here? Now you can watch it on YouTube -- enjoy!
Posted by yoneil at 12:56 PM in Fortify
Responses (0)

Friday, 2 December 2011

Application Frameworks and Static Analysis (Part Ein)

Fortify SCA and the custom rules associated with application frameworks provide deep coverage of application frameworks.  It may not be perfect, as no product is, but our research team is probably one of the strongest that I have worked with and they understand how to vet and analyze frameworks.  I want to reveal some of our secret sauce when it comes to analyzing an application framework for vulnerabilities.  I am hoping that by giving you insight into how a framework is analyzed you will understand how we support application frameworks.  When analyzing frameworks, there are 3 primary areas of focus: architectural flows and components, dataflow analysis (sources of input, pass through methods, and output sinks) and framework specific vulnerabilities (error prone API methods).

Architectural Flows and Components

When analyzing an application framework, a security researcher has to understand the architectural components which make up the framework and the data flows between each component.  This helps with understanding the big picture.  You’ve got to understand what a framework does and how it does it if you hope of find weaknesses in it.  For example, if you are looking at Struts 2, the researcher has to understand the Struts2 filters, interceptors, Actions, Results, configurations files, and custom tags.  The following picture sums things up:

Copyright Apache Software Foundation.  Picture is from http://struts.apache.org/2.0.6/docs/architecture.data/s2-arch-big-old.png

Understanding the big picture gives you an understanding of what is going on at a macro level but developing support for an application framework requires you to dig deeper.  One of the basic rules that you write to support frameworks are dataflow rules.  These rules define the input sources, pass through methods, and sinks (where vulnerabilities can be exploited). 

Dataflow Analysis

Any application framework will usually define alternate ways of retrieving input.  For example Spring MVC utilizes Command classes, WebRequest, NativeWebRequest, and annotations (on top of the standard JEE HttpServletRequest and ServletRequest ) to define inputs for web requests.  But the Spring framework itself also provides input into the application via web services (Spring WS, XFire, JAX-RPC, etc.), remoted objects (Burlap, Hessian, Http, RMI, JMX, etc.) and other services.  Identifying these entry points requires the analysis of configuration files, class hierarchies, and annotations.  All of which are possible with the Fortify static code analysis (SCA) engine. 

In the last 2 months I have the opportunity to write some pretty advanced SCA rules to support frameworks.   I discovered that the SCA engine is a pretty amazing creation.  There are actually five phases of scanning which occur where 3 of the phases deal with scripting rules (rules written entirely in a scripting language having direct access to core SCA data structures, functions, and entities) and the other two phases dealing with standard rules (rules which are represented in xml format which pass input to specific SCA analyzers to produce findings).  Script rules are raw script blocks which hold the script code used by SCA to carry out a specific task such as parsing application configuration files and setting up the data structures containing this information.  Standard rules are analyzer specific but can also execute script logic to customize the rule definition and inputs based on application information identified in pre-phase scripts.  Standard rules are primarily focused on directing one of the many analyzers to find vulnerabilities.   The SCA engine also supports a process called labeling where mid-phase scripts or labeling rules (running in phase 2) can tag classes, methods, and fields with an arbitrary identifier.  Once labeling is complete, standard rules (which run after mid-phase script rules) can turn labeled items into findings or use labels to taint entry points or taint labeled methods as sources/sinks for dataflow analysis.  Standard rules can also directly utilize annotated code structures to turn annotated methods into findings or taint entry points for dataflow analysis.  The ability to work with annotations is important for a static analysis engine because modern frameworks such as Spring MVC (version 2.5 and above) are turning away from rigid class hierarchies and moving toward annotated POJOs (plain old java objects).  Annotations are used to identify controller classes and request mapped  methods for  web request entry points.  The SCA engine is especially well adapted to work with annotations and our rule set reflects this.  Finally, post-phase scripting rules are run after vulnerabilities are identified and can be used to clean up/prune identified vulnerabilities or add additional information to identified vulnerabilities (such as which configuration file triggered the finding).

 Labeling is an important feature of the SCA engine so let me give you an example:

If a web application utilizes a Hibernate or JPA persisted entity as its request bound object (commandClass in Spring MVC or Action attribute in Struts 2) then an attacker could use request parameters to update information in associate (foreign key related) entities/tables of the persistent entity.

In order to find this vulnerability a pre-script runs to collect all of the Hibernate and JPA entities as well as the Spring commandClasses or Struts 2 Actions within the application.  Then mid-scripts add a label such as “persistentEntity” or “reqBoundClass” to the classes which are used as Hibernate/JPA persisted entities or request bound objects.  Finally, standard rules would find all classes which had labels “persistentEntity” and “reqBoundClass” to identify objects as request bound persistent entities.

A security researcher not only needs to understand the architecture of an application framework and its inputs but he/she also needs to understand how framework APIs are utilized to pass data through the architecture of the framework (the “big” picture above).  Most applications that are scanned will not provide the source code for 3rd party frameworks.  In order to trace data flows correctly, pass-through rules need to be created which cover tainted data as it passes through framework code.  This allows the dataflow analyzer to correctly trace dataflow through components where the source code was not provided.

Finally, framework specific sinks need to be added to support the specific application framework.  An example related to hibernate would be session.createSQLQuery(“SQL string…”);  The Hibernate specific method “createSQLQuery” could be used to execute a SQL injection attack if a user controlled string is passed to the method. 

Conclusion

This is probably a lot to take in one setting.  We have covered two of the three steps required to analyze application frameworks.  You have also gained insight into some of the inner workings of the SCA engine.  Next week we will continue our discussion of application frameworks and static analysis by looking at framework specific vulnerabilities.

Technorati Tags:

Posted by akang at 3:04 PM in Fortify
Responses (1)

Wednesday, 23 November 2011

Q4 2011 Rulepack Update

We have just released the Q4 2011 update to the HP Fortify Secure Coding Rulepacks and the HP Fortify RTA Rulepack Kit.

With this release the HP Fortify Secure Coding Rulepacks now detect 502 unique categories of vulnerabilities across 20 programming languages and over 700,000 individual APIs. I would like to share with you a quick summary of the latest offerings from this release.


HP Fortify Secure Coding Rulepacks

Spring 3.0 – Support for the latest version of the Spring framework, including the following major features:

   Spring MVC – Updated support includes enhanced coverage of specific vulnerabilities related to the Spring    Framework and Spring Annotations. The update also allows Fortify to identify web service taint from REST    templates, locate resource injection errors in Spring applications, and detect three new vulnerability categories:

      - Often Misused: Spring Remote Service

      - Often Misused: Spring Web Service and

      - Spring MVC Bad Practices: Request Parameters Bound into Persisted Objects

   Spring Web Flow – New support for the Spring Web Flow framework includes identifying sources of web taint    from the framework and reporting vulnerabilities specific to Spring Web Flow applications.

Google Android – Updated support now provides improved detection of underprivileged Android applications, including missing permissions for privileged API calls, as well as sending and receiving intents. In addition, Fortify now detects overprivileged Android applications that request unnecessary permissions. This update introduces three new categories related to privilege management:

      - Privilege Management: Missing API Permission

      - Privilege Management: Missing Intent Permission and

      - Privilege Management: Unnecessary Permission.

File Disclosure – Misconfiguration and poor input validation in modern web frameworks can accidentally disclose sensitive files, including configuration and application code. Fortify now identifies File Disclosure vulnerabilities in applications that rely on Core EE Java APIs, Apache Struts, Spring and Spring Web Flow.


HP Fortify RTA Rulepack Kit – This quarter’s update adds three new categories for Fortify RTA:

Insecure Randomness – Added the ability to detect and replace uses of insecure random number generators with cryptographically-strong alternatives.

JavaScript Hijacking – We now detect JavaScript Hijacking and provide protection against Ajax/JSON/JSONP Hijacking in applications that rely on JavaScript for data transport.

Cookie Security: HTTPOnly not Set on Session Cookie – Added support for detecting and remediating insecure settings of the HTTPOnly flag during cookie creation.

Posted by skamani at 1:15 PM in Fortify
Responses (0)

Tuesday, 15 November 2011

From an Undisclosed Location in Washington State

Image and video hosting by TinyPic

This week I’m attending a conference for the participants of the BSIMM project, which seeks to objectively measure the software security assurance activities conducted by leading ISVs, financial services firms, and a variety of other development organizations.

At the conference, Gary McGraw, Sammy Migues, and Brian Chess (who created BSIMM) are sharing the results of the third round of measurements spanning 42 different firms with representatives of those firms. Most of the results make sense and fit with a motherhood-and-apple-pie understanding of the industry and what counts. However, as the number of participants increases and the set of measured data points grows, so to does the risk of misconstruing the results to promote pet arguments or other fallacies.

Now things are getting fun. As I write this, the group is preparing to spend the bulk of the afternoon discussing how measurement efforts like BSIMM could be used to assess and compare vendors in terms of software security maturity. Do the activities measured in BSIMM provide a meaningful differentiator? Do strong maturity levels correlate to better security? Do third-party vendors behave the same way as internal efforts?

I will enjoy debating these topics, but more importantly, I’m excited that the debate is occurring. The more energy we spend discussing these topics, the more likely we are to collect and share data that will help us reach better answers.

Posted by jwest at 2:25 PM in Fortify
Responses (0)

Friday, 11 November 2011

No correlation is interesting too. Part 2: SCA customization: Custom Source rules

As discussed in part 1 of this blog post WI misconfiguration can lead to no correlation. Now, we show how SCA misconfiguration can also lead to no correlation.

For a particular application, WI was showing issues in the category "Privacy Violation: Credit Card Number Disclosed" and "Privacy Violation: Social Security Number Disclosure". While the SSN issues correlated nicely with SCA issues, the CCN issues did not. In fact, SCA wasn't finding a single issue in the CCN Disclosed category in the first place, so no wonder there was no correlation.

The underlying problem was fairly obvious too. By default the HP Fortify SCA rules keep track of CCN and SSN when they are stored in variables which are unambiguous. For example, the SSN in this application was stored in a field called "ssn" which was tracked by default. However, the CCN was stored in a field "ccNum" which is not one of the field or variable names which we track by default. To resolve this, a characterization rule can be written to keep track of these custom field and variable names. An example of such rule is: 
            <CharacterizationRule formatVersion="3.7" language="dotnet">
                <RuleID>SAMPLE_RULE_ADDING_PRIVATE_FLAG_001</RuleID>
                <StructuralMatch><![CDATA[
                    FieldAccess fa: fa.field.name matches "ccNum" and
                    not fa in [AssignmentStatement: lhs.location is [Location l: l.transitiveBase === fa.transitiveBase]]
                    ]]></StructuralMatch>
                <Definition><![CDATA[
                    TaintSource(fa, {+PRIVATE})
                    ]]></Definition>
            </CharacterizationRule>
When the field in the class is retrieved through a getter, a even more trivial rule can be written (more trivial, because click through the wizards and the rule will be written for you): 
            <DataflowSourceRule formatVersion="3.2" language="dotnet">
                <RuleID>SAMPLE_RULE_ADDING_PRIVATE_FLAG_002</RuleID>
                <TaintFlags>+PRIVATE</TaintFlags>
                <FunctionIdentifier>
                    <NamespaceName>
                        <Value>App.Name.Space</Value>
                    </NamespaceName>
                    <ClassName>
                        <Value>CCProcessing</Value>
                    </ClassName>
                    <FunctionName>
                        <Pattern>GetSavedCC</Pattern>
                    </FunctionName>
                    <ApplyTo implements="true" overrides="true" extends="true"/>
                </FunctionIdentifier>
                <OutArguments>return</OutArguments>
            </DataflowSourceRule>
By inserting the rule, SCA was able to find the issues shown by WI. More importantly, SCA was able to find issues which weren't found by WI. Turned out that WI only scanned a portion of the application.

In short, it is important to exactly model your application in a static analysis tool to find the best results (reduce false positives and find all true issues). As it is not always obvious where a static analysis tool is missing true issues, a pen testing tool can help pointing out shortcomings in the result set. These shortcomings can then be modeled through custom rules. To write custom rules, the tools and documentation which SRG uses on day-to-day basis is available for our customers too.
Posted by mmadou at 3:56 AM in Fortify
Responses (0)

Friday, 4 November 2011

Common Pitfalls in Custom Rules -- constantValue and null

To get the most out of a static analysis scan, one of the important features is the ability to write custom rules. The Custom Rules Editor, available as a part of HP Fortify Audit Workbench, contains wizards that generate templates rules for many common rule types. These templates provide a great starting point for writing more complex custom rules to suit your organization's needs.

One of our last updates to the wizard contains a customizable structural rules for hardcoded, empty, and null passwords. These rules demonstrate one of the fine points of the structural language and the constantValue field. Understanding how the constantValue field works will greatly help you write your own custom structural rules from scratch.

Here is the generated rule for hardcoded passwords: 

   FieldAccess fa: fa.field.name matches "password" and
       fa in [AssignmentStatement: lhs.location is fa and
               not rhs.constantValue.null and
               not rhs.constantValue is [Null: ] and
               not rhs.constantValue == ""] and
       fa.field is [Field f:]*

One of the most common points of confusion is the difference between not rhs.constantValue.null, not rhs.constantValue is [Null: ], and not rhs.constantValue == "". Looking at the structural type reference, it tells us that AssignmentStatement.rhs is an Expression, which in turn contains the following structural property:

Name Type Description
constantValue Value The constant value of this expression. Will be null if this expression doesn't have a constant value or if SCA is unable to determine it.

With this definition in mind, let's look at each of them in turn and discuss what each of the clauses mean.

  1. First, let's look at constantValue.null. From the structural type definition above, we see that the constantValue field is null if the expression does not have a constant value. In other words, not rhs.constantValue.null matches an expression whose value is a constant.
  2. constantValue is [Null: ]. Again, according to the structural type reference, constantValue is of type Value, of which Null is a subtype. Null simply refers to "A null program value." Thus, not rhs.constantValue is [Null: ] simply means that the right-hand side is a non-null constant value.
  3. constantValue == "". It signifies that the value is a non-null empty string. Therefore, not rhs.constantValue == "" refers to an expression that is a non-empty constant string.

To summarize:

not rhs.constantValue.null means right hand side is a constant value,
not rhs.constantValue is [Null: ] means right-hand side is non-null,
not rhs.constantValue == ""] means right-hand side is a non-empty string.
Posted by sarah at 8:00 AM in Fortify
Responses (0)

Friday, 21 October 2011

Brakeman

One of my favorite talks from OWASP AppSec USA 2011 was Brakeman and Jenkins: The Duo Detect Defects in Ruby on Rails Code. Justin Collins and Tin Zaw have written a static analysis system for Ruby on Rails. (Here's a link directly to Brakeman.)

What I particularly like about their work is that they didn't focus exclusively on analysis algorithms. They saved some of their energy and creativity for creating a solid build integration framework and an audit interface. The typical mistake for a first-time static analysis builder is to become fascinated with syntax trees and fixed point calculation. Justin and Tin have (wisely) chosen to make an end-to-end working system instead. Good stuff!

Posted by bchess at 9:30 AM in Fortify
Responses (0)