What is RASP? How does RASP compare with a WAF in performance? What is the implementation idea behind RASP? This article introduces each of these in detail.
RASP overview
What is RASP
RASP (Runtime Application Self-Protection) injects itself into the application and integrates with it, monitoring and blocking attacks in real time so that the program gains the ability to protect itself. The application needs no changes to its code, only a simple configuration.
Runs inside the application;
Detection points sit at the application's input and output positions;
Input points include user requests, file input, etc.;
Output points include the database, network, file system, etc.
What RASP can do
RASP vs WAF: deployment
WAF
Deployed in one place at the external boundary entrance
Supports transparent (inline), bypass and reverse-proxy modes
Easily becomes a single point of failure, with a large blast radius
RASP
The server side is deployed separately and embedded in the application, so the application code is not aware of it
For a Java program, add the -javaagent:rasp.jar parameter at startup
Strongly tied to the development language, but protection plug-ins can be shared
Knows more about the application context
RASP vs WAF: performance
WAF
The more regular-expression matching rules, the lower the performance
Performance depends on hardware specifications
Service traffic passes through one extra socket forwarding hop, so latency is high
No impact on server CPU
RASP
Not every request is matched against every rule, because detection happens only at key points
Some vendors claim the impact on server CPU performance can be kept down to 2%
Latency increases by 3-5% in the unprotected state and by 4.6-8.9% in the protected state
RASP vs WAF: product features
RASP vs WAF: detection capability
(from https://www.oneasp.com/topic/raspwaf.html)
RASP prospects
“The RASP market size is expected to grow from USD 294.7 million in 2017 to USD 1,240.1 million by 2022, at a Compound Annual Growth Rate (CAGR) of 33.3% during the forecast period.”
RASP technology implementation (Java)
RASP implementation ideas
How to inject the detection code
At which control points to inject
How to detect attacks after injection
How to handle attacks once detected
RASP injection methods (Java)
Servlet filter: sits on the request/response path; can only filter HTTP messages
JVM refactoring: embedded in the JVM; the RASP container is implemented on top of the JVM's security control layer. This requires deep familiarity with the JVM; Waratek, abroad, takes this approach
Java Instrument: the most common approach
Java foundations: source code, compilation and execution
What is Java Instrument
A feature introduced in Java SE 5 that relies on JVMTI.
Used to monitor and assist programs running on the JVM, and even to replace or modify the definitions of some classes
The -javaagent parameter specifies the jar file containing the instrumentation code when running the program:
java -javaagent:K:\java\MyAgent.jar app.HelloWorld
What is JVMTI
Its full name is JVM Tool Interface: a collection of native programming interfaces that the JVM exposes for users to extend it.
It is event-driven: every time the JVM executes certain logic, it actively calls a set of event callback interfaces, which developers can use to hook in their own logic.
Principles of Java Instrument
How to implement Instrument
JDK reflection
Concept
Java recognizes information about objects and classes at runtime in two ways:
Traditional RTTI: whether a class is loaded by the JVM is determined at compile time;
Reflection mechanism: in the running state, all the properties and methods of any class (including classes not yet loaded) can be discovered, and any method or property of any object can be called;
With this "self-auditing" ability to explore class structure, combined with polymorphism, Java's flexibility can be fully exploited.
Use
Java provides the java.lang.reflect package, which includes the Method, Constructor, Field, Proxy, InvocationHandler and other classes
Functions
Determine the class to which any object belongs at run time.
Construct an object of any class at run time.
Determine the member variables and methods of any class at run time.
Call a method of any object at run time.
Generate dynamic proxies
JDK reflection - Example 1
Dynamic loading
JDK reflection - Example 2
Dynamic proxy
JDK reflection - conclusion
Although dynamic proxies are highly flexible, the relevant class library still has to be used to configure the proxy and integrate it into the application source code, which is not an ideal solution.
No suitable way was found to proxy existing classes without modifying the application code
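The following is an added example, not code from the original article: a JDK dynamic proxy that monitors calls to an assumed application interface (UserDao and JdbcUserDao are placeholders). It shows the limitation stated in the conclusion: only call sites that go through the proxy are covered.

```java
package com.example.rasp;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ProxyDemo {
    // Assumed application interface and implementation, used only for this demonstration
    public interface UserDao {
        String findByName(String name);
    }
    static class JdbcUserDao implements UserDao {
        public String findByName(String name) { return "row-for-" + name; }
    }

    // Wraps any UserDao in a JDK dynamic proxy that monitors each call without touching the DAO's source
    public static UserDao monitor(UserDao real) {
        InvocationHandler handler = (proxy, method, args) -> {
            long start = System.nanoTime();
            Object result = method.invoke(real, args);      // forward to the real implementation
            long micros = (System.nanoTime() - start) / 1000;
            System.out.println("[monitor] " + method.getName() + " -> " + result + " (" + micros + " us)");
            return result;
        };
        return (UserDao) Proxy.newProxyInstance(
                UserDao.class.getClassLoader(), new Class<?>[] { UserDao.class }, handler);
    }

    public static void main(String[] a) {
        // The catch: the application must obtain its DAO through monitor(); any call site that
        // instantiates JdbcUserDao directly bypasses the proxy, which is the limitation noted above
        UserDao dao = monitor(new JdbcUserDao());
        dao.findByName("alice");                 // monitored
        new JdbcUserDao().findByName("bob");     // unmonitored: no code change, no hook
    }
}
```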
Javassist
Concept
An open-source class library for analyzing, editing and creating Java bytecode.
Created by Shigeru Chiba of the Department of Mathematics and Computer Science, Tokyo Institute of Technology. It has joined the open-source JBoss application server project, which uses Javassist to manipulate bytecode in order to implement JBoss's dynamic "AOP" framework.
Allows developers to freely add new methods to a compiled class, or modify existing methods.
A way of doing Java instrumentation.
Advantages
Simple: the structure of a class can be changed dynamically, or a class generated dynamically, by writing ordinary Java source form, without understanding virtual machine instructions.
Use
The Javassist library provides the ClassPool, CtClass, CtMethod and other classes;
Javassist - Example 1
Dynamic class construction
Javassist - Example 2
Instrument
Premain function:
Transform function:
If the class is one that should be modified, locate the method to be hooked inside the class and add a detection call before and after it (the figure below is only a sketch).
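As an added example (not the article's code or any vendor's agent), the premain and transform functions described above, written with Javassist. The target class com/example/app/UserDao, its method findByName, and the single-quote rule in onEnter are placeholders chosen for illustration.

```java
package com.example.rasp;

import java.io.ByteArrayInputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;

// Named as Premain-Class in the agent jar's MANIFEST.MF; loaded with -javaagent:rasp.jar
public class RaspAgent {
    // Hook point chosen for illustration: an assumed application class ('/'-separated internal name)
    static final String TARGET_CLASS = "com/example/app/UserDao";
    static final String TARGET_METHOD = "findByName";

    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                    ProtectionDomain pd, byte[] classfileBuffer) {
                if (!TARGET_CLASS.equals(className)) {
                    return null;                  // null = leave this class unchanged
                }
                try {
                    // Parse the bytes the JVM is about to define, rather than re-reading the class from disk
                    CtClass cc = ClassPool.getDefault().makeClass(new ByteArrayInputStream(classfileBuffer));
                    CtMethod m = cc.getDeclaredMethod(TARGET_METHOD);
                    // Javassist source snippets: $args = boxed argument array, $_ = return value, $w boxes primitives
                    m.insertBefore("com.example.rasp.RaspAgent.onEnter(\"" + TARGET_METHOD + "\", $args);");
                    m.insertAfter("com.example.rasp.RaspAgent.onExit(\"" + TARGET_METHOD + "\", ($w)$_);");
                    byte[] out = cc.toBytecode();
                    cc.detach();                  // release the ClassPool entry
                    return out;
                } catch (Exception e) {
                    return null;                  // fail open: never break the app because instrumentation failed
                }
            }
        });
    }
    // Detection side, called from the injected code on every entry and exit of the hooked method
    public static void onEnter(String method, Object[] args) {
        // Placeholder rule for illustration only; a real plug-in applies a context-aware check here
        if (args.length > 0 && args[0] instanceof String && ((String) args[0]).indexOf('\'') >= 0) {
            throw new SecurityException("RASP blocked " + method);   // the "block" action
        }
    }
    public static void onExit(String method, Object result) {
        System.out.println("[RASP] " + method + " returned " + result);   // the "monitor" action
    }
}
```

Because the agent jar is appended to the system class path, the injected call to RaspAgent resolves from application classes loaded by the system class loader; classes loaded by other loaders need the hook class made visible to them.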
ASM
Concept
An open-source framework for analyzing, creating and modifying Java bytecode.
Allows developers to freely add new methods to a compiled class, or modify existing methods.
A way of doing Java instrumentation.
Advantages
Operates on bytecode directly with JVM instructions, which is more flexible;
High performance;
More functionality;
Use
ASM library/tools: http://asm.ow2.org/
Provides many functional classes such as ClassReader, ClassVisitor and ClassWriter
Requires an understanding of JVM instructions and the class-file structure
ASM - common classes
ASM - class diagram
Typical static proxy pattern:
ASM - bytecode parsing process
ASM - Example 1
Dynamic class construction
ASM - Example 2
Class modification
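An added example of class modification with ASM (not from the original article): the ClassReader, ClassVisitor and ClassWriter chain above, with a MethodVisitor that emits an entry hook at the start of one method and an exit hook before each return instruction. Unlike the Javassist form, the hooks are written as JVM instructions; the hook class com/example/rasp/Hooks with onEnter(String) and onExit(String) is assumed.

```java
package com.example.rasp;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

// Rewrites one method of a class so that it calls an (assumed) hook class on entry and before every return
public class AsmHookInjector {
    // Internal name of the assumed hook class; its static onEnter/onExit(String) are what the injected code calls
    static final String HOOKS = "com/example/rasp/Hooks";

    public static byte[] inject(byte[] classBytes, String targetMethod) {
        ClassReader cr = new ClassReader(classBytes);
        // COMPUTE_MAXS: let ASM recompute max stack size, since the inserted calls push an extra operand
        ClassWriter cw = new ClassWriter(cr, ClassWriter.COMPUTE_MAXS);
        ClassVisitor cv = new ClassVisitor(Opcodes.ASM9, cw) {
            @Override
            public MethodVisitor visitMethod(int access, String name, String desc, String sig, String[] exc) {
                MethodVisitor mv = super.visitMethod(access, name, desc, sig, exc);
                if (!name.equals(targetMethod)) {
                    return mv;                    // other methods pass through untouched
                }
                return new MethodVisitor(Opcodes.ASM9, mv) {
                    @Override
                    public void visitCode() {
                        super.visitCode();
                        // Entry hook: ldc "methodName"; invokestatic Hooks.onEnter(String)
                        super.visitLdcInsn(name);
                        super.visitMethodInsn(Opcodes.INVOKESTATIC, HOOKS, "onEnter", "(Ljava/lang/String;)V", false);
                    }
                    @Override
                    public void visitInsn(int opcode) {
                        // Exit hook: inserted before every *RETURN instruction; the operand stack is left as it was
                        if (opcode >= Opcodes.IRETURN && opcode <= Opcodes.RETURN) {
                            super.visitLdcInsn(name);
                            super.visitMethodInsn(Opcodes.INVOKESTATIC, HOOKS, "onExit", "(Ljava/lang/String;)V", false);
                        }
                        super.visitInsn(opcode);
                    }
                };
            }
        };
        cr.accept(cv, 0);
        return cw.toByteArray();
    }
}
```

The returned bytes are what a ClassFileTransformer.transform would hand back to the JVM; no labels or branches are added, so the existing stack map frames remain valid.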