Tuesday, 29 November 2011

Application Security Highlights (November 2011)

This is a list of articles, blog entries and research related to application security that we found interesting and worthwhile reading this month at Astyran.

Discovery Techniques

The paper “One Technique is Not Enough: A comparison of Vulnerability Discovery Techniques” by Andrew Austin and Laurie Williams of the Department of Computer Science of the North Carolina State University examines the effectiveness of specific vulnerability discovery techniques:

  • systematic and exploratory manual penetration testing
  • static analysis
  • automated penetration testing.

Based on a case study of two web-based electronic health care record systems (OpenEMR and eCHR) the authors found empirical evidence that:

  • no single technique discovered every type of vulnerability;
  • static analysis found the most implementation bugs;
  • systematic manual penetration testing found the most design flaws;
  • the most effective technique (measured in vulnerabilities discovered per hour) was automated penetration testing;
  • if one has limited time, one should conduct automated penetration testing to discover implementation bugs and systematic manual penetration testing to discover design flaws. 

At the 11th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2011) Andrea Avancini and Mariano Ceccato presented their paper “Security Testing of Web Applications: A Search-Based Approach for Cross-Site Scripting Vulnerabilities”. Slides available here.

Framework Security

Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri and David Evans (University of Virginia) presented their paper “GuardRails: A Data-Centric Web Application Security Framework” at the 2nd USENIX Conference on Web Application Development (WebApps 2011). Slides of their talk are also available here.

The authors present GuardRails, a tool for Ruby on Rails (currently only version 2) that helps developers build secure web applications. GuardRails works by attaching security policies using annotations to the data model itself. GuardRails then produces a version of the application that enforces those policies. The paper assumes that the developer is a benevolent partner in this (see an earlier blog-post of mine if there is potential malicious intent by developers).

The design goals were:

  • to allow developers to specify and automatically enforce data policies in a way that minimizes opportunity for developer error;
  • no functionality is broken by the GuardRails transformations;
  • no need to modify an application to use GuardRails.

The authors acknowledge that currently their method imposes a significant performance cost, but they believe that this is more related to the prototype system than the intrinsic costs of their approach. Anyway, visit the GuardRails website for more information or download the GuardRails source code.

In another interesting paper presented at WebApps 2011, “PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks” by Ioannis Papagiannis, Matteo Migliavacca and Peter Pietzuch, the authors introduce PHP Aspis, a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis carries out taint propagation only in an application’s most vulnerable parts: third-party plugins.

The authors evaluate PHP Aspis with WordPress and show that it prevents all code injection exploits that were found in WordPress plugins in 2010. The runtime overhead was a factor of about 2.2. Code available here.

In the paper “A Systematic Analysis of XSS Sanitization in Web Application Frameworks” (presentations available here and here) by Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song (University of California, Berkeley) the authors systematically study the security of the XSS sanitization abstractions provided by 14 major commercially used frameworks. The (not so positive) conclusions are:

  • Frameworks often do not address critical parts of the XSS conundrum.
  • There is a wide gap between the abstractions provided by frameworks and the requirements of applications.

I already described this study on the Astyran blog in September but forgot to add the conclusion. Related research (by the same authors) is An Empirical Analysis of XSS Sanitization in Web Application Frameworks.

Fun

Since apparently attackers are having great fun making fools of us, it is maybe time for us to have some fun too. The International Obfuscated C Code Contest (IOCCC) has, for the first time in many years, launched a new challenge (running from 12 November till 12 January). For those who are too young to remember the previous challenges, here are the goals of the contest:

  • To write the most Obscure/Obfuscated C program under the rules below.
  • To show the importance of programming style, in an ironic way.
  • To stress C compilers with unusual code.
  • To illustrate some of the subtleties of the C language.
  • To provide a safe forum for poor C code.

Since the online submission tool will be available tomorrow, please hurry and visit the IOCCC website.

If you are more into games, you can register for DARPA’s Crowd Sourced Formal Verification (CSFV).  This program seeks to make formal verification of software more cost effective by enabling non-specialists to participate productively in the formal verification process; this is done by creating a specific game that is intuitively understandable and fun to play. This game is based on the particular software implementation and software property to be verified. Playing, and completing, the CSFV game enables formal verification tools to complete a corresponding formal software verification proof.

Secure Design

The paper “A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks” by Ben S. Y. Fung and Patrick P. C. Lee of the Department of Computer Science and Engineering of The Chinese University of Hong Kong, presented at the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-11), Changsha, China, November 2011, deservedly won the best paper award. The authors also made the presentation slides and source code available.

The authors propose the DeRef defence mechanism (proof-of-concept prototype on Firefox and WordPress) and measure its performance overhead. DeRef provides fine-grained access control on the scope within which the client’s authentication credentials may be embedded in requests, with the following privacy properties:

  • The browser cannot infer the scopes being configured by the website;
  • The website does not know where the browser initiates requests.

DeRef achieves this with a two-phase check based on hashing and blind signatures (read the paper!).

And in yet another paper from WebApps 2011 “Secure Data Preservers for Web Services” by Jayanthkumar Kannan (Google Inc.), Petros Maniatis (Intel Labs) and Byung-Gon Chun (Yahoo! Research), the authors describe a novel approach wherein a user who hands off her data to a web service has complete choice over the code and policies that constrain access to her data.

And in our last paper from WebApps 2011, “The Effectiveness of Application Permissions” by Adrienne Porter Felt, Kate Greenwood and David Wagner of the University of California, Berkeley, the authors performed case studies on two platforms with application permissions, the Google Chrome extension system and the Android OS in order to evaluate whether application permissions are effective at protecting users.

Their results indicate that “application permissions can have a positive impact on system security when applications’ permission requirements are declared upfront by the developer, but can be improved”.

At ESORICS 2011, Leuven, Belgium (where yours truly was born) Philippe De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens (KUL Leuven) presented their paper “Automatic and Precise Client-Side Protection against CSRF Attacks”. The paper presents a request filtering algorithm that automatically and precisely identifies expected cross-origin requests, based on whether they are preceded by certain indicators of collaboration between sites. Presentation available here.

In another paper from ESORICS 2011, “Protecting Against Web Application Injections with Complementary Character Coding” (presentation available here) by Raymond Mui and Phyllis Frankl of the Polytechnic Institute of NYU, the authors describe complementary character coding, a new character encoding scheme, and its application to protecting against input injection attacks, including SQL injection and cross-site scripting.

In this approach, each character has two encodings, which can be used to distinguish between trusted and untrusted data. Small modifications to web components, such as the browser, application code interpreter, and database management system, allow them to enforce security policies guarding against injection attacks. 
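To make the idea concrete, here is an added toy model of the scheme (written for this page; it is not the authors’ implementation and handles ASCII only). Untrusted text is switched to a second, “complement” encoding (code point + 128, an assumption of this model), and two hypothetical mini-parsers standing in for the SQL interpreter and the browser honour a metacharacter as syntax only when it arrives in the standard encoding:

```javascript
// Added example, not the authors' implementation: a toy model of complementary
// character coding for ASCII text. Every character has two encodings: the
// standard one (code < 128) for trusted text and a "complement" one
// (code + 128) for untrusted text. Consumers that understand the scheme (here
// two hypothetical mini-parsers, one for SQL string literals and one for HTML
// tags) treat a metacharacter as syntax only when it is in standard encoding;
// a complement-encoded quote or angle bracket is plain data.

const OFFSET = 128;

// Mark text as untrusted by switching every character to its complement form.
function complement(text) {
  let out = "";
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if (code >= OFFSET) throw new Error("toy model handles ASCII only");
    out += String.fromCharCode(code + OFFSET);
  }
  return out;
}

function isComplement(ch) {
  return ch.charCodeAt(0) >= OFFSET;
}

// The character as the user will eventually see it, whichever encoding it has.
function standard(ch) {
  return isComplement(ch) ? String.fromCharCode(ch.charCodeAt(0) - OFFSET) : ch;
}

// Mini SQL lexer: returns the contents of each string literal. A single quote
// delimits a literal only in standard (trusted) encoding.
function sqlLiterals(query) {
  const literals = [];
  let inString = false;
  let current = "";
  for (const ch of query) {
    if (standard(ch) === "'" && !isComplement(ch)) {
      if (inString) literals.push(current);
      current = "";
      inString = !inString;
    } else if (inString) {
      current += standard(ch);
    }
  }
  if (inString) throw new Error("unterminated string literal");
  return literals;
}

// Mini HTML scanner: returns the tag names a browser honouring the scheme
// would parse. '<' and '>' open and close a tag only in standard encoding.
function htmlTags(html) {
  const tags = [];
  let inTag = false;
  let name = "";
  for (const ch of html) {
    const std = standard(ch);
    if (std === "<" && !isComplement(ch)) {
      inTag = true;
      name = "";
    } else if (std === ">" && !isComplement(ch) && inTag) {
      inTag = false;
      tags.push(name);
    } else if (inTag) {
      name += std;
    }
  }
  return tags;
}

// Application code: trusted templates with an untrusted value embedded.
// "Legacy" passes the value through unchanged; "coded" marks it untrusted.
const SQL_PREFIX = "SELECT * FROM users WHERE name = '";
function sqlLegacy(value) { return SQL_PREFIX + value + "'"; }
function sqlCoded(value) { return SQL_PREFIX + complement(value) + "'"; }
function htmlLegacy(value) { return "<p>" + value + "</p>"; }
function htmlCoded(value) { return "<p>" + complement(value) + "</p>"; }

// Constructed hostile inputs.
const SQLI = "x' OR '1'='1";
const XSS = "<script>alert(1)</script>";

console.log(sqlLiterals(sqlLegacy(SQLI))); // three literals: the OR became syntax
console.log(sqlLiterals(sqlCoded(SQLI)));  // one literal containing the whole input
console.log(htmlTags(htmlLegacy(XSS)));    // p, script, /script, /p
console.log(htmlTags(htmlCoded(XSS)));     // p, /p
```

The point of the model is that no sanitization happens in the application at all: the application only has to mark where untrusted data enters, and the interpreter at the other end, having been taught the second encoding, can no longer mistake user-supplied quotes or angle brackets for syntax. The paper's real scheme covers full character sets and requires the modifications to the browser, interpreter and DBMS mentioned above.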

Secure SDLC

Thanks to the (very interesting) security blog at www.clerkendweller.com I was made aware of the paper “Exploring the Relationship Between Web Application Development Tools and Security” by Matthew Finifter and David Wagner of the University of California, Berkeley. Their presentation from WebApps 2011 is available here. The authors come to the following conclusions:

  • There is no relationship between choice of programming language and application security;
  • Automatic framework protection measures (such as for CSRF and session management) are effective at precluding vulnerabilities, while manual protection mechanisms provide little value;
  • Manual source code review is more effective than automated black-box testing, but testing is complementary.

Note that the authors came to those conclusions based on a review of nine implementations (by nine different professional programming teams) of the same application. Three teams used Perl, three used Java and three used PHP. The manual review and the automated black-box test were executed by Matthew Finifter. For the black-box test the brilliant Burp Suite Professional was used.

Personally I believe that Burp is an invaluable tool in the hands of a manual tester (we use it at Astyran), but not really the best in ‘automated’ (scan-based) black-box testing. See for instance the results of the recently publicized scanner benchmark. But the well-written paper is certainly worth a read and will no doubt be abused in the heated “manual versus automated reviews” wars.

Risk Management

ISACA (the Information Systems Audit and Control Association) published the white paper “Mobile Payment: Risk, Security and Assurance Issues”. This - very high level - white paper examines the current state and nature of the mobile payments market, some of the relevant enabling technologies, and looks at the relevant risk, security and assurance issues that security and audit professionals will want to consider when developing and evaluating mobile payment services.

Web 2.0 and Beyond

An interesting paper, “Security Issues in NoSQL Databases”, in the proceedings of the 2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11 reviews two of the most popular NoSQL databases (Cassandra and MongoDB) and outlines their main security features and problems.

The conclusions are “Clearly the future generations of such DBMSs need considerable development and hardening in order to provide secure environment for sensitive data which is being stored by applications (such as social networks) using them.” More information in a previous blog-post of mine.

Disclaimer

This post is not supposed to be a full list of all publications regarding application security this month but just a selection, based on the amount of time we had free to read them and the relevancy of the topics to our work.

Anything I missed or that you think should be added to this list? Let me know!

Please find earlier overviews here:

“Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws.” (Douglas Adams, Mostly Harmless)

Thursday, 24 November 2011

There is No Security in NoSQL

An interesting paper, “Security Issues in NoSQL Databases”, in the proceedings of the 2011 International Joint Conference of IEEE TrustCom-11/IEEE ICESS-11/FCST-11 reviews two of the most popular NoSQL databases (Cassandra and MongoDB) and outlines their main security features and problems.

The conclusions are “Clearly the future generations of such DBMSs need considerable development and hardening in order to provide secure environment for sensitive data which is being stored by applications (such as social networks) using them.” An interesting article about the paper can be found here.

Let’s investigate this further!

What is a NoSQL Database?

A NoSQL Database is a database that is not relational by definition and does not support full SQL (Structured Query Language) functionality. A typical relational DBMS (Database Management System) performs poorly on data-intensive applications needed for high-traffic websites.

A NoSQL database focuses on performance and scalability, has a simple data model, a primitive query language and little or no support for managing data consistency and integrity constraints.

Status and Recommendations

The paper itself concluded that the main problems to both Cassandra and MongoDB are “the lack of encryption support for the data files, weak authentication both between the client and the servers and between server members, very simple authorization without support for RBAC or fine-grained authorization, and vulnerability to SQL Injection and Denial of Service attacks”.

The following overview gives, per category, the security status of Cassandra as reviewed in the paper and the authors’ recommendations:

  • Data at rest
    Status: Unencrypted.
    Recommendation: Protect with OS-level mechanisms.
  • Authentication
    Status: The available solution isn’t production ready.
    Recommendation: Implement a custom IAuthentication provider.
  • Authorization
    Status: Done at column-family (CF) granularity; the available solution isn’t production ready.
    Recommendation: Implement a custom IAuthority provider.
  • Auditing
    Status: Not available out of the box.
    Recommendation: Implement as part of the authentication and authorization solutions.
  • Intercluster network communication
    Status: Encryption is available.
    Recommendation: Enable it, using a private CA.
  • Client communication
    Status: No encryption is available.
    Recommendation: Add packet-filter rules to prevent unknown hosts from connecting. Re-implement the Thrift server side to use the SSL transport in Thrift 0.6. Add timeouts for silent connections on the Thrift server side, and cap the number of accepted client connections.
  • Injection attacks
    Status: Possible in CQL (Cassandra Query Language).
    Recommendation: If using the Java driver, prefer PreparedStatements to Statements. Always perform input validation in the application.

The paper states that “security was not a primary concern of MongoDB’s designers. As a result there are quite a few holes in its design”. The following overview gives, per category, the security status of MongoDB and the authors’ recommendations:

  • Data at rest
    Status: Unencrypted.
    Recommendation: Protect with OS-level mechanisms.
  • Authentication for native connections
    Status: Available only in unsharded configurations.
    Recommendation: Enable if possible.
  • Authorization for native connections
    Status: READ / READ-WRITE / admin levels, only in unsharded configurations.
    Recommendation: Enable if possible; requires authentication to be enabled.
  • Auditing
    Status: Not available in MongoDB.
  • AAA (authentication, authorization, auditing) for RESTful connections
    Status: Users and permissions are maintained externally.
    Recommendation: Available if configured on a reverse proxy.
  • Database communication
    Status: Encryption is not available.
  • Injection attacks
    Status: Possible, via JavaScript or string concatenation.
    Recommendation: Verify that the application does reasonable input validation.
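The two MongoDB injection paths in the overview above (JavaScript in a $where clause built by string concatenation, and operator objects arriving where a string was expected) are easy to reproduce. The following added example is written for this page, not taken from the paper; it needs no database, because the vulnerable and hardened query builders return the filter an application would hand to the driver, and a small in-memory matcher (hypothetical, supporting just the two filter shapes used here) shows what the server would do with each. All request bodies and user records are constructed.

```javascript
// Added example, not from the paper: how MongoDB injection arises when an
// application builds queries from request bodies, and the checks that close it.
// The matcher at the bottom is a hypothetical stand-in for the server, good
// only for the filter shapes used here (equality, {$ne: ...} and $where).

// Constructed request bodies: one legitimate login and two hostile ones.
const goodBody = { username: "alice", password: "s3cret" };
// Operator injection: a JSON body parsed by a web framework carries an object
// where a string was expected; {$ne: null} matches any stored password.
const operatorBody = { username: "alice", password: { $ne: null } };
// JavaScript injection into a $where clause assembled by concatenation.
const jsBody = { username: "alice", password: "x' || '1'=='1" };

// Vulnerable 1: request values are dropped straight into the filter object.
function loginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Vulnerable 2: server-side JavaScript built from strings.
function loginWhereUnsafe(body) {
  return {
    $where: "this.username == '" + body.username +
            "' && this.password == '" + body.password + "'"
  };
}

// Hardened: reject operator-like keys anywhere in the input, insist that the
// fields used in the filter are primitive strings, and never build $where
// expressions from user data at all.
function assertPlainString(value, name) {
  if (typeof value !== "string") throw new TypeError(name + " must be a string");
  return value;
}

function containsOperatorKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some(k => k.startsWith("$") || containsOperatorKey(value[k]));
}

function loginFilterSafe(body) {
  if (containsOperatorKey(body)) throw new Error("operator in request body");
  return {
    username: assertPlainString(body.username, "username"),
    password: assertPlainString(body.password, "password")
  };
}

// Constructed user collection.
const users = [
  { username: "alice", password: "s3cret" },
  { username: "bob", password: "hunter2" }
];

// Hypothetical stand-in for the server's filter evaluation.
function matchesField(docValue, filterValue) {
  if (filterValue !== null && typeof filterValue === "object" && "$ne" in filterValue) {
    return docValue !== filterValue.$ne;
  }
  return docValue === filterValue;
}

function find(filter) {
  if ("$where" in filter) {
    // The server evaluates the expression with `this` bound to each document.
    return users.filter(doc => new Function("return (" + filter.$where + ");").call(doc));
  }
  return users.filter(doc => Object.keys(filter).every(k => matchesField(doc[k], filter[k])));
}

console.log(find(loginFilterUnsafe(operatorBody)).length); // 1: alice, password never checked
console.log(find(loginWhereUnsafe(jsBody)).length);        // 2: every user matches
console.log(find(loginFilterSafe(goodBody)).length);       // 1: the legitimate login
console.log(find(loginFilterSafe(jsBody)).length);         // 0: the payload is just a wrong password
```

Two details are worth noting. The type check matters even where the framework delivers JSON, because the driver will happily serialize a nested object as a query operator; and the hardened version does not try to sanitize $where input, it simply never produces a $where clause, which is the only reliable fix for server-side JavaScript evaluation.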

Note: some of the security issues might have been fixed in later versions than the ones reviewed in the paper. The authors reviewed Cassandra 0.8.X but did not mention the version under review for MongoDB.

Conclusion

Well, since NoSQL databases were never designed for security, it will be very difficult if not impossible to fix all issues. I cannot imagine the use of a ‘proxy’ will ever be implemented: if high availability is your primary concern, you just don’t add another component.

NoSQL databases certainly have their uses, but unfortunately, they are already in use in situations (e.g. privacy-related data) where security is certainly needed.

Not providing any security measures and even making it impossible to audit access does not seem to me the brightest idea ever, but I’m sure - in the not so distant future - it will make the life of hackers and pen-testers a lot easier. Let me also be the first to ROFL when I’ll hear the term APT (Advanced Persistent Threat) being used in connection with a break-in into a NoSQL database.

“It was a programming technique that had been reverse-engineered from the sort of psychotic mental blocks that otherwise perfectly normal people had been observed invariably to develop when elected to high political office”. (Douglas Adams, Mostly Harmless)

Further References

[1] Lior Okman, Nurit Gal-Oz, Yaron Gonen, Ehud Gudes and Jenny Abramov, “Security Issues in NoSQL Databases”, Proceedings of the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-11), Changsha, China, November 2011.

[2] Christof Strauch, “NoSQL Databases”, 2011.

[3] Bryan Sullivan, “NoSQL, But Even Less Security: Attacking and Defending NoSQL”, presentation, RSA Conference Europe 2011.

History

2011/11/24 - First version

Wednesday, 23 November 2011

Astyran Article Appears in PenTest Magazine

Just a quick message that I am very proud that my article “Pulling the Legs of Arachni” appeared in the most recent edition of PenTest Magazine.

Arachni is a fire-and-forget or point-and-shoot web application vulnerability scanner. Some additional information on how to get it running on Windows (using Cygwin) is available here.

PenTest Magazine is a monthly downloadable IT security mag, devoted exclusively to penetration testing. It features articles by penetration testing specialists and enthusiasts, experts in vulnerability assessment and management.

Luckily they didn’t call it Penetration Test Magazine, since Google does not like that term.

I already got some questions about the Astyran advertisement that appeared in the same issue. People want to know where the picture was taken. Well, here is the answer: the picture was taken by yours truly on a wonderful holiday in 2009 in Iceland. It shows a view of the plains of Þingvellir, where the first Icelandic parliament was established in 930. More pictures will be available on my travel blog as soon as I have time!


Sunday, 20 November 2011

Application Security Highlights (Oct 2011)

This is a list of articles, blog entries and studies related to application security that we found interesting and worthwhile reading this month at Astyran.

Cloud Security

  • Researchers from North Carolina State University developed a new technique called "Strongly Isolated Computing Environment" (SICE) to reduce the attack surface of the hypervisor in cloud computing. SICE keeps the trusted computing base (TCB) very small: only about 300 lines of code need to be trusted.

Encryption

  • Researchers of the Ruhr-Universität Bochum published a summary of how they break components of the W3C XML Encryption specification. It is a chosen-ciphertext attack: specifically modified ciphertexts are sent to a web service and its responses are analysed to learn about the plaintext. The attack is limited to situations where AES is used in cipher-block chaining (CBC) mode.

The HUMAN Factor

  • Researchers at Stanford University recently found that 13 out of 15 CAPTCHA schemes were vulnerable to automated attacks. In their research paper “Text-based CAPTCHA Strengths and Weaknesses” the team suggests several approaches to make CAPTCHAs harder to beat and describes the design of their tool Decaptcha. Further reading and slides available here.

Security Principles

  • An interesting paper (Gaming security by obscurity) by Professor Dusko Pavlovic of Royal Holloway, University of London and University of Twente applies game theory to security and comes to the conclusion that security by obscurity might actually have some benefits after all. The author describes the new security paradigm “applied security by obscurity”:
    • The first idea is that security is a game of incomplete information: by analysing the enemy’s behaviours and algorithms and by obscuring your own, you can improve the odds of winning this game. This claim contradicts Kerckhoffs’ Principle.
    • The second idea is that of one-way programming, based on the concept of logical complexity of programs: easy to construct, but hard to deconstruct and transform. A system programmed in that way could still allow computationally feasible, but logically unfeasible attacks.
    • The last insight: both game theory and the immune system teach us that we cannot avoid profiling the enemy. But both social experience and the immune system teach us that we must set the thresholds high to avoid the false positives that profiling methods are so prone to.

Risk Management

Web 2.0 and Beyond

  • The W3C (World Wide Web Consortium) has published (October 25th) a Last Call Working Draft of Web Storage. This specification introduces two related mechanisms, similar to HTTP session cookies, for storing structured data on the client side. Comments are welcome through 15 November.
  • The W3C updated three drafts (October 20th) which might be interesting from an attacker’s point of view:
    • File API, which provides an API for representing file objects in web applications, as well as programmatically selecting them and accessing their data.
    • Server-Sent Events, which defines an API for opening an HTTP connection for receiving push notifications from a server in the form of DOM events. The API is designed such that it can be extended to work with other push notification schemes such as Push SMS.
    • HTML5 Web Messaging, which defines two mechanisms for communicating between browsing contexts in HTML documents.
  • Researchers from the Ruhr-Universität Bochum publicized the paper “Crouching Tiger – Hidden Payload, Security Risks of Scalable Vector Graphics” detailing several novel attack techniques targeted at websites, browsers, email clients and other comparable tools.

Well, that’s it for this month! Sorry to have been a bit late.

This post is not supposed to be a full list of all publications regarding application security this month but just a selection, based on the amount of time we had free to read them and the relevancy of the topics to our work. Anything I missed or that you think should be added to this list? Let me know!

“Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws.” (Douglas Adams, Mostly Harmless)