• No results found

(In-)Security of Backend-as-a-Service

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "(In-)Security of Backend-as-a-Service"

Copied!
56
0
0

Loading.... (view fulltext now)

Download now ( 56 Page )

Full text

(1)

13.11.15 | BlackHat Europe 2015 | 1

(In-)Security of Backend-as-a-Service

Siegfried Rasthofer (TU Darmstadt / CASED) Steven Arzt (TU Darmstadt / CASED)

Robert Hahn (TU Darmstadt) Max Kolhagen (TU Darmstadt)

(2)

13.11.15 | BlackHat Europe 2015 | 2

Steven Arzt

•  3rd year PhD-Student at TU Darmstadt

•  Maintainer of the Soot and FlowDroid frameworks

•  Works on static program analysis

•  Likes to look for vulnerabilities

#Whoami

Siegfried Rasthofer

•  3rd year PhD-Student at TU Darmstadt

•  Research interest in static-/dynamic code analyses

•  AOSP exploits, App security vulnerabilities

(3)

13.11.15 | BlackHat Europe 2015 | 3

Access to 56 Mio non-public records...

Remote code execution...

... with ease

Full VM control...

(4)

13.11.15 | BlackHat Europe 2015 | 4

IaaS

PaaS

SaaS

(5)

13.11.15 | BlackHat Europe 2015 | 5

(6)

13.11.15 | BlackHat Europe 2015 | 6

(7)
(8)

13.11.15 | BlackHat Europe 2015 | 8

Agenda

•  Introducing BaaS •  Security Analysis •  Findings •  Countermeasures •  The Wishlist •  Conclusion
(9)

13.11.15 | BlackHat Europe 2015 | 9

Backend-as-a-Service (1)

BaaS SDK Cloud APP
(10)

13.11.15 | BlackHat Europe 2015 | 10

Backend-as-a-Service (2)

BaaS

Android iOS ... JavaScript
(11)

13.11.15 | BlackHat Europe 2015 | 11

Backend-as-a-Service (3)

Push Notifications Data Storage

User Administration Social Network

(12)

13.11.15 | BlackHat Europe 2015 | 12

Amazon Tutorial

DB connection

BaaS SDK

AmazonS3Client s3Client = new AmazonS3Client(

(13)

13.11.15 | BlackHat Europe 2015 | 13

Amazon Tutorial

DB connection

AmazonS3Client s3Client = new AmazonS3Client(

new BasicAWSCredentials(“ACCESS_KEY_ID“, “SECRET_KEY“) );

BaaS SDK

“When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key

consists of an access key ID and a secret access key.

Anyone who has your access key has the same level of access to your AWS resources that you do.

Source: http://docs.aws.amazon.com/

(14)

13.11.15 | BlackHat Europe 2015 | 14

Amazon Tutorial

DB connection

AmazonS3Client s3Client = new AmazonS3Client(

new BasicAWSCredentials(“ACCESS_KEY_ID“, “SECRET_KEY“) );

BaaS SDK

“…The AWS SDKs use your access keys to sign requests for you so that you don't have to handle the signing process…”

http://docs.aws.amazon.com/ “…Secret access keys are, as the name implies, secrets, like your password…”

Jim Scharf Director, AWS Identity and Access Management

“ACCESS_KEY_ID“, “SECRET_KEY“

(15)

13.11.15 | BlackHat Europe 2015 | 15

IT Security 101

Peter “Hi, I am Peter” Identification “My password is Secret123” Authentication "I am allowed to access foo.txt” Authorization Server
(16)

13.11.15 | BlackHat Europe 2015 | 16

App Authentication Model

App Identification “Hi, I am app <Application ID>”

“My <Secret Key> is in the app” ??? Authentication

Server

(17)

13.11.15 | BlackHat Europe 2015 | 17

App Authentication Model

Server Peter

(18)

13.11.15 | BlackHat Europe 2015 | 18

Developer Opinion

[...]“The App-Secret key should be kept private - but when releasing the app they can be reversed by some guys. I want to know what is the best thing to

encrypt, obfuscate or whatever to make this

secure.“[...] (Source: stackoverflow.com)

Few ideas, in my opinion only first one gives some guarantee:

1.Keep your secrets on some server on internet, and when needed

just grab them and use.

2. Put your secrets in jni code

3.use obfuscator

4. Put your secret key as last pixels of one of your image in assets

(Source: stackoverflow.com)

Q:

R:

(19)

13.11.15 | BlackHat Europe 2015 | 19

SECURITY ANALYSIS

Let’s go for it
(20)

13.11.15 | BlackHat Europe 2015 | 20

Pre-Analysis (Parse example)

public void onCreate() { java.lang.String $S1, $S2;

$S1 = “34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e"; $S2 = “pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQCSW98BF7e3";

staticinvoke <Parse: void initialize(Context, String, String)>(this, $S1, $S2);

}

+

(21)

13.11.15 | BlackHat Europe 2015 | 21

Pre-Analysis result:

All records were accessible

Few developers used obfuscation techniques (“security

(22)

13.11.15 | BlackHat Europe 2015 | 22

(23)

13.11.15 | BlackHat Europe 2015 | 23

Mass Analysis

Apk 1 ... Apk 2 Apk n Pre-Analysis Library-Detection Key-Extraction Tablename Extraction Exploit Information Exploit-Generator Concrete Database Information
(24)

13.11.15 | BlackHat Europe 2015 | 24 Apk 1 ... Apk 2 Apk n Pre-Analysis Library-Detection Key-Extraction Tablename Extraction Exploit Information Exploit-Generator Concrete Database Information

How can we extract

specific information

(25)

13.11.15 | BlackHat Europe 2015 | 25

APK Information Extraction

$S1 = “34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e";

$S2 = “pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQCSW98BF7e3";

staticinvoke <Parse: void initialize(Context, String, String)>(this, $S1, $S2);

1.  API Identification

2. Information Extraction:

(26)

13.11.15 | BlackHat Europe 2015 | 26

HARVESTER (Hybrid Data Extraction)

Harvesting Runtime Data in Android Applications for Identifying Malware and Enhancing Code Analysis

Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden Technical Report, February 2015.

(27)

13.11.15 | BlackHat Europe 2015 | 27

Data Access

Apk 1 ... Apk 2 Apk n Pre-Analysis Library-Detection Key-Extraction Tablename Extraction Exploit Information Exploit-Generator Concrete Database Information “34lI1wgISkIUpTunWRAzXei20H3N AL7W6buKTe7e" “pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQ CSW98BF7e3" “CreditCardDataTable" “ContactDataTable" ... BaaS API
(28)

13.11.15 | BlackHat Europe 2015 | 28

OUR FINDINGS

So … how bad is it?
(29)

13.11.15 | BlackHat Europe 2015 | 29

Findings Parse

Purchase data User-centric location data Facebook Information -  User‘s friends -  User‘s blocked friends Contact data Valid email addresses Birthday

Information Phone numbers

Pictures Precise car

(30)

13.11.15 | BlackHat Europe 2015 | 30

Findings Parse (2)

We know what you did this summer: Android Banking Trojan exposing its sins in the cloud

Siegfried Rasthofer, Eric Bodden, Carlos Castillo, Alex Hinchliffe VirusBulletin 2015, AVAR 2015

Intercepted SMS

messages C&C tasks

C&C commands Leaked data

(31)

13.11.15 | BlackHat Europe 2015 | 31

Responsible Disclosure Process – Parse (Facebook)

Full access to 100 tables Partial access to 32 tables ( ~56 Mio Data)

Contacted Facebook with a few samples

Facebook verified it and asked for more data We provided all information

28th April 2015 5th Mai 2015 18th Mai 2015

12th Nov 2015 Full access to 99 tables Partial access to 33 tables

20th Mai 2015 Facebook forwarded everything to Parse (we assume they contacted the developers)

(32)

13.11.15 | BlackHat Europe 2015 | 32

Findings Amazon (3)

(33)

13.11.15 | BlackHat Europe 2015 | 33

Findings Amazon (4)

(34)

13.11.15 | BlackHat Europe 2015 | 34

COUNTERMEASURES

How can we get it right?
(35)

13.11.15 | BlackHat Europe 2015 | 35

IT Security 101: ACLs

Peter Howard Peter‘s stuff Howard’s stuff

X

X

(36)

13.11.15 | BlackHat Europe 2015 | 36

Recall: App Authentication Model

Server Peter

(37)

13.11.15 | BlackHat Europe 2015 | 37

Two BaaS Usage Scenarios

Authenticated User

(38)

13.11.15 | BlackHat Europe 2015 | 38

Two BaaS Usage Scenarios

Authenticated User

Anonymous Users

ACL

(39)

13.11.15 | BlackHat Europe 2015 | 39

ACLs in The App Security Model

Peter

Howard

Peter‘s stuff

Howard’s stuff

Anonymous Users Public stuff

(40)

13.11.15 | BlackHat Europe 2015 | 40

(41)

13.11.15 | BlackHat Europe 2015 | 41

Amazon Key Hierarchy (2)

Root Account (AWS Account)

App1 Account App2 Account

(42)

13.11.15 | BlackHat Europe 2015 | 42

Amazon Token Vending Machine (1)

Sample available, final implementation is on you

Needs hosting. Tomcat, Elasticbeanstalk anyone?

(43)

13.11.15 | BlackHat Europe 2015 | 43

Amazon Token Vending Machine (2)

Although you will need to use your AWS account credentials to deploy the TVM, we recommend that you do not run the TVM under your AWS account. Instead, create an IAM

user and configure the TVM to use the credentials of this IAM user, which we will call the TVM user.

So, we have S3, TVM, IAM, Elastic Beanstalk

(44)

13.11.15 | BlackHat Europe 2015 | 44

Amazon Token Vending Machine (3)

You would need to modify the provided samples in order to implement these user-specific policy objects. For more information about policy objects, see the

Identity and Access Management (IAM) documentation

•  What if I want ACLs?

(45)

13.11.15 | BlackHat Europe 2015 | 45

Amazon Cognito (1)

•  Provides Identity Management

•  Real users

•  Anonymous identities

•  Rather New Service

(46)

13.11.15 | BlackHat Europe 2015 | 46

Amazon Cognito (2)

Note: If you created your identity pool before February 2015, you will need to reassociate your roles with your identity pool in order to use this constructor without the roles as parameters. To do so, open the

Amazon Cognito Console, select your identity pool, click

Edit Identity Pool, specify your authenticated and unauthenticated roles, and save the changes.

(47)

13.11.15 | BlackHat Europe 2015 | 47

Amazon Cognito (5)

(48)

13.11.15 | BlackHat Europe 2015 | 48

Amazon Cognito (6)

(1) User credentials or nothing Amazon Cognito (2) Temporary AWS credentials S3 (3) Temporary AWS credentials
(49)

13.11.15 | BlackHat Europe 2015 | 49

Parse.com ACLs (1)

Source: http://blog.parse.com/learn/engineering/parse-security-ii-class-hysteria/

(50)

13.11.15 | BlackHat Europe 2015 | 50

Parse.com ACLs (2)

http://blog.parse.com/announcements/protect-user-data-with-new-parse-features/ Cloud ? 0x1238409
(51)

13.11.15 | BlackHat Europe 2015 | 51

Parse.com ACLs (3)

Anonymous users are special, however, in that once logged out, the user cannot be recovered – a new user will need to be created, and the original user (and its associated data) will be orphaned.

Double-ch

eck your clo ud

storage sp

(52)

13.11.15 | BlackHat Europe 2015 | 52

Parse.com Global Settings

Source: http://blog.parse.com/learn/engineering/parse-security-ii-class-hysteria/ Get this w rong and o ffer free disk sp ace to anyo ne!

(53)

13.11.15 | BlackHat Europe 2015 | 53

THE WISHLIST

What now?
(54)

13.11.15 | BlackHat Europe 2015 | 54

What shall change?

Legal Framework Improved Documentation Checks and Alerts

(55)

13.11.15 | BlackHat Europe 2015 | 55

Takeaway Messages

•  Security in the cloud doesn‘t come for free

•  Attacks are free, effortless, and simple

•  Mitigation techniques exist

Ø  People must care about them

(56)

13.11.15 | BlackHat Europe 2015 | 56

Siegfried Rasthofer

Secure Software Engineering Group Email: siegfried.rasthofer@cased.de

Twitter: @CodeInspect

Steven Arzt

Secure Software Engineering Group Email: steven.arzt@cased.de

Blog: http://sse-blog.ec-spride.de Website: http://sse.ec-spride.de

References

Download now ( PDF - 56 Page - 6.93 MB )

Related documents

White Paper Build versus rent Why municipal and industrial organizations should consider owning an outdoor broadband infrastructure

Greater control over bandwidth, website access and security policies for city workers: Network ownership gives cities the control and flexibility to set bandwidth and access

E 2016E 2017E E 2016E 2017E

The restaurant casino which certainly has a lower growth rate, however, with a catalyst in the form of a hastening of the re-regulation within a not too far off future, along with

Real effects of inflation through the redistribution of nominal wealth

Even so, as long as the government’s windfall is not used to increase government spending (which does not enter utility), in every scenario the positive welfare effect arising

The value of C-reactive protein and lactate in the acute abdomen in the emergency department

Case presentation: This report describes the presentation of three critically ill patients with non-traumatic acute abdominal pain and increased concentrations of the

Controls of Caribbean surface hydrology during the mid- to late Holocene: insights from monthly resolved coral records

In order to investigate seasonal to multidecadal variabil- ity patterns of surface hydrology in the Caribbean Sea during the mid- to late Holocene, we use decades-long monthly

Analysis of Partial-Select Concern Free SRAM with Low Leakage Power

In our paper, a new design of PSCF8T SRAM is designed and simulated using 0.18µm CMOS technology and it is compared with different SRAM bit cell configurations. At V DDmin ,

Islamic Wealth Management: a catalyst for global change and innovation

PART 5 – WEALTH MANAGEMENT: ALTERNATIVE INVESTMENT STRATEGIES 25 Islamic banks and sukuk: growing fast, but still fragmented. Anouar