2. About us
• Arseny Reutov
• Head of application security research at Positive Technologies
• Member of Positive Hack Days (https://phdays.com) conference board
• Occasional web security blogger (https://raz0r.name)
• Denis Kolegov
• Team lead of Application Firewall research at Positive Technologies
• PhD, associate professor at Tomsk State University
• Web security micro blogger (https://twitter.com/dnkolegov)
3. Outline
• The material we are going to talk about is the joint work of the PT Application Firewall
Research Team, which is developing a database firewall prototype as part of our application
firewall
• Thanks to
Arseny Reutov
Denis Kolegov
Vladimir Kochetkov
Igor Kanygin
Nikolay Tkachenko
Ivan Hudyashov
Sergey Grechnev
Sergey Reshetnikov
4. Agenda
• Intro
• WAF and DBFW
• Related Work
• Our Prototype
• Parser
• Protectors
Profiler
Dejector
SQLi
Access Control
IAM
• Roadmap
14. What is a Database Firewall?
Database firewalls are a type of application firewall which
• Monitor database activity
• Detect database specific attacks
• Protect sensitive information stored in the databases
• Implement adequate access control models
15. Database Firewall Deployment
Like WAFs, database firewalls can be deployed
• in proxy mode
• in sniffer mode via a SPAN port (mirrored traffic)
• as a host-based agent
16. What Can a Database Firewall Do?
Database firewalls can take one of several actions on each query:
• Pass
• Log for monitoring purposes
• Alert
• Rewrite query
• Block (either by dropping connection or by generating a native error code)
21. SQL Injection Detection: GreenSQL
• GreenSQL has been the mod_security of DBFWs for many
years, but the open source project is no longer maintained
• SQL Injection detection is based on risk score using metrics:
SQL comments
Sensitive tables
OR token
UNION token
Variable comparison
Always true expressions
and more
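As an added example (not GreenSQL's code and not the prototype's), the risk-score idea with the metrics listed above, in Python. The metric list is the one on the slide; the weights, the threshold and the sensitive-table list are assumptions chosen for illustration:

```python
import re

# Risk metrics in the spirit of GreenSQL's scoring (example code, not GreenSQL's). The metric
# list is the one on the slide; the weights, the threshold and the sensitive-table list are
# assumptions chosen for this example.
SENSITIVE_TABLES = {"users", "passwords", "credit_cards"}  # constructed list

METRICS = [
    ("sql_comment",         30, re.compile(r"--|#|/\*")),
    ("or_token",            20, re.compile(r"\bor\b", re.I)),
    ("union_token",         40, re.compile(r"\bunion\b", re.I)),
    # identifier compared with an identifier, e.g. `a = b`
    ("variable_comparison", 20, re.compile(r"\b[a-z_]\w*\s*=\s*[a-z_]\w*\b", re.I)),
    # a literal compared with an identical literal, e.g. `1=1` or `'x'='x'`
    ("always_true",         50, re.compile(r"(\d+|'[^']*')\s*=\s*\1(?!\w)")),
]

TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([a-z_][\w.]*)", re.I)

def sensitive_tables(sql):
    """Tables referenced by the query that are on the sensitive list."""
    return {t.lower() for t in TABLE_RE.findall(sql)} & SENSITIVE_TABLES

def risk_score(sql):
    """Return (score, names of the metrics that fired) for one query."""
    score, hits = 0, []
    for name, weight, rx in METRICS:
        if rx.search(sql):
            score += weight
            hits.append(name)
    if sensitive_tables(sql):
        score += 30
        hits.append("sensitive_table")
    return score, hits

def is_suspicious(sql, threshold=50):
    """Block/alert decision: the accumulated risk reaches the threshold."""
    return risk_score(sql)[0] >= threshold

if __name__ == "__main__":
    for sql in ["select name from orders where clientid = 42",
                "select * from users where clientid = 1 or 1=1"]:
        print(risk_score(sql), sql)   # (0, []) then (100, ['or_token', 'always_true', 'sensitive_table'])
```

No single metric blocks on its own: a legitimate `WHERE a = 1 OR b = 2` fires `or_token`, and a report over a sensitive table fires `sensitive_table`, which is exactly why GreenSQL accumulates a score and compares it with a threshold instead of matching one signature.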
22. SQL Injection Detection: Machine Learning
SOFIA: An Automated Security Oracle for Black-Box Testing of SQL-Injection Vulnerabilities
23. SQL Injection Detection: Machine Learning
• ”SOFIA is significantly more accurate than antiSQLi and GreenSQL and
significantly faster than antiSQLi in classifying legitimate SQL
statements and SQLi attacks.”
• However, training the model takes a lot of computing power, since tree
operations are expensive
• The algorithm is not tolerant of attacks occurring during the training phase
35. Profiler
• The SQL profiler is a basic protection mechanism implemented in all database firewalls
• It works like linting utilities or linters (e.g. eslint, pylint, cpplint, etc.), but analyses
SQL queries and checks whether they satisfy a security policy (the SQL profile)
• The main goal is to prevent the use of automated SQLi tools and exploits
• An SQL profile can be
Static: created by manual configuration
Dynamic: created by source code analysis tools
38. AST Example
Dejector is a context-free parse tree validation approach to preventing SQL Injection,
proposed by Hansen and Patterson in 2005
Given a set of known-good queries and the base formal grammar, Dejector builds a
new subgrammar that contains only the rules required to produce exactly the queries
in the known-good set
Strings recognized by the subgrammar are guaranteed to be structurally identical to
those in the known-good set
The subgrammar is then used with a parser generator such as bison or ANTLR to
produce a recognizer for the sublanguage
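As an added example, and not the prototype's ANTLR-based parser or Hansen and Patterson's implementation, the Dejector construction on a small SELECT subset in Python: a recursive-descent parser records every production it applies, the union of those sets over the known-good queries is the subgrammar, and a new query is accepted only if every production it needs is in that set. The first two known-good queries are taken from the slide 43 test set; the third and the candidate queries are constructed.

```python
import re

# Lexer for the small SQL subset below (example code, not the prototype's ANTLR parser).
TOKEN_RE = re.compile(r"'[^']*'|\d+|\w+|<>|<=|>=|\S")
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "BETWEEN"}

def lex(sql):
    return [t.upper() if t.upper() in KEYWORDS else t for t in TOKEN_RE.findall(sql)]

class ParseError(Exception):
    pass

class Parser:
    """Recursive-descent parser for: query -> SELECT select_list FROM ident where_opt.
    Every production it applies is recorded in self.rules; that set is what Dejector needs."""
    def __init__(self, sql):
        self.toks, self.pos, self.rules = lex(sql), 0, set()
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self, expect=None):
        tok = self.peek()
        if tok is None or (expect is not None and tok != expect):
            raise ParseError("expected %r, got %r" % (expect, tok))
        self.pos += 1
        return tok
    def query(self):
        self.rules.add("query -> SELECT select_list FROM ident where_opt")
        self.take("SELECT"); self.select_list(); self.take("FROM"); self.ident(); self.where_opt()
        if self.peek() is not None:
            raise ParseError("trailing tokens from %r" % self.peek())
        return self.rules
    def select_list(self):
        if self.peek() == "*":
            self.rules.add("select_list -> *"); self.take()
        else:
            self.rules.add("select_list -> ident"); self.ident()
    def where_opt(self):
        if self.peek() == "WHERE":
            self.rules.add("where_opt -> WHERE cond"); self.take(); self.cond()
        else:
            self.rules.add("where_opt -> (empty)")
    def cond(self):
        self.term()
        if self.peek() in ("AND", "OR"):
            op = self.take()
            self.rules.add("cond -> term %s cond" % op); self.cond()
        else:
            self.rules.add("cond -> term")
    def term(self):
        self.ident()
        if self.peek() == "BETWEEN":
            self.rules.add("term -> ident BETWEEN value AND value")
            self.take(); self.value(); self.take("AND"); self.value()
            return
        op = self.take()
        if op not in ("=", "<", ">", "<>", "<=", ">="):
            raise ParseError("bad operator %r" % op)
        self.rules.add("term -> ident %s value" % op); self.value()
    def value(self):
        tok = self.take()
        if tok.isdigit():
            self.rules.add("value -> NUMBER")
        elif tok.startswith("'"):
            self.rules.add("value -> STRING")
        else:
            raise ParseError("bad value %r" % tok)   # no bare booleans in this subset
    def ident(self):
        tok = self.take()
        if tok in KEYWORDS or not re.match(r"[A-Za-z_]\w*$", tok):
            raise ParseError("bad identifier %r" % tok)

def build_subgrammar(known_good):
    """Dejector: the union of the productions needed to derive the known-good queries."""
    rules = set()
    for sql in known_good:
        rules |= Parser(sql).query()
    return rules

def check(sql, subgrammar):
    """Return (accepted by the base grammar, accepted by the subgrammar)."""
    try:
        used = Parser(sql).query()
    except ParseError:
        return (False, False)
    return (True, used <= subgrammar)

# The first two known-good queries are from the slide 43 test set; the third is constructed.
KNOWN_GOOD = [
    "SELECT * FROM a WHERE b='c'",
    "SELECT * FROM a WHERE b BETWEEN 'c' AND 'd'",
    "SELECT email FROM users WHERE id = 42",
]
SUBGRAMMAR = build_subgrammar(KNOWN_GOOD)

if __name__ == "__main__":
    for sql in ["SELECT * FROM users WHERE id = 42",
                "SELECT password FROM users WHERE id = 1 OR id = 2"]:
        print(check(sql, SUBGRAMMAR), sql)   # (True, True) then (True, False)
```

`SELECT password FROM users WHERE id = 1 OR id = 2` is a valid statement of the base grammar, but no known-good query ever used `cond -> term OR cond`, so the subgrammar rejects it. The check is only as strict as a context-free grammar allows: `SELECT * FROM a WHERE b BETWEEN 1 AND 2` is accepted even though the known-good BETWEEN query used strings, because `value -> NUMBER`, learned from one query, is valid in every value position. That looseness is what the strict mode of slide 42 tightens by deriving a new grammar with position-specific nonterminals.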
42. Strict Mode
[Figure: parse tree with nodes a, b, c, pd, f, g, h, i, j, k, l, m, b1, d1]
new UCST ANTLR v4 grammar:
a: b | c | pd | b1 | d1 ;
b1: f;
c: f;
f: g | h;
g: i | j;
i: l;
…
43. Strict Dejector Parsing Time Results
Test                                                          | Python 2.7 MySQL    | Python 2.7 SubMySQL
SELECT * FROM a WHERE b='c'                                   | ~0.643 / 0.0019 sec | ~0.09 / 0.0011 sec
SELECT * FROM a WHERE b BETWEEN 'c' AND 'd'                   | ~0.67 / 0.002 sec   | ~0.102 / 0.0011 sec
INSERT INTO passbook VALUES('a','b','c','d','e','f','g','h')  | ~0.33 / 0.003 sec   | ~0.09 / 0.001 sec
CREATE TABLE a (b int(5) AUTO_INCREMENT, c date, d VARCHAR(255), e VARCHAR(255), f VARCHAR(255), g int(10), h int(10), i float(10,2), j VARCHAR(255), PRIMARY KEY (b)) | ~0.32 / 0.009 sec | ~0.18 / 0.005 sec
SELECT * FROM (((((((SELECT col1 FROM t1) AS ttt))))))*       | ~1.54 / 0.003 sec   | ~0.09 / 0.001 sec
* Query cannot be derived in the SubMySQL grammar
45. WAF + DBFW
• Suppose that we have both a WAF and a DBFW deployed:
Client → WAF → Web Server → DBFW → Database
46. HTTP & SQL Correlation
In order to correlate SQL queries with HTTP requests, a host-based module can be
deployed on the web server which appends the session cookie to each SQL query in
a comment
47. HTTP & SQL Correlation
• When these modified queries reach the DBFW, it can look up those
session identifiers in a database shared with the WAF
• The WAF, holding the access control policy for web users, acts as the
information point, i.e. it provides user information given a
session cookie
• The DBFW serves as the enforcement point, effectively blocking or
allowing queries
48. HTTP & SQL Correlation
• What if we have no chance to deploy a host module (agent)?
• We can still try to correlate HTTP and SQL using time-throttled request processing
• The idea is to process HTTP requests synchronously (one at a time), observe the emitted SQL queries, and associate
them with the HTTP request being processed
49. SQL Injection Detection
• Using a host-based agent we can effectively detect SQL injections
• The agent injects into an SQL comment data about the HTTP parameters that were
observed when the SQL query was executed
50. SQLi Detection Approach
• The DBFW replaces each occurrence of an HTTP parameter value
found in the SQL query with a constant
• Then it tries to parse and obtain tokens, first for the original query
and then for the second one with the replaced constants
• If the number of tokens differs, an SQL injection is reported,
since the constant replacement has changed the query
structure
51. AST-based Detection
• A better approach is to compare ASTs instead
• After traversing the ASTs, if differences are found, an SQL injection is
reported because the constant replacement has changed the AST
52. It decreases the number of false positives. Does this mechanism decrease
false negatives too?
One of the bypasses for owasp-modsecurity-crs found by Ivan Novikov;
it is not detected by libinjection either, due to the context issue
From Theory to Practice
curl 'localhost/index.html?id=1%20or%20true'
1%20or%20true
id=1.or-id
id=.1or-UTC_DATE--
)-sleep(9999
sleep(9999)
*/UNION SELECT password FROM users--
54. SQLi Detection Example
GET /app/?id=1%20or%20true HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Query emitted by the application, with the agent's comment prepended:
/*{"get_args":[{"id":"1 or true"}]}*/ select * from users where clientid = 1 or true
The parameter value replaced with a constant, and the original query without the comment:
select * from users where clientid = ""
select * from users where clientid = 1 or true
58. SQLi Detection Example
select * from users where clientid = ""
select * from users where clientid = 1 or true
Lexemes (8): select  *  from  users  where  clientid  =  ""
Lexemes (10): select  *  from  users  where  clientid  =  1  or  true
8 ≠ 10
62. Access Control
• All types of application firewalls should have access control mechanisms
• The main statement of any access policy: all entities must be identified
• Entity identification in account-based systems: at a minimum, the web application
subjects (users) that initiate queries to the DBMS must be identified
• Approaches
Many-to-many applications
HTTP and SQL user tracking
RASP
• Angine - ABAC eNgine
68. Angine Example
from Angine.policy import Policy
from Angine.pip import PIP
from Angine.pdp import PDP

def pep():
    ...
    # Policy Enforcement Point: intercept the request, ask the PDP, act on its decision
    request = get_request(network)
    policy = Policy(alfa_mysql_policy)        # ALFAScript policy for MySQL
    pip = PIP.init_data(mongo_connection)     # Policy Information Point backed by MongoDB
    pdp = PDP(policy.get_lua_policy())        # PDP runs the policy transcompiled to Lua
    ctx = pip.create_ctx(request)             # attributes of subject, resource and action
    response = pdp.evaluate(ctx)
    if response["result"]["decision"] != "permit":
        return None                           # deny: the query is not forwarded
    else:
        return process(request)               # permit: forward the query
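As an added example of the PEP/PIP/PDP split above and of the information-point / enforcement-point roles of slides 46-47 (example code, not Angine's API, without ALFAScript or Lua): the WAF's session store supplies user attributes for the session cookie the agent placed in the SQL comment, the PIP derives action and tables from the query, a first-applicable attribute policy decides, and the PEP at the DBFW forwards only on permit. The session data, roles and rules are constructed for this example.

```python
import re

# Constructed stand-in for the WAF's session store, the information point of slide 47:
# the WAF maps the session cookie it issued to the attributes it learned at login.
WAF_SESSIONS = {
    "s3ss10n-alice": {"user": "alice", "role": "customer"},
    "s3ss10n-bob":   {"user": "bob",   "role": "dba"},
}

TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([a-z_]\w*)", re.I)

def pip_create_ctx(session_cookie, sql):
    """Policy Information Point: gather subject, action and resource attributes for one query.
    The cookie is the one the host agent placed in the SQL comment (slide 46)."""
    subject = WAF_SESSIONS.get(session_cookie, {"user": None, "role": "anonymous"})
    action = sql.strip().split(None, 1)[0].lower()
    tables = {t.lower() for t in TABLE_RE.findall(sql)}
    return {"subject": subject, "action": action, "resource": {"tables": tables}}

# Attribute-based rules, first applicable wins, default deny. A hand-written stand-in for an
# ALFAScript policy; the roles, tables and rules are constructed for this example.
POLICY = [
    ("deny",   lambda c: c["subject"]["role"] == "anonymous"),          # unidentified subjects never reach the DBMS
    ("permit", lambda c: c["subject"]["role"] == "dba"),
    ("deny",   lambda c: c["action"] in ("delete", "drop", "update")),  # web users are read-only
    ("deny",   lambda c: "users" in c["resource"]["tables"]),          # the account table is off limits to web users
    ("permit", lambda c: c["action"] == "select"),
]

def pdp_evaluate(ctx, policy=POLICY):
    """Policy Decision Point: returns "permit" or "deny"."""
    for decision, applies in policy:
        if applies(ctx):
            return decision
    return "deny"

def pep(session_cookie, sql):
    """Policy Enforcement Point at the DBFW: the query to forward, or None when it is blocked."""
    ctx = pip_create_ctx(session_cookie, sql)
    if pdp_evaluate(ctx) != "permit":
        return None
    return sql

if __name__ == "__main__":
    print(pep("s3ss10n-alice", "SELECT * FROM orders WHERE clientid = 42"))               # forwarded
    print(pep("s3ss10n-alice", "SELECT password FROM users WHERE clientid = 42 OR TRUE"))  # None
```

The split matters operationally: the DBFW never sees a password or a login form, so on its own it could not tell alice from bob; the WAF never sees the SQL, so on its own it could not tell that a request touched `users`. The context object is the only thing that crosses between them.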
69. Angine Results
• ALFAScript IDL to runtime language code generator
• ALFAScript language
• ALFAScript to Lua transcompiler
• PDP and PIP implementations for runtime language
• Common parsers (HTTP, mysql, tsql)
70. Roadmap
• Host agents for C#, Java
• ANTLR-based C++ parser
• Release MySQL grammar for ANTLR4
• PT Application Firewall integration
• SQL user tracking
• Machine learning for sensitive data discovery
• Inspected Application Module for DBFW
73. Inspected Application Module
Vladimir Kochetkov. Do WAFs dream of static analyzers?
Peculiarities
A web-only IAM cannot process non-HTTP attack vectors
There are cases where CompFG is not adequate for detecting attacks:
• Loops, recursion
• Internal and external dependencies
The idea is to build an SQL profile from the application code, compile it to a binary module
and run it on the DBFW
This approach can be used to detect second-order SQL injection attacks
75. SQL IAM Example
…
$sql = "select * from data where id=" . intval($_POST["id"]);
$result = mysql_query($sql, $connection);
$row = mysql_fetch_row($result);
$sql = "select * from data where fname='" . $row[2] . "'";
76. SQL IAM Example
Untrusted data read from the database.
What if fname is ' or '1' = '1 ?
Second-order SQL injection
77. SQL IAM Example
The main SQL injection feature:
the number of tokens in a parameter slot is greater than one
78. SQL IAM Example
(concat "select * from data where fname='" (concat (index-access row 2) "'"))
79. SQL IAM Example
(call mysql_fetch_row (call mysql_query (concat
"select * from data where id=" (call intval (index-access POST "id"))) connection))
80. SQL IAM Example
№ | Query hash     | Index     | Tokens
1 | 87248237482347 | [(28,-1)] | 1
2 | 13475837458758 | [(32,-1)] | 1
81. SQLi IAM Example
GET /app/?id=1000 HTTP/1.1
Host: example.com
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
select * from data where id=1000
select * from data where fname='john' or '1'='1'
1 ≠ 2
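The constant-replacement check of slides 49-50 and the profile check of slides 80-81 need the same tokenizer, so both are shown in one added example in Python (example code, not the prototype's). The agent comment format is the one shown on slide 55. The profile's hash function (a truncated sha1 of the static SQL text before the parameter slot) is an assumption, since the slides do not say how the query hash is computed; a slot index of (start, -1) is read as "from `start` to the end of the query". The sample queries are the page's own, plus one of the slide 52 bypass payloads:

```python
import hashlib
import json
import re

# Simplified SQL tokenizer (example code, not the prototype's ANTLR parser): whitespace and
# comments are dropped, everything else is one token. `1.` and `.1` are numbers, so the
# CRS/libinjection bypasses from slide 52 (`1.or-id`, `.1or-UTC_DATE`) split the way MySQL splits them.
TOKEN_RE = re.compile(r"""
    \s+ | /\*.*?\*/ | --[^\n]*                  # whitespace and comments
  | '(?:[^'\\]|\\.)*' | "(?:[^"\\]|\\.)*"       # string literals
  | \d+\.\d* | \.\d+ | \d+                      # numbers, including `1.` and `.1`
  | [A-Za-z_][A-Za-z0-9_]*                      # identifiers and keywords
  | <> | <= | >= | != | \|\| | &&               # multi-character operators
  | \S                                          # any other single character
""", re.VERBOSE | re.DOTALL)

def tokenize(sql):
    return [t for t in TOKEN_RE.findall(sql)
            if not t.isspace() and not t.startswith(("/*", "--"))]

AGENT_COMMENT_RE = re.compile(r"^\s*/\*(\{.*?\})\*/\s*(.*)$", re.DOTALL)

def split_agent_comment(query):
    """Split off the agent's JSON comment (format as on slide 55): returns (parameter values, bare SQL)."""
    m = AGENT_COMMENT_RE.match(query)
    if not m:
        return [], query
    meta = json.loads(m.group(1))
    values = [v for arg in meta.get("get_args", []) for v in arg.values()]
    return values, m.group(2)

def constant_replacement_check(query):
    """Slides 49-50: replace each HTTP parameter value found in the query with a constant and
    compare token counts. Returns (tokens_original, tokens_replaced, injection_detected)."""
    values, sql = split_agent_comment(query)
    replaced = sql
    for value in sorted(values, key=len, reverse=True):  # longest first, so a short value cannot split a longer one
        if value:
            replaced = replaced.replace(value, '""')
    n_orig, n_repl = len(tokenize(sql)), len(tokenize(replaced))
    return n_orig, n_repl, n_orig != n_repl

def query_hash(static_prefix):
    # Assumption: the profile identifies a query by a hash of the SQL text before the parameter slot.
    return hashlib.sha1(static_prefix.encode()).hexdigest()[:14]

def profile_row(static_prefix, expected_tokens=1):
    """One row of the SQL profile of slide 80: query hash, slot index and the token count the slot must hold."""
    return {"hash": query_hash(static_prefix), "index": (len(static_prefix), -1), "tokens": expected_tokens}

# Constructed profile for the two queries of the slide 75 PHP snippet; the IAM generates this from source code.
PROFILE = [
    profile_row("select * from data where id="),
    profile_row("select * from data where fname="),
]

def profile_check(query, profile=PROFILE):
    """Slide 81: count the tokens in the parameter slot of an observed query.
    Returns (expected_tokens, observed_tokens, injection_detected), or None if the query is not in the profile."""
    for row in profile:
        start, end = row["index"]
        if query_hash(query[:start]) != row["hash"]:
            continue
        slot = query[start:] if end == -1 else query[start:end]
        observed = len(tokenize(slot))
        return row["tokens"], observed, observed != row["tokens"]
    return None

if __name__ == "__main__":
    agent_query = '/*{"get_args":[{"id":"1 or true"}]}*/ select * from users where clientid = 1 or true'
    print(constant_replacement_check(agent_query))                              # (10, 8, True)
    print(profile_check("select * from data where fname='john' or '1'='1'"))   # (1, 5, True)
```

The two checks complement each other: the constant replacement needs the HTTP parameter to be visible in the query at the time it runs, which is why the second-order case of slides 75-81 escapes it (the payload arrived in an earlier request and sits in the database), while the profile check needs no request context at all but only knows the queries the IAM extracted from the code. A query that matches no profile row returns None here; a strict profiler would block it.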
Speaker notes
WAF is not just a set of rules,
WAF can employ various mechanisms to detect attacks,
Although WAF is about HTTP, in order to be effective it should correlate data from different sources.
And it is because web applications have changed.
Modern web applications are a mix of different technologies, frameworks and protocols. It is no longer enough just to analyze HTTP/1.1 packets as a set of parameters that may contain SQL injection payloads.
An effective WAF consists of several interconnected layers that can operate independently but also augment each other to achieve better protection.
Both WAF and DBFW are black boxes
WAF and DBFW can operate independently
WAF can enrich DBFW data for better protection