DevSecOps
COMP6443 : Topic 5 (Week 9)
COMP6443 – Week 3 – Injection
A NOTE ON ETHICS / LEGALITY
UNSW hosting this course is an extremely important step forward.
We expect a high standard of professionalism from you, meaning:
Respect the property of others and the university
Always abide by the law and university regulations
Be considerate of others to ensure everyone has an equal learning experience
Always check that you have written permission before performing a security test on a system
Always err on the side of caution. If you are unsure about anything ask one of the course staff!
COMP6443 – Week 3 – Injection
Agile vs. Waterfall
COMP6443 – Week 3 – Injection
Waterfall development
Software has been traditionally developed as a sequential project, visualised as a waterfall, with the output of each phase becoming the input to the next.
Pros:
Clear scheduling
Task dependency
Accurate planning
Cons:
Inflexibility for changing requirements while a project is being executed
Schedule blowout if one phase holds up the subsequent phases
Integration occurs at the very end of the process
COMP6443 – Week 3 – Injection
DEMO ROLE BASED ACCESS CONTROL DEMO
Security in a waterfall model
Requirements
Security goes here
Design
Implementation
Testing
Maintenance
COMP6443 – Week 3 – Injection
Security in a waterfall model
Requirements
Security goes here
Design
Implementation
Testing
Maintenance
Patch vulnerability
COMP6443 – Week 3 – Injection
COMP6443 – Week 3 – Injection
Source: http://ouriken.com/blog/which-one-is-right-for-you-waterfall-or-agile/
COMP6443 – Week 3 – Injection
Agile manifesto
We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.
… Scrums? Kanban? Sprints? Backlog grooming?
COMP6443 – Week 3 – Injection
DEMO ROLE BASED ACCESS CONTROL DEMO
Agile cycle
Phase Inputs Outcomes
Backlog Developer training Security prioritised
Design Secrets management Secure persistency
Development Software composition analysis Secure dependencies
Testing Static & dynamic analysis Fix bugs
Deployment Containerisation, hardening Defence in depth
Review Root cause analysis Bug class eradication
COMP6443 – Week 3 – Injection
DEMO ROLE BASED ACCESS CONTROL DEMO
Developer training
COMP6443 – Week 3 – Injection
Developer training
COMP6443 – Week 3 – Injection
Secrets management
Password vaults are the current best solution
Config file
App
Secret
Config file
App
Secret
Encryption key
COMP6443 – Week 3 – Injection
Common Vulnerability Enumeration CVE
COMP6443 – Week 3 – Injection
OVAL & NIST NVD
CVSS
CVE
The vulnerability
CPE
CWE
Risk rating
What is vulnerable?
Vulnerability
Taxonomy
COMP6443 – Week 3 – Injection
NVD Example
https://nvd.nist.gov/vuln/detail/CVE-2014-0003
COMP6443 – Week 3 – Injection
NVD Problems
COMP6443 – Week 3 – Injection
NVD Problems
COMP6443 – Week 3 – Injection
Dependency identification
NVD CPE identifies known vulnerable versions
Package metadata identifies version used
SCA tool attempts to match the two and identify known vulns
Package Metadata
NVD CPE
SCA Tool
Vuln Report
COMP6443 – Week 3 – Injection
Dependency identification in Java
NVD:
cpe:/a:springsource:spring_framework:3.2.0 cpe:/a:pivotal:spring_framework:3.2.0 cpe:/a:pivotal_software:spring_framework:3.2.0
GAV:
org.springframework:spring-core:3.2.0.RELEASE
Package Metadata
NVD CPE
SCA Tool
Vuln Report
Fail Build
COMP6443 – Week 3 – Injection
Source code analysis
$ grep -L “parameter-entities” $(grep -l -R “general-entities” *)
resteasy-jaxrs-2.3.2.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
https://www.openwall.com/lists/oss-security/2014/06/03/5
COMP6443 – Week 3 – Injection
Source code analysis
Unpack all release zips
Run through JD
Grep string
1 line matches
~3 hrs on latest MBP
COMP6443 – Week 3 – Injection
Sources, sinks & taints
String a = request.getParameter(“varname”);
String b = “We got value: “ + a;
byte[] c = b.getBytes();
String d = new String(c, “UTF-8”);
response.getWriter.println(d);
Source
Taint
Sink
COMP6443 – Week 3 – Injection
Static application security testing
Pros Cons
Find & fix vulns early Massive false positives
Identify vulns in configuration & conditions Manual triage & exploitation
Open source tools available Commercial deployments = $$$
Potential for bug class eradication Complexity of tweaking rules
COMP6443 – Week 3 – Injection
Dynamic application security testing
AKA DAST. Many tools, big commercial ones include Netsparker, Tenable, CheckMarx and Veracode.
COMP6443 – Week 3 – Injection
Dynamic application security testing
Pros Cons
Scanning of live targets Data corruption
Language independent Cannot read config files
Cloud based deployment Cannot understand complex dynamic client/server
Less false positives than SAST Relies on configuration to map attack surface
COMP6443 – Week 3 – Injection
Virtualisation vs containerisation
Guest OS
Hypervisor
Host OS
Infrastructure
App A
Guest OS
App B
Docker
Host OS
Infrastructure
App A
App B
COMP6443 – Week 3 – Injection
Container breakout CVE-2019-5736
RunC is a container runtime originally developed as part of Docker and later extracted out as a separate open source tool and library. As a “low level” container runtime, runC is mainly used by “high level” container runtimes (e.g. Docker) to spawn and run containers, although it can be used as a stand-alone tool. “High level” container runtimes like Docker will normally implement functionalities such as image creation and management and will use runC to handle tasks related to running containers – creating a container, attaching a process to an existing container (docker exec) and so on.
Credit: https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/
COMP6443 – Week 3 – Injection
Container breakout CVE-2019-5736
procfs is a virtual fs in Linux that presents information about processes, mounted to /proc. It can be thought of as an interface to system data that the kernel exposes as a filesystem. Each process has its own directory in procfs, at /proc/[pid]
/proc/self points to the current process. Each process’s directory contains information on the process. For the vulnerability, the relevant items are:
/proc/self/exe – a symbolic link to the executable file the process is running
/proc/self/fd – a directory containing the file descriptors open by the process.
For example, using ls /proc/self one can see that /proc/self/exe points to the ‘ls’ executable.
COMP6443 – Week 3 – Injection
Container breakout CVE-2019-5736
procfs is a virtual fs in Linux that presents information about processes, mounted to /proc. It can be thought of as an interface to system data that the kernel exposes as a filesystem. Each process has its own directory in procfs, at /proc/[pid]
/proc/self points to the current process. Each process’s directory contains information on the process. For the vulnerability, the relevant items are:
/proc/self/exe – a symbolic link to the executable file the process is running
/proc/self/fd – a directory containing the file descriptors open by the process.
For example, using ls /proc/self one can see that /proc/self/exe points to the ‘ls’ executable.
COMP6443 – Week 3 – Injection
Container breakout CVE-2019-5736
Anattacker can trick runC into executing itself by asking it to run /proc/self/exe, which is a symbolic link to the runC binary on the host.
An attacker with root access in the container can then use /proc/[runc-pid]/exe as a reference to the runC binary on the host and overwrite it.
Root access in the container is required to perform this attack as the runC binary is owned by root.
The next time runC is executed, the attacker will achieve code execution on the host.
Since runC is normally run as root (e.g. by the Docker daemon), the attacker will gain root access on the host.
COMP6443 – Week 3 – Injection
docker-bench-security
COMP6443 – Week 3 – Injection
Continuous integration|deployment
Source: atlassian.com
COMP6443 – Week 3 – Injection
Continuous integration|deployment
COMP6443 – Week 3 – Injection
READING MATERIAL (REFERENCE)
Find-sec-bugs
https://find-sec-bugs.github.io/
Tracking vulnerable JARs
OWASP dependency check
https://owasp.org/www-project-dependency-check/
OWASP ZAP
https://owasp.org/www-project-zap/
Jenkins
https://www.jenkins.io/
Docker-bench-security
https://github.com/docker/docker-bench-security
COMP6443 – Week 3 – Injection
WEEK 9 ASSESSMENT
Exam question based on provided scenario
Similar in structure to a job interview question
Answer will be a few paragraphs of text
Please call out if you get stuck.
Support one another, your tutors are here to help!
COMP6443 – Week 3 – Injection
questions? slack / email / come talk to us
THANKS FOR LISTENING TO US RANT!
COMP6443 – Week 3 – Injection