RASP: technical implementation and product introduction

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how RASP is implemented technically and introduces the related products. Xiaobian shares it with you as a reference, and hopes you will have some understanding of the relevant knowledge after reading it.

Since Gartner identified RASP as a key trend in the application space in 2014, Internet enterprises have increasingly recognized it as a robust solution now that boundaries are blurring. Readers need to realize that RASP and WAF are not products of the same dimension. The property that "security technology can be built into the application itself or its runtime environment" can provide:

1. Real-time hot patching of the application: when a vulnerability appears there is no need to modify the source code; the agent program is modified to add protection code.

2. Blocking vulnerabilities at the root: rule bypasses are no longer a concern. RASP analyzes directly at the execution level whether sensitive functions are called, and blocks 0-days with a detection model based on the call stack inside the application.

3. Full-lifecycle monitoring of the application, with audit and log collection functions that support availability and non-repudiation.

4. Flexible integration with SIEM tools, taking advantage of the agent's flexibility.

The disadvantages are increased performance overhead, reduced application stability, no knowledge of the upper-layer business, and deployments that mostly monitor and record, with blocking mode rarely used.

Products

In China there is Baidu's open-source OpenRASP, which supports Java containers (a PHP version will be launched in the future). It provides attack detection, CVE vulnerability coverage, server security baseline checks and SIEM plug-in support. Another, older project, javaopenrasp, was released at KCon and does not seem to have been updated recently. The commercial product is oneasp, released by Lanhai Xuntong; its official website cannot be opened. Abroad: HP: HP Application Defender, WARATEK: ApplicationSecurity for Java, OWASP: AppSensor, Shandowd: Shadowd, Prevoty: Prevoty Runtime Application Security.

Technical implementation

The PHP RASP scheme uses an extension module to judge and block malicious function behavior and the context content that match a rule. Java's technical solutions are relatively mature and include direct modification of the JVM (the Waratek product) and use of the JVM programming interface (the JVM Tool Interface). JDK 1.5 provides JVM TI. The agent is attached by passing the -javaagent: parameter when the JVM starts, so that it runs before the program's main method. An agent written with the java.lang.instrument package can then operate dynamically on Java classes in premain mode. The agentmain approach in JDK 1.6 provides dynamic instrumentation and native-code instrumentation for a virtual machine after startup.

In terms of technical implementation, the agent generally attaches to the program in premain mode and implements the transform method of the ClassFileTransformer interface.

The test cases are as follows:

You can see that the distinctive technical features of RASP are:

1. VM information can be obtained through inst.

2. The agent and the main program use the same classloader; if the program uses a custom loader, the agent needs to be adapted to it.

3. The ProtectionDomain of the class stays the same, so permissions can be neither raised nor lowered.

4. The manipulated bytecode of the class is returned to the JVM for execution, which can be implemented with ASM or Javassist.

The next step is to implement specific adapters and filters that provide the business-level operations and functions, which are not covered here. Known protections that have simple implementations include:

SQL injection, CSRF, XSS, SSRF, arbitrary file read and download, arbitrary file deletion, executable file upload, and command execution (OS injection, Struts2 command execution, deserialization).

After the code is compiled, configure Premain-Class as the agent class name in the MF (manifest) file, and enable agent monitoring by setting -javaagent.
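
The premain and transform flow and the manifest setup described above, as an added example that is not the article's own test case or code from any of the products listed. The class name DemoRaspAgent, the jar name and the watch list are assumptions; the transformer only reports the hook points and leaves the bytecode unchanged.

```java
// Added example, not the article's code. Package into a jar whose MANIFEST.MF has
//   Premain-Class: DemoRaspAgent
//   Can-Retransform-Classes: true
// then start the target with: java -javaagent:demo-rasp-agent.jar -jar app.jar
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.List;

public class DemoRaspAgent implements ClassFileTransformer {
    // Assumed watch list: JDK classes behind command execution and
    // deserialization, in the slash-separated form transform() receives.
    static final List<String> WATCHED = Arrays.asList(
            "java/lang/ProcessBuilder", "java/io/ObjectInputStream");

    public static void premain(String agentArgs, Instrumentation inst) throws Exception {
        boolean canRetransform = inst.isRetransformClassesSupported();
        System.err.println("[agent] loader=" + DemoRaspAgent.class.getClassLoader()
                + " loadedClasses=" + inst.getAllLoadedClasses().length
                + " canRetransform=" + canRetransform);
        inst.addTransformer(new DemoRaspAgent(), canRetransform);
        if (!canRetransform) return;
        // Core classes loaded before premain never pass through transform()
        // on their own, so watched ones are retransformed explicitly.
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (WATCHED.contains(c.getName().replace('.', '/')) && inst.isModifiableClass(c)) {
                inst.retransformClasses(c);
            }
        }
    }

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> classBeingRedefined,
                            ProtectionDomain domain, byte[] classfileBuffer) {
        try {
            // className can be null for generated classes; returning null keeps the bytecode as is
            if (className == null || !WATCHED.contains(className)) return null;
            System.err.println("[agent] hook point " + className
                    + " loader=" + (loader == null ? "bootstrap" : loader.toString())
                    + " codeSource=" + (domain == null ? "none" : domain.getCodeSource())
                    + " retransform=" + (classBeingRedefined != null)
                    + " bytes=" + classfileBuffer.length);
            return null; // an ASM or Javassist rewrite of classfileBuffer would be returned here
        } catch (Throwable t) {
            return null; // a failure in the agent must never break class loading in the application
        }
    }
}
```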

Generally speaking, judged on engineering and systematization capability, current middleware RASP implementations are still overhyped: the technology is not complex, rules remain the core of development, and at the current stage RASP cannot achieve "adaptive" prediction, prevention, monitoring and response, although this is the focus of its later development.
