|
Writing Secure Code 2nd Edition
Keep black-hat hackers at bay with the tips and techniques in this entertaining, eye-opening book! Developers will learn how to padlock their applications throughout the entire development process - from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Short, easily
digested chapters reveal proven principles, strategies, and coding techniques. The authors - two battle-scarred veterans who have solved some of the industry's toughest security problems - provide sample code in several languages. This edition includes updated information about threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. It also includes enhanced coverage of buffer overruns, Microsoft .NET security, and Microsoft ActiveX development, plus practical checklists for developers, testers, and program managers.
* Focuses on the number one issue on developers' minds today - how to write code that can withstand malicious attack
* Includes enhanced coverage of topics from the first edition plus in-depth coverage of new topics to offer the best, most comprehensive security title for developers
* It's the security book recommended by Bill Gates (Microsoft Chief Software Architect) and Brian Valentine (Microsoft Senior Vice President for Microsoft Windows Development)
Table of Contents:
PART I CONTEMPORARY SECURITY
1 The Need for Secure Systems
Applications on the Wild Wild Web
The Need for Trustworthy Computing
Getting Everyone's Head in the Game
Using Tact to Sell Security to the Organization
Using Subversion
Some Ideas for Instilling a Security Culture
Get the Boss to Send an E-Mail
Nominate a Security Evangelist
The Attacker's Advantage and the Defender's Dilemma
Principle #1: The defender must defend all points; the attacker can choose the weakest point.
Principle #2: The defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities.
Principle #3: The defender must be constantly vigilant; the attacker can strike at will.
Principle #4: The defender must play by the rules; the attacker can play dirty.
Summary
2 The Proactive Security Development Process
Process Improvements
The Role of Education
Resistance to Mandatory Training
Ongoing Training
Advancing the Science of Security
Education Proves the More Eyes Fallacy
Now the Evidence!
Design Phase
Security Questions During Interviews
Define the Product Security Goals
Security Is a Product Feature
Making Time for Security
Threat Modeling Leads to Secure Design
Build End-of-Life Plans for Insecure Features
Setting the Bug Bar
Security Team Review
Development Phase
Be Hardcore About Who Can Check In New Code (Check-Ins Checked)
Security Peer Review of New Code (Check-Ins Checked)
Define Secure Coding Guidelines
Review Old Defects
External Security Review
Security Push
Be Mindful of Your Bug Counts
Keep Track of Bug Metrics
No Surprises and No Easter Eggs!
Test Phase
Shipping and Maintenance Phases
How Do You Know When You're Done?
Response Process
Accountability
Summary
3 Security Principles to Live By
SD3: Secure by Design, by Default, and in Deployment
Secure by Design
Secure by Default
Secure in Deployment
Security Principles
Learn from Mistakes
Minimize Your Attack Surface
Employ Secure Defaults
Use Defense in Depth
Use Least Privilege
Backward Compatibility Will Always Give You Grief
Assume External Systems Are Insecure
Plan on Failure
Fail to a Secure Mode
Remember That Security Features != Secure Features
Never Depend on Security Through Obscurity Alone
Don't Mix Code and Data
Fix Security Issues Correctly
Summary
4 Threat Modeling
Secure Design Through Threat Modeling
Assemble the Threat-Modeling Team
Decompose the Application
Determine the Threats to the System
Rank the Threats by Decreasing Risk
Choose How to Respond to the Threats
Choose Techniques to Mitigate the Threats
Security Techniques
Authentication
Authorization
Tamper-Resistant and Privacy-Enhanced Technologies
Protect Secrets, or Better Yet, Don't Store Secrets
Encryption, Hashes, MACs, and Digital Signatures
Auditing
Filtering, Throttling, and Quality of Service
Least Privilege
Mitigating the Sample Payroll Application Threats
A Cornucopia of Threats and Solutions
Summary
PART II SECURE CODING TECHNIQUES
5 Public Enemy #1: The Buffer Overrun
Stack Overruns
Heap Overruns
Array Indexing Errors
Format String Bugs
Unicode and ANSI Buffer Size Mismatches
A Real Unicode Bug Example
Preventing Buffer Overruns
Safe String Handling
A Word of Caution About String-Handling Functions
The Visual C++ .NET /GS Option
Summary
6 Determining Appropriate Access Control
Why ACLs Are Important
A Diversion: Fixing the Registry Code
What Makes Up an ACL?
A Method of Choosing Good ACLs
Effective Deny ACEs
Creating ACLs
Creating ACLs in Windows NT 4
Creating ACLs in Windows 2000
Creating ACLs with Active Template Library
Getting the ACE Order Right
Be Wary of the Terminal Server and Remote Desktop SIDs
NULL DACLs and Other Dangerous ACE Types
NULL DACLs and Auditing
Dangerous ACE Types
What If I Can't Change the NULL DACL?
Other Access Control Mechanisms
.NET Framework Roles
COM+ Roles
IP Restrictions
SQL Server Triggers and Permissions
A Medical Example
An Important Note About Access Control Mechanisms
Summary
7 Running with Least Privilege
Least Privilege in the Real World
Viruses and Trojans
Web Server Defacements
Brief Overview of Access Control
Brief Overview of Privileges
SeBackupPrivilege Issues
SeRestorePrivilege Issues
SeDebugPrivilege Issues
SeTcbPrivilege Issues
SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege Issues
SeLoadDriverPrivilege Issues
SeRemoteShutdownPrivilege Issues
SeTakeOwnershipPrivilege Issues
Brief Overview of Tokens
How Tokens, Privileges, SIDs, ACLs, and Processes Relate
SIDs and Access Checks, Privileges and Privilege Checks
Three Reasons Applications Require Elevated Privileges
ACL Issues
Privilege Issue
Using LSA Secrets
Solving the Elevated Privileges Issue
Solving ACL Issues
Solving Privilege Issues
Solving LSA Issues
A Process for Determining Appropriate Privilege
Step 1: Find Resources Used by the Application
Step 2: Find Privileged APIs Used by the Application
Step 3: Which Account Is Required?
Step 4: Get the Token Contents
Step 5: Are All the SIDs and Privileges Required?
Step 6: Adjust the Token
Low-Privilege Service Accounts in Windows XP and Windows .NET Server 2003
The Impersonate Privilege and Windows .NET Server 2003
Debugging Least-Privilege Issues
Why Applications Fail as a Normal User
How to Determine Why Applications Fail
Summary
8 Cryptographic Foibles
Using Poor Random Numbers
The Problem: rand
Cryptographically Random Numbers in Win32
Cryptographically Random Numbers in Managed Code
Cryptographically Random Numbers in Web Pages
Using Passwords to Derive Cryptographic Keys
Measuring the Effective Bit Size of a Password
Key Management Issues
Long-Term and Short-Term Keys
Use Appropriate Key Lengths to Protect Data
Keep Keys Close to the Source
Key Exchange Issues
Creating Your Own Cryptographic Functions
Using the Same Stream-Cipher Encryption Key
Why People Use Stream Ciphers
The Pitfalls of Stream Ciphers
What If You Must Use the Same Key?
Bit-Flipping Attacks Against Stream Ciphers
Solving Bit-Flipping Attacks
When to Use a Hash, Keyed Hash, or Digital Signature
Reusing a Buffer for Plaintext and Ciphertext
Using Crypto to Mitigate Threats
Document Your Use of Cryptography
9 Protecting Secret Data
Attacking Secret Data
Sometimes You Don't Need to Store a Secret
Creating a Salted Hash
Using PKCS #5 to Make the Attacker's Job Harder
Getting the Secret from the User
Protecting Secrets in Windows 2000 and Later
A Special Case: Client Credentials in Windows XP
Protecting Secrets in Windows NT 4
Protecting Secrets in Windows 95, Windows 98, Windows Me, and Windows CE
Getting Device Details Using PnP
Not Opting for a Least Common Denominator Solution
Managing Secrets in Memory
A Compiler Optimization Caveat
Encrypting Secret Data in Memory
Locking Memory to Prevent Paging Sensitive Data
Protecting Secret Data in Managed Code
Managing Secrets in Memory in Managed Code
Raising the Security Bar
Storing the Data in a File on a FAT File System
Using an Embedded Key and XOR to Encode the Data
Using an Embedded Key and 3DES to Encrypt the Data
Using 3DES to Encrypt the Data and Storing a Password in the Registry
Using 3DES to Encrypt the Data and Storing a Strong Key in the Registry
Using 3DES to Encrypt the Data, Storing a Strong Key in the Registry, and ACLing the File and the Registry Key
Using 3DES to Encrypt the Data, Storing a Strong Key in the Registry, Requiring the User to Enter a Password, and ACLing the File and the Registry Key
Trade-Offs When Protecting Secret Data
Summary
10 All Input Is Evil!
The Issue
Misplaced Trust
A Strategy for Defending Against Input Attacks
How to Check Validity
Tainted Variables in Perl
Using Regular Expressions for Checking Input
Be Careful of What You Find - Did You Mean to Validate?
Regular Expressions and Unicode
A Regular Expression Rosetta Stone
Regular Expressions in Perl
Regular Expressions in Managed Code
Regular Expressions in Script
Regular Expressions in C++
A Best Practice That Does Not Use Regular Expressions
Summary
11 Canonical Representation Issues
What Does Canonical Mean, and Why Is It a Problem?
Canonical Filename Issues
Bypassing Napster Name Filtering
Vulnerability in Apple Mac OS X and Apache
DOS Device Names Vulnerability
Sun Microsystems StarOffice /tmp Directory Symbolic-Link Vulnerability
Common Windows Canonical Filename Mistakes
Canonical Web-Based Issues
Bypassing AOL Parental Controls
Bypassing eEye's Security Checks
Zones and the Internet Explorer 4 "Dotless-IP Address" Bug
Internet Information Server 4.0 ::DATA Vulnerability
When is a Line Really Two Lines?
Yet Another Web Issue - Escaping
Visual Equivalence Attacks and the Homograph Attack
Preventing Canonicalization Mistakes
Don't Make Decisions Based on Names
Use a Regular Expression to Restrict What's Allowed in a Name
Stopping 8.3 Filename Generation
Don't Trust the PATH - Use Full Path Names
Attempt to Canonicalize the Name
Calling CreateFile Safely
Web-Based Canonicalization Remedies
Restrict What Is Valid Input
Be Careful When Dealing with UTF-8
ISAPIs - Between a Rock and a Hard Place
A Final Thought: Non-File-Based Canonicalization Issues
Server Names
Usernames
Summary
12 Database Input Issues
The Issue
Pseudoremedy #1: Quoting the Input
Pseudoremedy #2: Use Stored Procedures
Remedy #1: Never Ever Connect as sysadmin
Remedy #2: Building SQL Statements Securely
Building SQL Stored Procedures Securely
An In-Depth Defense in Depth Example
Summary
13 Web-Specific Input Issues
Cross-Site Scripting: When Output Turns Bad
Sometimes the Attacker Doesn't Need a Block
The Attacker Doesn't Need the User to Click a Link!
Other XSS-Related Attacks
XSS Attacks Against Local Files
XSS Attacks Against HTML Resources
XSS Remedies
Encoding Output
Adding Double Quotes Around All Tag Properties
Inserting Data in the innerText Property
Forcing the Codepage
The Internet Explorer 6.0 SP1 HttpOnly Cookie Option
Internet Explorer "Mark of the Web"
Internet Explorer Attribute
ASP.NET 1.1 ValidateRequest configuration option
Don't Look for Insecure Constructs
But I Want Users to Post HTML to My Web Site!
How to Review Code for XSS Bugs
Other Web-Based Security Topics
eval() Can Be Bad
HTTP Trust Issues
ISAPI Applications and Filters
Be Wary of "Predictable Cookies"
SSL/TLS Client Issues
Summary
14 Internationalization Issues
The Golden I18N Security Rules
Use Unicode in Your Application
Prevent I18N Buffer Overruns
Words and Bytes
Validate I18N
Visual Validation
Do Not Validate Strings with LCMapString
Use CreateFile to Validate Filenames
Character Set Conversion Issues
Use MultiByteToWideChar with MB_PRECOMPOSED and MB_ERR_INVALID_CHARS
Use WideCharToMultiByte with WC_NO_BEST_FIT_CHARS
Comparison and Sorting
Unicode Character Properties
Normalization
Summary
PART III EVEN MORE SECURE CODING TECHNIQUES
15 Socket Security
Avoiding Server Hijacking
TCP Window Attacks
Choosing Server Interfaces
Accepting Connections
Writing Firewall-Friendly Applications
Use One Connection to Do the Job
Don't Require the Server to Connect Back to the Client
Use Connection-Based Protocols
Don't Multiplex Your Application over Another Protocol
Don't Embed Host IP Addresses in Application-Layer Data
Make Your Application Configurable
Spoofing and Host-Based and Port-Based Trust
IPv6 Is Coming!
Summary
16 Securing RPC, ActiveX Controls, and DCOM
An RPC Primer
What Is RPC?
Creating RPC Applications
How RPC Applications Communicate
Secure RPC Best Practices
Use the /robust MIDL Switch
Use the [range] Attribute
Require Authenticated Connections
Use Packet Privacy and Integrity
Use Strict Context Handles
Don't Rely on Context Handles for Access Checks
Be Wary of NULL Context Handles
Don't Trust Your Peer
Use Security Callbacks
Implications of Multiple RPC Servers in a Single Process
Use Mainstream Protocols
Secure DCOM Best Practices
DCOM Basics
Application-Level Security
DCOM User Contexts
Programmatic Security
Sources and Sinks
An ActiveX Primer
Secure ActiveX Best Practices
What ActiveX Components Are Safe for Initialization and Safe for Scripting?
Best Practices for Safe for Initialization and Scripting
Summary
17 Protecting Against Denial of Service Attacks
Application Failure Attacks
CPU Starvation Attacks
Memory Starvation Attacks
Resource Starvation Attacks
Network Bandwidth Attacks
Summary
18 Writing Secure .NET Code
Code Access Security: In Pictures
FxCop: A "Must-Have" Tool
Assemblies Should Be Strong-Named
Strong-Named Assemblies and ASP.NET
Specify Assembly Permission Requirements
Request Minimal Permission Set
Refuse Unneeded Permissions
Request Optional Permissions
Overzealous Use of Assert
Further Information Regarding Demand and Assert
Keep the Assertion Window Small
Demands and Link Demands
An Example LinkDemand Security Bug
Use SuppressUnmanagedCodeSecurityAttribute with Caution
Remoting Demands
Limit Who Uses Your Code
No Sensitive Data in XML or Configuration Files
Review Assemblies That Allow Partial Trust
Check Managed Wrappers to Unmanaged Code for Correctness
Issues with Delegates
Issues with Serialization
The Role of Isolated Storage
Disable Tracing and Debugging Before Deploying ASP.NET Applications
Do Not Issue Verbose Error Information Remotely
Deserializing Data from Untrusted Sources
Don't Tell the Attacker Too Much When You Fail
Summary
PART IV SPECIAL TOPICS
19 Security Testing
The Role of the Security Tester
Security Testing Is Different
Building Security Test Plans from a Threat Model
Decompose the Application
Identify the Component Interfaces
Rank the Interfaces by Potential Vulnerability
Ascertain the Data Structures Used by Each Interface
Attacking Applications with STRIDE
Attacking with Data Mutation
Before Testing
Building Tools to Find Flaws
Testing Clients with Rogue Servers
Should a User See or Modify That Data?
Testing with Security Templates
When You Find a Bug, You're Not Done!
Test Code Should Be of Great Quality
Test the End-to-End Solution
Determining Attack Surface
Determine Root Attack Vectors
Determine Bias For Attack Vectors
Count the Biased Vectors in the Product
Summary
20 Performing a Security Code Review
Dealing with Large Applications
A Multiple-Pass Approach
Low-Hanging Fruit
Integer Overflows
A Related Issue: Integer Underflows
Checking Returns
Perform an Extra Review of Pointer Code
Never Trust the Data
Sumary
21 Secure Software Installation
Principle of Least Privilege
Clean Up After Yourself!
Using the Security Configuration Editor
Low-Level Security APIs
Using the Windows Installer
Summary
22 Building Privacy into Your Application
Malicious vs. Annoying Invasions of Privacy
Major Privacy Legislation
Personally Identifiable Information
The EU Directives on Data Protection
Safe Harbor Principles
Other Privacy Legislation
Privacy vs. Security
Building a Privacy Infrastructure
The Role of the Chief Privacy Officer
The Role of the Privacy Advocate
Designing Privacy-Aware Applications
Including Privacy in the Development Process
Exploring Privacy Features
Summary
23 General Good Practices
Don't Tell the Attacker Anything
Service Best Practices
Security, Services, and the Interactive Desktop
Service Account Guidelines
Don't Leak Information in Banner Strings
Be Careful Changing Error Messages in Fixes
Double-Check Your Error Paths
Keep It Turned Off!
Kernel-Mode Mistakes
High-Level Security Issues
Handles
Symbolic Links
Quota
Serialization Primitives
Buffer-Handling Issues
IRP Cancellation
Add Security Comments to Code
Leverage the Operating System
Don't Rely on Users Making Good Decisions
Calling CreateProcess Securely
Do Not Pass NULL for lpApplicationName
Use Quotes Around the Path to Executable in lpCommandLine
Don't Create Shared/Writable Segments
Using Impersonation Functions Correctly
Don't Write User Files to \Program Files
Don't Write User Data to HKLM
Don't Open Objects for FULL_CONTROL or ALL_ACCESS
Object Creation Mistakes
Care and Feeding of CreateFile
Creating Temporary Files Securely
Implications of Setup Programs and EFS
File System Reparse Point Issues
Client-Side Security Is an Oxymoron
Samples Are Templates
Dogfood Your Stuff!
You Owe It to Your Users If
Determining Access Based on an Administrator SID
Allow Long Passwords
Be Careful with _alloca
ATL Conversion Macros
Don't Embed Corporate Names
Move Strings to a Resource DLL
Application Logging
Migrate Dangerous C/C++ to Managed Code
24 Writing Security Documentation and Error Messages
Security Issues in Documentation
The Basics
Threat Mitigation Through Documentation
Documenting Security Best Practices
Security Issues in Error Messages
A Typical Security Message
Information Disclosure Issues
Informed Consent
Progressive Disclosure
Be Specific
Consider Not Asking the Question
Usability Test Your Security Messages
A Note When Reviewing Product Specifications
Security Usability
Summary
PART V APPENDIXES
A Dangerous APIs
B Ridiculous Excuses We've Heard
C A Designer's Security Checklist
D A Developer's Security Checklist
E A Tester's Security Checklist
A Final Thought
ANNOTATED BIBLIOGRAPHY
INDEX
|
