Avoiding Compliance Issues in ABAP code - Virtual Forge
Andreas Wiegenstein, Dr. Markus Schumacher
„Daimler ITM/S Global Information Security Conference", 23. - 25. April, Stuttgart
© 2012 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Disclaimer
This session shows security risks in the ABAP programming language. The fact that certain security defects can occur in ABAP does not necessarily imply that such defects exist in SAP standard code. However, Virtual Forge has found all security defects discussed in this session in code written by SAP customers.
My car, my house, my boat, …
Andreas Wiegenstein
• Founder of Virtual Forge (Heidelberg), responsible for Research & Development
• SAP Security Researcher, active since 2003
• Received Credits from SAP for more than 20 reported 0-day Vulnerabilities
• Frequent Speaker at international Conferences
  • SAP TechEd 2004 (USA & Europe) / 2005 (USA) / 2006 (USA), DSAG 2009
  • BlackHat 2011 (Europe), Hack in the Box 2011 (Europe)
  • Troopers 2011 / 2012, RSA 2012 (USA)
• Co-Author of „Sichere ABAP Programmierung" (SAP Press)
• Training Class WDESA3 @ SAP University
„Our SAP systems are secure…"
„…and this is our ABAP security department."
The Attack Surface of ABAP
SAP ALL in 5 Minutes… (Part 1)
DEMO
ABAP Vulnerabilities (1a): Authorizations

  REPORT ZFT.
  DATA lv_msg TYPE string.

  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD '*'
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD 'ZTEST'
    ID 'ACTVT'    FIELD '02'.
  " CONCATENATE sets sy-subrc itself, so the result of the AUTHORITY-CHECK above is overwritten before it is tested
  CONCATENATE 'No authority in ' SY-REPID INTO lv_msg.
  IF sy-subrc <> 0.
    WRITE : / lv_msg.
    EXIT.
  ENDIF.
ABAP Vulnerabilities (1b): Authorizations

  REPORT ZFT.
  DATA lv_msg TYPE string.

  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' FIELD 'ZHR'          " Meaningful restriction
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD 'ZTEST'
    ID 'P_GROUP'  DUMMY                " ID intentionally ignored
    ID 'ACTVT'    FIELD '02'.
  IF sy-subrc <> 0.                    " sy-subrc correctly checked
    CONCATENATE 'No authority in ' SY-REPID INTO lv_msg.
    WRITE : / lv_msg.
    EXIT.
  ENDIF.
ABAP Vulnerabilities (1c): Authorizations

  * Proprietary Authorization Check
  IF sy-uname NE 'WIEGENSTEINA'.
    RAISE no_authority.
  ENDIF.
ABAP Risks (2): Client Separation
SAP maintains multiple Clients
Diagram: Client Separation between Client 007, Client 023 and Client 042 (© 2010 Virtual Forge GmbH. All rights reserved.)
Risks
• Cross-client Access to Business Data
ABAP Vulnerabilities (2): Client Separation

  * OPEN SQL
  DELETE FROM usr02 CLIENT SPECIFIED.

  * Native SQL
  EXEC SQL.
    DELETE FROM usr02.
  ENDEXEC.

  * ABAP Database Connectivity (ADBC)
  CALL FUNCTION 'DB_EXECUTE_SQL'
    EXPORTING
      stmt = 'DELETE FROM usr02'.
ABAP Risks (3): Development Process
Controlled Development & Quality Assurance
Diagram: System Separation DEV → (Transport) → TEST → (Transport) → PROD
Risks
• Bypassing Quality Assurance
• Developing Code on the Productive System
ABAP Vulnerabilities (3): Development Process

  PARAMETERS lv_name TYPE string.
  DATA lt_prog TYPE TABLE OF string WITH HEADER LINE.

  IF sy-sysid = 'PFI'.                     " Code only runs on Prod-System
    lt_prog = 'REPORT ZFT.'. APPEND lt_prog.
    CONCATENATE `DATA lv_tmp(80) TYPE c VALUE '` lv_name `'.` INTO lt_prog. APPEND lt_prog.
    lt_prog = 'WRITE / lv_tmp.'. APPEND lt_prog.
    INSERT REPORT 'ZFT' FROM lt_prog.      " Development without ABAP Workbench
    SUBMIT ('ZFT').
  ENDIF.
ABAP Risks (4): Operating System Commands
Controlled Execution of Operating System Commands
Diagram: ABAP → OS Call → SM49/SM69 Command (LIST, PING, X_PYTHON) → Program (ls, ping, x_python) → OS Command → OS
SAP Standard Function Modules
• SXPG_CALL_SYSTEM
• SXPG_COMMAND_EXECUTE
Risks
• Insecure Alternatives
ABAP Vulnerabilities (4): Operating System Commands
1. Kernel calls

  CALL 'SYSTEM' ID 'COMMAND' FIELD 'net.exe user test pass /add'
                ID 'TAB'     FIELD rt-*sys*.

2. Filter option in OPEN DATASET

  OPEN DATASET lv_file FOR OUTPUT IN TEXT MODE ENCODING DEFAULT FILTER 'format c:'.

3. Residual Risks
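As an added example (not part of the slides), the controlled path the previous slide refers to: the OS call goes through the SM49/SM69 command store via SXPG_COMMAND_EXECUTE instead of a kernel call. The report name is hypothetical and the SM69 command PING is assumed to exist; the command name is fixed in code, only the parameter string is user input, and it is validated before the call.

```abap
* Added example (not from the slides): the OS call routed through the SM49/SM69
* command store via SXPG_COMMAND_EXECUTE. Only the parameter string is user-supplied.
REPORT zvf_os_cmd_demo.                          " hypothetical report name

PARAMETERS p_host TYPE c LENGTH 64 LOWER CASE.   " argument for the PING command

DATA: lt_protocol TYPE STANDARD TABLE OF btcxpm,
      ls_protocol TYPE btcxpm,
      lv_params   TYPE sxpgcolist-parameters,
      lv_host     TYPE string.

* Allow only host-name characters, so shell metacharacters never reach the OS.
* (The copy into a string drops the trailing blanks of the PARAMETERS field.)
lv_host = p_host.
IF lv_host IS INITIAL OR lv_host CN 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-'.
  MESSAGE 'Invalid host name' TYPE 'E'.
ENDIF.
lv_params = lv_host.

CALL FUNCTION 'SXPG_COMMAND_EXECUTE'
  EXPORTING
    commandname                = 'PING'          " assumed to be defined in SM69
    additional_parameters      = lv_params
  TABLES
    exec_protocol              = lt_protocol
  EXCEPTIONS
    no_permission              = 1   " caller lacks S_LOG_COM for this command
    command_not_found          = 2
    parameters_too_long        = 3
    security_risk              = 4   " SM69 rejected the additional parameters
    wrong_check_call_interface = 5
    program_start_error        = 6
    program_termination_error  = 7
    x_error                    = 8
    parameter_expected         = 9
    too_many_parameters        = 10
    illegal_command            = 11
    OTHERS                     = 12.

* Never ignore sy-subrc: a refused command must not look like a successful one.
IF sy-subrc <> 0.
  MESSAGE 'OS command refused or failed' TYPE 'E'.
ENDIF.

LOOP AT lt_protocol INTO ls_protocol.
  WRITE: / ls_protocol-message.
ENDLOOP.
```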
General Problems in ABAP Security
• No Precedent (ABAP Hack) in the press
• Managers and Developers lack Awareness
• Very large amounts of custom Code
• Massive Legacy Problems
• No central Responsibility in Corporations
• ABAP Security is an S.E.P. (Someone Else's Problem)
• Quality of 3rd Party Code not transparent
• Backdoors & Security Defects are Part of the Delivery
• Missing Know-How
• No Guidelines, No Trainings, No Test Tools
2. Compliance Risks
ABAP Security in a Compliance Context
Diagram: ICS-Structure in the ERP Environment: IT General Controls (ITGC) → Change Management → ABAP Code; Business Risks regarding Completeness, Correctness, Segregation of Duties, Rights, Non-Repudiation, Data Protection, …
ABAP Code Risks
Exemplary technical Defects
• Unauthorized Execution of Business Logic
  • Authorization Defects, ABAP Command Injection, OS Command Injection
• Unauthorized read Access to Business and Configuration Data
  • OSQL Injection, Cross-Client DB Access, Directory Traversal, ABAP Command Injection
• Unauthorized write Access to Business and Configuration Data
  • OSQL Injection, ADBC Injection, Directory Traversal, ABAP Command Injection
• Jeopardizing the Availability of the System
  • ADBC Injection, OS Command Injection, Directory Traversal, ABAP Command Injection
• Adverse Effects on Non-Repudiation
  • ADBC Injection, ABAP Command Injection
• Identity Theft
  • Alias Authorizations, Cross-Site Scripting, Cross-Site Request Forgery
Check List BIZEC APP/11
The most common Security Defects in ABAP Programs

  ID      Defect                                                        Description
  APP-01  ABAP Command Injection                                        Execution of arbitrary ABAP Code
  APP-02  OS Command Injection                                          Execution of arbitrary Operating System Commands
  APP-03  Improper Authorization (Missing, Broken, Proprietary, Generic) Missing or erroneous Authorization Checks
  APP-04  Generic Module Execution                                      Unauthorized Execution of Modules (Reports, FuMo, etc.)
  APP-05  Cross-Client Database Access                                  Cross-Client Access to Business Data
  APP-06  SQL Injection                                                 Malicious Manipulation of Database Commands
  APP-07  Unmanaged SQL                                                 Usage of native SQL Commands
  APP-08  Cross-Site Scripting                                          Manipulation of Browser UI, Authorization Theft
  APP-09  Cross-Site Request Forgery                                    Execution of Business Logic in the Name of a different User
  APP-10  File Upload (Malware)                                         Storage of malicious Files on an SAP Server
  APP-11  Directory Traversal                                           Unauthorized read/write Access to Files (SAP Server)
Risks of SQL Injection (APP-06)
Exemplary Analysis of a technical Risk
• Illegal Access to data of another SAP Client
• Manipulation of User Accounts and Authorizations (SOX Violation)
  • E.g. assign SAP_ALL Rights to unauthorized Users
• Undocumented Changes to critical Tables (SOX Violation)
  • No Entries in CDHDR, CDPOS, …
• Read Access to HR Data (Violation of Data Protection Law)
  • E.g. Social Security Number (PA0002-PERID)
• Access to Credit Card Data (PCI/DSS Violation)
  • E.g. BSEGC-CCNUM
• Access to Bank Account Data of Customers and Suppliers
  • E.g. Customer Bank Data (KNBK-BANKN)
• Manipulation of financial Data (SOX Violation)
  • E.g. Manipulation of Table BSEG
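As an added example (not part of the slides), a dynamic WHERE clause on the customer bank table KNBK named above, first in its injectable form and then hardened. It also applies the pattern of slides 1a/1b (sy-subrc tested immediately after the AUTHORITY-CHECK) and slide 2 (no CLIENT SPECIFIED). The report name and the authorization group 'FC01' are placeholders, and the class cl_abap_dyn_prg is assumed to be available (NetWeaver 7.02 and later).

```abap
* Added example (not from the slides): a dynamic WHERE clause built from user
* input, shown in its injectable form and in a hardened form.
REPORT zvf_sqli_demo.                        " hypothetical report name

PARAMETERS: p_field TYPE c LENGTH 30,        " column to filter on
            p_value TYPE c LENGTH 40 LOWER CASE.  " value typed by the user

DATA: lv_where  TYPE string,
      lv_value  TYPE string,
      lv_quoted TYPE string,
      lt_bank   TYPE STANDARD TABLE OF knbk,
      ls_bank   TYPE knbk.

lv_value = p_value.

* Vulnerable: the raw input is pasted into the statement. A single quote in
* p_value ends the literal early and the rest of the input becomes part of the SQL.
* CONCATENATE p_field ` = '` lv_value `'` INTO lv_where.

* Hardened, step 1: the column name must be one of a fixed set; it is never
* taken over from the input unchecked.
CASE p_field.
  WHEN 'KUNNR' OR 'BANKS' OR 'BANKL'.
  WHEN OTHERS.
    MESSAGE 'Filtering on this column is not allowed' TYPE 'E'.
ENDCASE.

* Step 2: cl_abap_dyn_prg=>quote (assumed available) wraps the value in single
* quotes and doubles any quote inside it, so it can only ever be a literal.
lv_quoted = cl_abap_dyn_prg=>quote( lv_value ).
CONCATENATE p_field ` = ` lv_quoted INTO lv_where.

* Step 3: the same table authorization a static SELECT on KNBK would need.
* 'FC01' is a placeholder for the table's real authorization group.
AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'DICBERCLS' FIELD 'FC01'
  ID 'ACTVT'     FIELD '03'.
IF sy-subrc <> 0.                            " tested before any data is read
  MESSAGE 'No authority to display customer bank data' TYPE 'E'.
ENDIF.

* Step 4: plain Open SQL without CLIENT SPECIFIED, so the current client is enforced.
SELECT * FROM knbk INTO TABLE lt_bank WHERE (lv_where).

LOOP AT lt_bank INTO ls_bank.                " the account number (BANKN) is not shown
  WRITE: / ls_bank-kunnr, ls_bank-banks, ls_bank-bankl.
ENDLOOP.
```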
SAP ALL in 5 Minutes (Part 2)
DEMO
3. ABAP Security at the Process Level
Secure Development Process (SDP)
Diagram: Specification → Design → Implementation → Testing → Going Live, supported by Tools
The SDP Maturity Model
The SDP Maturity Model determines to what degree an organization applies Methods and (automated) Tools in order to ensure the Quality of its Development Process.
Phases: Specification, Design, Implementation, Testing, Going Live
• Ad-Hoc
  • Quality is a reactive Process
• Minimal
  • Basic Awareness for Quality, but only minimal Application of Tests
• Without Feedback
  • Established Process, but Feedback/Results not used in order to improve it
• Planned and controlled
  • Code-Quality is considered from the Beginning
  • There are sufficient Metrics in order to supervise the Process
  • The Process is enhanced whenever necessary
Challenges
• Management Support
  • Responsibility, Budget
• Dealing with Legacy Problems
  • What must be corrected, what is a residual Risk?
• Developer Acceptance of the Process
  • Tolerant Introduction Phase
  • Support for Mitigations
4. Practical ABAP Security
Internal ABAP Development
• Central Requirements for secure ABAP Development
• Security as Part of the Project
  • Time and Budget Planning
• Mandatory Training for all Developers
• Development Guidelines as Reference
• Peer-Reviews
• Internal Expert-Team for Questions
• Test Tools
• Regular Updates of all Information
• Manual Penetration Testing
External ABAP Development
• Central Requirements in the Call for Tenders
• General contractual Conditions (Liability etc.)
• Tests on all external Code
• Extensive manual Penetration Testing
Automated Tests
• Tool should have Focus on Security & Compliance
  • Potential Synergies in other Test Domains should be leveraged
• Data- and Control-Flow Analysis is important
  • Otherwise the False-Positive Rate will be high
• Performance and Scalability are important Factors
• How often is new Test-Content delivered?
• Explanations for Findings should be detailed and comprehensive
  • What is the Problem? How is it solved?
• Integration into the Development Landscape / Workbench
  • TMS, ChaRM, SE80, …
• Is SAP-specific Context considered?
  • Critical Tables, dangerous Kernel Calls, …
ABAP Security Resources
Organizations
• BIZEC – Business Security Initiative, http://www.bizec.org
Literature
• Sichere ABAP-Programmierung (SAP PRESS, 372 pages, 2009), Andreas Wiegenstein, Markus Schumacher, Sebastian Schinzel, Frederik Weidemann
• Handbuch SAP-Revision (SAP PRESS, 672 pages, 2011), Maxim Chuprunov
Questions?
VIRTUALFORGE GmbH
Andreas.Wiegenstein@virtualforge.de
Speyerer Straße 6
69115 Heidelberg
Germany
Phone: + 49 (0) 6221 86 89 0 - 0
Fax: + 49 (0) 6221 86 89 0 - 101