Random function flaw leads to ‘Patient zero’

The computer used to kick-start a global worm outbreak in March 2004 has been traced using crucial kinks in its code.


The worm code used a random function to generate the next set of targets. Because the rand function provided by operating systems produces a predictable, repeatable sequence of numbers, the team of Nicholas Weaver and Vern Paxson from the University of California, Berkeley, and Abhishek Kumar from the Georgia Institute of Technology were able to work backwards through that sequence and painstakingly retrace its steps to the first computer – or “patient zero” – of the outbreak.


More details are available at http://www.newscientist.com/article.ns?id=dn7441&feedId=online-news_rss20



Tip: Don’t use the rand function for anything security-relevant. Use dedicated cryptographic APIs such as CryptGenRandom on Windows. Source: Writing Secure Code by Michael Howard, MS Press.
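To show why a deterministic rand function lets investigators walk a target sequence back to its seed, and why the tip above recommends a cryptographic generator instead, here is an added example (not from the article or the researchers’ work). It uses the portable sample rand() implementation from the ISO C standard as a stand-in for the OS rand function; the seed range searched is a constructed assumption.

```python
import secrets
from typing import List, Optional

# Constructed example: the LCG the ISO C standard gives as a sample rand()
# implementation. The seed fully determines every value that follows.
class CRand:
    MULT, INC, MOD = 1103515245, 12345, 2 ** 32

    def __init__(self, seed: int) -> None:
        self.state = seed % self.MOD

    def rand(self) -> int:
        """Return the next value in [0, 32768), as the C sample does."""
        self.state = (self.state * self.MULT + self.INC) % self.MOD
        return (self.state // 65536) % 32768


def target_sequence(seed: int, count: int) -> List[int]:
    """The 'next set of targets' a rand()-driven program picks from SEED."""
    rng = CRand(seed)
    return [rng.rand() for _ in range(count)]


def recover_seed(observed: List[int], max_seed: int = 1 << 16) -> Optional[int]:
    """Reverse-trace an observed sequence back to the seed that produced it.

    This is the forensic property that makes a deterministic generator
    traceable: only a matching seed reproduces the whole observed prefix.
    The bounded seed space is an assumption for this example.
    """
    for seed in range(max_seed):
        if target_sequence(seed, len(observed)) == observed:
            return seed
    return None


def crypto_target_sequence(count: int) -> List[int]:
    """Same output shape from the OS CSPRNG: there is no seed to recover."""
    return [secrets.randbelow(32768) for _ in range(count)]
```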

Free Microsoft .NET Compact Framework Training

Microsoft and HP have teamed up to bring you an intensive, 8-hour class focused on developing for Windows Mobile devices. Part of the HP Virtual Classroom Series, this session covers everything you need to know to take your code mobile.  The training takes place over two days, June 15 and 16, with two time slots available.  For Session 1 from 11 am-3 pm EDT, use Event ID 303702; for Session 2 from 4 pm – 8 pm EDT, use Event ID 303703.


More details at http://www.hp-microsoft.net/Compact/login.aspx?ReturnUrl=%2fcompact%2findex.aspx

Developer elearning for free

Most of you must be aware, but here’s a reminder from my side.

Developer Elearning is a new elearning venture opened by Microsoft. It’s all about features and functions served up specifically for the developer audience. It’s free and accessible 24/7 at http://msdn.microsoft.com/elearning.

You can check out http://msdn.microsoft.com/elearning for more details.

There are also grand prizes if you complete a survey.

Grand Prize: Sony 50″ Plasma WEGA High Definition TV ultimate home theater package
2nd Prize: Nikon D70 SLR Digital Camera package
3rd Prize: Bose Acoustic Wave 5-CD Music System
4th Prize: Bose Acoustic Noise Cancelling Headphones


If you are interested in my covering any specific topics, please leave feedback and I shall blog about it.

Webchat Transcript – Writing Secure .NET Code

Chat Topic : Writing Secure .NET Code
Chat Expert : Vipul Patel
April 20, 2005

subhashini (Moderator):
the chat begins at 5.00 pm IST
subhashini (Moderator):
Request all of you to refrain from sending any private messages, as that leads to disconnection of the expert from the chat
subhashini (Moderator):
Hello everybody. A very good evening to all of you.
subhashini (Moderator):
welcome to today’s chat on writing Secure .NET code
subhashini (Moderator):
We had chats on writing secure code earlier on 13th and 14th April, and today is the last part in the series.
subhashini (Moderator):
We have with us Vipul Patel (MVP)
subhashini (Moderator):
to host today’s chat
subhashini (Moderator):
After pursuing a bachelor’s degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India’s college chapter at Nirma Institute of Technology (www.nit.edu ) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com or vipul.patel@patni.com
subhashini (Moderator):
before we begin the chat
subhashini (Moderator):
few chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
This leads to disconnection of the expert from the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
let’s welcome Vipul and hope you find this chat useful and informative
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini
Vipul Patel (Expert):
Welcome all to the final episode of writing secure code. Today we shall focus on “Writing Secure .NET code”
Vipul Patel (Expert):
I shall skim through the best practices and tips on writing secure .NET code, and will answer the questions on completion of the best practices.
Vipul Patel (Expert):
While the .NET Framework is a robust one, we need to exercise care while coding to make the application secure.
Vipul Patel (Expert):
The good thing about the .NET Framework is that common security attacks are not bound to happen with .NET applications. But vulnerabilities are still possible.
Vipul Patel (Expert):
A classic example will be SQL injection. To avoid such an attack, you need to follow the best practices as outlined in the earlier web chats.
Vipul Patel (Expert):
Today we will focus more on the .NET side of coding practices.
Vipul Patel (Expert):
Don’t forget to apply secure coding techniques like:
Vipul Patel (Expert):
a. Don’t store secrets in code or web.config files
Vipul Patel (Expert):
b. Don’t create your own encryption; use the one provided by the framework. Use the classes in the System.Security.Cryptography namespace.
Vipul Patel (Expert):
c. Don’t trust user input till you have validated its correctness.
Vipul Patel (Expert):
.NET code helps mitigate a number of common security vulnerabilities such as buffer overruns. Security in .NET grants code different levels of trust based not only on the user’s capabilities but also on system policy and evidence (digital signature) of the code.
Vipul Patel (Expert):
But before that a question to the audience…..
Vipul Patel (Expert):
How many of you are aware of FxCop?
Vipul Patel (Expert):
please reply using the Guest Chat option…..
Vipul Patel (Expert):
That’s great. We have one user who actively uses that.
Vipul Patel (Expert):
Tip: Add your own rules to FxCop if you want to implement coding rules beyond the ones provided by FxCop.
Vipul Patel (Expert):
For those who are not aware, FxCop is available from http://www.gotdotnet.com. It is a code analysis tool that checks .NET assemblies for conformance to the .NET Framework Design Guidelines at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconnetframeworkdesignguidelines.asp
Vipul Patel (Expert):
FxCop can produce an XML file that lists any design guideline violations in your assembly.
Vipul Patel (Expert):
What are the two most common errors flagged by FxCop?
Vipul Patel (Expert):
a. Lack of strong name on the assembly
Vipul Patel (Expert):
b. Failure of the assembly to specify permission requests.
Vipul Patel (Expert):
How to prevent these errors? Let’s take them one by one.
Vipul Patel (Expert):
Use strong names for assemblies (to fix: lack of strong name):
Vipul Patel (Expert):
sn -k keypair.snk
Vipul Patel (Expert):
Over and above strong names, you may want to Authenticode-sign an assembly to identify the publisher. Do this after strong naming your assemblies.
Vipul Patel (Expert):
You cannot use Authenticode first because the strong name signature will appear as “tampering” to the Authenticode signature check.
Vipul Patel (Expert):
Additionally, You can delay-sign your assemblies to prevent information disclosure by a careless developer.
Vipul Patel (Expert):
Tip: Strong-named assemblies can only refer to other strong-named assemblies. Get your application design ready to use the GAC.
Vipul Patel (Expert):
Next we come to the second most popular finding of FxCop – failure of the assembly to specify permission requests.
Vipul Patel (Expert):
pinto: can you rephrase your question?
Vipul Patel (Expert):
For that, we need to know about CAS or Code Access Security: The theory of the same is located at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconcodeaccesssecurity.asp
Vipul Patel (Expert):
Best practises for CAS
Vipul Patel (Expert):
a. Request minimal permission set: Requesting helps ensure that your code is granted only the permissions it needs.
Vipul Patel (Expert):
e.g. if your application requires only FileIOPermission to read one file, and nothing more, add this line to your code:
Vipul Patel (Expert):
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\FileName.xml")]
Vipul Patel (Expert):
pinto: that depends on your FxCop settings…..
Vipul Patel (Expert):
pinto: you need to disable this rule if it is already on….
Vipul Patel (Expert):
coming back to CAS, you should use RequestMinimum to define the minimum must-have grant set. If the runtime cannot grant the minimum set to the application, it will raise a PolicyException exception and your application will not run.
Vipul Patel (Expert):
b. Refuse unneeded permissions: Simply refuse permissions you don’t need.
Vipul Patel (Expert):
e.g. if there are no FileIO operations in the application:
[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
Vipul Patel (Expert):
A simple code snippet such as the above will refuse File IO access through your secure code.
Vipul Patel (Expert):
Tip: If you don’t get the requisite permissions, there will be exceptions. Handle these possible exceptions that may arise if the requested permissions are not granted.
Vipul Patel (Expert):
c. Use Assert wisely
Vipul Patel (Expert):
What we need to ensure for this is that code permissions are granted rationally.
Vipul Patel (Expert):
Suppose A has permissions to do anything on the server
And B has permission to make calls on A.
Vipul Patel (Expert):
Now if A makes an Assert statement, B will get access to all resources permitted to A.
This implies that through A, B can make any changes on the server, and this may not be the desired scenario.
Vipul Patel (Expert):
Q: aren’t you trying to say about the SecurityExceptions?
A: no, the exception being referred here is PolicyException…..
Vipul Patel (Expert):
d. Keep the Assertion as small as possible
Vipul Patel (Expert):
If you do need to Assert, make sure that you RevertAssert as soon as you are done.
Vipul Patel (Expert):
In C# code, this is done by
CodeAccessPermission.RevertAssert();
Vipul Patel (Expert):
Tip: When Deny, Assert and PermitOnly are used together, Deny has the highest precedence.
Vipul Patel (Expert):
e. Limit who uses your code
Vipul Patel (Expert):
How: Consider sealing your classes. This will make them non-inheritable.
Vipul Patel (Expert):
Also, You can use InheritanceDemand to require that derived classes have a specified identity or permission.
Vipul Patel (Expert):
[EnvironmentPermission(SecurityAction.InheritanceDemand, Unrestricted = true)]
public class A
{
}
public class B : A
{
}
Vipul Patel (Expert):
This implies that if the inheriting class requests actions through an inherited class, the framework will check whether the calling class has the permissions needed to do the action.
Vipul Patel (Expert):
In the earlier example, B must have EnvironmentPermission if it is to inherit from A.
Vipul Patel (Expert):
Other security Tips for .NET programmers
Vipul Patel (Expert):
Q: How to protect Images in a ASP.NET Project i.e Print, Print Screen, Save Page…. etc
A: I believe that disabling menu options on browsers is achievable through JavaScript. I need time to investigate this in detail. Please email me at vipul_d_patel@hotmail.com stating your complete requirement.
Vipul Patel (Expert):
a. No Sensitive Data in XML or Configuration files
Vipul Patel (Expert):
Storing data of non secure nature is ok in configuration files such as web.config.
subhashini (Moderator):
Please use the radial button “submit a question ” to ask any questions to the expert
Vipul Patel (Expert):
It is an oxymoron that storing data in the registry is safer than storing it in web.config. We need to make a judicious call here, as registry access violates No Touch Deployment fundas.
Vipul Patel (Expert):
A better option will be to use SQL Server as data storage for confidential information.
Vipul Patel (Expert):
ASP.NET v1.1 supports optional Data Protection API encryption of secrets stored in the registry. The configuration sections that take advantage of this are <processModel>, <identity>, and <sessionState>.
Vipul Patel (Expert):
aspnet_setreg.exe is a cool tool to explore for using registry to store confidential information….
Vipul Patel (Expert):
Tip: Review Assemblies that allow partial trust
Vipul Patel (Expert):
If you want your assembly to be invoked from partially trusted sources, you need to tag it:
[assembly: AllowPartiallyTrustedCallers]
Vipul Patel (Expert):
Furthermore, you need to review in detail all the assemblies that make calls to this assembly in partially trusted mode, because partially trusted code has considerable access to the resources handled by the called assembly.
Vipul Patel (Expert):
IMP: Assemblies that allow partially trusted callers should never expose objects from assemblies that do not allow partially trusted callers.
Vipul Patel (Expert):
Never forget to review the code of the calling assembly lest it causes any security breach.
Vipul Patel (Expert):
Tip: Check managed wrappers to unmanaged code for correctness.
Make sure that code calling into unmanaged code is well written and safe.
Vipul Patel (Expert):
Issues with Serialization
Vipul Patel (Expert):
Give special attention to classes that implement the ISerializable interface if an object based on the class could contain sensitive object information.
Vipul Patel (Expert):
If these classes store passwords, it could pose a considerable security concern.
Vipul Patel (Expert):
Q: Vipul: I have learned that you can save the session in SQL to identify the broken sessions and continue from where they stopped. Do you suggest such a kind of storage?
A: Yes, storing session information in SQL Server would be a good option. Optionally, if that code or the user has access to the registry, you can use the DPAPI also.
SQL Server is better.
Vipul Patel (Expert):
Using Isolated storage
Vipul Patel (Expert):
Using Isolated Storage provided by the .NET Framework has the advantage that only the code in a given assembly can access the isolated data, when any of the following conditions are met: the application that was running when the assembly created the store is using the assembly, or the user who created the store is running the application.
Vipul Patel (Expert):
using System.IO.IsolatedStorage;
..
// Scope flags are combined with a bitwise OR, not a logical OR
IsolatedStorageFile isoFile = IsolatedStorageFile.GetStore(IsolatedStorageScope.User | IsolatedStorageScope.Assembly, null, null);
Vipul Patel (Expert):
The major advantage of using isolated storage is that it does not require FileIOPermission to operate correctly.
subhashini (Moderator):
Friends , we have the last 15 minutes left for the chat to conclude
Vipul Patel (Expert):
But don’t use isolated storage to store sensitive data, because it is not protected from highly trusted code or trusted users of the computer.
Vipul Patel (Expert):
Other tips
Vipul Patel (Expert):
Disable Tracing and Debugging Before Deploying ASP.NET Application
Vipul Patel (Expert):
Because: you can potentially give an attacker too much information
subhashini (Moderator):
So please rush in your questions to Vipul
Vipul Patel (Expert):
How to do this:
Vipul Patel (Expert):
1. Remove Debug verb from IIS.
2. Disable debugging and tracing within the ASP.NET application Page directive
<%@ Page Language="VB" Trace="False" Debug="False" %>
3. In the web.config file
<trace enabled="false"/>
<compilation debug="false"/>
Vipul Patel (Expert):
Also, Do not deserialize data from untrusted sources.
Vipul Patel (Expert):
In case the application fails, do not tell the attacker too much when you fail. Rather, write to the application log an error code which is known only to developers.
Vipul Patel (Expert):
Thats all for the tips and tricks. Now to your questions…..
Vipul Patel (Expert):
Q: Vipul: can you throw some light on “SecurityException”?
A: A SecurityException occurs when a security error is detected, like making IO calls when the user does not have rights for it.
PolicyException, on the other hand, is generated when code requests more permissions than the policy will grant, or the policy is configured to prohibit running the code.
Vipul Patel (Expert):
OK team, the resources that should keep you going:
Vipul Patel (Expert):
A book by Michael Howard titled “Writing Secure Code”. It is by Microsoft Press. It’s an extremely good book. I recommend all to read it when you get time.
Vipul Patel (Expert):
visit digitalblackbelt.com and view the webcasts on security they are great.
Vipul Patel (Expert):
Also on MSDN webcasts, there is a series of webcasts on Writing Secure Code; you can view them if you can get your hands on the book.
Vipul Patel (Expert):
That’s all from my side.
Vipul Patel (Expert):
Q: Vipul: i have a small situation.. can i ask you now?
A: sure..
Vipul Patel (Expert):
Q: thnx vipul
A: anytime man
Vipul Patel (Expert):
You can visit http://msdn.microsoft.com/asp.net/articles/security/default.aspx for more information on security.
subhashini (Moderator):
Well, we are almost close to time-up!
subhashini (Moderator):
There’s time for one last question
subhashini (Moderator):
To ask any additional queries , please feel free to email Vipul
subhashini (Moderator):
at vipul_d_patel@hotmail.com
subhashini (Moderator):
Hope this chat in series was informative
subhashini (Moderator):
To read chat transcripts of earlier chats , visit http://www.microsoft.com/india/communities/chat/Transcripts.aspx
subhashini (Moderator):
Thanks to all of you for attending today’s chat
Vipul Patel (Expert):
chakravarty: can you email me this question? I shall reply ASAP. My email id is vipul_D_patel@hotmail.com
subhashini (Moderator):
Special thanks to Vipul for taking time out for this informative session with his geographical constraints regarding timings
Vipul Patel (Expert):
Thanks all for attending this chat
subhashini (Moderator):
Thanks a lot Vipul
Vipul Patel (Expert):
welcome subhashini
subhashini (Moderator):
request all of you to pool in your queries through email
subhashini (Moderator):
Have a lovely evening
subhashini (Moderator):
Also feel free to pool in your feedback for these chats at commind@microsoft.com
subhashini (Moderator):
enjoy your evening all of you and Vipul , have a great day :-)