Match tainted objects with sources when checking unbounded vulnerabilities #6122
Force-pushed from ed724b7 to 1c623ca
Benchmarks

Startup
Summary: Found 0 performance improvements and 0 performance regressions. Performance is the same for 45 metrics, 9 unstable metrics.

Startup time reports for insecure-bank (candidate=1.26.0-SNAPSHOT~f52c7363f9, baseline=1.26.0-SNAPSHOT~b1ae59a318)

Global startup overhead:
  config              Agent baseline  Agent candidate  Total baseline  Total candidate
  tracing             1.044 s         1.051 s          8.72 s          8.738 s
  iast                1.161 s         1.159 s          9.289 s         9.248 s
  iast_TELEMETRY_OFF  1.153 s         1.155 s          9.279 s         9.23 s

Break down per module (baseline / candidate):
  module          tracing                iast                   iast_TELEMETRY_OFF
  BytebuddyAgent  645.884 / 650.774 ms   767.03 / 766.767 ms    759.117 / 761.812 ms
  GlobalTracer    307.17 / 308.729 ms    284.939 / 285.144 ms   285.171 / 286.394 ms
  AppSec          48.763 / 49.033 ms     46.347 / 46.227 ms     46.312 / 46.094 ms
  IAST            -                      19.447 / 18.653 ms     19.263 / 16.252 ms
  Remote Config   669.006 / 677.208 µs   612.278 / 602.987 µs   609.537 / 588.284 µs
  Telemetry       7.073 / 7.149 ms       8.122 / 7.331 ms       8.02 / 9.433 ms

Startup time reports for petclinic (candidate=1.26.0-SNAPSHOT~f52c7363f9, baseline=1.26.0-SNAPSHOT~b1ae59a318)

Global startup overhead:
  config     Agent baseline  Agent candidate  Total baseline  Total candidate
  tracing    1.047 s         1.044 s          9.368 s         9.315 s
  appsec     1.138 s         1.141 s          9.514 s         9.441 s
  iast       1.161 s         1.166 s          9.619 s         9.556 s
  profiling  1.233 s         1.242 s          9.588 s         9.677 s

Break down per module (baseline / candidate):
  module          tracing                appsec                 iast                   profiling
  BytebuddyAgent  647.009 / 645.83 ms    649.95 / 651.876 ms    768.002 / 768.812 ms   656.067 / 661.982 ms
  GlobalTracer    309.124 / 307.612 ms   308.453 / 309.812 ms   285.916 / 287.6 ms     377.461 / 378.973 ms
  AppSec          48.565 / 48.79 ms      137.428 / 137.428 ms   46.436 / 47.011 ms     48.4 / 49.029 ms
  IAST            -                      -                      17.23 / 20.459 ms      -
  Remote Config   672.984 / 664.524 µs   648.487 / 680.498 µs   608.264 / 609.32 µs    693.442 / 676.519 µs
  Telemetry       7.044 / 7.061 ms       6.916 / 6.896 ms       8.833 / 7.395 ms       7.373 / 7.442 ms
  ProfilingAgent  -                      -                      -                      88.487 / 89.105 ms
  Profiling       -                      -                      -                      88.512 / 89.13 ms

Load
Summary: Found 0 performance improvements and 0 performance regressions. Performance is the same for 8 metrics, 14 unstable metrics.

Request duration reports for insecure-bank [CI 0.99] (candidate=1.26.0-SNAPSHOT~f52c7363f9, baseline=1.26.0-SNAPSHOT~b1ae59a318), values in µs:
  variant             baseline (99% CI)      candidate (99% CI)
  no_agent            366.751 (347–387)      363.136 (343–383)
  iast                476.101 (455–497)      471.281 (450–492)
  iast_FULL           537.268 (517–558)      534.543 (514–555)
  iast_INACTIVE       451.64 (430–473)       443.145 (422–464)
  iast_TELEMETRY_OFF  471.84 (451–493)       466.146 (446–487)
  tracing             437.398 (417–458)      439.19 (419–460)

Request duration reports for petclinic [CI 0.99] (candidate=1.26.0-SNAPSHOT~f52c7363f9, baseline=1.26.0-SNAPSHOT~b1ae59a318), CI in µs:
  variant    baseline (99% CI)         candidate (99% CI)
  no_agent   1.354 ms (1336–1373)      1.359 ms (1340–1378)
  appsec     1.75 ms (1726–1775)       1.759 ms (1734–1784)
  iast       1.525 ms (1501–1550)      1.541 ms (1517–1565)
  profiling  1.505 ms (1479–1530)      1.534 ms (1509–1559)
  tracing    1.489 ms (1465–1514)      1.471 ms (1446–1496)
Force-pushed from 3404e3e to fb9c957
Probably it will be a super corner case, but it could be possible that the range start is != 0 and the length is a negative number.
I know that this is not possible from a new-source point of view, but maybe when dealing with redaction or propagation...
This PR only tries to deal with ranges created by forObject:

    // A tainted object with lost propagation gets a single range covering "everything".
    public static Range[] forObject(final @Nonnull Source source, final int mark) {
      return new Range[] {new Range(0, Integer.MAX_VALUE, source, mark)};
    }

    // Recognises exactly that shape: one range, start 0, length Integer.MAX_VALUE.
    public static boolean isUnbound(@Nonnull final Range[] ranges) {
      if (ranges.length != 1) {
        return false;
      }
      final Range range = ranges[0];
      return range.getStart() == 0 && range.getLength() == Integer.MAX_VALUE;
    }

For other corner cases I'm not sure if we should try to do the matching.
Force-pushed from fb9c957 to bf1d27a
Force-pushed from 8e30928 to 2cf53f0
Shouldn't we iterate over all ranges instead of checking only the first one?
Sorry for the delay in the response. This PR only covers the case of unbounded tainted values that are created via:

    // A tainted object with lost propagation gets a single range covering "everything".
    public static Range[] forObject(final @Nonnull Source source, final int mark) {
      return new Range[] {new Range(0, Integer.MAX_VALUE, source, mark)};
    }

There should not be other cases, unless we have a bug of course.
Force-pushed from 944d779 to 0848a55
…es with unbounded objects
Force-pushed from 0848a55 to f52c736
What Does This Do

When reporting a vulnerability where the source tainted value has a single unbounded range (this happens when we lose propagation over objects like URL, URI, ...), try to match the original source value with the final representation of the tainted object to do better reporting.

Motivation

From a customer standpoint it is sometimes difficult to correlate the vulnerability with its original source in the cases where we lose exact propagation (for instance when creating URLs).

Additional Notes

Jira ticket: APPSEC-11922
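The following is an added, self-contained illustration of the idea discussed in the review thread and in the description above; it is not dd-trace-java code. It keeps the shape of the forObject/isUnbound snippet quoted in the thread, and everything else (the Source and Range fields, matchSourceValue, evidence, the sample request parameter and URI) is an assumption made for the example. The point it shows: a tainted URI that only carries the unbounded range from forObject is reported as "everything is tainted", whereas locating the source's original value inside the URI's string form lets the report point at just the tainted host. It also shows the fallback a practitioner would want: when the object re-encodes or drops the original text, the textual match fails and the conservative unbounded range is kept, and any range shape other than the exact forObject one is left untouched, which is the corner case raised in review.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not dd-trace-java code: a minimal model of taint ranges and of
// "match the source value against the tainted object's final string form".
public class UnboundedRangeMatching {

  /** Hypothetical taint source: where the value came from and its original text. */
  static final class Source {
    final String origin; // e.g. "http.request.parameter" (assumed naming)
    final String value;  // the original tainted text

    Source(String origin, String value) {
      this.origin = origin;
      this.value = value;
    }
  }

  /** Minimal taint range: the [start, start+length) slice of a value plus its source. */
  static final class Range {
    final int start;
    final int length;
    final Source source;
    final int mark;

    Range(int start, int length, Source source, int mark) {
      this.start = start;
      this.length = length;
      this.source = source;
      this.mark = mark;
    }

    /** Same shape as the snippet quoted in the thread: one range covering "everything". */
    static Range[] forObject(Source source, int mark) {
      return new Range[] {new Range(0, Integer.MAX_VALUE, source, mark)};
    }

    /** Same check as in the thread: exactly one range, start 0, length Integer.MAX_VALUE. */
    static boolean isUnbound(Range[] ranges) {
      if (ranges.length != 1) {
        return false;
      }
      Range range = ranges[0];
      return range.start == 0 && range.length == Integer.MAX_VALUE;
    }
  }

  /**
   * Before reporting: if the tainted object carries only the unbounded range that
   * forObject() creates, look for the source's original value inside the object's
   * string form and, on a hit, replace the unbounded range with one that covers just
   * that substring. Any other shape (bounded ranges, several ranges, start != 0,
   * negative length) is returned untouched, mirroring isUnbound().
   */
  static Range[] matchSourceValue(Object tainted, Range[] ranges) {
    if (!Range.isUnbound(ranges)) {
      return ranges;
    }
    Range unbound = ranges[0];
    String needle = unbound.source.value;
    if (needle == null || needle.isEmpty()) {
      return ranges;
    }
    String haystack = String.valueOf(tainted);
    int idx = haystack.indexOf(needle);
    if (idx < 0) {
      // The object re-encoded or dropped the original text (e.g. percent-encoding):
      // no textual match is possible, so keep the conservative unbounded range.
      return ranges;
    }
    return new Range[] {new Range(idx, needle.length(), unbound.source, unbound.mark)};
  }

  /** Render the sink value with each tainted slice wrapped in [ ] for a readable report. */
  static String evidence(String sinkValue, Range[] ranges) {
    StringBuilder out = new StringBuilder();
    int pos = 0;
    for (Range r : ranges) {
      // Clamp so an unbounded range (length == MAX_VALUE) cannot overflow or run past the end.
      int start = Math.min(Math.max(r.start, pos), sinkValue.length());
      int end = (int) Math.min((long) start + Math.max(r.length, 0), sinkValue.length());
      out.append(sinkValue, pos, start).append('[').append(sinkValue, start, end).append(']');
      pos = end;
    }
    return out.append(sinkValue.substring(pos)).toString();
  }

  public static void main(String[] args) throws URISyntaxException {
    // Constructed sample: a host taken from a request parameter flows into a URI, where
    // exact range propagation is lost, so the URI is tainted with forObject().
    Source host = new Source("http.request.parameter", "evil.example");
    URI target = new URI("https", host.value, "/callback", null);
    Range[] unbounded = Range.forObject(host, 0);
    Range[] matched = matchSourceValue(target, unbounded);

    System.out.println(evidence(target.toString(), unbounded)); // whole URI marked as tainted
    System.out.println(evidence(target.toString(), matched));   // only the host substring marked

    // Fallback: a value the URI re-encodes cannot be found verbatim, so the range stays unbounded.
    Source path = new Source("http.request.parameter", "a b");
    URI encoded = new URI("https", "example.org", "/" + path.value, null);
    System.out.println(Range.isUnbound(matchSourceValue(encoded, Range.forObject(path, 0))));
  }
}
```

The match is purely textual on the object's toString() output, which is why the fallback matters: anything that normalises, escapes or truncates the source value defeats it, and in that case the report should still be raised, just with the coarser unbounded evidence rather than no evidence at all.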