Runtime Application Self Protection (RASP)

Traditional security measures, including firewalls, intrusion detection systems and AVs aim to prevent malicious activities by identifying and blocking known threats before they can cause harm. These security measures frequently employ signature-based detection methods, complemented by heuristic, machine learning and behavior analysis techniques.

RASP (in short for Runtime Application Self Protection) is a security technology that provides an additional layer of security by monitoring applications in real-time and detecting any suspicious activity. Unlike traditional security measures, RASP is integrated into the application itself, allowing it to monitor the application's runtime environment and detect any anomalies that may indicate an attack.

RASP can detect both known and unknown threats, as it analyzes the application's behavior and looks for any deviation from the expected behavior. This allows RASP to detect zero-day attacks and other advanced persistent threats, which may not be detected by traditional security measures.

Consider Log4Shell or Spring4Shell as examples. If RASP had been implemented, the remote code execution (RCE) exploit would have been prevented. RASP achieves this by instrumenting crucial APIs, such as the JDK's java.lang.ProcessBuilder class used for creating operating system processes. However, RASP's capabilities extend beyond this aspect, offering numerous features to empower applications in safeguarding themselves.

Pre-reading Requirements

I assume readers have a basic understanding of the fundamentals of software engineering.

Summary:

• Runtime Application Self-Protection (RASP) is used to safeguard particularly sensitive classes that perform critical operations, such as process creation.
• RASP plays a vital role by enabling applications to protect themselves, reducing their exclusive reliance on external runtime tools such as Endpoint Detection and Response (EDR) or Web Application Firewalls (WAF).
• RASP operates by instrumenting critical operations, known as sinks, such as database connection, to monitor and control application behavior, thereby preventing it from executing unintended actions. With proper implementation, RASP could potentially thwart attacks like Spring4Shell and Log4Shell by controlling access to and usage of sensitive operations within almost any class, albeit there are some exceptions within JDK classes.
• Despite the fact that deserialization attacks are not new, they continue to be employed in real-world scenarios, e.g. CVE-2023-46604-Rapid7 Blog. RASP could potentially have prevented such an attack as well.

What is RASP?

RASP stands for Runtime Application Self-Protection. It is a form of cyber security that monitors and protects applications while they are running.

RASP was first introduced by Gartner in 2012, since then it has become a popular security technology, and it is being used by many organizations to enhance their overall security posture and protect their applications against cyber-attacks.

RASP works similar to a vaccine, it injects probes into an application to prevent it from being misused. As a result of instrumentation, the application can protect itself at runtime by blocking attacks and reporting them.

In RASP, runtime instrumentation takes advantage of information within running software in order to detect and prevent attacks. It differs from perimeter-based protections, like firewalls, which use network information without contextual awareness to detect and block attacks.

One of the key advantages of RASP is that it requires no modifications to the application source code. This means that the application can be protected without the need to change its underlying structure or functionality, which can be a significant advantage in situations where it is difficult to make changes to the code.

RASP also provides protection against most OWASP vulnerabilities, which are a set of the most common security risks facing web applications. These vulnerabilities include SQL injection, cross-site scripting (XSS), and sensitive data leakage. RASP can detect and block these vulnerabilities, which helps to protect the application and the data it handles from being compromised.

RASP Versus WAF

WAFs works by filtering, monitoring, and analyzing HTTP traffic between the web application and the internet. While WAFs are effective at filtering out the majority of malicious requests, they do not know the context of the application runtime. This will inevitably lead to a certain amount of misinformation, leaving open the possibility that attackers who have slipped past the firewall may be using the application to advance the attack plan.

WAF and RASP are complementary, not competing, solutions for application security. WAFs filter out many threats before they reach the target application. By having deep visibility into these applications, RASP can spot and block attacks that get past the WAF. This two-pronged approach gives a comprehensive layer of protection from internal and external threats. WAFs can monitor traffic from outside sources and detect malicious requests, while RASP can detect malicious activity from within the application itself. For instance, WAFs can inspect incoming requests and block those that contain malicious HTML code, while RASP can detect malicious code being executed within the application and block it from running.

RASP Versus EDR

RASP and EDR are both security solutions that organizations can employ to safeguard their assets, but there are distinct differences between the two. RASP operates in close proximity to applications and strives to thwart attacks before they even reach the point at which EDR operates. One example of such attacks is Deserialization attacks, which RASP can remove at the initial stage, even before it reaches EDR (through system calls for example), where EDR's components may detect it. Moreover, EDR solutions lack visibility and control over web applications and their associated databases. For instance, EDR solutions are not designed to protect against SQL injection attacks, whereas RASP can intervene and provide protection. Finally, RASP has a profound level of visibility over the application's behavior, enabling the addition of a fine-grained security layer to strengthen the security posture, especially in the microservices era.

How RASP Works?

Instrumentation is used to monitor the application at runtime and detect when malicious activity is taking place. The instrumentation allows the RASP system to detect malicious activity before it can cause any damage, and then take action to block it. RASP is more accurate than traditional perimeter defenses because it works inside the application instead of just analyzing network traffic.

In the same manner as IAST (in short for Interactive Application Security Testing), probes are inserted in specific spots within the application. IAST is geared towards analysing the application code to detect any weaknesses that can be exploited by attackers. RASP, on the other hand, works by inserting guards around sensitive components of the application. These guards monitor the application's behaviour and alert the system if any malicious activity is detected. For instance, the guards can be used to detect SQL injection attempts, malicious file uploads, system command execution and other malicious activity that could be used to compromise the application and the underlying system.

RASP Products In The Market

Among the vendors offering RASP are Sqreen and Contrast Security. Contrast Security utilizes the Java Instrumentation API, which does not require any changes to the Java Virtual Machine or application source code. This makes it extremely easy to deploy and provides an effective way to detect and block exploits without the need to modify any code. In addition, Contrast Security's agents are lightweight and don't require much system resources, making them suitable for use in production environments.

Another highly flexible solution is OpenRASP, which is an open-source RASP solution. OpenRASP offers users the ability to customize the security of their applications according to their own needs and specifications. Additionally, OpenRASP logs alarms in JSON format, this allows to easily integrate OpenRASP alerts with their existing log management and analytics solutions, making it easier to track and analyze security events (through SIEM or SOC). It also offers a range of features and protections, from basic to advanced, which can be tailored to suit individual needs.

RASP Demo

For demonstration purposes, we'll use a specific vulnerability related to spring spel injection, identified as CVE-2022-22963. The complete code for reproducing the poc is available on GitHub at : https://github.com/mouadk/rasp-poc.

Our RASP agent will specifically focus on the protection of the internal JDK class: java/lang/ProcessBuilder. This class, in certain scenarios, can be misused to execute arbitrary commands leading to potential security risks.

To effectively implement RASP, we'll modify the JVM initialization process. This will allow us to intercept and alter the behavior of specific classes before they're used by the application.

ASM is a Java bytecode manipulation framework. We'll use this tool to modify the bytecode of the java/lang/ProcessBuilder class to add our security checks. Here's a basic outline of what we'll do: