subhashini (Moderator):
hello everybody
subhashini (Moderator):
:-) a very good evening to all of you
subhashini (Moderator):
and welcome all of you to join us for the second part of the series chat
subhashini (Moderator):
on writing secure code
subhashini (Moderator):
Thanks to Vipul Patel (MVP) for hosting this series chat
subhashini (Moderator):
Guys, thanks to him, he's based out of the US and is currently hosting the chat during his odd hours
subhashini (Moderator):
Once again a quick run through the chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
thanks to all of you for attending this chat.
subhashini (Moderator):
and let's welcome Vipul
Vipul Patel (Expert):
Thanks Subhashini for the opportunity. Welcome to the second part of the series on Writing secure code.
subhashini (Moderator):
to continue the series
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Hello all
Vipul Patel (Expert):
Those who missed out yesterday: a quick recap. Yesterday the main focus was the need for writing secure code, threat modeling and we saw two security concerns: buffer overrun and ACLs.
Vipul Patel (Expert):
Today we shall focus on the other security concerns....
Vipul Patel (Expert):
We begin with poor cryptographic techniques
Vipul Patel (Expert):
Crypto can help secure data from specific threats, but it does not secure the application from coding errors.
Vipul Patel (Expert):
Common mistakes people make when using cryptography include
Vipul Patel (Expert):
a. using poor random numbers
Vipul Patel (Expert):
b. using passwords to derive cryptographic keys
Vipul Patel (Expert):
Let's catch them one by one
Vipul Patel (Expert):
Did you know that the Random function provided by the Operating systems generates the same sequence of random numbers every time.
Vipul Patel (Expert):
Same case with the Frameworks......
Vipul Patel (Expert):
Consider this code in C++
#include <cstdio>
#include <cstdlib>

// Always print 52 4 26 66 26 ... : with a fixed seed, rand() gives the same sequence on every run
int main()
{
    srand(12366);                 // fixed seed, so the output is fully predictable
    for (int i = 0; i < 10; i++)
    {
        int n = rand() % 100;     // separate variable so it does not shadow the loop counter
        printf("%d ", n);
    }
    return 0;
}
Vipul Patel (Expert):
The above code snippet always results in the same sets of numbers.....
Vipul Patel (Expert):
let's see one in C#
using System;

class Class1
{
    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    [STAThread]
    static void Main(string[] args)
    {
        // A fixed seed makes Random produce the identical sequence on every run
        Random rnd = new Random(1234);
        for (int i = 0; i < 20; i++)
        {
            Console.WriteLine(rnd.Next(100));
        }
    }
}
Vipul Patel (Expert):
The above code also results in the same sequence of random numbers
being generated.
Vipul Patel (Expert):
The problem with using such functions is that if your application
is of a secure nature like a financial institution application,
such a dependency on system provided (read predictable) numbers
can be easily tracked by the hacker......
Vipul Patel (Expert):
If the random numbers are used for say saving the session key, then
all the session information is at risk....
Vipul Patel (Expert):
How to avoid such a situation.....
Vipul Patel (Expert):
For win32 applications use the CryptGenRandom class.....................
Vipul Patel (Expert):
and those of you coding in C#, use the RNGCryptoServiceProvider
class available in the System.Security.Cryptography namespace
Vipul Patel (Expert):
another poor cryptographic technique is "Using Passwords to
Derive Cryptographic keys"
Vipul Patel (Expert):
some applications are based on a security model where you ask the
user for the password for a specific action and then this user-provided
password is used as a cryptographic key.
Vipul Patel (Expert):
The problem with such an approach is that if the password is small,
then it is easy to predict through a Dictionary attack......
Vipul Patel (Expert):
Dictionary attack: try all possible words from the dictionary to
see which works as a key....
Vipul Patel (Expert):
Suggestion: Keep your passwords long and random.
Vipul Patel (Expert):
You can make this a network policy.....
Vipul Patel (Expert):
With Win2003 Server and later, you can validate password compliance
with NetValidatePasswordPolicy.
Vipul Patel (Expert):
More information available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp>
Vipul Patel (Expert):
Use Keyed Hash
Vipul Patel (Expert):
Keyed Hash: Is a hash that includes some secret data, data known
only to the sender and recipients. It is typically created by hashing
the plaintext concatenated to some secret key or a derivation of
the secret key. It is one kind of message authentication code (MAC).
Vipul Patel (Expert):
the idea here is to not use a simple hash but to use a keyed hash........
This secures things a bit....
subhashini (Moderator):
sorry guys, vipul
subhashini (Moderator):
might have just got logged out
subhashini (Moderator):
please hold on for a couple of mins. he would be back
subhashini (Moderator):
vipul has lost his wireless connection and has had to reboot
subhashini (Moderator):
so, he would be back any minute
subhashini (Moderator):
thanks for cooperating
subhashini (Moderator):
thanks guys
Vipul Patel (Expert):
sorry for the confusion guys...
Vipul Patel (Expert):
lets continue
Vipul Patel (Expert):
Creating a Keyed hash
// Keyed hash (HMAC-SHA1) with the .NET framework; key and message are byte arrays
using System.Security.Cryptography;
HMACSHA1 hmac = new HMACSHA1();
hmac.Key = key;                             // the secret shared by sender and recipient
byte[] hash = hmac.ComputeHash(message);    // the MAC over the message
Tip: Use the Operating system or .NET framework libraries. It’s
much easier than implementing the logic yourself.
subhashini (Moderator):
apologies for the technical tricks played on us by the chat tool
:-) we are back and let's get the chat rocking!
Vipul Patel (Expert):
So how do you protect secrets?
Vipul Patel (Expert):
We usually hash the data.....
Vipul Patel (Expert):
But better than hash, do a salted hash...
Vipul Patel (Expert):
Hash: is a cryptographic algorithm that produces a different output,
called a message digest, for each unique element of data
Vipul Patel (Expert):
Better than hash, use a salted hash
Vipul Patel (Expert):
Salt is a random number that is added to the hashed data to eliminate
the use of precompiled dictionary attacks, making an attempt to
recover the original secret extremely expensive. The salt is stored
unencrypted with the hash.
Vipul Patel (Expert):
More information is available at <http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx>
Vipul Patel (Expert):
Coming to talk of DPAPI, let's see what is available in Windows 2000
and above
Vipul Patel (Expert):
In Windows 2000 and later, we can use the Data Protection API (DPAPI)
functions CryptProtectData and CryptUnprotectData.
Vipul Patel (Expert):
http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx
Vipul Patel (Expert):
Guys the above link should work...
Vipul Patel (Expert):
These functions encrypt (DPAPI) and decrypt data by using a key
derived from the user’s password. In addition, decryption
can be done only on the computer where the data was encrypted unless
the user has a roaming profile, in which case she can decrypt the
data from another computer on the network.
Vipul Patel (Expert):
A Special Case: Client Credentials in Windows XP
Vipul Patel (Expert):
Windows XP includes functionality named Stored User Names And Passwords
to make handling users’ passwords and other credentials, such
as private keys, easier, more consistent, and safer. If your application
includes a client component that requires you to prompt for or store
a user’s credentials, you should seriously consider using
this feature for the following reasons:
• Support for different types of credentials, such as passwords
and keys, on smart cards.
• Support for securely saving credentials by using DPAPI.
• No need to define your own user interface. It’s provided,
although you can add a custom image to the dialog box.
Vipul Patel (Expert):
Use NTFS for enhanced security. FAT and FAT32 do not enforce strict
security checks.
Vipul Patel (Expert):
Other small nuances to take care of.....
Vipul Patel (Expert):
Trust no input
Vipul Patel (Expert):
Always validate any user input for all possible values: minimum,
maximum, boundary conditions, etc.
You can check the format of the input data with regular expressions
Vipul Patel (Expert):
DOS device name vulnerability
Due to compatibility reasons, DOS device names have been carried over
to Windows. That’s why you can't create a file named PRN or
COM1, COM2 or LPT. Creating such files (even for temporary purposes)
through code should be avoided.
Vipul Patel (Expert):
Don’t trust the PATH variable. Use full path names
If your application uses the PATH variable explicitly for a good
number of reasons, it is better to create a custom environment variable
for the purpose, as the PATH variable should not be depended upon since
a lot of applications may use and modify it..
Vipul Patel (Expert):
SQL Injection attacks
Vipul Patel (Expert):
consider a SQL statement
Vipul Patel (Expert):
// Vulnerable: user input is concatenated straight into the SQL text
string sql = "select * from client where name = '" + name + "'";
Vipul Patel (Expert):
imagine a user entering
Blake' or 1 = 1
Vipul Patel (Expert):
Q: vipul, are SQL injection attacks fully preventable through
Stored procedures.
A: no, for SQL injection, SPs are not a solution.
People use two solutions
Vipul Patel (Expert):
Q: vipul, are SQL injection attacks fully preventable through
Stored procedures.
A: Correct solution is
a. never ever connect as sysadmin (This limits database damage by
SQL injection)
b. Build your SQL statements securely, use Parameterized commands
in your SP..............
Vipul Patel (Expert):
Q: what are your strong recommendations to deal with SQL
injection attacks
A: a. never ever connect as sysadmin (This limits database
damage by SQL injection)
b. Build your SQL statements securely, use Parameterized commands
in your SP..............
subhashini (Moderator):
guys, we have the last 13 mins left for the chat to conclude for
today
subhashini (Moderator):
please ask the last few questions to get them answered
Vipul Patel (Expert):
I agree with Chakravarthy: If possible prevent the user from entering
"'" when he is specifying text based information. But the
problem is with names like L'Oreal... how to deal with that.. :D
Vipul Patel (Expert):
Q: vipul, are there any other security areas that you need
to highlight and you may not have time to discuss them fully here.
A: I will not be able to cover the security in .NET framework
which I will cover tomorrow.......
Vipul Patel (Expert):
Q: I want to ask whether parameterized commands are foolproof.
A: Depends on your code. But it is deemed and projected as
quite secure..
Vipul Patel (Expert):
Q: suppose I have a web application, then using the encryption
class is not going to help much, as encryption would occur at the server
side; after all, data is transferred across the n/w without encryption.
Am I right???
A: If you use SSL, then your data will be secure when transferred
from the client to the server....
Vipul Patel (Expert):
Q: Hi, tell me more about DPAPI and what all complexities
are involved implementing it ?
A: already answered....
Vipul Patel (Expert):
Yes, don't allow the word "where", if possible, I must add....
Vipul Patel (Expert):
Chakravarthy: Whidbey: I shall answer that tomorrow.....
subhashini (Moderator):
So this brings us to the end of today's chat
subhashini (Moderator):
and hope to see you all tomorrow
subhashini (Moderator):
and hold on to your questions till tomorrow
subhashini (Moderator):
also feel free to email vipul at vipul_d_patel@hotmail.com
Vipul Patel (Expert):
The best resource on writing secure code is a book by Michael Howard
titled "Writing secure code".......... Google for more
information on the book....
Vipul Patel (Expert):
Chakravarthy:..... go ahead...
subhashini (Moderator):
go ahead chakravarthy
Vipul Patel (Expert):
For securing already written code, I suggest that you have a robust
code review policy, revisit your design, basically perform threat
modelling for an already existing application..
Vipul Patel (Expert):
That is a judgement call, if you feel that the previously written
code is not secure, demo the failure to your team lead, and then
suggest that the following remedies will apply....
Vipul Patel (Expert):
what do you mean by wrapping mechanism?
Vipul Patel (Expert):
Best practices for writing secure code:
Vipul Patel (Expert):
a. Don't tell the attacker anything
Vipul Patel (Expert):
b. Don't leak information in banner strings and unhandled errors...
Vipul Patel (Expert):
Double check your error messages and paths...
Vipul Patel (Expert):
Add security comments to your code...
Vipul Patel (Expert):
Don't write user files to \Program Files
Vipul Patel (Expert):
Don't write user data to HKLM
Vipul Patel (Expert):
Allow long passwords...
Vipul Patel (Expert):
and have an application log.
Vipul Patel (Expert):
Thats all for today.....
subhashini (Moderator):
thanks again to all of you for attending the chat
Vipul Patel (Expert):
if you have any further questions, please email me at vipul_d_patel@hotmail.com or visit my unfrequented blog at http://spaces.msn.com/members/vipul and leave your comments there. I shall revert...
subhashini (Moderator):
see you all again tomorrow for the last part of this series
subhashini (Moderator):
have a lovely evening.