subhashini (Moderator): hello everbody . A very good evening to all of you. 🙂 subhashini (Moderator): Welcome to today’s webchat on writing secure code subhashini (Moderator): This is a chat in series subhashini (Moderator): and today is the part one of the series subhashini (Moderator): we have with us our MVP Vipul Patel subhashini (Moderator): with us today for the chat. subhashini (Moderator): To give a quick intro about him subhashini (Moderator): After pursuing a bachelor’s degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India’s college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries. subhashini (Moderator): He can be contacted at vipul_d_patel@hotmail.com or vipul.patel@patni.com. subhashini (Moderator): As always , few chat rules subhashini (Moderator): before we beging the chat subhashini (Moderator): Please refrain from sending any private messages to the expert during the chat subhashini (Moderator): Chat Procedures: This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. subhashini (Moderator): We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over. subhashini (Moderator): lets get the chat rolling subhashini (Moderator): let us welcome Vipul subhashini (Moderator): Hi Vipul Vipul Patel (Expert): Thanks Subhashini and welcome to all to the first of the series of webchats on “Writing secure code” Vipul Patel (Expert): Our topic Writing secure code is gaining popularity day by day and we are here to discuss about the same. Vipul Patel (Expert): I shall start with small introduction. Vipul Patel (Expert): If you have any questions , please feel free to send them to me thru “expert chat” radio button Vipul Patel (Expert): As the Internet grows in importance, applications are becoming highly interconnected. Vipul Patel (Expert): Earlier computers were not as highly interconnected as they are today, and hence most people wouldn’t care much about security. Vipul Patel (Expert): But times have changed. Virtually all computers—servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as embedded systems—are interconnected. Vipul Patel (Expert): that means that if one of the interconnected system is affected, it can affect the whole network Vipul Patel (Expert): No wonder why the World Wide Web is often referred to as the Wild Wild Web. 😉 Vipul Patel (Expert): It is not only important to write robust code, the need of the day is to produce reliable & secure systems. Vipul Patel (Expert): Your system, if connected to Internet, is a potential victim for an attack. Vipul Patel (Expert): So Why is security important for you and me? Vipul Patel (Expert): 1. The Media (and Your Competition) Leap on Security Issues: This is a business impact. If your application makes a security breach headlines, you are bound to lose a chunk of your business, not mentioning the bad publicity that you get. The media will hound you for days and your competition will mention it for years to come…. Vipul Patel (Expert): 2. People Shy Away from Products That Don’t Work As Advertised: If your application keeps crashing every now and then, then people will start avoiding your product. Vipul Patel (Expert): 3. Security Vulnerabilities Are Expensive to Fix: If security flaws are detected after the product is released to market, then the cost of fixing that Vulnerability as well as deployment costs for the fix are enormous. Vipul Patel (Expert): With that background, lets begin our discussion on designing secure systems. Vipul Patel (Expert): What are the two most common security mistakes made by software companies? Vipul Patel (Expert): a. The application is designed, written, tested, and shipped to customers, but the developers forget to make it secure. Or they think they have, but they got the design wrong. It’s wrong because they added some security technology to their application to be “buzzword-compliant,” but the technology doesn’t mitigate any real security threats Vipul Patel (Expert): b. The second mistake is adding security to the application as an afterthought. Security aspect of the code should be from the design phase itself. Vipul Patel (Expert): Adding security features after the application is developed should be prevented for the following reasons: Vipul Patel (Expert): i. Adding security later is wrapping security around existing features, rather than designing features and security with both in mind Vipul Patel (Expert): ii. Adding any feature, including security, as an afterthought is expensive Vipul Patel (Expert): iii. Adding security might change the way you’ve implemented features. This too can be expensive Vipul Patel (Expert): iv. Adding security might change the application interface, which might break the code that has come to rely on the current interface. Vipul Patel (Expert): There is a need for the security principles to be imbibed in a software developement process. These principles are as under: Vipul Patel (Expert): a. Establish a security process Vipul Patel (Expert): b. Define the product security goals] Vipul Patel (Expert): c. Consider security as a product feature Vipul Patel (Expert): d. Learn from mistakes Vipul Patel (Expert): e. Use least privilege Vipul Patel (Expert): f. Use defense in depth g. Assume external systems are insecure h. Plan on failure i. Fail to a secure mode j. Employ secure defaults h. Remember that security features != secure features i. Never depend on security through obscurity Vipul Patel (Expert): Please let me complete the section theory for today, then I will jump to examples…. 🙂 Vipul Patel (Expert): and then take up all the questions raised. Vipul Patel (Expert): How to incorporate security features thru design? The answer is thru Threat Modelling Vipul Patel (Expert): You cannot build a secure system until you understand your threats. It’s as simple as that. Vipul Patel (Expert): A threat model is a security based analysis that helps people determine the highest level security risks posed to the product and how attacks can manifest themselves. Vipul Patel (Expert): The goal is to determine which threasts require migitation and how to migitate the threats. Vipul Patel (Expert): Benefits of threat modeling Vipul Patel (Expert): a. It helps to understand the threat better. Vipul Patel (Expert): b. Threat models helps you find bugs. Vipul Patel (Expert): b. Threat models helps you find bugs. Vipul Patel (Expert): c. You can discover serious design bugs in the process Vipul Patel (Expert): d. Threat models can help new team members understand the application in detail. Vipul Patel (Expert): Threat modeling process: Vipul Patel (Expert): 1. Assemble the threat-modelling team Vipul Patel (Expert): 2. Decompose the application Vipul Patel (Expert): 3. Determine the threats to the application using STRIDE model Vipul Patel (Expert): 4. Rank the threats by decreasing risk Vipul Patel (Expert): 5. Choose how to respond to the threats Vipul Patel (Expert): 6. Choose techniques to mitigate the threats Vipul Patel (Expert): We are now done with the theory 😉 . and we shall begin examples of security vulnerabilities. Vipul Patel (Expert): The biggest security issue has been the Buffer overrun…. Vipul Patel (Expert): Q: what is STRIDE model? A: STRIDE model is a model to understand the security flaws. It includes analysis for the following type of flaws: “Spoofing identity”, “Tampering with data” , “Repudiation”, “Information disclosure”, “Denial of service”, “Elevation of privilege” More details are available at http://msmvps.com/secure/archive/2004/06/22/8728.aspx Vipul Patel (Expert): No Sundar: The good thing about the .NET Framework is that it is no longer a security issue with .NET using C# and VB.NET. With VC++.NET, you need to compile your project with /GS option to identify any such possible buffer overflows in your project. Vipul Patel (Expert): Sai: Your question has been answered in the previous post. Vipul Patel (Expert): Q: How can Buffer Overrun be a security issue ? A: I am coming to that with an example Vipul Patel (Expert): Defintion of buffer overrun: A stack based buffer overrun occurs when a buffer declared on the stack is overwritten by copying data larger than the buffer. Vipul Patel (Expert): Variables declared on the stack are located next to the return address for the function’s caller. The culprit here is the return address for the function gets overwritten by an address chosen by the attacker. Vipul Patel (Expert): e.g. code void food (const char* input) { char buf[10];
// print statement to see the stack printf (“Stack status :\n%p\n%p\n%p\n%p\n%p\n\n”);
strcpy(buf, input) printf(“%s\n”, buf);
printf (“New Stack status :\n%p\n%p\n%p\n%p\n%p\n\n”); }
void bar(void) { printf (“Uh Oh”);
}
int main (int argc, char* argv[]) { printf(“Address of foo = %p\n”, foo); printf(“Address of bar = %p\n”, bar);
if (argc != 2) { printf(“Please supply a string as argument\n”); return -1; } foo(argv[1]); return 0; } Vipul Patel (Expert): please read “foo” instead of foo for the first function declaration. Vipul Patel (Expert): sat: which kind of failure is being talked of here? Vipul Patel (Expert): IN the above code sample : observe the code // print statement to see the stack printf (“Stack status :\n%p\n%p\n%p\n%p\n%p\n\n”); This code is used to see the stack contents Vipul Patel (Expert): Q: What are other major security issuess to be taken care of , mainly with .NET ? A: This concern will be addressed in the third webchat of the series scheduled on Friday this week.. Vipul Patel (Expert): If we pass a string of less than 10 characters, it will work fine. Example of execution: c:\Mycode>StackEx.exe Hello Address of foo = 00401000 Address of bar = 00401045 Stack status: 00000000 00000000 7FFDF000 0012FF80 0040108A <This is the address we want to overwrite 00410EDE
Hello New stack status: 6C6C6548 < You can see where Hello was copied in 0000000F 7FFDF000 0012FF80 0040108A 00410EDE Vipul Patel (Expert): See that the first memory location gets modified with the text. The second memory location is the instruction set for the second call. Vipul Patel (Expert): Now input a long string :\Mycode>StackEx.exe AAAAAAAAAAAAAAAAAAAAAAA Address of foo = 00401000 Address of bar = 00401045 Stack status: 00000000 00000000 7FFDF000 0012FF80 0040108A 00410EDE
AAAAAAAAAAAAAAAAAAAAAAA New stack status: 41414141 41414141 41414141 41414141 41414141 41414141 Vipul Patel (Expert): If you use a longer string the whole stack buffer gets rewritten with the data from the string input….. Vipul Patel (Expert): And we also get an application error claiming the instruction at 0x41414141 tried to access memory at address 0x41414141. Vipul Patel (Expert): Q: But Vipul….is’nt this limitation limited to Unmanaged code in the .Net…..i mean over-writing the return address of a function in the stack…. A: Yes, thats the limitattion limited to unmanaged code in the .NET. That is not an issue with .NET application. I agree Vipul Patel (Expert): Q: what kind of security issues normally hit the web applications A: For web applications, you need to make sure to consider the following during threat modelling: a. Unvalidated paramaters b. Broken access control c. Borken authentication and session management d. Cross site scripting flaws e. Buffer overflows f. Command injection flaws g. Error handling problems h. Insecure storage i. Denial of service (!!! The top most threat)
You also need to see that there is no undue priviledge evevation Vipul Patel (Expert): If a smart hacker were to know of this vulnerability, he will write a script to execute the above executable with a specifc string which will expose this flaw. Vipul Patel (Expert): More information about this is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp Vipul Patel (Expert): Q: how should we handle this buffer overrun then ? by validating user input ? A: Yes, Buffer overrun can be migitated by the following steps a. Always validate your input for the type and length. b. Make sure your string handling operations are safe Vipul Patel (Expert): Q: how should we handle this buffer overrun then ? by validating user input ? A: in the above code if we had the following check it could have been prevented
if (strlen (input) < sizeof(buf)) { // everything in place strcpy(buf, input) } else { // do the processing for failure… } Vipul Patel (Expert): Q: How does MS address the Denial of Service…..i mean does the web-server has any means of preventing it…and does IIS have any feature of this kind….? A: Hello Rakesh, we will take up Denial of Service tomorrow… Today we shall be limiting ourselves to Buffer overrun and ACLs.. Vipul Patel (Expert): Sundar: you are right about storing int like data structure on the stack and the reference types on heap.. Vipul Patel (Expert): But heap buffer overrun is also posisble, but it is dificult to exploit. Vipul Patel (Expert): Q: You never answerd what’s the impact of buffer overrun in .Net world, in C run time world I think those who familier with that have better understanding 🙂 A: Fortunately, buffer overrun is not an issue with .NET. The .NET framework handles the issue with buffer overruns…. it is only an issue with legacy applications and unmanaged code written in VC++.NET Vipul Patel (Expert): Q: in C# i guess only the basic data types like int variables are stored in stack . basically the reference objects are stored in heaps so the risk is very low. in this case how ill a function get executed? A: This is not applicable to .NET applications in C# Vipul Patel (Expert): Q: other than String Handling errors and Array indexing errors what are all the possible causes for Heap overruns A: Unicode and ANSI Buffer size mismatches are another source for the heap overruns Vipul Patel (Expert): Q: can u please throw some light on Array Indexing errors and its impact on Heap over runs? A: I shall discuss this later Vipul Patel (Expert): Q: Why did microsoft not consider the /GS behavior default ? A: it is only applicabel for unmanaged code in VC++.NET Vipul Patel (Expert): Q: is there any way in .Net to avoid Heap Over runs? because there are ways to have non executable stacks in operating systems and there are also tools like StackGuard to avoid stack based overruns. is there something like that for heap over runs A: safe string handling for one.. I need to investigate this more….. Vipul Patel (Expert): Q: Oh sorry I got a look at the article you reffered recently, so strsafe.h is the solution right A: yes Vipul Patel (Expert): Q: Recently C librarys has improved functions, like the one I mentioned earlier nstrcpy(), is that type of implementations are missing in VC++ A: it was missing in VC++ 6.0 Vipul Patel (Expert): Q: Give a simple security method for a windows application which is connecting to www or some Dedicated line often A: Have a firewall installed Vipul Patel (Expert): Q: What are the different ACLs that can be employed and how to chose the best of it? A: ACL strategy 1. Determine the resource you need 2. Determine the business defined acccess requirement 3. Determine the appropriate access control technology 4. Convert the access requirements to access control technology Vipul Patel (Expert): Q: is one required to have diffrent security model for “Intranet” or “Internet” application A: no, if you have Single Signon for INtranet, yes other wise, because the scenarios are different for both subhashini (Moderator): We have almost come to the end of this chat today. Space for one more question! subhashini (Moderator): I willw ait for Vipul to complete answering the questions to announce the closure of this chat. Vipul Patel (Expert): Most of us are admin on our machines. Imagine what will happen when you download a malicious script and the script gets running in admin mode… your machine is bound to be infected. subhashini (Moderator): So that brings us to the end of today’s chat subhashini (Moderator): Hold on to your questions till tomorrow subhashini (Moderator): because this chat is a series chat Vipul Patel (Expert): Q: but is’nt this discrimination between intranet and internet handled by .Net CLR implicitly….. A: We are not talking from .NET CLR perspective, but rather from a developer point of view using any developement language. subhashini (Moderator): that willc ontinue till friday subhashini (Moderator): So friends , meet you again tomorrow subhashini (Moderator): and be ready with your questions ..let’s shoot it out to Vipul subhashini (Moderator): 🙂 subhashini (Moderator): So lets catch up with teh seciond series of this chat tomorrow at 5pm subhashini (Moderator): Till then , have a lovely evening Vipul Patel (Expert): Q: And what are security issues with desktop or client server applications ? A: improper file permission, undue Access control to name a few Vipul Patel (Expert): Q: what are security issues with desktop or client server applications ? A: improper file permission, undue Access control to name a few subhashini (Moderator): And lets thank Vipul for his great spirit to take this chat in succession subhashini (Moderator): 🙂 Thanks Vipul subhashini (Moderator): And all of you have a lovely evening .. Vipul Patel (Expert): One of the best articles on running with least privildge is http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx\ Vipul Patel (Expert): THats all for today. See you all tomorrow when we discuss about Cryptographic Foibles, Storing Secrets, Canonical Representation Issues and Network-Based Application Considerations Vipul Patel (Expert): good day to all…. and a good morning to me… its 5:45 am in los angeles and time to go to work…..
|