Stacktrace leak protection for Tomcat 7 #5740
Merged: ValentinZakharov merged 16 commits into master from vzakharov/stacktrace_leak_protection on Nov 3, 2023

Conversation
Benchmarks (bot comment; candidate=1.23.0-SNAPSHOT~2bf64bda4e, baseline=1.23.0-SNAPSHOT~23bbe149f2)

Startup
Summary: found 0 performance improvements and 0 performance regressions; performance is the same for 54 cases.

Startup time reports for insecure-bank, global startup overhead:

| section | Agent [baseline] | Agent [candidate] | Total [baseline] | Total [candidate] |
|---|---|---|---|---|
| tracing | 1.042 s | 1.036 s | 8.759 s | 8.789 s |
| iast | 1.142 s | 1.15 s | 9.352 s | 9.283 s |
| iast_TELEMETRY_OFF | 1.146 s | 1.148 s | 9.299 s | 9.274 s |

insecure-bank, break down per module (baseline / candidate):

| module | tracing | iast | iast_TELEMETRY_OFF |
|---|---|---|---|
| BytebuddyAgent | 650.361 / 646.172 ms | 761.677 / 764.259 ms | 762.805 / 762.844 ms |
| GlobalTracer | 295.993 / 294.211 ms | 272.737 / 274.058 ms | 273.91 / 274.072 ms |
| AppSec | 48.968 / 49.049 ms | 46.206 / 46.514 ms | 46.782 / 46.406 ms |
| Remote Config | 705.405 / 698.883 µs | 558.439 / 574.256 µs | 559.193 / 574.315 µs |
| Telemetry | 11.421 / 11.467 ms | 10.46 / 11.042 ms | 10.366 / 11.898 ms |
| IAST | n/a | 16.322 / 18.773 ms | 17.074 / 18.108 ms |

Startup time reports for petclinic, global startup overhead:

| section | Agent [baseline] | Agent [candidate] | Total [baseline] | Total [candidate] |
|---|---|---|---|---|
| tracing | 1.039 s | 1.034 s | 9.285 s | 9.323 s |
| appsec | 1.118 s | 1.118 s | 9.418 s | 9.388 s |
| iast | 1.153 s | 1.149 s | 9.602 s | 9.552 s |
| profiling | 1.223 s | 1.222 s | 9.595 s | 9.581 s |

petclinic, break down per module (baseline / candidate):

| module | tracing | appsec | iast | profiling |
|---|---|---|---|---|
| BytebuddyAgent | 649.684 / 644.745 ms | 644.833 / 644.016 ms | 768.338 / 762.885 ms | 658.643 / 657.843 ms |
| GlobalTracer | 293.865 / 294.248 ms | 293.122 / 294.031 ms | 273.229 / 274.053 ms | 359.957 / 359.469 ms |
| AppSec | 48.969 / 48.457 ms | 138.038 / 138.589 ms | 46.452 / 46.761 ms | 49.502 / 49.296 ms |
| Remote Config | 690.311 / 692.279 µs | 641.896 / 644.874 µs | 565.838 / 608.759 µs | 642.209 / 649.132 µs |
| Telemetry | 11.356 / 11.165 ms | 6.872 / 6.847 ms | 12.605 / 13.368 ms | 11.319 / 11.402 ms |
| IAST | n/a | n/a | 17.149 / 16.909 ms | n/a |
| ProfilingAgent | n/a | n/a | n/a | 88.52 / 88.878 ms |
| Profiling | n/a | n/a | n/a | 88.543 / 88.901 ms |

Load
Summary: found 0 performance improvements and 0 performance regressions; performance is the same for 22 cases.

Request duration reports for insecure-bank [CI 0.99] (interval bounds in µs):

| variant | baseline | candidate |
|---|---|---|
| no_agent | 363.19 µs [341, 385] | 356.289 µs [335, 377] |
| iast | 461.3 µs [440, 482] | 452.601 µs [432, 473] |
| iast_FULL | 519.23 µs [499, 540] | 516.266 µs [496, 537] |
| iast_INACTIVE | 424.944 µs [404, 446] | 424.399 µs [404, 445] |
| iast_TELEMETRY_OFF | 448.852 µs [428, 469] | 453.681 µs [433, 475] |
| tracing | 426.548 µs [405, 448] | 432.493 µs [411, 454] |

Request duration reports for petclinic [CI 0.99] (interval bounds in µs):

| variant | baseline | candidate |
|---|---|---|
| no_agent | 1.329 ms [1309, 1349] | 1.343 ms [1324, 1363] |
| appsec | 1.705 ms [1680, 1729] | 1.688 ms [1663, 1713] |
| iast | 1.466 ms [1442, 1489] | 1.467 ms [1443, 1491] |
| profiling | 1.504 ms [1477, 1531] | 1.453 ms [1427, 1478] |
| tracing | 1.469 ms [1445, 1494] | 1.426 ms [1402, 1451] |
Review timeline

- Aug 21, 2023: cataphract requested changes, with comments (outdated, resolved) on ...c-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueInstrumentation.java and dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java
- August 25, 2023 16:08: ValentinZakharov force-pushed the vzakharov/stacktrace_leak_protection branch 3 times, most recently from 7e8787c to f9901fa
- Review comment (outdated, resolved) on ...cat-appsec-7/src/main/java/datadog/trace/instrumentation/tomcat7/ErrorReportValueAdvice.java
- August 28, 2023 08:54: ValentinZakharov force-pushed the branch from f9901fa to 5e1a4c6
- October 16, 2023 10:44: ValentinZakharov force-pushed the branch 8 times, most recently from e98801a to c8202e0
- Oct 19, 2023: smola approved these changes
- October 19, 2023 13:49: ValentinZakharov force-pushed the branch from 1399479 to 87d4422
- November 2, 2023 14:34: ValentinZakharov force-pushed the branch 4 times, most recently from 0df6bbf to 58de69f
- Nov 2, 2023: cataphract approved these changes, with a comment (outdated, resolved) on dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/StacktraceLeakModuleTest.groovy
- Nov 2, 2023: manuel-alvarez-alvarez approved these changes, with comments on dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/StacktraceLeakModuleTest.groovy (outdated, resolved) and dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/StacktraceLeakModuleImpl.java (resolved)
- November 2, 2023 19:31: ValentinZakharov force-pushed the branch from 1e33657 to 4af1908
- November 2, 2023 21:23: ValentinZakharov force-pushed the branch from 4af1908 to 3db28f3
- Nov 3, 2023: smola approved these changes
- Nov 7, 2023: smola changed the title from "Stacktrace leak protection" to "Stacktrace leak protection for Tomcat 7+"
- Nov 7, 2023: smola changed the title from "Stacktrace leak protection for Tomcat 7+" to "Stacktrace leak protection for Tomcat 7"
What Does This Do
Added a mechanism to detect and suppress stacktrace leaks (disabled by default).
Implemented error handler instrumentation in Tomcat 7 to catch exceptions before they can be propagated to the client.
To make it work, IAST must be enabled:
`-Ddd.iast.enabled=true`
Suppression can be enabled with the option
`-Ddd.iast.stacktrace-leak.suppress=true`
Motivation
The feature solves the “Stacktrace Exposure” problem. Many web servers and frameworks still return exception details in the response, revealing critical details about application internals to a potential attacker. A classical example: you can perform an SQLi attack by sending a sequence of malicious requests, each time using the exception message to validate the SQL injection results. The solution provides both features, detection and prevention (displays the ASM blocking page instead of the stacktrace), disabled by default.
Additional Notes
This is an Innovation week project.
Since it is an experimental feature, it is currently implemented for Tomcat 7+ only.
JIRA: APPSEC-11758
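The detect-then-suppress flow the PR description refers to, as an added Python example that is not part of this PR or of the dd-java-agent code base: it scans a response body for a Java stack trace (a dotted exception class name plus at least one `at pkg.Class.method(File.java:NN)` frame), reports which exception class, message and top frame would have reached the client, and replaces the body with a generic error page only when suppression is switched on, off by default like the PR's flag. The Tomcat-style error page, the SQL error text inside it and the function and regex names are all constructed for this example; the agent's own Tomcat instrumentation works differently (it hooks the error reporting path in the server rather than post-processing the body).

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: a Tomcat-style default error page that embeds the
# unhandled exception.  Neither the class names nor the SQL error are real.
LEAKY_RESPONSE = """<html><head><title>Apache Tomcat/7.0.109 - Error report</title></head>
<body><h1>HTTP Status 500 - Internal Server Error</h1>
<p><b>exception</b></p><pre>java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual near '''' at line 1
\tat com.example.bank.AccountDao.findByOwner(AccountDao.java:42)
\tat com.example.bank.AccountServlet.doGet(AccountServlet.java:31)
\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:620)
\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: ...
\tat com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
</pre></body></html>"""

# Constructed sample: the same status, but nothing about the application's internals.
CLEAN_RESPONSE = "<html><body><h1>HTTP Status 500 - Internal Server Error</h1></body></html>"

# What the client gets instead of the trace when suppression is on (hypothetical page).
GENERIC_ERROR_PAGE = "<html><body><h1>HTTP Status 500 - Internal Server Error</h1></body></html>"

# One Java stack frame line: "\tat pkg.Class.method(File.java:42)".
FRAME_RE = re.compile(r"^[ \t]*at[ \t]+([\w$.<>]+)\(([^)]*)\)[ \t]*$", re.MULTILINE)
# Exception header: dotted class name ending in Exception/Error/Throwable, optional ": message".
# The message stops at a newline or an HTML tag so markup is not swallowed.
HEADER_RE = re.compile(
    r"(?<![\w$.])([\w$]+(?:\.[\w$]+)+(?:Exception|Error|Throwable))(?::[ \t]*([^\n<]*))?"
)


@dataclass(frozen=True)
class StacktraceLeak:
    exception_class: str      # e.g. java.sql.SQLSyntaxErrorException
    message: Optional[str]    # the part an attacker reads, e.g. the SQL parser's complaint
    top_frame: str            # innermost application frame: class and method names
    frame_count: int

    @property
    def is_sql_error(self) -> bool:
        """True when the leaked exception is a SQL error, the oracle a SQLi probe looks for."""
        return "sql" in self.exception_class.lower()


def find_stacktrace_leak(body: str) -> Optional[StacktraceLeak]:
    """Return details of a Java stack trace found in a response body, or None.

    Both an exception header and at least one 'at ...' frame are required, so
    prose that merely mentions an exception class is not reported.
    """
    frames = FRAME_RE.findall(body)
    if not frames:
        return None
    header = HEADER_RE.search(body)
    if header is None:
        return None
    message = header.group(2)
    return StacktraceLeak(
        exception_class=header.group(1),
        message=message.strip() if message else None,
        top_frame=frames[0][0],
        frame_count=len(frames),
    )


def handle_error_response(body: str, suppress: bool = False) -> Tuple[str, Optional[StacktraceLeak]]:
    """Detect, then optionally suppress.

    The leak is always reported (detection); the body is replaced by the generic
    page only when suppression is enabled, which mirrors the PR shipping the
    suppress flag off by default.
    """
    leak = find_stacktrace_leak(body)
    if leak is None or not suppress:
        return body, leak
    return GENERIC_ERROR_PAGE, leak


if __name__ == "__main__":
    for suppress in (False, True):
        body, leak = handle_error_response(LEAKY_RESPONSE, suppress=suppress)
        print(f"suppress={suppress}: leak={leak}")
        print(f"  client sees {len(body)} bytes, trace present: {'findByOwner' in body}")
```

Run it stand-alone to see the same leak reported twice, once with the trace still in the body and once with the body replaced; the `is_sql_error` property is what a blind-SQLi oracle needs, since the attacker only has to distinguish "SQL syntax error" responses from normal ones. A post-processing check like this is a test-harness or WAF-style approximation; doing it at the server's error reporting hook, as the PR does, avoids buffering whole responses.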