Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / GitHub Satellite 2020 - Work / 7 May 2020
GitHub / GitHub Satellite 2020 - Work / 7 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Stopping vulnerabilities at the source - GitHub Satellite 2020

Description

Presented by Grey Baker and Pavel Avgustinov, GitHub

Wouldn’t it be better if we could stop vulnerabilities from ever getting merged into our code base? By building security into our core workflows on GitHub and sharing the amazing knowledge of the combined global security community, we’re aiming to drastically reduce the number of vulnerabilities that get through your pull requests. In this session, we'll go deep into the CodeQL queries that help us find vulnerabilities across the source code, and how to create a query once you're aware of a new exploit, attack vector, or CVE.

GitHub Satellite: A community connected by code

On May 6th, we threw a free virtual event featuring developers working together on the world’s software, announcements from the GitHub team, and inspiring performances by artists who code.

More information: https://githubsatellite.com
Schedule: https://githubsatellite.com/schedule/

A

Let's hear from our friend mr. great Baker, you heard from him in the keynote he's gonna come back and talk to us more about stopping vulnerabilities at the source. We're also joining us is Pavel Augustine Oh breakfast that last night Pablo I love you his handle is p0 and always will be mocking zero, but they're gonna come and talk to us about stopping vulnerabilities at the source and I am so excited to have more information about this wonderful tool. Take it away. Pavel gray,.

A

You.

B

Pavel and I here to talk to you about stopping vulnerabilities at the source, so you've got me gray and PM for advanced security and I'm delighted to have Pavel here, he's a director of engineering at github and he's the co-creator of code, QL hi everyone, so we're gonna be talking me through the state of security to start with, and then I'm gonna talk to you about how code scanning works, how it can embed natively into github for you and then Parvez gonna talk a bit more about the queries underneath it and how code ql the underlying engine works.

B

So, let's get started. I'll power through this security stuff fast you saw net show this slide more coding is more problem. This is such a stubborn link between lines of code, written and security threats and what it says is we're not getting better we're not getting better at preventing security vulnerabilities from entering our applications, and there were a bunch of reasons for that. One of them is this security. Researchers are hopelessly outnumbered today for every security researcher, they're around 570 developers.

B

What hope do security researchers have giving timely analysis to prevent vulnerabilities the best that we can do with that kind of ratio is reactive, and then we hear a lot of talk about dev, sec, ops, but in so many organizations this is still an aspiration rather than an achievement. This graph shows you static analysis scans, the frequency of them for folks that are running static, analysis already and, as you can see, less than 10% of folks that are running security scans are doing so more than once a week and almost nobody is scanning every commit.

B

We haven't really embedded security into the developer workflow. We have better processes for security teams better tooling, but it's not being the responsibility of developers and when it's not the responsibility of developers, it's not something where we can really prevent vulnerabilities before they enter our applications and don't forget this was for applications that are actually using static analysis that are doing security scans at all. The vast majority of us don't have any kind of support, mated security to link running on our applications.

B

So what do we do about it? Well, we've built github code scanning to help and the idea is simple: it's that we introduce security review as an automated process. At the pull request.

B

This diagram shows the kind of age-old git flow where you branch off of master, you start making some commits, and then you submit a pull request and that pull request gets discussed.

B

There might be some motivations that are required more discussion, but eventually it ends up back on master automated code scanning insert automated security review at the pull request time and in every commit that you're making after that pull request as well, so that you can see whether or not any vulnerabilities you fit you've introduced have been fixed and it'll also allows you to run automated scans on your master branch on a periodic basis, so that you know that even if it's not due to new code you're up to date with the latest scans, all of like open source queries that are being created all the time you've got the latest security research running against your repository, so I'm going to show you a demo of that in action.

B

If you watch the keynote, you'll have seen some of this, but I'm going to demo a completely different vulnerability here. It's another case that code scanning can pick up and I'm going to talk you through some of the subtleties in the setup of code scanning.

B

So here we are. This demo is based on concourse and I'm, going to show just how easy it is to set up code scanning again. I said before it's just for clicks, so you scroll down click, set up code scanning on your Reaper and then we'll set up. We end, but I do want to call out the partnerships that github has and how code scanning is extensible everything we build at github.

B

We try to build extensively, we add api's for it and in this case we have the ability for partners to input into all of the interfaces that you're going to see with code scanning.

B

We have shift left and robocop integrations ready to go today, but we also have integrations coming soon from solar source from ankle for container scanning and from a number of other companies, and we have the integrations in the marketplace as well from a wasp's at the most popular desk tool in the world. Ok, let's click in to the code. Key well setup flow I saw through this in the keynote, but because we're in actions we've got complete control over when code scanning runs and we've also got the ability to customize it now.

B

In most cases, Kokoro will run straight out of the box with no customization required, but if you're using a built language like Java or perhaps C++ or C, you might need to customize the build steps in order to get code scanning working. It's nothing to argument arduous. It's exactly the same kind of customization you'd make to get your CI running and because we're in actions you can make all those changes straightforwardly- and you can see here. Code scanning supports, go JavaScript, c-sharp, Python, C, C++ and Java.

B

Okay. Let's get this committed and started running.

B

It's that easy and again code scanning is now me running on every push and on a schedule on this week and if I click across the actions tab there, it is running its first scan. We're not gonna wait for that. We don't have time so instead, I'm gonna show you the results once it's runs. This is the same repo. These would just run a little bit earlier and you can see the analysis ran took eight minutes in this case.

B

This is a big reaper and hounds three results, because this is a fork but an old fork of Concours and it's a vulnerable version. Concours had a vulnerability in 2019 that allowed for potentially well, it allowed you to inject data into the database. So this is an SQL injection vulnerability and it had that because it had unsafe, quoting so if you would have input, data and cocci well has picked up, because this is Jason. That's getting Marshall that this is almost certainly a user input.

B

If any of that had a single quote in it, then that could be used to escape.

B

The closing quotes in this database command and that's obviously extremely problematic. If you can escape a database command, you can do some sorts of nefarious things like dropping the date place. It's really bad, so the team responded to this quickly once it was disclosed, they patched it. It was issued a CVA. You know the majority of folks. Are you know, going to be running a safe version, particularly if you've got any of github z-- supply chain to learning such as dependable?

B

Not automated security fixes running you'll, get those fixes and be able to react very fast, but with code canning and code QL they could have prevented this from ever being introduced if those tools have been available now, I want to talk to you about the flow in the pool request when something isn't a vulnerability. Every security scanning tool has false positives as well as true positives, we're incredibly proud of the true positive rate on Kokua. In fact, we see less than 30% of the vulnerabilities that we flag are ever marked as false positives.

B

The other 70% get addressed in pull requests, but if you need to flag something say it's a vulnerability, but it's just in your test code, rather than in your production code. It's straightforward to do so. Code scanning is never going to get in your way. All you do is hit the pros and say used in Texas and as you'll see this pull request, which had a broken bill before now has poked you well passing, and this would be free too much if you're on a security team.

B

You'll want to see this, because, when we've marked that we haven't removed it in any way and if I click into that I can see an audit trail for this, which shows that I chose to close this as used in tests 22 seconds ago.

B

The idea is to make it easy for developers to get what they need done and for those that are cutting code every day to be that first line of defense, but for there'd always be an audit trail which be straightforward for you, as a security researcher, to make sure that your tooling is being used. The way it should and we're looking to introduce new policies around, but would mean only a security researcher can mark something else as a false positive. If you want to have that set up.

B

Okay, I showed you a vulnerability there, a real one in concourse that was patched in 2019, but I could have shown you any number of other demos which will some of these in the keynote, but they were even to list on slide.

B

All of these are serious. All of these were fixed. The maintainer for them did a fantastic job, but with Coke ul and with code scanning, they could have been prevented entirely and I hope is that we're going to reduce the number of CVS that we're seeing, because more of these things are going to be caught in pull requests and before they ever hit master and certainly before they released. I also talked a little bit about the co QL queries.

B

One of super powers of coke ul is that those queries are open source that allows contributors from the world's leading security teams and independent security researchers to be contributing to us the sum total of our knowledge of vulnerabilities and protecting the world's open source. It also allows an iterative approach to these queries, where false positives can be refined out and any true pod. The mist can be added in and to talk to you more about that process of writing code QL and refining it. We've got parvo as a co-creator of coqui.

B

Well, this gonna be a bit like learning guitar from Jimi Hendrix, but Pavel's promised me he's gonna go slow Pawel over to you.

C

Thanks very much great, that's quite the intro. That's you that you gave me there great presentation on the on the code scanning side and what we're trying to do with building this all into the developer. Workflow. What I thought I would do it show you a little bit behind the scenes. How do we actually get some of these vulnerabilities at ported best fun? How do we find them?

C

What's the security researchers workflow rather than a developers, so I'm going to base this on the Express project, which, as you can see, is an admin interface for MongoDB, it's built on top of node.js and Express with code QL. The general idea is that we treat the source code as data.

C

We allow you to write arbitrary queries over it and there is a large number of free packaged analysis building blocks that you can combine and use together in order to quickly express what you're interested in so here I am in Visual Studio code, as, as we said before, this is everything is live. So please bear with me if something breaks, I floated a database representing Express.

C

Now, if I'm, just starting to look at it, one of the things I would commonly focus on is how the application deals with network data, and we saw on the github repo page, but Express uses the Express framework. So as a starting point, we might actually write a query that uses the code, ql library models for express to show us all of the route handlers that are defined in the code base now a root end ler is essentially a JavaScript function which is registered with the framework and we'll process Network data.

C

So let's take a look at some of the examples. This is a fairly typical pattern, we're registering with Express this function. It takes the request, object and the response object and a bunch of other parameters and data from the URL which is potentially controlled by a malicious attacker is presented to the JavaScript code. For example, like this dot, query exposes the querystring of the URL and I might have been tricked into tricked into clicking a particular URL by an attacker.

C

So what can we do with all that? I think the the most interesting question when we're looking at network data, an application is: where does it flow and how is it used?

C

What could an attacker do to subvert my expectations as the developer by providing especially crafted in the interest of time a little bit I'm going to literally go to other data flow cheat sheet, which is one of the pages on the learning code qlae website and I'm going to copy this template query for doing taint tracking faith tracking is a common type of analysis, where we want to explore how data propagates in an application- and so here the full details aren't terribly important.

C

But what I do want to draw your attention to is that I simply have to fill in to essentially blank spaces in the templates. The first one indicates what the sources of tainted data are for my particular analysis, and the second will say what other syncs, where do I want the tative data to not get now. I already told you what my sources are going to be I'm, looking for essentially a code that does something like this record query.

C

Dot user would read the query property of the request, object and then take the user parameter of the HTTP request. How do we phrase this in code ql'? Well, there are many ways inevitably, but one example is that I can look for parameter nodes on which we read the property and the property that we read is called query I'm just going to make this window a little bit. No! Well now that's for the sink. This is kind of where a little bit of creativity comes into it.

C

Depending on how we define this, we might find places where the network data reaches a sequel query and allows the database compromise a sequel injection or we might find places where it reaches the HTML body of the output documents and give us cross-site scripting in exploration mode.

C

Maybe I don't want to pin myself down already I want to kind of audit lots of interesting places where the application does something unfamiliar with the network data, and so what I'm going to to look for this cases where the network data is passed as an argument to an invoke note, that's what you call something in JavaScript, but just then it's going to give you very many results.

C

Actually I'm going to narrow it down further I'm, going to say I'm looking for places where you call a function that is not defined in the current project, so either it's a built in like eval or it's from a dependency, and so we in order to understand whether it's risky. We need to understand what the dependency is doing.

C

The way that I would do that method, I, would say, not exists and get that call me so we're looking for an invoke note for which we don't know what it's calling it's going to quickly format this, to give us a better view on it, and that's it I'm, going to run this query and note that I haven't yet specifically restricted the results. To definitely be vulnerabilities, this is very much an exploratory query and I'm going to have to apply my judgment to see which results are interesting and which are not.

C

This is a fairly common pattern when you are first getting to know a particular project or codebase, and it's very helpful to be able to quickly zoom in on the places where network data is handled. In this case, we see 17 results being reported. So let's actually take a look at some of here.

C

We have indeed a read from the query string of the projection parameter, and the analysis tells me that it ends up as an argument here. You can actually see how it happens on this very screen. We assign it to the JSON projection variable, and this variable is then interpolated into this string and concatenate it with some URL computed by another function before being passed. To result redirect- and this is actually the Express API for redirecting the response to another page so a priori. This could already be an open, redirect vulnerability, but actually we're safe.

C

It was safe because there is a question mark before the network data is added to the URL and so at best we're going to be able to control the parameters. Okay, so far, so good, let's hold it some of the others. So you can see there are actually six rows that refer to this particular URL construction and that's because there are six different parts of the query string that can end up there. It's the skip or key or value or type parameter, and so on. So all of these seem okay.

C

Let's take a look at this one here. This query string is derived from this string. Rather it's derived from the network data and is passed to the m dot run in new context. This is this: if you're familiar yeah, I actually a function that will take a piece of string as evaluated this javascript. So if this is true, that's actually a code injection vulnerability. Where does it come from well over here? Yes, it's a read of part of the request, but it's a fairly it's a completely different file.

C

It's unclear how the data might get there, except that the Coquille analysis has shown us its reasoning by giving us the path here. So we assign the query to a variable called JSON query. Pass it to this function called to safe B's on in that function. We pass it to another function in this function.

C

We do several string replacements, which don't actually do anything to protect us from a code injection, and here we are passing it to node.js, so you can see how starting from almost nothing I was able to quickly zoom in on the places of interest in this codebase and inspect how the network data is used.

C

Of course, the good news is, you don't have to do this every time there are hundreds of open source queries that have been contributed to the coat closet area and, of course, code injection is in fact one of them, so you can see that I could, if instead run this out-of-the-box query to find this vulnerability, and in fact this finds a few more interesting results, including cases where the dates that comes from the body of the request.

C

So that's HTTP POST a similar, so the the analysis model understands enough about the Express API to show us this. Well, let's quickly report this to the project. Well, of course, I wouldn't be showing this to you. If it really was a zero date, if we go to the Security tab and look at the security advisories.

C

In fact, this is exactly the CVE that is listed there, that we discovered it has been patched in a recent version of Romeo Express and, what's worth noting, is that was discovered by Jonathan light show of the gradle security team by perusing the results of code QL analysis.

C

So hopefully it gives you an overview of how you might approach building up a code, QL query from scratch and exploring what's possible if I've piqued your interest. I would like to draw your attention to the workshops tomorrow. There are two workshops organized by the security lab at github that teach you how to find security vulnerabilities in Java code and in JavaScript code, essentially from scratch. Please join us there and thank you very much for your attention.

A

You so much pollen grade that was awesome. Hearing about all the code scanning. You know lots of love for code QL, but you know we just love it so much. My favorite part was four clicks to set up, you know, being a lazy engineer or as I like to call it an efficient engineer. That's probably you know my favorite setup of all this. So where can folks go ask more Martin.

D

If you want to go, ask more, if you come along Caleb satellite comm, slash discussions, you can ask questions, answers we're gonna speed along now. So if we just say goodbye to Pavel and gray, they're gonna be heading into the discussion so see you later champs.