Security Policy Management: Easy as PIE

  • Published on 08-Aug-2015

Transcript

<ol><li> 1. Security Policy Management: Easy as PIE
Ian Haken </li>
<li> 2. What I'm Talking About Today
  • A look at security policies in applications. I will mostly be speaking in the context of Java web applications, though much is general.
  • How security managers are used in practice. Or, more precisely, how they aren't used.
  • A slice of PIE: a new FOSS tool for building and managing security policies for Java applications. </li>
<li> 3. What is a Security Policy?
A security policy defines the resources an application can access. Access is usually conditioned on context:
  • Is the user authenticated?
  • What role(s) does the user possess?
  • What is the origin of the resource access request? </li>
<li> 4. An Idealized Security Policy
(Table: one row per role, one column per resource; the cell values showing which role may access which resource are not in the transcript.)
Roles: No Authentication (AuthN), Guest, User, Admin.
Resources: Stock Prices, Investment Demo, My Portfolio, Total Assets Under Mgmt. </li>
<li> 5. A More Realistic Security Policy
(The same table, with every role row split in two.)
Roles: No AuthN, Guest, User, Admin, each split into Internal IP / External IP.
Resources: Stock Prices, Investment Demo, My Portfolio, Total Assets Under Mgmt. </li>
<li> 6. An Even More Realistic Security Policy
(The same table, with every resource column split in two as well.)
Roles: No AuthN, Guest, User, Admin, each split into Internal IP / External IP.
Resources: Stock Prices (Private / Public), Investment Demo (Beta Features / Production Features), My Portfolio (Projections / History), Total Assets Under Mgmt (Potential Clients / Current Clients). </li>
<li> 7. Security Managers
A Security Manager is a component which enforces the relevant security policy. Examples:
  • Database and filesystem access control lists
  • Firewall rules
  • Android permissions framework
  • Content Security Policy (CSP)
  • The Java Security Manager
  • Spring Security </li>
<li> 8. Content Security Policy
  • A defense-in-depth solution which, if well-implemented in an application, could eliminate some XSS.
  • For each page, CSP whitelists the origins from which content can be loaded.
  • Since script/CSS/image/etc. content is (usually) static, this means only trusted content is loaded. </li>
<li> 9. Java Security Manager
  • In the JDK since 1.0 (1996).
  • Most common use case is to sandbox untrusted code, i.e. web applets, Google App Engine, and dynamic analyzers.
  • Enforces a security policy when accessing system resources, e.g. filesystem, network sockets, process invocation, thread creation, reflection, class loader, etc. </li>
<li> 10. Spring Security
  • Framework for managing user authentication and authorization controls.
  • Highly flexible and customizable.
  • Supports lots of other web application protections: CSRF, session fixation, etc.
  • Can use annotations to define method-level authorization checks. </li>
<li> 11. In General
  • Security managers enforce policies and often add a layer of protection to applications.
  • If utilized properly, they can mitigate or even eliminate entire classes of vulnerabilities. </li>
<li> 12. A Use Case: Struts 2
Struts 2 has been plagued by issues related to OGNL injection (at least 12 remote code execution CVEs).
Example: Roller 5.0.0 uses Struts 2.2.1.
$&gt; curl -s -X GET -G http://localhost:8080/roller/roller-ui/login.rol --data-urlencode "pageTitle=${(#_memberAccess["allowStaticMethodAccess "]=true,@java.lang.Runtime@getRuntime().exec(calc'),'') }" </li>
<li> 13. A Use Case: Struts 2
A first pass for one issue used a regex to blacklist disallowed characters. It blocked one attack but remained open to others:¹
"The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() method didn't cover other cases."
The current codebase uses a regex whitelist to prevent OGNL injection.
¹ Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html </li>
<li> 14. A Use Case: Struts 2
If you're supporting a legacy Struts 2 app and can't upgrade, you need an additional layer of protection.
The current version doesn't have known exploits, but are we sure there's no intersection between the whitelist and malicious OGNL? </li>
<li> 15. A Use Case: Struts 2
For both legacy and current Struts 2 apps, the Java SM with a strong security policy can mitigate your overall risk:
  • Disallows unused OGNL directives
  • Disallows class loader manipulation
  • Disallows process invocation
  • Disallows arbitrary filesystem access </li>
<li> 16. Awesome!
  • Security managers add a layer of defense.
  • They can protect legacy code with known vulnerabilities, or current code with unknown vulnerabilities.
  • They're widely available and have been around for years. </li>
<li> 17. Awesome!
So every web application out there is using these things, right? </li>
<li> 18. The State of CSP
  • As of April 27, 2015, in the Alexa Top 500 sites, only 2.7% are using CSP.
  • And of those, more than 60% include unsafe-eval or unsafe-inline for script-src.
  • Across the wider web, utilization drops further. Informal reports suggest less than 0.5% of sites use CSP. </li>
<li> 19. The State of the Java Security Manager
  • As aforementioned, used in several places as a sandboxing mechanism.
  • Prevalence is hard to measure; it's bundled with the JDK, and usually has no fingerprint when used server-side.
  • But anecdotally, no production system that I or anyone I know has seen uses it on top of trusted applications. </li>
<li> 20. Why Aren't These Tools Getting Used? Performance Impact?
  • A 2004 paper by Herzog and Shahmehri² showed a 5% to 100% time increase per resource access in the Java Security Manager.
  • However, this difference is marginal given the overhead of typical web applications, in particular network request/response time, and the low density of security-manager-relevant operations.
  • CSP adds ~0.02ms per resource load in FF.³ </li>
<li> 21. Why Aren't These Tools Getting Used? Ease-of-use
Difficult to write a policy:
  • What permissions do you need to add?
  • What parts of the application need those permissions?
Difficult to validate a policy:
  • Should you really be whitelisting dxgmaaybvjuttx.cloudfront.net, or should it be *.cloudfront.net? </li>
<li> 22. Why Aren't These Tools Getting Used? Ease-of-use
Keeping it up-to-date:
  • What if a developer changes the data path?
  • What if hostnames get changed?
  • What if you upgrade a dependency? </li>
<li> 23. Using Security Manager with Tomcat
Tomcat ships with a security manager policy which provides sane defaults and isolation between applications.
$&gt; ./startup.sh -security </li>
<li> 24. Using Security Manager with Tomcat </li>
<li> 25. Using Security Manager with Tomcat
$&gt; cat catalina.out
[ERROR] ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
...
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.Class.checkMemberAccess(Class.java:2281)
    at java.lang.Class.getDeclaredMethods(Class.java:1859)
    at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
    at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
    at org.springframework.asm.ClassReader.a(Unknown Source)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
    at org.springframework.core.type.classreading.SimpleMetadataReader.&lt;init&gt;(SimpleMetadataReader.java:54)
    at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
    at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
    ... 39 more </li>
<li> 26. Using Security Manager with Tomcat
$&gt; cat catalina.out
The same catalina.out excerpt as slide 25, with two items highlighted: the denied permission, "java.lang.RuntimePermission" "accessDeclaredMembers", and the application frame that triggered the check, org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor. </li>
<li> 27. Using Security Manager with Tomcat </li>
<li> 28. Using Security Manager with Tomcat
$&gt; cat catalina.policy
...
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
//     permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//     permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//     permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//     permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// }; </li>
<li> 29. Using Security Manager with Tomcat
So what codeBase needs the permission? The class which threw the exception was org.springframework.core.annotation.AnnotationUtils. In Pebble's lib directory, there is:
spring-core-3.0.3.RELEASE.jar
spring-security-core-3.0.3.RELEASE.jar
spring-web-3.0.3.RELEASE.jar
spring-security-web-3.0.3.RELEASE.jar
spring-context-3.0.3.RELEASE.jar
spring-beans-3.0.3.RELEASE.jar
spring-aop-3.0.3.RELEASE.jar
spring-asm-3.0.3.RELEASE.jar
spring-tx-3.0.3.RELEASE.jar
spring-expression-3.0.3.RELEASE.jar
spring-security-config-3.0.3.RELEASE.jar
spring-security-openid-3.0.3.RELEASE.jar </li>
<li> 30. Using Security Manager with Tomcat
After much trial and tribulation you'll (maybe) figure out that you need to append the following to catalina.policy:
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-asm-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-beans-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-context-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-core-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-web-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
}; </li>
<li> 31. Using Security Manager with Tomcat
$&gt; ./shutdown.sh; ./startup.sh -security </li>
<li> 32. Using Security Manager with Tomcat
The cycle repeats:
  • Dig through the Tomcat log
  • Figure out the correct permissions to add
  • $&gt; ./shutdown.sh
  • $&gt; ./startup.sh -security </li>
<li> 33. Using Security Manager with Tomcat
To load Pebble's homepage, you'll need to add 84 permissions, distributed across 16 JARs. And at this point, you haven't even gotten to system-resour...</li></ol>
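The measurement behind slide 18 (policies whose script-src still allows unsafe-inline or unsafe-eval) and the whitelist question on slide 21 can both be checked mechanically. The Python below is an added example, not code from the talk or from PIE; the header values in SAMPLES are constructed, and the audit applies the browser's fallback rule that script-src inherits default-src when absent.

```python
# Keywords that hand script execution back to inline or eval'd code; a script-src that
# carries either one gives up most of the XSS protection CSP was deployed for.
UNSAFE = {"'unsafe-inline'", "'unsafe-eval'"}

SAMPLES = {  # constructed header values, not measurements from any real site
    "strict":   "default-src 'self'; script-src 'self' https://cdn.example.com",
    "inline":   "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "inherit":  "default-src 'self' 'unsafe-eval'; img-src *",
    "wildcard": "script-src https://*.cloudfront.net",
}


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}.
    Browsers honour only the first occurrence of a directive, so later duplicates are dropped."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_src(policy):
    """script-src, falling back to default-src as the browser does; None means no restriction."""
    return policy.get("script-src", policy.get("default-src"))


def audit_script_src(header):
    """Flag what slide 18 counts (unsafe keywords) and what slide 21 asks about (wildcard hosts)."""
    sources = effective_script_src(parse_csp(header))
    if sources is None:
        return {"unsafe": [], "wildcards": [], "unrestricted": True}
    return {
        "unsafe": sorted({s for s in sources if s.lower() in UNSAFE}),
        "wildcards": [s for s in sources if "*" in s and s != "*"],
        "unrestricted": "*" in sources,
    }


def unsafe_share(headers):
    """Fraction of policies whose effective script-src allows inline or eval (the slide 18 metric)."""
    flagged = [h for h in headers if audit_script_src(h)["unsafe"]]
    return len(flagged) / len(headers) if headers else 0.0
```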
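For the dig-through-the-log loop of slides 25 to 32, here is an added Python helper (not part of the talk or of PIE) that pulls the denied permission and the stack frames out of one AccessControlException from catalina.out, maps each frame's class to the jar in WEB-INF/lib that owns it, and prints a grant block per jar in the catalina.policy form of slide 30. The abridged trace and the class-to-jar mapping below are constructed; index_jars() builds the real mapping from a lib directory. It grants to every jar on the stack because the Security Manager checks each protection domain on the call stack unless a frame used doPrivileged, which is why slide 30 ends up granting the same permission to five Spring jars.

```python
import re
import zipfile
from pathlib import Path

SAMPLE_LOG = """\
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
    at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
"""  # constructed: an abridged copy of the trace shape on slide 25
SAMPLE_INDEX = {  # constructed class-to-jar index; index_jars() builds the real one
    "org.springframework.core.annotation.AnnotationUtils": "spring-core-3.0.3.RELEASE.jar",
    "org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor": "spring-core-3.0.3.RELEASE.jar",
    "org.springframework.asm.ClassReader": "spring-asm-3.0.3.RELEASE.jar",
}
# Java prints: access denied ("<permission class>" "<target>" "<actions>"); actions are optional.
DENIED = re.compile(r'access denied \("([\w.$]+)" "([^"]*)"(?: "([^"]*)")?\)')
FRAME = re.compile(r'^\s*at ([\w.$]+)\.[\w$<>]+\(', re.M)  # captures the class of each frame


def index_jars(lib_dir):
    """Map every class in lib_dir/*.jar to its jar name (the codeBase a grant must name)."""
    index = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            index.update((e[:-6].replace("/", "."), jar.name) for e in zf.namelist() if e.endswith(".class"))
    return index


def denied_permissions(trace):
    """(permission class, target, actions) for each 'access denied' line in one stack trace."""
    return [(m.group(1), m.group(2), m.group(3) or "") for m in DENIED.finditer(trace)]


def jars_on_stack(trace, index):
    """Jars owning any frame of the denied call, innermost first (JDK frames are not in the index).
    Each needs the grant: every protection domain on the stack is checked unless doPrivileged was used."""
    jars = []
    for cls in FRAME.findall(trace):
        if cls in index and index[cls] not in jars:
            jars.append(index[cls])
    return jars


def render_grants(trace, index, webapp="pebble-2.6.4"):
    """One grant block per jar, in the catalina.policy form used on slide 30."""
    blocks = []
    for perm_class, target, actions in denied_permissions(trace):
        perm = f'permission {perm_class} "{target}"' + (f', "{actions}"' if actions else "") + ";"
        for jar in jars_on_stack(trace, index):
            blocks.append(f'grant codeBase "file:${{catalina.base}}/webapps/{webapp}/WEB-INF/lib/{jar}" {{\n    {perm}\n}};')
    return "\n".join(blocks)
```

Run it per exception, not over the whole log, since each denial carries its own stack; and review every generated grant before appending it, because a permission granted to a jar applies to all code in that jar, not just the path that tripped the check.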