Avoiding Compliance Issues in ABAP code

Andreas Wiegenstein

„Daimler ITM/S Global Information Security Conference“, 23. - 25. April, Stuttgart

© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.

TRANSCRIPT

Page 1: Title

Avoiding Compliance Issues in ABAP code

Andreas Wiegenstein

Dr. Markus Schumacher

„Daimler ITM/S Global Information Security Conference“, 23. - 25. April, Stuttgart

Page 2: Disclaimer

This session shows security risks in the ABAP programming language. The fact that certain security defects can occur in ABAP does not necessarily imply that such defects exist in SAP standard code. However, Virtual Forge has found all security defects discussed in this session in code written by SAP customers.

Page 3: Andreas Wiegenstein

Founder of Virtual Forge (Heidelberg), responsible for Research & Development

SAP Security Researcher, active since 2003

Received Credits from SAP for more than 20 reported 0-day Vulnerabilities

Frequent Speaker at international Conferences:
  SAP TechEd 2004 (USA & Europe) / 2005 (USA) / 2006 (USA), DSAG 2009
  BlackHat 2011 (Europe), Hack in the Box 2011 (Europe)
  Troopers 2011 / 2012, RSA 2012 (USA)

Co-Author of „Sichere ABAP Programmierung" (SAP Press)

Training Class WDESA3 @ SAP University

My car, my house, my boat, …

Page 4: 1. Challenge „ABAP Security“

Page 5

„Our SAP systems are secure…“

„…and this is our ABAP security department.“

Page 6: Security: A question of granularity

It is not the transactions that are dangerous, but the ABAP commands.

Example: Creating ABAP Programs

[Diagram: entry points SE80, SE38, Transaction ZTRANS1, Transaction ZTRANS2, Business Server Page ZBSP and Web Dynpro Application ZWD; objects REPORT ZREP, Function Module ZFB1 and Function Module ZFB2; the command INSERT REPORT; every path is marked "Risk".]

Page 7: The Attack Surface of ABAP

Page 8: SAP ALL in 5 Minutes… (Part 1)

DEMO

Page 9: ABAP Risks (1): Authorizations

ABAP has an explicit authorization model.

Risks:
  Missing Authority-Checks
  Wrong Authority-Checks
    Logically wrong
    Technically wrong
  Proprietary Authority-Checks

[Diagram: Roles & Authorizations, AUTHORITY-CHECK, ASSET; outcomes OK / Failed.]

Page 10: ABAP Vulnerabilities (1a): Authorizations

REPORT ZFT.
DATA lv_msg TYPE string.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '*'          " generic value: no meaningful restriction
  ID 'OBJTYPE' FIELD 'PROG'
  ID 'OBJNAME' FIELD 'ZTEST'
  ID 'ACTVT' FIELD '02'.
CONCATENATE 'No authority in ' SY-REPID INTO lv_msg.   " sets sy-subrc and overwrites the AUTHORITY-CHECK result
IF sy-subrc <> 0.                  " tests the result of CONCATENATE, not of the authorization check
  WRITE : / lv_msg.
  EXIT.
ENDIF.

Page 11: ABAP Vulnerabilities (1b): Authorizations

REPORT ZFT.
DATA lv_msg TYPE string.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD 'ZHR'        " meaningful restriction
  ID 'OBJTYPE' FIELD 'PROG'
  ID 'OBJNAME' FIELD 'ZTEST'
  ID 'P_GROUP' DUMMY               " ID intentionally ignored (the slide reads FIELD DUMMY; DUMMY takes no FIELD)
  ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0.                  " sy-subrc correctly checked, directly after the AUTHORITY-CHECK
  CONCATENATE 'No authority in ' SY-REPID INTO lv_msg.
  WRITE : / lv_msg.
  EXIT.
ENDIF.

Page 12: ABAP Vulnerabilities (1c): Authorizations

* Proprietary Authorization Check
IF sy-uname NE 'WIEGENSTEINA'.
  RAISE no_authority.
ENDIF.

Page 13: ABAP Risks (2): Client Separation

SAP maintains multiple Clients.

Risks:
  Cross-client Access to Business Data

[Diagram: Client Separation between Client 007, Client 023 and Client 042.]

Page 14: ABAP Vulnerabilities (2): Client Separation

* OPEN SQL
DELETE FROM usr02 CLIENT SPECIFIED.

* Native SQL
EXEC SQL.
  DELETE FROM usr02.
ENDEXEC.

* ABAP Database Connectivity (ADBC)
CALL FUNCTION 'DB_EXECUTE_SQL'
  EXPORTING
    stmt = 'DELETE FROM usr02'.

Page 15: ABAP Risks (3): Development Process

Controlled Development & Quality Assurance

Risks:
  Bypassing Quality Assurance
  Developing Code on the Productive System

[Diagram: System Separation DEV -> TEST -> PROD, connected by Transports.]

Page 16: ABAP Vulnerabilities (3): Development Process

PARAMETERS lv_name TYPE string.
DATA lt_prog TYPE TABLE OF string WITH HEADER LINE.   " declaration not on the slide; assumed so that the snippet compiles
IF sy-sysid = 'PFI'.                                  " code only runs on the Prod-System
  lt_prog = 'REPORT ZFT.'. APPEND lt_prog.
  CONCATENATE `DATA lv_tmp(80) TYPE c VALUE '`
              lv_name `'.` INTO lt_prog. APPEND lt_prog.
  lt_prog = 'WRITE / lv_tmp.'. APPEND lt_prog.
  INSERT REPORT 'ZFT' FROM lt_prog.                   " development without ABAP Workbench
  SUBMIT ('ZFT').
ENDIF.

Page 17: ABAP Risks (4): Operating System Commands

Risks:
  Insecure Alternatives to the controlled Execution of Operating System Commands

Controlled Operating System (OS) Command Execution (diagram): the ABAP OS call 'LIST' is mapped via SM49 / SM69 to the OS command 'ls'.

  Command    Program
  LIST       ls
  PING       ping
  X_PYTHON   x_python

SAP Standard Function Modules: SXPG_CALL_SYSTEM, SXPG_COMMAND_EXECUTE

Page 18: ABAP Vulnerabilities (4): Operating System Commands

1. Kernel calls

CALL 'SYSTEM' ID 'COMMAND' FIELD 'net.exe user test pass /add'
              ID 'TAB'     FIELD rt-*sys*.

2. Filter option in OPEN DATASET

OPEN DATASET lv_file
  FOR OUTPUT
  IN TEXT MODE ENCODING DEFAULT
  FILTER 'format c:'.

3. Residual Risks

Page 19: General Problems in ABAP Security

No Precedent (ABAP Hack) in the press

Managers and Developers lack Awareness

Very large amounts of custom Code
  Massive Legacy Problems

No central Responsibility in Corporations
  ABAP Security is an S.E.P. (Someone Else’s Problem)

Quality of 3rd Party Code not transparent
  Backdoors & Security Defects are Part of the Delivery

Missing Know-How
  No Guidelines, No Trainings, No Test Tools

Page 20: 2. Compliance Risks

Page 21: ABAP Security in a Compliance Context

[Diagram: ICS-Structure in the ERP Environment: IT General Controls (ITGC), Change Management, ABAP Code; Business Risks regarding Completeness, Rights, Correctness, Non-Repudiation, Segregation of Duties, Data Protection, …]

Page 22: ABAP Code Risks

Exemplary technical Defects:

Unauthorized Execution of Business Logic
  Authorization Defects, ABAP Command Injection, OS Command Injection

Unauthorized read Access to Business and Configuration Data
  OSQL Injection, Cross-Client DB Access, Directory Traversal, ABAP Command Injection

Unauthorized write Access to Business and Configuration Data
  OSQL Injection, ADBC Injection, Directory Traversal, ABAP Command Injection

Jeopardizing the Availability of the System
  ADBC Injection, OS Command Injection, Directory Traversal, ABAP Command Injection

Adverse Effects on Non-Repudiation
  ADBC Injection, ABAP Command Injection

Identity Theft
  Alias Authorizations, Cross-Site Scripting, Cross-Site Request Forgery

Page 23: The most common Security Defects in ABAP Programs

Check List BIZEC APP/11 (ID, Defect: Description)

APP-01  ABAP Command Injection: Execution of arbitrary ABAP Code
APP-02  OS Command Injection: Execution of arbitrary Operating System Commands
APP-03  Improper Authorization (Missing, Broken, Proprietary, Generic): Missing or erroneous Authorization Checks
APP-04  Generic Module Execution: Unauthorized Execution of Modules (Reports, FuMo, etc.)
APP-05  Cross-Client Database Access: Cross-Client Access to Business Data
APP-06  SQL Injection: Malicious Manipulation of Database Commands
APP-07  Unmanaged SQL: Usage of native SQL Commands
APP-08  Cross-Site Scripting: Manipulation of Browser UI, Authorization Theft
APP-09  Cross-Site Request Forgery: Execution of Business Logic in the Name of a different User
APP-10  File Upload (Malware): Storage of malicious Files on an SAP Server
APP-11  Directory Traversal: Unauthorized read/write Access to Files (SAP Server)
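The following Python scanner is an added example, not part of the deck and not a Virtual Forge tool: it splits ABAP source into statements and flags the defect patterns shown on the vulnerability slides (1a to 1c, 2, 3 and 4), labelled with the BIZEC APP/11 ids from the checklist above. The samples SLIDE_1A, SLIDE_1B and SLIDE_2_3 are transcribed from the slides; the rule set, the statement splitter and the PROD-ONLY label (for the sy-sysid trick on slide 16) are this example's own simplifications, since a real tool needs data- and control-flow analysis.

```python
import re
from typing import List, Tuple

# Single-statement rules keyed by BIZEC APP/11 id (PROD-ONLY is our own label, not a BIZEC id).
RULES = [
    ("APP-01", r"^INSERT REPORT\b", "INSERT REPORT writes a program at runtime"),
    ("APP-02", r"^CALL 'SYSTEM'", "kernel call CALL 'SYSTEM' bypasses SM49/SM69"),
    ("APP-02", r"^OPEN DATASET\b.*\bFILTER\b", "OPEN DATASET ... FILTER runs an OS command"),
    ("APP-03", r"^AUTHORITY-CHECK\b.*\bFIELD '\*'", "generic value '*' in AUTHORITY-CHECK"),
    ("APP-03", r"\bsy-uname\b\s*(=|<>|EQ|NE)\s", "proprietary check on sy-uname"),
    ("APP-04", r"^SUBMIT \(", "dynamic SUBMIT of a program name built at runtime"),
    ("APP-05", r"^(SELECT|UPDATE|DELETE|INSERT|MODIFY)\b.*\bCLIENT SPECIFIED\b", "Open SQL across clients"),
    ("APP-07", r"^EXEC SQL\b", "native SQL bypasses automatic client handling"),
    ("APP-07", r"^CALL FUNCTION 'DB_EXECUTE_SQL'", "DB_EXECUTE_SQL runs a raw SQL string"),
    ("PROD-ONLY", r"\bsy-sysid\b\s*(=|EQ)\s*'", "code path bound to one system id"),
]

def split_statements(source: str) -> List[str]:
    """Split ABAP at '.' outside ' and ` literals; drop comment lines (* in
    column 1) and inline double-quote comments; collapse whitespace."""
    stmts, cur = [], []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        quote = None  # ABAP literals never span lines
        for ch in line:
            if quote:
                quote = None if ch == quote else quote
            elif ch in "'`":
                quote = ch
            elif ch == '"':
                break
            elif ch == ".":
                stmts.append(" ".join("".join(cur).split()))
                cur = []
                continue
            cur.append(ch)
        cur.append(" ")
    return [s for s in stmts if s]

def scan_abap(source: str) -> List[Tuple[str, str, str]]:
    """Return (rule id, message, statement) findings. One extra sequence rule: the statement
    right after AUTHORITY-CHECK must test sy-subrc; anything in between (slide 1a puts a
    CONCATENATE there) resets sy-subrc and the authorization result is lost."""
    stmts = split_statements(source)
    findings = []
    for i, stmt in enumerate(stmts):
        for rule_id, pattern, msg in RULES:
            if re.search(pattern, stmt, re.I):
                findings.append((rule_id, msg, stmt))
        nxt = stmts[i + 1] if i + 1 < len(stmts) else ""
        if re.match(r"AUTHORITY-CHECK\b", stmt, re.I) and not re.search(r"\bsy-subrc\b", nxt, re.I):
            findings.append(("APP-03", "sy-subrc of AUTHORITY-CHECK not tested by the next statement", stmt))
    return findings

def finding_ids(source: str) -> List[str]:
    """Sorted, de-duplicated rule ids for one piece of source."""
    return sorted({f[0] for f in scan_abap(source)})

# Constructed samples, transcribed from the deck's vulnerability slides 1a, 1b, 2 and 3.
SLIDE_1A = """REPORT ZFT. DATA lv_msg TYPE string.
AUTHORITY-CHECK OBJECT 'S_DEVELOP' ID 'DEVCLASS' FIELD '*' ID 'OBJTYPE' FIELD 'PROG'
  ID 'OBJNAME' FIELD 'ZTEST' ID 'ACTVT' FIELD '02'.
CONCATENATE 'No authority in ' SY-REPID INTO lv_msg.
IF sy-subrc <> 0. WRITE : / lv_msg. EXIT. ENDIF."""
SLIDE_1B = """AUTHORITY-CHECK OBJECT 'S_DEVELOP' ID 'DEVCLASS' FIELD 'ZHR' ID 'OBJTYPE' FIELD 'PROG'
  ID 'OBJNAME' FIELD 'ZTEST' ID 'P_GROUP' DUMMY ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0. CONCATENATE 'No authority in ' SY-REPID INTO lv_msg. WRITE : / lv_msg. EXIT. ENDIF."""
SLIDE_2_3 = """DELETE FROM usr02 CLIENT SPECIFIED.
EXEC SQL. DELETE FROM usr02. ENDEXEC.
CALL FUNCTION 'DB_EXECUTE_SQL' EXPORTING stmt = 'DELETE FROM usr02'.
IF sy-sysid = 'PFI'. lt_prog = 'REPORT ZFT.'. APPEND lt_prog.
  CONCATENATE `DATA lv_tmp(80) TYPE c VALUE '` lv_name `'.` INTO lt_prog. APPEND lt_prog.
  INSERT REPORT 'ZFT' FROM lt_prog. SUBMIT ('ZFT'). ENDIF."""
```

Running finding_ids over the three samples gives ["APP-03"] for slide 1a (generic '*' plus the overwritten sy-subrc), nothing for slide 1b, and APP-01, APP-04, APP-05, APP-07 and PROD-ONLY for the client-separation and development-process code.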

Page 24: Risks of SQL Injection (APP-06)

Exemplary Analysis of a technical Risk

Illegal Access to data of another SAP Client

Manipulation of User Accounts and Authorizations (SOX Violation)
  E.g. assign SAP_ALL Rights to unauthorized Users

Undocumented Changes to critical Tables (SOX Violation)
  No Entries in CDHDR, CDPOS, …

Read Access to HR Data (Violation of Data Protection Law)
  E.g. Social Security Number (PA0002-PERID)

Access to Credit Card Data (PCI/DSS Violation)
  E.g. BSEGC-CCNUM

Access to Bank Account Data of Customers and Suppliers
  E.g. Customer Bank Data (KNBK-BANKN)

Manipulation of financial Data (SOX Violation)
  E.g. Manipulation of Table BSEG

Page 25: SAP ALL in 5 Minutes (Part 2)

DEMO

Page 26: 3. ABAP Security at the Process Level

Page 27: Secure Development Process (SDP)

[Diagram: phases Specification, Design, Implementation, Testing, Going Live; Tools.]

Page 28: The SDP Maturity Model

The SDP Maturity Model determines to what degree an organization applies Methods and (automated) Tools in order to ensure the Quality of its Development Process.

Ad-Hoc: Quality is a reactive Process

Minimal: Basic Awareness for Quality, but only minimal Application of Tests

Without Feedback: Established Process, but Feedback/Results not used in order to improve it

Planned and controlled: Code-Quality is considered from the Beginning; there are sufficient Metrics in order to supervise the Process; the Process is enhanced whenever necessary

[Diagram: phases Specification, Design, Implementation, Testing, Going Live.]

Page 29: Challenges

Management Support
  Responsibility, Budget

Dealing with Legacy Problems
  What must be corrected, what is a residual Risk?

Developer Acceptance of the Process
  Tolerant Introduction Phase
  Support for Mitigations

Page 30: 4. Practical ABAP Security

Page 31: Internal ABAP Development

Central Requirements for secure ABAP Development:

Security as Part of the Project
  Time and Budget Planning

Mandatory Training for all Developers

Development Guidelines as Reference

Peer-Reviews

Internal Expert-Team for Questions

Test Tools

Regular Updates of all Information

Manual Penetration Testing

Page 32: External ABAP Development

Central Requirements in the Call for Tenders:

General contractual Conditions (Liability etc.)

Tests on all external Code

Extensive manual Penetration Testing

Page 33: Automated Tests

Tool should have Focus on Security & Compliance
  Potential Synergies in other Test Domains should be leveraged

Data- and Control-Flow Analysis is important
  Otherwise the False-Positive Rate will be high

Performance and Scalability are important Factors

How often is new Test-Content delivered?

Explanations for Findings should be detailed and comprehensive
  What is the Problem? How is it solved?

Integration into the Development Landscape / Workbench
  TMS, ChaRM, SE80, …

Is SAP-specific Context considered?
  Critical Tables, dangerous Kernel Calls, …

Page 34: ABAP Security Resources

Literature:
  Sichere ABAP-Programmierung (SAP PRESS, 372 pages, 2009)
  Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, Frederik Weidemann

  Handbuch SAP-Revision (SAP PRESS, 672 pages, 2011)
  Maxim Chuprunov

Organizations:
  BIZEC – Business Security Initiative
  http://www.bizec.org

Page 35: Questions?

VIRTUALFORGE GmbH
[email protected]
Speyerer Straße 6
69115 Heidelberg
Germany
Phone: + 49 (0) 6221 86 89 0 - 0
Fax: + 49 (0) 6221 86 89 0 - 101