Presentation transcript (theme: "Experiment: one developer, one week"):

Slide 2: Experiment:
* One developer
* One week

Slide 3:
1: public static void present() {
2: What’s a Java Enterprise Rootkit?
3: Turning Data into Code in the JVM
4: Hiding from Source Code Analysis (both kinds)
5: Trojaning Libraries
6: Owning the Build
7: Keeping Malicious Java Out
8: Questions
9: }

Slide 4: Java a bit rusty? Download the paper! No social skills? Download the code! (modified BSD license) http://www.aspectsecurity.com/documents/EnterpriseJavaRootkits.zip

Slide 5: Security Alert! Definition: A Java Enterprise Rootkit is code that makes a malicious payload harder to find.

Slide 6:
Disclaimer: Java is an excellent choice for secure enterprise web applications.
Likelihood: No protection, no detection. How many developers touch your application stack?
Impact: What damage could one developer’s code actually do?
Not considering the risk from a malicious developer is reckless. (Hippocratic Oath)
Security Alert! Production Alert! Your developers already have full privilege in production.

Slide 7:
“Although Java 2 security is supported, it is disabled by default” (WebSphere 7.0)
“Using a Java Security Manager is an optional security step” (WebLogic 10)
“The security manager is disabled by default” (GlassFish Prelude 3)
“Tomcat can be started with a SecurityManager in place by using the -security option” (Tomcat 6.0)
Security Alert! Shields DOWN! Running without a Java SecurityManager means any code or library can do absolutely anything!


Slide 9: /* Hiding Data */
byte[] b = { 0x41, 0x54, 0x22, 0x24, 0x85, … };
a.foo() + b + c.bar();
new sun.misc.BASE64Decoder().decode(b);
request.getHeader( Bean.CONSTANT );
s.executeQuery( "SELECT * FROM BAD" ).getString(1);
@Override toString() anywhere and call "" + o;

Slide 10: /* Writing Bytecode */

Slide 11: /* Abusing the Java Compiler API */

Slide 12: /* Abusing the JSP Compiler */

Slide 13: /* Abusing the ClassLoader */

Slide 14: /* Abusing the Java Instrumentation API */

Slide 15: /* Abusing the Java Instrumentation API */


Slide 17: /* PsyOps */
1: // Good code reviewers make assumptions
2: // You can easily mislead them
4: Use misleading method, variable, and class names
5: Use misleading comments
6: Make well-known methods do the wrong thing
7: Use http://www.javapuzzlers.com/
8: Add a @SuppressWarnings annotation to your attack!

Slide 18: /* Abusing Overpowerful Methods */

Slide 19: /* Abusing Reflection 1 */

Slide 20: /* Abusing Reflection 2 */

Slide 21: /* Abusing Code Formatting */ Security Alert! Puzzler! Try decoding the real encoded (and obfuscated) Java file at: http://extrods.googlecode.com/svn/trunk/clients/jargon/src/api/edu/sdsc/grid/io/Lucid.java

Slide 22: /* More Code Formatting */ Security Alert! Free Tools! The code for this paper includes tools to encode and decode Java source code using this method.

Slide 23: /* Abusing Java EE Filters */

Slide 24: /* Abusing Java EE Filters */ Security Alert! Easier and Easier! In the latest servlet specification, 3.0, you can add and remove servlets and filters programmatically!

Slide 25: /* Abusing Taint Tracing 1 */

Slide 26: /* Abusing Taint Tracing 2 */

Slide 27: /* Abusing Control Flow Analysis */

Slide 28: /* Abusing Timing Channels */ (diagram: SEND / RECV)


Slide 30: /* Trojaning Popular Libraries */

Slide 31: /* Trojaning Class Files */ Security Alert! Thank You Sun! Making the ByteCode Engineering Library (BCEL) available right in rt.jar makes things much easier!

Slide 32: /* Trojaning Jar Files */ Security Alert! Signing? With a bit more code you can generate a signed jar.

Slide 33: /* Trojaning Java Installation */ Security Alert! Bonus! Put files in the /ext directory and they are automatically put on the classpath AND get AllPermission for ALL applications!


Slide 35: /* "Reflections on Trusting Trust" */
“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.”
“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)”
Ken Thompson, 1984, http://cm.bell-labs.com/who/ken/trust.html

Slide 36:
1: Maven, Hudson, Subversion, Sonar (default install)
Hudson core: 103 open source projects
Hudson dependencies: ~50 open source projects
Maven core: ~15 open source projects
Nexus core: 86 open source projects
Subversion: ~3 open source projects
Sonar: ~100 open source projects
2: Overall: over 16 million lines of code, 503 open source projects involved
Security Alert! Vulnerable? Two hours looking at Hudson resulted in 6 XSS and 4 CSRF…
http://host/hudson/computer/(master)/script?script=Runtime.getRuntime().exec("notepad")

Slide 37: /* Abusing Build Tasks */ Security Alert! Remote! Remember, this will run on the build server and likely on every developer’s machine!

Slide 38: /* Abusing Test Cases */

Slide 39: /* Abusing Dependency Resolution */


Slide 41:
1: Limit the Number of Developers
2: Find Trustworthy Developers
3: Limit Trust During Coding
4: Limit Trust in Your Build Process
5: Limit Trust in Operations
6: Create Overlapping Trust
7: Detect Malicious Code
Security Alert! Plausible Deniability! After all this, the safest attack is to make a backdoor look like an inadvertent programming error like the OWASP Top Ten.
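A first-pass check for the "Detect Malicious Code" step, added here as an example and not part of the talk or its code download: it scans the class files inside a jar for constant-pool references to the APIs the earlier slides name (Instrumentation, the Compiler API, ClassLoader, the BCEL copy in rt.jar, sun.misc.BASE64Decoder, Runtime). The jar it scans is constructed inline from fake class entries; the labels and the "Agent"/"Patcher" names are assumptions for the sample.

```python
"""Constant-pool triage of a Java archive (added example, not the talk's code).

Every class a .class file references is stored in its constant pool as a
CONSTANT_Utf8 entry: tag byte 0x01, 2-byte big-endian length, then the
internal name. Searching for the whole entry is cheap and avoids parsing.
A rootkit can still hide names (slide 9), so a hit is a place to read
first, and an empty result is not evidence of a clean jar.
"""
import io
import zipfile

def cp_utf8(name):
    """Exact CONSTANT_Utf8 entry for `name` (bytes). Matching the whole entry
    keeps java/lang/Runtime from also matching java/lang/RuntimeException."""
    return b"\x01" + len(name).to_bytes(2, "big") + name

# Label -> byte pattern. All are exact entries except BCEL, a package prefix.
SUSPICIOUS = {
    "Instrumentation API": cp_utf8(b"java/lang/instrument/Instrumentation"),
    "Java Compiler API": cp_utf8(b"javax/tools/JavaCompiler"),
    "direct ClassLoader use": cp_utf8(b"java/lang/ClassLoader"),
    "BCEL bundled in rt.jar": b"com/sun/org/apache/bcel/internal/",
    "BASE64Decoder (hidden data)": cp_utf8(b"sun/misc/BASE64Decoder"),
    "Runtime (process execution)": cp_utf8(b"java/lang/Runtime"),
}

def scan_class(data):
    """Labels whose pattern occurs in one class file's raw bytes."""
    return [label for label, needle in SUSPICIOUS.items() if needle in data]

def scan_jar(jar_bytes):
    """Scan every .class entry of a jar given as bytes: {entry: [labels]}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".class"):
                hits = scan_class(zf.read(info))
                if hits:
                    findings[info.filename] = hits
    return findings

def build_sample_jar():
    """Constructed stand-in for a deployed lib jar: the .class entries are
    just the magic number plus a few constant-pool strings, not real bytecode."""
    magic, buf = b"\xca\xfe\xba\xbe", io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Clean.class", magic + cp_utf8(b"java/lang/String")
                    + cp_utf8(b"java/lang/RuntimeException"))
        zf.writestr("com/example/Agent.class", magic + cp_utf8(b"java/lang/instrument/Instrumentation")
                    + cp_utf8(b"java/lang/Runtime"))
        zf.writestr("com/example/Patcher.class",
                    magic + cp_utf8(b"com/sun/org/apache/bcel/internal/generic/ClassGen"))
    return buf.getvalue()

if __name__ == "__main__":
    for entry, labels in scan_jar(build_sample_jar()).items():
        print(entry, "->", ", ".join(labels))
```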


Slide 43: Questions and Answers

