Security Engineering 1

Agenda Today Types of Security Problems Integrating Security into Software Process Security Toolbag

Types of Security Problems

Integrating Security into Software Process

Security Toolbag

Threats and Vulnerabilities Two major categories of computer security risks are: Threats Threats are a person, thing, or event which will compromise the system All systems have potential threats Some examples of threats are: Natural and Physical – These imperil the physical plant and the state of the actual equipment Unintentional – These are the dangers brought on by ignorance Intentional – These are malicious attacks against a system

Two major categories of computer security risks are:

Threats

Threats are a person, thing, or event which will compromise the system

All systems have potential threats

Some examples of threats are:

Natural and Physical – These imperil the physical plant and the state of the actual equipment

Unintentional – These are the dangers brought on by ignorance

Intentional – These are malicious attacks against a system

Threats and Vulnerabilities (Continued) Vulnerabilities Vulnerabilities are perceived threats If they were exploited, the system would no longer be reliable The more vulnerabilities can be perceived, the more threats can be determined Every system is vulnerable to attack Some examples of vulnerabilities are Physical & Natural – Natural disasters and environmental threats can adversely impact a facility and its IT resources Hardware & Software – IT resources can start malfunctioning Media – Disks, tapes, printouts, etc. can be stolen or damaged Network – Machines can be remotely breached Human – Users can make errors which will put data in jeopardy

Vulnerabilities

Vulnerabilities are perceived threats

If they were exploited, the system would no longer be reliable

The more vulnerabilities can be perceived, the more threats can be determined

Every system is vulnerable to attack

Some examples of vulnerabilities are

Physical & Natural – Natural disasters and environmental threats can adversely impact a facility and its IT resources

Hardware & Software – IT resources can start malfunctioning

Media – Disks, tapes, printouts, etc. can be stolen or damaged

Network – Machines can be remotely breached

Human – Users can make errors which will put data in jeopardy

Malicious Logic Trojan Horse Virus Worms Rabbits (Bacteria) Logic Bomb

Trojan Horse

Virus

Worms

Rabbits (Bacteria)

Logic Bomb

Example Shell script on a UNIX system: cp /bin/sh /tmp/.xyzzy chmod u+s,o+x /tmp/.xyzzy rm ./ls ls $* Place in program called “ls” and trick someone into executing it You now have a setuid-to- them shell!

Shell script on a UNIX system:

cp /bin/sh /tmp/.xyzzy

chmod u+s,o+x /tmp/.xyzzy

rm ./ls

ls $*

Place in program called “ls” and trick someone into executing it

You now have a setuid-to- them shell!

Trojan Horse Program with an overt purpose (known to user) and a covert purpose (unknown to user) Often called a Trojan Example: previous script is Trojan horse Overt purpose: list files in directory Covert purpose: create setuid shell

Program with an overt purpose (known to user) and a covert purpose (unknown to user)

Often called a Trojan

Example: previous script is Trojan horse

Overt purpose: list files in directory

Covert purpose: create setuid shell

Example: NetBus Designed for Windows NT system Victim uploads and installs this Usually disguised as a game program, or in one Acts as a server, accepting and executing commands for remote administrator This includes intercepting keystrokes and mouse motions and sending them to attacker Also allows attacker to upload, download files

Designed for Windows NT system

Victim uploads and installs this

Usually disguised as a game program, or in one

Acts as a server, accepting and executing commands for remote administrator

This includes intercepting keystrokes and mouse motions and sending them to attacker

Also allows attacker to upload, download files

Replicating Trojan Horse Trojan horse that makes copies of itself Also called propagating Trojan horse Early version of animal game used this to delete copies of itself Hard to detect 1976: Karger and Schell suggested modifying compiler to include Trojan horse that copied itself into specific programs including later version of the compiler 1980s: Thompson implements this

Trojan horse that makes copies of itself

Also called propagating Trojan horse

Early version of animal game used this to delete copies of itself

Hard to detect

1976: Karger and Schell suggested modifying compiler to include Trojan horse that copied itself into specific programs including later version of the compiler

1980s: Thompson implements this

Viruses designed to replicate themselves removable storage media, email, file transfer intended to cause damage need a host program attach to and modify host execute as part of host virus detection check program length (virus can hide or compress program) check for virus “signature” (viruses use encryption)

designed to replicate themselves

removable storage media, email, file transfer

intended to cause damage

need a host program

attach to and modify host

execute as part of host

virus detection

check program length (virus can hide or compress program)

check for virus “signature” (viruses use encryption)

First Reports Brain (Pakistani) virus (1986) Written for IBM PCs Alters boot sectors of floppies, spreads to other floppies MacMag Peace virus (1987) Written for Macintosh Prints “universal message of peace” on March 2, 1988 and deletes itself

Brain (Pakistani) virus (1986)

Written for IBM PCs

Alters boot sectors of floppies, spreads to other floppies

MacMag Peace virus (1987)

Written for Macintosh

Prints “universal message of peace” on March 2, 1988 and deletes itself

Types of Viruses Boot sector infectors Executable infectors Multipartite viruses TSR viruses Stealth viruses Encrypted viruses Polymorphic viruses Macro viruses

Boot sector infectors

Executable infectors

Multipartite viruses

TSR viruses

Stealth viruses

Encrypted viruses

Polymorphic viruses

Macro viruses

Boot Sector Infectors A virus that inserts itself into the boot sector of a disk Section of disk containing code Executed when system first “sees” the disk Including at boot time … Example: Brain virus Moves disk interrupt vector from 13H to 6DH Sets new interrupt vector to invoke Brain virus When new floppy seen, check for 1234H at location 4 If not there, copies itself onto disk after saving original boot block

A virus that inserts itself into the boot sector of a disk

Section of disk containing code

Executed when system first “sees” the disk

Including at boot time …

Example: Brain virus

Moves disk interrupt vector from 13H to 6DH

Sets new interrupt vector to invoke Brain virus

When new floppy seen, check for 1234H at location 4

If not there, copies itself onto disk after saving original boot block

Executable Infectors A virus that infects executable programs Can infect either .EXE or .COM on PCs May prepend itself (as shown) or put itself anywhere, fixing up binary so it is executed at some point

A virus that infects executable programs

Can infect either .EXE or .COM on PCs

May prepend itself (as shown) or put itself anywhere, fixing up binary so it is executed at some point

Multipartite Viruses A virus that can infect either boot sectors or executables Typically, two parts One part boot sector infector Other part executable infector

A virus that can infect either boot sectors or executables

Typically, two parts

One part boot sector infector

Other part executable infector

TSR Viruses A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed TSR is “Terminate and Stay Resident” Examples: Brain, Jerusalem viruses Stay in memory after program or disk mount is completed

A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed

TSR is “Terminate and Stay Resident”

Examples: Brain, Jerusalem viruses

Stay in memory after program or disk mount is completed

Stealth Viruses A virus that conceals infection of files Example: IDF virus modifies DOS service interrupt handler as follows: Request for file length: return length of uninfected file Request to open file: temporarily disinfect file, and reinfect on closing Request to load file for execution: load infected file

A virus that conceals infection of files

Example: IDF virus modifies DOS service interrupt handler as follows:

Request for file length: return length of uninfected file

Request to open file: temporarily disinfect file, and reinfect on closing

Request to load file for execution: load infected file

Encrypted Viruses A virus that is enciphered except for a small deciphering routine Detecting virus by signature now much harder as most of virus is enciphered

A virus that is enciphered except for a small deciphering routine

Detecting virus by signature now much harder as most of virus is enciphered

Polymorphic Viruses A virus that changes its form each time it inserts itself into another program Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine At instruction level: substitute instructions At algorithm level: different algorithms to achieve the same purpose Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)

A virus that changes its form each time it inserts itself into another program

Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine

At instruction level: substitute instructions

At algorithm level: different algorithms to achieve the same purpose

Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)

Example These are different instructions (with different bit patterns) but have the same effect: add 0 to register subtract 0 from register xor 0 with register no-op Polymorphic virus would pick randomly from among these instructions

These are different instructions (with different bit patterns) but have the same effect:

add 0 to register

subtract 0 from register

xor 0 with register

no-op

Polymorphic virus would pick randomly from among these instructions

Macro Viruses A virus composed of a sequence of instructions that are interpreted rather than executed directly Can infect either executables (Duff’s shell virus) or data files (Highland’s Lotus 1-2-3 spreadsheet virus) Independent of machine architecture But their effects may be machine dependent

A virus composed of a sequence of instructions that are interpreted rather than executed directly

Can infect either executables (Duff’s shell virus) or data files (Highland’s Lotus 1-2-3 spreadsheet virus)

Independent of machine architecture

But their effects may be machine dependent

Example Melissa Infected Microsoft Word 97 and Word 98 documents Windows and Macintosh systems Invoked when program opens infected file Installs itself as “open” macro and copies itself into Normal template This way, infects any files that are opened in future Invokes mail program, sends itself to everyone in user’s address book

Melissa

Infected Microsoft Word 97 and Word 98 documents

Windows and Macintosh systems

Invoked when program opens infected file

Installs itself as “open” macro and copies itself into Normal template

This way, infects any files that are opened in future

Invokes mail program, sends itself to everyone in user’s address book

Computer Worms A program that copies itself from one computer to another Origins: distributed computations Schoch and Hupp: animations, broadcast messages Segment: part of program copied onto workstation Segment processes data, communicates with worm’s controller Any activity on workstation caused segment to shut down

A program that copies itself from one computer to another

Origins: distributed computations

Schoch and Hupp: animations, broadcast messages

Segment: part of program copied onto workstation

Segment processes data, communicates with worm’s controller

Any activity on workstation caused segment to shut down

Example: Internet Worm of 1988 Targeted Berkeley, Sun UNIX systems Used virus-like attack to inject instructions into running program and run them To recover, had to disconnect system from Internet and reboot To prevent re-infection, several critical programs had to be patched, recompiled, and reinstalled Analysts had to disassemble it to uncover function Disabled several thousand systems in 6 or so hours

Targeted Berkeley, Sun UNIX systems

Used virus-like attack to inject instructions into running program and run them

To recover, had to disconnect system from Internet and reboot

To prevent re-infection, several critical programs had to be patched, recompiled, and reinstalled

Analysts had to disassemble it to uncover function

Disabled several thousand systems in 6 or so hours

Rabbits, Bacteria A program that absorbs all of some class of resources Example: for UNIX system, shell commands: while true do mkdir x chdir x done Exhausts either disk space or file allocation table (inode) space

A program that absorbs all of some class of resources

Example: for UNIX system, shell commands:

while true

do

mkdir x

chdir x

done

Exhausts either disk space or file allocation table (inode) space

Logic Bombs A program that performs an action that violates the site security policy when some external event occurs Example: program that deletes company’s payroll records when one particular record is deleted The “particular record” is usually that of the person writing the logic bomb Idea is if (when) he or she is fired, and the payroll record deleted, the company loses all those records

A program that performs an action that violates the site security policy when some external event occurs

Example: program that deletes company’s payroll records when one particular record is deleted

The “particular record” is usually that of the person writing the logic bomb

Idea is if (when) he or she is fired, and the payroll record deleted, the company loses all those records

Buffer overflow The most important avenue for vulnerabilities Good programming practice: always verify that the input you receive from uncontrolled source conforms to expected format

The most important avenue for vulnerabilities

Good programming practice: always verify that the input you receive from uncontrolled source conforms to expected format

Normal Stack State

Modified Stack State

Authentication Four classic ways to authenticate: something you know (passwords) something you have (smartcard) something you are (fingerprint) something you do (usage signature) None of these is perfect

Four classic ways to authenticate:

something you know (passwords)

something you have (smartcard)

something you are (fingerprint)

something you do (usage signature)

None of these is perfect

Identity theft Fastest rising crime in the US FBI won’t help unless losses above $100,000. Someone can steal an identity with just a social security number!!!

Fastest rising crime in the US

FBI won’t help unless losses above $100,000.

Someone can steal an identity with just a social security number!!!

Passwords Account - person using the system Username - Identity of account (public) limited characters, alphanumeric & special characters typically related to real name of user (not always), certain names reserved unique on system fixed at account creation Passwords – Verification of identity (private) Less limited length and characters Fixed until changed Non-unique passwords – (both users have bad password)

Account - person using the system

Username - Identity of account (public)

limited characters, alphanumeric & special characters

typically related to real name of user (not always), certain names reserved

unique on system

fixed at account creation

Passwords – Verification of identity (private)

Less limited length and characters

Fixed until changed

Non-unique passwords – (both users have bad password)

Password Security Password security depends on ONLY you knowing the password Secure selection Secure handling Secure storage

Password security depends on ONLY you knowing the password

Secure selection

Secure handling

Secure storage

Password Attacks Easy to Hard Given password Grab password Generate password Guess password

Easy to Hard

Given password

Grab password

Generate password

Guess password

Denial of Service Attack (DoS) Attempts to "flood" a network, thereby preventing legitimate network traffic;

Attempts to "flood" a network, thereby preventing legitimate network traffic;

Remote Execution remote execution upload and start code on remote machine mobile agent: may migrate among machines unlike worm, relies on legitimate servers for migration

remote execution

upload and start code on remote machine

mobile agent: may migrate among machines

unlike worm, relies on legitimate servers for migration

Eavesdropping Reads plain text communicated through a channel.

Reads plain text communicated through a channel.

Identity Spoofing (IP Address Spoofing) Packets appears to be generated by a valid IP address but they are actually generated by a hacker.

Packets appears to be generated by a valid IP address but they are actually generated by a hacker.

Social Engineering Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records.

Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your records.

Problem Sources Requirements definitions, omissions, and mistakes System design flaws Hardware implementation flaws, such as wiring and chip flaws Software implementation errors, program bugs, and compiler bugs System use and operation errors and inadvertent mistakes Willful system misuse Hardware, communication, or other equipment malfunction Environmental problems and natural causes. Evolution, maintenance, faulty upgrades, and decommissions

Requirements definitions, omissions, and mistakes

System design flaws

Hardware implementation flaws, such as wiring and chip flaws

Software implementation errors, program bugs, and compiler bugs

System use and operation errors and inadvertent mistakes

Willful system misuse

Hardware, communication, or other equipment malfunction

Environmental problems and natural causes.

Evolution, maintenance, faulty upgrades, and decommissions

Security Defects We live in an age with constant threat of security breaches Holes in web software Flaws in server software Security defects very easy to make Blaster worm defect only two lines long One line error can be catastrophic Here we look at 19 common security defects (sins of security)

We live in an age with constant threat of security breaches

Holes in web software

Flaws in server software

Security defects very easy to make

Blaster worm defect only two lines long

One line error can be catastrophic

Here we look at 19 common security defects (sins of security)

Sin 1 : Buffer Overruns You’ve heard this one many times… Occurs when a program allows input to write beyond the end of the allocated buffer Program might crash or allow attacker to gain control Still possible in languages like C#, Java since they use libraries written in C/C++ but more unlikely

You’ve heard this one many times…

Occurs when a program allows input to write beyond the end of the allocated buffer

Program might crash or allow attacker to gain control

Still possible in languages like C#, Java since they use libraries written in C/C++ but more unlikely

Spotting Buffer Overflows Look for input read from the network, a file, the user interface, or the command line Transfer of data from input to internal structures Use of unsafe string handling calls Use of arithmetic to calculate an allocation size or remaining buffer size

Look for input read from the network, a file, the user interface, or the command line

Transfer of data from input to internal structures

Use of unsafe string handling calls

Use of arithmetic to calculate an allocation size or remaining buffer size

Sin 2 : Format String Problems A C/C++ type of problem First mentioned June 23, 2000 Pretty simple, what could go wrong? void main(int argc, char * argv[]) { printf(argv[1]); }

A C/C++ type of problem

First mentioned June 23, 2000

Pretty simple, what could go wrong?

Format String What if the program is invoked as : bug.exe “%x %x” Output something like: 12FFC0 4011E5 The %x specifier reads the stack 4 bytes at a time and outputs them Leaks important info to the attacker

What if the program is invoked as :

bug.exe “%x %x”

Output something like:

Format String Another obscure format string: %n unsigned int bytes; printf(“%s%n
”, argv[1], &bytes); printf(“Input is %d characters long.
”, bytes); Usage: bug.exe “Hello“ Hello Input is 5 characters long The %n specifier writes 4 bytes at a time based on the length of the previous argument Carefully crafted, allows an attacker to place own data into the stack

Another obscure format string: %n

Sin 3 : Integer Overflows When an unsigned integer gets too big for the number of bits allocated, it overflows back to 0 For signed integers, positive numbers suddenly become negative numbers “ Obvious” errors where integers are multiplied/added/etc. and overflow Result can be very bad and unpredictable behavior if relational operators suddenly behave the opposite of how they are supposed to Also many less obvious errors

When an unsigned integer gets too big for the number of bits allocated, it overflows back to 0

For signed integers, positive numbers suddenly become negative numbers

“ Obvious” errors where integers are multiplied/added/etc. and overflow

Result can be very bad and unpredictable behavior if relational operators suddenly behave the opposite of how they are supposed to

Also many less obvious errors

Casting Implicit type casting is a frequent cause of integer overflows Most languages require the same types to be compared so an up-cast is done const long MAX_LEN = 0x7FFF; short len = strlen(input); if (len < MAX_LEN) { // Do stuff } If a short is 2 bytes and input > 32767, then len becomes a negative number

Implicit type casting is a frequent cause of integer overflows

Most languages require the same types to be compared so an up-cast is done

Casting Signed int to Larger signed int Smaller value is sign-extended 0x7F to an int becomes 0x0000007F 0x80 to an int becomes 0xFFFFFF80 Signed int to Larger unsigned int Positive numbers behave as expected Negatives unexpected (char) -1 becomes 0xFFFFFFFFF or 4,294,967,295

Signed int to Larger signed int

Smaller value is sign-extended

0x7F to an int becomes 0x0000007F

0x80 to an int becomes 0xFFFFFF80

Signed int to Larger unsigned int

Positive numbers behave as expected

Negatives unexpected

(char) -1 becomes 0xFFFFFFFFF or 4,294,967,295

Overflow Problem Problem here to detect whether two unsigned 16-bit numbers would overflow when added? bool IsValidAddition(unsigned short x, unsigned short y) { if (x + y < x) return false; return true; }

Problem here to detect whether two unsigned 16-bit numbers would overflow when added?

Overflow Problem in C#? Following code throws a compiler error, how would you fix it? byte a, b; a = 255; b = 1; byte c = (a + b); ERROR: Cannot implicitly convert type ‘int’ to ‘byte’

Following code throws a compiler error, how would you fix it?

Spotting the Overflow Sin Anything doing arithmetic Especially if input provided by the user Focus especially on array index calculations Redemption Use size_t type in C/C++ Use unsigned integers if appropriate, easier to verify Avoid “clever” code in favor of straightforward code

Anything doing arithmetic

Especially if input provided by the user

Focus especially on array index calculations

Redemption

Use size_t type in C/C++

Use unsigned integers if appropriate, easier to verify

Avoid “clever” code in favor of straightforward code

Sin 4 : SQL Injection How do bad guys get credit card numbers from sites? Break into server using exploit like buffer overrun Go through open port with sysadmin password SQL injection attacks

How do bad guys get credit card numbers from sites?

Break into server using exploit like buffer overrun

Go through open port with sysadmin password

SQL injection attacks

SQL Injection Example PHP code $id = $_REQUEST[“id”]; $pass = $_REQUEST[“password”]; $qry = “SELECT ccnum FROM cust WHERE id = $id AND pass=$pass”;

PHP code

SQL Injection Example PHP code $id = $_REQUEST[“id”]; $pass = $_REQUEST[“password”]; $qry = “SELECT ccnum FROM cust WHERE id = ‘$id’ AND pass=‘$pass’”; User inputs id of user to attack For password, enters: ‘ OR 1=1 – -- is the comment operator, to ignore whatever comes afterwards

PHP code

Spotting the Sin Takes user input Does not check user input for validity Uses user input data to query a database Uses string concatenation or string replacement to build the SQL query or uses the SQL Exec command

Takes user input

Does not check user input for validity

Uses user input data to query a database

Uses string concatenation or string replacement to build the SQL query or uses the SQL Exec command

Sin 5 : Command Injection In 1994, one could get a root shell on an SGI computer running IRIX by sending the following to a printer: FRED; xterm& Code: char buf[1024]; snprintf(buf, “system lpr –P %s”, user_input, sizeof(buf) -1); system(buf);

In 1994, one could get a root shell on an SGI computer running IRIX by sending the following to a printer:

FRED; xterm&

Code:

char buf[1024];

snprintf(buf, “system lpr –P %s”, user_input, sizeof(buf) -1);

system(buf);

Spotting the Sin Look for calls to system(), exec() Java too: Class.forName(String name); Dynamically load and run Java code Runtime.exec() Redemption Check the data to make sure it is ok

Look for calls to system(), exec()

Java too:

Class.forName(String name);

Dynamically load and run Java code

Runtime.exec()

Redemption

Check the data to make sure it is ok

Sin 6 : Failing to Handle Errors Not properly handling errors. May result into inadvertent access to the system by the hacker.

Not properly handling errors.

May result into inadvertent access to the system by the hacker.

Sin 7 : Cross Site Scripting Somewhat misnamed, as crossing sites is not always necessary to exploit this bug Sin is straightforward: Web app takes input from a user Input is stored or echoed back to the user That’s it

Somewhat misnamed, as crossing sites is not always necessary to exploit this bug

Sin is straightforward:

Web app takes input from a user

Input is stored or echoed back to the user

That’s it

PHP Example <?php if($_SERVER['REQUEST_METHOD'] != &quot;POST&quot;) { header(&quot;Content-Type: text/html&quot;); print(&quot;<HTML><HEAD><TITLE>My Page</TITLE>&quot;); print(&quot;</HEAD>&quot;); print(&quot;<BODY>&quot;); print(&quot;<FORM method=post action='cssSin.php'>&quot;); print(&quot;Enter your comment.<p>&quot;); print(&quot;<INPUT type=text name='comment'>&quot;); print(&quot;<INPUT type=submit value='Submit'>&quot;); print(&quot;</FORM>&quot;); print(&quot;<HR>&quot;); print(&quot;<B>Here is the comment log:</B><p>&quot;);

PHP Example $f = fopen(&quot;c:\comments.txt&quot;,&quot;r&quot;); print(&quot;<UL>&quot;); while (!feof($f)) { $line = fgets($f,2000); print(&quot;<li>&quot; . $line . &quot;</LI>&quot;); } fclose($f); print(&quot;</UL>&quot;); } else { $comment = $_REQUEST['comment']; $f = fopen(&quot;c:\comments.txt&quot;, &quot;a&quot;); fprintf($f, &quot;
&quot; . $comment); fclose($f); print(&quot;Thank you, your comment has been saved.&quot;); } ?>

CSS Problem Malicious user can inject script code that is then executed when another user views that page Even if the input is merely echoed, a malicious user might: Lure victim to their page Get victim to click on a link which refers victim to the vulnerable site with the CSS bug Script code is run under domain of the server and could get cookies or modify any elements of the DOM like tweak all links to point to porn sites

Malicious user can inject script code that is then executed when another user views that page

Even if the input is merely echoed, a malicious user might:

Lure victim to their page

Get victim to click on a link which refers victim to the vulnerable site with the CSS bug

Script code is run under domain of the server and could get cookies or modify any elements of the DOM like tweak all links to point to porn sites

Spotting the Sin The web app takes input from a header, form, or query string App does not check the input for validity App echoes back data from a user into the browser Redemption Restrict input to valid input onl HTML encode the output ; &lt; &gt; etc.

The web app takes input from a header, form, or query string

App does not check the input for validity

App echoes back data from a user into the browser

Redemption

Restrict input to valid input onl

HTML encode the output ; &lt; &gt; etc.

Sin 8 : Failing to Protect Network Traffic Mostly skipping Network vulnerable to Eavesdropping Replay Spoofing Tampering Hijacking Use SSL / TLS for session security

Mostly skipping

Network vulnerable to

Eavesdropping

Replay

Spoofing

Tampering

Hijacking

Use SSL / TLS for session security

Sin 9 : Magic URLs and Hidden Form Fields Magic URLs: http://www.xyz.com/?val=1&q=foo&user=n58 http://www.xyz.com/?id=TKSJDARJ$J14$J== Hidden Form Fields to pass variables <form action = “ …” <input type=text name=“product”> <input type=hidden name=“price” value=“300”> </form>

Magic URLs:

http://www.xyz.com/?val=1&q=foo&user=n58

http://www.xyz.com/?id=TKSJDARJ$J14$J==

Hidden Form Fields to pass variables

<form action = “ …”

<input type=text name=“product”>

<input type=hidden name=“price” value=“300”>

</form>

Redemption Use SSL or store data on server side Session variables, encrypted

Use SSL or store data on server side

Session variables, encrypted

Sin 10 : Improper Use of SSL and TLS If server authentication not done properly, attacker can eavesdrop or modify conversations Especially vulnerable when key associated with certificate Feeling that site is impenetrable simply because it uses SSL Still can have overflow, SQL injection, etc…

If server authentication not done properly, attacker can eavesdrop or modify conversations

Especially vulnerable when key associated with certificate

Feeling that site is impenetrable simply because it uses SSL

Still can have overflow, SQL injection, etc…

Sin 11 : Use of Weak Passwords People hate passwords, it is a battle to force people to use strong passwords Consider password content policy Length, characters, reset frequency… Password storage? Storage in the clear is bad How to recover a lost password? Paris Hilton T-Mobile Sidekick phone hijack Broke into server side by getting username and asking for a password reset Challenge question: “What is the name of your favorite pet?”

People hate passwords, it is a battle to force people to use strong passwords

Consider password content policy

Length, characters, reset frequency…

Password storage?

Storage in the clear is bad

How to recover a lost password?

Paris Hilton T-Mobile Sidekick phone hijack

Broke into server side by getting username and asking for a password reset

Challenge question: “What is the name of your favorite pet?”

Guidelines for Password Resets Locking users out of accounts for too many bad password attempts may result in DoS Recommendations Limit number of attempts to reasonable number like 20/hour Slow down authentication process after certain number of bad attempts Make users provide multiple pieces of information to reset a password, might require “thing they have” like a ID card Use more obscure questions

Locking users out of accounts for too many bad password attempts may result in DoS

Recommendations

Limit number of attempts to reasonable number like 20/hour

Slow down authentication process after certain number of bad attempts

Make users provide multiple pieces of information to reset a password, might require “thing they have” like a ID card

Use more obscure questions

Tenex Bug TENEX Operating System pseudocode to validate: For i = 0 to len(typed_password) if i >= len(actual_password) fail; if typed_password[i] != actual_password[i] fail; if i < len(actual_password) fail; Success; Flaw: Attacker could put candidate password in memory overlapping page boundaries. First letter on one page, second letter on the next, if the first letter was correct there was a pause while the page for the second letter loaded

TENEX Operating System pseudocode to validate:

Sin 12 : Failing to Store and Protect Data Securely Unix: tendency to give permissions to all Windows: Access Control Lists can be mind boggling as which objects to consider what can be controlled Don’t take the easy way out and give out too many permissions Don’t embed secret data in code E.g. passwords Use DPAPI or KeyChain or at least store passwords somewhere not hard-coded in the app

Unix: tendency to give permissions to all

Windows: Access Control Lists can be mind boggling as which objects to consider what can be controlled

Don’t take the easy way out and give out too many permissions

Don’t embed secret data in code

E.g. passwords

Use DPAPI or KeyChain or at least store passwords somewhere not hard-coded in the app

Sin 13 : Information Leakage Attacker gets information, implicitly or explicitly, that could provide more information for the attacker to reach their goal Examples: Name of server software, versions Debugging information (e.g. left on in PHP) Error messages that reveal code structure

Attacker gets information, implicitly or explicitly, that could provide more information for the attacker to reach their goal

Examples:

Name of server software, versions

Debugging information (e.g. left on in PHP)

Error messages that reveal code structure

Sin 14: Improper File Access Watch out for race conditions among accessing files Perl: #!/usr/bin/perl my $file = “$ENV{HOME}/.config”; read_config($file) if –r $file; Between the file check and read, the file may disappear if there are multiple processes handling this file Manipulation of pathnames to overwrite important files

Watch out for race conditions among accessing files

Perl:

#!/usr/bin/perl

my $file = “$ENV{HOME}/.config”;

read_config($file) if –r $file;

Between the file check and read, the file may disappear if there are multiple processes handling this file

Manipulation of pathnames to overwrite important files

Sin 15 : Trusting Network Name Resolution Not too difficult to have an unsecure name server, e.g. might use WINS Skipping Might ensure connections running over SSL

Not too difficult to have an unsecure name server, e.g. might use WINS

Skipping

Might ensure connections running over SSL

Sin 16 : Race Conditions Common bug in multi-threaded applications, which includes web apps Actual bug from a DB web application, sometimes the queries were UPDATE to a shared field try { sqlComm.sqlConn.Open(); comm.ExecuteNonQuery(); sqlComm.sqlConn.Close(); } catch(Exception f) { sqlComm.sqlConn.Close(); }

Common bug in multi-threaded applications, which includes web apps

Actual bug from a DB web application, sometimes the queries were UPDATE to a shared field

Sin 16 : Race Conditions Lock access to any query for mutual exclusion lock(sqlComm.sqlConn) { try { sqlComm.sqlConn.Open(); comm.ExecuteNonQuery(); sqlComm.sqlConn.Close(); } catch(Exception f) { sqlComm.sqlConn.Close(); } }

Lock access to any query for mutual exclusion

Spotting the Sin Multiple threads or processes that write to the same source Creating files or directories in common areas Signal handlers

Multiple threads or processes that write to the same source

Creating files or directories in common areas

Signal handlers

Sin 17 : Unauthenticated Key Exchange

Sin 18 : Cryptographically Strong Random Numbers Seeds for pseudo-random number generators may not be that difficult to regenerate, then use to test a sequence of random values and determine what the next “random” number will be Can try true random number generators Mouse, keyboard, etc.

Seeds for pseudo-random number generators may not be that difficult to regenerate, then use to test a sequence of random values and determine what the next “random” number will be

Can try true random number generators

Mouse, keyboard, etc.

Sin 19 : Poor Usability Poor usability can also mean poor security Always clicking “OK” when given lots of dialogs Cryptic error or status messages

Poor usability can also mean poor security

Always clicking “OK” when given lots of dialogs

Cryptic error or status messages