Security Policy Management: Easy as PIE
What I’m Talking About Today
• A look at security policies in applications
  – I will mostly be speaking in the context of Java web applications, though much is general.
• How security managers are used in practice
  – Or, more precisely, how they aren’t used.
• A slice of PIE
  – A new FOSS tool for building and managing security policies for Java applications.
Security Policy Management: Easy as PIE, Ian Haken
What is a Security Policy?
• A security policy defines the “resources” an application can access
• Access is usually conditioned on context
  – Is the user authenticated?
  – What role(s) does the user possess?
  – What is the origin of the resource access request?
An Idealized Security Policy
Resource/Role | Stock Prices | Investment Demo | My Portfolio | Total Assets Under Mgmt
No Authentication (AuthN) ✓
Guest ✓ ✓
User ✓ ✓ ✓
Admin ✓ ✓
A More Realistic Security Policy
Resource/Role | Stock Prices | Investment Demo | My Portfolio | Total Assets Under Mgmt
No AuthN, Internal IP ✓
No AuthN, External IP ✓ ✓
Guest, Internal IP ✓ ✓
Guest, External IP ✓
User, Internal IP ✓ ✓
User, External IP ✓ ✓ ✓
Admin, Internal IP ✓ ✓
Admin, External IP ✓ ✓
An Even More Realistic Security Policy
Resource/Role | Stock Prices | Investment Demo | My Portfolio | Total Assets Under Mgmt
Sub-columns | Private | Public | Beta Features | Production Features | Projections | History | Potential Clients | Current Clients
No AuthN, Internal IP ✓ ✓
No AuthN, External IP ✓ ✓
Guest, Internal IP ✓ ✓ ✓
Guest, External IP ✓
User, Internal IP ✓ ✓ ✓ ✓
User, External IP ✓ ✓ ✓ ✓
Admin, Internal IP ✓ ✓ ✓ ✓ ✓ ✓
Admin, External IP ✓ ✓ ✓ ✓ ✓
Security Managers
• A Security Manager is a component which enforces the relevant security policy.
  – Database and filesystem access control lists
  – Firewall rules
  – Android permissions framework
  – Content Security Policy (CSP)
  – The Java Security Manager
  – Spring Security
Content Security Policy
• A defense-in-depth solution which, if well-implemented in an application, could eliminate some XSS.
• For each page, CSP whitelists the origins from which content can be loaded.
• Since script/CSS/image/etc. content is (usually) static, this means only trusted content is loaded.
Java Security Manager
• In the JDK since 1.0 (1996)
• Most common use-case is to sandbox untrusted code, i.e. web applets, Google App Engine, and dynamic analyzers.
• Enforces a security policy when accessing system resources, e.g. filesystem, network sockets, process invocation, thread creation, reflection, class loader, etc.
Spring Security
• Framework for managing user authentication and authorization controls
• Highly flexible and customizable
• Supports lots of other web application protections: CSRF, session fixation, etc.
• Can use annotations to define method-level authorization checks
In General
• Security Managers enforce policies and often add a layer of protection to applications
• If utilized properly, they can mitigate or even eliminate entire classes of vulnerabilities
A Use Case: Struts 2
• Struts 2 has been plagued (at least 12 remote code execution CVEs) by issues related to OGNL-injection.
• Example: Roller 5.0.0 uses Struts 2.2.1
$> curl -s -X GET -G \
   http://localhost:8080/roller/roller-ui/login.rol \
   --data-urlencode "pageTitle=\${(#_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc'),'')}"
A Use Case: Struts 2
• A first pass for one issue used a regex to blacklist disallowed characters. It blocked one attack but remained open to others: [1]
  “The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() method didn't cover other cases…”
• The current codebase uses a regex whitelist to prevent OGNL-injection
[1] Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html
A Use Case: Struts 2
• If you’re supporting a legacy Struts 2 app and can’t upgrade, you need an additional layer of protection.
• The current version doesn’t have known exploits, but are we sure there’s no intersection between the whitelist and malicious OGNL?
A Use Case: Struts 2
• For both legacy and current Struts 2 apps, the Java SM with a strong security policy can mitigate your overall risk:
  – Disallows unused OGNL directives
  – Disallows class loader manipulation
  – Disallows process invocation
  – Disallows arbitrary filesystem access
  – …
Awesome!
• Security managers add a layer of defense
  – They can protect legacy code with known vulnerabilities
  – Or current code with unknown vulnerabilities.
• They’re widely available and have been around for years.
Awesome!
So every web application out there is using these things, right?
The State of CSP
• As of April 27, 2015, in the Alexa Top 500 sites, only 2.7% are using CSP.
  – And of those, more than 60% include ‘unsafe-eval’ or ‘unsafe-inline’ for script-src.
• Across the wider web, utilization drops further. Informal reports suggest less than 0.5% of sites use CSP.
The State of the Java Security Manager
• As mentioned earlier, it is used in several places as a sandboxing mechanism.
• Prevalence is hard to measure; it’s bundled with the JDK, and usually has no fingerprint when used server-side.
• But anecdotally, no production system that I or anyone I know has seen uses it on top of trusted applications.
Why Aren’t These Tools Getting Used?
• Performance Impact?
  – 2004 paper by Herzog and Shahmehri [2] showed 5% to 100% time increase per resource access in Java Security Manager
    • However, this difference is marginal given the overhead of typical web applications, in particular network request/response time, and the low density of security manager-relevant operations.
  – CSP adds ~0.02ms per resource load in FF. [3]
Why Aren’t These Tools Getting Used?
• Ease-of-use
  – Difficult to write a policy
    • What permissions do you need to add?
    • What parts of the application need those permissions?
  – Difficult to validate a policy
    • Should you really be whitelisting dxgmaaybvjuttx.cloudfront.net or should it be *.cloudfront.net?
Why Aren’t These Tools Getting Used?
• Ease-of-use
  – Keeping it up-to-date
    • What if a developer changes the data path?
    • What if hostnames get changed?
    • What if you upgrade a dependency?
Using Security Manager with Tomcat
Tomcat ships with a security manager policy which provides sane defaults and isolation between applications.
$> ./startup.sh -security
Using Security Manager with Tomcat
$> cat catalina.out
[ERROR] ContextLoader - Context initialization failed <org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")>
org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    ...
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.Class.checkMemberAccess(Class.java:2281)
    at java.lang.Class.getDeclaredMethods(Class.java:1859)
    at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
    at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
    at org.springframework.asm.ClassReader.a(Unknown Source)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
    at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
    at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
    at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
    ... 39 more
Using Security Manager with Tomcat
"java.lang.RuntimePermission" "accessDeclaredMembers"
org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor
Using Security Manager with Tomcat
$> cat catalina.policy
...
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
Using Security Manager with Tomcat
So what “CodeBase” needs the permission?
The class which threw the exception was org.springframework.core.annotation.AnnotationUtils
In Pebble’s lib directory, there is:
spring-core-3.0.3.RELEASE.jar
spring-security-core-3.0.3.RELEASE.jar
spring-web-3.0.3.RELEASE.jar
spring-security-web-3.0.3.RELEASE.jar
spring-context-3.0.3.RELEASE.jar
spring-beans-3.0.3.RELEASE.jar
spring-aop-3.0.3.RELEASE.jar
spring-asm-3.0.3.RELEASE.jar
spring-tx-3.0.3.RELEASE.jar
spring-expression-3.0.3.RELEASE.jar
spring-security-config-3.0.3.RELEASE.jar
spring-security-openid-3.0.3.RELEASE.jar
Using Security Manager with Tomcat
After much trial and tribulation you’ll (maybe) figure out that you need to append the following to catalina.policy:
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-asm-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-beans-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-context-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-core-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-web-3.0.3.RELEASE.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
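The log-digging step above, as an added example (not from the talk or from PIE): a Python script that pulls the denied permission out of an AccessControlException trace and emits a grant stanza for every JAR with a frame on the denied stack, since the check must pass for each codebase on the stack and not only for the class that threw. The package-to-JAR map and the shortened sample trace are constructed assumptions.

```python
import re

# Constructed sample, shortened from the catalina.out trace shown above.
SAMPLE_LOG = '''\
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.lang.Class.getDeclaredMethods(Class.java:1859)
    at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
    at org.springframework.asm.ClassReader.accept(Unknown Source)
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
    ... 39 more
'''

# Assumed package-prefix -> JAR map (in practice, built by listing the classes in each JAR).
PACKAGE_TO_JAR = {
    "org.springframework.core.": "spring-core-3.0.3.RELEASE.jar",
    "org.springframework.asm.": "spring-asm-3.0.3.RELEASE.jar",
    "org.springframework.context.": "spring-context-3.0.3.RELEASE.jar",
}
LIB_DIR = "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/"

DENIED = re.compile(r'(?:Caused by: )?java\.security\.AccessControlException: '
                    r'access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
FRAME = re.compile(r'\s*at ([\w.$]+)\.[\w$<>]+\(')

def parse_denials(log):
    """Return (permission class, target, actions, frame classes) for each denial trace."""
    denials, frames = [], None
    for line in log.splitlines():
        denied = DENIED.match(line.lstrip())
        frame = FRAME.match(line)
        if denied:
            frames = []
            denials.append((denied.group(1), denied.group(2), denied.group(3) or "", frames))
        elif frame and frames is not None:
            frames.append(frame.group(1))
        else:
            frames = None  # any other line ends the current trace
    return denials

def codebases_on_stack(frames):
    """Map frame classes to JARs. Returns (sorted JARs, unmapped application classes)."""
    jars, unmapped = set(), []
    for cls in frames:
        if cls.startswith(("java.", "sun.")):
            continue  # JDK classes are in the fully trusted system domain
        jar = next((j for p, j in PACKAGE_TO_JAR.items() if cls.startswith(p)), None)
        if jar:
            jars.add(jar)
        else:
            unmapped.append(cls)  # needs a map entry before the policy is complete
    return sorted(jars), unmapped

def grant_stanzas(log):
    """One grant block per JAR on the denied stack (up to the nearest doPrivileged call)."""
    stanzas = []
    for perm, target, actions, frames in parse_denials(log):
        spec = f'permission {perm} "{target}"' + (f', "{actions}"' if actions else "") + ";"
        jars = codebases_on_stack(frames)[0]
        stanzas += [f'grant codeBase "{LIB_DIR}{jar}" {{\n    {spec}\n}};' for jar in jars]
    return stanzas

if __name__ == "__main__":
    print("\n".join(grant_stanzas(SAMPLE_LOG)))
```

Classes returned in the unmapped list are the ones that would still fail on the next restart.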
Using Security Manager with Tomcat
$> ./shutdown.sh; ./startup.sh -security
Using Security Manager with Tomcat
Dig Through the Tomcat Log
Figure Out The Correct Permissions to Add
$> ./shutdown.sh
$> ./startup.sh -security
Using Security Manager with Tomcat
• To load Pebble’s homepage, you’ll need to add 84 permissions.
  – Distributed across 16 JARs.
• And at this point, you haven’t even gotten to system-resource intensive actions:
  – Adding blog entries, file uploads, creating new users…
Introducing PIE
• PIE (Policy Instantiation & Enforcement) aims to be a tool for painlessly building a security policy for your application.
• It’s FOSS: github.com/coverity/pie
• It’s modular: Java Security Manager and CSP are two modules currently working with PIE out-of-the-box.
What is PIE?
• Has a learning mode which observes the execution of your application in order to automatically generate a security policy.
• Automatically simplifies/collapses the policy, making it easy to manually verify.
• A Maven plugin integrates PIE into development and QA, making sure policy issues show up early in the SDLC.
PIE: Policy Generation
[Diagram: a container (e.g. Tomcat) hosting webapp.war and PIE; the JVM with the Java Security Manager; pie.sm.policy]
PIE: Policy Enforcement
[Diagram: a container (e.g. Tomcat) hosting webapp.war and PIE; the JVM with the Java Security Manager; pie.sm.policy]
PIE: Policy Generation
$> head -n 20 pie.sm.policy
"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar": {
   "java.io.FilePermission": {
      "/home/ihaken/pebble/*": { "read": {} },
      "/home/ihaken/pebble/blogs/default/-": { "delete,read,write": {} },
      "/home/ihaken/pebble/realm/*": { "read,write": {} },
      "/home/ihaken/tomcats/pebble/temp": { "read": {} },
      "/home/ihaken/tomcats/pebble/temp/*": { "delete,write": {} },
      "/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/*": { "delete,write": {} },
      "/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/images/*": { "write": {} }
   },
   "java.lang.RuntimePermission": {
      "accessDeclaredMembers": { "": {} },
      "defineClassInPackage.java.lang": { "": {} }
   },
   "java.lang.reflect.ReflectPermission": {
      "suppressAccessChecks": { "": {} }
   },
   "java.net.SocketPermission": {
      "resolve": { "ihaken-wrkst": {} }
   },
PIE: Policy Simplification
"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
   "java.io.FilePermission": {
      "/home/ihaken/tomcats/pebble/temp/upload_00000000.tmp": { "delete": {}, "read": {} },
      "/home/ihaken/tomcats/pebble/temp/upload_00000001.tmp": { "delete": {}, "read": {} },
      "/home/ihaken/tomcats/pebble/temp/upload_00000002.tmp": { "delete": {}, "read": {} },
      ...
PIE: Policy Simplification
"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
   "java.io.FilePermission": {
      "/home/ihaken/tomcats/pebble/temp/*": { "delete,read": {} }
   },
   ...
$> wc -l pie.sm.policy*
  1785 pie.sm.policy
    83 pie.sm.policy.simple
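An added illustration of the collapse shown above (not PIE's own code or algorithm): sibling FilePermission entries in one directory are merged into a single `dir/*` entry carrying the union of their actions, and each widened entry is returned so it can be reviewed by hand. The three-sibling threshold and the extra properties path in the sample input are assumptions.

```python
import json
import posixpath
from collections import defaultdict

CODEBASE = ("file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4"
            "/WEB-INF/lib/commons-fileupload-1.0.jar")
TEMP = "/home/ihaken/tomcats/pebble/temp"
# Constructed input in the shape of the unsimplified policy above; the last path is made up.
RAW_POLICY = {CODEBASE: {"java.io.FilePermission": {
    TEMP + "/upload_00000000.tmp": {"delete": {}, "read": {}},
    TEMP + "/upload_00000001.tmp": {"delete": {}, "read": {}},
    TEMP + "/upload_00000002.tmp": {"delete": {}, "read": {}},
    "/home/ihaken/example/app.properties": {"read": {}},
}}}
MIN_SIBLINGS = 3  # assumed threshold: collapse a directory once this many of its files appear


def split_actions(action_keys):
    """{'delete': {}, 'read,write': {}} -> {'delete', 'read', 'write'}"""
    return {a for key in action_keys for a in key.split(",")}


def simplify_file_permissions(paths):
    """Collapse sibling files into 'dir/*'. Returns (simplified entries, widened wildcards)."""
    by_dir, simplified, widened = defaultdict(dict), defaultdict(set), []
    for path, actions in paths.items():
        name = posixpath.basename(path)
        if name in ("*", "-"):
            simplified[path] |= split_actions(actions)  # already a wildcard: keep as is
        else:
            by_dir[posixpath.dirname(path)][name] = split_actions(actions)
    for directory, files in by_dir.items():
        if len(files) >= MIN_SIBLINGS:
            # "dir/*" covers every file directly in dir (not subdirectories), so it
            # grants more than was observed; report it for manual review.
            wildcard = posixpath.join(directory, "*")
            simplified[wildcard] |= set().union(*files.values())
            widened.append(wildcard)
        else:
            for name, acts in files.items():
                simplified[posixpath.join(directory, name)] |= acts
    merged = {p: {",".join(sorted(a)): {}} for p, a in sorted(simplified.items())}
    return merged, sorted(widened)


def simplify_policy(policy):
    """Apply the collapse per codebase; other permission types pass through unchanged."""
    out, review = {}, []
    for codebase, perms in policy.items():
        out[codebase] = dict(perms)
        if "java.io.FilePermission" in perms:
            merged, widened = simplify_file_permissions(perms["java.io.FilePermission"])
            out[codebase]["java.io.FilePermission"] = merged
            review += [(codebase, w) for w in widened]
    return out, review


if __name__ == "__main__":
    policy, review = simplify_policy(RAW_POLICY)
    print(json.dumps(policy, indent=2))
    print("review:", review)
```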
PIE: Policy Verification
• So you’ve built the perfect security policy…
  – It’s not too restrictive
  – It’s not too permissive
  – It’s already out-of-date
• How can I make sure today’s security policy doesn’t break tomorrow’s build?
PIE: Policy Verification
• Bake PIE into your QA process!
• You’re already thoroughly testing your application. (Right?)
• Let’s not only verify that the policy doesn’t break anything…
• Let’s also automatically update the policy with any observed violations.
PIE: Policy Verification
<plugin>
  <groupId>com.coverity.security.pie</groupId>
  <artifactId>pie-maven-plugin</artifactId>
  <version>1.0.0</version>
  <configuration>
    <serverUrl>http://localhost:18885/my-app</serverUrl>
    <pieConfig>pieConfig.properties</pieConfig>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>build-policy</goal>
      </goals>
    </execution>
  </executions>
</plugin>
PIE has a Maven plugin so you can integrate it into your build/test pipeline.
PIE: Policy Verification
[Diagram: Maven and PIE; a container hosting webapp.war and PIE; Selenium Grid, SauceLabs, etc.; pie.sm.policy, pie.csp.policy, pie.foo.policy]
PIE: Policy Verification
• The PIE Maven plugin will…
  – Record the start-time of the test-run
  – After the test-run is complete, query the server for any policy violations
  – If there were violations:
    • Update and simplify the policy
    • Fail the Maven build
What Frameworks Does PIE Support?
• Running Servlet 3.0 (e.g. Tomcat)?
  – Just drop the war in your container’s lib directory, or include PIE as a Maven dependency.
• Using Dropwizard?
  – Add the Maven dependency and one line to your app’s config. (Details in the docs)
• Other frameworks easily added.
Extensibility
• Out-of-the-box support for
  – Java Security Manager
  – CSP
• These are written as modules; use them as a guide to write your own!
  – The PIE project includes an example of integrating with application-specific usage of Spring Security
A Reprise: Struts 2
Remember our vulnerable version of Roller?
$> cp pieConfig.learning.properties \
   ../lib/pieConfig.properties
$> ./startup.sh; mvn verify -Pselenium; ./shutdown.sh
$> cp pieConfig.enforce.properties \
   ../lib/pieConfig.properties
$> ./startup.sh
$> curl -X GET -G …
$> tail -n 1 ../logs/catalina.out
Observed violation: ("ognl.OgnlInvokePermission" "invoke.com.opensymphony.xwork2.ognl.SecurityMemberAccess.setAllowStaticMethodAccess")
Conclusions
• Tools exist for securing your web apps, but generally they aren’t getting used.
  – Why not? It’s a discussion we should have.
• Our hypothesis: barrier to entry and associated risk is too high.
• PIE is an attempt to address these issues.
  – Try it, use it, fork it, provide feedback!
References
1. Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html
2. Performance of the Java security manager: http://rewerse.net/publications/download/REWERSE-RP-2005-141.pdf
3. A Faster Content Security Policy (CSP): https://blog.mozilla.org/security/2014/09/10/faster-csp/