Using Z-Ray for Lightning Fast Security Analysis

Martin BednorzZendCon Las Vegas 2018

1

Introduction

● 10+ years of web development experience

● IT security background○ Web application security

○ Incremental static code analysis

● CTO / Co-Founder RIPS Technologies○ Static code analysis for security with strong focus on PHP

2

Usual Workflow

3

Usual Workflow

4

Usual Workflow

5

Improved Workflow

6

Improved Workflow

7

Idea: Combine runtime information with static code analysis

Static Code Analysis

8

Simplified Approach

Transform code into abstract syntax tree (AST)

9

Simplified Approach

Transform code into abstract syntax tree (AST)

10

$cookie = $_COOKIE['text'];

Simplified Approach

Transform code into abstract syntax tree (AST)

11

$cookie = $_COOKIE['text'];

$cookie = $_COOKIE['text'];

Simplified Approach

Transform code into abstract syntax tree (AST)

12

$cookie = $_COOKIE['text'];

$cookie = $_COOKIE['text'];

Assign

$cookie $_COOKIE

'text'

variable array

string

var expr

dim

Simplified Approach

Split AST into basic blocks

13

Simplified Approach

Split AST into basic blocks

● Analyze data flow within each basic block

14

Simplified Approach

Split AST into basic blocks

● Analyze data flow within each basic block

● Summarize data flow in block and function summaries

15

Simplified Approach

Connect basic blocks to a control flow graph

16

Simplified Approach

Perform backwards-directed taint analysis for each sensitive sink

17

Simplified Approach

Perform backwards-directed taint analysis for each sensitive sink

18

Context-Sensitive Taint Analysis

1 $id = $_POST['id'];2 if (...) {3 $id = (int)$id;4 } else {5 $id = htmlentities($id);6 }7 echo "<div id='$id'>...";

19

Context-Sensitive Taint Analysis

1 $id = $_POST['id'];2 if (...) {3 $id = (int)$id;4 } else {5 $id = htmlentities($id);6 }7 echo "<div id='$id'>...";

20

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Context-Sensitive Taint Analysis

21

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Variable $id is used in sensitive sink

Markup context:

HTML attribute single-quoted

Context-Sensitive Taint Analysis

22

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Sanitized: integer only

No further actions required

Context-Sensitive Taint Analysis

23

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Sanitizes only: “ < >

Context-Sensitive Taint Analysis

24

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Sanitizes only: “ < >

Vulnerable: All user input allowed

except characters stated above

Results

● WordPress RCE

● Magento RCE

● Joomla! LDAP injection

● Moodle RCE

● wooCommerce PHP Object Injection

● Roundcube RCE

● phpMyAdmin RCE

● …

Visit ripstech.com/vulndb for more

25

Performance

26

Wordpress (333 KLOC) 13m

Magento (2.4 MLOC) 30m

Joomla! (722 KLOC) 11m

Moodle (2.2 MLOC) 39m

Performance

27

Wordpress (333 KLOC) 13m

Magento (2.4 MLOC) 30m

Joomla! (722 KLOC) 11m

Moodle (2.2 MLOC) 39m

Lightning fast compared to other SAST solutions that scan 8h or 1 week.

Incremental Analysis

28

● State-of-the-art: Static analysis of only the code that changed

● Problem: function definition changes○ All call sites need reanalysis

○ If a function is called in a function, it needs reanalysis as well

○ Changed to global variables

○ ....

● Average of only 50% scan time improvement in our experiments

Boost Code Analysis with Z-Ray

29

Z-Ray

● Available with Zend Server

● Runtime (dynamic) analysis

● Deep insights into your PHP application○ Inspect

○ Debug

○ Optimize

● Many plugins and extensions available

30

Z-Ray

31

Execution Times

32

Database Query Information

33

Application-Specific Information

34

Stacktrace

35

Stacktrace - Used Files

36

// index.phpinclude('functions.php');switch($_GET['page']) {

case 'a': include('page_a.php');

case 'b': include('page_b.php');}

// page_a.phpdo_something();

// page_b.phpinclude('export.php');do_something_export();

Stacktrace - Used Files

37

Stacktrace - Used Files

38

index.php?page=a

Stacktrace - Used Files

39

index.php?page=b

Stacktrace - Used Files

40

Request Information

41

Request Information - Performance

42

Request Information - Performance

43

Request Information - Performance

44

Request Information - Performance

45

Request Information - Performance

46

Request Information - Performance

47

Request Information - Performance

48

admin();

user();

guest();

Example

1 $id = $_POST['id'];2 if (...) {3 $id = (int)$id;4 } else {5 $id = htmlentities($id);6 }7 echo "<div id='$id'>...";

49

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Example

1 $id = $_POST['id'];2 if (...) {3 $id = (int)$id;4 } else {5 $id = htmlentities($id);6 }7 echo "<div id='$id'>...";

50

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Example

1 $id = $_POST['id'];2 if (...) {3 $id = (int)$id;4 } else {5 $id = htmlentities($id);6 }7 echo "<div id='$id'>...";

51

$id = $_POST['id'];

$id = (int)$id; $id = htmlentities($id);

echo "<div id='$id'>...";

Example

1 $id = $_POST['id'];2 if (...) {3 $id = (int)$id;4 } else {5 $id = htmlentities($id);6 }7 echo "<div id='$id'>...";

52

$id = $_POST['id'];

$id = (int)$id;

echo "<div id='$id'>...";

Pitfall

// ...if (!isset($_SESSION['id'])) {

$_SESSION['id'] = select_id();}select_from_db($_SESSION['id']);

53

Pitfall

// ...if (!isset($_SESSION['id'])) {

$_SESSION['id'] = select_id();}select_from_db($_SESSION['id']);

54

// ...

$_SESSION['id'] = select_id();

select_from_db($_SESSION['id']);

Pitfall

// ...if (!isset($_SESSION['id'])) {

$_SESSION['id'] = select_id();}select_from_db($_SESSION['id']);

55

// ...

$_SESSION['id'] = select_id();

select_from_db($_SESSION['id']);

Pitfall

// ...if (!isset($_SESSION['id'])) {

$_SESSION['id'] = select_id();}select_from_db($_SESSION['id']);

56

// ...

$_SESSION['id'] = select_id();

select_from_db($_SESSION['id']);

Request Information - Verification

57

Request Information - Verification

58

http://mysite.com/search?category=book

Request Information - Verification

59

http://mysite.com/search?category=book&t=

Request Information - Verification

60

http://mysite.com/search?category=book&t=<script>alert(1);</script>

Request Information - Verification

61

http://mysite.com/search?category=book&t=’ onclick=’alert(1);’

Prototype

● Integrate into already available Zend Server plugin○ Zend Server UI plugin

○ Scan deployed applications or virtual hosts

○ Full scans only

● Zend Server Z-Ray plugin○ Scan single requests

○ Implement the most significant performance optimizations

62

Prototype

63

Zend Server Plugin

UI

Prototype

64

Zend Server Plugin

UI Z-RayZ-Ray API

● Add Z-Ray component to our plugin○ Access data via the Z-Ray API

○ Run first batch of optimizations

Prototype

65

Zend Server Plugin

UI Z-RayZ-Ray API

Static Code Analysis

● Add Z-Ray component to our plugin○ Access data via the Z-Ray API

○ Run first batch of optimizations

● Send relevant source code to static code analysis tool

Prototype

66

Zend Server Plugin

UI Z-RayZ-Ray API

Static Code Analysis

Z-Ray

● Add Z-Ray component to our plugin○ Access data via the Z-Ray API

○ Run first batch of optimizations

● Send relevant source code to static code analysis tool

● Extend taint analysis with data provided by Z-Ray

Prototype Implementation

67

Prototype Implementation

● Full scan○ ~2,4M Lines of Code

○ ~30 Minutes scan time

● QuickScan○ ~70k Lines of Code

○ ~1 Minutes scan time

● Can still be greatly improved

68

Prototype Implementation

● Full scan○ ~2,4M Lines of Code

○ ~30 Minutes scan time

● QuickScan○ ~70k Lines of Code

○ ~1 Minutes scan time

● Can still be greatly improved

69

Prototype Implementation

● Full scan○ ~2,4M Lines of Code

○ ~30 Minutes scan time

● QuickScan○ ~70k Lines of Code

○ ~1 Minutes scan time

● Can still be greatly improved

70

Demo

71

Conclusion

● Lightning fast security analysis for single requests

● Verify patches or single components much quicker○ Allows for a workflow similar to tests

● Still some work required○ Improve taint analysis with runtime information

○ Fix some of the pitfalls

72

Thank you!

Any questions?

73