© 2011 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
© 2014 Virtual Forge GmbH | www.virtualforge.com | All rights reserved.
Dr. Markus Schumacher
March 18, Heidelberg
SAP Security 2014 – Protecting Your SAP Systems Against Hackers And Industrial Espionage
Ten golden rules for coding authorization checks in ABAP
Andreas Wiegenstein
Andreas Wiegenstein (Twitter: @codeprofiler)
Founder of Virtual Forge (Heidelberg), responsible for R&D
SAP Security Researcher, active since 2003
Received Credits from SAP for 66 reported 0-day Vulnerabilities
Speaker at international Conferences
SAP TechEd (USA & Europe), DSAG (Europe)
BlackHat (Europe), Hack in the Box (Europe)
Troopers (Europe), IT Defense (Europe), RSA (USA)
Co-Author of "Sichere ABAP Programmierung" (SAP Press, 2009)
Co-Author of "ABAP Best Practices Guideline" (DSAG, 2013/2014)
Created training class WDESA3 (ABAP Security) @ SAP University
My car, my house, my boat, …
Authorizations in Custom Code
Ongoing survey, results as of March 12, 2014
Golden Rule #1
Perform authority checks
General advice
Check with your business department whether (and which) authorizations
are required in order to execute the business logic you provide.
As a fallback, analyze code that is similar to your business process for
authorization checks.
If authority checks are required for your custom business logic, add
them to your code.
On average there are 866 missing authority checks in custom code.
Golden Rule #1
Perform authority checks (cont’d)
Specific advice
Don't rely on S_RFC authorizations. They only determine *whether* a function module can be
invoked remotely. They are by no means related to the specific business logic of your
custom code. You don't want users with S_RFC * authorizations to be able to issue
purchase orders or to raise someone's salary. Auditors don't like this either...
Don't rely on authorization groups assigned to reports. They are usually coarse
grained, as the same authorization group is used for multiple programs. And they are not
necessarily related to the specific business logic of your custom code.
Always check start authorizations when using CALL TRANSACTION, as no implicit start
authorization check is performed by the kernel.
Function module AUTHORITY_CHECK_TCODE
Since 740: CALL TRANSACTION … WITH AUTHORITY-CHECK
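The start-authorization check described above as a worked example. This is added code, not from the slides; it assumes a hypothetical report with a parameter p_tcode and shows both the AUTHORITY_CHECK_TCODE variant (any release; also the API recommended in rule #5) and the 7.40 WITH AUTHORITY-CHECK form.

```abap
REPORT z_call_tcode_checked.

" Hypothetical report: the user names a transaction and we start it with CALL TRANSACTION.
PARAMETERS p_tcode TYPE sy-tcode.

START-OF-SELECTION.
  " The kernel performs no implicit start-authorization check for CALL TRANSACTION,
  " so verify S_TCODE plus the transaction's own start authorization explicitly.
  " Note the inverted convention of this function module: exception OK means authorized.
  CALL FUNCTION 'AUTHORITY_CHECK_TCODE'
    EXPORTING
      tcode  = p_tcode
    EXCEPTIONS
      ok     = 1
      not_ok = 2
      OTHERS = 3.
  IF sy-subrc <> 1.
    " Not authorized, or an unexpected error: treat both as a denial and stop here.
    MESSAGE |No authorization to start transaction { p_tcode }| TYPE 'E'.
  ENDIF.

  CALL TRANSACTION p_tcode.

  " From release 7.40 the statement can perform the check itself; it raises
  " CX_SY_AUTHORIZATION_ERROR when the start authorization is missing:
  "   TRY.
  "       CALL TRANSACTION p_tcode WITH AUTHORITY-CHECK.
  "     CATCH cx_sy_authorization_error.
  "       MESSAGE |No authorization to start transaction { p_tcode }| TYPE 'E'.
  "   ENDTRY.
```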
Golden Rule #2
Perform authority checks according to SAP standard functionality
General advice
Always use functionality based on the ABAP command AUTHORITY-CHECK in order to
perform authorization checks.
(A common bad practice is to base authorizations on usernames.)
On average there are 187 hard-coded username checks in custom code.
Golden Rule #3
Check the result of an authority check
General advice
Always check the result of sy-subrc after you perform an
AUTHORITY-CHECK. A sy-subrc value of zero means the authorization is
sufficient.
Since other ABAP commands also change sy-subrc, make sure to
perform the sy-subrc check *immediately* after the AUTHORITY-CHECK.
On average there are 13 broken authority checks in custom code.
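An added example, not part of the slides, showing the broken pattern (a database access between AUTHORITY-CHECK and the sy-subrc test) beside the corrected one. The authorization object Z_SALARY and its fields are hypothetical; the company-code value is constructed.

```abap
" Hypothetical custom authorization object Z_SALARY with fields BUKRS and ACTVT.
DATA lv_bukrs      TYPE bukrs VALUE '1000'.   " constructed sample company code
DATA lv_butxt      TYPE butxt.
DATA lv_authorized TYPE abap_bool.

" Broken check: the SELECT between AUTHORITY-CHECK and IF overwrites sy-subrc,
" so the IF reacts to whether the company code exists, not to the authorization.
AUTHORITY-CHECK OBJECT 'Z_SALARY'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '02'.
SELECT SINGLE butxt FROM t001 INTO lv_butxt WHERE bukrs = lv_bukrs.
IF sy-subrc = 0.   " evaluates the SELECT, not the AUTHORITY-CHECK
  " ... the salary change would run for any user who names a valid company code ...
ENDIF.

" Correct check: evaluate sy-subrc immediately and keep the verdict in its own
" variable so that later statements cannot clobber it.
CLEAR lv_authorized.
AUTHORITY-CHECK OBJECT 'Z_SALARY'
  ID 'BUKRS' FIELD lv_bukrs
  ID 'ACTVT' FIELD '02'.
IF sy-subrc = 0.
  lv_authorized = abap_true.
ENDIF.
SELECT SINGLE butxt FROM t001 INTO lv_butxt WHERE bukrs = lv_bukrs.
IF lv_authorized = abap_false.
  MESSAGE |No authorization to change salary data for company code { lv_bukrs }| TYPE 'E'.
ENDIF.
" ... salary change ...
```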
Golden Rule #4
Perform authority checks for the user that is actually logged on
General advice
Only check the authorization of the currently logged on user
(by avoiding the optional parameter FOR USER).
On average there are 2 ‘alias’ authority checks in custom code.
Golden Rule #5
Always use APIs instead of AUTHORITY-CHECK, if they exist
General advice
Always use specialized API functions for authorization checks instead of
AUTHORITY-CHECK.
Specific advice
Use AUTHORITY_CHECK_TCODE instead of S_TCODE
Use AUTHORITY_CHECK_DATASET instead of S_DATASET / S_PATH
On average there are 92 insufficient authority checks in custom code.
Golden Rule #6
Declare all fields of the authorization object
Specific advice
Always make sure to specify all fields of the authorization object you check.
If there are fields you don't want to check, mark them as DUMMY in order to
make your intentions explicit.
No meaningful statistical information available at this time.
Golden Rule #7
Don't use DUMMY values in important fields
General advice
Do not use DUMMY values in important authorization fields like 'ACTVT'.
On average there are 8 DUMMY authority checks (ACTVT) in custom code.
Golden Rule #8
Don't program privileging authorization checks
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD '*'
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY   " Field not required in this context
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc = 0.
  READ REPORT lv_prog INTO lt_code.
ENDIF.
General advice
Avoid "*" values in authorization fields, as they force administrators to grant
unnecessarily high privileges to users.
On average there are 2 privileging authority checks (ACTVT) in custom code.
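An added example, not from the original slides: the S_DEVELOP check above rewritten so that DEVCLASS carries the program's actual package (looked up in TADIR) instead of '*'. It also illustrates rules #6 and #7 by declaring every field and giving ACTVT a concrete value. The program name is a constructed sample.

```abap
DATA lv_prog     TYPE progname VALUE 'ZMY_REPORT'.   " constructed sample program name
DATA lv_devclass TYPE devclass.
DATA lt_code     TYPE STANDARD TABLE OF abaptxt255.

" Look up the package the program really belongs to; an unknown object is refused.
SELECT SINGLE devclass FROM tadir INTO lv_devclass
  WHERE pgmid    = 'R3TR'
    AND object   = 'PROG'
    AND obj_name = lv_prog.
IF sy-subrc <> 0.
  MESSAGE |Program { lv_prog } not found in TADIR| TYPE 'E'.
ENDIF.

" All five fields of S_DEVELOP are declared (rule #6), ACTVT carries the concrete
" activity 03 = display (rule #7), and DEVCLASS is the real package instead of '*'
" (rule #8), so an administrator can grant display rights for exactly this package.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'DEVCLASS' FIELD lv_devclass
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'OBJNAME'  FIELD lv_prog
  ID 'P_GROUP'  DUMMY               " authorization group is not relevant for display
  ID 'ACTVT'    FIELD '03'.
IF sy-subrc <> 0.                   " evaluated immediately after the check (rule #3)
  MESSAGE |No authorization to display the source of { lv_prog }| TYPE 'E'.
ENDIF.

READ REPORT lv_prog INTO lt_code.
```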
Golden Rule #9
Make authorization checks early in your business logic
General advice
If an authorization check is required for a given piece of business logic, it should be
performed as early as possible.
No meaningful statistical information available at this time.
Golden Rule #10
Perform authorization checks in order to avoid dumps
Specific advice
Always make sure to test for S_DATASET and S_PATH authorizations before
you open a server-side file.
No meaningful statistical information available at this time.
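An added example, not from the original slides, of checking S_DATASET and S_PATH with AUTHORITY_CHECK_DATASET (also the API recommended in rule #5) before a server-side file is opened for reading. The file path is a constructed sample.

```abap
" Hypothetical file path; in practice resolve it from a logical file name (FILE_GET_NAME).
DATA lv_file TYPE string VALUE '/usr/sap/trans/data/sample.txt'.   " constructed sample path
DATA lv_line TYPE string.

" Check S_DATASET and S_PATH before touching the file: an unauthorized OPEN DATASET does
" not merely set sy-subrc, it raises CX_SY_FILE_AUTHORIZATION and dumps when uncaught.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    activity         = '33'        " read access (constant SABC_ACT_READ in type group SABC)
    filename         = lv_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.                  " evaluated immediately after the check (rule #3)
  MESSAGE |No authorization to read file { lv_file }| TYPE 'E'.
ENDIF.

OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc <> 0.
  MESSAGE |File { lv_file } could not be opened| TYPE 'E'.
ENDIF.
DO.
  READ DATASET lv_file INTO lv_line.
  IF sy-subrc <> 0.
    EXIT.                          " end of file
  ENDIF.
  " ... process lv_line ...
ENDDO.
CLOSE DATASET lv_file.
```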
Further Information
Blog Post “Ten golden rules for ABAP authorization checks”
https://www.virtualforge.com/en/blog/post/ten_golden_rules_authorizations_en.html
Twitter: @codeprofiler
Thank you for your attention
Andreas Wiegenstein
CTO
Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies. Data contained
in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this material.
This document is provided without a warranty of any kind, either express or implied, including but not limited to the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of this document.
No part of this document may be reproduced without the prior written permission of Virtual Forge GmbH.
© 2014 Virtual Forge GmbH.