secure software professional recommendations from cwe/sans
TRANSCRIPT
Secure Software
Professional Recommendations from
CWE/SANS
References
Material is from:: 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, Version 1.4, Oct
29, 2009. CISA ® Certified Information Systems Auditor All-in-One Exam Guide, Peter H
Gregory, McGraw-Hill
Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside
Contributors: Megan Reid, Todd Burri
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives
Define attacks: Buffer overflow, SQL injection, OS command injection, cross-site scripting, cleartext, race condition, chatty error message
Define solutions: Sanitization, whitelist, blacklist, nonce, character encoding (UTF-8), jail or sandbox environment
Recognize major coding errors. Modify a Requirements Document to include
Security Requirements
Problem: Incorrect Input
Car SaleModel: Chevrolet XR2 Price $: 25.45VIN: 12K4FG436DDE842 Status: New
Sale to: Rubber Ducky2222 Atlantic OceanAntarctica, NY, 00000
Phone: 911 VISA: RUAFOOL444
Problem: Buffer overflow
Name Zzzzzzzzzz
Count 49, 425,222
State: 84
Return
address
0x246625
Frame
pointer
0x246625
Enter Name: Zzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzz
Fix: Input Validation
Assume all input is malicious! Validate: Length Type Syntax Context: Business RulesOr Use Special input checkers
Struts or OWASP ESAPI Validation API
Whitelist: List of acceptable input Blacklist: Reject suspect input
network
ValidateFirst!!!
Problem: Insecure Interaction Between Components
network
real ->
fake
->
Problem: Server assumes validation occurred in client Does not recheck
Attack: Code is reverse engineered and modified to act differently.
Program B
Program B*
Fix:Server-Side Authentication
Perform authentication and input validation on both client and server sides
Use encryption & hash between client & server
networkreal ->
Problem:SQL Injection Java Original: “SELECT * FROM
users_table WHERE username=” + “’” + username + “’” + “ AND password = “ + “’” + password + “’”;
Inserted Password: Aa’ OR ‘’=’ Java Result: “SELECT * FROM
users_table WHERE username=’anyname’ AND password = ‘Aa’ OR ‘ ‘ = ‘ ‘;
Inserted Password: foo’;DELETE FROM users_table WHERE username LIKE ‘%
Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘foo’; DELETE FROM users_table WHERE username LIKE ‘%’
Login:
Password:
Welcome to My System
Fix: Input Sanitization
Avoid dynamically-constructed query strings
Disallow Meta-charactersPersistence Software: Oracle DBMS_ASSERT MySQL
mysql_real_escape_string() for C, PHP
Hibernate or Enterprise Java Beans if used properly Persistence Layer
Database
Business Logic
GUI - Validation
Problem: OS Command Injection
Problem: Command Injection into SQL
Inserts ‘|shell(“cmd /c echo “ & char(124) & “format c:”)|’ Data and control can
traverse same path
Login:
Password:
Welcome to My System
Fix: Avoid OS Command Injection Separate control information from data information.
E.g. where data-> database, control defines application Use library calls instead of external processes Avoid external control of command input Run code in “jail” or other sandbox environment (discussed in
further detail on next slide) Provide lowest possible permissions for executable
Control: Start WPI session, parms -lmk
Data: “Terry, Brian, Jerry, Ann, Louis, …”
Define Jail & Sandbox
Jail
OS imposes resource limits on programs. It may include:I/O bandwidth capsdisk quotasnetwork access restrictions restricted file system namespace
Sandbox
Quarantines an untrusted program as it runsCan execute untested/ untrusted programs from untrusted third-parties, suppliers, and users.
Problem:External Control of Critical State DataUser-side data can be
modified: Cookies Configuration files Profiles Hidden form fields Environmental variables Registry keys
Web request
Web Form
Form with fake data
Fix:Control Critical State Data Understand all locations that are
accessible to attackers Do not keep state info on client without
using encryption and integrity checking (e.g. HMAC)
Store state info on server side only: ASP.NET View State, OWASP ESAPI Session Mgmt
Problem:Insecure Interaction Between Components Web servers are
memoryless Do not remember
sending a form to a client – what type, info
Client side can remove checks, insert other code, return unexpected data, etc.
Web access
Web Formwith javascript
Revised form
With data and java script
Modifiesjavascriptto avoiderrorchecks
Problem:Cross-Site Scripting
A reputable site has links to an unknowingly disreputable site
The disreputable site generates a Javascript or VB script, which gets inserted into the reputable company’s html response.
The result looks like a valid web page from the reputable company.
E.g.: Error: Page not found
Web access
to product
link
Web Formwith javascript attack
reference
Should beerror (NotFound)Instead: fakeform
Fix:Preserve Web Page Structure Specify strong character encoding such as
UTF-8 or ISO-8859.Use on outputCheck on inputOr use other encoders: MS Anti-XSS library,
OWASP ESAPI Encoding, Apache Wicket Validate not only input data, but all parts of
the HTTP input.
Problem:Forgery
Web access
Web Formwith javascript
Fake form
With data and java script
Real form
Also known as Cross-Site Request Forgery
Problem:Improper Access Control
Web access
Web Form need authenticationReply to www.abc.com/123
Web Request for
www.abc.com/345
Web Form for actual datafor www.abc.com/345
Web Reply w. authent.
To www.abc.com/123
cache
Web Form for actual datafor www.abc.com/345
Fix:Access Permissions Use Role-Based Access
At least permissions: anonymous, normal, privileged, administrative Verify access control at server side Sensitive pages are never cached and must have active
authorization token Only provide higher level access when you need it; always run with
the minimum possible authorization level Check that files read have the required access level permissions;
administrators may not set them properly. Use a good random number generator when generating random
session keys – if not random, attackers will figure out next key sequence
Problem:Incorrect Access Permissions
Database Program
Sales AccountingManufac-
turing
Sell on WebSell to
DistributorAdjust Price
Add Inventory
Ship Order
What permissions to use for these forms???
Fix:Prevent Forgery Use a nonce for each
form (a number or CAPTCHA generated for a specific use, such as session authentication)
Verifier not predictable If dangerous operation,
send a separate confirmation request
Name: Ann Winkler
Address: 2526 Pratt Ave
Racine WI
Phone: 262-595-2111
Interests: Horses, Movies, Travel
Security Code: Johnson Rivers
Submit
Security Code:
Johnson
Rivers
Problem:Cleartext Transmit of Sensitive Info
Fix: Encrypt data with standard, reliable encryption
before transmission
Login: Ginger Password: Snap
Problem:Race Condition
Thread P1 Thread P2 Commentcin >> input; .. // read in "hello" into global.. cin >> input; // read in "good-bye" into globalout = input; out = input; // do a string copy (...use strcpy())cout << out; .. // print out "good-bye".. cout << out; // print out "good-bye“
Fix: Use Synchronization Primitives around critical code Minimize use of shared resources Test using artificial delays in race window Identify and trigger error conditions
Result: Data Corruption & Denial of Service
Problem:Chatty Error Messages“Cannot find file:
C:/users/Lincke/validation.txt”
“Invalid password for login ID”
“Lab.cs.uwp.edu error: divide by zero error”
Fix: Error messages
should avoid file, network configuration, and PII information.
Must be helpful to user
Remove debug info before release
Problem:External Control of Path If you download an external file or navigate to a URL – and execute If you provide access to a file on your system
Attacker can insert ../../ and access files outside privilege.
Fix: Run as low-privilege user Provide fixed input values Run code in ‘jail’: Unix chroot jail and AppArmor
Submit File:Enter pathname: BrowseBrowse
Problem:Adopting Untrusted SoftwareFix: Use monitoring tools that
examine processes as it interacts with the OS Truss (Solaris) Strace (Linux) FileMon, RegMon, Process
Monitor, Sysinternals (Windows)
Sniffers, Protocol analyzers
Download
File
Free Software … Is it Safe?
Problem:Other Security ErrorsFind the errors:Security() { String contents, environment; String spath = “security.dat” File security = new File(); if (security.open(spath) >0) contents = security.read(); environment = security.read(); else print(“Error: Security.dat not found”);}
Problem:Other Security ErrorsFind the errors:Security() { String contents, environment; String spath = “security.dat” File security = new File(); if (security.open(spath) >0) contents = security.read(); environment = security.read(); else print(“Error: Security.dat not
found”);}
1. Variables contents & environment not initialized Can cause problems if executed
in certain ways Attacker can initialize or read
variables from previous session2. “security.dat” is not full
pathname. File can be replaced if run from
another location3. File ‘security’ not closed
Leaves file open to attack Keeps unnecessary resources
busy4. Error message indicates file
name Can give attacker important info
Problem:More Security ErrorsFind the errors:purchaseProduct() { password = “N23m**2d3”; count = form.quantity; // input total = count * product.cost(); Message m = new Message( name,product,total); m.myEncrypt(); server.send(m);}
Problem:More Security ErrorsFind the errors:purchaseProduct() { password = “N23m**2d3”; count = form.quantity; total = count * product.cost(); Message m = new Message( name,password,product,total); m.myEncrypt(); server.send(m);}
Errors:1. Password is hardcoded
If attacker finds it, every system can be broken into before software is changed on all computers
Passwords may only be stored in encrypted file
2. Total may overflow, producing very small number Input is not checked (could be
zero or invalid)3. Encryption should be standard
algorithm Home-written variety can be
broken into easily
Fix: Test All Software!!! Dynamic Tools: use large test suites such as fuzz
testing, robustness testing, and fault injection. Software may slow down but should not crash or generate incorrect results
Use automated static analysis tools, e.g., warnings on program analysis tools
Use manual tests such as penetration testing, threat modeling, and interactive tools to reach beyond auto testing tools
Run program under low memory conditions, insufficient privileges, interrupt a transaction or disable connectivity before transaction completed.
Definition Matching
Whitelist
Blacklist
Nonce
Jail
Sandbox Environment
1. A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps & disk quotas).
2. Uses a time-sensitive mark to prevent packet replay (e.g. CAPTCHA)
3. List of acceptable input
4. A security mechanism for quarantining untrusted running programs.
5. Reject suspect input
Definition Matching
Whitelist
Blacklist
Nonce
Jail
Sandbox Environment
1. A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps & disk quotas).
2. Uses a time-sensitive mark to prevent packet replay (e.g. CAPTCHA)
3. List of acceptable input
4. A security mechanism for quarantining untrusted running programs.
5. Reject suspect input
Question
A third party inserts attack data into another organization’s html response. This is known as:
1. Cross-Site Scripting2. Blacklist3. Race Condition4. Cleartext
Question
What technique would NOT be appropriate in avoiding OS Command Injection?
1. Separate control information from data information
2. Use library calls instead of external processes
3. Run code in “jail” or other sandbox environment
4. Use a hard-coded password to enable access
Question
Which of the following is true concerning web servers?
1. Servers cannot retain web session state, and thus the client must do it
2. The single best place to do input validation and authentication is at the client-side
3. Using client as storage is safe if encryption and integrity checking are used
4. The server can trust web input if it validates the data in the web form
Question
The BEST way to ensure input validity at the client is:
1. Nonce
2. Whitelist
3. Blacklist
4. Integrity Checking
Question
The BEST implementation of Access Control would be:
1. Do not provide caches for sensitive data
2. Always use minimal possible permissions in code, for as short of a time as possible
3. Avoid using cookies and hidden fields
4. Never provide an authorization above ‘guest’ to web users
Question
SQL Injection is BEST protected against by using:
1. Cleartext
2. Encryption and Integrity Checking
3. Sanitization
4. Clearly defined code such as UTF-8
Question
The main way to avoid replay between a client and server is:
1. Integrity checking
2. Whitelist
3. Blacklist
4. Nonce
Question
An attack that could cause the MOST problems includes:
1. Hard-coded password
2. Race condition
3. Denial of Service
4. Chatty error message
Question
The BEST way to ensure no message modification occurs is:
1. Hashing
2. Whitelist
3. Blacklist
4. Encryption
Question
All of the following EXCEPT which answer can result in invalid data AND break-in?
1. Non-random random number generator
2. Buffer overflow
3. Uninitialized variables resulting in error messages
4. Race conditions