CYBERJUTSU ACADEMY.
We make security easier to learn!
PHU QUOC, 2024
Can you spot the bug?
Untrusted Data
Integer Overflow (0x + 1)
Untrusted Data
OS Command Injection
Format String
The approach
What is this?
Treat code as graph!
Joern's philosophy
What is a graph?
edge
node
void foo()
{
int x = source();
if (x < MAX)
{
int y = 2 * x;
sink(y);
}
}
Abstract Syntax Trees (ASTs) Control Flow Graph Program Dependency Graph
Abstract Syntax Trees (ASTs): represent the structure of the source code, but lack information about the flow of execution.
Control Flow Graph: represents the flow of execution, but does not represent the detailed syntactic structure.
Program Dependency Graph: makes data and control dependencies explicit, but does not represent the detailed syntactic structure.
Code Property Graphs
= AST + CFG + PDG
Joern adds further layers of information on top of the CPG.
Code Property Graphs
Vulnerability patterns in a nutshell
CyberJutsu - The Joern-ey of Static Code Analysis.pdf
THE JOERN-EY
OF STATIC CODE ANALYSIS
Joern 101
• Code Property Graphs: generator + traversal tool
• Quick to install: supports many languages
• Flexible: no need for a complete build
• High performance, fast: intuitive query language
How does Joern work?
Source code, bytecode or binary code goes through a fuzzy parser, is stored as a CPG in a graph database, and is then queried for insights, bugs and 0days.
For everyone!
Language: suitable research areas
C/C++ Binary: System exploitation, IoT security, Malware analysis
Java: Web application security, Mobile security (Android), Malware analysis
JavaScript: Web application security, Browser security
Python: Security scripting, Malware analysis, Automated exploitation
x86/x64: Binary exploitation, Malware analysis, Reverse engineering
JVM Bytecode: Advanced Java security analysis, Java reverse engineering
Kotlin: Android application security
PHP: Web application security
Go: Microservices security, Modern malware analysis
Ruby: Web application security, Ruby on Rails framework security
Swift: iOS application security
C#: .NET application security, Windows security
Navigating the 3D space of source code.
cpg.method.name: here cpg is the root node, method a node-type step and name a property directive.
Traversal Basics
Node-Type Steps: .method, .call, .identifier, .literal, .file, ...
Property Directives: .name, .name("main"), .lineNumber(10), .argument(1), ...
Others, Advanced: .help, .map(...), .filter(...), .where(...), sink.reachableBy(source), sink.reachableByFlows(source)
cpg: the root node, the raw material every traversal starts from.
cpg.file
.toList converts the result of a query into a List.
Regular expressions are accepted by default in the parameters of queries.
cpg.method
joern> cpg.method.name("main")
Finds every method declaration named main.
...
joern> cpg.method.name("main").file.name("format_string.c")
Finds every method declaration named main whose node lives in the file format_string.c.
cpg.call
joern> cpg.call("printf")
Finds every call to printf.
...
joern> cpg.call("printf").map(p => (p.code)).toList
Finds every call to printf and uses .map to reshape the output so that only the relevant code snippet is returned.
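Putting the traversal steps above together, here is an added example (not from the slides) of purely structural queries written as a Joern script: it finds C functions that both read input with scanf and call system, and lists printf-family calls whose format argument is not a string literal. It assumes a C CPG has already been loaded with importCode; the function names, the formatArgIndex table and the shape of the report are this example's own choices, and the only API used is the steps listed above (.method, .call, .name, .where, .map, .l / .toList).

```scala
// Added example, not part of the CyberJutsu deck. Structural queries only:
// no data-flow engine is needed. Assumes a CPG of a C project is loaded
// (importCode("./src")). The joern shell pre-imports this package; the import
// only matters when the file is run with `joern --script`.
import io.shiftleft.semanticcpg.language._

// Functions that both read input with scanf and shell out with system.
// .ast walks every node below the method; .isCall keeps only calls.
// Two .where steps mean both conditions must hold for the same method.
def scanfAndSystem = cpg.method
  .where(_.ast.isCall.name("scanf"))
  .where(_.ast.isCall.name("system"))

// Same result, reshaped with .map into (name, file, line) tuples and
// materialised with .l (short for .toList).
def scanfAndSystemReport = scanfAndSystem
  .map(m => (m.name, m.location.filename, m.lineNumber.getOrElse(-1)))
  .l

// Position of the format argument in each printf-family function
// (Joern numbers arguments from 1, as the deck's .argument(1) shows).
val formatArgIndex = Map("printf" -> 1, "fprintf" -> 2, "sprintf" -> 2, "snprintf" -> 3)

// printf-family calls whose format argument is NOT a string literal.
// A constant format string cannot be attacker-controlled, so these are the
// only calls worth handing to the data-flow engine later.
def nonLiteralFormatCalls = cpg.call
  .nameExact(formatArgIndex.keys.toSeq: _*)
  .filter { c =>
    val idx = formatArgIndex(c.name)
    c.argument.argumentIndex(idx).isLiteral.isEmpty
  }

// .name accepts a regex by default, so one query covers the whole family.
def allPrintfFamilyCode = cpg.call.name("(f|s|sn)?printf").code.l

// Usage in the joern shell after importCode("./src"):
//   scanfAndSystemReport
//   nonLiteralFormatCalls.map(c => (c.code, c.lineNumber)).l
```

The point of the last query is triage: the data-flow engine is the expensive step, so a cheap structural filter that drops constant-format printf calls shrinks the sink set before any flow is computed.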
The heart of static code analysis:
Data Flow Tainting
Source
Sink (OS command injection)
Data Flow Tainting
joern> val sink = cpg.call("system").argument(1)
Define the sink: the first argument of system.
joern> val source = cpg.call("scanf").argument(2)
Define the source: the buffer scanf writes into (its second argument).
joern> sink.reachableByFlows(source).p
Find every path along which the source can reach the sink.
Command Injection in C
Detect Integer Overflow
Untrusted Data
Integer Overflow (0x + 1)
First we have to define the pattern: what does an Integer Overflow bug look like?
It is when untrusted data in integer form ends up in an addition (or subtraction).
joern> val source = cpg.call("atoi")
joern> val sink = cpg.call(Operators.addition)
joern> sink.reachableByFlows(source).p
Integer Overflow in C
Source
Format string
Integer Overflow in C
Challenge (Format String) :D
joern> val sink = cpg.call("____").argument(__)
joern> val source = cpg.call("____").argument(__)
joern> sink.reachableByFlows(source).p
Define the sink.
Define the source (buffer).
Find every path along which the source can reach the sink.
Format String in C
joern> val sink = cpg.call("printf").argument(1)
joern> val source = cpg.call("scanf").argument(2)
joern> sink.reachableByFlows(source).p
Define the sink: the format argument of printf.
Define the source: the buffer scanf writes into.
Find every path along which the source can reach the sink.
Format String in C
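The three C patterns above (command injection, integer overflow, format string) share the same source/sink/reachableByFlows shape, so here they are packaged as one Joern script. This is an added example, not code from the deck; it assumes a C CPG loaded with importCode and the joern shell's implicit EngineContext, and the entry-point name main with its inputPath parameter follow the `joern --script` convention. Two refinements are its own: the format-string sink drops string-literal formats, and the integer-overflow sink is narrowed from every addition to malloc size arguments whose path passes through an arithmetic operator.

```scala
// Added example, not part of the CyberJutsu deck. The deck's three C patterns
// (command injection, integer overflow, format string) as one script, with
// two refinements. Run with: joern --script c_patterns.sc --param inputPath=./src
// The joern shell pre-imports these packages and supplies the implicit
// EngineContext that reachableByFlows needs.
import io.shiftleft.semanticcpg.language._
import io.joern.dataflowengineoss.language._
import io.shiftleft.codepropertygraph.generated.Operators
import io.shiftleft.codepropertygraph.generated.nodes.Call

// Sources: the buffer scanf writes into, and every value atoi returns.
def scanfBuffers = cpg.call("scanf").argument(2)
def atoiResults  = cpg.call("atoi")

// Pattern 1: OS command injection, exactly as on the deck.
def shellArgs = cpg.call("system").argument(1)

// Pattern 3: format string. The deck's sink is every first argument of printf;
// dropping string-literal formats removes the cases that can never be
// controlled by input, which is most of the noise.
def formatArgs = cpg.call("printf").argument(1).whereNot(_.isLiteral)

// Pattern 2: integer overflow. The deck's sink is every addition, which also
// fires on harmless loop counters. Here the sink is the size argument of
// malloc and only paths that pass through an arithmetic operator are kept:
// an attacker-controlled size that was added to or multiplied is where an
// overflow turns into an undersized buffer.
val arithmetic = Set(Operators.addition, Operators.subtraction, Operators.multiplication)

def overflowFlows = cpg.call("malloc").argument(1)
  .reachableByFlows(atoiResults)
  .filter(_.elements.exists {
    case c: Call => arithmetic.contains(c.name)
    case _       => false
  })

// Render each path as "first element -> last element" with line numbers,
// more compact than .p when triaging many results.
def describe(label: String, flows: IterableOnce[Path]): List[String] =
  flows.iterator.map { path =>
    val src = path.elements.head
    val snk = path.elements.last
    s"$label: ${src.code} (line ${src.lineNumber.getOrElse(-1)}) -> " +
      s"${snk.code} (line ${snk.lineNumber.getOrElse(-1)})"
  }.toList

def commandInjection = describe("command-injection", shellArgs.reachableByFlows(scanfBuffers))
def formatString     = describe("format-string", formatArgs.reachableByFlows(scanfBuffers))
def integerOverflow  = describe("integer-overflow", overflowFlows)

// Script entry point (joern --script convention): load the code, run all three.
@main def main(inputPath: String) = {
  importCode(inputPath)
  (commandInjection ++ integerOverflow ++ formatString).foreach(println)
}
```

The narrowed overflow sink trades recall for precision: it will miss an overflowed sum that is used as an array index rather than an allocation size, so a practitioner would keep the deck's broad `Operators.addition` query for a first pass and switch to this one when the result list is too long to read.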
Demo
COMMAND INJECTION (example)
PATH TRAVERSAL (real-world)
SQL INJECTION (real-world)
Source
Sink (OS command injection)
COMMAND INJECTION
joern> val source = cpg.method.where(_.annotation.name("GetMapping")).parameter
Define the source: the parameters of GetMapping handlers (the command).
joern> val sink = cpg.method.fullName(".*java.lang.Runtime.exec.*").parameter
Define the sink: Runtime.getRuntime().exec.
joern> sink.reachableByFlows(source).p
Find every path along which the source can reach the sink.
PATH TRAVERSAL: REALWORLD
CVE-2022-27925 Detail
Description: Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
Severity
Scenario: reproduce the CVE and look for variants.
Approach: reproduce the CVE and look for variants.
The untrusted data is the ZIP file, so the source is the set of methods involved in extracting its files.
joern> val source = cpg.call.typeFullName(".*java.util.zip.ZipEntry.*")
Define the sinks: a few basic Path Traversal sinks in Java.
Find every path along which the source can reach the sink.
joern> val path = sink.reachableByFlows(source).p
Source
Sink
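The two Java demos above (Spring command injection and the ZIP path traversal) are combined below into one Joern script. This is an added example, not the deck's code, and it fills the slide's "define sinks" step with an assumed list of Java file-system sinks (File, FileOutputStream, FileInputStream constructors and Paths.get); the extra Spring annotations, the ZipEntry.getName source, the control-dependence heuristic for containment checks, and the main/inputPath entry point are likewise this example's own assumptions, not something the slides state.

```scala
// Added example, not part of the CyberJutsu deck. Spring handler parameters
// (and ZIP entry names, for the Zimbra scenario) as sources; the deck's
// Runtime.exec sink plus an ASSUMED list of Java file-system sinks for path
// traversal. Run with: joern --script java_patterns.sc --param inputPath=./src
// The joern shell pre-imports these packages and provides the implicit
// EngineContext that reachableByFlows needs.
import io.shiftleft.semanticcpg.language._
import io.joern.dataflowengineoss.language._
import io.shiftleft.codepropertygraph.generated.nodes.Expression

// Source 1: parameters of Spring request handlers. Extends the deck's
// GetMapping query to the other mapping annotations and drops the implicit
// `this` parameter, which is never attacker-controlled.
def webParams = cpg.method
  .where(_.annotation.name("GetMapping|PostMapping|PutMapping|DeleteMapping|RequestMapping"))
  .parameter
  .whereNot(_.nameExact("this"))

// Source 2: file names taken from a ZIP entry. The deck matches every call
// typed ZipEntry; matching the getName call is narrower and already a String.
def zipEntryNames = cpg.call.methodFullName(".*java\\.util\\.zip\\.ZipEntry\\.getName.*")

// Sink 1: arguments passed to Runtime.exec. Same sink as the deck, addressed
// from the call side (.argument) instead of the external method's .parameter.
def execArgs = cpg.call.methodFullName(".*java\\.lang\\.Runtime\\.exec.*").argument

// Sink 2 (assumed list, not from the deck): constructors and factories that
// turn a String into a file-system path.
val fileSinkPatterns = Seq(
  ".*java\\.io\\.File\\.<init>.*",
  ".*java\\.io\\.FileOutputStream\\.<init>.*",
  ".*java\\.io\\.FileInputStream\\.<init>.*",
  ".*java\\.nio\\.file\\.Paths\\.get.*"
)
def fileSinks = cpg.call.methodFullName(fileSinkPatterns: _*).argument

// Heuristic (assumed): if the sink call is control-dependent on a containment
// check (startsWith after getCanonicalPath/normalize), the finding is probably
// guarded. It is flagged rather than dropped, so a reviewer still sees it.
def isGuarded(sinkArg: Expression): Boolean =
  sinkArg.inCall.controlledBy.ast.isCall
    .name("startsWith|getCanonicalPath|normalize")
    .nonEmpty

def summarize(label: String, flows: IterableOnce[Path]): List[String] =
  flows.iterator.map { path =>
    val src = path.elements.head
    val snk = path.elements.last
    val note = snk match {
      case e: Expression if isGuarded(e) => "  [guarded, review manually]"
      case _                             => ""
    }
    s"$label: ${src.code} (line ${src.lineNumber.getOrElse(-1)}) -> " +
      s"${snk.code} (line ${snk.lineNumber.getOrElse(-1)})$note"
  }.toList

def commandInjection = summarize("command-injection", execArgs.reachableByFlows(webParams))
def pathTraversal = summarize(
  "path-traversal",
  fileSinks.reachableByFlows(webParams).iterator ++ fileSinks.reachableByFlows(zipEntryNames).iterator
)

// Script entry point (joern --script convention).
@main def main(inputPath: String) = {
  importCode(inputPath)
  (commandInjection ++ pathTraversal).foreach(println)
}
```

The guard heuristic is deliberately conservative: a containment check expressed as a data-flow sanitiser (a helper that returns the cleaned path) would not be caught by control dependence, which is exactly why the finding is annotated rather than suppressed. For the Zimbra scenario, zipEntryNames is the source that matters, since the entry names come from the uploaded archive rather than from a request parameter.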
Conclusion
Pros:
• Hacking at scale
• Easy to visualise source code as a graph
• Easy-to-use query language
• Extensible, open source
• Supports many languages
Cons:
• Lower accuracy in some cases
• Limited documentation
• No built-in support for some vulnerability classes
Further ideas:
• The 4th dimension: real time! (Joern + Fuzzing)
• Joern + Machine Learning
Joern + Fuzzing (4d)
CyberJutsu Academy
WE TRAIN YOUR TEAM!
CyberJutsu JSC, since 2017.
Professional training and cutting-edge penetration testing services.
We transform learners and fortify businesses.
Contact us: contact@cyberjutsu.io
Website: https://cyberjutsu.io
Thank you!
