CORE GRASP FREQUENTLY ASKED QUESTIONS
- GENERAL
- WHAT IS CORE GRASP?
CORE GRASP is an open-source web-application security project. It is an effort to develop and deploy a technology that protects existing web applications running in a web server from security and privacy threats, including SQL-injection attacks, cross-site scripting (XSS) attacks, shell-command injection attacks and directory-traversal attacks. The technique does not rely on signatures or statistical training, and it also blocks zero-day attacks. The project was first made public at the Black Hat USA 2007 Briefings, and GRASP for PHP was released as open source.
- WHAT IS GRASP FOR PHP?
GRASP FOR PHP is an implementation of the CORE GRASP protection technology for PHP. PHP is a scripting language typically used for web development (see http://www.php.net).
- WHAT IS INCLUDED IN THIS VERSION?
GRASP FOR PHP v3 is a partial implementation of the full GRASP design. In particular, it includes complete protection against SQL-injection attacks for the MySQL engine (see http://www.mysql.org), mark propagation in string functions and pcre regular expressions, and initial cross-site scripting protection in the htmlentities() and htmlspecialchars() functions.
- WHAT ARE SQL-INJECTION ATTACKS? WHY ARE THEY SO DANGEROUS?
SQL Command Injection attacks are dangerous, since they allow attackers to execute arbitrary database commands. For example, an attacker exploiting a SQL-injection vulnerability can:
- Read information that is stored in the internal databases (such as information regarding other users);
- Bypass authentication mechanisms even without having valid credentials; and
- In general, might manipulate existing databases at will, deleting them, inserting new entries or modifying existent ones.
Roughly speaking, these attacks are carried out by attackers who pose as ordinary users of a web application and enter ill-constructed data (e.g., on a web form of the targeted application). Because the application does not validate this data correctly, the data ends up changing the behavior of the application's database API (i.e., the module that communicates with the SQL engine).
Judging by the continuous stream of SQL-injection attacks reported today, developers appear to have no means, security tools included, that effectively stop these attacks.
- HOW DOES CORE GRASP STOP THESE ATTACKS?
CORE GRASP incorporates a new technology, developed by CoreLabs, that lets us validate potentially offensive API commands, which are the subject of today's most dangerous and common attacks. Roughly speaking, the CORE GRASP technology lets us know whether a piece of internal data was entered by a user or written by the original developer. In the case of SQL-injection attacks, this information drives an interface to the database API that stops every potentially dangerous command coming from a user (e.g., any SQL metacharacter entered by a user is treated as a potential attack).
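The answer above describes the idea in words. What follows is an added model of it in Python, written for this page; it is not CORE GRASP's code (GRASP is implemented inside the PHP interpreter) and all class and function names in it are this example's own. It keeps one mark per character, propagates marks through concatenation, case change, substring and regex substitution (the string-function and pcre propagation mentioned under "what is included"), and refuses a query in which a quote, comment marker, operator or keyword carries a mark. The tokenizer and the exact acceptance policy are assumptions made for the example, not a description of GRASP's internal rules.

```python
"""Toy model of per-character taint marks for SQL-injection detection.

Added illustration for the FAQ; not CORE GRASP code. Names, tokenizer and
policy are invented for this example.
"""
import re


class Marked:
    """A string plus one boolean mark per character (True = came from a user)."""

    def __init__(self, text, marks=None):
        self.text = text
        # A developer literal carries no marks; user input is fully marked.
        self.marks = list(marks) if marks is not None else [False] * len(text)
        assert len(self.marks) == len(self.text)

    @classmethod
    def from_user(cls, text):
        return cls(text, [True] * len(text))

    def __add__(self, other):
        # Concatenation keeps each character's mark in its new position.
        other = other if isinstance(other, Marked) else Marked(other)
        return Marked(self.text + other.text, self.marks + other.marks)

    def __radd__(self, other):
        return Marked(other) + self

    def upper(self):
        # Case change keeps length for ASCII, so marks map one-to-one.
        return Marked(self.text.upper(), self.marks)

    def substr(self, start, length):
        return Marked(self.text[start:start + length], self.marks[start:start + length])

    def re_sub(self, pattern, replacement):
        # preg_replace-style substitution: unmatched spans keep their marks,
        # the developer-supplied replacement text is inserted unmarked.
        text, marks, pos = [], [], 0
        for m in re.finditer(pattern, self.text):
            text.append(self.text[pos:m.start()])
            marks.extend(self.marks[pos:m.start()])
            text.append(replacement)
            marks.extend([False] * len(replacement))
            pos = m.end()
        text.append(self.text[pos:])
        marks.extend(self.marks[pos:])
        return Marked("".join(text), marks)


# Minimal MySQL-flavoured tokenizer: enough to tell literals from structure.
TOKEN = re.compile(r"""
      '(?:[^'\\]|\\.)*'          # single-quoted string literal, backslash escapes
    | \d+(?:\.\d+)?              # numeric literal
    | [A-Za-z_][A-Za-z_0-9]*     # identifier or keyword
    | --[^\n]* | \#[^\n]*        # line comments
    | /\*.*?\*/                  # block comment
    | \s+                        # whitespace
    | .                          # anything else: quote, operator, punctuation
""", re.VERBOSE | re.DOTALL)
NUMBER = re.compile(r"\d+(?:\.\d+)?")


def sql_check(query):
    """Decide whether a Marked query may reach the database.

    Policy (this example's own): marked characters may appear only as the
    body of a string literal whose quotes are developer-written, as a whole
    numeric literal, or as whitespace. Any other marked character (a quote,
    comment marker, operator or keyword) is user-supplied SQL structure and
    the query is refused. Returns (allowed, reason)."""
    for m in TOKEN.finditer(query.text):
        tok, (start, end) = m.group(0), m.span()
        marks = query.marks[start:end]
        if not any(marks) or tok.isspace():
            continue                      # developer-written, or harmless space
        if len(tok) >= 2 and tok[0] == tok[-1] == "'":
            if marks[0] or marks[-1]:
                return False, f"user-supplied quote at offset {start}"
            continue                      # marked bytes only inside the literal body
        if NUMBER.fullmatch(tok):
            continue                      # a user-supplied number is data, not structure
        return False, f"user-supplied SQL token {tok!r} at offset {start}"
    return True, "ok"


def check_login(username, password):
    """Build the query the vulnerable way (literal SQL concatenated with raw
    user input) and ask the check whether it may run."""
    query = ("SELECT id FROM users WHERE name = '" + Marked.from_user(username)
             + "' AND pw = '" + Marked.from_user(password) + "'")
    return sql_check(query)


if __name__ == "__main__":
    print(check_login("alice", "s3cret"))        # ordinary credentials pass
    print(check_login("alice' OR 'a'='a", "x"))  # user-supplied quote is refused
```

Note that the check never inspects the input values themselves, only where each character came from; that is what makes the approach independent of signatures, and why a quote typed by a user is refused even when the surrounding query is otherwise well-formed.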
- HOW SECURE IS CORE GRASP? WHAT IS THE RATE OF FALSE POSITIVES AND FALSE NEGATIVES?
First and foremost, CORE GRASP is a deterministic solution, meaning that its success in stopping attacks does not depend on training the tool or on other probabilistic factors, but on the implementation of a secure and tight theoretical model. This model does not depend on static signatures but on a semantic description that allows it to distinguish correct usage from abusive usage.
In testing GRASP for PHP with widely-used web applications (e.g., standard content-management systems) at our laboratory, we found a very low false-positive rate. We also tested how CORE GRASP protects existing web applications with known bugs (e.g., unpatched public content-management systems) against a top-10 list of SQL-injection attacks taken from the Bugtraq archives. The result was that 100% of these attacks were stopped by GRASP for PHP.
For more details, you can download other documentation and papers from here.
- INSTALLATION
- WHAT PLATFORMS ARE SUPPORTED?
Linux, other Unixes and Windows are supported.
- WHAT ABOUT THE INSTALLATION PROCESS?
CORE GRASP for PHP requires neither additional hardware nor administrative configuration effort. Its requirements match those for running PHP 5, and installation takes approximately the same effort as installing PHP 5.
Installation is automatic on both Windows and Linux and amounts to installing an Apache server and then either building GRASP FOR PHP from its source tree on Unix or extracting our Windows installation package.
- HOW DO I UNINSTALL CORE GRASP FOR PHP?
To uninstall GRASP you need to stop the Apache server and delete the PHP directory tree. Note that PHP web applications will stop running, and a fresh PHP must be installed before they can be re-deployed.
Alternatively, GRASP protection can simply be disabled in php.ini.
- FEATURES
- CAN I CHECK ATTACK PREVENTION EVEN IF I DON'T HAVE PHP APPLICATIONS?
We have provided a small set of vulnerable PHP code which you can run with and without GRASP FOR PHP protection in order to confirm that SQL-injection attacks are stopped. See the Downloads page.
- WHAT LOGGING CAPABILITIES DOES GRASP INCLUDE?
CORE GRASP FOR PHP maintains log files for all database activity and for attack attempts. This information can be viewed by invoking the graspinfo() function.
- HOW CAN I DISABLE CORE GRASP PROTECTION AND LOGGING?
GRASP protection and logging capabilities can be switched off by editing the CORE GRASP section in the php.ini file. Settings can be accessed by invoking the graspinfo() function.
- ARE EXTENSIONS PROTECTED?
Extensions that do not come with the PHP source are not protected by default, so GRASP for PHP might not work properly with web applications that use such extensions.
An extension developer can rewrite her extension using the modified version of zend_parse_parameters(), which includes a new 'S' placeholder, so that the extension receives strings together with their secmarks. For more information, please download GRASP's readme file from here.
- MISC
- CAN I CONTRIBUTE TO THE CORE GRASP PROJECT?
Yes. You can join the mailing list (check out the mailing list section) and discuss matters there.
- I FOUND A BUG, WHAT DO I DO?
Please contact us at grasp-bug-report@coresecurity.com.
- SUHOSIN & GRASP
Suhosin is a hardening project that is the evolution of the hardening patch (http://www.hardened-php.net/suhosin/index.html). It is aimed mainly at binary vulnerabilities inside the PHP interpreter (such as buffer overflows and format strings). It also includes an extension that implements other run-time protection features such as cookie encryption, per-virtual-host white/black lists, and other important features (http://www.hardened-php.net/suhosin/a_feature_list.html).
Grasp is not a replacement for Suhosin; on the contrary, they can be used together to enhance the security of PHP applications.
Grasp is intended to protect deployed web applications against injection attacks (SQL-injection in the first release), not against binary vulnerabilities inside the interpreter.
We did some experiments testing Grasp in different environments, including OpenBSD (which applies the Suhosin patch by default when installing PHP), and it seemed to work properly.