Security Training: #4 Development: Typical Security Issues


Published on March 7, 2014

Author: YulianSlobodyan

Source: slideshare.net

Development: Typical Security Issues Overview
Yuri Voynalovich, Oleh Melnik, Oleg Basarab, Yulian Slobodian
November 2008

Presentation Plan
 Introduction
 Buffer Overrun (Overflow)
 Integer arithmetic errors
 Cross-site scripting
 SQL injection
 Crypto Pitfalls

Introduction

Top Misunderstandings of Information Security
 I thought the firewall would take care of this. Or file permissions. Or SSL.
 I’m an experienced web developer and don’t think I need this.
 Can’t someone do this after I finish my dev work?
 It's encrypted, so it's secure.
 No one knows my algorithm, so it must be secure.
 Once a piece of code is deemed secure in one system, it is secure for use everywhere.
 But that's the way we've always done it.

The Need for Secure Systems
 A secure product: a product that protects the confidentiality, integrity, and availability of the customers' information, and the integrity and availability of processing resources, under control of the system's owner or administrator.
 A security vulnerability: a flaw in a product that makes it infeasible, even when using the product properly, to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.
(Figure: the three pillars of information security: Availability, Integrity, Confidentiality. Source: Microsoft.com)

Buffer overruns

Buffer Overrun Types
 Stack Overruns
 Heap Overruns
 Array Indexing Errors
 Format String Bugs

Simple buffer overrun example
 The buffer overrun caused by Unicode and ANSI buffer size mismatches is somewhat common on Windows platforms; it occurs when you mix up the number of elements with the size in bytes of a Unicode buffer.
 The most commonly used function that is vulnerable to this kind of bug is MultiByteToWideChar.

Vulnerable code:

    BOOL GetName(char *szName) {
        WCHAR wszUserName[256];
        // Convert ANSI name to Unicode.
        // BUG: the last argument is the destination size in WCHARs, but
        // sizeof(wszUserName) is the size in bytes (512), so the call may
        // write up to 512 WCHARs into a 256-WCHAR buffer.
        MultiByteToWideChar(CP_ACP, 0, szName, -1, wszUserName, sizeof(wszUserName));
        // Snip
    }

Correct way to write this function (pass the element count, not the byte count):

    MultiByteToWideChar(CP_ACP, 0, szName, -1, wszUserName,
                        sizeof(wszUserName) / sizeof(wszUserName[0]));

Preventing Buffer Overruns
 The first line of defense is simply to write solid code!
 Always validate all your inputs
 Use safe functions
 Use Standard Template Library or other safe libraries
 Use stack-smashing protection
 Use pointer protection
 Use executable space protection
 Use address space layout randomization
 Use deep packet inspection
 Stacks that grow up
 Stack canaries
 No executable stack

Integer overflows

Integer Overflow Types
 Overflow
 Underflow
 Signedness Error
 Truncation

Integer Overflow Example

Vulnerable code:

    char* processNext(char* strm) {
        char buf[512];
        short len = *(short*) strm;   // signed 16-bit length read from untrusted input
        strm += sizeof(len);
        // BUG: len is signed, so a negative value such as -1 passes this check
        // and is then converted to a huge size_t when handed to memcpy.
        if (len <= 512) {
            memcpy(buf, strm, len);
            process(buf);
            return strm + len;
        } else {
            return -1;
        }
    }

Typical Integer exploits
 Arbitrary code execution
 Denial of Service (DoS) attacks
 Array index attacks
 Bypassing sanitization attacks
 Logic errors

Preventing Integer Errors
 Range Checking
 Strong Typing
 Compiler-Generated Runtime Checks
 Safe Integer Operations
 Arbitrary Precision Arithmetic
 Source Code Audit
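The signedness error in the processNext example above, and the range checking the prevention slide calls for, as an added example that is not part of the original slides: the vulnerable check is kept as a predicate next to a hardened one, and process_next_safe is an assumed replacement that reads the length prefix as unsigned and validates it against both the destination capacity and the bytes actually present. The sample records are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 512

/* The length check from the vulnerable processNext: 'len' is a signed short,
 * so a negative length such as -1 (the bytes 0xff 0xff) satisfies len <= 512
 * and is then converted to a huge size_t inside memcpy.
 * Returns 1 if the check admits len. */
int vulnerable_check_admits(short len) { return len <= BUF_SIZE; }

/* Range-checked replacement: reject negatives explicitly, compare as size_t. */
int hardened_check_admits(short len) { return len >= 0 && (size_t)len <= BUF_SIZE; }

/* Hardened processNext: decodes the 2-byte little-endian length prefix as an
 * unsigned value, validates it against both the destination capacity and the
 * bytes actually present in the stream, and only then copies.
 * Returns bytes consumed (prefix + payload), or 0 if the record is malformed. */
size_t process_next_safe(const uint8_t *strm, size_t avail,
                         uint8_t *out, size_t out_size)
{
    if (avail < 2)            /* not even a complete length prefix */
        return 0;
    uint16_t len = (uint16_t)(strm[0] | (strm[1] << 8));
    if (len > out_size)       /* would overrun the destination buffer */
        return 0;
    if (len > avail - 2)      /* claims more payload than the stream holds */
        return 0;
    memcpy(out, strm + 2, len);
    return 2 + (size_t)len;
}

/* Constructed sample records (not from the original slides). */
static const uint8_t good_record[]      = { 0x03, 0x00, 'a', 'b', 'c' }; /* len 3 */
static const uint8_t negative_record[]  = { 0xff, 0xff, 'a', 'b', 'c' }; /* len 65535, i.e. -1 as short */
static const uint8_t truncated_record[] = { 0x04, 0x00, 'a', 'b' };      /* len 4, only 2 bytes present */

/* Runs one record through the hardened parser with a BUF_SIZE destination. */
size_t demo(const uint8_t *rec, size_t rec_len)
{
    uint8_t buf[BUF_SIZE];
    return process_next_safe(rec, rec_len, buf, sizeof buf);
}
```

The negative_record bytes are exactly the case the original check admits (-1 <= 512) while the hardened parser rejects them as a 65535-byte claim.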

Cross-site scripting

XSS Types
 DOM-based
 Non-Persistent
 Persistent

Cross-Site Scripting Illustrated Example
(Figure: an application with a stored XSS vulnerability; the diagram shows business functions such as Administration, Transactions, Accounts, Finance, Communication, Knowledge Mgmt and E-Commerce built on Custom Code.)
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views the page and sees the attacker's profile: the script runs inside the victim’s browser with full access to the DOM and cookies.
3. The script silently sends the victim’s session cookie to the attacker.

Typical XSS Results
 Identity theft
 Accessing sensitive or restricted information
 Gaining free access to otherwise paid-for content
 Spying on user’s web browsing habits
 Altering browser functionality
 Public defamation of an individual or corporation
 Web application defacement
 Denial of Service attacks

Preventing XSS
 Early policies
 Escaping and filtering
 Input validation
 Cookie security
 Eliminating scripts

SQL Injection

Forms of SQL Injection
 Incorrectly filtered escape characters
 Incorrect type handling
 Vulnerabilities inside the database server
 Blind SQL Injection
   Conditional Responses
   Conditional Errors
   Time Delays

SQL Injection Examples
 Incorrectly filtered escape characters

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

  userName  a' or 't'='t

    SELECT * FROM users WHERE name = 'a' OR 't'='t';

  userName  a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

 Incorrect type handling

    statement := "SELECT * FROM data WHERE id = " + a_variable + ";"

  a_variable  1;DROP TABLE users

    SELECT * FROM data WHERE id=1;DROP TABLE users;

Preventing SQL Injection
 Using Escaping
 Access the database using an account with the least privileges necessary
 Using Parameterized Statements
 Using Stored Procedures
 Re-validate data in stored procedures
 Enforcing the Use of Parameterized Statements

Crypto Pitfalls

The “Top 10” List of Crypto Pitfalls
 Security by Obscurity
 Using Traditional Cryptography
 Using Proprietary Cryptography
 Using Insecure Random Generators
 ‘Hiding’ Secrets
 Using Weak Keys
 Memory Protection
 Not Using ‘Salted’ Hash
 Using MAC Insecurely
 Insecure Initialization

Home Grown Encryption
 Bad idea to invent encryption algorithms
 Do not accept proprietary encryption
 Acceptable algorithms are very difficult and require:
   Invention by a professional cryptologist
   Years of open analysis and scrutiny
 Many past failures by the brightest and best-funded:
   MD4 hash by Ronald Rivest
   Helix by Bruce Schneier
   LANMAN Hash by Microsoft
   DVD CSS (Content Scrambling System)

How to: avoid Weak Cryptography
 Choose the right algorithm
 Choose the appropriate key size
 Generate a random number
 Manage keys and other sensitive data
 Use hashing
 Implement an integrity check
 Use a digital certificate
 Use passwords to generate keys

Conclusions
 Know what you are doing
 Do not rely on ‘Obscurity’
 Do not try to ‘Hide’ secrets
 Do not re-invent the wheel
 Generate Strong Keys and Protect them
 Use only strong & standard Ciphersuites
 Don't Grow Your Own Crypto
 Don't Assume Too Much
 Use Care When Implementing Crypto

