Secure Software Professional Recommendations from CWE/SANS.


References
Material is from:
- 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, Version 1.4, Oct 29
- CISA Certified Information Systems Auditor All-in-One Exam Guide, Peter H. Gregory, McGraw-Hill
Author: Susan J. Lincke, PhD, Univ. of Wisconsin-Parkside
Contributors: Megan Reid, Todd Burri
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Objectives
- Define attacks: buffer overflow, SQL injection, OS command injection, cross-site scripting, cleartext transmission, race condition, chatty error message
- Define solutions: sanitization, whitelist, blacklist, nonce, character encoding (UTF-8), jail or sandbox environment
- Recognize major coding errors
- Modify a Requirements Document to include Security Requirements

Problem: Incorrect Input
Figure: a Car Sale form accepted with data that passes no sanity check. Model: Chevrolet XR2; Price $: (blank); VIN: 12K4FG436DDE842; Status: New; Sale to: Rubber Ducky, 2222 Atlantic Ocean, Antarctica, NY; Phone: 911; VISA: RUAFOOL444

Problem: Buffer Overflow
Figure: a stack frame holding the local variables Name, Count and State, followed by the saved frame pointer and the return address. The program answers "Enter Name:" by copying the input into Name without checking its length; a name made of dozens of 'z' characters overruns Name, corrupts Count (49,425,222) and State (84), and reaches the frame pointer and return address, so the attacker can redirect control flow when the function returns.

Fix: Input Validation
Assume all input is malicious!
Validate: length, type, syntax, and context (business rules).
Or use special input checkers, e.g. Struts validation or the OWASP ESAPI Validation API.
Whitelist: list of acceptable input (preferred: anything not explicitly allowed is rejected).
Blacklist: reject suspect input (easy to bypass with encodings and variants; use only as a supplement).
Validate first, on the server, before the data crosses the network to any other component!
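As an added example (not from the slides), a whitelist validator in Python for the Car Sale form shown two slides earlier. The VIN alphabet and the Luhn card check are standard; the phone layout, name alphabet, allowed statuses and price ceiling are assumed business rules for this example, and the sample records are constructed (the card number is a well-known test number, not a real account).

```python
import re
from decimal import Decimal, InvalidOperation

# Whitelist rules: every field has an explicit alphabet, length and range.
# The formats below are assumed business rules for this example.
VIN_RE = re.compile(r"[A-HJ-NPR-Z0-9]{17}")      # real VINs never contain I, O or Q
PHONE_RE = re.compile(r"\d{3}-\d{3}-\d{4}")      # assumed North American layout
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,59}")
CARD_RE = re.compile(r"\d{13,19}")
ALLOWED_STATUS = {"New", "Used"}
MAX_PRICE = Decimal("500000")                    # assumed ceiling (business rule)


def luhn_ok(number: str) -> bool:
    """Standard Luhn check: rejects typos and garbage such as 'RUAFOOL444'."""
    if not CARD_RE.fullmatch(number):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_sale(form: dict) -> list:
    """Return the names of the fields that fail; an empty list means accept."""
    errors = []
    if not VIN_RE.fullmatch(form.get("vin", "")):          # syntax + length
        errors.append("vin")
    try:
        price = Decimal(form.get("price", ""))              # type: must parse as a number
        if not Decimal("0") < price <= MAX_PRICE:           # range (NaN also fails here)
            errors.append("price")
    except InvalidOperation:
        errors.append("price")
    if form.get("status") not in ALLOWED_STATUS:            # whitelist of allowed values
        errors.append("status")
    if not NAME_RE.fullmatch(form.get("buyer", "")):
        errors.append("buyer")
    if not PHONE_RE.fullmatch(form.get("phone", "")):
        errors.append("phone")
    if not luhn_ok(form.get("card", "")):                   # context: a real card number
        errors.append("card")
    return errors


# Constructed sample input: the bogus sale from the "Incorrect Input" slide,
# and a record that passes every rule.
BOGUS_SALE = {"vin": "12K4FG436DDE842", "price": "", "status": "New",
              "buyer": "Rubber Ducky", "phone": "911", "card": "RUAFOOL444"}
VALID_SALE = {"vin": "1HGCM82633A004352", "price": "24999.00", "status": "Used",
              "buyer": "Ann Winkler", "phone": "262-555-0100", "card": "4111111111111111"}

if __name__ == "__main__":
    print("bogus:", validate_sale(BOGUS_SALE))
    print("valid:", validate_sale(VALID_SALE))
```

Note what the whitelist cannot do: "Rubber Ducky" is a syntactically valid name, so the buyer field passes; catching that kind of nonsense needs a business rule (for instance, a match against the customer database), which is the "context" item on the slide.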

Problem: Insecure Interaction Between Components
Figure: client program B talks to the server over the network; the attacker substitutes a modified copy B* (real -> fake).
Problem: the server assumes validation occurred in the client and does not recheck.
Attack: the client code is reverse engineered and modified to act differently, or the client is bypassed and the requests are crafted directly.

Fix: Server-Side Validation and Authentication
Perform authentication and input validation on both client and server sides, but treat the server-side check as the only one that counts: client-side checks improve usability and can always be bypassed.
Use encryption and integrity protection (hashing/HMAC) between client and server.

Problem: SQL Injection
Java original:
  "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
Inserted password: Aa' OR ''='
Java result:
  SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ''=''
  (AND binds tighter than OR, so the condition is true for every row and the login succeeds without a valid password)
Inserted password: foo';DELETE FROM users_table WHERE username LIKE '%
Java result:
  SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'
  (a second statement is appended that deletes every user)
Figure: login form (Login, Password) followed by "Welcome to My System".

Fix: Input Sanitization
Avoid dynamically constructed query strings: use prepared statements / parameterized queries so user data is bound as a value and never parsed as SQL.
Where a parameter cannot be used (table names, ORDER BY columns), whitelist the value; disallow or escape metacharacters only as a last resort.
Persistence software: Oracle DBMS_ASSERT; MySQL mysql_real_escape_string() for C and PHP; Hibernate or Enterprise Java Beans, if used properly.
Figure: layered architecture, GUI (validation) -> Business Logic -> Persistence Layer -> Database.
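To show the difference between the two slides above in running code, an added example (not from the slides) in Python with an in-memory SQLite database. The users_table and its single account are constructed; the bypass payload is the first one from the SQL Injection slide. The stacked DELETE payload is not run here because Python's sqlite3 refuses more than one statement per execute() call, a driver quirk that other database drivers do not share, so the fix is still the placeholder, not the driver.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users_table with one constructed account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn, username: str, password: str) -> bool:
    """Same construction as the slide's Java: user text is spliced into SQL syntax."""
    sql = ("SELECT * FROM users_table WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """Placeholders: the statement is parsed first, the values are bound afterwards,
    so a quote or an OR inside the password can never become SQL."""
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Payload from the slide: closes the string literal and appends an always-true OR.
BYPASS_PASSWORD = "Aa' OR ''='"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_bypassed": login_concatenated(conn, "anyname", BYPASS_PASSWORD),
        "safe_bypassed": login_parameterized(conn, "anyname", BYPASS_PASSWORD),
        "safe_real_login": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the unknown user "anyname" is logged in as the first row of the table; with the parameterized query the same payload is simply a password that matches nobody.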

Problem: OS Command Injection
Command injection into SQL: the attacker types '|shell("cmd /c echo " & char(124) & "format c:")|' into a login field. A database engine that evaluates the expression between the pipe characters hands the string to the operating system shell.
Data and control traverse the same path, so data can become control.
Figure: login form (Login, Password) followed by "Welcome to My System".

Fix: Avoid OS Command Injection
- Separate control information from data information (e.g. data -> database; control defines what the application does)
- Use library calls instead of external processes
- Avoid external control of command input
- Run code in a "jail" or other sandbox environment (discussed in further detail on the next slide)
- Provide the lowest possible permissions for the executable
Example of the separation: Control: start WPI session, parms -lmk. Data: "Terry, Brian, Jerry, Ann, Louis, ..."

Define Jail & Sandbox
Jail: the OS imposes resource limits on programs. It may include I/O bandwidth caps, disk quotas, network access restrictions, and a restricted file system namespace.
Sandbox: quarantines an untrusted program as it runs, so untested/untrusted programs from third parties, suppliers, and users can be executed with limited effect.

Problem: External Control of Critical State Data
User-side data can be modified: cookies, configuration files, profiles, hidden form fields, environment variables, registry keys.
Figure: a web request returns a web form; the client sends the form back with fake data.

Fix: Control Critical State Data
Understand all locations that are accessible to attackers.
Do not keep state information on the client without encryption and integrity checking (e.g. HMAC).
Prefer keeping state information on the server side only (e.g. OWASP ESAPI session management). Where state must travel with the client, as ASP.NET View State does in a hidden field, make sure it is signed (and encrypted if it is sensitive) before trusting it.
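An added example (not from the slides) of the integrity check the slide asks for: client-side state sealed with an HMAC-SHA256 tag under a key that never leaves the server. The key value, the state fields and the forged state are constructed for the example. This protects integrity only; if the state must also be secret, encrypt it as well.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumed: a secret held only on the server (constructed value for this example).
SERVER_KEY = b"server-only-secret-0123456789abcdef"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


def seal_state(state: dict) -> str:
    """Serialize the state and append an HMAC tag over exactly those bytes."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def unseal_state(token: str):
    """Return the state only if the tag verifies; None for anything tampered or malformed.
    The body is never parsed before the tag has been checked."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(body)


def forge_without_key(token: str, new_state: dict) -> str:
    """What an attacker can do with a hidden field or cookie: rewrite the body, keep the tag."""
    _, tag_b64 = token.split(".", 1)
    body = json.dumps(new_state, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + tag_b64


if __name__ == "__main__":
    token = seal_state({"user": "ann", "role": "customer", "cart_total": 19.95})
    print(unseal_state(token))
    forged = forge_without_key(token, {"user": "ann", "role": "admin", "cart_total": 0.01})
    print(unseal_state(forged))   # None: the old tag does not cover the new body
```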

Problem: Insecure Interaction Between Components
HTTP is stateless: the server does not remember sending a form to a client, nor what type of form it was or what information it carried.
The client can remove checks, insert other code, return unexpected data, etc.
Figure: web access -> web form with JavaScript validation -> the client modifies the JavaScript to avoid the error checks and returns a revised form with its own data and script.

Problem: Cross-Site Scripting
Attacker-controlled data (a link parameter, a stored posting, or content from a disreputable site the reputable site unknowingly links to) is copied into the reputable company's HTML response without encoding.
The browser runs the injected JavaScript or VBScript in the context of the reputable site, so the result looks like a valid web page from that company.
E.g. a request for a non-existent product should return "Error: Page not found"; instead the script referenced in the link renders a fake form.
Figure: web access to product link -> web form with JavaScript attack reference -> should be error (Not Found); instead: fake form.

Fix: Preserve Web Page Structure
Specify a strong character encoding such as UTF-8 (or an ISO-8859 encoding) and declare it on output, so the browser cannot guess a different one; check it on input.
Encode untrusted data for the context in which it is output (HTML body, attribute, URL, script), or use existing encoders: Microsoft Anti-XSS library, OWASP ESAPI Encoder, Apache Wicket.
Validate not only form data, but all parts of the HTTP input (URL, headers, cookies).
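An added example (not from the slides) of context-aware output encoding in Python, using only the standard library: element content and attribute values are HTML-escaped, the href attribute is restricted to http(s) URLs and percent-encoded, and the response declares its charset. The profile fragment, the header dictionary and the attack strings are constructed for the example.

```python
import html
from urllib.parse import quote

# Assumed response header: declaring the charset stops the browser from guessing
# an encoding that the encoder below did not account for.
RESPONSE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}


def encode_for_html(text: str) -> str:
    """Element content and quoted attribute values: escape & < > \" and '."""
    return html.escape(text, quote=True)


def encode_for_href(url: str) -> str:
    """URL attribute: allow only http(s), percent-encode, then HTML-escape the result."""
    if not url.lower().startswith(("http://", "https://")):
        return "#"                      # javascript:, data: and similar schemes are dropped
    return html.escape(quote(url, safe=":/?&=#%"), quote=True)


def render_profile(display_name: str, homepage: str) -> str:
    """Build the fragment with every untrusted value encoded for its own context."""
    return ('<p>Name: {name}</p>\n'
            '<a href="{href}" title="{title}">home page</a>').format(
                name=encode_for_html(display_name),
                href=encode_for_href(homepage),
                title=encode_for_html(display_name))


# Constructed attack input: breaks out of the attribute and tag if pasted raw.
ATTACK_NAME = '"><script>alert(document.cookie)</script>'
ATTACK_URL = "javascript:alert(1)"

if __name__ == "__main__":
    print(RESPONSE_HEADERS)
    print(render_profile(ATTACK_NAME, ATTACK_URL))
```

The same string needs different treatment in different places: html.escape is right for text and quoted attributes but would not make a value safe inside a script block or an unquoted attribute, which is why the encoders named on the slide offer one method per context.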

Problem: Forgery
Also known as Cross-Site Request Forgery (CSRF).
Figure: web access -> web form with JavaScript. The attacker's fake form, carrying its own data and JavaScript, is submitted to the server and is processed as if it were the real form.

Problem: Improper Access Control
Figure: a web form that needs authentication is requested; the authenticated reply with the actual data is written to a cache, and a later request for the same form is served from the cache with the actual data and no authentication.

Fix: Access Permissions
- Use role-based access; at minimum distinguish anonymous, normal, privileged, and administrative permissions
- Verify access control on the server side for every request
- Sensitive pages are never cached and must require an active authorization token
- Only acquire higher-level access when you need it; otherwise run with the minimum possible authorization level
- Check that files read have the required permissions; administrators may not set them properly
- Use a cryptographically secure random number generator for session keys; if keys are predictable, attackers will figure out the next key in the sequence

Problem: Incorrect Access Permissions
Figure: a database program with forms for Sales (Sell on Web, Sell to Distributor), Accounting (Adjust Price), and Manufacturing (Add Inventory, Ship Order).
What permissions should each of these forms require?

Fix: Prevent Forgery
Use a nonce for each form: an unpredictable value generated for one specific use (this session, this form) and accepted only once. A CAPTCHA shows that a human is present and can be added to the same form, but it does not replace the nonce.
The verifier must not be predictable.
For a dangerous operation, send a separate confirmation request.
Figure: a profile form (Name: Ann Winkler; Address: 2526 Pratt Ave, Racine WI; Phone; Interests: Horses, Movies, Travel; Security Code: Johnson Rivers; Submit).
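An added example (not from the slides) of the per-form nonce and of the "good random number generator" point from the Access Permissions slide, in Python: tokens come from the operating system's CSPRNG via the secrets module, are tied to a session, compared in constant time, and accepted once. The store, the handler and the session names are constructed for the example; a real application would keep the outstanding tokens in its session store.

```python
import hmac
import secrets


class FormTokenStore:
    """Server-side registry of single-use anti-forgery tokens, one set per session
    (constructed example; back this with the real session store in production)."""

    def __init__(self):
        self._outstanding = {}          # session_id -> set of unused tokens

    def issue(self, session_id: str) -> str:
        # secrets draws from the OS CSPRNG; random.random() is seeded from a
        # small state and lets an attacker who sees a few tokens predict the next.
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id: str, presented: str) -> bool:
        """True exactly once for a token issued to this session; False otherwise."""
        tokens = self._outstanding.get(session_id, set())
        for token in list(tokens):
            if hmac.compare_digest(token.encode(), presented.encode()):  # constant time
                tokens.discard(token)                                     # single use
                return True
        return False


def handle_profile_update(store: FormTokenStore, session_id: str, form: dict) -> str:
    """Server-side handler: refuse any submission whose form token is missing or wrong."""
    if not store.verify(session_id, form.get("security_code", "")):
        return "rejected: missing or invalid form token"
    return "updated profile for " + form.get("name", "")


def demo() -> list:
    store = FormTokenStore()
    token = store.issue("session-ann")            # embedded in the real form as a hidden field
    real = {"security_code": token, "name": "Ann Winkler"}
    return [
        handle_profile_update(store, "session-ann", real),                  # genuine submission
        handle_profile_update(store, "session-ann", real),                  # replay of the same form
        handle_profile_update(store, "session-ann", {"name": "Mallory"}),   # forged form, no token
        handle_profile_update(store, "session-mal", real),                  # token from another session
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```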

Problem: Cleartext Transmission of Sensitive Information
Figure: Login: Ginger, Password: Snap, readable by anyone on the network path.
Fix: encrypt data with standard, reliable encryption (e.g. TLS) before transmission.

Problem: Race Condition
Thread P1          Thread P2          Comment
cin >> input;                         read "hello" into global
                   cin >> input;      read "good-bye" into global
out = input;                          string copy (e.g. strcpy())
                   out = input;
cout << out;                          prints "good-bye"
                   cout << out;       prints "good-bye"
Result: data corruption and denial of service.
Fix: use synchronization primitives around critical code; minimize use of shared resources; test using artificial delays in the race window; identify and trigger error conditions.
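The slide's interleaving, reproduced as an added example (not from the slides) in Python. The artificial delay inside the read-copy window is the testing technique the slide recommends: it makes the race fire every time, so the test can assert on the corrupted result and on the locked fix. The Shared class and the delays are constructed for the example.

```python
import threading
import time


class Shared:
    """The slide's global 'input' and 'out' buffers, plus the lock used by the fix."""

    def __init__(self):
        self.input = ""
        self.out = ""
        self.lock = threading.Lock()


def copy_unlocked(shared: Shared, value: str, delay: float) -> str:
    shared.input = value            # cin >> input   (read into the shared global)
    time.sleep(delay)               # artificial delay: holds the thread in the race window
    shared.out = shared.input       # out = input    (copy from the global)
    return shared.out               # cout << out


def copy_locked(shared: Shared, value: str, delay: float) -> str:
    with shared.lock:               # read, copy and print form one critical section
        return copy_unlocked(shared, value, delay)


def run_p1_p2(copy_fn) -> list:
    """P1 reads 'hello' and stalls; P2 reads 'good-bye' while P1 is still in the window."""
    shared = Shared()
    results = [None, None]

    def worker(slot, value, delay):
        results[slot] = copy_fn(shared, value, delay)

    p1 = threading.Thread(target=worker, args=(0, "hello", 0.6))
    p2 = threading.Thread(target=worker, args=(1, "good-bye", 0.0))
    p1.start()
    time.sleep(0.2)                 # P2 arrives while P1 is asleep inside the window
    p2.start()
    p1.join()
    p2.join()
    return results


if __name__ == "__main__":
    print("unlocked:", run_p1_p2(copy_unlocked))   # P1's "hello" is lost: both print "good-bye"
    print("locked:  ", run_p1_p2(copy_locked))     # P2 waits for the lock; each gets its own value
```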

Problem: Chatty Error Messages
Examples: "Cannot find file: C:/users/Lincke/validation.txt" (reveals a path and a user name); "Invalid password for login ID" (confirms the login ID exists); "Lab.cs.uwp.edu error: divide by zero error" (reveals a host name and an unhandled fault).
Fix: error messages should avoid file, network configuration, and PII information, yet still be helpful to the user. Remove debug information before release.

Problem: External Control of Path
If you download an external file or navigate to a URL and execute it, or if you provide access to a file on your system by a user-supplied name, an attacker can insert ../../ and reach files outside the intended directory and privilege.
Fix: run as a low-privilege user; provide fixed input values (or map user choices to fixed paths); run code in a "jail" such as a Unix chroot jail or under AppArmor.
Figure: Submit File form with "Enter pathname:" and Browse buttons.
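An added example (not from the slides) that covers this slide and the "use library calls instead of external processes" item from the OS Command Injection fix: the user-supplied name is resolved with realpath() and checked for containment in one fixed directory, and the file is then read with open() rather than by handing "cat " plus the name to a shell. The base directory, the scratch file and its contents are constructed for the example.

```python
import os
import tempfile

# Assumed: the one directory the upload feature is allowed to serve (constructed path).
BASE_DIR = os.path.realpath(os.path.join(tempfile.gettempdir(), "app-uploads"))


def resolve_inside(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Map a user-supplied name to a path inside base_dir, or raise ValueError.
    realpath() collapses ../ segments and follows symlinks before the containment
    check, so '../../etc/passwd', an absolute path and a planted symlink all fail."""
    candidate = os.path.realpath(os.path.join(base_dir, user_path))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes the upload directory: %r" % user_path)
    return candidate


def traversal_blocked(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """True when the containment check rejects the name."""
    try:
        resolve_inside(user_path, base_dir)
        return False
    except ValueError:
        return True


def read_upload(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Library call instead of an external process: no shell, so no command parsing,
    no metacharacters, and the process never gains a second privilege boundary."""
    with open(resolve_inside(user_path, base_dir), "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> tuple:
    """Create a scratch upload directory with one constructed file and exercise both paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        with open(os.path.join(base, "report.txt"), "w", encoding="utf-8") as fh:
            fh.write("quarterly report")
        inside = read_upload("report.txt", base)
        relative_blocked = traversal_blocked("../../etc/passwd", base)
        absolute_blocked = traversal_blocked("/etc/passwd", base)
        return inside, relative_blocked, absolute_blocked


if __name__ == "__main__":
    print(demo())
```

The check compares resolved paths, not strings: a name that merely starts with the base directory's prefix (such as a sibling directory "app-uploads-old") is rejected because commonpath() works on path components.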

Problem: Adopting Untrusted Software
Figure: "Download File / Free Software ... Is it Safe?"
Fix: use monitoring tools that examine a process as it interacts with the OS: truss (Solaris), strace (Linux), FileMon, RegMon and Process Monitor from Sysinternals (Windows), sniffers and protocol analyzers for its network traffic.

Problem: Other Security Errors
Find the errors:
    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File();
        if (security.open(spath) > 0) {
            contents = security.read();
            environment = security.read();
        } else {
            print("Error: Security.dat not found");
        }
    }

Problem: Other Security Errors
Find the errors:
    Security() {
        String contents, environment;
        String spath = "security.dat";
        File security = new File();
        if (security.open(spath) > 0) {
            contents = security.read();
            environment = security.read();
        } else {
            print("Error: Security.dat not found");
        }
    }
1. Variables contents and environment are not initialized: this can cause problems on the error path, and an attacker may be able to initialize them or read values left over from a previous use.
2. "security.dat" is not a full pathname: the file can be replaced if the program is run from another location.
3. File 'security' is not closed: this leaves the file open to attack and keeps unnecessary resources busy.
4. The error message reveals the file name: this can give an attacker important information.

Problem: More Security Errors
Find the errors:
    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;          // input
        total = count * product.cost();
        Message m = new Message(name, password, product, total);
        m.myEncrypt();
        server.send(m);
    }

Problem: More Security Errors
Find the errors:
    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;          // input
        total = count * product.cost();
        Message m = new Message(name, password, product, total);
        m.myEncrypt();
        server.send(m);
    }
Errors:
1. The password is hardcoded: if an attacker finds it, every installed system can be broken into until the software is changed on all computers. Passwords may only be stored in an encrypted (or hashed) file.
2. total may overflow and produce a very small or negative number; the input count is not checked (it could be zero or invalid).
3. Encryption should be a standard algorithm: home-written varieties are broken easily.

Fix: Test All Software!
Dynamic tools: use large test suites such as fuzz testing, robustness testing, and fault injection. Software may slow down but should not crash or generate incorrect results.
Use automated static analysis tools and treat the warnings from program analysis tools as findings to resolve.
Use manual tests such as penetration testing, threat modeling, and interactive tools to reach beyond the automated testing tools.
Run the program under low memory conditions and insufficient privileges; interrupt a transaction or disable connectivity before the transaction completes.

Definition Matching
Terms: Whitelist, Blacklist, Nonce, Jail, Sandbox Environment
1. A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps and disk quotas)
2. A single-use, unpredictable value that prevents replay of a request (e.g. a one-time form token)
3. List of acceptable input
4. A security mechanism for quarantining untrusted running programs
5. Reject suspect input


Question A third party inserts attack data into another organization’s html response. This is known as: 1. Cross-Site Scripting 2. Blacklist 3. Race Condition 4. Cleartext

Question What technique would NOT be appropriate in avoiding OS Command Injection? 1. Separate control information from data information 2. Use library calls instead of external processes 3. Run code in “jail” or other sandbox environment 4. Use a hard-coded password to enable access

Question Which of the following is true concerning web servers? 1. Servers cannot retain web session state, and thus the client must do it 2. The single best place to do input validation and authentication is at the client-side 3. Using client as storage is safe if encryption and integrity checking are used 4. The server can trust web input if it validates the data in the web form

Question The BEST way to ensure input validity at the client is: 1. Nonce 2. Whitelist 3. Blacklist 4. Integrity Checking

Question The BEST implementation of Access Control would be: 1. Do not provide caches for sensitive data 2. Always use minimal possible permissions in code, for as short of a time as possible 3. Avoid using cookies and hidden fields 4. Never provide an authorization above ‘guest’ to web users

Question SQL Injection is BEST protected against by using: 1. Cleartext 2. Encryption and Integrity Checking 3. Sanitization 4. Clearly defined code such as UTF-8

Question The main way to avoid replay between a client and server is: 1. Integrity checking 2. Whitelist 3. Blacklist 4. Nonce

Question An attack that could cause the MOST problems includes: 1. Hard-coded password 2. Race condition 3. Denial of Service 4. Chatty error message

Question The BEST way to ensure no message modification occurs is: 1. Hashing 2. Whitelist 3. Blacklist 4. Encryption

Question All of the following EXCEPT which answer can result in invalid data AND break-in? 1. Non-random random number generator 2. Buffer overflow 3. Uninitialized variables resulting in error messages 4. Race conditions