Webchat Transcript – Writing Secure Code – Part 1

















Chat Topic : Writing Secure Code – I
Chat Expert : Vipul Patel (MVP)
April 13, 2005
 




 




subhashini (Moderator):
hello everbody . A very good evening to all of you. 🙂
subhashini (Moderator):
Welcome to today’s webchat on writing secure code
subhashini (Moderator):
This is a chat in series
subhashini (Moderator):
and today is the part one of the series
subhashini (Moderator):
we have with us our MVP Vipul Patel
subhashini (Moderator):
with us today for the chat.
subhashini (Moderator):
To give a quick intro about him
subhashini (Moderator):
After pursuing a bachelor’s degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India’s college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com or vipul.patel@patni.com.
subhashini (Moderator):
As always , few chat rules
subhashini (Moderator):
before we beging the chat
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts.
subhashini (Moderator):
We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
lets get the chat rolling
subhashini (Moderator):
let us welcome Vipul
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini and welcome to all to the first of the series of webchats on “Writing secure code”
Vipul Patel (Expert):
Our topic Writing secure code is gaining popularity day by day and we are here to discuss about the same.
Vipul Patel (Expert):
I shall start with small introduction.
Vipul Patel (Expert):
If you have any questions , please feel free to send them to me thru “expert chat” radio button
Vipul Patel (Expert):
As the Internet grows in importance, applications are becoming highly interconnected.
Vipul Patel (Expert):
Earlier computers were not as highly interconnected as they are today, and hence most people wouldn’t care much about security.
Vipul Patel (Expert):
But times have changed. Virtually all computers—servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as embedded systems—are interconnected.
Vipul Patel (Expert):
that means that if one of the interconnected system is affected, it can affect the whole network
Vipul Patel (Expert):
No wonder why the World Wide Web is often referred to as the Wild Wild Web. 😉
Vipul Patel (Expert):
It is not only important to write robust code, the need of the day is to produce reliable & secure systems.
Vipul Patel (Expert):
Your system, if connected to Internet, is a potential victim for an attack.
Vipul Patel (Expert):
So Why is security important for you and me?
Vipul Patel (Expert):
1. The Media (and Your Competition) Leap on Security Issues: This is a business impact. If your application makes a security breach headlines, you are bound to lose a chunk of your business, not mentioning the bad publicity that you get. The media will hound you for days and your competition will mention it for years to come….
Vipul Patel (Expert):
2. People Shy Away from Products That Don’t Work As Advertised: If your application keeps crashing every now and then, then people will start avoiding your product.
Vipul Patel (Expert):
3. Security Vulnerabilities Are Expensive to Fix: If security flaws are detected after the product is released to market, then the cost of fixing that Vulnerability as well as deployment costs for the fix are enormous.
Vipul Patel (Expert):
With that background, lets begin our discussion on designing secure systems.
Vipul Patel (Expert):
What are the two most common security mistakes made by software companies?
Vipul Patel (Expert):
a. The application is designed, written, tested, and shipped to customers, but the developers forget to make it secure. Or they think they have, but they got the design wrong. It’s wrong because they added some security technology to their application to be “buzzword-compliant,” but the technology doesn’t mitigate any real security threats
Vipul Patel (Expert):
b. The second mistake is adding security to the application as an afterthought. Security aspect of the code should be from the design phase itself.
Vipul Patel (Expert):
Adding security features after the application is developed should be prevented for the following reasons:
Vipul Patel (Expert):
i. Adding security later is wrapping security around existing features, rather than designing features and security with both in mind
Vipul Patel (Expert):
ii. Adding any feature, including security, as an afterthought is expensive
Vipul Patel (Expert):
iii. Adding security might change the way you’ve implemented features. This too can be expensive
Vipul Patel (Expert):
iv. Adding security might change the application interface, which might break the code that has come to rely on the current interface.
Vipul Patel (Expert):
There is a need for the security principles to be imbibed in a software developement process. These principles are as under:
Vipul Patel (Expert):
a. Establish a security process
Vipul Patel (Expert):
b. Define the product security goals]
Vipul Patel (Expert):
c. Consider security as a product feature
Vipul Patel (Expert):
d. Learn from mistakes
Vipul Patel (Expert):
e. Use least privilege
Vipul Patel (Expert):
f. Use defense in depth
g. Assume external systems are insecure
h. Plan on failure
i. Fail to a secure mode
j. Employ secure defaults
h. Remember that security features != secure features
i. Never depend on security through obscurity
Vipul Patel (Expert):
Please let me complete the section theory for today, then I will jump to examples…. 🙂
Vipul Patel (Expert):
and then take up all the questions raised.
Vipul Patel (Expert):
How to incorporate security features thru design? The answer is thru Threat Modelling
Vipul Patel (Expert):
You cannot build a secure system until you understand your threats. It’s as simple as that.
Vipul Patel (Expert):
A threat model is a security based analysis that helps people determine the highest level security risks posed to the product and how attacks can manifest themselves.
Vipul Patel (Expert):
The goal is to determine which threasts require migitation and how to migitate the threats.
Vipul Patel (Expert):
Benefits of threat modeling
Vipul Patel (Expert):
a. It helps to understand the threat better.
Vipul Patel (Expert):
b. Threat models helps you find bugs.
Vipul Patel (Expert):
b. Threat models helps you find bugs.
Vipul Patel (Expert):
c. You can discover serious design bugs in the process
Vipul Patel (Expert):
d. Threat models can help new team members understand the application in detail.
Vipul Patel (Expert):
Threat modeling process:
Vipul Patel (Expert):
1. Assemble the threat-modelling team
Vipul Patel (Expert):
2. Decompose the application
Vipul Patel (Expert):
3. Determine the threats to the application using STRIDE model
Vipul Patel (Expert):
4. Rank the threats by decreasing risk
Vipul Patel (Expert):
5. Choose how to respond to the threats
Vipul Patel (Expert):
6. Choose techniques to mitigate the threats
Vipul Patel (Expert):
We are now done with the theory 😉 . and we shall begin examples of security vulnerabilities.
Vipul Patel (Expert):
The biggest security issue has been the Buffer overrun….
Vipul Patel (Expert):
Q: what is STRIDE model?
A: STRIDE model is a model to understand the security flaws. It includes analysis for the following type of flaws: “Spoofing identity”, “Tampering with data” , “Repudiation”, “Information disclosure”, “Denial of service”, “Elevation of privilege”
More details are available at http://msmvps.com/secure/archive/2004/06/22/8728.aspx
Vipul Patel (Expert):
No Sundar: The good thing about the .NET Framework is that it is no longer a security issue with .NET using C# and VB.NET. With VC++.NET, you need to compile your project with /GS option to identify any such possible buffer overflows in your project.
Vipul Patel (Expert):
Sai: Your question has been answered in the previous post.
Vipul Patel (Expert):
Q: How can Buffer Overrun be a security issue ?
A: I am coming to that with an example
Vipul Patel (Expert):
Defintion of buffer overrun: A stack based buffer overrun occurs when a buffer declared on the stack is overwritten by copying data larger than the buffer.
Vipul Patel (Expert):
Variables declared on the stack are located next to the return address for the function’s caller. The culprit here is the return address for the function gets overwritten by an address chosen by the attacker.
Vipul Patel (Expert):
e.g. code
void food (const char* input)
{
char buf[10];

// print statement to see the stack
printf (“Stack status :\n%p\n%p\n%p\n%p\n%p\n\n”);


strcpy(buf, input)
printf(“%s\n”, buf);


printf (“New Stack status :\n%p\n%p\n%p\n%p\n%p\n\n”);
}


void bar(void)
{
printf (“Uh Oh”);


}


int main (int argc, char* argv[])
{
printf(“Address of foo = %p\n”, foo);
printf(“Address of bar = %p\n”, bar);


if (argc != 2)
{
printf(“Please supply a string as argument\n”);
return -1;
}
foo(argv[1]);
return 0;
}
Vipul Patel (Expert):
please read “foo” instead of foo for the first function declaration.
Vipul Patel (Expert):
sat: which kind of failure is being talked of here?
Vipul Patel (Expert):
IN the above code sample : observe the code
// print statement to see the stack
printf (“Stack status :\n%p\n%p\n%p\n%p\n%p\n\n”);
This code is used to see the stack contents
Vipul Patel (Expert):
Q: What are other major security issuess to be taken care of , mainly with .NET ?
A: This concern will be addressed in the third webchat of the series scheduled on Friday this week..
Vipul Patel (Expert):
If we pass a string of less than 10 characters, it will work fine. Example of execution:
c:\Mycode>StackEx.exe Hello
Address of foo = 00401000
Address of bar = 00401045
Stack status:
00000000
00000000
7FFDF000
0012FF80
0040108A <This is the address we want to overwrite
00410EDE


Hello
New stack status:
6C6C6548 < You can see where Hello was copied in
0000000F
7FFDF000
0012FF80
0040108A
00410EDE
Vipul Patel (Expert):
See that the first memory location gets modified with the text. The second memory location is the instruction set for the second call.
Vipul Patel (Expert):
Now input a long string
:\Mycode>StackEx.exe AAAAAAAAAAAAAAAAAAAAAAA
Address of foo = 00401000
Address of bar = 00401045
Stack status:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410EDE


AAAAAAAAAAAAAAAAAAAAAAA
New stack status:
41414141
41414141
41414141
41414141
41414141
41414141
Vipul Patel (Expert):
If you use a longer string the whole stack buffer gets rewritten with the data from the string input…..
Vipul Patel (Expert):
And we also get an application error claiming the instruction at 0x41414141 tried to access memory at address 0x41414141.
Vipul Patel (Expert):
Q: But Vipul….is’nt this limitation limited to Unmanaged code in the .Net…..i mean over-writing the return address of a function in the stack….
A: Yes, thats the limitattion limited to unmanaged code in the .NET. That is not an issue with .NET application. I agree
Vipul Patel (Expert):
Q: what kind of security issues normally hit the web applications
A: For web applications, you need to make sure to consider the following during threat modelling:
a. Unvalidated paramaters
b. Broken access control
c. Borken authentication and session management
d. Cross site scripting flaws
e. Buffer overflows
f. Command injection flaws
g. Error handling problems
h. Insecure storage
i. Denial of service (!!! The top most threat)


You also need to see that there is no undue priviledge evevation
Vipul Patel (Expert):
If a smart hacker were to know of this vulnerability, he will write a script to execute the above executable with a specifc string which will expose this flaw.
Vipul Patel (Expert):
More information about this is available at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?
A: Yes, Buffer overrun can be migitated by the following steps
a. Always validate your input for the type and length.
b. Make sure your string handling operations are safe
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?
A: in the above code if we had the following check it could have been prevented



if (strlen (input) < sizeof(buf))
{
// everything in place
strcpy(buf, input)
}
else
{
// do the processing for failure…
}
Vipul Patel (Expert):
Q: How does MS address the Denial of Service…..i mean does the web-server has any means of preventing it…and does IIS have any feature of this kind….?
A: Hello Rakesh, we will take up Denial of Service tomorrow… Today we shall be limiting ourselves to Buffer overrun and ACLs..
Vipul Patel (Expert):
Sundar: you are right about storing int like data structure on the stack and the reference types on heap..
Vipul Patel (Expert):
But heap buffer overrun is also posisble, but it is dificult to exploit.
Vipul Patel (Expert):
Q: You never answerd what’s the impact of buffer overrun in .Net world, in C run time world I think those who familier with that have better understanding 🙂
A: Fortunately, buffer overrun is not an issue with .NET. The .NET framework handles the issue with buffer overruns…. it is only an issue with legacy applications and unmanaged code written in VC++.NET
Vipul Patel (Expert):
Q: in C# i guess only the basic data types like int variables are stored in stack . basically the reference objects are stored in heaps so the risk is very low. in this case how ill a function get executed?
A: This is not applicable to .NET applications in C#
Vipul Patel (Expert):
Q: other than String Handling errors and Array indexing errors what are all the possible causes for Heap overruns
A: Unicode and ANSI Buffer size mismatches are another source for the heap overruns
Vipul Patel (Expert):
Q: can u please throw some light on Array Indexing errors and its impact on Heap over runs?
A: I shall discuss this later
Vipul Patel (Expert):
Q: Why did microsoft not consider the /GS behavior default ?
A: it is only applicabel for unmanaged code in VC++.NET
Vipul Patel (Expert):
Q: is there any way in .Net to avoid Heap Over runs? because there are ways to have non executable stacks in operating systems and there are also tools like StackGuard to avoid stack based overruns. is there something like that for heap over runs
A: safe string handling for one..
I need to investigate this more…..
Vipul Patel (Expert):
Q: Oh sorry I got a look at the article you reffered recently, so strsafe.h is the solution right
A: yes
Vipul Patel (Expert):
Q: Recently C librarys has improved functions, like the one I mentioned earlier nstrcpy(), is that type of implementations are missing in VC++
A: it was missing in VC++ 6.0
Vipul Patel (Expert):
Q: Give a simple security method for a windows application which is connecting to www or some Dedicated line often
A: Have a firewall installed
Vipul Patel (Expert):
Q: What are the different ACLs that can be employed and how to chose the best of it?
A: ACL strategy
1. Determine the resource you need
2. Determine the business defined acccess requirement
3. Determine the appropriate access control technology
4. Convert the access requirements to access control technology
Vipul Patel (Expert):
Q: is one required to have diffrent security model for “Intranet” or “Internet” application
A: no, if you have Single Signon for INtranet, yes other wise, because the scenarios are different for both
subhashini (Moderator):
We have almost come to the end of this chat today. Space for one more question!
subhashini (Moderator):
I willw ait for Vipul to complete answering the questions to announce the closure of this chat.
Vipul Patel (Expert):
Most of us are admin on our machines. Imagine what will happen when you download a malicious script and the script gets running in admin mode… your machine is bound to be infected.
subhashini (Moderator):
So that brings us to the end of today’s chat
subhashini (Moderator):
Hold on to your questions till tomorrow
subhashini (Moderator):
because this chat is a series chat
Vipul Patel (Expert):
Q: but is’nt this discrimination between intranet and internet handled by .Net CLR implicitly…..
A: We are not talking from .NET CLR perspective, but rather from a developer point of view using any developement language.
subhashini (Moderator):
that willc ontinue till friday
subhashini (Moderator):
So friends , meet you again tomorrow
subhashini (Moderator):
and be ready with your questions ..let’s shoot it out to Vipul
subhashini (Moderator):
🙂
subhashini (Moderator):
So lets catch up with teh seciond series of this chat tomorrow at 5pm
subhashini (Moderator):
Till then , have a lovely evening
Vipul Patel (Expert):
Q: And what are security issues with desktop or client server applications ?
A: improper file permission, undue Access control to name a few
Vipul Patel (Expert):
Q: what are security issues with desktop or client server applications ?
A: improper file permission, undue Access control to name a few
subhashini (Moderator):
And lets thank Vipul for his great spirit to take this chat in succession
subhashini (Moderator):
🙂 Thanks Vipul
subhashini (Moderator):
And all of you have a lovely evening ..
Vipul Patel (Expert):
One of the best articles on running with least privildge is http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx\
Vipul Patel (Expert):
THats all for today. See you all tomorrow when we discuss about Cryptographic Foibles, Storing Secrets, Canonical Representation Issues and Network-Based Application Considerations
Vipul Patel (Expert):
good day to all…. and a good morning to me… its 5:45 am in los angeles and time to go to work…..

No comments yet. Be the first.

Leave a Reply