ABAP Code Scanners are useless against ABAP Malware

January 20, 2025

Category: Malware

Read time: 4 min

When discussing the risks of ABAP-based malware with companies, a typical early question is "Why should we care? We have an ABAP code scanner in place." It is an understandable question, especially since ABAP code scanners tend to be pretty expensive, so they should cover all ABAP risks, right? This blog post explains why ABAP code scanners are next to useless against ABAP malware.

In order to detect security risks in ABAP, scanners analyze the ABAP source code. This approach is called Static Code Analysis (SCA). Dynamic Code Analysis of ABAP programs for security risks is not possible, since ABAP is a proprietary language and SAP's ABAP runtime provides no mechanism for such analysis.

There are (at least) four reasons why ABAP code scanners are the wrong approach to defend against ABAP malware:

1. ABAP code scanners use data flow analysis in order to detect security risks in code. This means they have a list of dangerous ABAP commands and check whether there is a path (data flow) between an external source (input) and a given dangerous command (sink). In such a case the scanner reports a high security risk. However, this approach is only applicable to vulnerabilities that are exploited via input, i.e. it only helps if a hacker exploits a vulnerability by injecting malicious commands into the software from the outside. But if a malware is already equipped with its own arsenal of malicious commands, there is no data flow from an external source. Hence data flow analysis fails to detect such risks. It is simply the wrong approach against malware.

2. ABAP code scanners are designed to detect security vulnerabilities caused by mistake. However, there are various offensive coding techniques, such as SCA Evasion, that enable an attacker to write an exploit in a way that a scanner will not recognize its true risk and will rate the criticality lower. Why is the criticality rated lower? Because whenever a scanner cannot precisely determine whether a potential vulnerability is actually exploitable, it rates the risk lower in order to avoid false positives, and there is nothing worse for a scanner's acceptance than false positives. No scanner acceptance, no sales. Vendors therefore fear false-positive results and design their evaluation algorithms accordingly.

3. ABAP code scanners are a good and recommended way to assess the quality of ABAP applications, also with regards to security. But they are usually implemented as "gatekeepers" to ensure that only code of good quality can make it from a development system to a test system, or from a test system to a production system. This means that code is scanned during its transition between different systems. Such gatekeeping logic would detect malware far too late: ABAP-based malware starts its operation the moment it reaches an SAP system, which will most likely be a development system. Only a continuous scan of *all* ABAP systems would have a theoretical chance to detect ABAP malware in an early phase of infection. A "gatekeeper" check does not.

4. The final reason is the most important one: ABAP malware can manipulate arbitrary ABAP programs on the same server. Since ABAP code scanners are either written in ABAP or use an API which is written in ABAP, they can themselves be manipulated by ABAP malware. In general, no ABAP program can be trusted any longer once an SAP server is infected by ABAP malware.
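To make reason 1 concrete, here is a toy source-to-sink taint analysis over simplified ABAP-like statements. It is an added example, not code from this blog or from any real scanner; the statement tuples, the sink list and both sample programs are assumptions constructed for the illustration. It shows why the same dangerous command produces a finding when fed from user input, but none when the code it consumes is embedded in the program itself.

```python
"""Toy data-flow (taint) scanner illustrating reason 1.

Constructed example. Statements are tuples, not real ABAP syntax:
  ("input",   var)          var is read from an external source
  ("literal", var)          var is set from a constant inside the program
  ("assign",  dst, *srcs)   dst is computed from srcs (MOVE/CONCATENATE)
  ("call",    command, var) command consumes var
"""

# Commands the toy scanner treats as sinks: ABAP statements that write or
# compile code. The list is this example's assumption, not a vendor's.
SINKS = {"INSERT REPORT", "GENERATE SUBROUTINE POOL"}


def scan(program):
    """Return (line, command) findings: sinks reached by tainted data."""
    tainted = set()
    findings = []
    for lineno, stmt in enumerate(program, start=1):
        kind = stmt[0]
        if kind == "input":
            tainted.add(stmt[1])
        elif kind == "literal":
            tainted.discard(stmt[1])  # overwritten with a constant
        elif kind == "assign":
            dst, srcs = stmt[1], stmt[2:]
            if any(s in tainted for s in srcs):
                tainted.add(dst)       # taint propagates along the flow
            else:
                tainted.discard(dst)
        elif kind == "call":
            command, var = stmt[1], stmt[2]
            if command in SINKS and var in tainted:
                findings.append((lineno, command))
    return findings


# Constructed program 1: the code text written comes from a user.
INJECTABLE = [
    ("input", "lv_user_text"),
    ("assign", "lv_source", "lv_user_text"),
    ("call", "INSERT REPORT", "lv_source"),
]

# Constructed program 2: same sink, but the code is embedded in the
# program itself. No external source, so no source-to-sink path.
SELF_CONTAINED = [
    ("literal", "lv_source"),
    ("call", "INSERT REPORT", "lv_source"),
]

if __name__ == "__main__":
    print("injectable    :", scan(INJECTABLE))      # [(3, 'INSERT REPORT')]
    print("self-contained:", scan(SELF_CONTAINED))  # []
```

The second program is exactly the shape the post describes: a dangerous command with no data flow from the outside, so a source-to-sink rule stays silent even though the sink is present.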

The capability to modify ABAP programs is an integral part of the technical design of ABAP (see the blog post "SAP as a cyber weapon" for details). Therefore ABAP is equipped with commands to read, change, write and compile ABAP code. Since all ABAP code on an SAP server (SAP standard code, third-party applications and custom code) is shipped as source code, all ABAP code can be modified on the fly.

As a consequence, defense against ABAP malware can't be achieved by code scanners and requires a totally different approach.

This is the second article in our malware series that provides you with insights into ABAP malware research, ABAP malware capabilities and ABAP malware defensive strategies.

If you'd like to know more about ABAP malware risks, please contact us.