subhashini (Moderator):
hello everybody. A very good evening to all of you. :-)
subhashini (Moderator):
Welcome to today's webchat on writing secure code
subhashini (Moderator):
This is a chat in series
subhashini (Moderator):
and today is the part one of the series
subhashini (Moderator):
we have with us our MVP Vipul Patel
subhashini (Moderator):
with us today for the chat.
subhashini (Moderator):
To give a quick intro about him
subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul
pursued a Masters in Computer Application from Gujarat University
for the sheer love of computers. He is currently with Patni Computer
Systems, and has been working on .NET technologies for the last 1.5
years. Once the Chairperson of the Computer Society of India's college
chapter at Nirma Institute of Technology (www.nit.edu)
in his academic days, he sincerely believes that communities can be
a powerful platform for developers to share their experiences and
queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com
or vipul.patel@patni.com.
subhashini (Moderator):
As always, a few chat rules
subhashini (Moderator):
before we begin the chat
subhashini (Moderator):
Please refrain from sending any private messages to the expert during
the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will
respond to as many questions as they can. Please understand that there
may be some questions we cannot respond to due to lack of information
or because the information is not yet public. We encourage you to
submit questions for our Experts.
subhashini (Moderator):
We ask that you stay on topic for the duration of the chat. This helps
the Guests and Experts follow the conversation more easily. We invite
you to ask off-topic questions after this chat is over.
subhashini (Moderator):
let's get the chat rolling
subhashini (Moderator):
let us welcome Vipul
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini and welcome to all to the first of the series of
webchats on "Writing secure code"
Vipul Patel (Expert):
Our topic Writing secure code is gaining popularity day by day and
we are here to discuss the same.
Vipul Patel (Expert):
I shall start with a small introduction.
Vipul Patel (Expert):
If you have any questions, please feel free to send them to me through
the "expert chat" radio button
Vipul Patel (Expert):
As the Internet grows in importance, applications are becoming highly
interconnected.
Vipul Patel (Expert):
Earlier computers were not as highly interconnected as they are today,
and hence most people wouldn't care much about security.
Vipul Patel (Expert):
But times have changed. Virtually all computers—servers, desktop
personal computers, and, more recently, cell phones, pocket-size devices,
and other form factor devices such as embedded systems—are interconnected.
Vipul Patel (Expert):
That means that if one of the interconnected systems is affected, it
can affect the whole network
Vipul Patel (Expert):
No wonder the World Wide Web is often referred to as the Wild
Wild Web. ;)
Vipul Patel (Expert):
It is not only important to write robust code; the need of the day
is to produce reliable & secure systems.
Vipul Patel (Expert):
Your system, if connected to the Internet, is a potential victim for an
attack.
Vipul Patel (Expert):
So why is security important for you and me?
Vipul Patel (Expert):
1. The Media (and Your Competition) Leap on Security Issues: This
is a business impact. If your application makes security breach
headlines, you are bound to lose a chunk of your business, not to mention
the bad publicity that you get. The media will hound you for days
and your competition will mention it for years to come....
Vipul Patel (Expert):
2. People Shy Away from Products That Don’t Work As Advertised:
If your application keeps crashing every now and then, then people
will start avoiding your product.
Vipul Patel (Expert):
3. Security Vulnerabilities Are Expensive to Fix: If security flaws
are detected after the product is released to market, then the cost
of fixing that vulnerability as well as deployment costs for the fix
are enormous.
Vipul Patel (Expert):
With that background, let's begin our discussion on designing secure
systems.
Vipul Patel (Expert):
What are the two most common security mistakes made by software companies?
Vipul Patel (Expert):
a. The application is designed, written, tested, and shipped to customers,
but the developers forget to make it secure. Or they think they have,
but they got the design wrong. It’s wrong because they added
some security technology to their application to be “buzzword-compliant,”
but the technology doesn’t mitigate any real security threats
Vipul Patel (Expert):
b. The second mistake is adding security to the application as an
afterthought. The security aspect of the code should be there from the design
phase itself.
Vipul Patel (Expert):
Adding security features after the application is developed should
be avoided for the following reasons:
Vipul Patel (Expert):
i. Adding security later is wrapping security around existing features,
rather than designing features and security with both in mind
Vipul Patel (Expert):
ii. Adding any feature, including security, as an afterthought is
expensive
Vipul Patel (Expert):
iii. Adding security might change the way you’ve implemented
features. This too can be expensive
Vipul Patel (Expert):
iv. Adding security might change the application interface, which
might break the code that has come to rely on the current interface.
Vipul Patel (Expert):
There is a need for security principles to be imbibed in the software
development process. These principles are as under:
Vipul Patel (Expert):
a. Establish a security process
Vipul Patel (Expert):
b. Define the product security goals
Vipul Patel (Expert):
c. Consider security as a product feature
Vipul Patel (Expert):
d. Learn from mistakes
Vipul Patel (Expert):
e. Use least privilege
Vipul Patel (Expert):
f. Use defense in depth
g. Assume external systems are insecure
h. Plan on failure
i. Fail to a secure mode
j. Employ secure defaults
k. Remember that security features != secure features
l. Never depend on security through obscurity
Vipul Patel (Expert):
Please let me complete the theory section for today, then I will jump
to examples.... :)
Vipul Patel (Expert):
and then take up all the questions raised.
Vipul Patel (Expert):
How to incorporate security features through design? The answer is through
Threat Modelling
Vipul Patel (Expert):
You cannot build a secure system until you understand your threats.
It's as simple as that.
Vipul Patel (Expert):
A threat model is a security-based analysis that helps people determine
the highest level security risks posed to the product and how attacks
can manifest themselves.
Vipul Patel (Expert):
The goal is to determine which threats require mitigation and how
to mitigate the threats.
Vipul Patel (Expert):
Benefits of threat modeling
Vipul Patel (Expert):
a. It helps to understand the threat better.
Vipul Patel (Expert):
b. Threat models help you find bugs.
Vipul Patel (Expert):
c. You can discover serious design bugs in the process
Vipul Patel (Expert):
d. Threat models can help new team members understand the application
in detail.
Vipul Patel (Expert):
Threat modeling process:
Vipul Patel (Expert):
1. Assemble the threat-modelling team
Vipul Patel (Expert):
2. Decompose the application
Vipul Patel (Expert):
3. Determine the threats to the application using the STRIDE model
Vipul Patel (Expert):
4. Rank the threats by decreasing risk
Vipul Patel (Expert):
5. Choose how to respond to the threats
Vipul Patel (Expert):
6. Choose techniques to mitigate the threats
Vipul Patel (Expert):
We are now done with the theory ;) and we shall begin examples of
security vulnerabilities.
Vipul Patel (Expert):
The biggest security issue has been the Buffer overrun....
Vipul Patel (Expert):
Q: what is the STRIDE model?
A: The STRIDE model is a model to understand the security flaws.
It includes analysis for the following types of flaws: "Spoofing
identity", "Tampering with data", "Repudiation",
"Information disclosure", "Denial of service",
"Elevation of privilege"
More details are available at http://msmvps.com/secure/archive/2004/06/22/8728.aspx
Vipul Patel (Expert):
No Sundar: The good thing about the .NET Framework is that it is no
longer a security issue with .NET using C# and VB.NET. With VC++.NET,
you need to compile your project with the /GS option to identify any such
possible buffer overflows in your project.
Vipul Patel (Expert):
Sai: Your question has been answered in the previous post.
Vipul Patel (Expert):
Q: How can Buffer Overrun be a security issue?
A: I am coming to that with an example
Vipul Patel (Expert):
Definition of buffer overrun: A stack-based buffer overrun occurs when
a buffer declared on the stack is overwritten by copying data larger
than the buffer.
Vipul Patel (Expert):
Variables declared on the stack are located next to the return address
for the function's caller. The culprit here is that the return address
for the function gets overwritten by an address chosen by the attacker.
Vipul Patel (Expert):
e.g. code
    #include <stdio.h>
    #include <string.h>

    void foo(const char* input)
    {
        char buf[10];
        // print statement to see the stack: %p with no matching
        // arguments deliberately dumps whatever is lying on the stack
        printf("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");
        // unbounded copy: overruns buf when input is 10 chars or longer
        strcpy(buf, input);
        printf("%s\n", buf);
        printf("New Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");
    }

    void bar(void)
    {
        printf("Uh Oh");
    }

    int main(int argc, char* argv[])
    {
        printf("Address of foo = %p\n", foo);
        printf("Address of bar = %p\n", bar);
        if (argc != 2)
        {
            printf("Please supply a string as argument\n");
            return -1;
        }
        foo(argv[1]);
        return 0;
    }
Vipul Patel (Expert):
please read "foo" instead of "food" for the first function
declaration.
Vipul Patel (Expert):
sat: which kind of failure is being talked of here?
Vipul Patel (Expert):
In the above code sample, observe the code
    // print statement to see the stack
    printf("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");
This code is used to see the stack contents
Vipul Patel (Expert):
Q: What are other major security issues to be taken care
of, mainly with .NET?
A: This concern will be addressed in the third webchat of
the series scheduled on Friday this week.
Vipul Patel (Expert):
If we pass a string of less than 10 characters, it will work fine.
Example of execution:
c:\Mycode>StackEx.exe Hello
Address of foo = 00401000
Address of bar = 00401045
Stack status:
00000000
00000000
7FFDF000
0012FF80
0040108A <This is the address we want to overwrite
00410EDE
Hello
New stack status:
6C6C6548 < You can see where Hello was copied in
0000000F
7FFDF000
0012FF80
0040108A
00410EDE
Vipul Patel (Expert):
See that the first memory location gets modified with the text.
The second memory location is the instruction set for the second
call.
Vipul Patel (Expert):
Now input a long string
c:\Mycode>StackEx.exe AAAAAAAAAAAAAAAAAAAAAAA
Address of foo = 00401000
Address of bar = 00401045
Stack status:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410EDE
AAAAAAAAAAAAAAAAAAAAAAA
New stack status:
41414141
41414141
41414141
41414141
41414141
41414141
Vipul Patel (Expert):
If you use a longer string the whole stack buffer gets rewritten
with the data from the string input.....
Vipul Patel (Expert):
And we also get an application error claiming the instruction at
0x41414141 tried to access memory at address 0x41414141.
Vipul Patel (Expert):
Q: But Vipul....isn't this limitation limited to unmanaged
code in .NET.....i mean over-writing the return address of a
function in the stack....
A: Yes, that's the limitation limited to unmanaged code in
.NET. That is not an issue with .NET applications. I agree
Vipul Patel (Expert):
Q: what kind of security issues normally hit web applications
A: For web applications, you need to make sure to consider
the following during threat modelling:
a. Unvalidated parameters
b. Broken access control
c. Broken authentication and session management
d. Cross site scripting flaws
e. Buffer overflows
f. Command injection flaws
g. Error handling problems
h. Insecure storage
i. Denial of service (!!! The top most threat)
You also need to see that there is no undue privilege elevation
Vipul Patel (Expert):
If a smart hacker were to know of this vulnerability, he will write
a script to execute the above executable with a specific string which
will expose this flaw.
Vipul Patel (Expert):
More information about this is available at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating
user input ?
A: Yes, Buffer overrun can be mitigated by the following
steps
a. Always validate your input for the type and length.
b. Make sure your string handling operations are safe
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then? by validating
user input?
A: in the above code if we had the following check it could
have been prevented
    if (strlen(input) < sizeof(buf))
    {
        // everything in place: input plus its NUL terminator fits in buf
        strcpy(buf, input);
    }
    else
    {
        // do the processing for failure...
    }
Vipul Patel (Expert):
Q: How does MS address Denial of Service.....i mean does
the web server have any means of preventing it...and does IIS have
any feature of this kind....?
A: Hello Rakesh, we will take up Denial of Service tomorrow...
Today we shall be limiting ourselves to Buffer overrun and ACLs..
Vipul Patel (Expert):
Sundar: you are right about storing int like data structure on the
stack and the reference types on heap..
Vipul Patel (Expert):
But heap buffer overrun is also possible, but it is difficult to
exploit.
Vipul Patel (Expert):
Q: You never answered what's the impact of buffer overrun
in the .Net world, in the C run time world I think those who are familiar with
that have better understanding :)
A: Fortunately, buffer overrun is not an issue with .NET.
The .NET framework handles the issue with buffer overruns.... it
is only an issue with legacy applications and unmanaged code written
in VC++.NET
Vipul Patel (Expert):
Q: in C# i guess only the basic data types like int variables
are stored in the stack. basically the reference objects are stored
in heaps so the risk is very low. in this case how will a function
get executed?
A: This is not applicable to .NET applications in C#
Vipul Patel (Expert):
Q: other than String Handling errors and Array indexing errors
what are all the possible causes for Heap overruns
A: Unicode and ANSI Buffer size mismatches are another source
for the heap overruns
Vipul Patel (Expert):
Q: can you please throw some light on Array Indexing errors
and their impact on Heap overruns?
A: I shall discuss this later
Vipul Patel (Expert):
Q: Why did microsoft not consider the /GS behavior default?
A: it is only applicable for unmanaged code in VC++.NET
Vipul Patel (Expert):
Q: is there any way in .Net to avoid Heap Overruns? because
there are ways to have non executable stacks in operating systems
and there are also tools like StackGuard to avoid stack based overruns.
is there something like that for heap overruns
A: safe string handling for one..
I need to investigate this more.....
Vipul Patel (Expert):
Q: Oh sorry I got a look at the article you referred to recently,
so strsafe.h is the solution right
A: yes
Vipul Patel (Expert):
Q: Recently C libraries have improved functions, like the one
I mentioned earlier nstrcpy(), are those types of implementations
missing in VC++
A: it was missing in VC++ 6.0
Vipul Patel (Expert):
Q: Give a simple security method for a windows application
which is connecting to www or some Dedicated line often
A: Have a firewall installed
Vipul Patel (Expert):
Q: What are the different ACLs that can be employed and how
to choose the best of them?
A: ACL strategy
1. Determine the resource you need
2. Determine the business defined access requirement
3. Determine the appropriate access control technology
4. Convert the access requirements to access control technology
Vipul Patel (Expert):
Q: is one required to have a different security model for "Intranet"
or "Internet" applications
A: no, if you have Single Sign-on for Intranet, yes otherwise,
because the scenarios are different for both
subhashini (Moderator):
We have almost come to the end of this chat today. Space for one
more question!
subhashini (Moderator):
I will wait for Vipul to complete answering the questions to announce
the closure of this chat.
Vipul Patel (Expert):
Most of us are admin on our machines. Imagine what will happen when
you download a malicious script and the script gets running in admin
mode... your machine is bound to be infected.
subhashini (Moderator):
So that brings us to the end of today's chat
subhashini (Moderator):
Hold on to your questions till tomorrow
subhashini (Moderator):
because this chat is a series chat
Vipul Patel (Expert):
Q: but isn't this discrimination between intranet and internet
handled by the .Net CLR implicitly.....
A: We are not talking from the .NET CLR perspective, but rather
from a developer point of view using any development language.
subhashini (Moderator):
that will continue till friday
subhashini (Moderator):
So friends, meet you again tomorrow
subhashini (Moderator):
and be ready with your questions ..let's shoot it out to Vipul
subhashini (Moderator):
:-)
subhashini (Moderator):
So let's catch up with the second series of this chat tomorrow at
5pm
subhashini (Moderator):
Till then, have a lovely evening
Vipul Patel (Expert):
Q: And what are security issues with desktop or client server
applications ?
A: improper file permission, undue Access control to name
a few
subhashini (Moderator):
And lets thank Vipul for his great spirit to take this chat in succession
subhashini (Moderator):
:-) Thanks Vipul
subhashini (Moderator):
And all of you have a lovely evening ..
Vipul Patel (Expert):
One of the best articles on running with least privilege is http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx
Vipul Patel (Expert):
That's all for today. See you all tomorrow when we discuss
Cryptographic Foibles, Storing Secrets, Canonical Representation
Issues and Network-Based Application Considerations
Vipul Patel (Expert):
good day to all.... and a good morning to me... its 5:45 am in los
angeles and time to go to work.....