Programming Flaws and How to Fix Them

Academic year: 2021

MICHAEL HOWARD

DAVID LEBLANC

JOHN VIEGA

McGraw-Hill/Osborne

New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

CONTENTS

Foreword xv
Acknowledgments xvii
Introduction xix

1 Buffer Overruns 1
    Overview of the Sin 2
    Affected Languages 2
    The Sin Explained 3
        Sinful C/C++ 6
    Related Sins 8
    Spotting the Sin Pattern 9
    Spotting the Sin During Code Review 9
    Testing Techniques to Find the Sin 9
    Example Sins 10
        CVE-1999-0042 10
        CVE-2000-0389-CVE-2000-0392 11
        CVE-2002-0842, CVE-2003-0095, CAN-2003-0096 11
        CAN-2003-0352 12
    Redemption Steps 12
        Replace Dangerous String Handling Functions 12
        Audit Allocations 13
        Check Loops and Array Accesses 13
        Replace C String Buffers with C++ Strings 13
        Replace Static Arrays with STL Containers 13
        Use Analysis Tools 13
    Extra Defensive Measures 14
        Stack Protection 14
        Non-executable Stack and Heap 14
    Other Resources 15
    Summary 16

2 Format String Problems 17
    Overview of the Sin 18
    Affected Languages 18
    The Sin Explained 18
        Sinful C/C++ 21
    Related Sins 21
    Spotting the Sin Pattern 21
    Spotting the Sin During Code Review 22
    Testing Techniques to Find the Sin 22
    Example Sins 22
        CVE-2000-0573 23
        CVE-2000-0844 23
    Redemption Steps 23
        C/C++ Redemption 23
    Extra Defensive Measures 24
    Other Resources 24
    Summary 24

3 Integer Overflows 25
    Overview of the Sin 26
    Affected Languages 26
    The Sin Explained 26
        Sinful C and C++ 26
        Sinful C# 31
        Sinful Visual Basic and Visual Basic .NET 33
        Sinful Java 34
        Sinful Perl 34
    Spotting the Sin Pattern 35
    Spotting the Sin During Code Review 36
        C/C++ 36
        C# 38
        Java 38
        Visual Basic and Visual Basic .NET 38
        Perl 39
    Testing Techniques to Find the Sin 39
    Example Sins 39
        Flaw in Windows Script Engine Could Allow Code Execution 39
        Integer Overflow in the SOAPParameter Object Constructor 39
        Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise 40
    Redemption Steps 40
    Extra Defensive Measures 42
    Other Resources 42
    Summary 43

4 SQL Injection 45
    Overview of the Sin 46
    Affected Languages 46
    The Sin Explained 46
        Sinful C# 47
        Sinful PHP 48
        Sinful Perl/CGI 48
        Sinful Java and JDBC 49
        Sinful SQL 50
    Related Sins 51

    Spotting the Sin Pattern 52
    Spotting the Sin During Code Review 52
    Testing Techniques to Find the Sin 53
    Example Sins 54
        CAN-2004-0348 54
        CAN-2002-0554 55
    Redemption Steps 55
        Validate All Input 55
        Never Use String Concatenation to Build SQL Statements 55
        PHP 5.0 and MySQL 4.1 or Later Redemption 56
        Perl/CGI Redemption 57
        Java Using JDBC Redemption 58
        ColdFusion Redemption 59
        SQL Redemption 59
    Extra Defensive Measures 59
    Other Resources 59
    Summary 60

5 Command Injection 63
    Overview of the Sin 64
    Affected Languages 64
    The Sin Explained 64
    Related Sins 66
    Spotting the Sin Pattern 66
    Spotting the Sin During Code Review 66
    Testing Techniques to Find the Sin 68
    Example Sins 68
        CAN-2001-1187 68
        CAN-2002-0652 69
    Redemption Steps 69
        Data Validation 69
        When a Check Fails 71
    Extra Defensive Measures 72
    Other Resources 72
    Summary 72

6 Failing to Handle Errors 73
    Overview of the Sin 74
    Affected Languages 74
    The Sin Explained 74
        Yielding Too Much Information 74
        Ignoring Errors 74
        Misinterpreting Errors 75
        Using Useless Error Values 75
        Handling the Wrong Exceptions 75
        Handling All Exceptions 76
        Sinful C/C++ 76
        Sinful C/C++ on Windows 77

        Sinful C#, VB.NET, and Java 78
    Related Sins 79
    Spotting the Sin Pattern 79
    Spotting the Sin During Code Review 79
    Testing Techniques to Find the Sin 80
    Example Sin 80
        CAN-2004-0077 Linux Kernel do_mremap 80
    Redemption Steps 80
        C/C++ Redemption 80
        C#, VB.NET, and Java Redemption 81
    Other Resources 82
    Summary 82

7 Cross-Site Scripting 83
    Overview of the Sin 84
    Affected Languages 84
    The Sin Explained 84
        Sinful C/C++ ISAPI Application or Filter 85
        Sinful ASP 85
        Sinful ASP.NET Forms 86
        Sinful JSP 86
        Sinful PHP 86
        Sinful CGI Using Perl 86
        Sinful mod_perl 87
    Spotting the Sin Pattern 87
    Spotting the Sin During Code Review 87
    Testing Techniques to Find the Sin 88
    Example Sins 89
        IBM Lotus Domino Cross-Site Scripting and HTML Injection Vulnerabilities 89
        Oracle HTTP Server "isqlplus" Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks 90
        CVE-2002-0840 90
    Redemption Steps 90
        ISAPI C/C++ Redemption 90
        ASP Redemption 91
        ASP.NET Forms Redemption 91
        JSP Redemption 92
        PHP Redemption 94
        CGI Redemption 95
        mod_perl Redemption 95
        A Note on HTML Encode 96
    Extra Defensive Measures 96
    Other Resources 97
    Summary 98

8 Failing to Protect Network Traffic 99
    Overview of the Sin 100
    Affected Languages 100
    The Sin Explained 100

    Related Sins 102
    Spotting the Sin Pattern 103
    Spotting the Sin During Code Review 103
    Testing Techniques to Find the Sin 106
    Example Sins 106
        TCP/IP 107
        E-mail Protocols 107
        E*Trade 107
    Redemption Steps 108
        Low-Level Recommendations 108
    Extra Defensive Measures 111
    Other Resources 111
    Summary 111

9 Use of Magic URLs and Hidden Form Fields 113
    Overview of the Sin 114
    Affected Languages 114
    The Sin Explained 114
        Magic URLs 114
        Hidden Form Fields 115
    Related Sins 115
    Spotting the Sin Pattern 115
    Spotting the Sin During Code Review 116
    Testing Techniques to Find the Sin 117
    Example Sins 118
        CAN-2000-1001 118
        MaxWebPortal Hidden Form Field Modification 118
    Redemption Steps 118
        Attacker Views the Data 119
        Attacker Replays the Data 119
        Attacker Predicts the Data 121
        Attacker Changes the Data 122
    Extra Defensive Measures 123
    Other Resources 123
    Summary 123

10 Improper Use of SSL and TLS 125
    Overview of the Sin 126
    Affected Languages 126
    The Sin Explained 126
    Related Sins 129
    Spotting the Sin Pattern 130
    Spotting the Sin During Code Review 130
    Testing Techniques to Find the Sin 132
    Example Sins 132
        E-mail Clients 132
        Safari Web Browser 133
        The Stunnel SSL Proxy 133
    Redemption Steps 134
        Choosing a Protocol Version 134

        Choosing a Cipher Suite 135
        Ensuring Certificate Validity 136
        Validating the Hostname 137
        Checking Certificate Revocation 138
    Extra Defensive Measures 140
    Other Resources 140
    Summary 140

11 Use of Weak Password-Based Systems 143
    Overview of the Sin 144
    Affected Languages 144
    The Sin Explained 144
    Related Sins 146
    Spotting the Sin Pattern 146
    Spotting the Sin During Code Review 146
        Password Content Policy 147
        Password Changes and Resets 147
        Password Protocols 148
        Password Handling and Storage 148
    Testing Techniques to Find the Sin 149
    Example Sins 149
        CVE-2005-1505 150
        CVE-2005-0432 150
        The TENEX Bug 150
        The Paris Hilton Hijacking 151
    Redemption Steps 151
        Multifactor Authentication 152
        Storing and Checking Passwords 152
        Guidelines for Choosing Protocols 156
        Guidelines for Password Resets 156
        Guidelines for Password Choice 157
        Other Guidelines 158
    Extra Defensive Measures 158
    Other Resources 159
    Summary 159

12 Failing to Store and Protect Data Securely 161
    Overview of the Sin 162
    Affected Languages 162
    The Sin Explained 162
        Weak Access Controls to "Protect" Secret Data 162
        Sinful Access Controls 164
        Embedding Secret Data in Code 166
    Related Sins 166
    Spotting the Sin Pattern 166
    Spotting the Sin During Code Review 167
    Testing Techniques to Find the Sin 168
    Example Sins 170
        CVE-2000-0100 171
        CAN-2002-1590 171

        CVE-1999-0886 171
        CAN-2004-0311 171
        CAN-2004-0391 171
    Redemption Steps 172
        Use the Operating System's Security Technologies 172
        C/C++ Windows 2000 and Later Redemption 173
        ASP.NET 1.1 and Later Redemption 175
        C# .NET Framework 2.0 Redemption 175
        C/C++ Mac OS X v10.2 and Later Redemption 175
        Redemption with No Operating System Help (or Keeping Secrets Out of Harm's Way) 176
        A Note on Java and the Java KeyStore 178
    Extra Defensive Measures 180
    Other Resources 180
    Summary 181

13 Information Leakage 183
    Overview of the Sin 184
    Affected Languages 184
    The Sin Explained 184
        Side Channels 185
        TMI: Too Much Information! 186
        A Model for Information Flow Security 188
        Sinful C# (and Any Other Language) 190
    Related Sins 190
    Spotting the Sin Pattern 190
    Spotting the Sin During Code Review 191
    Testing Techniques to Find the Sin 192
        The Stolen Laptop Scenario 192
    Example Sins 192
        Dan Bernstein's AES Timing Attack 192
        CAN-2005-1411 193
        CAN-2005-1133 193
    Redemption Steps 194
        C# (and Other Languages) Redemption 194
        Network Locality Redemption 195
    Extra Defensive Measures 195
    Other Resources 195
    Summary 196

14 Improper File Access 197
    Overview of the Sin 198
    Affected Languages 198
    The Sin Explained 198
        Sinful C/C++ on Windows 199
        Sinful C/C++ 199
        Sinful Perl 200
        Sinful Python 200
    Related Sins 200

    Spotting the Sin Pattern 201
    Spotting the Sin During Code Review 201
    Testing Techniques to Find the Sin 202
    Example Sins 202
        CAN-2005-0004 202
        CAN-2005-0799 202
        CAN-2004-0452 and CAN-2004-0448 203
        CVE-2004-0115 Microsoft Virtual PC for the Macintosh 203
    Redemption Steps 203
        Perl Redemption 204
        C/C++ Redemption on *nix 204
        C/C++ Redemption on Windows 204
        Getting the Location of the User's Temporary Directory 205
        .NET Code Redemption 205
    Extra Defensive Measures 205
    Other Resources 206
    Summary 206

15 Trusting Network Name Resolution 207
    Overview of the Sin 208
    Affected Languages 208
    The Sin Explained 208
        Sinful Applications 210
    Related Sins 211
    Spotting the Sin Pattern 211
    Spotting the Sin During Code Review 212
    Testing Techniques to Find the Sin 212
    Example Sins 212
        CVE-2002-0676 213
        CVE-1999-0024 213
    Redemption Steps 213
    Other Resources 214
    Summary 215

16 Race Conditions 217
    Overview of the Sin 218
    Affected Languages 218
    The Sin Explained 218
        Sinful Code 220
    Related Sins 220
    Spotting the Sin Pattern 221
    Spotting the Sin During Code Review 221
    Testing Techniques to Find the Sin 222
    Example Sins 222
        CVE-2001-1349 222
        CAN-2003-1073 223
        CVE-2000-0849 223
    Redemption Steps 223
    Extra Defensive Measures 225

    Other Resources 225
    Summary 226

17 Unauthenticated Key Exchange 227
    Overview of the Sin 228
    Affected Languages 228
    The Sin Explained 228
    Related Sins 229
    Spotting the Sin Pattern 230
    Spotting the Sin During Code Review 230
    Testing Techniques to Find the Sin 231
    Example Sins 231
        Novell Netware MITM Attack 231
        CAN-2004-0155 231
    Redemption Steps 232
    Extra Defensive Measures 232
    Other Resources 233
    Summary 233

18 Cryptographically Strong Random Numbers 235
    Overview of the Sin 236
    Affected Languages 236
    The Sin Explained 236
        Sinful Noncryptographic Generators 237
        Sinful Cryptographic Generators 237
        Sinful True Random Number Generators 238
    Related Sins 239
    Spotting the Sin Pattern 239
    Spotting the Sin During Code Review 239
        When Random Numbers Should Have Been Used 239
        Finding Places that Use PRNGs 240
        Determining Whether a CRNG Is Seeded Properly 241
    Testing Techniques to Find the Sin 241
    Example Sins 242
        The Netscape Browser 242
        OpenSSL Problems 242
    Redemption Steps 243
        Windows 243
        .NET Code 243
        Unix 244
        Java 245
        Replaying Number Streams 245
    Extra Defensive Measures 246
    Other Resources 246
    Summary 246

19 Poor Usability 247
    Overview of the Sin 248
    Affected Languages 248

    The Sin Explained 248
        Who Are Your Users? 249
        The Minefield: Presenting Security Information to Your Users 249
    Related Sins 250
    Spotting the Sin Pattern 250
    Spotting the Sin During Code Review 250
    Testing Techniques to Find the Sin 251
    Example Sins 251
        SSL/TLS Certificate Authentication 251
        Internet Explorer 4.0 Root Certificate Installation 252
    Redemption Steps 253
        When Users Are Involved, Make the UI Simple and Clear 253
        Make Security Decisions for Users 253
        Make Selective Relaxation of Security Policy Easy 255
        Clearly Indicate Consequences 255
        Make It Actionable 258
        Provide Central Management 259
    Other Resources 259
    Summary 259

A Mapping the 19 Deadly Sins to the OWASP "Top Ten" 261

B Summary of Do's and Don'ts 263
    Sin 1: Buffer Overruns Summary 264
    Sin 2: Format String Problems Summary 264
    Sin 3: Integer Overflows Summary 264
    Sin 4: SQL Injection Summary 265
    Sin 5: Command Injection Summary 266
    Sin 6: Failing to Handle Errors Summary 266
    Sin 7: Cross-Site Scripting Summary 266
    Sin 8: Failing to Protect Network Traffic Summary 266
    Sin 9: Use of Magic URLs and Hidden Form Fields Summary 267
    Sin 10: Improper Use of SSL and TLS Summary 267
    Sin 11: Use of Weak Password-Based Systems Summary 268
    Sin 12: Failing to Store and Protect Data Securely Summary 269
    Sin 13: Information Leakage Summary 270
    Sin 14: Improper File Access Summary 270
    Sin 15: Trusting Network Name Resolution Summary 270
    Sin 16: Race Conditions Summary 271
    Sin 17: Unauthenticated Key Exchange Summary 271
    Sin 18: Cryptographically Strong Random Numbers Summary 271
    Sin 19: Poor Usability Summary 271
