
Add Reflection Injection support #6622

Merged: jandro996 merged 18 commits into master from alejandro.gonzalez/reflection_injection on Feb 16, 2024

Conversation

@jandro996 (Member) commented Feb 6, 2024

What Does This Do

This is a first version to be able to detect the Reflection Injection vulnerability.

  • Add new REFLECTION_INJECTION vulnerability
  • Reflection injection module
  • java.lang.Class callsite instrumentation (forName, getMethod, getDeclaredMethod)

Motivation

Add basic Reflection Injection support

Additional Notes

There are more sink points to cover; we decided to do it in another PR.

Jira ticket: APPSEC-17150
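As an added illustration (not code from this PR or from dd-trace-java), the sink shape the new module instruments, with request input flowing into Class.forName/getMethod, beside a hardened dispatcher that only hands constants to the reflective calls; the handler class name and the Handler interface are hypothetical.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

// Added example, not part of the PR: shows what the REFLECTION_INJECTION
// detection is meant to flag and one way to close the sink.
public class ReflectionInjectionExample {

    // VULNERABLE: class and method names come straight from the request, so
    // tainted strings reach the Class.forName / getMethod sinks. A
    // ClassLoader.loadClass(name) call fed the same way is the same shape.
    static Object dispatchUnsafe(Map<String, String> request) throws Exception {
        Class<?> clazz = Class.forName(request.get("handler"));   // sink
        Method m = clazz.getMethod(request.get("action"));        // sink
        return m.invoke(clazz.getDeclaredConstructor().newInstance());
    }

    // HARDENED: untrusted input only selects a key from a fixed allowlist; the
    // reflective calls receive constants, so no tainted value reaches a sink.
    private static final Map<String, String> HANDLERS = Map.of(
            "report", "com.example.handlers.ReportHandler");   // hypothetical class
    private static final Set<String> ACTIONS = Set.of("run", "preview");

    static Object dispatchSafe(Map<String, String> request) throws Exception {
        String className = HANDLERS.get(request.get("handler"));
        String action = request.get("action");
        if (className == null || !ACTIONS.contains(action)) {
            throw new IllegalArgumentException("unknown handler or action");
        }
        Class<?> clazz = Class.forName(className);
        // Second line of defence: even an allowlisted name must resolve to a
        // type we intend to expose through reflection.
        if (!Handler.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a Handler implementation");
        }
        Method m = clazz.getMethod(action);
        return m.invoke(clazz.getDeclaredConstructor().newInstance());
    }

    // Hypothetical contract every allowlisted handler must implement.
    public interface Handler {
        Object run();
        Object preview();
    }
}
```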

@jandro996 jandro996 added the comp: asm iast Application Security Management (IAST) label Feb 6, 2024
@pr-commenter (bot) commented Feb 7, 2024

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/reflection_injection |
| git_commit_date | 1708008561 | 1708010060 |
| git_commit_sha | 142c8ca | aa4f5bd |
| release_version | 1.31.0-SNAPSHOT~142c8cac77 | 1.31.0-SNAPSHOT~aa4f5bdee1 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1708012948 | 1708012948 |
| ci_job_id | 435144746 | 435144746 |
| ci_pipeline_id | 28359286 | 28359286 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| module | Agent | Agent |
| parent | None | None |
| variant | iast | iast |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 46 metrics, 8 unstable metrics.

Startup time reports for petclinic

(Chart: petclinic - global startup overhead, candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77; the plotted values are the ones in the tables below.)

  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.06 s | - |
| Agent | appsec | 1.16 s | 99.601 ms (9.4%) |
| Agent | iast | 1.197 s | 137.09 ms (12.9%) |
| Agent | profiling | 1.277 s | 217.251 ms (20.5%) |
| Total | tracing | 9.341 s | - |
| Total | appsec | 9.522 s | 180.878 ms (1.9%) |
| Total | iast | 9.728 s | 386.706 ms (4.1%) |
| Total | profiling | 9.591 s | 250.252 ms (2.7%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.069 s | - |
| Agent | appsec | 1.159 s | 90.209 ms (8.4%) |
| Agent | iast | 1.189 s | 120.353 ms (11.3%) |
| Agent | profiling | 1.285 s | 216.714 ms (20.3%) |
| Total | tracing | 9.365 s | - |
| Total | appsec | 9.507 s | 142.023 ms (1.5%) |
| Total | iast | 9.708 s | 343.099 ms (3.7%) |
| Total | profiling | 9.574 s | 209.156 ms (2.2%) |
Startup break down per module for petclinic (candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | BytebuddyAgent | 667.38 ms | 673.004 ms |
| tracing | GlobalTracer | 298.475 ms | 301.099 ms |
| tracing | AppSec | 51.745 ms | 51.797 ms |
| tracing | Remote Config | 707.496 µs | 706.867 µs |
| tracing | Telemetry | 7.644 ms | 7.72 ms |
| appsec | BytebuddyAgent | 668.082 ms | 667.684 ms |
| appsec | GlobalTracer | 298.76 ms | 298.395 ms |
| appsec | AppSec | 151.199 ms | 151.191 ms |
| appsec | Remote Config | 635.918 µs | 630.492 µs |
| appsec | Telemetry | 6.846 ms | 6.828 ms |
| iast | BytebuddyAgent | 789.135 ms | 781.422 ms |
| iast | GlobalTracer | 291.139 ms | 290.51 ms |
| iast | AppSec | 55.884 ms | 53.6 ms |
| iast | IAST | 19.022 ms | 22.054 ms |
| iast | Remote Config | 603.639 µs | 586.704 µs |
| iast | Telemetry | 6.597 ms | 6.57 ms |
| profiling | BytebuddyAgent | 665.925 ms | 669.945 ms |
| profiling | GlobalTracer | 381.254 ms | 384.443 ms |
| profiling | AppSec | 52.18 ms | 52.102 ms |
| profiling | Remote Config | 656.405 µs | 661.101 µs |
| profiling | Telemetry | 13.589 ms | 12.245 ms |
| profiling | ProfilingAgent | 109.257 ms | 111.253 ms |
| profiling | Profiling | 109.282 ms | 111.277 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2024-02-15T15:38:26 | 2024-02-15T15:57:23 |
| git_branch | master | alejandro.gonzalez/reflection_injection |
| git_commit_date | 1708008561 | 1708010060 |
| git_commit_sha | 142c8ca | aa4f5bd |
| release_version | 1.31.0-SNAPSHOT~142c8cac77 | 1.31.0-SNAPSHOT~aa4f5bdee1 |
| start_time | 2024-02-15T15:38:13 | 2024-02-15T15:57:11 |

Matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1708012948 | 1708012948 |
| ci_job_id | 435144746 | 435144746 |
| ci_pipeline_id | 28359286 | 28359286 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| variant | iast | iast |

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 9 metrics, 16 unstable metrics.

| scenario | Δ mean http_req_duration | Δ mean throughput | candidate mean http_req_duration | candidate mean throughput | baseline mean http_req_duration | baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:petclinic:profiling | worse: [+51.961µs; +106.903µs] or [+3.437%; +7.072%] | unstable: [-655.642op/s; +427.721op/s] or [-21.308%; +13.901%] | 1.591ms | 2962.963op/s | 1.512ms | 3076.923op/s |
Request duration reports for petclinic

(Chart: petclinic - request duration [CI 0.99], candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77; the plotted values are the ones in the tables below.)

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.341 ms [1.322 ms, 1.36 ms] | - |
| appsec | 1.742 ms [1.717 ms, 1.768 ms] | 401.022 µs (29.9%) |
| iast | 1.502 ms [1.477 ms, 1.527 ms] | 160.771 µs (12.0%) |
| profiling | 1.512 ms [1.487 ms, 1.536 ms] | 170.444 µs (12.7%) |
| tracing | 1.486 ms [1.461 ms, 1.511 ms] | 144.614 µs (10.8%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.372 ms [1.354 ms, 1.391 ms] | - |
| appsec | 1.776 ms [1.751 ms, 1.801 ms] | 403.28 µs (29.4%) |
| iast | 1.513 ms [1.488 ms, 1.538 ms] | 140.651 µs (10.2%) |
| profiling | 1.591 ms [1.565 ms, 1.618 ms] | 218.711 µs (15.9%) |
| tracing | 1.516 ms [1.491 ms, 1.541 ms] | 143.321 µs (10.4%) |
Request duration reports for insecure-bank

(Chart: insecure-bank - request duration [CI 0.99], candidate=1.31.0-SNAPSHOT~aa4f5bdee1, baseline=1.31.0-SNAPSHOT~142c8cac77; the plotted values are the ones in the tables below.)

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 366.869 µs [346.689 µs, 387.049 µs] | - |
| iast | 475.996 µs [454.812 µs, 497.181 µs] | 109.127 µs (29.7%) |
| iast_FULL | 536.08 µs [515.32 µs, 556.841 µs] | 169.211 µs (46.1%) |
| iast_GLOBAL | 496.608 µs [474.845 µs, 518.37 µs] | 129.738 µs (35.4%) |
| iast_HARDCODED_SECRET_DISABLED | 470.028 µs [449.19 µs, 490.865 µs] | 103.158 µs (28.1%) |
| iast_INACTIVE | 440.291 µs [419.84 µs, 460.743 µs] | 73.422 µs (20.0%) |
| iast_TELEMETRY_OFF | 480.481 µs [459.784 µs, 501.179 µs] | 113.612 µs (31.0%) |
| tracing | 440.265 µs [419.535 µs, 460.995 µs] | 73.396 µs (20.0%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 375.574 µs [353.018 µs, 398.129 µs] | - |
| iast | 469.371 µs [448.539 µs, 490.204 µs] | 93.798 µs (25.0%) |
| iast_FULL | 539.407 µs [518.392 µs, 560.422 µs] | 163.833 µs (43.6%) |
| iast_GLOBAL | 496.977 µs [475.654 µs, 518.301 µs] | 121.404 µs (32.3%) |
| iast_HARDCODED_SECRET_DISABLED | 475.595 µs [454.34 µs, 496.851 µs] | 100.022 µs (26.6%) |
| iast_INACTIVE | 444.175 µs [422.852 µs, 465.498 µs] | 68.601 µs (18.3%) |
| iast_TELEMETRY_OFF | 474.069 µs [452.915 µs, 495.223 µs] | 98.495 µs (26.2%) |
| tracing | 440.918 µs [420.056 µs, 461.78 µs] | 65.345 µs (17.4%) |

@jandro996 force-pushed the alejandro.gonzalez/reflection_injection branch from 2488d17 to ef7e09e on February 8, 2024 06:30
@jandro996 force-pushed the alejandro.gonzalez/reflection_injection branch from 9a213b4 to 5d3ae1b on February 8, 2024 09:42
@jandro996 marked this pull request as ready for review on February 8, 2024 12:28
@jandro996 requested review from a team as code owners on February 8, 2024 12:28
@manuel-alvarez-alvarez (Member) commented Feb 8, 2024

I'm missing call sites for java.lang.ClassLoader#loadClass(String name) (a close friend of the java.lang.reflect API), and then add support for the java.lang.invoke API in a future PR.

Review comment (Contributor) on this fragment of the change:

```java
return;
}
final IastContext ctx = IastContext.Provider.get();
if (ctx == null) {
```

Some conditionals are var == null and some are null == var.
I don't care either way, but it would be nice to be consistent.

@jandro996 jandro996 merged commit 5b5dc25 into master Feb 16, 2024
79 checks passed
@jandro996 jandro996 deleted the alejandro.gonzalez/reflection_injection branch February 16, 2024 06:43
@github-actions github-actions bot added this to the 1.31.0 milestone Feb 16, 2024