Waratek Runtime Protection Platform

Transcription

1 Waratek Runtime Protection Platform Cirosec TrendTage - March 2018 Waratek Solves the Application Security Problems That No One Else Can Prateep Bandharangshi Director of Client Security Solutions

2

3

4 March, 2017 September, 2017 On 8 September, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 143 million U.S. consumers. Equifax said the breach was facilitated using a flaw in Apache Struts (CVE ). A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later.

5 March, 2017 September, 2017 On 8 September, 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 143 million U.S. consumers. Equifax said the breach was facilitated using a flaw in Apache Struts (CVE ). A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later.

6 January, 2018 Senators want 'massive' fines for data breaches at Equifax and other credit reporting firms January 10, 2018

7 February, 2018 The Equifax breach may have exposed more personal information of customers than previously thought. February 10, 2018

8 March, 2018 Equifax breach could be most costly in corporate history Total costs of the breach could be well over $600 million March 02, 2018

9 GDPR Implications IF breach was a violation of GDPR: the highest tier fine would translate to $125.8 million

10 CVE The Jakarta Multipart parser in Apache Struts x before and 2.5.x before has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

11 The Content-Type entity header is used to indicate the media type of the resource. In requests, (such as POST or PUT), the client tells the server what type of data is actually sent.

12 #dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognl t.setmemberaccess(#dm)))).(#cmd='cat s('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new

13 DEMO

14 Better coding will cure application attacks.

15 More Secure Application Coding Cannot Solve the Problem! We can t only rely on developers to write secure code

16 More Secure Application Coding Cannot Solve the Problem! Even if they do write, perfect, secure code, YOUR developers are only responsible for < 20% of the code that you actually run

17 More Secure Application Coding Cannot Solve the Problem! Large enterprises can identify far more vulnerabilities than they can actually fix

18 More Secure Application Coding Cannot Solve the Problem! Patching and updating everything is often completely unrealistic

19

20 Waratek Application Security Platform

21 Waratek Waratek is a plugin (agent) to the JVM or the.net CLR We solve three key problems: 1. Instantly patch Java and.net applications 2. Secure against OWASP Top Ten / SANS Virtually upgrade out-of-support Java applications Out of the box protection against remote code injection exploits like apache struts

22 Waratek Containers A container inside the Java Virtual Machine Architecturally similar to Docker

23 Waratek Containers In the Docker world, you have: A host operating system A guest Docker container In the Waratek world, you have: A host Java Virtual Machine A guest Java container

24 What can I use Docker for? Fast, consistent delivery of your applications Responsive deployment and scaling Running more workloads on the same hardware Docker is great for operations and deployment It was not designed to solve application security problems

25

26 Waratek Java Container Inside the JVM

27 Waratek Containers Waratek s Runtime Container is a quarantined in-jvm container with extensive application security controls A Runtime Container virtualizes the entire App Stack (including App s JRE) from the host JVM/CLR and OS A Runtime Container s security controls are invisible, extensible, and omnipresent Business Logic 3 rd Party Components Platform & Java APIs JRE 4-8 JVM Fully protected, containerized application Waratek Java 8/ 9 JVM

28 As Waratek is inside the application... We see every file system operation We see every network connection We see every call to a Java API We see every execution of an operating system command We see every connection to a database We see every SQL statement We see every memory read and write operation We see every CPU instruction etc., etc., etc. Most importantly, this visibility is complete and deterministic resulting in no false positives

29 Application Security Policy SQLi, XSS, CSRF, Unsafe Deserialisation File system operations (read/write/exec) Network I/O Use of Java APIs Zero day protection / hardening Virtual patching

30 curl -s tar zxf - demo@demo1:~$ export JAVA_HOME="/opt/oracle/jdk-hs-8u162-linux-x64" demo@demo1:~$ export CATALINA_OPTS=" \ -agentpath:${home}/waratek/libwaratek.so \ -javaagent:${home}/waratek/waratek.jar \ -Dcom.waratek.ContainerHome=/opt/oracle/jdk-hs-7u80-linux-x64 \ -Dcom.waratek.rules.local=${HOME}/jvc.rules \ -Dcom.waratek.log.properties=${HOME}/logProps.xml \ -Dcom.waratek.rules.autoreload=true" demo@demo1:~$./tomcat_startup.sh Identical deployment model to Application Performance Monitoring (APM) agents such as AppDynamics, New Relic

31 curl -s tar zxf - demo@demo1:~$ export JAVA_HOME="/opt/oracle/jdk-hs-8u162-linux-x64" demo@demo1:~$ export CATALINA_OPTS=" \ -agentpath:${home}/waratek/libwaratek.so \ -javaagent:${home}/waratek/waratek.jar \ -Dcom.waratek.ContainerHome=/opt/oracle/jdk-hs-7u80-linux-x64 \ -Dcom.waratek.rules.local=${HOME}/jvc.rules \ -Dcom.waratek.log.properties=${HOME}/logProps.xml \ -Dcom.waratek.rules.autoreload=true" demo@demo1:~$./tomcat_startup.sh Note that the host JVM version differs to that used by the guest Java Container

32 DEMO

33 Attack Detection/Response/Zero Day Runtime Protection Rules Unbounded rules replace/insert functionality at runtime to provide patch-equivalent remediation Rules make it possible to virtually patch any vulnerability in Java CPUs, AppServers (WebLogic, JBoss, Tomcat, etc) and frameworks Virtual patching applies instantly at runtime with immediate effect, without restarting the target application

34 Attack Detection/Response/Zero Day --- commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/multipartstream.java +++ commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/multipartstream.java -338,6 +332,12 throw new IllegalArgumentException( "The buffer size specified for the MultipartStream is too small"); } this.input = input; + this.bufsize = Math.max(bufSize, boundarylength*2); this.buffer = new byte[this.bufsize]; this.notifier = pnotifier; Source code fix this.boundary = new byte[this.boundarylength]; this.keepregion = this.boundary.length; RULE Virtual Patch for CVE CLASS org/apache/tomcat/util/http/fileupload/multipartstream METHOD <init>(java/io/inputstream,byte[],int,multipartstream$progressnotifier) AT WRITE bufsize IF true DO warn("applying Virtual Patch for CVE "); $bufsize = java/lang/math.max($bufsize, $boundarylength*2); ENDRULE Virtual Patch

35 Questions?