
V2019.04.17

Baidu Security


OpenRASP Internals v2019.04.17

Preface 3

1. Background 4

1.1 OASES brief introduction - https://oases.io 4

1.2 OpenRASP brief introduction - https://rasp.baidu.com 4

1.3 Main threats to application security 4

2. RASP Technology Introduction 5

2.1 RASP background 5

2.2 How RASP works 5

2.3 Main differences between RASP and existing solutions 6

3. OpenRASP Features 7

3.1 Web 2.0 attack detection 7

3.2 Server security baseline checks 7

3.3 Application hardening 8

3.4 Unified management backend 8

3.5 SIEM / SOC integration 8

4. Large-scale Deployment 9

4.1 Clarify the architecture 9

4.2 Performance testing 9

4.3 Gray release 9

4.4 Production deployment 9

4.5 Online operation and maintenance 10

4.6 Using OpenRASP with Nginx / Apache / Lighttpd 10

5. Customize your OpenRASP 11

5.1 Technical customization 11

5.2 Roadmap 11

5.3 OEM support 11

6. Frequently asked questions 12



Preface

This e-book covers best practices for using OpenRASP in enterprise security. It is written mainly for:

• security operations personnel

• back-end R&D personnel

By the time you read this e-book you may already have heard of RASP technology, or you may know nothing about this new technology. In either case, we recommend that you read the sections below with the following questions in mind:

• What is RASP technology?

• What problems does OpenRASP solve, and what are its technical difficulties?

• Is OpenRASP suitable for my company and my security team?

• Once I decide to deploy OpenRASP, how do I explain its architecture clearly to the R&D team?

This e-book answers these questions one by one. If you have other questions, or any questions about this e-book, please visit https://rasp.baidu.com/#section-support, join the QQ technical discussion group, and contact the group owner.

This e-book will also continue to be updated with more details; please follow the announcements in the QQ technical discussion group.



1. Background

Before we begin, let us take some time to understand the background of the project.

1.1 OASES brief introduction - https://oases.io

OASES (Open AI System Security Alliance) is China's first alliance dedicated to improving the security capability of the intelligent terminal ecosystem. It was jointly initiated and established by Baidu, Huawei and the China ICT Institute, and its members include security vendors, device manufacturers, universities and security experts from various industries. OASES hopes to build an open, shared, cooperative and secure ecosystem chain, and to promote positive interaction and cooperation between mobile phone manufacturers, intelligent terminal manufacturers and security vendors.

OASES currently includes several sub-projects, among them KARMA, OASP, OpenRASP, MesaLink and MesaLock Linux. OpenRASP is mainly used for application cloud security and for application security testing before going online.

1.2 OpenRASP Brief introduction - https://rasp.baidu.com

In 2014 Gartner put forward the concept of "Runtime Application Self-Protection" (RASP): an application should not rely on external systems for its protection; it should have the ability to protect itself at runtime. OpenRASP is an open-source implementation of this technology. It changes the firewall approach of blocking attacks based on request characteristics: for injection-type vulnerabilities, we can identify the part of the statement that came from user input and check whether the program logic has been modified.

Currently, OpenRASP has been integrated into a number of commercial host security products, and many large customers have deployed it in production. If you run into any problems while using it, please join our QQ technical discussion group and contact us; if you want to follow the project's progress and future plans, check the baidu/openrasp milestones.

1.3 Main threats to application security

In 2001, most websites had no protection against SQL injection at all and were completely exposed. Now, after more than a decade of development in application attack and defense technology, we still face a large number of threats:

• New vulnerabilities keep appearing, such as deserialization vulnerabilities

• Network boundaries are blurring; R&D does not even know when a new service goes online

• More and more data leaks originate from inside the organisation

• Backdoors left behind on servers after staff leave, which nobody is even aware of

• ...

For most small and medium-sized businesses, the understanding of application security management may still remain at the WAF stage. They usually do not have enough people with the security capability to do overall planning, and SDL management is limited. In the future, Baidu will gradually open up its security capabilities and best practices to help small and medium-sized businesses plan and build their own security systems and implement SDL.



2. RASP Technology Introduction

Below we look at RASP technology in detail. As a security operations person, you might ask the following questions:

• How does RASP technology work?

• What security problems does RASP solve?

• Where are its advantages compared with traditional application security solutions?

2.1 RASP background

Gartner's 2014 security report listed RASP as a key trend in the application security field. The original text reads:

" Applications should not be delegating most of their runtime protection to the external devices.
Applications should be capable of self-protection (i.e., have protection features built into the
application runtime environment) "

That is: an application should not rely on external components for protection at runtime, but should be able to protect itself, by building protection mechanisms into the application's runtime environment.

So, why do applications need to protect themselves?

For example, when an application is attacked through a Struts vulnerability, external protective devices such as a WAF or IDS can only know that the request contains an attack signature and should be intercepted; the application, on the other hand, knows at runtime that it is executing a piece of OGNL code, which then somehow goes on to run a system command.

Of course, this concerns known vulnerabilities. If the vulnerability is a new one, the application needs to protect itself even more. A new vulnerability usually means a new request format and new request parameters; external protective devices need time to add rules before they can protect against it, whereas the application can protect itself based on the program's behaviour while it executes, usually without depending on rules.

2.2 How RASP works

We now have a preliminary understanding of RASP technology: RASP is a new application protection technology, deployed on application servers such as tomcat / php / nodejs / python and tightly coupled with them. Below we take a Java server as an example to understand its architecture.

In the Java technology stack, the RASP engine is implemented as a javaagent and runs inside the JVM. When the application server starts, the RASP engine uses the instrumentation technology provided by the JVM itself to replace the bytecode of key class methods.

If you have used APM products, javaagent technology should not be unfamiliar to you. RASP and APM are the same in principle; only the hooked functions differ. Taking OpenRASP as an example, we hook key operations such as SQL queries, file reads and writes, object deserialization and command execution; for the specific list see Secondary Development - Architecture Description - Hook Function List.

2.3 Main differences between RASP and existing solutions

First, RASP has almost no false positives. Boundary devices detect attacks based on request characteristics and usually cannot know whether the attack succeeded. Scanner crawling and nday scans typically generate an extremely large number of raw alarms. RASP runs inside the application; a failed attack does not trigger the detection logic, so every alarm corresponds to a successful attack.

Second, RASP can find more attacks. Taking SQL injection as an example, a boundary device can only see the request message. RASP can see not only the request information but also the complete SQL statement, and associate the two. If an injection attempt causes a syntax error or another exception on the server, the RASP engine can recognise and handle it.

Finally, RASP can defend against unknown vulnerabilities. Faced with a brand-new attack, boundary protective equipment cannot grasp what the application will do next; RASP technology can identify abnormal program logic, such as command execution caused by a deserialization vulnerability, and so can fight against unknown vulnerabilities.
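As an added example (not OpenRASP's own plugin code), the check below shows the principle from 1.2 and 2.3 in working form: given the complete SQL statement the hook sees and the request parameters, it asks whether a parameter changed the statement's token structure, so a payload that never reached the query produces no alarm while one that did is reported. The statements and parameters are constructed samples.

```javascript
// Added example (not OpenRASP's own plugin code): a RASP-style SQL injection
// check working on the complete statement plus the request parameters.

// Split a SQL statement into tokens, recording each token's offsets.
function tokenizeSql(sql) {
  const tokens = [];
  const push = (type, start, end) =>
    tokens.push({ type, text: sql.slice(start, end), start, end });
  let i = 0;
  while (i < sql.length) {
    const c = sql[i], next = sql[i + 1], start = i;
    if (/\s/.test(c)) { i++; continue; }
    if (c === "'" || c === '"' || c === "`") {             // quoted literal / identifier
      i++;
      while (i < sql.length) {
        if (sql[i] === "\\") { i += 2; continue; }          // backslash escape
        if (sql[i] === c) { if (sql[i + 1] === c) { i += 2; continue; } i++; break; }
        i++;
      }
      push(c === "'" ? "string" : "identifier", start, i);
    } else if ((c === "-" && next === "-") || c === "#") {  // line comment
      while (i < sql.length && sql[i] !== "\n") i++;
      push("comment", start, i);
    } else if (c === "/" && next === "*") {                 // block comment
      const close = sql.indexOf("*/", i + 2);
      i = close === -1 ? sql.length : close + 2;
      push("comment", start, i);
    } else if (/[0-9]/.test(c)) {
      while (i < sql.length && /[0-9.]/.test(sql[i])) i++;
      push("number", start, i);
    } else if (/[A-Za-z_]/.test(c)) {
      while (i < sql.length && /\w/.test(sql[i])) i++;
      push("word", start, i);
    } else {
      i++;
      push("punct", start, i);
    }
  }
  return tokens;
}

// A parameter value that lands inside one token (a literal, a number) is
// ordinary data; one spanning several tokens, or turning the tail of the
// statement into a comment, is an injection that actually reached the database.
function checkSqlInjection(sql, params) {
  const tokens = tokenizeSql(sql);
  for (const [name, value] of Object.entries(params)) {
    if (!value) continue;                                   // nothing to locate
    for (let at = sql.indexOf(value); at !== -1; at = sql.indexOf(value, at + 1)) {
      const end = at + value.length;
      const hit = tokens.filter(t => t.start < end && t.end > at);
      if (hit.length > 1 || hit.some(t => t.type === "comment")) {
        return { attack: true, parameter: name, tokens: hit.map(t => t.text) };
      }
    }
  }
  return { attack: false };
}

// Constructed samples: an ordinary lookup, a successful comment injection,
// and a scanner payload that a prepared statement never let into the query.
console.log(checkSqlInjection("SELECT id FROM users WHERE name = 'alice'", { name: "alice" }));
console.log(checkSqlInjection("SELECT id FROM users WHERE name = 'admin'--' AND password = 'x'", { name: "admin'--" }));
console.log(checkSqlInjection("SELECT id FROM users WHERE id = ?", { id: "1 OR 1=1" }));
```

The third call is the case a boundary device would alarm on and a RASP does not: the payload is in the request but never changed a statement.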



3. OpenRASP Features

3.1 Web 2.0 attack detection

First, we defined 25 types of attack and classified detection capability with reference to the OWASP Top 10 2017. For each vulnerability we describe the attack scenarios in detail and the degree to which the current detection capability covers them. For details, see Function Description - Detection Capability Description.

• A1 - Injection

• A2 - Broken authentication and session management

• A3 - Sensitive data exposure

• A4 - XML External Entities (XXE)

• A5 - Broken access control

• A6 - Security misconfiguration

• A7 - Cross-site scripting (XSS)

• A8 - Insecure deserialization

• A9 - Using components with known vulnerabilities

• A10 - Insufficient logging and monitoring

Second, for already disclosed CVE vulnerabilities we carried out a large number of tests. For the specific coverage, see Function Description - Vulnerability Coverage Description.

Finally, if you want to know about the OpenRASP detection algorithms, you can read the articles published on the Baidu Security Lab public account or directly view the detection plugin source code.

3.2 Server security baseline checks

When the application server starts, OpenRASP checks its security configuration against a specification. A good security baseline reduces the risk of the application server being compromised. We currently support the following policies:

• 3001 - Check whether httpOnly is enabled on essential cookies

• 3002 - Check the account the process is started under

• 3003 - Check management backend password strength

• 3004 - Check for insecure default applications

• 3005 - Directory listing check

• 3006 - Database connection account audit

• 3007 - JBoss HTMLAdaptor authentication check

• 4001 - PHP allow_url_include configuration audit

• 4002 - PHP expose_php configuration audit

• 4003 - PHP display_errors configuration audit

• 4004 - PHP yaml.decode_php configuration audit

Different policies support different servers; see Function Description - Server Security Baseline Checks for details.
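The following added example (not OpenRASP's own baseline code) implements two of the policies listed above: a php.ini parser that audits the four directives behind 4001-4004, and a Set-Cookie inspection for 3001. The php.ini fragment, cookie headers and the list of cookies treated as essential are constructed for the example.

```javascript
// Added example (not OpenRASP's own baseline code): 4001-4004 audit php.ini
// directives; 3001 inspects Set-Cookie response headers.

// Parse php.ini text into a key -> value map, dropping ; comments and
// [section] headers and unquoting values.
function parsePhpIni(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\s*;.*$/, "").trim();
    if (!line || line.startsWith("[")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim().toLowerCase();
    settings[key] = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
  }
  return settings;
}

// PHP accepts several spellings for "enabled"; anything else counts as off.
function isOn(value) {
  return ["1", "on", "true", "yes"].includes(String(value).toLowerCase());
}

// Policies 4001-4004: each directive should be off on a production server.
const PHP_BASELINE = [
  { id: 4001, key: "allow_url_include", risk: "remote file inclusion" },
  { id: 4002, key: "expose_php", risk: "PHP version disclosed to clients" },
  { id: 4003, key: "display_errors", risk: "error details shown to clients" },
  { id: 4004, key: "yaml.decode_php", risk: "PHP objects unserialized from YAML" },
];

// "unset" means the compiled-in default applies and must be checked separately.
function auditPhpIni(text) {
  const settings = parsePhpIni(text);
  return PHP_BASELINE.map(p => {
    const value = settings[p.key];
    const status = value === undefined ? "unset" : isOn(value) ? "fail" : "pass";
    return { id: p.id, key: p.key, value, status, risk: p.risk };
  });
}

// Policy 3001: an essential (session) cookie without HttpOnly is readable by
// script, so any XSS becomes session theft. `names` is chosen for this example.
function auditCookies(setCookieHeaders, names) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const name = pair.split("=")[0];
    if (!names.includes(name)) continue;
    const httpOnly = attrs.some(a => a.toLowerCase() === "httponly");
    findings.push({ id: 3001, cookie: name, status: httpOnly ? "pass" : "fail" });
  }
  return findings;
}

// Constructed samples: a development-style php.ini fragment and the
// Set-Cookie headers of one response.
const SAMPLE_INI = ["[PHP]", "; development settings", "allow_url_include = Off",
  "expose_php = On", "display_errors = On   ; shows errors in the browser",
  "yaml.decode_php = 1"].join("\n");
const SAMPLE_COOKIES = ["PHPSESSID=abc123; Path=/; HttpOnly",
  "JSESSIONID=def456; Path=/", "theme=dark; Path=/"];
console.table(auditPhpIni(SAMPLE_INI));
console.table(auditCookies(SAMPLE_COOKIES, ["PHPSESSID", "JSESSIONID"]));
```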



3.3 Application hardening

When the application receives a request, we add headers to the response to achieve the corresponding hardening. The currently supported configuration is:

Content                              Response header          Options
Clickjacking defense                 X-Frame-Options          off / deny / sameorigin
MIME sniffing protection             X-Content-Type-Options   off / nosniff
XSS Auditor protection               X-XSS-Protection         off / 1; mode=block
Automatic file execution protection  X-Download-Options       off / noopen
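As an added example (not OpenRASP's own code), the block below applies the four headers from the table at response time with the option values the table allows, and includes a verifier for checking a captured response against the same table. The rule that a header already set by the application is left untouched, and the sample response and configuration, are assumptions of this example.

```javascript
// Added example (not OpenRASP's own code): the hardening headers from the
// table, applied at the response hook and verified on a captured response.

// Allowed values per header, copied from the table; "off" disables a header.
const HARDENING = {
  "X-Frame-Options":        ["deny", "sameorigin"],
  "X-Content-Type-Options": ["nosniff"],
  "X-XSS-Protection":       ["1; mode=block"],
  "X-Download-Options":     ["noopen"],
};

// HTTP header names are case-insensitive, so look them up that way.
function findHeader(headers, name) {
  return Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
}

// Reject configuration typos up front: a value such as "sameOrigin " would
// otherwise be sent to every client as a header browsers ignore.
function validateHardeningConfig(config) {
  for (const [header, value] of Object.entries(config)) {
    if (!(header in HARDENING)) throw new Error(`unknown hardening header ${header}`);
    if (value !== "off" && !HARDENING[header].includes(value))
      throw new Error(`invalid value "${value}" for ${header}`);
  }
  return true;
}

// Add the configured headers to an outgoing response. A header the application
// already set is left alone (this example assumes the application's explicit
// policy is the more specific one and should win).
function applyHardening(responseHeaders, config) {
  validateHardeningConfig(config);
  const out = { ...responseHeaders };
  for (const [header, value] of Object.entries(config)) {
    if (value === "off" || findHeader(out, header)) continue;
    out[header] = value;
  }
  return out;
}

// Verify a captured response: each protection is "ok", "missing", or
// "invalid" (present, but not a value browsers honour).
function verifyHardening(responseHeaders) {
  const report = {};
  for (const [header, allowed] of Object.entries(HARDENING)) {
    const key = findHeader(responseHeaders, header);
    if (!key) report[header] = "missing";
    else report[header] = allowed.includes(String(responseHeaders[key]).trim().toLowerCase())
      ? "ok" : "invalid";
  }
  return report;
}

// Constructed sample: a response where the application set its own frame
// policy, hardened with every option from the table enabled.
const APP_RESPONSE = { "Content-Type": "text/html", "x-frame-options": "SAMEORIGIN" };
const CONFIG = {
  "X-Frame-Options": "deny",
  "X-Content-Type-Options": "nosniff",
  "X-XSS-Protection": "1; mode=block",
  "X-Download-Options": "noopen",
};
console.log(verifyHardening(applyHardening(APP_RESPONSE, CONFIG)));
```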

3.4 Unified management backend

The management backend supports viewing attack and baseline logs, and also supports host management, detection plugin upgrades and other functions. For specific deployment and usage, see the Service Configuration - Management Backend documentation.

3.5 SIEM / SOC integration

Whether your SIEM is self-developed, open source or a commercial product, OpenRASP can be integrated seamlessly. We currently support three integration methods: log files, Syslog over TCP, and push from the management backend. In the official documentation we give configuration methods for two SIEMs, ELK and Splunk; see Installation and Deployment - SIEM System Integration for details.




4. Large-scale Deployment

4.1 Clarify the architecture

In general, the security team needs to communicate with the R&D and operations teams to clarify the RASP technical architecture, what impact it has on the servers, and why deploying RASP is necessary.

We have therefore written Secondary Development - Architecture Description for your reference. If you have further questions, please join the QQ technical discussion group to discuss them.

In addition, for Java servers, if you use APM you still need to pay attention to the APM Compatibility Notes entry in the FAQ.

4.2 Performance testing

Before going online, please ask QA to run stress tests in the test environment, focusing on the following questions:

• When the CPU is saturated, how much does the average request response time degrade?

• When the CPU is saturated, how much does QPS fall?

Inside Baidu we tested a large number of business systems and open-source applications, and users in the QQ group helped us test many online businesses. With the CPU saturated, the impact on QPS is usually between 1% and 4%, and the added response-time delay is typically 3 ~ 10ms, which can be ignored.

Of course, if you find that the actual performance loss exceeds 5%, please refer to the Secondary Development - Debugging Code - Performance Tuning documentation and collect performance data. Then join the QQ group and contact the group owner; we will analyse it as soon as possible and solve the problem quickly.

4.3 Gray release

Before going online, we recommend that, for each business line, you first roll out to a portion of the machines. Inside Baidu we talk to the business line, observe for at least one week, and then decide which machines to deploy to next.

To ensure code quality, we use travis for automated testing, which runs on every code submission; before each release, QA carries out functional and stress tests. Our program catches all exceptions, so even an internal engine error usually does not affect the server. Although so far we have never found a stability problem in any minor version, we still need to remain cautious and communicate closely with the business lines.

4.4 Production deployment

Baidu's internal IDC environment is complicated; besides conventional physical machines we have docker, virtual hosts and other runtime platforms. To support these environments we did a large amount of adaptation work. We have now published large-scale deployment scripts and installation programs; see the Installation and Deployment - Large-scale Deployment documentation for details.



4.5 Online operation and maintenance

Operations work generally includes the following:

• Machine liveness monitoring, including disk space, memory usage, and whether the machine is online

• Process liveness monitoring, including the database, the management backend, and clients losing contact

• Regular database backups, including MongoDB and ElasticSearch

Considering that most companies have their own monitoring platform and operations team, this e-book does not go into further detail here.

4.6 Using OpenRASP with Nginx / Apache / Lighttpd

Taking the nginx + php-fpm architecture as an example, requests for static resources usually do not pass through RASP, so RASP does not protect them. A sensitive file download vulnerability, for example, concerns a static resource:

https://www.example.com/wwwroot.zip

In this case you need to configure the web server to raise the security level. To forbid the download of archives, SQL backups and sensitive git files, you can add the following configuration to nginx:

    location ~* \.(7z|tar|zip|rar|bz2|gz|sql)$ { deny all; }

    location /.git { deny all; }

After modifying the configuration, run nginx -s reload for it to take effect.


5. Customize your OpenRASP

Different companies use different technology stacks, and their security requirements may differ as well. For instance, some customers need us to support the DB2 database, and some need to allow python commands to be executed on the server. If you have such a need, you can join the QQ group and contact the group management; we will implement most reasonable requests.

5.1 Technical customization

A number of security vendors have already packaged OpenRASP; they usually make the following changes:

• Encrypting and obfuscating the rules

• Custom remote management

• Custom detection algorithms

To customize the technology, we first need to understand the underlying architecture and system design; see our Secondary Development and Plugin Development documentation for details.

If you have further questions, please join the QQ technical discussion group to discuss them.

5.2 Roadmap

Based on feedback from users in the QQ group, we plan to add support for three more languages, golang / python / nodejs, by mid-2019. For the specific version development plan, see the baidu/openrasp - Milestones documentation and baidu/openrasp - Issues.

5.3 OEM support

As part of the open-source ecosystem, we welcome security vendors to carry out secondary development based on OpenRASP. To better support commercial use, OpenRASP is released under the Apache License 2.0; for more details see the article Talking about the Apache Open Source License.

If you intend to OEM our open-source product, be sure to follow the announcements in our QQ technical discussion group, the OpenRASP milestones, and the Baidu Security Lab public account, so that you stay up to date on new features and bug fixes.

6. Frequently asked questions

For details, see Home - FAQ. We currently answer the following questions:

• Which application servers are currently supported?

• What types of attacks can OpenRASP detect?

• Does OpenRASP affect server performance?

• How to integrate with an existing SIEM / SOC platform?

• How to develop a detection plugin / customize the detection capability?

• For a new plugin, how to avoid too many false alarms that affect the business?

• Why was JavaScript chosen to implement the detection logic plugins?

• Do detection plugins support real-time updates?

• What is the difference between OpenRASP and commercial RASP products?

If you have further questions, please join the QQ technical discussion group and contact the group owner. Good questions will be added to the FAQ list as soon as possible.
