subhashini (Moderator): hello everybody
subhashini (Moderator): a very good evening to all of you
subhashini (Moderator): and welcome all of you to join us for the second part of the series chat
subhashini (Moderator): on writing secure code
subhashini (Moderator): Thanks to Vipul Patel (MVP) for hosting this series chat
subhashini (Moderator): Guys, thanks to him, he's based out of the US and is currently hosting the chat during his odd hours
subhashini (Moderator): Once again a quick run through the chat rules
subhashini (Moderator): Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator): Chat Procedures: This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator): thanks to all of you for attending this chat.
subhashini (Moderator): and let's welcome Vipul
Vipul Patel (Expert): Thanks Subhashini for the opportunity. Welcome to the second part of the series on Writing Secure Code.
subhashini (Moderator): to continue the series
subhashini (Moderator): Hi Vipul
Vipul Patel (Expert): Hello all
Vipul Patel (Expert): Those who missed out yesterday: a quick recap. Yesterday the main focus was the need for writing secure code, threat modeling and we saw two security concerns: buffer overrun and ACLs.
Vipul Patel (Expert): Today we shall focus on the other security concerns….
Vipul Patel (Expert): We begin with poor cryptographic techniques
Vipul Patel (Expert): Crypto can help secure data from specific threats, but it does not secure the application from coding errors.
Vipul Patel (Expert): Common mistakes people make when using cryptography include
Vipul Patel (Expert): a. using poor random numbers
Vipul Patel (Expert): b. using passwords to derive cryptographic keys
Vipul Patel (Expert): Let's catch them one by one
Vipul Patel (Expert): Did you know that the Random function provided by the operating systems generates the same sequence of random numbers every time.
Vipul Patel (Expert): Same case with the Frameworks……
Vipul Patel (Expert): Consider this code in C++
    // Always prints 52 4 26 66 26 ...
    #include <cstdio>
    #include <cstdlib>

    int main() {
        srand(12366);                      // fixed seed: the sequence is identical on every run
        for (int i = 0; i < 10; i++) {
            int n = rand() % 100;          // "random" value, fully determined by the seed
            printf("%d ", n);
        }
        return 0;
    }

Vipul Patel (Expert): The above code snippet always results in the same sets of numbers…..
Vipul Patel (Expert): let's see one in C#

    using System;

    class Class1
    {
        /// <summary>
        /// The main entry point for the application.
        /// </summary>
        [STAThread]
        static void Main(string[] args)
        {
            // TODO: Add code to start application here
            Random rnd = new Random(1234);     // fixed seed: same 20 numbers on every run
            for (int i = 0; i < 20; i++)
            {
                Console.WriteLine(rnd.Next(100));
            }
        }
    }

Vipul Patel (Expert): The above code also results in the same sequence of random numbers being generated.
Vipul Patel (Expert): The problem with using such functions is that if your application is of a secure nature like a financial institution application, such a dependency on system provided (read predictable) numbers can be easily tracked by the hacker……
Vipul Patel (Expert): If the random numbers are used for say saving the session key, then all the session information is at risk….
Vipul Patel (Expert): How to avoid such a situation…..
Vipul Patel (Expert): For Win32 applications use the CryptGenRandom class…………………
Vipul Patel (Expert): and those of you coding in C#, use the RNGCryptoServiceProvider class available in the System.Security.Cryptography namespace
Vipul Patel (Expert): another poor cryptographic technique is "Using Passwords to Derive Cryptographic Keys"
Vipul Patel (Expert): some applications are based on a security model where you ask the user for the password for a specific action and then this user-provided password is used as a cryptographic key.
Vipul Patel (Expert): The problem with such an approach is that if the password is small, then it is easy to predict through a dictionary attack……
Vipul Patel (Expert): Dictionary attack: try all possible words from the dictionary to see which works as a key….
Vipul Patel (Expert): Suggestion: Keep your passwords long and random.
Vipul Patel (Expert): You can make this a network policy…..
Vipul Patel (Expert): With Win2003 Server and later, you can validate password compliance with NetValidatePasswordPolicy.
Vipul Patel (Expert): More information available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp>
Vipul Patel (Expert): Use Keyed Hash
Vipul Patel (Expert): Keyed Hash: is a hash that includes some secret data, data known only to the sender and recipients. It is typically created by hashing the plaintext concatenated with some secret key or a derivation of the secret key. It is one kind of message authentication code (MAC).
Vipul Patel (Expert): the idea here is to not use a simple hash but to use a keyed hash…….. This secures things a bit….
subhashini (Moderator): sorry guys, Vipul
subhashini (Moderator): might have just got logged out
subhashini (Moderator): please hold on for a couple of mins. he would be back
subhashini (Moderator): Vipul has lost his wireless connection and has had to reboot
subhashini (Moderator): so, he would be back any minute
subhashini (Moderator): thanks for cooperating
subhashini (Moderator): thanks guys
Vipul Patel (Expert): sorry for the confusion guys…
Vipul Patel (Expert): let's continue
Vipul Patel (Expert): Creating a Keyed hash

    using System.Security.Cryptography;

    // key: the secret shared with the recipient; message: the bytes to authenticate
    HMACSHA1 hmac = new HMACSHA1();
    hmac.Key = key;
    byte[] hash = hmac.ComputeHash(message);

Tip: Use the Operating system or .NET framework libraries. It's much easier than implementing the logic yourself.
subhashini (Moderator): apologies for the technical tricks played on us by the chat tool. we are back and let's get the chat rocking!
Vipul Patel (Expert): So how do you protect secrets?
Vipul Patel (Expert): We usually hash the data…..
Vipul Patel (Expert): But better than hash, do a salted hash…
Vipul Patel (Expert): Hash: is a cryptographic algorithm that produces a different output, called a message digest, for each unique element of data
Vipul Patel (Expert): Better than hash, use a salted hash
Vipul Patel (Expert): Salt is a random number that is added to the hashed data to eliminate the use of precompiled dictionary attacks, making an attempt to recover the original secret extremely expensive. The salt is stored unencrypted with the hash.
Vipul Patel (Expert): More information is available at <http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx>
Vipul Patel (Expert): Coming to talk of DPAPI, let's see what is available in Windows 2000 and above
Vipul Patel (Expert): In Windows 2000 and later, we can use the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData.
Vipul Patel (Expert): http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx
Vipul Patel (Expert): Guys the above link should work…
Vipul Patel (Expert): These functions encrypt (DPAPI) and decrypt data by using a key derived from the user's password. In addition, decryption can be done only on the computer where the data was encrypted unless the user has a roaming profile, in which case she can decrypt the data from another computer on the network.
Vipul Patel (Expert): A Special Case: Client Credentials in Windows XP
Vipul Patel (Expert): Windows XP includes functionality named Stored User Names And Passwords to make handling users' passwords and other credentials, such as private keys, easier, more consistent, and safer. If your application includes a client component that requires you to prompt for or store a user's credentials, you should seriously consider using this feature for the following reasons:
• Support for different types of credentials, such as passwords and keys, on smart cards.
• Support for securely saving credentials by using DPAPI.
• No need to define your own user interface. It's provided, although you can add a custom image to the dialog box.
Vipul Patel (Expert): Use NTFS for enhanced security. FAT and FAT32 do not enforce strict security checks.
Vipul Patel (Expert): Other small nuances to take care of…..
Vipul Patel (Expert): Trust no input
Vipul Patel (Expert): Always validate any user input for all possible values: minimum, maximum, boundary conditions, etc. You can check the format of the input data with regular expressions
Vipul Patel (Expert): DOS device name vulnerability: Due to compatibility reasons, DOS device names have been carried over to Windows. That's why you can't create a file named PRN or COM1, COM2 or LPT. Creating such files (even for temporary purposes) through code should be avoided.
Vipul Patel (Expert): Don't trust the PATH variable. Use full path names. If your application uses the PATH variable explicitly for a good number of reasons, it is better to create a custom environment variable for the purpose, as the PATH variable should not be depended upon since a lot of applications may modify it..
Vipul Patel (Expert): SQL Injection attacks
Vipul Patel (Expert): consider a SQL statement

    string sql = "select * from client where name = '" + name + "'";

Vipul Patel (Expert): imagine a user entering Blake' or 1 = 1
Vipul Patel (Expert): Q: vipul, are SQL injection attacks fully preventable through Stored procedures. A: no, for SQL injection SPs are not a solution. People use two solutions
Vipul Patel (Expert): Q: vipul, are SQL injection attacks fully preventable through Stored procedures. A: Correct solution is a. never ever connect as sysadmin (This limits database damage by SQL injection) b. Build your SQL statements securely, use Parameterized commands in your SP…………..
Vipul Patel (Expert): Q: what are your strong recommendations to deal with SQL injection attacks A: a. never ever connect as sysadmin (This limits database damage by SQL injection) b. Build your SQL statements securely, use Parameterized commands in your SP…………..
subhashini (Moderator): guys, we have the last 13 mins left for the chat to conclude for today
subhashini (Moderator): please ask the last few questions to get them answered
Vipul Patel (Expert): I agree with Chakravarthy: If possible prevent the user from entering "'" when he is specifying text based information. But the problem is with names like L'Oreal… how to deal with that..
Vipul Patel (Expert): Q: vipul, are there any other security areas that you need to highlight and may not have time to discuss fully here. A: I will not be able to cover the security in .NET framework which I will cover tomorrow…….
Vipul Patel (Expert): Q: i want to ask whether parameterized commands are foolproof. A: Depends on your code. But it is deemed and projected as quite secure..
Vipul Patel (Expert): Q: suppose, i have a web application, then..using encryption class is not going to help much, as encryption would occur at server side, after all data is transferred across the n/w without encryption. am i right??? A: If you use SSL, then your data will be secure when transferred from the client to the server….
Vipul Patel (Expert): Q: Hi, tell me more about DPAPI and what all complexities are involved implementing it? A: already answered….
Vipul Patel (Expert): Yes, don't allow the "where" word, if possible, I must add….
Vipul Patel (Expert): Chakravarthy: Whidbey: I shall answer that tomorrow…..
subhashini (Moderator): So this brings us to the end of today's chat
subhashini (Moderator): and hope to see you all tomorrow
subhashini (Moderator): and hold on to your questions till tomorrow
subhashini (Moderator): also feel free to email Vipul at vipul_d_patel@hotmail.com
Vipul Patel (Expert): The best resource on writing secure code is a book by Michael Howard titled "Writing Secure Code"………. Google for more information on the book….
Vipul Patel (Expert): Chakravarthy:….. go ahead…
subhashini (Moderator): go ahead Chakravarthy
Vipul Patel (Expert): For securing already written code, I suggest that you have a robust code review policy, revisit your design, basically perform threat modelling for an already existing application..
Vipul Patel (Expert): That is a judgement call, if you feel that the previously written code is not secure, demo the failure to your team lead, and then suggest that the following remedies will apply….
Vipul Patel (Expert): what do you mean by wrapping mechanism?
Vipul Patel (Expert): Best practices for writing secure code:
Vipul Patel (Expert): a. Don't tell the attacker anything
Vipul Patel (Expert): b. Don't leak information in banner strings and unhandled errors…
Vipul Patel (Expert): Double check your error messages and paths…
Vipul Patel (Expert): Add security comments to your code…
Vipul Patel (Expert): Don't write user files to \Program Files
Vipul Patel (Expert): Don't write user data to HKLM
Vipul Patel (Expert): Allow long passwords…
Vipul Patel (Expert): and have an application log.
Vipul Patel (Expert): That's all for today…..
subhashini (Moderator): thanks again to all of you for attending the chat
Vipul Patel (Expert): if you have any further questions, please email me at vipul_d_patel@hotmail.com or visit my unfrequented blog at http://spaces.msn.com/members/vipul and leave your comments there.
I shall revert…
subhashini (Moderator): see you all again tomorrow for the last part of this series
subhashini (Moderator): have a lovely evening.