Writing Secure Code, Second Edition
Author Michael Howard and David LeBlanc
Pages 800
Disk N/A
Level Intermediate
Published 12/04/2002
ISBN 9780735617223
Price $49.99
Index


Symbols and Numbers
\\?\ (format for file names), 370
" (quotation marks), 422, 677
3DES key, 337-38

A
AcceptConnection example, 465-70
access checks vs. context handles, 492-93
access control entries (ACEs)
   adding to ACLs, 191-93
   dangerous types, 197-99
   deny type, 179, 180-81
   getting the order right, 191-93
   overview, 177, 178, 179
access control lists (ACLs)
   adding ACEs to, 191-93
   ATLACL.cpp file, 189-90
   code example, 172-75
   creating in Windows 2000, 185-89
   creating in Windows NT, 181-85
   creating with Active Template Library, 189-91
   discretionary type (DACLs), 175, 177, 184, 195-99, 211, 669
   DPAPI and, 305-6
   elevated privilege issues, 220-21, 222-23
   examples of secured resources, 177
   file system support, 175-76
   how to choose, 178-81
   importance of, 171-75
   NTLACL.cpp file, 181-84
   overview, 114, 175, 177, 211
   proper use, 725
   role of SIDs in performing access checks, 219-20
   SDDLACL.cpp file, 186
   securing data in the absence of, 315-20
   system type (SACLs), 175, 177, 184
   trusted data aspect, 344-45
   types of ACLs, 175, 177
access control techniques. See also access control entries; access control lists
   COM+ roles, 201
   IP restrictions, 202-3, 205
   medical example, 203-4
   .NET Framework roles, 199-201
   overview, 171, 199
   SQL Server permissions, 203
   SQL Server triggers, 203, 204
access tenet, Safe Harbor Principles, 645
accounts
   domain, 666-67
   local, 503, 665, 666, 667
   Network Service, 665
   security implications, 665-67
ACEs. See access control entries
ACK packets, 463, 465
ACLs. See access control lists
Active Directory, identifying where data comes from, 573
Active Template Library (ATL)
   _alloca function and, 691-92
   creating ACLs with, 189-91
   regular expressions and, 360-61
   SiteLock, 514-15
   string conversion macros, 691-92
ActiveX controls
   binding to Web sites, 514-15
   developer's checklist, 733
   digitally signing, 510
   identifying parameters as part of security testing process, 571
   InternetCrackURL.cpp file, 513-14
   killing, 515
   limiting domain usage, 513-14
   <OBJECT> tag, 593-95
   overview, 509
   restricting how they operate, 514-15
   role of SiteLock, 514-15
   rules of safe for initialization, 511-15
   rules of safe for scripting, 511-15
   safe for initialization, 510
   safe for scripting, 510
   security best practices, 509-15
   testing applications, 592, 593-95
   vulnerabilities, 510-11
AdjustTokenPrivilege function, 245
administrative accounts
   malware and, 208-10
   reasons for requiring elevated privileges, 220-22
   sample Windows application, 226
   when not to use, 60-62, 726-27
Administrator SIDs, 689-90
affected users, as DREAD category, 94
Allchin, Jim, 14
_alloca function, 691-92, 719
AllocateUserPhysicalPages function, 327
AllowPartiallyTrustedCallersAttribute attribute, 556-57
alternate data streams, 368, 369
America Online. See AOL parental controls, bypassing
annotating RPC endpoints, 498-99
ANSI characters
   buffer size mismatches, 153-54
   interchanging with Unicode as testing technique, 575
AOL parental controls, bypassing, 373-74
Apache Web server, vulnerability, 365
APIs, low-level security, 638
Apple Computer, vulnerability in Mac OS X and Apache, 365
applets, identifying as part of security testing process, 571
Application Log, 693-94
applications. See secure applications; software
Argamal, Lamagra, 147
array indexing errors, 144-47
ArrayIndexError.cpp file, 144-47
ASP.NET
   assemblies and, 542
   <custom error> configuration setting, 561-62
   disabling tracing and debugging before deploying applications, 561
   forms-based authentication and, 111
   HttpServerUtility.HTMLEncode method, 422
   Microsoft Passport and, 111
   storing sensitive data, 555-56
   ValidateRequest configuration option, 427-28
assemblies, .NET
   AllowPartiallyTrustedCallersAttribute attribute, 556-57
   ASP.NET and, 542
   Authenticode-signing, 541-42
   calling from partially trusted code, 556-57
   checking with FxCop, 539-40
   permission requirements, 542-45
   strong-naming, 540-41, 555
Assert method, 545-47, 548, 549-50
assets, defined, 87
asymmetric ciphers, 284
asynchronous calls, DCOM and, 508-9
ATL. See Active Template Library
ATLACL.cpp file, 189-90
attack surface
   determining, 611-13
   minimizing, 57
attack vectors, determining bias, 612-13
attackers vs. defenders, 19-21
attacks, defined, 87
auditing
   as authorization mechanism, 117
   NULL DACLs and, 197
authentication
   basic type, 110
   digest type, 110
   forms-based, 110-11
   IPSec, 113
   Kerberos, 112
   Microsoft Passport, 111
   mutual, 488
   NTLM protocol, 112
   overview, 109-10
   RADIUS, 114
   requiring in RPC server-based applications, 484-89
   as threat mitigation technique, 109-14
   Windows protocols, 112
   X.509 certificates, 112-13
Authenticode, 510
AuthnLevel argument, 485
AuthnSvc argument, 486, 487
authorization
   access control lists, 114
   IP restrictions, 115
   overview, 114
   privileges, 114
   server-specific permissions, 115

B
Back Orifice, 209
backward compatibility, 62, 63, 365
banner strings, 667
BBBOnline, 645, 646
best practices
   documenting, 698-700
   secure ActiveX, 509-15
   secure DCOM, 499-509
   secure RPC, 482-99
   secure services, 663-67
binary order, 448
bind function, 456, 720
BindDemoSvr.cpp file, 457-63
binding handles, remote procedure calls and, 482
birth dates, 661
bit-flipping attacks
   digital signatures and, 294-96
   keyed hashes and, 290-91
   overview, 289-90
   solving, 290-96
blanket, DCOM, 505, 508-9
block ciphers, 284, 287, 289
breaking applications. See security testing
buffer overruns. See also array indexing errors; format string bugs
   CodeRed worm and, 592
   common flaws, 619
   dangerous APIs, 714-16
   as example of misplaced trust in input data, 343-45
   exploitability, 133
   heap-based, 138-44
   HeapOverrun.cpp file, 140-44
   as internationalization issue, 441-42
   Internet Printing Protocol vulnerability, 154-55, 210
   in ISAPI applications and filters, 433-36
   in Microsoft Index Server, 592
   OffByOne.c example, 136-38
   overview, 127-29
   pointers and, 625
   preventing, 155-67
   stack-based, 129-38
   StackOverrun.c example, 129-36
   string handling and, 128, 156-67
   testing with random data, 578-84
   Unicode and ANSI buffer size mismatches, 153-55
   Unicode-related, 441-42
   Visual C++ .NET /GS option, 167-70
buffers
   reusing for plaintext and ciphertext, 296-97
   zero-length read and write, 672
bug e-mails, 18
bug tracking
   BugTraq, 15, 139-40, 147
   categorizing threats, 46-47
   limiting bug counts, 46
bugs, cockroach analogy, 67-68
BugTraq, 15, 139-40, 147
bytes vs. words, 442

C
C and C++ programming languages
   ArrayIndexError.cpp file, 144-47
   creating salted hash, 302-3
   format string bug example, 148-52
   HeapOverrun.cpp file, 140-44
   migrating components to managed code, 694
   OffByOne.c example, 136-38
   rand function, 260-62
   regular expressions overview, 359-61
   remote procedure calls and, 478
   role of classes in validating input, 360-61
   sample code for handling LSA secrets, 313-15
   security issues in compiler optimization, 322-26
   stack overrun examples, 131-38
   StackOverrun.c example, 129-36
   Standard Template Library, 162-63
   string handling, 156-67
C#
   moving C and C++ components to, 694
   regular expressions example, 359
   role of classes in validating input, 360-61
   testing HTTP-based server applications using WebClient class, 590-91
callback functions, 469, 495-97
canonicalization
   attempting, 386-90
   CleanCanon.cpp file, 378-90
   common Windows filename mistakes, 367-73
   defined, 364
   filename issues, 364-73
   Macintosh/Apache vulnerability, 365
   MS-DOS device name vulnerability, 365
   myriad ways to represent characters in URLs and Web pages, 378-81
   Napster filter example, 364-65
   non-file-based issues, 393-96
   preventing filename mistakes, 383-91
   preventing Web-based mistakes, 391-92
   server name issues, 393-94
   Sun symbolic-link vulnerability, 366
   username issues, 394-96
   Web-based issues, 373-81
CanonServer.cpp file, 393-94
CAPICOM, 282, 283
carriage return/line feed characters, 377-78, 604
CAS (code access security), 537-39
case, as input issue, 429-30
CAtlRegExp class, 360-61
CB_GETLBTEXT message, 718
CB_GETLBTEXTLEN message, 718
CCryptRandom class, 266
Character Map application, 357-58
characters
   conversion issues, 444, 619-20
   homograph attacks, 483
   multiple binary representation problem, 450
   similarities and mixups, 382
   special, 586
   visual equivalence attacks, 483
chargen service, 532
checking returns, 624-25
Chief Privacy Officer (CPO), 648
Children's Online Privacy Protection Act (COPPA), 646
CHM files, 418, 420
choice tenet, Safe Harbor Principles, 644
chokepoints, for input, 345-47
class identifiers (CLSIDs), 506, 515
classes, role in validating input, 361-62
CleanCanon.cpp file, 378-90
Clear method, 336
client-side applications
   inherent security problems, 687-88
   privacy options, 656-58
   template for privacy specifications, 651
Clipboard, identifying as part of security testing process, 571
CloseFileByID function, 494
CLR. See common language runtime
CLSIDs, 506, 515
code. See also development process; managed code; secure applications
   adding security comments, 674
   building secure SQL statements, 404-7
   dangers in mixing with data, 67
   defining guidelines for, 44
   migrating C and C++ components to C# or managed code, 694
   partially trusted, 556-57
   restricting method access, 554-55
   reviewing old defects, 44-45, 54-56
   scheduling external reviews, 45
   sealing classes, 554-55
   security checklists, 169, 731-35
code access security (CAS), 537-39
codepages, forcing, 423-24
CodeRed worm, 592
code-scanning tools, 169
CoImpersonateClient function, 678
CoInitializeSecurity function, 505-7
COM (Component Object Model)
   developer's checklist, 733
   identifying methods, properties, and events as part of security testing process, 571
   identifying where data comes from, 573
   testing applications, 592-93
COM+, protecting secret data when constructing objects, 333-34
COM+ roles, 201
command line
   identifying arguments as part of security testing process, 571
   identifying where argument data comes from, 573
   security testing arguments, 597-600
comments
   adding to code, 674
   special characters, 586
common language runtime (CLR)
   Assert method, 545-47, 548, 549-50
   Demand method, 547, 548, 550-52
   requesting permissions, 542-45
Common Language Specification (CLS), code access security elements, 537-39
compact privacy policy statements, 655-56
CompareString function, 443
compatibility, backward, 62, 63
compatws security template, 608
compilers
   security issues in C and C++ compiler optimization, 322-26
   task of removing unnecessary code, 323, 324, 325
   turning off optimization, 326
Computer Fraud and Abuse Act (CFAA), 646
Component Services MMC tool, 334
confidentiality. See privacy
configuration files, security issues, 535, 555
connectable objects, 508-9
connection-based protocols, vulnerability to spoofing attacks, 473-74
connectionless protocols, vulnerability to spoofing attacks, 473
connections
   AcceptConnection example, 465-70
   firewall-friendly rules, 471-73
   minimizing need for, 471
   multiplexing applications, 472
   requiring authentication in RPC server-based applications, 484-89
   ways to accept, 464-70
   which protocols are best, 472
ConnectionString function, 410
Conover, Matt, 138-39
console input, identifying as part of security testing process, 571
containers, perturbing, 577-78
context handles
   vs. access checks, 492-93
   NULL problems, 493-94
   remote procedure calls and, 482
   when not to rely on, 492-93
   when to be strict, 491-92
contingency plans, need for, 64
cookies
   cross-site scripting and, 415, 417
   HttpOnly option, 424-25
   predictability, 436-37
   role of ValidateRequest configuration option, 427-28
   vulnerability, 435-36
Cooper, Russ, 15
CopyData function, 343
CopyFile function, 721
CopyMemory function, 714
corporate names, embedding in code, 692
cover-your-tracks feature, 658
Cowan, Crispin, 139, 167, 169
CPU starvation attacks, 521-29
CPU_DoS_Example.cpp file, 521-29
CREATE_ALWAYS flag, 684
CreateDirectory function, 716
CreateEvent function, 716
CreateFile function, 372, 390-91, 443, 681-82, 684, 716
CreateFileMapping function, 716
CreateHardLink function, 716
CreateJobObject function, 716
CreateMailslot function, 716
CreateMutex function, 679, 716
CreateNamedPipe function, 679, 716
CreateProcess function, 665, 675-77, 717
CreateProcessAsUser function, 218, 675-77, 717
CreateProcessWithLogon function, 717
CreateRandomPrefix.cpp file, 685-86
CreateSemaphore function, 716
CreateWaitableTimer function, 716
CreateWellKnownSid function, 192
credentials, client, 309-11
credit-card information, 661
Crocker, Steve, 272
cross-site scripting (XSS)
   embedding scripts in HTML tags, 428-29
   how an attack works, 415-16
   remedies, 421-28
   reviewing code for bugs, 431
   role of chokepoints, 346-47
   security testing, 604-5
   as Web vulnerability, 346, 413-21
CryptAcquireContext function, 266, 267
CryptDeriveKey function, 304
CryptExchangeKey function, 279
CryptExportKey function, 277
CryptGenKey function, 277
CryptGenRandom function, 262-68, 311, 316, 578-79
CryptGetHashParam function, 303
CryptImportKey function, 277
CryptoAPI, 117, 285, 301, 302-3
cryptographic keys
   CryptExchangeKey function, 279
   CryptExportKey function, 277
   CryptGenKey function, 277
   CryptImportKey function, 277
   deriving using system hardware data, 316-20
   deriving with passwords, 269-72, 304
   exchange issues, 279-81
   keeping close to source, 276-79
   long-term vs. short-term, 274
   management issues, 272-81
   ProtectKey.cpp file, 277-79
   ways to use in storing secret data, 337-38
   which length to use, 274-75
Cryptographic Service Provider (CSP), 266
cryptography
   breaking DVD encryption, 273
   common solutions to threats, 297
   creating functions, 281-83
   developer's checklist, 734
   importance of documenting algorithms, 298
   key management issues, 272-81
   problems and limitations, 259-98, 724-25
CryptProtectData function, 305, 306, 556
CRYPTPROTECT_LOCAL_MACHINE flag, 305, 306
CryptProtectMemory function, 326
CryptReleaseContext function, 266
CryptUnprotectData function, 305, 307
CryptUnprotectMemory function, 326
CSSInject.pl file, 605
<custom error> ASP.NET configuration setting, 561-62

D
DACLs. See discretionary access control lists
damage potential, as DREAD category, 93
data, trusted vs. untrusted, 341, 342-43. See also input
Data Encryption Standard (DES), 269
data flow diagrams (DFDs)
   general concept, 75, 76
   list of key symbols, 75
   number of levels, 80
   payroll application example, 77, 79, 81
   role in threat modeling, 73-81
   tips for using, 78
   vs. Unified Modeling Language, 74
data integrity tenet, Safe Harbor Principles, 645
data mutation, 575-87
Data Protection API. See DPAPI
data segments, shared and writable, 677-78
data tampering threats
   attacks on secret data, 300
   list of specific threats and solutions, 120-23
   mitigating, 108
   overview, 84, 97
   payroll application example, 98, 100-101
   testing techniques, 574, 607
data transfer, 661
databases
   building secure SQL statements, 404-7
   identifying access technologies as part of security testing process, 571
   identifying stored procedures as part of security testing process, 571
   input vulnerability issues, 397-411
   quoting input as remedy, 401-2
   secure in-depth example, 407-11
   stored procedures as remedy, 402-3
DataProtection.cs file, 329-32
DCOM. See Distributed COM
deadlocks, 670
debugger, role in security testing, 587-88
debugging
   disabling before deploying ASP.NET applications, 561
   least-privilege issues, 251-58
decomposing applications prior to threat modeling, 74-83
defacing Web servers, 210
default installations, defining, 53, 57-58
defense in depth concept, 59-60
delegates, security issues, 558
Demand method, 547, 548, 550-52, 553
demands, remoting, 553
denial of service (DoS) threats
   API issues, 719-20
   application crashes, 517-21
   CPU starvation attacks, 521-29
   list of specific threats and solutions, 120-23
   memory starvation attacks, 529-30
   mitigating, 108
   network bandwidth attacks, 532
   operating systems crashes, 517-21
   overview, 85, 98, 517
   payroll application example, 99-100
   resource starvation attacks, 530-31
   testing techniques, 575, 576, 587
deny ACEs, 180-81
Deny method, 550
deny-only SIDs, 236-37
Department of Justice Computer Crime and Intellectual Property Section (CCIPS), 11
desktop, role of services, 664-65
developers
   as defenders, 19-21
   security checklist, 731-35
development process
   accountability aspect, 49
   defining guidelines for secure coding, 44
   design security principles, 54-68
   external code reviews, 45
   learning from past mistakes, 44-45, 54-56
   limiting bug counts, 46
   peer reviewing new code, 44
   reviewing old defects, 44-45, 54-56
   role of threat modeling, 70-108
   and SD3, 51-54
   who can check in new code, 43
device names, 372-73, 386, 387
device objects, creating, 669
DFDs. See data flow diagrams
dh.exe tool, 587
dialog boxes, identifying as part of security testing process, 571
dictionary attacks, 302, 303
Diffie-Hellman key agreement, 281
digest function, 301. See also hashing
digital signatures
   as authorization mechanism, 117
   creating, 294-96
   vs. keyed hashes, 294
   overview, 294
directory junctions, 686-87
directory structure, as security issue, 370-71
disclosure. See information disclosure threats
discoverability, as DREAD category, 94
discretionary access control lists (DACLs), 175, 177, 184, 195-99, 211, 669
Dispose method, 336
Distributed COM (DCOM)
   application-level security, 502
   as authorization mechanism, 116
   configuring, 500-501
   defined, 499
   developer's checklist, 733
   handling of asynchronous calls, 508-9
   overview, 500-501
   programmatic security, 505-8
   RPC and, 477, 499
   running objects as interactive user, 503
   running objects as launching user, 503
   running objects as local system account, 503
   running objects as specific user, 504-5
   security best practices, 499-509
   security text application, 507-8
   testing of applications, 592-93
   user context options, 502-5
DLL functions, identifying as part of security testing process, 571
documentation
   reviewing product specifications, 708
   security issues, 695-700
   SOAP server product example, 698-700
domain accounts, 666-67
domain credentials, 309
DOS. See MS-DOS, device name vulnerability
DoS. See denial of service threats
DPAPI (Data Protection API)
   ACL and, 305-6
   vs. LSA, 312
   overview, 305-7
   ways to use, 305
DREAD risk categories, 93-95
Driver Verifier, 668
drivers
   allocation of memory, 670
   buffer-handling issues, 671-73
   reliability, 668
   security issues, 669
   serialization primitives and, 670-71
   setting FILE_DEVICE_SECURE_OPEN, 669
   symbolic links and, 670
   types of handles, 670
DsMakeSPN function, 488
DVD encryption, breaking, 273
dynamic buffers, 322
Dynamic Data Exchange (DDE), identifying as part of security testing process, 571
Dynamic HTML (DHTML), 687
dynamic memory, _alloca function and, 691-92

E
Eastlake, Donald, 272
echo service, 532
EDI (Electronic Data Interchange), 661
education
   changing mind-sets, 29-30
   example of its value, 31-32
   keeping workers attuned, 18
   mandatory vs. voluntary, 28, 29
   ongoing aspect, 17-18, 29
   role in developing security-savvy workers, 26-28
eEye, bypassing security checks, 374
EIP register, 585
Electronic Data Interchange (EDI), 661
elevation of privilege threats
   list of specific threats and solutions, 120-23
   mitigating, 108
   overview, 85, 98
   payroll application example, 101
   remote procedure calls and, 494-95
   testing techniques, 575
e-mail
   identifying as part of security testing process, 571
   as tool, 14-15, 18
embedded keys, and storage of secret data, 337
embedding IP addresses, 473
employees. See hiring employees
encoding output, 422
Encrypting File System (EFS)
   as authorization mechanism, 116
   temporary files and, 686
endpoints, RPC, 498-99
enforcement tenet, Safe Harbor Principles, 645
EnterCriticalSection function, 719
environment, identifying where data comes from, 573
environment variables, identifying as part of security testing process, 571
ErasableData class, 335-36
error messages
   bad examples, 700, 701, 702-3
   being specific, 705-6
   changing in fixes, 668
   cryptic vs. detailed, 663
   good example, 701-2
   information disclosure issues, 701-5
   informed consent and, 702-4
   local vs. remote settings, 561-62
   progressive disclosure and, 704-5
   remoteOff settings, 561-62
   security information in, 700-701
   usability testing, 707-8
error paths, 668
errors, checking returns, 624-25
escape codes, 378, 381
ESRB trust program, 645, 646
European Union Directives on Data Protection, 643
eval() function, 431-32
event log, role in security testing, 588
Everyone (DELETE) ACE type, 198
Everyone (FILE_DELETE_CHILD) ACE type, 198
Everyone (GENERIC_ALL) ACE type, 198, 221
Everyone (WRITE_DAC) ACE type, 197, 198
Everyone (WRITE_FILE_ADD_FILE) ACE type, 197-98
Everyone (WRITE_OWNER) ACE type, 197, 198
ExAllocatePoolWithQuotaTag function, 670
exception handling, 588
exchanging keys, 279-81
EXE functions, identifying as part of security testing process, 571
ExerciseArgs.pl file, 598-99
ExInterlockedInsertHeadList function, 670
exploitability, as DREAD category, 94
external code reviews, 45
external data, as insecure, 63-64

F
failure
   inevitability, 64
   methods to prevent, 639-40
   secure vs. insecure, 64-66, 347
   tools for determining why applications fail, 251-58
   withholding details from attackers, 562-63
FAT file systems, storing secret data, 337
features, whether to enable by default, 58
fgets function, 163
file extensions
   IsBadExtension function, 348
   as security issue, 348-49, 368
   as valid input, 347-50
file I/O vs. isolated storage, 559-60
FILE_ATTRIBUTE_TEMPORARY flag, 684
FILE_FLAG_DELETE_ON_CLOSE flag, 684, 685
FileIOPermission, 543, 544, 547, 551
FileMon tool, 254, 257
filenames
   \\?\ format, 370
   attempting to canonicalize, 386-90
   avoiding name-based security decisions, 383
   canonical name issues, 364-73
   case sensitive, 371
   character mixups, 382
   common Windows canonical mistakes, 367-73
   device names, 372, 373, 386, 387
   directory and parent path vulnerabilities, 370-71
   preventing short (8.3) filenames, 385
   problems with short (8.3) representations of long names, 367-68
   relative vs. absolute, 371
   as security issue, 347-50, 364-73
   strong names, 540-42
   trailing characters as problem, 369-70
   as valid input, 347-50
FILE_REPARSE_POINT attribute, 687
files
   flowchart for investigating potential access failures, 257
   identifying as part of security testing process, 571
   identifying where data comes from, 573
   local, vulnerability to XSS attacks, 418-20
   security testing applications, 596
FileStream class, 560
filtering, as authorization mechanism, 118
FIN packets, 465, 467
FIPS 140-1 standard, 267, 268
firewalls
   cross-site scripting and, 417
   FTP as unfriendly application, 471
   limitations, 725
   protective role, 470
   vs. routers, 470
   rules for application developers, 471-73
Flake, Halvar, 140
floating-point arithmetic, 620
FoldString function, 450
foreign languages. See languages other than English, Unicode regular expression issues
format string bugs, 147-52
forms-based authentication, 110-11
<FRAME SECURITY> attribute, 426-27
FTP (File Transfer Protocol), as example of firewall-unfriendly application, 471
function calls, checking returns, 624-25
FunLove virus, 209
FXCop tool, 539-40

G
Gabrilovich, Evgeniy, 382
games, multiplayer, protecting from attack, 9
Garg, Praerit, 86
Garms, Jason, 86
GetCurrentProcessID function, 263
GetCurrentThreadID function, 263
GetFileType function, 681
GetKeyHandle function, 277
GetLocalTime function, 264
gets function, 163, 715
GetServerBlanket function, 508
GetServerVariable function, 154
GetStringTypeEx property, 449
GetTickCount function, 263, 621
GetUnicodeCategory method, 449
Gflags.exe tool, 587
global data LSA secret, 312
Gontmakher, Alex, 382
Gramm-Leach-Bliley Act (GLBA), 646

H
Hailstorm tool, 587
Hal.dll file, 668
handles, security issues, 670. See also context handles
hardware, system data as basis for cryptographic keys, 316-20
hardware devices, identifying as part of security testing process, 571
hashing
   creating salted hashes, 302-3
   overview, 116-17
   role of PKCS #5, 303-4
   verifier overview, 301
HEAD request, 6
Health Insurance Portability and Accountability Act (HIPAA), 646
heap overruns
   HeapOverrun.cpp file, 140-44
   overview, 138-40
HeapAlloc function, 322
HeapCreate function, 322
HeapOverrun.cpp file, 140-44
HeapSize function, 322
Help files, 420-21
hexadecimal escape codes, 378
hiring employees
   qualities to look for in security employees, 16-17
   security questions to ask during interviews, 33-34
hisecdc security template, 608, 609
hisecws security template, 608, 609
Hoglund, Greg, 169
honeypots, 5
HTML escape codes, 381
HTML files
   building malicious test code, 600-602
   forcing into zones, 425-26
   mark of the Web, 425-26
   vulnerability to XSS attacks, 418
HTML Help files, 420-21
HTML tags
   embedding scripts in, 428-29
   vulnerability, 428-29, 430
HTMLEncode method, 422
HTTP 1.0 protocol, 110
HTTP requests
   ascertaining data structures, 573
   identifying as part of security testing process, 571
   REFERER header, 432-33
   trust issues, 432-33
HTTP server port, 6
HTTP-based server applications, testing, 589-92
HttpGetClientProtocol class, 590
HttpOnly, as cookie option, 424-25
HttpPostClientProtocol class, 590

I
I18N. See internationalization issues
IAccessControl interface, 505
IBM Sendmail bug, 588
IClientSecurity interface, 505, 508
IDisposable interface, 336
IDL. See Interface Definition Language files, [range] attribute
ILoveYou virus, 209
ImpersonateAnonymousToken function, 678
ImpersonateDdeClientWindow function, 678
ImpersonateLoggedOnUser function, 678
ImpersonateNamedPipeClient function, 678
ImpersonateSecurityContext function, 678
ImpersonateSelf function, 678
impersonation functions, 678, 718-19
impersonation model, trusted subsystem model and, 250-51
Indexing Service, 685
INF files, 669
information disclosure threats
   attacks on secret data, 300
   error message issues, 701-5
   list of specific threats and solutions, 120-23
   mitigating, 108
   Napster filter example, 364-65
   overview, 84, 97, 98
   payroll application example, 88, 98
   as spoofing threats, 300
   testing techniques, 574, 607
information sources, 15-16
informed consent, 702-4
inheritance, security issues, 554-55
InheritanceDemand method, 553
InitializeCriticalSection function, 719
innerText property, 423
input
   checking for validity using regular expressions, 349-53
   checking for validity using string compares, 348-49
   database issues, 397-411
   defending against use in attacks, 345-47
   encoding, 422
   misplaced trust problem, 343-45, 398, 625-26
   quoting, 401-2
   role of classes in validating, 361-62
   to trust or not to trust, 342-43
   valid vs. invalid, 347-50, 391
   Web-specific issues, 413-37
installation, default, 53, 57-58
installing secure applications, 627-40
integer overflows, 620-24
integer underflows, 624
interactive desktop, role of services, 664-65
Interface Definition Language (IDL) files, [range] attribute, 483-84
interfaces
   ascertaining data structures, 573
   list of vulnerability characteristics, 572
   ranking for testing by potential vulnerability, 572
internationalization issues
   basic rules, 440
   buffer overruns, 441-42
   character set conversion, 444, 619-20
   Unicode and regular expressions, 353-58
   validating Unicode strings, 443
Internet
   as hostile environment, 4, 5-7
   Web-specific input issues, 413-37
Internet Explorer
   version 4 and dotless-IP address bug, 374-75
   version 4 security zone issue, 374-75
   version 6 HttpOnly cookie option, 424-25
   version 6 mark of the Web, 425-26
   version 6 privacy eye, 652
Internet Information Services (IIS), 6, 375-77, 667, 668
Internet Printing Protocol (IPP)
   buffer overrun vulnerability, 154-55, 210
   role in Web server defacements, 210
Internet Server Application Programming Interfaces (ISAPIs), 392, 433-36
InternetCrackURL.cpp file, 513-14
Invariant locale, 448
invasions of privacy, 642. See also privacy
I/O Manager, 672
I/O request packets, 672, 673-74
IObjectWithSite interface, 513
IoCreateDeviceSecure function, 669
IP addresses, why not to embed in application layer, 473
IP protocol. See IPv6
IP restrictions, 202-3, 205
IPSec
   authentication methods dialog box, 280
   as authorization mechanism, 116
   support for authentication, 113
IPv6, 455, 456, 474-75
IRP (I/O request packet) cancellation, 673-74
ISAPIs (Internet Server Application Programming Interfaces), 392, 433-36
IsBadCodePtr function, 721
IsBadExtension function, 348
IsBadHugeReadPtr function, 721
IsBadHugeWritePtr function, 721
IsBadReadPtr function, 721
IsBadStringPtr function, 721
IsBadWritePtr function, 721
IsCallerInRole method, 201
ISerializable interface, 558-59
IsNLSDefinedString function, 443
ISO 17799, 36-37
isolated storage
   when not to use, 560
   when to use, 559-60
IsValidDomain function, 514

J
JettisonPrivs.cpp file, 246-47
JScript
   encrypting and decrypting messages, 282
   eval() function, 431-32
   regular expression example, 360

K
KeAcquireSpinLock primitive, 670
Kerberos
   authentication, 112
   remote procedure calls and, 488
kernel mode
   buffer-handling issues, 671-73
   handles and, 670
   high-level security issues, 669
   overview, 668
   symbolic links and, 670
key streams. See stream ciphers
keyed hashes
   common mistakes, 291
   creating, 291-94
   MAC.cpp file, 292-94
   overview, 290
keys. See cryptographic keys
Klaus, Christopher W., 95
Knuth, Donald, 260
Kohnfelder, Loren, 86

L
languages other than English, Unicode regular expression issues, 353-58
laptops
   and cryptographic keys, 320
   security concerns, 320
LB_GETTEXT message, 718
LB_GETTEXTLEN message, 718
LCMapString function, 443
LDAP sources, identifying as part of security testing process, 571
least privilege concept
   debugging issues, 251-58
   good reasons for running with, 208-10
   installation issues, 628-30
   as mitigation technique, 118
   overview, 60-62, 118, 207-8
   storing user data, 678-79
legislation, privacy, 643-46
linear congruential function, 260-61, 262
link demands, 551
LinkDemand example, 551-52
Linkd.exe file, 686
Linux
   device name issues, 373, 387
   symbolic-link vulnerabilities, 366
Litchfield, David, 147
LoadLibrary function, 717
LoadLibraryEx function, 717
LoadUserProfile function, 306
local accounts, 503, 665, 666, 667
local Active Directory, 688
local administrators group
   object ownership in Windows XP and later versions, 217
   when not to use, 60-62
local data LSA secret, 312
local files, vulnerability to XSS attacks, 418-20
local procedure calls (LPCs), identifying as part of security testing process, 571
Local Security Authority (LSA)
   LsaRetrievePrivateData function, 221, 307, 312
   LsaStorePrivateData function, 221, 222, 307, 312, 315
   overview, 221-22, 312
   removing privileges, 245
   role of DPAPI, 223, 312
   sample C++ code for handling secrets, 313-15
   in Windows .NET Server 2003, 245
locales, 448
LocalRPC (LRPC), 497, 498
locking. See spin locks
logging
   as authorization mechanism, 117
   and BindDemoServer example, 462
   overview, 693-94
long filenames, 367-68
long passwords, allowing, 690
lpApplicationName parameter, 676, 677
lpCommandLine parameter, 676, 677
LSA. See Local Security Authority
LSA_HANDLE object, 530
LsaRetrievePrivateData function, 221, 307, 312
LsaStorePrivateData function, 221, 222, 307, 312, 315
lstrcat function, 714
lstrcpy function, 714
lstrcpyn function, 714
LVM_GETISEARCHSTRING message, 717

M
MAC.cpp file, 292-94
machine data LSA secret, 312
Macintosh OS X, vulnerability, 365
MACs (message authentication codes)
   as authorization mechanism, 117
   SSL/TLS and, 115
mailing lists, 15
mailslots
   identifying as part of security testing process, 570
   opening, 372
managed code
   developer's checklist, 734-35
   migrating C and C++ components to, 694
   overview, 535-36
   partially trusted, 556-57
   protecting secret data, 329-36
   regular expressions overview, 359-60
   restricting method access, 554-55
management, selling security idea to, 8-11
MandrakeUpdate application, 682
_mbccpy function, 715
_mbscat function, 714
_mbscpy function, 714
_mbsdec function, 715
_mbsinc function, 715
_mbslen function, 715
_mbsnbcat function, 714
_mbsnbcpy function, 714
_mbsncat function, 715
_mbsncpy function, 715
_mbsnextc function, 715
_mbsnset function, 715
_mbsrev function, 715
_mbsset function, 715
_mbsstr function, 715
_mbstok function, 715
MD5 hash function, 301
Meltzer, David, 530, 532
memcpy function, 714
memory
   allocated by drivers, 670
   cleaning out dynamic buffers, 322
   compiler optimization and, 322-26
   encrypting secret data, 326-27
   keeping secret data in, 321-28
   locking to protect data, 327, 328
   starvation DoS attacks and, 529-30
Memory Descriptor List (MDL), 672
message authentication codes. See MACs
message digests, 301
MessageBox function, 664-65
metacharacters, 586
microphone, identifying as part of security testing process, 571
Microsoft Corporation
   Allchin e-mail, 14
   Microsoft Security Response Center, 127
   Secure Windows Initiative, 26, 51-54
   Windows 2000 test site, 6
   Windows Security Push, 26, 28, 128
Microsoft IDL (MIDL) compiler, /robust switch, 483, 581
Microsoft .NET. See also common language runtime
   checking assemblies with FxCop, 539-40
   code access security elements, 537-39
   protecting secret data, 329-36
   role of delegates, 558
   XCOPY deployment, 329
Microsoft Passport, 111
Microsoft RPC, 477
Microsoft Telnet server, 680
Microsoft Visual Basic, 201
Microsoft Visual Basic .NET, 359, 360-61
Microsoft Visual C++. See C and C++ programming languages
Microsoft Visual C++ .NET, GS option, 167-70
mistakes, learning from, 44-45, 54-56
mitigating threats, techniques
   auditing, 117
   authentication, 109-14
   authorization, 114-15
   digital signatures, 116-17
   encryption, 116-17
   filtering, 118
   hashes, 116-17
   least privilege, 118
   MACs, 116-17
   privacy enhancement, 115-16
   quality of service, 118
   tamper resistance, 115-16
   throttling, 118
Mitnick, Kevin, 473
mixing code and data, 67
MmProbeAndLockPages function, 671
Morris, Robert T., 127
motives, defined, 87
MoveFile function, 716, 721
MS-DOS, device name vulnerability, 365
MultiByteToWideChar function, 153, 440, 444, 445, 620, 715
multiplayer games, protecting from attack, 9
multiplexing applications, 472
mutated data. See data mutation
mutexes, 681
mutual authentication, 488
My Computer zone, 419
MyToken.cpp file, 227-30

N
named objects, 680-81
named pipes
   identifying as part of security testing process, 571
   identifying where data comes from, 573
   opening, 372
   testing of applications, 592
names, as security issue, 363-96. See also canonicalization
name-squatting, 716
naming of devices, 372-73
Napster, bypassing filters as canonicalization example, 364-65
NAT (network address translation), 473
.NET Framework roles, 199-201. See also Microsoft .NET
NetApi32 calls, 720-21
NetBIOS
   identifying as part of security testing process, 570
   identifying where data comes from, 573
network address translation (NAT), 473
network bandwidth attacks, 532
network protocol analyzers, 88
network protocols, remote procedure calls and, 481-82
Network Service account, 665
networks, API issues, 720-21
Newsham, Tim, 147
NLS. See Windows National Language Support
normalizing Unicode strings, 450
notice tenet, Safe Harbor Principles, 644
NTBugTraq, 15
Ntdsapi.dll file, 488
NTFS alternate data streams, 368, 369
NTFS file system, support for directory junctions, 686-87
NTLACL.cpp file, 181-84
NTLM authentication, 112
Ntoskrnl.exe file, 668
NTStrsafe.h file, 668
NULL DACLs, 195-99

O
obfuscation, as security test, 660
object creation mistakes, 679-81
object owners, 217
<OBJECT> tag, 593-95
ObReferenceObjectByHandle function, 670
OffByOne.c example, 136-38
Oh.exe tool, 587
ONC. See Open Network Computing
online trust programs, 645, 646
onward transfer tenet, Safe Harbor Principles, 644
Open Network Computing (ONC), defined, 477
Open Software Foundation (OSF), 479
OpenDesktop function, 665
OpenFileByID function, 494
OpenProcessToken function, 230
OpenWindowStation function, 665
operating systems. See also Windows operating system
   denial of service (DoS) threats, 517-21
   role in security handling, 674
output, encoding, 422
Own3d (hacker slang), 13
owners, object, 217

P
P3P (Platform for Privacy Preference Project), 652, 653-56
pack function, 583
packages, signing, 639
packet privacy and integrity, remote procedure calls and, 489-90
Pagefile.sys file, 300
paging, preventing, 327, 328
paper trails, 660
partially trusted code, 556-57
passwords. See also secret data
   in aftermath of software installation, 630
   embedding in code, 692
   as information disclosure issue, 701
   keeping them secret, 301-5
   long, allowing, 690
   measuring effective bit size, 270-72
   role of PKCS #5, 303-4
   storing in registry, 337
   using to derive cryptographic keys, 269-72, 304
   weaknesses in, 269-72
path analysis, 95-96
PATH environment variable, avoiding, 385
path names, using in full, 385-86
payroll application example
   analyzing specific threats, 98-102
   data flow diagrams, 77, 79, 81
   list of components, 82-83
   mitigating threats, 118-19
   tables describing threats, 98-102
   threat tree overview, 88-90
   threat trees illustrated, 89, 102-4
peer reviewing code, 44, 617
Performance Monitor, role in security testing, 587-88
Perl
   CSSInject.pl file, 605
   ExerciseArgs.pl file, 598-99
   invoking taint (-T) option, 349, 350
   pack function, 583
   regular expressions overview, 358
   role in testing HTTP-based server applications, 589-92
   role in testing sockets-based applications, 589
   security testing for scripting attacks, 604-5
   security testing SOAP services, 602-3
   SmackPOST.pl file, 589-90
   SmackQueryString.pl file, 590
   TCPJunkServer.pl file, 606
   testing clients with rogue servers, 606
   testing file-based applications, 596
   testing HTTP-based server applications, 589-90
   testing registry-based applications, 596-97
   TestSoap.pl file, 602-3
permissions
   assembly requirements, 542-45
   asserting, 545-47, 548, 549-50
   declarative, 543, 545
   demanding, 547, 548, 550-52
   FileIOPermission, 543, 544
   imperative, 545
   optional, 544-45
   role in SQL Server, 203
   server-specific, 115
   unmanaged code and, 548
   unneeded, 544
PermitOnly method, 550
personally identifiable information (PII), 643
perturbing data to test security, 575-87
Phone application example, 480, 484, 486-87, 488
Ping of Death, 518
pipe bomb bug, 588
PKCS #5 standard, 303-4
Platform for Privacy Preference Project (P3P), 652, 653-56
Plug and Play, role in deriving cryptographic keys, 316-20
PnP. See Plug and Play, role in deriving cryptographic keys
pointers, reviewing code, 625
policy reference files, 654
port 80, 6
ports
   binding sockets, 456-57
   scanning, 6, 469
predictable cookies, 436-37
primitives, serialization, 670-71
PrincipalPermission class, 200
principals, 200-201
printf family of functions, 714-15
privacy
   annoying invasions, 642
   benefits of team organization, 647-48
   building infrastructure, 647-48
   for client-side applications, 656-58
   defined, 116
   exploring user preferences, 652-62
   major legislation, 643-46
   malicious invasions, 642
   policy statement, 651-52, 654
   review template, 651
   role in application development process, 649-52
   role of advocate, 648
   role of Chief Privacy Officer, 648
   vs. security, 646-47
   specification template, 650-51
   then and now, 641
   trust and, 641-42
   U.S. Federal laws, 646
privacy advocate, 648
private data LSA secrets, 312
private information. See secret data
private keys, 280
PrivilegeCheck function, 233
privileges
   access control list issues, 220-21
   accounting for in administrator's token, 223-48
   allowing less-privileged accounts to run applications, 233-34
   as authorization mechanism, 114
   debugging least-privilege issues, 251-58
   determining what's appropriate, 223-48
   determining which ones are required, 232-33
   elevation of privilege threats, 85, 98, 101, 108
   finding in Windows application example, 224-26
   flowchart for investigating potential failures, 255
   JettisonPrivs.cpp file, 246-47
   overview, 211-12
   reasons for requiring administrative access, 220-22
   reasons that applications require elevated privileges, 220-22
   removing permanently when unneeded, 243-47
   SeAssignPrimaryTokenPrivilege issues, 217, 218
   SeBackupPrivilege issues, 212-15
   SeChangeNotifyPrivilege issues, 218
   SeDebugPrivilege issues, 215-16
   SeIncreaseQuotaPrivilege issues, 217, 218
   SeLoadDriverPrivilege issues, 217
   separating, 61-62
   SeRemoteShutdownPrivilege issues, 217
   SeRestorePrivilege issues, 215
   SeTakeOwnershipPrivilege issues, 217
   SeTcbPrivilege issues, 216
   solving elevated privilege issues, 222-23
   vs. tokens and SIDs, 218-20
   when not to use, 60-62, 118
   WOWAccess.cpp file, 212-14
ProbeForRead function, 671, 672
ProbeForWrite function, 672
product features, whether to enable by default, 58
profiles, roaming, 560
profiling, 527-29
Program Files directory, 678-79
programming languages, remote procedure calls and, 478
programs. See code; secure applications; software
progressive disclosure, 704-5
promiscuous mode, 88, 89
ProtectKey.cpp file, 277-79
protocols. See also TCP protocol; User Datagram Protocol
   DCOM and, 501
   reasons not to multiplex applications, 472
   sequences for remote procedure calls, 499
Public Key Cryptography Standard (PKCS) #5, 303-4
pushes, security, 45-46

Q
QoS. See quality of service, as authorization mechanism
quality of service, as authorization mechanism, 118
QueryPerformanceCounter function, 264
quotas, resource, 530-31
quotation marks ("), 422, 677
quoting input, as remedy for database attackers, 401-2

R
RADIUS (Remote Authentication Dial-In User Service), 114
rand function, 260-62
random data, as security testing tool, 578-84
random numbers
   creating salted hashes, 302-3
   cryptographically random, 262-68
   generating with CryptGenRandom function, 262-68
   generating with rand function, 260-62
   in managed code, 262-69
   predictable, 260-62
[range] attribute, 483-84
RASQ (relative attack surface quotient), 611-13
RC4Test.cpp file, 285-87
ReadFileByID function, 494
read-only access, 679
real names, embedding in code, 692
recv function, 720
REFERER header, 432-33
Regex++, 360
registry
   ACLs and, 172-73
   flowchart for investigating potential access failures, 256
   identifying as part of security testing process, 571
   identifying where data comes from, 573
   levels of security need, 337, 338, 555-56, 629-30
   security testing applications, 596-97
   storing passwords in, 337
   usage by SafeQuery example, 409-10
   ways to store sensitive data, 337, 338, 555-56
RegMon tool, 254, 256
RegQueryValueEx function, 173
regression bugs, 12
regular expressions
   C++ overview, 360-61
   C# example, 359
   CAtlRegExp class, 360-61
   finding data vs. validating data, 352-53
   as input validation tool, 349-53
   managed C++ example, 359-60
   managed code overview, 359-60
   Perl overview, 358
   restricting allowable filenames, 383-85
   in scripts, 360
   Unicode and, 353-58
   Visual Basic .NET example, 359
relative attack surface quotient (RASQ), 611-13
Remote API (RAPI), identifying as part of security testing process, 571
Remote Authentication Dial-In User Service (RADIUS), 114
Remote Desktop Users SID, 193-94
remote procedure calls (RPCs)
   as authorization mechanism, 116
   as C and C++ technology, 478
   compiling code, 479-80
   context handles vs. access checks, 492-93
   creating applications, 479-80
   DCE (Distributed Computing Environment) variant, 477
   developer's checklist, 733
   history, 477
   how applications communicate, 481-82
   identifying as part of security testing process, 571
   identifying where data comes from, 573
   Kerberos support, 488
   list of possible security setting levels, 485
   multiple RPC servers in a single process, 497-99
   ONC (Open Network Computing) variant, 477
   overview, 477, 478-79
   performance issues, 489
   Phone application example, 480
   potential security threats to, 482
   relationship to DCOM, 477, 499
   requiring authenticated connections, 484-89
   role of security callback functions, 495-97
   role of strict context handles, 491-92
   security best practices, 482-99
   testing applications, 592
   testing performance characteristics, 489
   vulnerabilities, 477-78
reproducibility, as DREAD category, 93
repudiation threats
   list of specific threats and solutions, 120-23
   mitigating, 108
   overview, 84, 98
   testing techniques, 574
res: protocol, 420-21
reserve names, 372-73
resources
   finding in Windows application example, 224
   names as security issue, 363-96
   starvation DoS attacks, 530-31
Restrict.cpp file, 238-39
reusable components, 345, 689
roaming profiles, 560
/robust MIDL switch, 483, 581
rogue servers, 606
role-based security
   COM+ roles, 201
   .NET Framework roles, 199-201
   overview, 199
root (hacker slang), 13
rootsec security template, 608
RoundTrip.cpp file, 445-47
routers, vs. firewalls, 470
RpcBindingInqAuthClient function, 486-87, 488
RpcBindingSetAuthInfo function, 484-85, 486, 489, 495
RpcBindingToStringBinding function, 497
RpcEpRegister function, 498-99
RpcImpersonateClient function, 494, 678
RPCs. See remote procedure calls
RpcServerRegisterAuthInfo function, 486
RpcServerUseProtSeq function, 497
RpcStringBindingParse function, 497
RPCSvc application, 489
RpcServerRegisterIf function, 495
RpcServerRegisterIf2 function, 495, 496
RpcServerRegisterIfEx function, 495, 496
RSA algorithm, 26-27, 281
RSA Data Security, 301, 303

S
Safe Harbor Principles
   access tenet, 645
   choice tenet, 644
   data integrity tenet, 645
   enforcement tenet, 645
   history, 643
   notice tenet, 644
   onward transfer tenet, 644
   overview, 644
   security tenet, 645
safe string handling, 156-67
SafeQuery example, 407-11
SAFER.cpp file, 242-43
salt values, 287-88
salted hashes, creating, 302-3
sample applications, making secure, 688
SANS (System Administration, Networking, and Security) Institute, 4
SB_GETLBTEXTLENGTH message, 718
SB_GETTEXT message, 718
SB_GETTIPTEXT message, 718
scanf function, 715
Schiller, Jeffrey, 272
<SCRIPT> blocks, 417-18
scripting, ActiveX controls best practices, 511-15. See also cross-site scripting
SD3, 51-54
SDDL. See Security Descriptor Definition Language
SDDLACL.cpp file, 186
SearchPath function, 717
SeAssignPrimaryTokenPrivilege privilege, 217, 218, 249
SeAuditPrivilege privilege, 249
SeBackupPrivilege privilege, 212-15, 249
SeChangeNotifyPrivilege privilege, 218, 249
SeCreatePagefilePrivilege privilege, 249
SeCreatePermanentPrivilege privilege, 249
SeCreateTokenPrivilege privilege, 249
secret data. See also passwords
   and compiler optimization, 322-26
   encrypting in memory, 326-27
   hash overview, 301
   keeping it secret, 301-5
   memory issues, 321-28
   preventing paging of, 327, 328
   protecting in managed code, 329-36
   protecting in Windows 95, 315-20
   protecting in Windows 98, 315-20
   protecting in Windows 2000, 305-11
   protecting in Windows CE, 315-20
   protecting in Windows Me, 315-20
   protecting in Windows NT, 311-15
   protecting in Windows XP, 305-11
   protection trade-offs, 338-39
   storing hashes, 301-5
   threat susceptibility, 300
   ways of attacking, 300
   ways to store, 336-38
Secret.txt file, 336-38
secure applications. See also code; software
   adding security to new products, 38-41
   banner strings, 667
   checklists, 169, 731-35
   cost factors in fixing vulnerabilities, 10-11
   CPU starvation attacks, 521-29
   defining default installation, 53, 57-58
   defining security goals for new products, 34-37
   denial of service (DoS) threats, 517-21
   disabling tracing and debugging before deploying ASP.NET applications, 561
   enabling product features by default, 58
   installing, 627-40
   multiplexing, 472
   profiling, 527-29
   as quality issue, 4-5, 6-7, 8
   reasons for building, 8-11
   role of threat modeling, 70-108
   SD3, 51-54
   secure by default, 53
   secure by deployment, 53-54
   secure by design, 51-53
   security as product feature, 37-40
Secure Windows Initiative, 26, 51-54
securedc security template, 608
SecureIIS, 374
securews security template, 608
SecureZeroMemory function, 325
security
   ActiveX best practices, 509-15
   adding incremental improvements to development process, 25-26
   canonicalization issues, 363-96
   common excuses, 723-28
   common shortcomings, 23-24
   as competitive issue, 9
   as consumer issue, 9, 10
   cost factors in fixing vulnerabilities, 10-11
   DCOM best practices, 499-509
   design principles, 54-68
   designer's checklist, 729
   developer's checklist, 731-36
   as a discipline, 54-68
   documentation issues, 695-700
   fire analogy, 87
   as media issue, 9
   vs. privacy, 646-47
   as product feature, 37-40
   as quality issue, 4-5, 6-7, 8
   reasons for making a priority, 8-11
   role of testers, 567-68
   role of users, 675
   RPC best practices, 482-99
   services best practices, 663-67
   subversion as wake-up call, 11-13
   tester's checklist, 737
   threat mitigation techniques, 107-18
   trade-offs in protecting secret data, 338-39
   ways to instill consciousness, 13-19
   when to add to new products, 38-41
   where to begin, 7-13
security blanket, DCOM, 505, 508-9
security callback functions, 495-97
security code reviews
   how to deal with large applications, 617-18
   multiple-pass approach, 618
   overview, 615-16
   vs. peer reviews, 617
security comments, adding to code, 674
Security Configuration and Analysis snap-in, 630-31
Security Configuration Editor
   creating new configuration database, 631-32
   creating templates, 632-33
   overview, 627, 630-31
   SecInstall example, 633-37
Security Descriptor Definition Language (SDDL), 185-89
security descriptors (SDs), 184, 669
security identifiers (SIDs)
   accounting for in administrator's token, 223-48
   Administrator SID, 689-90
   applying deny-only attribute, 236-37
   determining which ones are required, 232-33
   list of well-known types, 188-89
   overview, 177, 184, 185
   Remote Desktop SID, 193-94
   in SetUpdateACL.cpp file, 192
   Terminal Server SID, 193-94
   vs. tokens and privileges, 218-20
security pushes, 45-46
security settings, 708-9
Security Support Provider Interface (SSPI), 112
security templates, 607-9
Security Templates snap-in, 630, 631
security tenet, Safe Harbor Principles, 645
security testing
   ActiveX applications, 592, 593-95
   building test plans from threat models, 569-605
   building tools for finding flaws, 588-605
   COM and DCOM applications, 592-93
   command line arguments, 597-600
   cross-site scripting, 604-5
   determining attack surface, 611-13
   file-based applications, 596
   finding bug variations, 609-10
   formulating test plans for attacking applications, 573-75
   vs. functional testing, 568-69
   HTTP-based server applications, 589-92
   identifying component interfaces, 570-71
   named pipes applications, 592
   overview, 47, 567
   quality of test code, 610
   ranking interfaces by potential vulnerability, 572
   registry-based applications, 596-97
   role of list of system components, 570
   role of rogue servers, 606
   role of templates, 607-9
   role of testers, 567-68
   RPC applications, 592
   setting up application monitoring first, 587-88
   SOAP services, 602-3
   sockets-based applications, 589
   techniques for denial of service (DoS) threats, 575, 576, 587
   techniques for perturbing data, 575-87
security zones. See zones, security
SecurityFocus, 15, 16
SeDebugPrivilege privilege, 215-16, 249
SeEnableDelegationPrivilege privilege, 249
SeImpersonatePrivilege privilege, 250-51
SeIncreaseBasePriorityPrivilege privilege, 249
SeIncreaseQuotaPrivilege privilege, 217, 218, 249
SeLoadDriverPrivilege privilege, 217, 249
SeLockMemoryPrivilege privilege, 249
SeMachineAccountPrivilege privilege, 249
semaphores, 681
send function, 720
Sendmail bug, 588
SeProfileSingleProcessPrivilege privilege, 249
SeRemoteShutdownPrivilege privilege, 217, 249
SeRestorePrivilege privilege, 215, 249
serialization
   deserializing data from untrusted sources, 562
   security issues, 558-59
serialization primitives, 670-71
SerializationFormatter permission, 562
serializing, defined, 562
Server Message Block (SMB) protocol, 63, 609
server names, as canonicalization issue, 393-94
servers
   avoiding hijacking, 456-63
   building test cases to attack, 588-605
   choosing interfaces, 464
   embedding names in code, 692
   hijacking, 456
   insecure, 63-64
   rogue-type, 606
   testing HTTP-based applications, 589-92
server-specific permissions, 115
Service account, SeImpersonatePrivilege privilege, 250
Service Control Manager (SCM), 219
services
   account guidelines, 665-67
   overview, 664
   role of Windows desktop, 664-65
   security best practices, 663-67
SeSecurityPrivilege privilege, 249
SeShutdownPrivilege privilege, 249
SeSyncAgentPrivilege privilege, 249
SeSystemEnvironmentPrivilege privilege, 249
SeSystemProfilePrivilege privilege, 249
SeSystemtimePrivilege privilege, 249
SeTakeOwnershipPrivilege privilege, 217, 249
SetBlanket method, 505, 508
SeTcbPrivilege privilege, 216, 249
SetFileSecurity function, 184
SetNamedSecurityInfo function, 184
SetProcessWindowStation function, 665
SetSecurityDescriptorDacl function, 184, 718-19
SetSecurityDescriptorGroup function, 184
SetSecurityDescriptorOwner function, 184
SetSecurityDescriptorSacl function, 184
SetThreadToken function, 678
SetThreadDesktop function, 665
setup security template, 608
SetUpdatedACL.cpp file, 192-93
SeUndockPrivilege privilege, 249
SHA-1 hash function, 301
Shannon, Claude, 270
shared data segments, 677-78
shared memory, identifying as part of security testing process, 571
ShellExecute function, 675, 717
Shimomura, Tsutomu, 473
shipping new software
   knowing when it's safe to ship, 47-48
   response process, 48
short filenames
   preventing generation of 8.3 filenames, 385
   problems with 8.3 representations of long names, 367-68
SIDs. See security identifiers
Simple Network Management Protocol (SNMP), 629
sinks, DCOM and, 509
SiteLock, 514-15
SmackPOST.pl file, 589-90
SmackQueryString.pl file, 590
sneaker-net, 280
SN.exe tool, 333
sniffers, 88
SNMP (Simple Network Management Protocol), 629
_snprintf function, 161-62, 714
_snwprintf function, 714
SOAP (Simple Object Access Protocol)
   code access security checks and, 553
   identifying requests as part of security testing process, 571
   security testing services, 602-3
SoapHttpClientProtocol class, 603
social security numbers, 661
sockets
   BindDemoSvr.cpp file, 457-63
   binding, 456-57
   identifying where data comes from, 573
   IP addresses and, 457
   libraries, 457
   overview, 455
   testing, 589
SO_CONDITIONAL_ACCEPT socket option, 467
SO_EXCLUSIVEADDRUSE socket option, 457, 461, 462, 463
software. See also code; secure applications
   common security mistakes, 23-24
   cost factors in fixing vulnerabilities, 10-11
   creating RPC applications, 479-80
   deciding which bugs to fix, 41-43
   decomposing prior to threat modeling, 74-83
   defining default installation, 53, 57-58
   defining security goals for products, 34-37
   design security principles, 54-68
   designing privacy-aware applications, 649-62
   end-of-life plans, 41
   improving development process, 25-26
   installing applications securely, 630-38
   knowing when it's safe to ship, 47-48
   limiting access to your applications, 659-60
   reasons for making secure, 8-11
   security code reviews for large applications, 617-18
   security practices during design phase, 32-43
   security practices during development phase, 43-47
   security practices during shipping and maintenance phases, 47-49
   tolerance for defects, 41-43
   tools for determining why applications fail, 251-58
   what to do about insecure features, 41
   when to add security to new products, 38-41
   whether to enable product features by default, 58
Software Restriction Policies, 241-43
Solar Designer, 139-40
special characters, 586
spin locks, 670-71
spoofing threats
   connection-based protocols and, 473-74
   connectionless protocols and, 473-74
   host-based trusts and, 473
   as information disclosure threats, 300
   list of specific threats and solutions, 120-23
   mitigating, 108
   overview, 84, 97, 473
   payroll application example, 101-2
   port-based trusts and, 473-74
   testing techniques, 574
sprintf function, 160-61, 714
SQL injection, 399, 400
SQL (Structured Query Language)
   building secure statements, 404-7
   database input issues, 398-401
SQL Server
   connecting as sysadmin, 401, 403-4
   medical access control example, 204
   permissions, 203
   and sysadmin, 403-4
   triggers, 203, 204
SQLConnection object, 409
SSL/TLS
   client issues, 437
   defined, 115
   example, 661, 662
stack overruns
   how to tell if they're exploitable, 133
   OffByOne.c example, 136-38
   overview, 129
   StackOverrun.c example, 129-36
StackGuard, 139, 167
StackOverrun.c example, 129-36
Standard Template Library (STL), 162-63
starvation (DoS attacks)
   starving CPU, 521-29
   starving memory, 529-30
   starving resources, 530-31
state, remote procedure calls and, 482
store-and-forward interfaces, identifying as part of security testing process, 571
stored procedures
   building securely, 406-7
   as database input remedy, 402-3
Stored User Names and Passwords feature, 309-11
strcat function, 714
strcpy function, 129, 156-57, 714
stream ciphers
   bit-flipping attacks, 289-96
   defined, 283
   how they work, 284
   pitfalls, 284-87
   RC4Test.cpp file, 285-87
   reusing same key, 287-89
   what they're used for, 284
streams. See alternate data streams
STRIDE threat categories
   formulating test plans for attacking applications, 573-75
   list of categories, 83-86
strings
   buffer overruns and, 128, 156
   common flaws, 619-20
   moving to resource DLLs, 693
   normalizing, 450
   safe handling, 156-67
   _snprintf function, 161-62
   sprintf function, 160-61
   strcpy function, 129, 156-57, 714
   strncpy function, 158-59, 619, 624, 714
   Strsafe.h file, 163-66
   Unicode multiplicity problem, 450
Strings tool, 273
StripBackslash functions, 525, 526-27, 528, 529
strlen function, 715
strncat function, 714
strncpy function, 158-59, 619, 624, 714
strong names, 540-42
Strsafe.h file, 163-66, 668
SubSeven, 209
subversion, as wake-up call, 11-13
Sun Microsystems, symbolic-link vulnerability, 366
Sun RPC, 477. See also Open Network Computing
SuppressUnmanagedCodeSecurityAttribute attribute, 552-53, 557
surrogate pairs, 442
swprintf function, 714
symbolic-link vulnerabilities, 366
symbolic links, 670, 686
symmetric ciphers, 284
SYN packets, 465, 470
sysadmin, when not to connect to database servers as, 401, 403-4
system access control lists (SACLs), 175, 177, 184
System Administration, Networking, and Security (SANS) Institute, 4
System.EnterpriseServices namespace, 333, 334
System.Runtime.InteropServices namespace, 329
System.Runtime.Serialization namespace, 562

T
tamper resistance, 115-16
tampering. See data tampering threats
TB_GETBUTTONTEXT message, 717
TCP protocol
   accepting connections, 465-70
   binding sockets to ports, 456
   identifying sockets as part of security testing process, 570
   vs. UDP protocol, 472
   window sizes and, 463
TCP/IP protocol, 63, 455
TCPJunkServer.pl file, 606
_tcscat function, 714
_tcscpy function, 714
_tcslen function, 715
_tcsncat function, 714
_tcsncpy function, 714
Telnet server, 680
templates
   privacy specification template, 650-51
   sample applications as, 688
   security, 607-9
temporary files
   CreateFile flags, 684
   creating, 683-84
   Encrypting File System and, 686
   list of vulnerabilities, 682
   random filename prefixes, 685
   secure, 682-86
   security properties, 683
Terminal Server SID, 193-94
TerminateProcess function, 719, 720
TerminateThread function, 719, 720
test code, 610
testing. See security testing
TestSoap.pl file, 602-3
threat modeling
   benefits, 70-71
   categorizing threat effects using STRIDE, 84-85
   common threats listed with solutions, 120-23, 297
   determining overall risk rating, 105
   determining threats, 83-93
   identifying threats, 86-91
   including technical writers and editors in process, 697-98
   items to note, 92-93
   mitigating threats, 107-18
   overview, 41, 69-70
   payroll application example, 77, 79, 81, 82-83, 97-104, 118-19
   process summary, 105-6
   ranking threats by risk, 93-106
   role in building security test plans, 569-605
   role of threat trees, 86-91
   significance in creating secure applications, 41
   SOAP server product example, 698-700
   steps in process, 71-72
   usefulness of data flow diagrams, 73-81
   ways to respond to threats, 106-8
threat targets, 83, 86, 87
threat trees
   converting to outlines, 90
   making more readable, 90, 91
   overview, 86-87
   payroll application example, 88-90
threats, defined, 87. See also mitigating threats, techniques
throttling, as authorization mechanism, 118
Token Master tool, 230-31
tokens
   accounting for SIDs and privileges, 223-48
   applying deny-only attribute to SIDs, 236-37
   determining SIDs and privileges in, 226-32
   MyToken.cpp file, 227-30
   overview, 218
   vs. privileges and SIDs, 218-20
   reducing capabilities, 233-47
   removing privileges, 235
   Restrict.cpp file, 238-39
   SAFER.cpp file, 242-43
   sample restricted token code, 237-41
   specifying restricting SIDs, 235-36
   ways to restrict, 235-37
   when restricted tokens are appropriate, 237
tracing, disabling before deploying ASP.NET applications, 561
trade-offs in protecting secret data, 338-39
trailing characters, in filenames, 369-70
transferring data securely, 661
transforms, 640
triaging bugs, 19
triggers, SQL Server, 203, 204
Trojan horses, 208, 209, 717
trust, as privacy issue, 641-42
trust boundaries, for input, 345-47
TRUSTe program, 645, 646
trusted data
   ACLs and, 344-45
   assumptions, 343-45
   buffer overrun example, 343-45
   overview, 341, 342-43
   vs. untrusted data, 341, 342-43
trusted subsystem model, impersonation model and, 250-51
trustworthy computing, overview, 7
try/except blocks, 670, 671
_tscanf function, 715
TTM_GETTEXT message, 717
TVM_GETISEARCHSTRING message, 717

U
UCS-2 encoding, 380-81
UDP protocol. See User Datagram Protocol
UML (Unified Modeling Language), 74, 178, 179
UNC. See Universal Naming Convention shares
Unicode
   buffer overruns and, 441-42
   buffer size mismatches, 153-54
   character properties, 448-49
   importance in internationalization, 440
   interchanging with ANSI characters as testing technique, 575
   Internet Printing Protocol buffer overrun vulnerability, 154-55
   regular expressions and, 353-58
   string multiplicity problem, 450
   surrogate pairs, 442
   UCS-2 encoding, 380-81
   UTF-8 encoding, 378-80, 381
   validating strings, 443
Unified Modeling Language (UML), 74, 178, 179
Universal Naming Convention (UNC) shares, 371-72
UNIX
   symbolic-link vulnerabilities, 366
   temporary file vulnerabilities, 682
unmanaged code, calling, 548, 557
URLs
   canonical name issues, 373-81
   myriad ways to represent characters, 378-81
   as security issue, 373-81
User Datagram Protocol (UDP)
   accepting connections, 464
   binding sockets to ports, 456, 457
   as connectionless, 464, 472
   DoS attack problem, 517-18
   identifying sockets as part of security testing process, 570
   vs. TCP protocol, 472
user principal names (UPNs), 394, 395
user profiles, roaming, 560
UserInput class, 361-62
usernames, as canonicalization issue, 394-96
users, role in security, 675
UTF-8 encoding, 378-80, 381, 391-92, 440
UTF-16 encoding, 440
UTF-32 encoding, 440

V
VBScript
   determining bit size of passwords, 270-71
   regular expression example, 360
   setting IP restrictions, 202-3
vectors. See attack vectors, determining bias
verifiers, 301
VirtualLock function, 327, 328
viruses, 208, 209
Visual Basic, 201
Visual Basic .NET, 359, 360-61
Visual C++. See C and C++ programming languages
Visual C++ .NET, GS option, 167-70
vulnerabilities, defined, 87

W
w00w00 Security Development (WSD), 138
wcscat function, 714
wcscpy function, 714
wcslen function, 715
wcsncat function, 714
wcsncpy function, 714
Web applications
   developer's checklist, 732-33
   HTTP trust issues, 432-33
   input issues, 413-31
   security issues, 413-37
   vulnerability of JavaScript eval() function, 431-32
Web pages
   applying .NET Framework roles, 200
   myriad ways to represent characters, 378-81
Web servers
   applying IP restriction, 202-3, 205
   changing version header, 667
   defacing, 210
Web services
   applying .NET Framework roles, 200
   privacy specifications, 651
Web sites
   canonical Web-based issues, 373-81
   cross-site scripting error problem, 346, 413-21
   file upload example, 347-50
   privacy policy statements, 651-52, 654
WebClient class, 590, 591-92
web.config files, security issues, 535, 555
WideCharToMultiByte function, 154, 440, 444, 445-47, 619-20
WinCrypt.h file, 262
window sizes, 463
Windows 95
   deriving keys using system hardware data, 316-20
   protecting secret data, 315-20
Windows 98
   deriving keys using system hardware data, 316-20
   protecting secret data, 315-20
Windows 2000
   creating ACLs in, 185-89
   protecting secret data, 305-11
   Security Configuration Editor, 627
   security templates, 607-9
   user principal names, 394, 395
   vs. Windows NT, 320-21
Windows 2000 test site, 6
Windows applications
   finding privileged APIs used by, 224-26
   finding resources used by, 224
Windows authentication, 112
Windows CE
   deriving keys using system hardware data, 316-20
   protecting secret data, 315-20
Windows Event Viewer, 252-53
Windows Help files, 418, 420
Windows Installer, 638-40
Windows Me
   deriving keys using system hardware data, 316-20
   protecting secret data, 315-20
Windows Media Player, 658-59
Windows National Language Support (NLS), 440
Windows .NET Server 2003
   low-privilege service accounts, 245, 248-50
   SeImpersonatePrivilege and, 250-51
Windows NT
   creating ACLs in, 181-85
   protecting secret data, 311-15
   Security Configuration Editor, 627
   vs. Windows 2000, 320-21
Windows operating system
   accommodating differences in versions, 320-21
   common canonical filename mistakes, 367-73
   MS-DOS device name vulnerability, 365
   role of services, 664-65
Windows Security Push, 26, 28, 128
Windows Sockets 2.0. See Winsock
windows styles, 717-18
Windows XP
   client credentials, 309-11
   local service account, 248, 249
   local system account, 248, 249
   low-privilege service accounts, 248-50
   network service account, 248, 249
   object ownership, 217
   protecting secret data, 305-11
   Security Configuration Editor, 627
   security templates, 607-9
   Software Restriction Policies, 241-43
   Stored User Names And Passwords, 309-11
WinExec function, 675-77, 717
Winsock, 464
wireless data, identifying as part of security testing process, 570
words vs. bytes, 442
World Wide Web, as hostile environment, 4, 5-7
worms, 208
WOWAccess.cpp file, 212-14
writable data segments, 677-78
WSAAccept function, 467, 470
wscanf function, 715
WSD (w00w00 Security Development), 138
Wysopal, Chris, 457

X
X.509 certificates, 112-13
XCOPY, 329
XFree86, 682
Xing Technologies, 273
XML (Extensible Markup Language)
   privacy policy statement, 654-55
   security testing the code handling payloads, 600-602
XML data, mutating, 583-84
XOR operator, 282, 287, 289, 337
XSLT (XSL Transformation), 560
XSS. See cross-site scripting

Z
ZeroMemory function, 322, 323, 324, 325
zones, security
   Internet Explorer and, 419-20
   mark of the Web and, 425-26
   My Computer zone, 419
   overview, 420



Last Updated: November 14, 2002