Special Offers

Writing Secure Code
Author Michael Howard and David LeBlanc
Pages 512
Disk 1 Companion CD(s)
Level Intermediate
Published 11/13/2001
ISBN 9780735615885
ISBN-10 0-7356-1588-8
Price(USD) $39.99
To see this book's discounted price, select a reseller below.

More Information

About the Book
Table of Contents
Sample Chapter
Related Series
Related Books
About the Author

Support: Book & CD

Rate this book
Barnes Noble Amazon Quantum Books


Table of Contents

1   The Need for Secure Systems3
    Applications on the Wild Wild Web5
    Getting Everyone's Head in the Game7
        Using Tact to Sell Security to the Organization7
        Using Subversion11
    Some Ideas for Instilling a Security Culture13
        Get the Boss to Send an E-Mail13
        Nominate a Security Evangelist14
2   Designing Secure Systems19
    Two Common Security Mistakes19
        Why These Mistakes Are Made21
    Security Principles to Live By22
        Establish a Security Process23
        Define the Product Security Goals23
        Consider Security as a Product Feature24
        Learn from Mistakes25
        Use Least Privilege27
        Use Defense in Depth28
        Assume External Systems Are Insecure29
        Plan on Failure29
        Fail to a Secure Mode29
        Employ Secure Defaults31
        Remember That Security Features != Secure Features33
        Never Depend on Security Through Obscurity34
        Three Final Points34
    Security Design by Threat Modeling35
        Brainstorm the Known Threats to the System36
        Rank the Threats by Decreasing Risk43
        Choose How to Respond to the Threats44
        Choose Techniques to Mitigate the Threats45
    Security Techniques46
        Tamper-Resistant and Privacy-Enhanced Technologies52
        Protect Secrets, or Better Yet, Don't Store Secrets53
        Encryption, Hashes, MACs, and Digital Signatures53
        Filtering, Throttling, and Quality of Service54
        Least Privilege54
    Back to the Example Payroll Application54
    A Cornucopia of Threats and Solutions57
3   Public Enemy #1: The Buffer Overrun 63
    Static Buffer Overruns 64
    Heap Overruns 70
    Array Indexing Errors 75
    Format String Bugs 78
    Unicode and ANSI Buffer Size Mismatches 78
        A Real Unicode Bug Example 79
    Preventing Buffer Overruns 80
        Safe String Handling 81
    Good News on the Horizon! 88
4   Determining Good Access Control89
    Why ACLs Are Important89
        A Diversion: Fixing the Registry Code91
    What Makes Up an ACL?93
    A Method of Choosing Good ACLs 95
        Effective Deny ACEs 98
    Creating ACLs 99
        Creating ACLs in Windows NT 4 99
        Creating ACLs in Windows 2000 103
        Creating ACLs with Active Template Library 106
    NULL DACLs and Other Dangerous ACE Types 108
        NULL DACLs and Auditing 110
        Dangerous ACE Types 110
        What If I Can't Change the NULL DACL? 111
    Other Access Control Mechanisms 112
        IP Restrictions 112
        COM+ Roles 113
        SQL Server Triggers and Permissions 114
        A Medical Example 114
        An Important Note About Access Control Mechanisms 116
5   Running with Least Privilege119
    Least Privilege in the Real World 120
        Viruses and Trojans 120
        Web Server Defacements 121
    Brief Overview of Access Control 122
    Brief Overview of Privileges 122
        SeBackupPrivilege Issues123
        SeDebugPrivilege Issues126
        SeTcbPrivilege Issues126
        SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege Issues127
    Brief Overview of Tokens 127
    How Tokens, Privileges, SIDs, ACLs, and Processes Relate 128
        SIDs and Access Checks, Privileges and Privilege Checks 129
    A Process for Determining Appropriate Privilege 129
        Step 1: Find Resources Used by the Application 130
        Step 2: Find Privileged APIs Used by the Application 130
        Step 3: Which Account Is Required? 131
        Step 4: Get the Token Contents 132
        Step 5: Are All the SIDs and Privileges Required? 138
        Step 6: Adjust the Token 139
        When to Use Restricted Tokens 143
    Low-Privilege Service Accounts in Windows XP and Windows .NET Server 149
    Debugging Least-Privilege Issues 151
        Why Applications Fail as a Normal User 152
        How to Determine Why Applications Fail 153
6   Cryptographic Foibles 159
    Using Poor Random Numbers 159
        The Problem: rand 160
        A Remedy: CryptGenRandom 162
    Using Passwords to Derive Cryptographic Keys 165
        Measuring the Effective Bit Size of a Password 166
    Poor Key Management 168
        Keep Keys Close to the Source 169
    Rolling Your Own Cryptographic Functions 172
    Using the Same Stream-Cipher Encryption Key 175
        Why People Use Stream Ciphers 175
        The Pitfalls of Stream Ciphers 176
        What If You Must Use the Same Key? 179
    Bit-Flipping Attacks Against Stream Ciphers 181
        Solving Bit-Flipping Attacks 181
        When to Use a Hash, Keyed Hash, or Digital Signature 182
    Reusing a Buffer for Plaintext and Ciphertext 187
7   Storing Secrets189
    Attack Methods189
    Sometimes You Don't Need to Store a Secret190
        Creating a Salted Hash191
    Getting the Secret from the User192
    Storing Secrets in Windows 2000 and Windows XP192
        A Special Case: Client Credentials in Windows XP195
    Storing Secrets in Windows NT 4197
    Storing Secrets in Windows 95, Windows 98, Windows Me, and Windows CE201
    Raising the Security Bar202
        Storing the Data in a File on a FAT File System202
        Using an Embedded Key and XOR to Encode the Data202
        Using an Embedded Key and 3DES to Encrypt the Data203
        Using 3DES to Encrypt the Data and Storing a Password in the Registry203
        Using 3DES to Encrypt the Data and Storing a Strong Key in the Registry203
        Using 3DES to Encrypt the Data, Storing a Strong Key in the Registry, and ACLing the File and the Registry Key203
    An Idea: Using External Devices to Encrypt Secret Data203
        A Sample Scenario Using PPCKey204
        A PPCKey Threat Model206
8   Canonical Representation Issues 211
    What Does Canonical Mean, and Why Is It a Problem? 212
    A Bit of History 212
        Bypassing AOL Parental Controls 212
        Bypassing Napster Name Filtering 212
        Bypassing eEye's Security Checks 213
        Vulnerability in Apple Mac OS X and Apache 214
        Zones and the Internet Explorer 4 "Dotless-IP Address" Bug 214
        Internet Information Server 4.0 ::$DATA Vulnerability 215
        DOS Device Names Vulnerability 217
        Sun Microsystems StarOffice /tmp Directory Symbolic-Link Vulnerability 217
    Common Windows Canonicalization Mistakes 219
        8.3 Representation of Long Filenames 219
        NTFS Alternate Data Streams 220
        Trailing Characters 221
        \\?\ Format 222
        Directory Traversal and Using Parent Paths (..) 222
        Absolute vs. Relative Filenames 223
        Case-Insensitive Filenames 223
        Device Names and Reserved Names 223
        UNC Shares 224
    Preventing Canonicalization Mistakes 225
        Don't Make Decisions Based on Names 225
        Use a Regular Expression to Restrict What's Allowed in a Name 225
        Attempt to Canonicalize the Name 229
    A Final Thought: Non-File-Based Canonicalization Issues 233
        Server Names 233
        Usernames 234
9   Socket Security 239
    Avoiding Server Hijacking 239
    Choosing Server Interfaces 246
    Accepting Connections 247
    Writing Firewall-Friendly Applications 252
        Use One Connection to Do the Job 253
        Don't Require the Server to Connect Back to the Client 253
        Use Connection-Based Protocols 253
        Don't Multiplex Your Application over Another Protocol 254
        Don't Embed Host IP Addresses in Application-Layer Data 254
        Make Your Application Configurable 254
    Spoofing and Host-Based and Port-Based Trust 255
10   Securing RPC, ActiveX Controls, and DCOM 257
    An RPC Primer 258
        What Is RPC? 258
        Creating RPC Applications 259
        How RPC Applications Communicate 260
    Secure RPC Best Practices 262
        Use the /robust MIDL Switch 262
        Use the [range] Attribute 263
        Require Authenticated Connections 263
        Use Packet Privacy and Integrity 269
        Use Strict Context Handles 270
        Don't Rely on Context Handles for Access Checks 271
        Be Wary of NULL Context Handles 272
        Don't Trust Your Peer 274
        Use Security Callbacks 274
        Implications of Multiple RPC Servers in a Single Process 276
        Consider Adding an Annotation for Your Endpoint 277
        Use Mainstream Protocols 278
    Secure DCOM Best Practices 278
        DCOM Basics 278
        Application-Level Security 280
        DCOM User Contexts 281
        Programmatic Security 283
        Sources and Sinks 287
    An ActiveX Primer 287
    Secure ActiveX Best Practices 288
        What ActiveX Components Are Safe for Initialization and Safe for Scripting? 288
        Best Practices for Safe for Initialization and Scripting 289
11   Protecting Against Denial of Service Attacks 293
    Application Failure Attacks 293
    CPU Starvation Attacks 297
    Memory Starvation Attacks 303
    Resource Starvation Attacks 304
    Network Bandwidth Attacks 305
12   Securing Web-Based Services 307
    Never Trust User Input! 308
        User Input Vulnerabilities 309
        User Input Remedies 315
    Web-Specific Canonicalization Bugs 322
        7-Bit and 8-Bit ASCII 323
        Hexadecimal Escape Codes 323
        UTF-8 Variable-Width Encoding 323
        UCS-2 Unicode Encoding 325
        Double Encoding 326
        HTML Escape Codes 326
        Web-Based Canonicalization Remedies 326
    Other Web-Based Security Topics 330
        HTTP Trust Issues 330
        ISAPI Applications and Filters 332
        Don't Store Secrets in Web Pages 334
        Do You Really Need to Use sa? Probably Not! 338
13   Writing Secure .NET Code 341
    Buffer Overruns and the Common Language Runtime 342
        Adding Your Own Security Error Handler 345
        A Dose of Reality 346
    Storing Secrets in .NET 346
    Always Demand Appropriate Permissions 351
    Overzealous Use of Assert 352
    Further Information Regarding Demand and Assert 354
    Don't Be Afraid to Refuse Permissions 355
    Validate Data from Untrusted Sources 356
    Be Thread-Aware in ASP.NET 357
    Disable Tracing and Debugging Before Deploying ASP.NET Applications 357
    Generating Good Random Numbers by Using the .NET Framework 358
    Deserializing Data from Untrusted Sources 359
    Don't Tell the Attacker Too Much When You Fail 360
    SOAP Ponderings 361
    Some Final Thoughts 362
14   Testing Secure Applications363
    The Role of the Security Tester363
    Security Testing Is Different364
    Getting Started365
    Building the Security Test Plan366
        Decompose the Application367
        Identify Component Interfaces368
        Rank Interfaces by Their Relative Vulnerability369
        Ascertain Data Used by Each Interface370
        Find Security Problems by Injecting Faulty Data370
        Before Testing381
        Building Tools to Find Flaws381
    Testing Clients with Rogue Servers395
    Should a User See or Modify That Data?395
    Testing with Security Templates396
    Test Code Should Be of Great Quality397
    Test the End-to-End Solution398
    Slightly Off-Topic: Code Reviews398
15   Secure Software Installation 399
    Principle of Least Privilege 400
    Using the Security Configuration Editor 401
    Low-Level Security APIs 409
16   General Good Practices 411
    Protecting Customer Privacy 411
        Types of Collected User Data 412
        Collecting User Data 413
    Don't Tell the Attacker Anything 414
    Double-Check Your Error Paths 414
    Keep It Turned Off! 415
    Kernel-Mode Mistakes 415
        Using User-Mode Memory 415
        Accessing Privileged Interfaces Through Unprotected IOCTLs 416
    Consider Adding Security Comments to Code 416
    Leverage the Operating System 416
    Don't Rely on Users Making Good Decisions 417
    Calling CreateProcess Securely 417
        Do Not Pass NULL for lpApplicationName 419
        Use Quotes Around the Path to Executable in lpCommandLine 419
    Don't Create Shared/Writable Segments 419
    Using Impersonation Functions Correctly 420
    Don't Write User Files to \Program Files 420
    Don't Write User Data to HKLM 421
    Don't Open Objects for FULL_CONTROL or ALL_ACCESS 421
    Object Creation Mistakes 421
    Creating Temporary Files Securely 423
    Client-Side Security Is an Oxymoron 427
    Samples Are Templates 427
    Dogfood Your Stuff! 427
    You Owe It to Your Users If. 428
    Determining Access Based on an Administrator SID 428
    Allow Long Passwords 430
A   Dangerous APIs433
B   The Ten Immutable Laws of Security437
C   The Ten Immutable Laws of Security Administration445
D   Lame Excuses We've Heard453
A Final Thought459
Annotated Bibliography461

Last Updated: November 14, 2001
Top of Page