Secure Software - PowerPoint PPT Presentation

About This Presentation
Title: Secure Software
Description: Secure Software: Professional Recommendations from CWE/SANS (PowerPoint PPT presentation)
Slides: 52
Provided by: Susan782
Learn more at: http://www.cs.uwp.edu

Transcript and Presenter's Notes
1
Secure Software
  • Professional Recommendations from CWE/SANS

2
References
  • Material is from
  • 2009 CWE/SANS Top 25 Most Dangerous Programming
    Errors, Version 1.4, Oct 29, 2009.
  • CISA Certified Information Systems Auditor
    All-in-One Exam Guide, Peter H Gregory,
    McGraw-Hill
  • Author
  • Susan J Lincke, PhD Univ. of Wisconsin-Parkside
  • Contributors Megan Reid, Todd Burri
  • Funded by National Science Foundation (NSF)
    Course, Curriculum and Laboratory Improvement
    (CCLI) grant 0837574 Information Security
    Audit, Case Study, and Service Learning.
  • Any opinions, findings, and conclusions or
    recommendations expressed in this material are
    those of the author(s) and/or source(s) and do
    not necessarily reflect the views of the National
    Science Foundation.

3
Problem: Incorrect Input
  (Figure, a filled-in "Car Sale" form: Model Chevrolet XR2; Price 25.45; VIN 12K4FG436DDE842; Status New; Sale to Rubber Ducky, 2222 Atlantic Ocean, Antarctica, NY, 00000; Phone 911; VISA RUAFOOL444)
4
Problem: Buffer Overflow
  (Figure, a stack frame: Name Zzzzzzzzzz; Count 49,425,222; State 84; Return address 0x246625; Frame pointer 0x246625. The entered Name "Zzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzz zzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzz" is longer than the Name buffer and spills into the neighbouring fields, up to the frame pointer and return address)
5
Fix: Input Validation
  • Assume all input is malicious! Validate:
  • Length
  • Type
  • Syntax
  • Context (business rules)
  • Or use special input checkers:
  • Struts or OWASP ESAPI Validation API
  • Whitelist: list of acceptable input (preferred; anything not on the list is rejected)
  • Blacklist: reject suspect input (weaker; the list is never complete)
  • Validate first! Check input at the point where it arrives from the network, before it reaches business logic
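As an added example (not part of the original slides), a whitelist validator in Python for the "Car Sale" form from slide 3, checking each field for length, type, syntax and a business rule. The field patterns, the VIN format (17 characters, never I, O or Q) and the price range are assumptions chosen for this illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Whitelist rules: each field must match a fixed pattern (length, type, syntax) or a
# fixed set of values. The patterns and ranges are assumptions for this example.
MODEL_RE = re.compile(r"^[A-Za-z0-9 ]{1,40}$")
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")      # 17 chars; letters I, O, Q are never used
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")
ZIP_RE = re.compile(r"^\d{5}$")
STATUSES = {"New", "Used"}                         # context / business-rule check
MIN_PRICE, MAX_PRICE = Decimal("500"), Decimal("500000")


def validate_sale(rec):
    """Return the names of the fields that fail validation; an empty list means accept.

    Every field is checked against its whitelist rule and anything that does not
    match is rejected. Missing fields fail too (rec.get() supplies "" for them).
    """
    errors = []
    if not MODEL_RE.match(rec.get("model", "")):
        errors.append("model")
    try:
        price = Decimal(rec.get("price", ""))
        if not MIN_PRICE <= price <= MAX_PRICE:
            errors.append("price")
    except InvalidOperation:              # not a number at all (or NaN)
        errors.append("price")
    if not VIN_RE.match(rec.get("vin", "")):
        errors.append("vin")
    if rec.get("status") not in STATUSES:
        errors.append("status")
    if not PHONE_RE.match(rec.get("phone", "")):
        errors.append("phone")
    if not ZIP_RE.match(rec.get("zip", "")):
        errors.append("zip")
    return errors


# Constructed sample records for this example. BAD_SALE carries the values from the
# "Incorrect Input" slide (price 25.45, phone 911, a 15-character VIN, status "Sale").
GOOD_SALE = {"model": "Chevrolet XR2", "price": "25450.00", "vin": "1G1FP22P7T2100001",
             "status": "New", "phone": "262-595-2111", "zip": "53141"}
BAD_SALE = {"model": "Chevrolet XR2", "price": "25.45", "vin": "12K4FG436DDE842",
            "status": "Sale", "phone": "911", "zip": "00000"}

if __name__ == "__main__":
    print("good:", validate_sale(GOOD_SALE))   # []
    print("bad: ", validate_sale(BAD_SALE))    # ['price', 'vin', 'status', 'phone']
```

Note that the ZIP code 00000 passes: it has the right length, type and syntax, and only a further business rule (a lookup against assigned ZIP codes) would catch it, which is the kind of context check the slide lists last.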
6
Problem: Insecure Interaction Between Components
  (Diagram: real client -> network -> Program B; attacker's fake client -> network -> Program B)
  • Attack: the client code is reverse engineered and modified to act differently (the "fake" client)
  • Problem: the server (Program B) assumes validation occurred in the client and does not recheck
7
Fix: Server-Side Authentication
  (Diagram: real client -> network -> server)
  • Perform authentication and input validation on both client and server sides; the server-side check is the one that counts, because the client can be modified
  • Use encryption and an integrity check (a keyed hash, i.e. HMAC) between client and server

8
Problem: SQL Injection
  • Java original: "SELECT * FROM users_table WHERE username='" + username + "' AND password='" + password + "'"
  • Inserted password: Aa' OR ''='
  • Java result: SELECT * FROM users_table WHERE username='anyname' AND password='Aa' OR ''=''  (the OR clause is always true, so the login succeeds)
  • Inserted password: foo'; DELETE FROM users_table WHERE username LIKE '%
  • Java result: SELECT * FROM users_table WHERE username='anyname' AND password='foo'; DELETE FROM users_table WHERE username LIKE '%'  (a second statement is executed)
  (Figure: login form with Login and Password fields, followed by the "Welcome to My System" page)
9
Fix: Input Sanitization
  • Avoid dynamically-constructed query strings: use parameterized queries (prepared statements), so user data is never part of the SQL text
  • Disallow meta-characters
  • Persistence software:
  • Oracle DBMS_ASSERT
  • MySQL mysql_real_escape_string() for C, PHP
  • Hibernate or Enterprise Java Beans, if used properly
  (Diagram of the layers: GUI with validation -> Business Logic -> Persistence Layer -> Database)
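As an added example (not part of the original slides), the two login payloads from slide 8 run against an in-memory SQLite table in Python, first through a concatenated query of the kind the slide shows and then through a parameterized query. The table name and the account in it are constructed for this demonstration.

```python
import sqlite3


def make_db():
    """In-memory users_table holding one constructed account (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_table VALUES ('anyname', 'secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The slide's pattern: the query is built by string concatenation, so a quote
    character in the password becomes part of the SQL and changes its meaning."""
    sql = ("SELECT * FROM users_table WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so the same payload is compared literally against the stored password."""
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The first payload from slide 8; the resulting WHERE clause is always true.
INJECTED_PASSWORD = "Aa' OR ''='"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "anyname", INJECTED_PASSWORD))  # True: login bypassed
    print(login_safe(db, "anyname", INJECTED_PASSWORD))        # False: treated as data
    print(login_safe(db, "anyname", "secret"))                 # True: real password
```

Python's sqlite3 execute() refuses stacked statements, so the slide's second payload (the one ending in a DELETE) raises ProgrammingError here instead of deleting rows; database drivers that allow several statements per call would run it, which is why the parameterized form, not the driver's behaviour, is the fix to rely on.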
10
Problem: OS Command Injection
  • Problem: command injection through SQL
  • Inserts shell(cmd /c echo char(124) format c), where char(124) is the pipe character, so the shell sees an echo piped into "format c"
  • Data and control can traverse the same path
  (Figure: login form, followed by the "Welcome to My System" page)
11
Fix: Avoid OS Command Injection
  • Separate control information from data information
  • E.g. data -> database; control defines what the application does
  • Use library calls instead of external processes
  • Avoid external control of command input
  • Run code in a jail or other sandbox environment (discussed in further detail on slide 13)
  • Provide the lowest possible permissions for the executable
  (Figure: Data: Terry, Brian, Jerry, Ann, Louis; Control: Start WPI session, parms -lmk)
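As an added example (not from the original slides), the three fixes above in Python: a command string that a shell would parse, a check that counts how many commands such a string really contains, an argv list built only from whitelisted data, and the library call that avoids the external process entirely. The username pattern and the log directory are assumptions for this illustration.

```python
import re
import shlex

# Whitelist for the one piece of user data the command needs (assumption for this example).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")
LOG_DIR = "/var/log/app"          # assumed log location, for illustration only


def build_command_vulnerable(user):
    """Data and control share one path: the user name is spliced into a string
    that would be handed to a shell, e.g. subprocess.run(cmd, shell=True)."""
    return "cat " + LOG_DIR + "/" + user + ".log"


def count_shell_commands(cmd):
    """Tokenize the string the way a shell would and count the commands in it;
    more than one means user data has turned into control."""
    lexer = shlex.shlex(cmd, punctuation_chars=True)
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def build_command_safe(user):
    """Validated data goes into an argv list. No shell parses the list, so any
    metacharacter in 'user' stays data; run it with subprocess.run(argv), never
    with shell=True."""
    if not USERNAME_RE.match(user):
        raise ValueError("invalid username: " + repr(user))
    return ["cat", LOG_DIR + "/" + user + ".log"]


def is_accepted(user):
    """True if the whitelist lets 'user' through to build_command_safe()."""
    try:
        build_command_safe(user)
        return True
    except ValueError:
        return False


def read_log_without_process(user, base_dir=LOG_DIR):
    """Better still, the slide's 'library call instead of external process':
    read the file directly and never start a shell at all."""
    if not USERNAME_RE.match(user):
        raise ValueError("invalid username: " + repr(user))
    with open(base_dir + "/" + user + ".log", encoding="utf-8") as f:
        return f.read()


if __name__ == "__main__":
    payload = "bob; echo INJECTED"
    print(count_shell_commands(build_command_vulnerable("bob")))    # 1
    print(count_shell_commands(build_command_vulnerable(payload)))  # 2: data became control
    print(build_command_safe("bob"), is_accepted(payload))          # ['cat', '/var/log/app/bob.log'] False
```

The whitelist does the real work: once the only characters that can reach the command are letters, digits, "_" and "-", there is nothing left for a shell to misinterpret, and the argv form means no shell is consulted anyway.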
12
Web Form / Web Service Attacks
  • Directory Traversal: a URL is coded to access unexpected files or commands on the web server, such as www.company.com/../../cmd. Characters may be URL-encoded to hide the contents (../ becomes %2e%2e%2f).
  • WSDL Enumeration: discovery of web services via UDDI, or a search for WSDL files, for attack purposes.
  • Replay: transmitted packets may be copied and resent. Packets may also be modified before retransmission.
  • URL Jumping: avoids authentication by requesting web pages out of order.
  • XPath Injection: modifies XML format or contents to create unintended data. Similar to SQL injection, except that XML is attacked.
  • XML Overflow: a DoS attack that constructs invalid or repeated XML structures, in an attempt to confuse the server or exhaust its memory.
13
Define: Jail / Sandbox
  • Jail: the OS imposes resource limits on programs. It may include:
  • I/O bandwidth caps
  • disk quotas
  • network access restrictions
  • restricted file system namespace
  • Sandbox: quarantines an untrusted program as it runs
  • Can execute untested/untrusted programs from untrusted third parties, suppliers, and users

14
Problem: Reliance on Untrusted Inputs
  • User-side data can be modified:
  • Cookies
  • Configuration files
  • Profiles
  • Hidden form fields
  • Environment variables
  • Registry keys
  (Diagram: web request -> web form -> form returned with fake data)
15
Fix: Control Critical State Data
  • Understand all locations that are accessible to attackers
  • Do not keep state info on the client without encryption and integrity checking (e.g. HMAC)
  • Prefer keeping state on the server side (e.g. OWASP ESAPI Session Management); where a framework keeps state on the client, as ASP.NET View State does, make sure its MAC (integrity) protection is enabled
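As an added example (not part of the original slides), the HMAC protection the fix calls for, in Python: state destined for a hidden field or cookie is serialized and tagged with HMAC-SHA256 under a server-only key, and the server refuses any copy whose tag no longer matches. The key and the sample state are constructed for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumed server-side secret for this example; a real deployment loads it from a
# secret store, rotates it, and never sends it to the client.
SERVER_KEY = b"example-server-key-not-for-production"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def seal_state(state, key=SERVER_KEY):
    """Serialize state for a hidden field or cookie and append an HMAC-SHA256
    tag, so any client-side change to the payload is detectable."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def open_state(token, key=SERVER_KEY):
    """Return the state dict if the tag verifies, otherwise None. Malformed
    tokens are treated exactly like tampered ones."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return None
    return json.loads(payload)


def tamper(token, field, value):
    """What an attacker can do without the key: edit the visible payload and
    keep the old tag attached."""
    payload_b64, tag_b64 = token.split(".")
    state = json.loads(_unb64(payload_b64))
    state[field] = value
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(payload) + "." + tag_b64


if __name__ == "__main__":
    token = seal_state({"item": "XR2", "price": 25450})   # constructed order state
    print(open_state(token))                              # {'item': 'XR2', 'price': 25450}
    print(open_state(tamper(token, "price", 1)))          # None: tag no longer matches
```

This gives integrity only: the client can still read the payload, so anything secret must also be encrypted, and an old but valid token can be replayed unless the state carries a session binding or an expiry that the server checks.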

16
Problem: Incorrect Authorization
  • Web servers are memoryless (stateless between requests)
  • They do not remember sending a form to a client, nor what type of form it was or what info it carried
  • The client side can remove checks, insert other code, return unexpected data, etc.
  (Diagram: web access -> web form with JavaScript -> client modifies the JavaScript to avoid the error checks -> revised form returned with data and JavaScript)
17
Problem: Cross-Site Scripting
  • A reputable site has links to a disreputable site
  • The disreputable site generates a script, which is inserted into the reputable company's HTML response
  • The result looks like a valid web page from the reputable company
  • E.g. an "Error: page not found" page that echoes the requested URL
  • The bad data may come from the database, the Document Object Model, or client input
  (Diagram: attacker creates a link or data -> web access to the product link reference -> the page should be a form but instead requests payment -> web form carrying the JavaScript attack)
18
More on Cross-Site Scripting (XSS)
  • Local (DOM-based) XSS: modifies the web page by modifying JavaScript in the Document Object Model (DOM); the server never sees the payload
  • Stored XSS: the attacker uses form input to modify a database. The stored input includes infected links or files, which are later served to other users
  • Reflective XSS: the victim server returns infected client data, submitted as part of the client's input (e.g. a URL parameter), straight back in its response

19
Fix: Preserve Web Page Structure
  • Same-origin policy: the browser treats content as the same origin only when it uses the same protocol and port number and is derived from the same host
  • Specify an explicit character encoding such as UTF-8 or ISO-8859-1, so the browser cannot be tricked into decoding the page differently from the server
  • Encode on output (for the context the data lands in: HTML text, attribute, URL, JavaScript)
  • Check on input
  • Or use other encoders: MS Anti-XSS library, OWASP ESAPI Encoding, Apache Wicket
  • Validate input data and all parts of HTTP input (parameters, headers, cookies)
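As an added example (not from the original slides), "encode on output" in Python for the "page not found" case above: the requested value is echoed into three different contexts, HTML text, a URL query parameter and a JavaScript string literal, each with its own encoder. The page layout and the probe string are constructed for this illustration.

```python
import html
import json
import urllib.parse


def js_string(value):
    """JavaScript string literal for embedding in a <script> block. json.dumps
    handles quotes and backslashes; < and > are escaped as well so a value such
    as </script> cannot close the block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_not_found(requested):
    """Build the 'page not found' response that echoes the requested path back
    to the user. Each output context gets the encoder that context needs."""
    return (
        "<p>Error: page not found: " + html.escape(requested) + "</p>\n"          # HTML text
        '<a href="/search?q=' + urllib.parse.quote(requested, safe="") + '">'     # URL query value
        "search again</a>\n"
        "<script>var last = " + js_string(requested) + ";</script>"                # JS literal
    )


# Constructed attack input: the classic reflected-XSS probe.
PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_not_found(PAYLOAD))   # the payload appears three times, never as markup
```

One encoder does not fit all contexts: html.escape() would not protect the JavaScript literal (a quote character ends the string), and json.dumps() alone would not protect the script block (it leaves </script> intact), which is why the template applies a different encoder at each insertion point.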

20
Problem: Forgery (Cross-Site Request Forgery)
  • The server provides an authentication token (e.g. a session cookie) to user A
  • The browser sends that token with every later request to the server, whatever page caused the request
  • An attacker's page causes the browser to submit a request of the attacker's choosing, and the user's token goes with it ("copies and uses the token")
  • Problem: the authentication token is pre-approved; the server cannot tell a request the user intended from one the attacker triggered
  • Fix: complete mediation; every request to the server is verified for authorization, including a per-form nonce that the attacker cannot know (see slide 25)
  (Diagram: web access with authentication -> web form with credential; the attacker listens and presents another fake form whose data is submitted with the copied credential)
21
Problem: Missing Authorization
  (Diagram: the client logs in through the web login form and receives an authenticated URL, www.abc.com/123; it then requests www.abc.com/341, /342, /343 and /344 in turn; the server, or its cache, returns the web form with the actual data for www.abc.com/344 without checking whether this user is authorized to see it)
22
Problem: Missing Authentication
  (Diagram: the client accesses the site; the web form that needs authentication is the reply to www.abc.com/123, and the server replies with authentication to www.abc.com/123; a cache holds the web form with the actual data for www.abc.com/345, so a later request for www.abc.com/345 is answered from the cache with that data and no authentication at all)
23
Fix: Authentication Permissions
  • Use Role-Based Access Control
  • At least the permission levels anonymous, normal, privileged, administrative
  • Verify authentication at the server side for every input
  • Sensitive pages are never cached and must have an active authorization token
  • Only provide higher-level access when you need it; always run with the minimum possible authorization level
  • Check that files read have the required access-level permissions; administrators may not set them properly
  • Use a cryptographically secure random number generator when generating session keys; if they are not random, attackers will figure out the next key in the sequence

24
Problem: Incorrect Access Permissions
What permissions to use for these forms???
25
Fix: Prevent Forgery
  (Figure, a form: Name Ann Winkler; Address 2526 Pratt Ave, Racine WI; Phone 262-595-2111; Interests Horses, Movies, Travel; Security Code "Johnson Rivers"; Submit)
  • Use a nonce for each form (a number or CAPTCHA generated for a specific use, such as session authentication)
  • The verifier must not be predictable
  • If the operation is dangerous, send a separate confirmation request
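As an added example (not from the original slides), a per-form nonce registry in Python that covers both this slide and the CSRF fix on slide 20: each form issued to a session carries an unpredictable token, the token is accepted once only, and a token issued to another session or guessed by the attacker is rejected. The session identifiers and form names are constructed for this illustration; a real application would keep the registry in its session store.

```python
import hmac
import secrets


class FormNonces:
    """Server-side registry of per-form nonces, keyed by (session, form)."""

    def __init__(self):
        self._issued = {}          # (session_id, form_name) -> nonce

    def issue(self, session_id, form_name):
        """Generate an unpredictable nonce, remember it, and return it for
        embedding in the form as a hidden field."""
        nonce = secrets.token_urlsafe(32)   # CSPRNG: not derivable from earlier values
        self._issued[(session_id, form_name)] = nonce
        return nonce

    def verify(self, session_id, form_name, submitted):
        """Accept a submission only if it carries the nonce issued to this
        session for this form. The nonce is consumed on first use, so a replayed
        or copied form fails the second time."""
        expected = self._issued.pop((session_id, form_name), None)
        if expected is None or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def demo():
    """Walk through the four cases; returns (legit, replay, forged, cross_session)."""
    reg = FormNonces()
    n = reg.issue("sess-A", "purchase")
    legit = reg.verify("sess-A", "purchase", n)          # True: the issued nonce
    replay = reg.verify("sess-A", "purchase", n)         # False: already consumed
    reg.issue("sess-A", "purchase")
    forged = reg.verify("sess-A", "purchase", "guess")   # False: attacker cannot predict it
    other = reg.issue("sess-B", "purchase")
    reg.issue("sess-A", "purchase")
    cross = reg.verify("sess-A", "purchase", other)      # False: bound to another session
    return legit, replay, forged, cross


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The CSRF page on slide 20 cannot read the victim's form, so it cannot supply the nonce; binding the nonce to the session is what stops an attacker from using one issued to their own session.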
26
Problem: Cleartext Transmission of Sensitive Info
  (Figure: Login Ginger, Password Snap, sent across the network in the clear)
  • Fix
  • Encrypt data with standard, reliable encryption before transmission (for web traffic, TLS)

27
Problem: Race Condition
  Thread P1         Thread P2         Comment
  cin >> input      ..                // read "hello" into the global input
  ..                cin >> input      // read "good-bye" into the same global
  out = input       out = input       // do a string copy (...uses strcpy())
  cout << out       ..                // prints "good-bye" (P1 expected "hello")
  ..                cout << out       // prints "good-bye"
  • Fix
  • Use synchronization primitives around critical code
  • Minimize use of shared resources
  • Test using artificial delays in the race window
  • Identify and trigger error conditions
  Result: data corruption, denial of service
28
Problem: Chatty Error Messages
  • "Cannot find file C:/users/Lincke/validation.txt"
  • "Invalid password for login ID"
  • "Lab.cs.uwp.edu error: divide by zero error"
  • Fix
  • Error messages should avoid file, network configuration, and PII information
  • They must still be helpful to the user
  • Remove debug info before release

29
Problem: Path Traversal
  • If you download an external file or navigate to a URL and execute it
  • If you provide access to a file on your system
  • An attacker can insert ../../ and access files outside their privilege
  • Fix
  • Allow only certain files or directories to be visible
  • Run as a low-privilege user
  • Provide fixed input values (e.g. let the user pick from a list that maps to file names, rather than supplying a path)
  • Run code in a jail: Unix chroot jail, AppArmor
  (Figure: a "Submit File" form with an "Enter pathname" field and Browse buttons)
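As an added example (not from the original slides), the "allow only certain directories to be visible" fix in Python, which also covers the Directory Traversal row of the attack tables: the user-supplied path is URL-decoded until stable (so %2e%2e%2f and double-encoded %252e%252e%252f are both caught), joined to the document root, canonicalized, and accepted only if it still lies inside that root. The document root and the sample paths are constructed for this illustration.

```python
import os
import urllib.parse

# Assumed document root for this example (it need not exist for the check to run).
PUBLIC_DIR = "/srv/www/public"


def decode_fully(text, max_rounds=3):
    """Undo URL encoding until the value stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both become ../ before the path is checked."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def resolve_under(base_dir, user_path):
    """Map a user-supplied path onto base_dir and return the absolute path only
    if it still lies inside base_dir; otherwise return None."""
    base = os.path.realpath(base_dir)
    wanted = decode_fully(user_path)
    if "\x00" in wanted:                   # NUL truncates paths in C-level file APIs
        return None
    candidate = os.path.realpath(os.path.join(base, wanted))
    # realpath collapses ../ and resolves symlinks; commonpath then proves containment
    # component by component (a plain startswith() would accept /srv/www/public2).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed inputs: the first is legitimate, the rest are traversal attempts in the
# forms the attack table lists (plain, URL-encoded, double-encoded) plus an absolute path.
SAMPLE_PATHS = [
    "img/logo.png",
    "../../etc/passwd",
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(repr(p), "->", resolve_under(PUBLIC_DIR, p))
```

Because realpath() follows symbolic links, a link inside the document root that points outside it is rejected too; this check belongs in the code that opens the file, and is in addition to, not instead of, running as a low-privilege user or inside a chroot.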
30
Problem: Adopting Untrusted Software
  • Fix
  • Use monitoring tools that examine a process as it interacts with the OS:
  • truss (Solaris)
  • strace (Linux)
  • FileMon, RegMon, Process Monitor (Sysinternals, Windows)
  • Sniffers, protocol analyzers
  (Figure: "Download File"; "Free Software: Is it Safe?")
31
Problem: Other Security Errors
  • Find the errors:
    Security()
    {
      String contents, environment;
      String spath = "security.dat";
      File security = new File();
      if (security.open(spath) > 0)
      {
        contents = security.read();
        environment = security.read();
      }
      else
        print("Error: Security.dat not found");
    }

32
Problem: Other Security Errors
  • Find the errors:
    Security()
    {
      String contents, environment;
      String spath = "security.dat";
      File security = new File();
      if (security.open(spath) > 0)
      {
        contents = security.read();
        environment = security.read();
      }
      else
        print("Error: Security.dat not found");
    }
  • Variables contents and environment are not initialized
  • Can cause problems if executed in certain ways
  • An attacker can initialize, or read, variables left over from a previous session
  • security.dat is not a full pathname
  • The file can be replaced if the program is run from another location
  • File security is not closed
  • Leaves the file open to attack
  • Keeps unnecessary resources busy
  • The error message reveals the file name
  • Can give an attacker important info

33
Problem: More Security Errors
  • Find the errors:
    purchaseProduct()
    {
      encryptKey = "N23m2d3";
      count = form.quantity;               // input
      total = count * product.cost();
      Message m = new Message(name, product, total);
      m.myEncrypt(encryptKey);
      server.send(m);
    }

34
Problem: More Security Errors
  • Find the errors:
    purchaseProduct()
    {
      encryptKey = "N23m2d3";
      count = form.quantity;               // input
      total = count * product.cost();
      Message m = new Message(name, product, total);
      m.myEncrypt(encryptKey);
      server.send(m);
    }
  • Errors:
  • encryptKey is hard-coded
  • An attacker who learns it can break into every system until the software is changed on all computers
  • total may overflow, producing a very small (or negative) number
  • Input is not checked (could be zero or invalid)
  • Encryption should be a standard algorithm
  • A home-written variety can be broken easily
  • Message m should carry a nonce (otherwise it can be replayed)
  • A race condition can occur on the shared total, count, encryptKey

35
Fix: Test All Software!!!
  • Dynamic Tools use large test suites such as fuzz
    testing, robustness testing, and fault injection.
    Software may slow down but should not crash or
    generate incorrect results
  • Use automated static analysis tools, e.g.,
    warnings on program analysis tools
  • Use manual tests such as penetration testing,
    threat modeling, and interactive tools to reach
    beyond auto testing tools
  • Run program under low memory conditions,
    insufficient privileges, interrupt a transaction
    or disable connectivity before transaction
    completed.

36
Other software problems
  • Use of hard-coded credentials
  • Missing encryption of sensitive data
  • Unrestricted upload of file with dangerous type
    (image vs executable)
  • Execution with unnecessary privileges
  • Use of poor encryption algorithm
  • Download of code without integrity check
  • Inclusion of Functionality from Untrusted Control
    Sphere (e.g., Client libraries)

37
Web Service Vocabulary
  • Service-Oriented Architecture (SOA): distributed architecture with discoverable, contract-based interfaces
  • uses a platform-neutral HTTP or XML interface
  • interoperable, modular, reusable components
  • Universal Description, Discovery and Integration (UDDI) server: the "Yellow Pages" of web services
  • Web Services Description Language (WSDL): interface description language that describes the calling and return parameters

38
Web Service Attacks
  • Directory Traversal: a URL is coded to access unexpected files or commands, e.g. www.company.com/../../cmd. Characters may be URL-encoded to hide the contents (../ becomes %2e%2e%2f).
  • WSDL Enumeration: the discovery of web services via UDDI, or a search for WSDL files, for attack purposes.
  • Replay: transmitted packets are copied, potentially modified, and resent.
  • URL Jumping: web pages are requested out of order to avoid authentication.
  • XPath Injection: modifies XML format or contents to create unintended data (similar to SQL injection).
  • XML Overflow: a DoS attack that constructs invalid or repeated XML structures to confuse the server or exhaust its memory.
39
Definition Matching
  • Whitelist
  • Blacklist
  • Nonce
  • Jail
  • Sandbox Environment
  1. A set of resource limits imposed on programs by the operating system kernel (e.g. I/O bandwidth caps, disk quotas).
  2. A value used once, tied to a specific request or session, to prevent replay (e.g. the per-form security code or CAPTCHA on slide 25).
  3. List of acceptable input.
  4. A security mechanism for quarantining untrusted running programs.
  5. Reject suspect input.

41
Question
  • A third party inserts attack data into another
    organization's HTML response. This is
    known as
  • Cross-Site Scripting
  • Blacklist
  • Race Condition
  • Cleartext

42
Question
  • What technique would NOT be appropriate in
    avoiding OS Command Injection?
  • Separate control information from data
    information
  • Use library calls instead of external processes
  • Run code in jail or other sandbox environment
  • Use a hard-coded password to enable access

43
Question
  • Which of the following is true concerning
    web servers?
  • Servers cannot retain web session state, and thus
    the client must do it
  • The single best place to do input validation and
    authentication is at the client-side
  • Using client as storage is safe if encryption,
    nonce and hashes are used
  • The server can trust web input if it validates
    the data in the web form

44
Question
  • The BEST way to ensure input validity at the
    client is
  • Nonce
  • Whitelist
  • Blacklist
  • Integrity Checking

45
Question
  • The BEST implementation of Access Control
    would be
  • Do not provide caches for sensitive data
  • Always use minimal possible permissions in code,
    for as short of a time as possible
  • Avoid using cookies and hidden fields
  • Never provide an authorization above guest to
    web users

46
Question
  • SQL Injection is BEST protected against by
    using
  • Cleartext
  • Encryption and Integrity Checking
  • Sanitization
  • Clearly defined code such as UTF-8

47
Question
  • The main way to avoid replay between a
    client and server is
  • Integrity checking
  • Whitelist
  • Blacklist
  • Nonce

48
Question
  • An attack that could cause the MOST problems
    includes
  • Hard-coded password
  • Race condition
  • Denial of Service
  • Chatty error message

49
Question
  • The BEST way to ensure no message
    modification occurs is
  • Hashing
  • Whitelist
  • Blacklist
  • Encryption

50
Question
  • All of the following EXCEPT which answer can
    result in invalid data AND break-in?
  • Non-random random number generator
  • Buffer overflow
  • Uninitialized variables resulting in error
    messages
  • Race conditions

51
Vocabulary
  • Buffer overflow, SQL injection, OS command
    injection, cross-site scripting, cleartext, race
    condition, chatty error message
  • Sanitization, whitelist, blacklist, nonce,
    character encoding (UTF-8), jail or sandbox
    environment