Transcript

Security Policy Management: Easy as PIE

Ian Haken

What I’m Talking About Today

• A look at security policies in applications
  – I will mostly be speaking in the context of Java web applications, though much is general.

• How security managers are used in practice
  – Or, more precisely, how they aren’t used.

• A slice of PIE
  – A new FOSS tool for building and managing security policies for Java applications.

Security Policy Management: Easy as PIE – Ian Haken

2

What is a Security Policy?

• A security policy defines the “resources” an application can access.

• Access is usually conditioned on context.
  – Is the user authenticated?
  – What role(s) does the user possess?
  – What is the origin of the resource access request?


An Idealized Security Policy

(Table: columns are Stock Prices, Investment Demo, My Portfolio, Total Assets Under Mgmt; each row lists the resources that role may access.)

No Authentication (AuthN): ✓
Guest: ✓ ✓
User: ✓ ✓ ✓
Admin: ✓ ✓


A More Realistic Security Policy

(Table: columns are Stock Prices, Investment Demo, My Portfolio, Total Assets Under Mgmt; each role is now split by the origin of the request.)

No AuthN, Internal IP: ✓
No AuthN, External IP: ✓ ✓
Guest, Internal IP: ✓ ✓
Guest, External IP: ✓
User, Internal IP: ✓ ✓
User, External IP: ✓ ✓ ✓
Admin, Internal IP: ✓ ✓
Admin, External IP: ✓ ✓

An Even More Realistic Security Policy

(Table: columns are Stock Prices, Investment Demo, My Portfolio, Total Assets Under Mgmt, further divided into the sub-columns Private, Public, Beta Features, Production Features, Projections, History, Potential Clients, Current Clients.)

No AuthN, Internal IP: ✓ ✓
No AuthN, External IP: ✓ ✓
Guest, Internal IP: ✓ ✓ ✓
Guest, External IP: ✓
User, Internal IP: ✓ ✓ ✓ ✓
User, External IP: ✓ ✓ ✓ ✓
Admin, Internal IP: ✓ ✓ ✓ ✓ ✓ ✓
Admin, External IP: ✓ ✓ ✓ ✓ ✓

Security Managers

• A Security Manager is a component which enforces the relevant security policy.
  – Database and filesystem access control lists
  – Firewall rules
  – Android permissions framework
  – Content Security Policy (CSP)
  – The Java Security Manager
  – Spring Security


Content Security Policy

• A defense-in-depth solution which, if well-implemented in an application, could eliminate some XSS

• For each page, CSP whitelists origins for which content can be loaded.

• Since script/CSS/image/etc content is (usually) static, this means only trusted content is loaded.


Java Security Manager

• In the JDK since 1.0 (1996)

• Most common use-case is to sandbox untrusted code, i.e. web applets, Google App Engine, and dynamic analyzers.

• Enforces a security policy when accessing system resources, e.g. filesystem, network sockets, process invocation, thread creation, reflection, class loader, etc.


Spring Security

• Framework for managing user authentication and authorization controls

• Highly flexible and customizable

• Supports lots of other web application protections: CSRF, session fixation, etc.

• Can use annotations to define method-level authorization checks


In General

• Security Managers enforce policies and often add a layer of protection to applications

• If utilized properly, they can mitigate or even eliminate entire classes of vulnerabilities


A Use Case: Struts 2

• Struts 2 has been plagued by OGNL-injection issues (at least 12 remote code execution CVEs).

• Example: Roller 5.0.0 uses Struts 2.2.1

$> curl -s -X GET -G \
     http://localhost:8080/roller/roller-ui/login.rol \
     --data-urlencode "pageTitle=\${(#_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(‘calc'),'')}"


A Use Case: Struts 2

• A first pass for one issue used a regex to blacklist disallowed characters. It blocked one attack but remained open to others [1]:

“The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() method didn't cover other cases…”

• The current codebase uses a regex whitelist to prevent OGNL-injection

[1] Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html

A Use Case: Struts 2

• If you’re supporting a legacy Struts 2 app and can’t upgrade, you need an additional layer of protection.

• The current version doesn’t have known exploits, but are we sure there’s no intersection between the whitelist and malicious OGNL?


A Use Case: Struts 2

• For both legacy and current Struts 2 apps, the Java SM with a strong security policy can mitigate your overall risk:
  – Disallows unused OGNL directives
  – Disallows class loader manipulation
  – Disallows process invocation
  – Disallows arbitrary filesystem access
  – …


Awesome!


• Security managers add a layer of defense
  – They can protect legacy code with known vulnerabilities
  – Or current code with unknown vulnerabilities.

• They’re widely available and have been around for years.


Awesome!


So every web application out there is using these things, right?


The State of CSP

• As of April 27, 2015, in the Alexa Top 500 sites, only 2.7% are using CSP.
  – And of those, more than 60% include ‘unsafe-eval’ or ‘unsafe-inline’ for script-src.

• Across the wider web, utilization drops further. Informal reports suggest less than 0.5% of sites use CSP.


The State of the Java Security Manager

• As aforementioned, used in several places as a sandboxing mechanism.

• Prevalence is hard to measure; it’s bundled with the JDK, and usually has no fingerprint when used server-side.

• But anecdotally, no production system that I or anyone I know has seen uses it on top of trusted applications.


Why Aren’t These Tools Getting Used?

• Performance impact?
  – A 2004 paper by Herzog and Shahmehri [2] showed a 5% to 100% time increase per resource access in the Java Security Manager.
    • However, this difference is marginal given the overhead of typical web applications, in particular network request/response time, and the low density of security-manager-relevant operations.
  – CSP adds ~0.02ms per resource load in Firefox [3].


Why Aren’t These Tools Getting Used?

• Ease-of-use
  – Difficult to write a policy
    • What permissions do you need to add?
    • What parts of the application need those permissions?
  – Difficult to validate a policy
    • Should you really be whitelisting dxgmaaybvjuttx.cloudfront.net or should it be *.cloudfront.net?
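The two CSP review questions raised here and on the "State of CSP" slide (does script-src end up with 'unsafe-inline'/'unsafe-eval', and is a host like dxgmaaybvjuttx.cloudfront.net really meant to be listed on its own?) can be checked mechanically. The following is an added example, not code from PIE; the header value is constructed, and only the dxgmaaybvjuttx.cloudfront.net host comes from the slides.

```python
"""Audit a Content-Security-Policy header value for the two review questions
raised in the slides: does the effective script-src carry 'unsafe-inline' or
'unsafe-eval', and which host sources are so specific that they may belong
under a wildcard such as *.cloudfront.net. Added example, not PIE code."""
from collections import defaultdict

UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}
# CSP Level 1 fetch directives that inherit default-src when not set explicitly
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "object-src", "frame-src"}

# Constructed header: only dxgmaaybvjuttx.cloudfront.net comes from the slides.
SAMPLE_HEADER = ("default-src 'self'; "
                 "script-src 'self' 'unsafe-inline' https://dxgmaaybvjuttx.cloudfront.net "
                 "https://d1abc.cloudfront.net; "
                 "img-src 'self' data: https://d2xyz.cloudfront.net; style-src 'unsafe-inline'")


def parse_csp(header):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that actually govern a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def unsafe_script_sources(policy):
    """'unsafe-*' keywords that apply to scripts, whether set directly or inherited."""
    return sorted(s for s in effective_sources(policy, "script-src") if s.lower() in UNSAFE)


def wildcard_candidates(policy, min_siblings=2):
    """Group host sources by parent domain. Several siblings under one parent means
    either a deliberate '*.parent' entry or a review of why each host is listed."""
    by_parent = defaultdict(set)
    for sources in policy.values():
        for src in sources:
            host = src.split("://")[-1].split("/")[0].split(":")[0]
            # skip keywords ('self'), scheme sources (data:), existing wildcards, bare names
            if host.startswith(("'", "*")) or "." not in host:
                continue
            labels = host.split(".")
            if len(labels) >= 3:
                by_parent[".".join(labels[1:])].add(host)
    return {parent: sorted(hosts) for parent, hosts in by_parent.items()
            if len(hosts) >= min_siblings}


def audit(header):
    policy = parse_csp(header)
    return {"unsafe_script": unsafe_script_sources(policy),
            "wildcard_candidates": wildcard_candidates(policy)}


if __name__ == "__main__":
    print(audit(SAMPLE_HEADER))
```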


Why Aren’t These Tools Getting Used?

• Ease-of-use
  – Keeping it up-to-date
    • What if a developer changes the data path?
    • What if hostnames get changed?
    • What if you upgrade a dependency?


Using Security Manager with Tomcat

Tomcat ships with a security manager policy which provides sane defaults and isolation between applications.

$> ./startup.sh -security


Using Security Manager with Tomcat


$> cat catalina.out
[ERROR] ContextLoader - Context initialization failed <org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")>
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    ...
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.Class.checkMemberAccess(Class.java:2281)
    at java.lang.Class.getDeclaredMethods(Class.java:1859)
    at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
    at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
    at org.springframework.asm.ClassReader.a(Unknown Source)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
    at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
    at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
    at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
    ... 39 more


Using Security Manager with Tomcat

The two things to pull out of that trace are the permission that was denied and the Spring class in the stack that needed it:

"java.lang.RuntimePermission" "accessDeclaredMembers"

org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor

Using Security Manager with Tomcat


$> cat catalina.policy
...
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };


Using Security Manager with Tomcat

So what “CodeBase” needs the permission?

The class which threw the exception was org.springframework.core.annotation.AnnotationUtils

In Pebble’s lib directory, there is:

spring-core-3.0.3.RELEASE.jar
spring-security-core-3.0.3.RELEASE.jar
spring-web-3.0.3.RELEASE.jar
spring-security-web-3.0.3.RELEASE.jar
spring-context-3.0.3.RELEASE.jar
spring-beans-3.0.3.RELEASE.jar
spring-aop-3.0.3.RELEASE.jar
spring-asm-3.0.3.RELEASE.jar
spring-tx-3.0.3.RELEASE.jar
spring-expression-3.0.3.RELEASE.jar
spring-security-config-3.0.3.RELEASE.jar
spring-security-openid-3.0.3.RELEASE.jar


Using Security Manager with Tomcat

After much trial and tribulation you’ll (maybe) figure out that you need to append the following to catalina.policy:

grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-asm-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-beans-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-context-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-core-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-web-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
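The manual loop just described (read the AccessControlException, find the classes on the stack, map them to jars in WEB-INF/lib, write a grant block) can be scripted. The following is an added example, not part of PIE or Tomcat; the log text is a condensed, constructed copy of the trace above, and the class-to-jar index is a constructed illustration covering only those frames (a real one would be built by listing the contents of each jar, which is also why the hand-written answer above names spring-beans and spring-web from the "39 more" frames this script cannot see).

```python
"""Turn an AccessControlException in catalina.out into catalina.policy grant
blocks, one per jar that appears on the stack. Added example, not PIE/Tomcat
code. CLASS_INDEX is a constructed package-to-jar index for illustration."""
import re

DENIED_RE = re.compile(r'access denied \("([\w.]+)" "([^"]+)"(?: "([^"]+)")?\)')
FRAME_RE = re.compile(r'^\s*at ([\w.$]+)\.[\w$<>]+\(')

# Constructed index: package prefix -> jar. Only frames from the slide's trace are
# covered; in practice this comes from scanning every jar in WEB-INF/lib.
CLASS_INDEX = {
    "org.springframework.core.type.classreading": "spring-core-3.0.3.RELEASE.jar",
    "org.springframework.core.annotation": "spring-core-3.0.3.RELEASE.jar",
    "org.springframework.asm": "spring-asm-3.0.3.RELEASE.jar",
    "org.springframework.context.annotation": "spring-context-3.0.3.RELEASE.jar",
}

# Constructed, condensed from the trace shown on the slide.
SAMPLE_LOG = """Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.lang.Class.getDeclaredMethods(Class.java:1859)
    at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
    at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
    at org.springframework.asm.ClassReader.a(Unknown Source)
    at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
    ... 39 more"""


def parse_denial(log_text):
    """(permission class, name, actions) from the first 'access denied' line, or None."""
    m = DENIED_RE.search(log_text)
    return (m.group(1), m.group(2), m.group(3) or "") if m else None


def frame_classes(log_text):
    """Fully qualified class names of the stack frames, innermost first, de-duplicated."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = FRAME_RE.match(line)
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            out.append(m.group(1))
    return out


def jars_for(classes, index):
    """Map each frame class to a jar by longest matching package prefix; JDK and
    unknown classes have no entry and are skipped."""
    jars = []
    for cls in classes:
        best = max((p for p in index if cls.startswith(p + ".")), key=len, default=None)
        if best and index[best] not in jars:
            jars.append(index[best])
    return jars


def grant_blocks(log_text, index, webapp="pebble-2.6.4"):
    """One grant block per implicated jar, in catalina.policy syntax."""
    denial = parse_denial(log_text)
    if denial is None:
        return []
    perm_cls, name, actions = denial
    perm = f'permission {perm_cls} "{name}"' + (f', "{actions}"' if actions else "") + ";"
    return [f'grant codeBase "file:${{catalina.base}}/webapps/{webapp}/WEB-INF/lib/{jar}" {{\n'
            f'    {perm}\n}};' for jar in jars_for(frame_classes(log_text), index)]


if __name__ == "__main__":
    print("\n".join(grant_blocks(SAMPLE_LOG, CLASS_INDEX)))
```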


Using Security Manager with Tomcat


$> ./shutdown.sh; ./startup.sh -security


Using Security Manager with Tomcat

(Diagram: the loop you end up in.)

– Dig through the Tomcat log
– Figure out the correct permissions to add
– $> ./shutdown.sh
  $> ./startup.sh -security


Using Security Manager with Tomcat

• To load Pebble’s homepage, you’ll need to add 84 permissions.
  – Distributed across 16 JARs.

• And at this point, you haven’t even gotten to system-resource intensive actions:
  – Adding blog entries, file uploads, creating new users…


Introducing PIE

• PIE (Policy Instantiation & Enforcement) aims to be a tool for painlessly building a security policy for your application.

• It’s FOSS: github.com/coverity/pie

• It’s modular: Java Security Manager and CSP are two modules currently working with PIE out-of-the-box.


What is PIE?

• Has a learning mode which observes the execution of your application in order to automatically generate a security policy.

• Automatically simplifies/collapses the policy, making it easy to manually verify.

• A maven plugin integrates PIE into development and QA, making sure policy issues show up early in the SDLC


PIE: Policy Generation

(Diagram: Container (e.g. Tomcat) hosting webapp.war alongside PIE; JVM with the Java Security Manager; the learned policy is written out to pie.sm.policy.)

PIE: Policy Enforcement

(Diagram: the same stack, Container (e.g. Tomcat), webapp.war, PIE, JVM, Java Security Manager; pie.sm.policy is now read in and enforced.)


PIE: Policy Generation


$> mvn verify -Pselenium


PIE: Policy Generation

$> head -n 20 pie.sm.policy
"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar": {
  "java.io.FilePermission": {
    "/home/ihaken/pebble/*": { "read": {} },
    "/home/ihaken/pebble/blogs/default/-": { "delete,read,write": {} },
    "/home/ihaken/pebble/realm/*": { "read,write": {} },
    "/home/ihaken/tomcats/pebble/temp": { "read": {} },
    "/home/ihaken/tomcats/pebble/temp/*": { "delete,write": {} },
    "/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/*": { "delete,write": {} },
    "/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/images/*": { "write": {} }
  },
  "java.lang.RuntimePermission": {
    "accessDeclaredMembers": { "": {} },
    "defineClassInPackage.java.lang": { "": {} }
  },
  "java.lang.reflect.ReflectPermission": {
    "suppressAccessChecks": { "": {} }
  },
  "java.net.SocketPermission": {
    "resolve": { "ihaken-wrkst": {} }
  },


PIE: Policy Simplification

"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
  "java.io.FilePermission": {
    "/home/ihaken/tomcats/pebble/temp/upload_00000000.tmp": { "delete": {}, "read": {} },
    "/home/ihaken/tomcats/pebble/temp/upload_00000001.tmp": { "delete": {}, "read": {} },
    "/home/ihaken/tomcats/pebble/temp/upload_00000002.tmp": { "delete": {}, "read": {} },
    ...


PIE: Policy Simplification

"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
  "java.io.FilePermission": {
    "/home/ihaken/tomcats/pebble/temp/*": { "delete,read": {} }
  },
  ...

$> wc -l pie.sm.policy*
 1785 pie.sm.policy
   83 pie.sm.policy.simple
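The collapse shown on the last two slides, per-file entries for upload_00000000.tmp and its siblings becoming a single temp/* entry with the merged action list, is the core of what makes a learned policy reviewable. The following is an added example of that reduction, not PIE's own simplifier; the policy is constructed in the layout the slides show, and the pebble.properties path is invented to show a file that is left alone.

```python
"""Collapse per-file java.io.FilePermission entries into one directory wildcard
carrying the union of their actions, the reduction the slides show PIE making
(upload_0000000N.tmp entries becoming temp/*). Added example, not PIE's own
code; the policy layout follows the slides: codeBase -> permission class ->
name -> "comma,separated,actions" -> {}."""
import os

JAR = "file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar"

# Constructed sample in the slides' layout; pebble.properties is an invented path.
SAMPLE_POLICY = {
    JAR: {
        "java.io.FilePermission": {
            "/home/ihaken/tomcats/pebble/temp/upload_00000000.tmp": {"delete": {}, "read": {}},
            "/home/ihaken/tomcats/pebble/temp/upload_00000001.tmp": {"delete": {}, "read": {}},
            "/home/ihaken/tomcats/pebble/temp/upload_00000002.tmp": {"delete": {}, "read": {}},
            "/home/ihaken/pebble/blogs/default/-": {"delete,read,write": {}},
            "/home/ihaken/pebble/pebble.properties": {"read": {}},
        },
        "java.lang.RuntimePermission": {"accessDeclaredMembers": {"": {}}},
    }
}


def actions_of(action_specs):
    """{'delete': {}, 'read,write': {}} -> {'delete', 'read', 'write'}."""
    return {a for spec in action_specs for a in spec.split(",") if a}


def simplify_file_permissions(perms, min_group=2):
    """perms maps a path to its action specs. Plain files sharing a parent directory
    (at least min_group of them, or any number when parent/* already exists) are
    replaced by parent/* with the union of their actions. '/-' entries are kept."""
    wildcards, groups = {}, {}
    for path, specs in perms.items():
        if path.endswith(("/*", "/-")):
            wildcards[path] = actions_of(specs)
        else:
            groups.setdefault(os.path.dirname(path), {})[path] = actions_of(specs)
    out = dict(wildcards)
    for directory, members in groups.items():
        wildcard = directory + "/*"
        if len(members) >= min_group or wildcard in out:
            out[wildcard] = out.get(wildcard, set()).union(*members.values())
        else:
            out.update(members)  # too few siblings: keep the exact paths
    return {path: {",".join(sorted(acts)): {}} for path, acts in sorted(out.items())}


def simplify_policy(policy):
    """Apply the collapse to every codeBase; other permission classes pass through."""
    return {codebase: {cls: simplify_file_permissions(names) if cls == "java.io.FilePermission"
                       else names for cls, names in by_class.items()}
            for codebase, by_class in policy.items()}


def count_entries(policy):
    """Number of permission names in the policy, i.e. how much a reviewer must read."""
    return sum(len(names) for by_class in policy.values() for names in by_class.values())


if __name__ == "__main__":
    before, after = count_entries(SAMPLE_POLICY), count_entries(simplify_policy(SAMPLE_POLICY))
    print(f"{before} entries -> {after} after simplification")
```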


PIE: Policy Verification

• So you’ve built the perfect security policy…
  – It’s not too restrictive
  – It’s not too permissive
  – It’s already out-of-date

• How can I make sure today’s security policy doesn’t break tomorrow’s build?


PIE: Policy Verification

• Bake PIE into your QA process!

• You’re already thoroughly testing your application. (Right?)

• Let’s not only verify that the policy doesn’t break anything…

• Let’s also automatically update the policy with any observed violations.


PIE: Policy Verification

<plugin>
  <groupId>com.coverity.security.pie</groupId>
  <artifactId>pie-maven-plugin</artifactId>
  <version>1.0.0</version>
  <configuration>
    <serverUrl>http://localhost:18885/my-app</serverUrl>
    <pieConfig>pieConfig.properties</pieConfig>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>build-policy</goal>
      </goals>
    </execution>
  </executions>
</plugin>


PIE has a Maven plugin so you can integrate it into your build/test pipeline.

PIE: Policy Verification

(Diagram: Maven drives PIE; the Container runs webapp.war with PIE; tests are driven from Selenium Grid, Sauce Labs, etc.; the outputs are pie.sm.policy, pie.csp.policy, pie.foo.policy.)

PIE: Policy Verification

• The PIE Maven plugin will…
  – Record the start-time of the test-run
  – After the test-run is complete, query the server for any policy violations
  – If there were violations:
    • Update and simplify the policy
    • Fail the Maven build


What Frameworks Does PIE Support?

• Running Servlet 3.0 (e.g. Tomcat)?
  – Just drop the war in your container’s lib directory, or include PIE as a Maven dependency.

• Using Dropwizard?
  – Add the Maven dependency and one line to your app’s config. (Details in the docs)

• Other frameworks easily added.


Extensibility

• Out-of-the-box support for
  – Java Security Manager
  – CSP

• These are written as modules; use them as a guide to write your own!
  – The PIE project includes an example of integrating with application-specific usage of Spring Security


A Reprise: Struts 2

Remember our vulnerable version of Roller?

$> cp pieConfig.learning.properties \
     ../lib/pieConfig.properties
$> ./startup.sh; mvn verify -Pselenium; ./shutdown.sh
$> cp pieConfig.enforce.properties \
     ../lib/pieConfig.properties
$> ./startup.sh
$> curl -X GET -G …
$> tail -n 1 ../logs/catalina.out
Observed violation: ("ognl.OgnlInvokePermission" "invoke.com.opensymphony.xwork2.ognl.SecurityMemberAccess.setAllowStaticMethodAccess")


Conclusions

• Tools exist for securing your web apps, but generally they aren’t getting used.
  – Why not? It’s a discussion we should have.

• Our hypothesis: barrier to entry and associated risk is too high.

• PIE is an attempt to address these issues.
  – Try it, use it, fork it, provide feedback!


Thank You


https://github.com/coverity/pie

References


1. Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html

2. Herzog and Shahmehri, Performance of the Java security manager: http://rewerse.net/publications/download/REWERSE-RP-2005-141.pdf

3. A Faster Content Security Policy (CSP) https://blog.mozilla.org/security/2014/09/10/faster-csp/
