© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Avoiding Compliance Issues in ABAP code
Andreas Wiegenstein, Dr. Markus Schumacher
"Daimler ITM/S Global Information Security Conference", 23-25 April, Stuttgart
Disclaimer
This session shows security risks in the ABAP programming language. The fact that certain security defects can occur in ABAP does not necessarily imply that such defects exist in SAP standard code. However, Virtual Forge has found all security defects discussed in this session in code written by SAP customers.
Andreas Wiegenstein
Founder of Virtual Forge (Heidelberg), responsible for Research &
Development
SAP Security Researcher, active since 2003
Received Credits from SAP for more than 20 reported 0-day Vulnerabilities
Frequent Speaker at international Conferences
SAP TechEd 2004 (USA & Europe) / 2005 (USA) / 2006 (USA), DSAG 2009
BlackHat 2011 (Europe), Hack in the Box 2011 (Europe)
Troopers 2011 / 2012, RSA 2012 (USA)
Co-Author of „Sichere ABAP Programmierung" (SAP Press)
Training Class WDESA3 @ SAP University
My car, my house, my boat, …
1. Challenge „ABAP Security“
„Our SAP systems are secure…“
„…and this is our ABAP security department.“
Security: A question of granularity
It is not the transactions that are dangerous, but the ABAP commands they execute.
Example: creating ABAP programs. The dangerous statement is INSERT REPORT, and it is reachable not only through the development transactions SE80 and SE38 but through every custom object that contains it:
Function Module ZFB1, Function Module ZFB2
Business Server Page ZBSP
Web Dynpro Application ZWD
Transaction ZTRANS1, Transaction ZTRANS2
REPORT ZREP
Each of these objects is a risk of its own. Restricting the transactions alone therefore does not remove the risk.
The Attack Surface of ABAP
SAP ALL in 5 Minutes… (Part 1)
DEMO
ABAP Risks (1): Authorizations
ABAP has an explicit authorization model: roles and authorizations are assigned to the user, and the program protects each asset with an AUTHORITY-CHECK whose result (OK or Failed) decides whether the asset may be accessed. The model only works if the code performs the check and evaluates its result.
Risks
Missing authority checks
Wrong authority checks
  Logically wrong
  Technically wrong
Proprietary authority checks
ABAP Vulnerabilities (1a): Authorizations
REPORT ZFT.
DATA lv_msg TYPE string.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '*'         " generic value instead of a meaningful restriction (logically wrong)
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD 'ZTEST'
  ID 'ACTVT'    FIELD '02'.       " field P_GROUP of S_DEVELOP is not specified at all; every field
                                  " must be given with FIELD or as DUMMY (technically wrong)
CONCATENATE 'No authority in ' sy-repid INTO lv_msg.   " CONCATENATE sets sy-subrc itself,
                                                       " so the result of the check is lost
IF sy-subrc <> 0.                 " evaluates the CONCATENATE result, not the AUTHORITY-CHECK
  WRITE : / lv_msg.
  EXIT.
ENDIF.
ABAP Vulnerabilities (1b): Authorizations
REPORT ZFT.
DATA lv_msg TYPE string.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD 'ZHR'       " meaningful restriction
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD 'ZTEST'
  ID 'P_GROUP'  DUMMY             " ID intentionally ignored (syntax is DUMMY, not FIELD DUMMY)
  ID 'ACTVT'    FIELD '02'.
IF sy-subrc <> 0.                 " sy-subrc correctly checked: first statement after the check
  CONCATENATE 'No authority in ' sy-repid INTO lv_msg.
  WRITE : / lv_msg.
  EXIT.
ENDIF.
ABAP Vulnerabilities (1c): Authorizations
* Proprietary authorization check: a hard-coded user name replaces AUTHORITY-CHECK,
* so the authorization cannot be administered through roles at all.
IF sy-uname NE 'WIEGENSTEINA'.
  RAISE no_authority.
ENDIF.
ABAP Risks (2): Client Separation
An SAP system maintains multiple clients (e.g. client 007, 023, 042) in one database; client separation keeps the business data of one client invisible to the others.
Risks
Cross-client access to business data
ABAP Vulnerabilities (2): Client Separation
Each of the three statements below deletes the logon records in table USR02 for every client, not only the caller's:
* Open SQL: CLIENT SPECIFIED switches off the automatic client handling
DELETE FROM usr02 CLIENT SPECIFIED.
* Native SQL: the database sees no client at all
EXEC SQL.
  DELETE FROM usr02.
ENDEXEC.
* ABAP Database Connectivity (ADBC)
CALL FUNCTION 'DB_EXECUTE_SQL'
  EXPORTING
    stmt = 'DELETE FROM usr02'.
ABAP Risks (3): Development Process
Controlled development and quality assurance rely on system separation: code is written on DEV, transported to TEST, and only then transported to PROD.
Risks
Bypassing quality assurance
Developing code on the productive system
ABAP Vulnerabilities (3): Development Process
DATA lt_prog TYPE TABLE OF string WITH HEADER LINE.
PARAMETERS lv_name TYPE c LENGTH 80.
IF sy-sysid = 'PFI'.                        " code only runs on the productive system
  lt_prog = 'REPORT ZFT.'. APPEND lt_prog.
  CONCATENATE `DATA lv_tmp(80) TYPE c VALUE '`
    lv_name `'.` INTO lt_prog. APPEND lt_prog.   " user input becomes source code (ABAP command injection)
  lt_prog = 'WRITE / lv_tmp.'. APPEND lt_prog.
  INSERT REPORT 'ZFT' FROM lt_prog.         " development without the ABAP Workbench
  SUBMIT ('ZFT').
ENDIF.
ABAP Risks (4): Operating System Commands
Controlled execution of operating system commands: ABAP does not call the OS directly but names a logical command maintained in SM49 / SM69, which maps it to the actual program. Examples from the command table:
Command    Program
LIST       ls
PING       ping
X_PYTHON   x_python
An ABAP OS call of 'LIST' thus executes the OS command 'ls'.
SAP standard function modules for this: SXPG_CALL_SYSTEM, SXPG_COMMAND_EXECUTE
Risks
Insecure alternatives
ABAP Vulnerabilities (4): Operating System Commands
1. Kernel calls: the command string goes straight to the OS, bypassing SM49 / SM69
CALL 'SYSTEM' ID 'COMMAND' FIELD 'net.exe user test pass /add'
              ID 'TAB'     FIELD rt-*sys*.
2. Filter option in OPEN DATASET: the FILTER program is an OS command, again outside SM49 / SM69
OPEN DATASET lv_file
  FOR OUTPUT
  IN TEXT MODE ENCODING DEFAULT
  FILTER 'format c:'.
3. Residual risks
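Added example, written for this page (it is not Virtual Forge's scanner and not SAP code): a small statement-level scanner that recognises the patterns from slides 1a to 4 and reports them under the BIZEC APP/11 IDs of the checklist in section 2. The sample program is constructed from the slide snippets plus one dynamic WHERE clause, the usual ABAP SQL injection vector (APP-06) that the slides name but do not show; the rule ID "DEV" and all messages are this example's own. It deliberately checks the one thing a plain grep cannot: whether sy-subrc is evaluated in the statement immediately after AUTHORITY-CHECK, which is what separates slide 1a from slide 1b.

```python
# Added example for this page (not Virtual Forge or SAP code): a statement-level
# scanner for the defect patterns of slides 1a-1c, 2, 3 and 4, reporting them under
# the BIZEC APP/11 IDs used later in the deck.  SAMPLE is a constructed program.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    line: int      # line on which the offending statement starts
    rule: str      # BIZEC APP/11 ID, or "DEV" for the development-process risk
    message: str

def split_statements(source):
    """Return (start_line, statement) pairs. A statement ends at a period outside
    a '...' or `...` literal; '*' in column 1 and text after '"' are comments."""
    stmts, buf, start, quote = [], [], None, None
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.startswith("*"):
            continue
        for ch in line:
            if quote:                          # inside a literal: copy as-is
                buf.append(ch)
                quote = None if ch == quote else quote
                continue
            if ch == '"':                      # inline comment: drop rest of line
                break
            if ch == ".":                      # statement terminator
                text = " ".join("".join(buf).split())
                if text:
                    stmts.append((start, text))
                buf, start = [], None
                continue
            if ch in "'`":
                quote = ch
            if start is None and not ch.isspace():
                start = lineno
            buf.append(ch)
        buf.append(" ")                        # a line break counts as a blank
    return stmts

# (rule, regex, message), matched case-insensitively against each statement.
RULES = [
    ("APP-01", r"^(INSERT REPORT|GENERATE SUBROUTINE POOL)\b", "ABAP code generated at runtime"),
    ("APP-04", r"^SUBMIT \(", "program to run is decided at runtime"),
    ("APP-02", r"^CALL 'SYSTEM'", "kernel call bypasses the SM49/SM69 command list"),
    ("APP-02", r"^OPEN DATASET .*\bFILTER\b", "FILTER addition runs an OS command"),
    ("APP-05", r"\bCLIENT SPECIFIED\b", "Open SQL with client separation switched off"),
    ("APP-07", r"^(EXEC SQL\b|CALL FUNCTION 'DB_EXECUTE_SQL')", "native SQL, no client handling"),
    ("APP-06", r"^(SELECT|UPDATE|DELETE|MODIFY)\b.*\bWHERE \(", "dynamic WHERE clause from a variable"),
    ("APP-03", r"^(IF|ELSEIF|CHECK) .*\bsy-uname\b", "proprietary check on the user name"),
    ("DEV", r"^(IF|ELSEIF|CHECK) .*\bsy-sysid\b", "code path depends on the system ID"),
]
SUBRC_CHECK = re.compile(r"^(IF|ELSEIF|CHECK|CASE) sy-subrc\b", re.I)

def scan(source):
    """Apply RULES to every statement, plus two checks on AUTHORITY-CHECK itself."""
    stmts = split_statements(source)
    findings = []
    for idx, (line, text) in enumerate(stmts):
        findings += [Finding(line, r, m) for r, p, m in RULES if re.search(p, text, re.I)]
        if re.match(r"AUTHORITY-CHECK\b", text, re.I):
            if re.search(r"FIELD '\*'", text, re.I):
                findings.append(Finding(line, "APP-03", "generic value '*' instead of a real restriction"))
            following = stmts[idx + 1][1] if idx + 1 < len(stmts) else ""
            if not SUBRC_CHECK.match(following):   # anything in between (e.g. CONCATENATE) resets sy-subrc
                findings.append(Finding(line, "APP-03", "sy-subrc not evaluated directly after AUTHORITY-CHECK"))
    return findings

SAMPLE = """\
REPORT zft.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'  " 1a: generic value, missing P_GROUP, sy-subrc overwritten
  ID 'DEVCLASS' FIELD '*' ID 'OBJTYPE' FIELD 'PROG'
  ID 'OBJNAME' FIELD 'ZTEST' ID 'ACTVT' FIELD '02'.
CONCATENATE 'No authority in ' sy-repid INTO lv_msg.
IF sy-subrc <> 0. EXIT. ENDIF.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'  " 1b: corrected check, no finding expected
  ID 'DEVCLASS' FIELD 'ZHR' ID 'OBJTYPE' FIELD 'PROG' ID 'OBJNAME' FIELD 'ZTEST'
  ID 'P_GROUP' DUMMY ID 'ACTVT' FIELD '02'.
IF sy-subrc <> 0. EXIT. ENDIF.
IF sy-uname NE 'WIEGENSTEINA'. RAISE no_authority. ENDIF.  " 1c: proprietary check
DELETE FROM usr02 CLIENT SPECIFIED.                        " 2: cross-client access
EXEC SQL. DELETE FROM usr02. ENDEXEC.
CALL FUNCTION 'DB_EXECUTE_SQL' EXPORTING stmt = 'DELETE FROM usr02'.
SELECT * FROM kna1 INTO TABLE lt_kna1 WHERE (lv_where).    " APP-06 in the checklist
IF sy-sysid = 'PFI'.                                       " 3: runs on PROD only
  INSERT REPORT 'ZFT' FROM lt_prog. SUBMIT ('ZFT').
ENDIF.
CALL 'SYSTEM' ID 'COMMAND' FIELD 'net.exe user test pass /add'  " 4: OS commands
              ID 'TAB' FIELD rt-*sys*.
OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT
  FILTER 'format c:'.
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line:>2}  {f.rule}  {f.message}")
```

Run as a script it lists twelve findings for the constructed program and none for the 1b check on line 7. The caveat the Automated Tests section makes applies here in full: this is pattern matching without data- or control-flow analysis, so it reports a dynamic WHERE clause even when the variable holds a whitelisted constant and misses anything that reaches a dangerous statement through indirection; treat it as a triage aid for the patterns above, not as a replacement for a tool that tracks data flow.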
General Problems in ABAP Security
No precedent (ABAP hack) in the press
  Managers and developers lack awareness
Very large amounts of custom code
  Massive legacy problems
No central responsibility in corporations
  ABAP security is an S.E.P. (Someone Else's Problem)
Quality of 3rd-party code not transparent
  Backdoors and security defects are part of the delivery
Missing know-how
  No guidelines, no trainings, no test tools
2. Compliance Risks
ABAP Security in a Compliance Context
ICS (Internal Control System) structure in the ERP environment: the IT General Controls (ITGC) cover change management, and change management covers the ABAP code. Defects in ABAP code therefore translate into business risks regarding completeness, rights, correctness, non-repudiation, segregation of duties, data protection, …
ABAP Code Risks: Exemplary technical Defects
Unauthorized execution of business logic
  Authorization defects, ABAP command injection, OS command injection
Unauthorized read access to business and configuration data
  Open SQL injection, cross-client DB access, directory traversal, ABAP command injection
Unauthorized write access to business and configuration data
  Open SQL injection, ADBC injection, directory traversal, ABAP command injection
Jeopardizing the availability of the system
  ADBC injection, OS command injection, directory traversal, ABAP command injection
Adverse effects on non-repudiation
  ADBC injection, ABAP command injection
Identity theft
  Alias authorizations, cross-site scripting, cross-site request forgery
The most common Security Defects in ABAP Programs
Check List BIZEC APP/11
ID      Defect                          Description
APP-01  ABAP Command Injection          Execution of arbitrary ABAP code
APP-02  OS Command Injection            Execution of arbitrary operating system commands
APP-03  Improper Authorization          Missing or erroneous authorization checks (missing, broken, proprietary, generic)
APP-04  Generic Module Execution        Unauthorized execution of modules (reports, function modules, etc.)
APP-05  Cross-Client Database Access    Cross-client access to business data
APP-06  SQL Injection                   Malicious manipulation of database commands
APP-07  Unmanaged SQL                   Usage of native SQL commands
APP-08  Cross-Site Scripting            Manipulation of the browser UI, authorization theft
APP-09  Cross-Site Request Forgery      Execution of business logic in the name of a different user
APP-10  File Upload (Malware)           Storage of malicious files on an SAP server
APP-11  Directory Traversal             Unauthorized read/write access to files (SAP server)
Risks of SQL Injection (APP-06)
Exemplary analysis of a technical risk:
Illegal access to data of another SAP client
Manipulation of user accounts and authorizations (SOX violation)
  e.g. assign SAP_ALL rights to unauthorized users
Undocumented changes to critical tables (SOX violation)
  no entries in the change document tables CDHDR, CDPOS, …
Read access to HR data (violation of data protection law)
  e.g. social security number (PA0002-PERID)
Access to credit card data (PCI DSS violation)
  e.g. BSEGC-CCNUM
Access to bank account data of customers and suppliers
  e.g. customer bank data (KNBK-BANKN)
Manipulation of financial data (SOX violation)
  e.g. manipulation of table BSEG
SAP ALL in 5 Minutes (Part 2)
DEMO
3. ABAP Security at the Process Level
Secure Development Process (SDP)
Phases: Specification, Design, Implementation, Testing, Going Live, each supported by tools.
The SDP Maturity Model
The SDP Maturity Model determines to what degree an organization applies methods and (automated) tools in order to ensure the quality of its development process across the phases Specification, Design, Implementation, Testing and Going Live.
Ad hoc: quality is a reactive process
Minimal: basic awareness of quality, but only minimal application of tests
Without feedback: established process, but feedback/results are not used to improve it
Planned and controlled: code quality is considered from the beginning; there are sufficient metrics to supervise the process; the process is enhanced whenever necessary
Challenges
Management support
  Responsibility, budget
Dealing with legacy problems
  What must be corrected, what is a residual risk?
Developer acceptance of the process
  Tolerant introduction phase
  Support for mitigations
4. Practical ABAP Security
Internal ABAP Development
Central requirements for secure ABAP development:
Security as part of the project
  Time and budget planning
Mandatory training for all developers
Development guidelines as reference
Peer reviews
Internal expert team for questions
Test tools
Regular updates of all information
Manual penetration testing
External ABAP Development
Central requirements in the call for tenders:
General contractual conditions (liability etc.)
Tests on all external code
Extensive manual penetration testing
Automated Tests
Tool should have a focus on security and compliance
  Potential synergies in other test domains should be leveraged
Data- and control-flow analysis is important
  Otherwise the false-positive rate will be high
Performance and scalability are important factors
How often is new test content delivered?
Explanations for findings should be detailed and comprehensive
  What is the problem? How is it solved?
Integration into the development landscape / workbench
  TMS, ChaRM, SE80, …
Is SAP-specific context considered?
  Critical tables, dangerous kernel calls, …
ABAP Security Resources
Literature
Sichere ABAP-Programmierung (SAP PRESS, 372 pp., 2009), Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, Frederik Weidemann
Handbuch SAP-Revision (SAP PRESS, 672 pp., 2011), Maxim Chuprunov
Organizations
BIZEC – Business Security Initiative, http://www.bizec.org
Questions?
VIRTUALFORGE GmbH
Speyerer Straße 6
69115 Heidelberg
Germany
Phone: + 49 (0) 6221 86 89 0 - 0
Fax: + 49 (0) 6221 86 89 0 - 101