Writing Secure Code

Author: Michael Howard and David LeBlanc
Pages: 512
Disk: 1 Companion CD(s)
Level: Intermediate
Published: 11/13/2001
ISBN: 9780735615885
ISBN-10: 0-7356-1588-8
Price (USD): $39.99
Index
Send feedback about this index to mspindex@microsoft.com.
Special Characters and Numbers
3DES (Triple-DES), 172, 179, 203
7-bit and 8-bit ASCII, 323
8.3 representation of long filenames, 219-20, 229
::$DATA vulnerability in IIS 4.0, 215-17
\\?\ format, 222
.. (parent path) vulnerabilities, 222-23, 328-30
0wn3d (owned) systems, 12
A
absolute vs. relative filenames, 223
accept function, 247
access, based on Administrator Security ID (SID), 428-29
access checks, context handles as, 271-72
access control entries (ACEs)
dangerous types, 110-11
deny, 98
introduced, 51
NULL DACLs and other dangerous ACE types, 108-11
access control lists (ACLs). See also access control mechanisms
choosing, 95-98
creating
with ATL, 106-7
introduced, 99
in Windows 2000, 103-6
in Windows NT 4, 99-103
effective deny ACEs, 98
file system support, 93-94
how tokens, privileges, SIDs, ACLs, and processes relate, 128-29
importance of, 89-91
introduced, 51, 89
NULL DACLs and other dangerous ACE types, 108-11
overview, 93-95
access control mechanisms
COM+ roles, 113-14
important note about, 116-17
introduced, 112
IP restrictions, 51, 112-13, 116-17
medical example, 114-16
SQL Server triggers and permissions, 114
access control overview, 122
ACEs. See access control entries (ACEs)
ACLs. See access control lists (ACLs)
Act As Part Of The Operating System privilege, 123, 126-27
ActiveState Perl 5.6.1 Web site, 377
Active Template Library (ATL), creating ACLs with, 106-7
ActiveX
application testing, 384-85
introduced, 287
security best practices
introduced, 288
safe initialization and scripting, 288-92
AddAccessAllowedAce function, 409
AddAce function, 409
administrator privileges, 27, 158
Administrator Security ID (SID), 428-29
AeDebug key, 400-401
ALL_ACCESS request, 421
America Online (AOL) 5.0 parental controls, 212
ANSI and Unicode buffer size mismatches, 78-80
AOL (America Online) 5.0 parental controls, 212
Apache Web server vulnerability, 214
APIs (application programming interfaces), 433-36. See also Internet Server API (ISAPI)
Apple Mac OS X vulnerability, 214
application failure attacks, 293-97
application programming interfaces (APIs), 433-36. See also Internet Server API (ISAPI)
applications
international, regular expressions and, 228
secure settings in, 427-28
array indexing errors, 75-77
ASCII, 7-bit and 8-bit, 323
ASP.NET
disabling tracing and debugging before deploying ASP.NET applications, 357-58
thread awareness, 357
validating data from untrusted sources, 356-57
assert function, 352
Assert method, 352-55
asymmetric ciphers, 175
ATL. See Active Template Library (ATL)
attacks. See also denial of service (DoS) attacks; threat modeling
defined, 36
Department of Justice Computer Crime and Intellectual Property Section (CCIPS) Web site, 10
DVD encryption, 168
multiplayer games, 8
System Administration, Networking, and Security (SANS) Institute Web site defacement, 4
Web server defacements, 4, 121-22
Windows 2000 test site, 5
auditing (logging), 54
authentication
Basic, 47
Digest, 47-48
forms-based, 48
introduced, 46-47
IPSec, 50
Kerberos v5, 49
NTLM, 49
Passport, 48
Remote Authentication Dial-In User Service (RADIUS), 50
Windows, 49
X.509 certificate, 49-50
Authenticode technology, 288
authorization, 51
automation (process), 287
B
7-bit and 8-bit ASCII, 323
Back Orifice tool, 120
Backup Files And Directories privilege, 123-25
backward compatibility problems, 32-33
bandwidth attacks, 305-6
Basic authentication, 47
bind function, 239-46
binding handles, 262
BindView tool Web site, 200
black-box testing, 365
blanket (security settings), 283
block ciphers, 175
buffer overruns
array indexing errors and, 75-77
common language runtime and, 342-46
format string bugs and, 78
heap overruns and, 70-75
introduced, 63-64
preventing, 80 (see also string handling, safe)
static, 64-70
testing and, 365-66
Unicode and ANSI buffer size mismatches, 78-80
buffers
reusing for plaintext and ciphertext, 187-88
security check, /GS option, 343-46
BugTraq Web site, 14
Bypass Traverse Checking privilege, 127
C
canary (value), 70, 343
Canonicalize method, 318
canonical representation issues
bypassing AOL parental controls, 212
bypassing eEye security checks, 213-14
bypassing Napster name filters, 212-13
canonical, defined, 212
common canonicalization mistakes in Windows
\\?\ format, 222
8.3 representation of long filenames, 219-20, 229
absolute vs. relative filenames, 223
canonicalizing filenames, 229-33
case-insensitive filenames, 223
decisions based on filenames, 225
device names and reserved names, 223-24
directory traversal and using parent paths (..), 222-23
introduced, 219
NTFS alternate data streams, 220-21
PATH environment variable, 229
trailing characters, 221
Universal Naming Convention (UNC) shares, 224
using regular expressions to restrict filenames, 225-29
DOS device names vulnerability, 217
Internet Information Server 4.0 ::$DATA vulnerability, 215-17
introduced, 211
other canonicalization vulnerabilities, 218
server names, 233-34
Sun Microsystems StarOffice /tmp directory symbolic-link vulnerability, 217-18
usernames, 234-36
vulnerability in Apple Mac OS X and Apache, 214
Web-based service security
7-bit and 8-bit ASCII, 323
double encoding, 326
hexadecimal escape codes, 323
HTML escape codes, 326
introduced, 322
remedies, 326-30
UCS-2 Unicode encoding, 325
UTF-8 variable-width encoding, 323-25, 327-28
zones and the Internet Explorer 4 "dotless-IP address" bug, 214-15
CAPICOM COM component, 174
CArchive operators, 360
case-insensitive filenames, 223
CAtlRegExp class, 227
CCIPS (Computer Crime and Intellectual Property Section), Department of Justice, 10
CCryptRandom class, 163-64
certificate naming issues, 50
CFileManipulator function, 271
CheckTokenMembership function, 429
ciphertext, 173
cleartext (plaintext), 170
client credentials in Windows XP, 195-97
client-side security, 427
clients with rogue servers, 395
CloseFileByID function, 273
closesocket function, 249
CodePage property, 318
CoImpersonateClient function, 357, 420
CoInternetParseUrl function, 318
COM
application testing, 384-85
CAPICOM COM component, 174
COM+
object constructor string, 335-37
roles, 113-14
command line argument testing, 386-88
comments in code regarding security, 416
compatws template, 396
Computer Crime and Intellectual Property Section (CCIPS), Department of Justice, 10
concatenating strings, 86
confidentiality. See privacy (confidentiality)
connectable objects, 287
context handles
as access checks, 271-72
introduced, 261-62
NULL, 272-73
strict, 270-71
cookies, 331-32, 343
CopyMemory function, 433
count(*) in SELECT statement, 310
CoInitializeSecurity function, 280, 282, 283-85
CPU (processor) starvation attacks, 297-303
CreateFile function, 123-25, 424-25
CreateFileMapping function, 420
Create functions, 421-23
CreateHardLink function, 217, 329
CreateMutex function, 421, 422-23
CreateNamedPipe function, 421, 422
CreateProcessAsUser function, 128, 143, 417, 435
CreateProcess function, 143, 417-19, 435
CreateProcessWithLogon function, 435
CreateProcessWithLogonW function, 417
CreateRemoteThread function, 126
CreateRestrictedToken function, 140
creating temporary files securely, 423-26
credentials
client, in Windows XP, 195-97
defined, 46-47
generic, 195-97
Windows domain, 195-97
CredUICmdLinePromptForCredentials function, 197
cross-site scripting attacks, 311-12, 393-94
Crucial ADS tool Web site, 220
CryptAcquireContext function, 163
CryptExportKey function, 170
CryptGenKey function, 170
CryptGenRandom function, 162-64, 197, 204, 359, 373
CryptImportKey function, 170
cryptographic issues. See also hash (digest) functions
digital signatures, 53, 186-87
Federal Information Processing Standard (FIPS) 140-41, 164-65
poor key management
introduced, 168-69
keeping keys close to the source, 169-72
random numbers
CryptGenRandom function, 162-64, 197, 204, 359, 373
generating good random numbers by using .NET framework, 358-59
introduced, 159
rand function, 160-62, 164, 358
reusing buffers for plaintext and ciphertext, 187-88
rolling your own cryptographic functions, 172-75
stream ciphers
bit-flipping attacks against, 181-82
defined, 175
introduced, 175
pitfalls, 176-79
reasons for using, 175-76
what if you must use the same key?, 179-80
using passwords to derive cryptographic keys
introduced, 165
measuring the effective bit size of passwords, 166-67
cryptographic keys
poor key management
introduced, 168-69
keeping keys close to the source, 169-72
using passwords to derive
introduced, 165
measuring the effective bit size of passwords, 166-67
CryptProtectData function, 192-93
CryptReleaseContext function, 163
CryptUnprotectData function, 192-93
CSocket class, 382
D
3DES (Triple-DES), 172, 179, 203
DACLs. See discretionary access control lists (DACLs)
Data Encryption Standard (DES) cryptographic algorithm, 165, 175-76, 179
Triple-DES (3DES), 172, 179, 203
Data Protection API (DPAPI) functions, 192-93, 200
data type rosetta stone, 321-22
::$DATA vulnerability in IIS 4.0, 215-17
DCOM. See Distributed COM (DCOM)
debugging least-privilege issues, 151-55, 156, 157
Debug Programs privilege, 123, 126
defense in depth, 28-29
Demand method, 351, 354-55
denial of service (DoS) attacks
application failure attacks, 293-97
CPU (processor) starvation attacks, 297-303
introduced, 39, 46, 293
memory starvation attacks, 303
network bandwidth attacks, 305-6
resource starvation attacks, 304-5
testing and, 371
deny ACEs, 98
deny-only SIDs, 142
Department of Justice Computer Crime and Intellectual Property Section (CCIPS), 10
DES (Data Encryption Standard) cryptographic algorithm, 165, 175-76, 179
Triple-DES (3DES), 172, 179, 203
device names
and reserved names, 223-24
vulnerability in DOS, 217
dictionary attacks, 191
Digest authentication, 47-48
digest functions. See hash (digest) functions
digital signatures, 53, 186-87
directory traversal and using parent paths (..), 222-23
discretionary access control lists (DACLs)
null, 108-11
resources secure using, 94-95
Distributed COM (DCOM)
application testing, 384-85
introduced, 52
security best practices
application-level security, 280-81
basics, 278-80
introduced, 278
programmatic security, 283-87
sources and sinks, 287
user contexts, 281-83
DNS corruption, 255
DoS. See denial of service (DoS) attacks
DOS device names vulnerability, 217
DoThreadWork function, 146
dotless-IP address bug in Internet Explorer 4, 214-15
double encoding, 326
DoWork function, 170
DPAPI (Data Protection API) functions, 192-93, 200
DsMakeSPN function, 267
DVD encryption, 168
E
eEye security checks, 213-14
EFS (Encrypting File System), 52, 193
EIP (instruction pointer) register, 379
Element N.V. Element InstantShop Price Modification vulnerability Web site, 331
elevation of privileges, 40, 46
EmailAlertPermission permission, 354
encraption, 173
EncryptData function, 170
Encrypt function, 170
Encrypting File System (EFS), 52, 193
encrypting secret data using external devices
introduced, 203-4
PPCKey threat model, 206-10
sample scenario using PPCKey application, 204-5
encryption, 53
encryption keys, 159
EncryptWithKey function, 170
EnterCriticalSection function, 303, 436
entropy, 162
EnvironmentPermission permission, 354
error messages, 414
error paths, 414
Everyone (DELETE) ACE, 110
Everyone (FILE_ADD_FILE) ACE, 110
Everyone (FILE_DELETE_CHILD) ACE, 111
Everyone (WRITE_DAC) ACE, 110
Everyone (WRITE_OWNER) ACE, 110
evidence, 46-47
excuses for lax security, 453-57
EXPLICIT_ACCESS structure, 102
exploit (sploit), 6
F
Fair Information Practice Principles (FIPP) Web site, 411
FAT files, 202
fault injection
introduced, 370-72
partially incorrect data, 375-78
perturbing the container, 372-73
perturbing the data, 373
random data, 373-75
size of data, 378-79
special-case data, 379-81
Federal Information Processing Standard (FIPS) 140-41, 164-65
fgets function, 88
fields, sensitive data in, 331-32
file-based application testing, 385
FileIOPermission permission, 352, 354
FileMon tool, 154-55, 157
filename vulnerabilities
\\?\ format, 222
8.3 representation of long filenames, 219-20, 229
absolute vs. relative filenames, 223
canonicalizing filenames, 229-33
case-insensitive filenames, 223
decisions based on filenames, 225
device names and reserved names, 223
directory traversal and using parent paths (..), 222-23
introduced, 219
NTFS alternate data streams, 220-21
trailing characters, 221
Universal Naming Convention (UNC) shares, 224
using regular expressions to restrict filenames, 225-29
file permission canonicalization vulnerability Web site, 325
FileSystemObject collections, 94
filtering, 54
FIPP (Fair Information Practice Principles) Web site, 411
FIPS (Federal Information Processing Standard) 140-41, 164-65
firewall-friendly applications, 252-54
format string bugs, 78
FormsAuthenticationModule class, 48
forms-based authentication, 48
fprintf function, 85
FULL_CONTROL request, 421
fullwidth encoding, 325
function epilog code, 343
function prolog code, 343
FunLove virus, 121
G
games, multiplayer game attacks, 8
generic credentials, 195-97
getaddrinfo function, 234
GetAllSIDs function, 136
GetExchangeKey function, 172
GetFileType function, 230
GetFullPathName function, 230
GetHostName function, 333
GetKey function, 170
GetKeyHandle function, 170
GetLastError function, 422
GetLastError method, 278
GetLongPathName function, 230
GetPrivs function, 136
GetServerBlanket method, 285-86
GetServerVariable function, 80, 332-33
gets function, 88, 434
GetTempFileName function, 424
GetTempPath function, 424
GetTickCount function, 302
GetUser function, 136
GetUserNameEx function, 235
GetVolumeInformation function, 93
Gramm-Leach-Bliley Act of 1999 Web site, 411
/GS buffer security check option, 343-46
H
Hailstorm tool Web site, 380
hash-based message authentication codes (HMACs), 183
hash (digest) functions
defined, 191
introduced, 53, 182
keyed, 182-86
salted, 191-92
Health Insurance Portability and Accountability Act (HIPAA) Web site, 411
heap overruns, 70-75
hexadecimal escape codes, 323
Hierarchical File System Plus (HFS+), 214
HIPAA (Health Insurance Portability and Accountability Act) Web site, 411
hisecdc template, 396, 397
hisecws template, 397
HKEY_CLASSES_ROOT key, 121
HKEY_CURRENT_USER key, 400, 421
HKEY_LOCAL_MACHINE key, 121, 201, 229, 400, 401-2, 421
HMACs (hash-based message authentication codes), 183
Honeynet Project Web site, 5
host-based trust, 255-56
host spoofing, 255
HTMLEncode method, 319
HTML escape codes, 326
HTML tags, 316-17
HTTP-based application testing, 382-84
HttpGetClientProtocol class, 384
HttpPostClientProtocol class, 384
HTTP trust issues, 330-32
I
IAccessControl object, 284
IClientSecurity::SetBlanket method, 283, 286
ICommandWithParameters interface, 322
IDispatch interface, 287, 384
IHttpModule interface, 48
IIS. See Internet Information Server (IIS)
ILoveYou (VBS.Loveletter, The Love Bug) virus, 121
ImpersonateAnonymousToken function, 420
ImpersonateDdeClientWindow function, 420
ImpersonateLoggedOnUser function, 143, 420
ImpersonateNamedPipeClient function, 420
ImpersonateSecurityContext function, 420
ImpersonateSelf function, 420
impersonation functions, 420, 435
Increase Quotas privilege, 123, 127
information disclosure, 39, 46
InitializeCriticalSection function, 303, 436
input/output controls (IOCTLs), 416
INSERT statement, 314
installing secure software
introduced, 399-400
principle of least privilege, 400-409
instruction pointer (EIP) register, 379
international applications, regular expressions and, 228
InternetCanonicalizeUrl function, 318
InternetCrackUrl function, 291-92
Internet Explorer 4 dotless-IP address bug, 214-15
Internet Information Server (IIS)
SecureIIS, 213-14
version 4.0 ::$DATA vulnerability, 215-17
version 4 encryption problem, 187-88
Internet Printing Protocol (IPP) buffer overruns, 79-80, 332
Internet Server API (ISAPI)
applications and filters, 332-34
extension vulnerability, 121
IObjectWithSite interface, 291
IOCTLs (input/output controls), 416
IPersist interfaces, 288
IP headers, 294-97
IPP (Internet Printing Protocol) buffer overruns, 79-80, 332
IP restrictions, 51, 112-13, 116-17
IPSec authentication, 50
IPSec protocol, 52
IsAccessAllowed function, 30
ISAPI. See Internet Server API (ISAPI)
IsCallerInRole method, 113-14
IsTokenRestricted function, 145
IsValidDomain function, 292
IUnknown::AddRef method, 279-80
IUnknown interface, 287, 291
IUnknown::Release method, 279-80
K
Kerberos v5 authentication, 49
kernel-mode mistakes, 415-16
keyed hashes, 182-86
keys. See also cryptographic keys
defined, 159
hard-coded, 169
L
laws
of security, 437-44
of security administration, 445-51
least privilege. See privileges, least
linear congruential functions, 160-62
Linux-Mandrake MandrakeUpdate race condition vulnerability, 423
LoadLibraryEx function, 436
LoadLibrary function, 436
Local Security Authority (LSA) secrets, 193, 197-200
logging (auditing), 54
LogonUser function, 48
Love Bug, The (ILoveYou, VBS.Loveletter) virus, 121
LSADUMP2 tool, 126
LsaRetrievePrivateData function, 193
LSA (Local Security Authority) secrets, 193, 197-200
LsaStorePrivateData function, 193, 200
lstrcat function, 433
lstrcpy function, 433
lstrcpyn function, 82, 433
lstr functions, 81
M
Mac OS X vulnerability, 214
MACs (message authentication codes), 53, 182, 183, 187
main function, 301
malloc function, 109
malware, 120
marshaling, 260
maximum segment lifetime (MSL), 247
MAX_PATH constant, 379
_mbscat function, 433
_mbscpy function, 433
_mbslen function, 434
_mbsnbcat function, 433
_mbsnbcpy function, 433
Meltzer, David, 303, 305
memcpy function, 433
memory starvation attacks, 303
memset function, 201-2, 365
message authentication codes (MACs), 53, 182, 183, 187
message digests, 191
Microsoft Management Console (MMC), 401-4
Microsoft Passport, 48
Microsoft Windows
authentication, 49
common canonicalization mistakes in
\\?\ format, 222
8.3 representation of long filenames, 219-20, 229
absolute vs. relative filenames, 223
canonicalizing filenames, 229-33
case-insensitive filenames, 223
decisions based on filenames, 225
device names and reserved names, 223-24
directory traversal and using parent paths (..), 222-23
introduced, 219
NTFS alternate data streams, 220-21
PATH environment variable, 229
trailing characters, 221
Universal Naming Convention (UNC) shares, 224
using regular expressions to restrict filenames, 225-29
domain credentials, 195-97
privileges, 122, 123
Microsoft Windows 95, storing secrets in, 201-2
Microsoft Windows 98, storing secrets in, 201-2
Microsoft Windows 2000
creating ACLs in, 103-6
storing secrets in, 192-97
test site discovery, 5
Microsoft Windows CE, storing secrets in, 201-2
Microsoft Windows Me, storing secrets in, 201-2
Microsoft Windows NT 4
creating ACLs in, 99-103
storing secrets in, 197-200
Microsoft Windows XP
client credentials in, 195-97
service accounts in, 149-51
Software Restriction Policies (SAFER), 147-49
storing secrets in, 192-97
Mitnick, Kevin, 255
MMC (Microsoft Management Console), 401-4
MmProbeAndLockPages function, 415
motives for attacks, 36
MoveFile function, 426
MSL (maximum segment lifetime), 247
MultiByteToWideChar function, 79, 327, 435
multiplayer game attacks, 8
mutual authentication, 267
N
named pipes, 384, 421-22
Napster name filters, 212-13
nCipher tool Web site, 168
.NET code security
ASP.NET
disabling tracing and debugging before deploying ASP.NET applications, 357-58
thread awareness, 357
validating data from untrusted sources, 356-57
Assert method, 352-55
buffer overruns and the common language runtime, 342-46
code failures and, 360-61
demanding appropriate permissions, 351-52
Demand method, 351, 354-55
deserializing data from untrusted sources, 359-60
final thoughts, 362
generating good random numbers by using .NET framework, 358-59
/GS buffer security check option, 343-46
introduced, 341-42
refusing permissions, 355-56
Simple Object Access Protocol (SOAP) and, 361
storing secrets in .NET, 346-51
.NET Server service accounts, 149-51
network bandwidth attacks, 305-6
new operator, 303
nonces, 159
NTBugTraq Web site, 14
NTFS alternate data streams, 220-21
NTLM authentication, 49
NULL context handles, 272-73
NULL DACLs, 108-11
O
object creation mistakes, 421-23
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) Web site, 35
OpenFileByID function, 273
OpenProcessToken function, 136
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Web site, 35, 85
_output function, 85
owned (0wn3d) systems, 12
P
packet privacy and integrity, 269-70
pack function, 377-78, 382
parameterized commands (placeholders), 320-22
Parameters subkey, 401
parental controls in AOL 5.0, 212
parent path (..) vulnerabilities, 222-23, 328-30
Passport authentication, 48
PassportAuthenticationModule class, 48
passwords
to derive cryptographic keys
introduced, 165
measuring the effective bit size of passwords, 166-67
long, 430
special care of, 317-19
PATH environment variable, 229
Payroll application. See Web-based payroll application
permissions
appropriate, 351-52
EmailAlertPermission, 354
EnvironmentPermission, 354
FileIOPermission, 352, 354
refusing, 355-56
SerializationFormatter, 359
SocketPermission, 354
"Ping of Death" Web site, 294
placeholders (parameterized commands), 320-22
plaintext (cleartext), 170
port-based trust, 255-56
port scanning, 5
PPCKey application
sample scenario using, 204-5
threat model, 206-10
principals, 46, 122
printf functions, 65-66, 78, 434
Print method, 289
privacy (confidentiality)
collecting user data, 413-14
introduced, 53, 411-12
types of collected user data, 412
privacy-enhanced protocols, 52
PrivilegeCheck function, 139
privileges. See also tokens
Act As Part Of The Operating System, 123, 126-27
admin, 27
Backup Files And Directories, 123-25
Bypass Traverse Checking, 127
Debug Programs, 123, 126
determining appropriate privileges
introduced, 129
Step 1: finding resources used by the application, 130
Step 2: finding privileged APIs used by the application, 130-31
Step 3: evaluating which account is required, 131
Step 4: getting the token contents, 132-38
Step 5: determining which SIDs and privileges are required, 138-39
Step 6: adjusting the token, 139-42
elevation of, 40, 46
how tokens, privileges, SIDs, ACLs, and processes relate, 128-29
Increase Quotas, 123, 127
introduced, 51, 119-20
least
allowing less-privileged accounts to run the application, 139-40
debugging least-privilege issues, 151-55, 156, 157
importance of, 158
installation and, 400-409
introduced, 27-28, 54
overview, 122
in the real world, 120-22
Replace A Process Level Token, 123, 127
SeAssignPrimaryTokenPrivilege, 123, 127, 128
SeBackupPrivilege, 123-25
SeChangeNotifyPrivilege, 127, 143, 145
SeDebugPrivilege, 123, 126, 190
SeIncreaseQuotaPrivilege, 123, 127
SeRestorePrivilege, 125
service accounts in Windows XP and Windows .NET Server, 149-51
SeTcbPrivilege, 123, 126-27
Trusted Computing Base (TCB), 123, 126-27
Windows, 122, 123
ProbeForRead function, 415
processes, how tokens, privileges, SIDs, ACLs, and processes relate, 128-29
processor (CPU) starvation attacks, 297-303
\Program Files directory, 420-21
Q
quality of service, 54
R
8.3 representation of long filenames, 219-20, 229
race conditions, 187-88
RADIUS (Remote Authentication Dial-In User Service), 50
rand function, 160-62, 164, 358
random data, 373-75
random numbers
CryptGenRandom function, 162-64, 197, 204, 359, 373
generating good random numbers by using .NET framework, 358-59
introduced, 159
rand function, 160-62, 164, 358
ReadFileByID function, 273
recv function, 436
REFERER header, 330-31
Regex++ class, 227
registry
code fix, 91-92
HKEY_CLASSES_ROOT key, 121
HKEY_CURRENT_USER key, 400, 421
HKEY_LOCAL_MACHINE key, 121, 201, 229, 400, 401-2, 421
registry-based application testing, 385-86
RegMon tool, 154-55, 156
RegQueryValueEx function, 90, 92
regression bugs, 11
regular expressions to restrict filenames, 225-29
RegularExpressionValidator control, 356
relative vs. absolute filenames, 223
Remote Authentication Dial-In User Service (RADIUS), 50
remote procedure calls (RPCs)
applications communication, 260-62
application testing, 384-85
creating applications, 259-60
defined, 258
introduced, 52, 257-58
security best practices
adding annotations for endpoints, 277-78
context handles as access checks, 271-72
implications of multiple RPC servers in a single process, 276-77
introduced, 262
mainstream protocols, 278
NULL context handles, 272-73
packet privacy and integrity, 269-70
[range] attribute, 263
requiring authenticated connections, 263-68
/robust MIDL switch, 262
security callbacks, 274-76
strict context handles, 270-71
trusting peers, 274
security vulnerabilities
sending garbage to port 135, 257-58
sending invalid data to the Local Security Authority (LSA), 257
server stubs, 258
Replace A Process Level Token privilege, 123, 127
repudiation, 39, 46
reserved names and device names, 223-24
resource starvation attacks, 304-5
restricted SIDs, 145
restricted tokens
defined, 128
introduced, 140-41
when to use, 143-49
restricting SIDs, 136, 141-42
RevertToSelf function, 140
RFC 1510 Web site, 49
RFC 2104 Web site, 183
RFC 2279 Web site, 323
RFC 2617 Web site, 47
RNGCryptoServiceProvider class, 359
/robust Microsoft Interface Definition Language (MIDL) compiler switch, 262, 376
rootsec template, 397
RpcBindingInqAuthClient function, 266-67
RpcBindingSetAuthInfoEx function, 274
RpcBindingSetAuthInfo function, 264-65, 267, 269
RpcBindingToStringBinding function, 276-77
RpcEpRegister function, 277-78
RpcImpersonateClient function, 273, 420
RPCs. See remote procedure calls (RPCs)
RpcServerRegisterAuthInfo function, 265-66
RpcServerRegisterIf2 function, 274, 275
RpcServerRegisterIfEx function, 274, 275
RpcServerRegisterIf function, 274
RpcServerUseProtSeq function, 276
RpcStringBindingParse function, 276-77
rsh spoofing, 255
S
sa (sysadmin) account, 338
SACLs. See system access control lists (SACLs)
SAFER (Software Restriction Policies), 147-49
SaferComputeTokenFromLevel function, 147
salt (value), 179-80, 191
salted hashes, 191-92
SANS (System Administration, Networking, and Security) Institute Web site defacement, 4
scanf function, 434
script-injection bugs, 393-94
script kiddies, 6
SDDL (Security Descriptor Definition Language), 103-6
SeAssignPrimaryTokenPrivilege privilege, 123, 127, 128
SeBackupPrivilege privilege, 123-25
SeChangeNotifyPrivilege privilege, 127, 143, 145
secret information
attack methods, 189-90
getting secrets from users, 192
introduced, 53, 189
storing
need for, 190
in .NET, 346-51
using a secret file, 202-3
in Windows 95, Windows 98, Windows Me, and Windows CE, 201-2
in Windows 2000 and Windows XP, 192-97
in Windows NT 4, 197-200
using external devices to encrypt secret data
introduced, 203-4
PPCKey threat model, 206-10
sample scenario using PPCKey application, 204-5
in Web pages, 334-37
securedc template, 397
SecureIIS, 213-14
secure systems
instilling a security culture
getting the boss to send e-mail, 13-14
introduced, 13
nominating a security evangelist, 14-16
providing bug triaging, 17
providing ongoing security education, 16-17
introduced, 3-4
selling security
cost of fixing vulnerabilities, 9-10
introduced, 7
using subversion, 11-12
using tact, 7-10
Web applications and, 5-6
securews template, 397
security administration laws, 445-51
security as a product feature, 24-25
SECURITY_ATTRIBUTES structure, 102
security callbacks, 274-76
__security_check_cookie call, 343
security comments in code, 416
Security Descriptor Definition Language (SDDL), 103-6
SECURITY_DESCRIPTOR structure, 102, 108
security education, 16-17
security evangelists, 14-16
security excuses, 453-57
Security Expressions tool Web site, 220
SecurityFocus Web site, 14
Security IDs (SIDs)
Administrator, 428-29
deny-only, 142
how tokens, privileges, SIDs, ACLs, and processes relate, 128-29
introduced, 95
restricted, 145
restricting, 136, 141-42
SDDL types, 105-6
security laws, 437-44
security mistakes, 19-22
security principles. See also privileges, least
assuming external systems are insecure, 29
defense in depth, 28-29
defining product security goals, 23
employing security defaults, 31-33
establishing a security process, 23
failing to a secure mode, 29-31
introduced, 22
learning from mistakes, 25-26
never depending on security through obscurity, 34
planning on failure, 29
security as a product feature, 24-25
security features != secure features, 33-34
Security Support Provider Interface (SSPI), 195
security templates, 396-97
SeDebugPrivilege privilege, 123, 126, 190
SeIncreaseQuotaPrivilege privilege, 123, 127
SELECT count(*) statement, 310
selling security
cost of fixing vulnerabilities, 9-10
introduced, 7
using subversion, 11-12
using tact, 7-10
send function, 436
SeRestorePrivilege privilege, 125
SerializationFormatter permission, 359
Server Message Block (SMB) packet signing, 397
servers
avoiding hijacking, 239-46
choosing interfaces, 246
names, 233-34
server-specific permissions, 51
service accounts in Windows XP and Windows .NET Server, 149-51
SeTcbPrivilege privilege, 123, 126-27
SetSecurityDescriptorDacl function, 102, 435
SetSecurityDescriptorGroup function, 102
SetSecurityDescriptorOwner function, 102
SetSecurityDescriptorSacl function, 102
_set_security_error_handler function, 345
SetSite method, 291
setsockopt function, 249
SetThreadToken function, 143, 420
setup security template, 397
SHA-1 algorithm, 191
SHA-256, SHA-384, and SHA-512 algorithms, 191
shared data segments, 419-20
ShellExecute function, 143, 417, 435
SIDs. See Security IDs (SIDs)
Simple Object Access Protocol (SOAP), 361, 390-93
sizeof operator, 83
SMB (Server Message Block) packet signing, 397
_snprintf function, 85-86, 434
_snwprintf function, 434
SOAP (Simple Object Access Protocol), 361, 390-93
SoapHttpClientProtocol class, 393
sockaddr_in structure, 240
SocketPermission permission, 354
sockets-based application testing, 382
socket security
accepting connections, 247-52
avoiding server hijacking, 239-46
choosing server interfaces, 246
introduced, 239
spoofing and host-based and port-based trust, 255-56
writing firewall-friendly applications, 252-54
SO_CONDITIONAL_ACCEPT socket option, 249
SO_EXCLUSIVEADDRUSE socket option, 240-46
Software Restriction Policies (SAFER), 147-49
SO_REUSEADDR socket option, 245
sploit (exploit), 6
spoofing and host-based and port-based trust, 255-56
spoofing identity, 39, 45
sprintf function, 84-85, 433
SQLBindParam function, 322
SQLNumParams function, 322
SQL Server triggers and permissions, 114
SSL/TLS protocol, 52
SSPI (Security Support Provider Interface), 195
Standard Template Library (STL), 87, 434
StarOffice /tmp directory symbolic link vulnerability, 217-18
stateful inspection firewalls, 253-54
stat function, 230
static buffer overruns, 64-70
STL (Standard Template Library), 87, 434
strcat function, 433
strcpy function, 17, 64-65, 81-82, 433
stream ciphers
bit-flipping attacks against, 181-82
defined, 175
introduced, 175
pitfalls, 176-79
reasons for using, 175-76
what if you must use the same key?, 179-80
Streams.exe tool Web site, 220
strict context handles, 270-71
STRIDE threat model, 38-42
string handling, safe
gets and fgets functions, 88
introduced, 81
_snprintf function, 85-86
sprintf function, 84-85
Standard Template Library (STL) strings, 87
strcpy function, 17, 64-65, 81-82
strncpy function, 82-84
strings
concatenating, 86
Standard Template Library (STL), 87
StripBackslash1 function, 301-3
StripBackslash2 function, 301-3
strlen function, 434
strncat function, 86, 433
strncpy function, 82-84, 433
SubSeven tool, 121
Sun Microsystems StarOffice /tmp directory symbolic-link vulnerability, 217-18
swprintf function, 433
symmetric ciphers, 175
sysadmin (sa) account, 338
system access control lists (SACLs), resources audited using, 94-95
System Administration, Networking, and Security (SANS) Institute Web site defacement, 4
System.EnterpriseServices.ServicedComponent namespace, 351
SYSTEM identity, 119, 132, 140, 158, 332, 338, 428
System.Net.Sockets namespace, 382
System.Runtime.InteropServices namespace, 347
System.Runtime.Serialization namespace, 359
System.Security.Cryptography classes, 174
T
tampering with data, 39, 45
tamper-resistant protocols, 52
TCB (Trusted Computing Base) privilege, 123, 126-27
TcpClient class, 382
TcpServer class, 382
_tcscat function, 433
_tcscpy function, 433
_tcslen function, 434
_tcsncat function, 433
_tcsncpy function, 433
TerminateProcess function, 126
testing secure applications
before testing, 381
building the security test plan (see also testing tools)
ascertaining data used by each interface, 370
decomposing the application, 367-68
finding security problems by injecting faulty data (see fault injection)
identifying component interfaces, 368-69
introduced, 366-67
ranking interfaces by their relative vulnerability, 369-70
clients with rogue servers, 395
code quality, 397-98
code reviews, 398
end-to-end solution, 398
feature/functional testing vs. security testing, 364
getting started, 365-66
introduced, 363
role of the security tester, 363-64
security templates, 396-97
seeing or modifying data, 395-96
testing tools
COM, DCOM, ActiveX, and RPC applications, 384-85
command line arguments, 386-88
cross-site scripting and script-injection bugs, 393-94
file-based applications, 385
HTTP-based applications, 382-84
introduced, 381-82
named pipes applications, 384
registry-based applications, 385-86
SOAP services, 390-93
sockets-based applications, 382
XML payloads, 388-90
thread awareness, 357
ThreadFunc function, 146
threat modeling
brainstorming known threats
introduced, 36-38
items to note while threat modeling, 42-43
STRIDE threat model, 38-42
choosing how to respond to threats, 44-45
choosing techniques to mitigate threats, 45-46
introduced, 35
PPCKey application, 206-10
ranking threats by decreasing risk, 43
threats
common, and solutions, 57-60
defined, 36
throttling, 54
tokens. See also privileges
how tokens, privileges, SIDs, ACLs, and processes relate, 128-29
overview, 127-28
restricted
defined, 128
introduced, 140-41
when to use, 143-49
trailing characters in filenames, 221
Triple-DES (3DES), 172, 179, 203
Trojans (Trojan horses)
defined, 120
in the real world, 120-21
Trusted Computing Base (TCB) privilege, 123, 126-27
try/except blocks, 415
_tscanf function, 434
Tsutomu Shimomura hack, 255
U
UCS-2 (Universal Character Set) encoding, 325
UNC (Universal Naming Convention) shares, 224
Unicode
and ANSI buffer size mismatches, 78-80
double encoding, 326
Unicode Transformation Format (UTF-8) encoding, 323-25, 327-28
Universal Character Set (UCS-2) encoding, 325
Unicode Transformation Format (UTF-8) encoding, 323-25, 327-28
Universal Character Set (UCS-2) encoding, 325
Universal Naming Convention (UNC) shares, 224
URLEncode method, 318
UrlEscape function, 318
UseFile function, 271
user-mode memory, 415
usernames, 234-36
UTF-8 (Unicode Transformation Format) encoding, 323-25, 327-28
V
VBS.Loveletter (ILoveYou, The Love Bug) virus, 121
verifiers, 190
viruses
defined, 120
FunLove, 121
ILoveYou (VBS.Loveletter, The Love Bug), 121
in the real world, 120-21
vulnerabilities, 36
W
wcscat function, 433
wcscpy function, 433
wcslen function, 434
wcsncat function, 433
wcsncpy function, 433
Web-based payroll application
components and protocols, 38
high-level view, 37
STRIDE threats, 40-41
threat model and technologies, 54-56
Web-based service security
canonicalization issues
7-bit and 8-bit ASCII, 323
double encoding, 326
hexadecimal escape codes, 323
HTML escape codes, 326
introduced, 322
remedies, 326-30
UCS-2 Unicode encoding, 325
UTF-8 variable-width encoding, 323-25, 327-28
HTTP trust issues, 330-32
Internet Server API (ISAPI) applications and filters, 332-34
introduced, 307
private data in other forms, 337
secret information in Web pages, 334-37
sysadmin (sa) account, 338
user input issues
introduced, 308-9
remedies, 315-22
vulnerabilities, 309-14
Web servers
Apache Web server vulnerability, 214
defacements, 4, 121-22
Web sites
ActiveState Perl 5.6.1, 377
BindView tool, 200
BugTraq, 14
cross-site scripting, 312, 394
Crucial ADS tool, 220
Department of Justice Computer Crime and Intellectual Property Section (CCIPS), 10
DVD encryption, 168
Element N.V. Element InstantShop Price Modification vulnerability, 331
Fair Information Practice Principles (FIPP), 411
Federal Information Processing Standard (FIPS) 140-1, 165
FileMon tool, 154
file permission canonicalization vulnerability, 325
Gramm-Leach-Bliley Act of 1999, 411
Hailstorm tool, 380
Health Insurance Portability and Accountability Act (HIPAA), 411
Honeynet Project, 5
Internet Information Server (IIS) 4 encryption problem, 187-88
Internet Printing Protocol (IPP) buffer overrun vulnerability, 79-80
Internet Printing Protocol (IPP) ISAPI buffer overrun, 332
Internet Server Application Programming Interface (ISAPI) extension vulnerability, 121
LSADUMP2 tool, 126
message authentication codes (MACs), 182
nCipher tool, 168
NTBugTraq, 14
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), 35
Passport, 48
"Ping of Death," 294
RegMon tool, 154
RFC 1510, 49
RFC 2104, 183
RFC 2279, 323
RFC 2617, 47
Security Descriptor Definition Language (SDDL), 103
Security Expressions tool, 220
SecurityFocus, 14
SHA-256, SHA-384, and SHA-512 algorithms, 191
Streams.exe tool, 220
System Administration, Networking, and Security (SANS) Institute Web site defacement, 4
Windows 2000 test site, 5
w00w00 Security Development (WSD), 70
white-box testing, 365
white-hats, 6
WideCharToMultiByte function, 327
Win32::Registry module, 385
Windows. See Microsoft Windows entries
Windows Event Viewer, 153-54
WinExec function, 417, 435
w00w00 Security Development (WSD), 70
worms, 120
writable data segments, 419-20
WSAAccept function, 249
wscanf function, 434
WSD (w00w00 Security Development), 70
X
X.509 certificate authentication, 49-50
XFree86 4.0.1 /tmp vulnerabilities, 423
XMLHTTP object, 389
XML payload testing, 388-90
XOR property, 173, 202
Last Updated: November 14, 2001