For the last couple of months I've been playing with different SAST tools. I'm playing with SAST tools because part of my job, and part of my actual interest, is how to secure code in the best way, and doing so we always start by playing with SAST. After SAST there are much more, IAST and DAST, but this talk will focus on static tools, and I tend to play with them and abuse them in different ways, and I will show you how.

So who am I? I'm Rotem, nice to meet you. I'm the head of marketplace at Cider Security, it's a start-up I joined a few months ago. But more important, I'm a bug bounty researcher. I play with lots of different programs over the years and I'm a cyber paradigm for the last 20 years now. So I started my InfoSec career 20 years ago and I'm just playing around with different, from application testing to infrastructure testing to developing different SAST tools, and now playing and abusing SAST tools, and I will show you what I've done.

So first of all, who is my target audience? So I'm targeting different types of people, and I think this will interest also security engineers who want to fix problems and to tell other people where they have gone wrong. I'm targeting DevOps people because they are in charge of large-scale deployments, and every day we have more and more automation and more automated deployments going out every day. SAST builders, of course, it's different, this talk is about SAST. So I'm targeting you guys, and a bit of bad guys, people who have decided to harm other people for a living. I hope none are in the audience here, but if you are, please go to the good side and start helping people.

So a bit about what I will be talking about: it's SAST, how it works. I'm going to give a brief intro about how everything works and why I started this research. I will show a bit the hacking and what I've done, and I will wrap up with different conclusions and what is the impact of all of this.

So SAST 101. What is SAST? SAST is static application security testing.
This means that we are testing applications in a static manner. So I went to Wikipedia, and Wikipedia says it very easy, that static program analysis is the analysis of computer software that is performed without actually executing any programs. So this is very important, because static analysis can happen on different targets with different types of trust, and we don't want to execute any programs. Let's say we have different fuzzers that do execute programs in sandbox environments, but SAST is supposed not to execute nothing.

So why do we run SAST? The first thing is to stop bad security practices. We want to make sure that nobody inserts bad code into our organization. We want to prevent infrastructure mistakes, and now we have lots of infrastructure as code. We want to assess code, so if we have like a big security test, sometimes I will run a bunch of SAST tools to check the code. And I want to create standardization and consistency across lots of codes. So let's say we want to say there's no evil in our code. We can create a rule "no evil" and we run it and it would be standardized.

So why SAST? We have different pros and cons. But the pros: it's very fast. It can run on code. Different SAST have different times, but it's much faster than DAST and much faster than other fuzzing and IAST solutions. It's safe, it doesn't execute any code. And it's easy. We can run on the code. We usually don't need any other resources. Sometimes we have imports and stuff like that, but usually it's inside the same code base and we don't need external resources for it. About the cons, we have lots of false positives. Like, SAST can do as much as looking at the code, but it doesn't know what's the logic and it doesn't know how it is used. It's very hard to track flow control, so if you have lots of complex flows, SAST will be a nightmare over here. But not why SAST, but how do they work? How do the scanners work exactly?
So first of all the scanners take the code, they parse the code and they look for different, let's say JavaScript, so they look for JavaScript files, and then they start converting these JavaScript text files into AST structures. AST is a structure of how to template code in a way we can process it later. So after we create this AST, and I will show you later how it looks like, we start processing it. When we process the code we just look for, in basic, we have different rules and different findings we want to look for, so complex SAST, we have flow control analysis and we start looking for sources and sinks. But then we have all the results and we create a result-based SAST, usually today we have SARIF, it's a very fun format that lots of tools are starting to adopt, and we are working with this and we are creating the results so other systems can consume them.

Let's take an example. If we have a log 1 plus 2 times 3, it's a very simple function that does an arithmetic expression, and how does it look like in AST?
So first of all, if we look at the binary of the tree, so we see the program, it's calling the expression, the call expression is log, it has a plus expression, and then there's a split, like 1, and because times is before plus, this is basic math, so we have a split over there, and then there's the 2 and 3. Sometimes these ASTs are by ANTLR, it's like destructuring tokenizer language, or by other means, it doesn't matter how it's created, but then it creates this tree. From this tree we can create a JSON or XML or however we want to represent it, but we are creating the data that we can start looking up on it. So let's say we have here a call expression, and then again with a callee and arguments, and you can see the binary expression, so now we can start working the tree and start understanding what's happening over here.

If we take a basic rule, let's say we want that if this is a call expression and we have a log and the length is above 0, we have arguments, then we can say there's a log function with more than one argument. It can get complex, we can have more, very flow control and very complex architectures, so let's say we have this if and then, and all this goes into a variable we call source, and we tag it as a source, and then we create another argument, another lookup for sinks, and if we're using Neo4j or some other graph database we can start connecting sinks and sources and seeing the whole trace, and then if there's a trace we can report a finding. So it can get very complex and very fast, and this is why, but still it's very functional, it's very static, there's no, we never execute the code. So as Wikipedia said, it really doesn't execute the code, we don't have any execution over here, and we are all good to go, and we can start using the SAST to assess even the most malicious programs in malicious code areas.

So my hypothesis and my question was: what if I could write code that would intentionally abuse a scanner when scanned, when statically scanned? So this means, can I create a method or a way
with these areas to do, to change the behavior of the scanner, to abuse it or change it? So I looked up at different previous researchers, and we had in the past, there was a Checkov remote code execution. It was fixed in Checkov 2. When they created it, someone could create a malicious Terraform file, and with this Terraform file it could execute code inside Checkov, and when executing the code it had access to the whole environment of where it was executed. And there was a very simple workaround: do not run Checkov on Terraform files from untrusted sources or pull requests. But I want to run Checkov on untrusted sources, this is why I'm doing it, so it's a bit of a mix. So they fixed it, now I feel I'm OK and I can run Checkov again.

But I was playing with Kibit, it was a linter, but you can use it also as a SAST. It's a Clojure linter that you can use also as a SAST tool and create different types of rules, and I will expand about it a bit later, but I opened a bug about it, that it actually evaluates code. I will show you exactly what it does and how it does it, but in the comment I talked with the guy over there and they said, OK, but this is how the scanner works and we have nothing to do about it, maybe add documentation.

So I'm looking at Terraform, and Terraform is actually, it's not a SAST. I know SAST scanners like Snyk or Terrascan that do rely on the Terraform plan. So one of the recommendations inside CI/CD environments is, before running like Snyk IaC, to create a TF plan, and they show here in the documentation: run terraform plan and then terraform show. We have Terraform, Terraform has a plan and then apply, and in the apply it does actually do stuff with the environment and executes code, but the plan shouldn't do anything malicious. But then we had Hiroki Suezawa, he's someone I talked with in one of the cloud forums, and he pointed out that actually Terraform plan can run code. You can create a Terraform provider exec and you can run code with it, so if you're running any SAST that is relying on
Terraform plan, and you're doing Terraform plan as a step before the SAST, then you should know that someone can create a provider, and you can create even an unofficial provider that it will download from my HTTP server and execute. So you can see also Alex Kaskasoli has created a very nice blog about it, but this is out there.

So a bit of hacking time, and now we are coming into the fun stuff, but first I want to have a small disclaimer. I believe in open source and I think that it makes the world secure and it makes our life easier with open source, but we need to use it responsibly, because open source is not a full-blown commercial tool. It didn't have the years of development and lots of clients, maybe it did have lots of clients, but it doesn't have enough resources to always be at the best security maturity level, and we need to understand this, because when we use open source, and I believe in using it, but we need to make sure that we run it and we treat it as something that is not like, is not fully baked, or is not like, some are more mature, some are less mature, and we have to know about these areas. And one of the parts of my mission and what I want to do is to make sure that it will be safer and safer to use open source in companies and in real life, but for starters we have to make sure that we are running in a safe environment and that everything is configured and we know how to configure it properly. So that's about that.

But my experiment. So my experiment is very simple. I looked at different scanners, scanners I collected through my experience, and then I started looking at how they will execute, what can I do with them, and I created different kinds of evil files. What is evil files, I will show you in the experiments now, but I am adding these evil files to the repo, I am letting the environment clone the repo, and I am assuming the scanner will work in the same working directory as the repo cloned. Now this is an assumption based on different levels of knowledge in companies
and they saw in lots of places, so they are running inside the same working directory as the repo and scanning themselves, scanning the repo itself, then executing the scanner, and they want to see what is the outcome, what can I do.

So experiment number one: Checkov. Before, we had the RCE on Checkov, and this is why I started looking at it. And I started looking, and in the documentation Checkov is actually running against, you can run it against the directory, against the working directory, the same working directory or the home directory, and when you are running it against the directory it looks for a .checkov.yml file to load it as a config file. And this is interesting, because it is actually how you need to work with Checkov or with other SAST tools. The SAST tools assume there are different changes and different types of levels of maturity inside the code, and developers are able to skip rules and optimize each repo according to what they want to do. But this means that also, if I will take a repo, I will scan it, and I added the Checkov YML file into the repo, I can say check none, I can give it a check none file, and what will happen is that Checkov will pick the configuration up if there is no forced configuration. It's a big if; most places I saw don't have forced configuration. So it will actually not scan the code, it will give you everything is OK. And this is, in a philosophical way, a question if this is how we should run code, because we are giving the developer lots of permission and lots of ability to configure properly what he wants to do, but at the same time we are giving him the permission to do nothing, to say just skip it, let's bypass security altogether and just leave me alone. This is a good question about how, what, as a security team, I should do.

But let's look at a demo, and here we took TerraGoat. TerraGoat is a, let's see, we can see it here, first thing doesn't work, but we took TerraGoat. TerraGoat is a repo that has lots of problems for
Checkov, and you can see we have lots of failed checks, and then the echo, this is a very important thing, the return code is 1. 1 means there was a problem, and if it was in a CI/CD environment it would fail the build. Now I am echoing again the same thing, but I am adding the bypass checks into .checkov.yml and running Checkov again: nothing, everything is good, there are no errors, no nothing, the error code is 0, everything is awesome. So this means, very simple, adding of the rule, adding of this file, we bypassed the whole scanner configuration.

So after we saw what we can do with Checkov, I looked into different other tools, and they all, as I say, by definition, or not all, but lots of them, give you the same configuration. They have a different configuration file, you can create it and then bypass or create different rules, and we can see here PHPStan and tfsec and KICS and Bandit and Brakeman and Checkov and Semgrep, and I am sure there are more that I didn't check. We have the different configuration, and if you put this different configuration and tell them bypass all rules, they will bypass all the rules. And you can see there are so many stars on these scanners, I think it's about 12, 15, we have 25, we have lots of GitHub stars over here, it's GitHub stars that we are looking at.

But before we want more, I want to emphasize and talk about the scanner hijacking. So when we were done, we were able to alter the source code in a manner that we were able to manipulate and abuse how the scanner works, the scanner behavior itself. So if someone adds a file inside the repo and I am running it, I am able to tell him now everything is OK, just skip security. And we know that we can do it, and sometimes we don't know about it, we don't have the proper visibility if someone really did it. I don't look at all the files out there in my 1,000 people inside my organization and start looking, did someone manipulate and abuse and bypass my scanners? This is not what I am doing, and the scanners
don't tell you, please check this. So it's a good place to think about and understand what we want to do with this for the future.

But let's go, this is DEF CON, so I am going into experiment number 2, it is much more interesting. So I continued to look inside Checkov and I saw the external checks dir. Now, there is a directory for custom checks to be loaded. I like custom checks, because custom checks means code. So looking at the different, what I can do, so again I created a repo that I can clone it, scan it, it has .checkov.yml inside, I load the configuration, and inside I tell it go to external checks, or inside the directory checks. Now, I control the clone, I control the repo, so I created a directory with checks, with my __init__.py, and then inside I can create any Python file I want and it will load it. Like, when Checkov will scan, it will first load my files and execute them. So now not only am I able to bypass the configuration, I am actually able to execute code inside the environment the scanner is running.

And let's see a demo about this, if we have any demos. So I created here, like, I have my pipeline that is waiting for an event, I have an RCE file over here, and I created that .checkov.yml file with different runnals. Inside the runnals it just creates, it calls the rce.sh with Checkov. rce.sh just sends something to my pipeline, so what do you get, I don't remember, and as you see, at the moment I ran Checkov I see a POST, I got something from Checkov. I even see it had a pycache, it compiled my files, I saw it did stuff, so it's actually pretty cool. Now with this command execution I can execute, I can access environment variables, I can access different networks, I am actually running as the files themselves. So what's important.

Experiment number 3. Now, I talked about Kibit before, about Clojure. Clojure is a very interesting language, it's very, very dynamic and very fun, and this is a bit of the source code of Kibit. There's a read-file, and this is how it reads the files themselves, the
source code. It uses a function called read. Now, we have a warning inside the Clojure source code that you should not use clojure.core/read or read-string, which is weird, because every developer, junior developer, will try to read-string and read data from untrusted sources. So this means that the question is why, like you may be asking, why is this warning? What read actually does is it reads Clojure code and evaluates it, and in Clojure we have something called, like, a self-evaluating form, I will get to it in the later slide. But this is Kibit. Kibit is a static code analyzer, it takes some code, and when you run it, you run it with lein usually, lein is like the npm of Clojure, and you run it with lein and it tells you this is a problem, consider using when instead of if. But then if you use a self-evaluating form, that's #= something, this will actually run if you run it through the read function. So I created again, I load different libraries, because Clojure is very dynamic, I can load anything I want, and I did println to a shell to run again the same RCE Kibit, and then shutdown-agents just to exit nicely. So I run it, lein kibit, running code, and then I see the exit code, exit 1, out: success. I'm able to run my code.

Experiment number 4. So we see we have preprocessing. So RuboCop, for instance, has a configuration file that is very cool and very dynamic, and so dynamic, when it sees ERB templating it executes it. So, and I saw the documentation, let's do git status, so I just did run RCE RuboCop, exit, it worked. So the moment I load RuboCop it looks for .rubocop.yml, executes my code and exits. Great success.

Experiment number 5, and this is a bit different than the others, because I didn't find in PMD any way to have a configuration file, but it looks for so many environment variables, and one of the environment variables is the JAVA_OPTS, so you can tell it what options to give Java when running PMD. So I told them, use jar, use my jar instead of your jar, and just, you can run an
evil jar and prox, and you can load another jar. But the question is, how can I tell it the environment variable? So in some CI environments or in some areas, I know even, I know my zsh, you can create a plugin that if you see a .env file, load it automatically, and so if I also submit a .env file, sometimes it will load the environment variables before running the scanner. So it's a good way to do stuff. Where I played with it, some did; some areas I was able to put a .env file and load the different environment variables, and they executed my code.

So if I'm concluding, and I have much more scanners in the pipeline to check, and I have different areas, but this is a bit about the stuff that I talked about. We have Checkov through the configuration file, we have Kibit through code, I can create code that will execute, I have PMD and cdxgen and dep-scan, I didn't talk about them but same thing with environment variables, and I have more. Every time someone shows me now a static, I'm checking what's the configuration file, does it have some kind of loading of the rules, and more and more every day I'm finding more and more.

So what Wikipedia says is correct, it doesn't actually execute the program, of the static program, but it does execute programs. So I am able to execute programs through different, we can call, side channels, from the configuration or from other methods of the scanners themselves to be dynamic. But except Kibit, that does execute programs, so anomaly, but all the others are really through the ecosystem, the framework that we are using. So I'm saying, like, your code will probably be able to execute other programs, and this is something we need to understand and know and live with.

So the big question is, what is the impact? If I'm looking at the impact and I'm trying to look at what it can do to my environment, then I need to understand where I'm running it. So I can run static analysis on developer machines, usually, except if someone will do a git clone from untrusted sources and
just load it into his IDE or some other areas, and the security automatically analyzes it, or he decides to analyze it. This is a risk for the researchers: if I want to scan untrusted code, how do I do it? Because SAST may execute code and I don't want to execute code on my computer.

But my environment, and what I'm researching mainly in the last couple of months, is the CI/CD. So inside the CI/CD, how does it work? First of all, developers commit and push to development branches. When you commit and push, lots of systems do CI checks on every push, and they do it in their internal cloud or in Jenkins or in other CI environments, but they run different types of testing, security testing, on the code, so we make sure that the code will be inserted into production. But maybe we can attack these systems themselves. The next place is the pull request. We have, on every pull request, and this is the request "I want to merge this code into production", we are doing lots of checks, and lots of checks usually are also done against the production environment or against production environments that have real credentials into areas. And lastly we have merge into production. So the merge into production, we can merge from people that by mistake or by intention push directly into the master branch, and through the pull request, but the same, we have to have the CI checks, and then we need CD deployments to deployment. This gets tricky, because sometimes companies forget to separate between the checks and the deployments, or give too much permissions to the checks.

The implications over here: first of all, I can extract sensitive data. We had different attacks in the last couple of months that, running code inside our CI/CD environment, extracted sensitive data, like environment variables and different AWS keys and different, even code, and sent them back home. If you have access to the internet, it's problematic. You can bypass protections. Let's say we don't even have command execution but we do have the configuration
bypass, we can create like a policy to bypass the code, to say skip security, I don't need them, I don't want them, they're just making it harder for me to deploy into production. We can infiltrate the network, we can go into, use this as a stepping stone inside the network itself. Lots of red teams I've done, I played with, from one place inside the internal network and mapping, you can start going out, SNMP, you can do lots of stuff into other areas, maybe it's connected. And the last, but most important: maybe you can deploy assets to production, you can skip the CI checks, you can force deployment through the CI, and this is problematic.

Assume code will execute. This is my assumption, and we need to put around this code as much guards and lasers and boxes and sandboxes and different areas we can, that eventually someone will find a way to execute code, if it's from a very small open source SAST to a very large commercial SAST or some other things, let's say code coverage tools, I don't know, someone can hack a code coverage tool, can be awesome. We assume the code will execute, and if the code executes we need to be prepared to make sure that nobody, that it can't do nothing, and we know about it.

A bit about, before I showed the work for the CI/CD workflow, but in this attack flow I can add code execution to a scanner configuration file, we can push new commits into the branch and then create a PR request. This is, every user inside the organization can do it, sometimes we can do it from the outside even, let's say in GitHub from a fork. Actually GitHub fixed this problem, or made it much harder, because now today new committers don't execute the workflow automatically, and this is, lots of attacks I've tried got stopped in this area, but other areas are less mature and do execute code if you push it to a branch or to a PR. But then when the repo will be scanned by a scanner in the PR, it will execute. This execution has access to our network, and sometimes also it's the same network and same environment
variables that the deployments and the CD deployments have. We can also just skip the whole check and tell the scanner all is good and continue on into production, even though we introduce very bad code practices, backdoors, or whatever we want.

A bit about high-level possible resolutions. I don't want to go into much, you can just print screen this, but the network: protect it, deny filters, deny access to the outside, isolate only what you need. Inside the host, the same: create containers and pods and run everything in the least privilege permissions. Verify everything is deleted. Sometimes if you have a pod that is running for 10 hours, maybe it's a crypto mining, maybe it's, just monitor everything, just monitor everything that you can do and look for malicious activity. We need to understand the risks on running unverified code inside our laptop and inside our CI/CD environments. We need to educate ourselves, educate the organization, educate our DevOps, and what's the best and how to do it properly. Do red teams on the CI/CD. We want to verify the tools we are running are good, but we don't have enough resources to do it, so we need to create a framework to check how we can ensure that the execution is running in the most secure way. Just ensure that your scanners aren't doing any malicious stuff. Try to stick to SAST, to static, and deny any execution possible if you can. Make sure configuration is really picked up by your configuration, hard code the configuration. Lots of tools have an option to hard code the configuration to something specific, so it won't pick up the default configuration files. Also environment variables, unset them if you don't need them. And the list goes on and on.

I think that security needs are getting bigger and bigger every day, it's not only I think, I see it, like I see it, and we are getting into massive automation, we're going into DevOps, deploying different production features every minute, seconds even, and we have to be proactive and understand the next generation of attackers and
how they will abuse our infrastructure, our automations, how they will attack us from side channels, from internally, abusing our, just abusing all our automation that we are doing in order to make our lives easier and secure. It's also other static code analysis tools, it's not only security, it's also linters, it's also code coverage, it's testing frameworks. We have much more automations coming on. We need to deep dive and understand the different SAST scanners. We want to analyze wrappers, let's say we have GitHub Actions, I didn't talk about it over here, but different GitHub Actions or wrapping, or orbs, wrapping all the scanners and making it more difficult to add configuration files, to add, it's more difficult to check if there is a configuration file or to run it securely. We need to analyze them. We need to create a standard for securely working with code analysis tools of any kind. I would want a standard not only for the output but also for the input: how am I running security code tools? Maybe do a SAST for executing security tools, I don't know, it's a bit meta, but we have much more to do.

So first of all I want to thank you guys for coming to my presentation, and I want to thank all the open source developers out there for creating the awesome tools they are developing, tons of work, and we have millions, thousands of companies working with these tools, and you are helping them in so many ways. I created a bit of a POC of what I talked about, CICD lamb, you can check it out over here. This POC is running, is, when scanned with different scan tools, it's time to execute them. You can just pick it up, try to use it, don't attack nobody, just do it for research purposes and start to understand how can you run it better. I started creating a community, I called it security tools DEF CON, this link code goes to a Slack, and I want to start connecting between all the open source developers out there and, I don't know, anyone else that wants to join and start thinking about how can we standardize our
tools, how can we create better documentation and better ways to make sure that when people are running our tools they are doing it in the most secure way. So I want to raise awareness about this. You can ping me up on the Twitter, you can ping me up on the Slack, I will be in DEF CON, I will be going around, just send me a message, hey, let's meet, I have an idea, I want to talk. I will be happy to talk with you and have a beer, go to a party, just hang around. Thanks again, and we'll see you at DEF CON.
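
Added example, not part of the talk or the speaker's code: a pre-scan guard a CI job could run on a freshly cloned repo, before any scanner starts, to surface the repo-supplied inputs the talk describes (a Checkov config that changes or loads checks, ERB in `.rubocop.yml`, Clojure `#=` reader-eval forms, and a `.env` that sets Java options). The rule names and function names are hypothetical, the Checkov keys are assumed to mirror its CLI flag names, and `JAVA_OPTS` is an assumed spelling of the variable mentioned for PMD.

```python
"""Pre-scan guard: flag repo files that can steer or run code inside a scanner."""
import os
import re
import tempfile

CHECKOV_CONFIGS = {".checkov.yml", ".checkov.yaml"}
# Assumed config keys (same names as the CLI flags) that alter what Checkov runs.
CHECKOV_RISKY_KEYS = {"check", "skip-check", "soft-fail", "external-checks-dir"}
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z0-9_-]+)\s*:")
ERB_TAG = re.compile(r"<%")                 # ERB is evaluated when the config loads
READER_EVAL = re.compile(r"#=\s*\(")        # Clojure reader-eval form
ENV_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=")
CLOJURE_EXT = (".clj", ".cljs", ".cljc")


def _read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_file(path):
    """Return a list of rule hits for one file (empty list if nothing matched)."""
    name = os.path.basename(path)
    hits = []
    if name in CHECKOV_CONFIGS:
        hits.append("checkov-config")       # any repo-supplied config needs review
        for line in _read(path).splitlines():
            m = TOP_LEVEL_KEY.match(line)
            if m and m.group(1) in CHECKOV_RISKY_KEYS:
                hits.append("checkov-key:" + m.group(1))
    elif name == ".rubocop.yml":
        if ERB_TAG.search(_read(path)):
            hits.append("rubocop-erb")
    elif name.endswith(CLOJURE_EXT):
        if READER_EVAL.search(_read(path)):
            hits.append("clojure-reader-eval")
    elif name == ".env" or name.startswith(".env."):
        for line in _read(path).splitlines():
            m = ENV_ASSIGN.match(line)
            if m and "JAVA_OPTS" in m.group(1):
                hits.append("env-java-opts:" + m.group(1))
    return hits


def audit_repo(root):
    """Walk a cloned repo and map relative path -> rule hits."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            hits = audit_file(path)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = hits
    return report


def demo():
    """Build a constructed sample repo (harmless contents) and audit it."""
    sample = {
        ".checkov.yml": "check:\n  - NONE\nexternal-checks-dir:\n  - checks\n",
        ".rubocop.yml": "AllCops:\n  NewCops: <%= 'enable' %>\n",
        "src/core.clj": "(ns demo.core)\n(def three #=(+ 1 2))\n",
        ".env": "APP_ENV=dev\nexport JAVA_OPTS=-Xmx64m\n",
        "main.tf": 'resource "null_resource" "x" {}\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_repo(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, "->", ", ".join(hits))
```

A non-empty report is a reason to stop the job or require review, and it complements, rather than replaces, pinning the scanner's configuration to a path outside the repo and running it in an isolated, least-privilege environment.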