Webchat Transcript – Writing Secure Code – Part 2
Chat Topic : Writing Secure Code -II
Chat Expert : Vipul Patel (MVP)
April 14, 2005
subhashini (Moderator):
hello everybody
subhashini (Moderator):
🙂 a very good evening to all of you
subhashini (Moderator):
and welcome all of you to join us for the second part of the series chat
subhashini (Moderator):
on writing secure code
subhashini (Moderator):
Thanks to Vipul Patel (MVP) for hosting this series chat
subhashini (Moderator):
Guys, thanks to him, he’s based out of US and is currently hosting the chat during his odd hours
subhashini (Moderator):
Once again a quick run through the chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
thanks to all of you for attending this chat.
subhashini (Moderator):
and lets welcome vipul
Vipul Patel (Expert):
Thanks Subhashini for the opportunity. Welcome to the second part of the series on Writing secure code.
subhashini (Moderator):
to continue the series
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Hello all
Vipul Patel (Expert):
Those who missed out yesterday: a quick recap. Yesterday the main focus was the need for writing secure code, threat modeling, and we saw two security concerns: buffer overruns and ACLs.
Vipul Patel (Expert):
Today we shall focus on the other security concerns….
Vipul Patel (Expert):
We begin with poor cryptographic techniques
Vipul Patel (Expert):
Crypto can help secure data from specific threats, but it does not secure the application from coding errors.
Vipul Patel (Expert):
Common mistakes people make when using cryptography include
Vipul Patel (Expert):
a. using poor random numbers
Vipul Patel (Expert):
b. using passwords to derive cryptographic keys
Vipul Patel (Expert):
Let's catch them one by one
Vipul Patel (Expert):
Did you know that the random function provided by the operating system generates the same sequence of random numbers every time?
Vipul Patel (Expert):
Same case with the Frameworks……
Vipul Patel (Expert):
Consider this code in C++

// Always prints the same sequence of numbers, because the seed is fixed
#include <cstdio>
#include <cstdlib>

int main()
{
    srand(12366);                 // fixed seed: rand() is fully predictable from here on
    for (int i = 0; i < 10; i++)
    {
        int r = rand() % 100;
        printf("%d ", r);
    }
    return 0;
}
Vipul Patel (Expert):
The above code snippet always results in the same set of numbers.....
Vipul Patel (Expert):
let's see one in C#

using System;

class Class1
{
    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    [STAThread]
    static void Main(string[] args)
    {
        // Fixed seed: the same 20 numbers are printed on every run
        Random rnd = new Random(1234);
        for (int i = 0; i < 20; i++)
        {
            Console.WriteLine(rnd.Next(100));
        }
    }
}
Vipul Patel (Expert):
The above code also results in the same sequence of random numbers being generated.
Vipul Patel (Expert):
The problem with using such functions is that if your application is of a secure nature, like a financial institution application, such a dependency on system-provided (read: predictable) numbers can be easily tracked by the hacker......
Vipul Patel (Expert):
If the random numbers are used for, say, saving the session key, then all the session information is at risk....
Vipul Patel (Expert):
How to avoid such a situation…..
Vipul Patel (Expert):
For win32 applications use the CryptGenRandom class…………………
Vipul Patel (Expert):
and those of you coding in C#, use the RNGCryptoServiceProvider class available in the System.Security.Cryptography namespace
Vipul Patel (Expert):
another poor cryptographic technique is “Using Passwords to Derive Cryptographic keys”
Vipul Patel (Expert):
some applications are based on a security model where you ask the user for a password for a specific action and then this user-provided password is used as a cryptographic key.
Vipul Patel (Expert):
The problem with such an approach is that if the password is small, then it is easy to predict through a dictionary attack......
Vipul Patel (Expert):
Dictionary attack: try all possible words from the dictionary to see which works as a key....
Vipul Patel (Expert):
Suggestion: keep your passwords long and random.
Vipul Patel (Expert):
You can make this a network policy…..
Vipul Patel (Expert):
With Win2003 Server and later, you can validate password compliance with NetValidatePasswordPolicy.
Vipul Patel (Expert):
More information available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp>
Vipul Patel (Expert):
Use Keyed Hash
Vipul Patel (Expert):
Keyed Hash: Is a hash that includes some secret data, data known only to the sender and recipients. It is typically created by hashing the plaintext concatenated to some secret key or a derivation of the secret key. It is one kind of message authentication code (MAC).
Vipul Patel (Expert):
the idea here is to not use a simple hash but to use a keyed hash........ This secures things a bit....
subhashini (Moderator):
sorry guys, vipul
subhashini (Moderator):
might have just got logged out
subhashini (Moderator):
please hold on for a couple of mins. he would be back
subhashini (Moderator):
vipul has lost his wireless connection and has had to reboot
subhashini (Moderator):
so, he would be back any minute
subhashini (Moderator):
thanks for cooperating
subhashini (Moderator):
thanks guys
Vipul Patel (Expert):
sorry for the confusion guys…
Vipul Patel (Expert):
lets continue
Vipul Patel (Expert):
Creating a Keyed hash

using System.Security.Cryptography;

// key: the shared secret known only to sender and recipient; message: the data to authenticate
HMACSHA1 hmac = new HMACSHA1();
hmac.Key = key;
byte[] hash = hmac.ComputeHash(message);

Tip: Use the Operating system or .NET framework libraries. It’s much easier than implementing the logic yourself.
subhashini (Moderator):
apologies for the technical tricks played on us by the chat tool 🙂 we are back and lets get the chat rocking!
Vipul Patel (Expert):
So how do you protect secrets?
Vipul Patel (Expert):
We usually hash the data…..
Vipul Patel (Expert):
But better than hash, do a salted hash…
Vipul Patel (Expert):
Hash: is a cryptographic algorithm that produces a different output, called a message digest, for each unique element of data
Vipul Patel (Expert):
Better than hash, use a salted hash
Vipul Patel (Expert):
Salt is a random number that is added to the hashed data to eliminate the use of precomputed dictionary attacks, making an attempt to recover the original secret extremely expensive. The salt is stored unencrypted with the hash.
Vipul Patel (Expert):
More information is available at <http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx>
Vipul Patel (Expert):
Coming to talk of DPAPI, let's see what is available in Windows 2000 and above
Vipul Patel (Expert):
In Windows 2000 and later, we can use the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData.
Vipul Patel (Expert):
http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx
Vipul Patel (Expert):
Guys, the above link should work...
Vipul Patel (Expert):
These functions encrypt (DPAPI) and decrypt data by using a key derived from the user’s password. In addition, decryption can be done only on the computer where the data was encrypted unless the user has a roaming profile, in which case she can decrypt the data from another computer on the network.
Vipul Patel (Expert):
A Special Case: Client Credentials in Windows XP
Vipul Patel (Expert):
Windows XP includes functionality named Stored User Names And Passwords to make handling users’ passwords and other credentials, such as private keys, easier, more consistent, and safer. If your application includes a client component that requires you to prompt for or store a user’s credentials, you should seriously consider using this feature for the following reasons:
• Support for different types of credentials, such as passwords and keys, on smart cards.
• Support for securely saving credentials by using DPAPI.
• No need to define your own user interface. It’s provided, although you can add a custom image to the dialog box.
Vipul Patel (Expert):
Use NTFS for enhanced security. FAT and FAT32 do not enforce strict security checks.
Vipul Patel (Expert):
Other small nuances to take care of…..
Vipul Patel (Expert):
Trust no input
Vipul Patel (Expert):
Always validate any user input for all possible values: minimum, maximum, boundary conditions, etc.
You can check the format of the input data with regular expressions
Vipul Patel (Expert):
DOS device name vulnerability
Due to compatibility reasons, DOS device names have been carried over to Windows. That’s why you can't create a file named PRN, COM1, COM2 or LPT. Creating such files (even for temporary purposes) through code should be avoided.
Vipul Patel (Expert):
Don’t trust the PATH variable. Use full path names
If your application uses the PATH variable explicitly for a good number of reasons, it is better to create a custom environment variable for the purpose, as the PATH variable should not be depended upon; a lot of applications may modify it..
Vipul Patel (Expert):
SQL Injection attacks
Vipul Patel (Expert):
consider a SQL statement
Vipul Patel (Expert):
string sql = “select * from client where name = ‘” + name + “‘”
Vipul Patel (Expert):
imagine a user entering
Blake’ or 1 = 1
Vipul Patel (Expert):
Q: vipul, is SQL injection fully preventable through stored procedures?
A: no, for SQL injection, SPs are not a solution.
People use two solutions
Vipul Patel (Expert):
Q: vipul, is SQL injection fully preventable through stored procedures?
A: Correct solution is
a. never ever connect as sysadmin (This limits database damage by SQL injection)
b. Build your SQL statements securely, use Parameterized commands in your SP…………..
Vipul Patel (Expert):
Q: what are your strong recommendations to deal with SQL injection attacks
A: a. never ever connect as sysadmin (This limits database damage by SQL injection)
b. Build your SQL statements securely, use Parameterized commands in your SP…………..
subhashini (Moderator):
guys, we have the last 13 mins left for the chat to conclude for today
subhashini (Moderator):
please ask the last few questions to get them answered
Vipul Patel (Expert):
I agree with Chakravarthy: if possible, prevent the user from entering “‘” when he is specifying text-based information. But the problem is with names like L’Oreal... how to deal with that.. 😀
Vipul Patel (Expert):
Q: vipul, are there any other security areas that you need to highlight and may not have time to discuss fully here?
A: I will not be able to cover security in the .NET framework, which I will cover tomorrow.......
Vipul Patel (Expert):
Q: i want to ask whether parameterized commands are foolproof.
A: Depends on your code. But it is deemed and projected as quite secure..
Vipul Patel (Expert):
Q: suppose I have a web application, then using an encryption class is not going to help much, as encryption would occur at the server side; after all, data is transferred across the n/w without encryption. Am I right???
A: If you use SSL, then your data will be secure when transferred from the client to the server....
Vipul Patel (Expert):
Q: Hi, tell me more about DPAPI and what all complexities are involved implementing it ?
A: already answered….
Vipul Patel (Expert):
Yes, don't allow the word "where", if possible, I must add....
Vipul Patel (Expert):
Chakravarthy: Whidbey: I shall answer that tomorrow…..
subhashini (Moderator):
So this brings us to the end of today’s chat
subhashini (Moderator):
and hope to see you all tomorrow
subhashini (Moderator):
and hold on to your questions till tomorrow
subhashini (Moderator):
also feel free to email vipul at vipul_d_patel@hotmail.com
Vipul Patel (Expert):
The best resource on writing secure code is a book by Michael Howard titled “Writing secure code”………. Google for more information on the book….
Vipul Patel (Expert):
Chakravarthy:….. go ahead…
subhashini (Moderator):
go ahead chakravarthy
Vipul Patel (Expert):
For securing already written code, I suggest that you have a robust code review policy, revisit your design, basically perform threat modelling for an already existing application..
Vipul Patel (Expert):
That is a judgement call, if you feel that the previously written code is not secure, demo the failure to your team lead, and then suggest that the following remedies will apply….
Vipul Patel (Expert):
what do you mean by wrapping mechanism?
Vipul Patel (Expert):
Best practices for writing secure code:
Vipul Patel (Expert):
a. Don't tell the attacker anything
Vipul Patel (Expert):
b. Don't leak information in banner strings and unhandled errors...
Vipul Patel (Expert):
Double check your error messages and paths...
Vipul Patel (Expert):
Add security comments to your code...
Vipul Patel (Expert):
Don't write user files to \Program Files
Vipul Patel (Expert):
Don't write user data to HKLM
Vipul Patel (Expert):
Allow long passwords…
Vipul Patel (Expert):
and have an application log.
Vipul Patel (Expert):
That's all for today.....
subhashini (Moderator):
thanks again to all of you for attending the chat
Vipul Patel (Expert):
if you have any further questions, please email me at vipul_d_patel@hotmail.com or visit my unfrequented blog at http://spaces.msn.com/members/vipul and leave your comments there. I shall revert...
subhashini (Moderator):
see you all again tomorrow for the last part of this series
subhashini (Moderator):
have a lovely evening.