19 Deadly Sins of Software Security
Programming Flaws and How to Fix Them
Michael Howard, David LeBlanc, John Viega
McGraw-Hill/Osborne
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto
Contents

Foreword xv
Acknowledgments xvii
Introduction xix

1 Buffer Overruns 1
  Overview of the Sin 2
  Affected Languages 2
  The Sin Explained 3
    Sinful C/C++ 6
  Related Sins 8
  Spotting the Sin Pattern 9
  Spotting the Sin During Code Review 9
  Testing Techniques to Find the Sin 9
  Example Sins 10
    CVE-1999-0042 10
    CVE-2000-0389 to CVE-2000-0392 11
    CVE-2002-0842, CVE-2003-0095, CAN-2003-0096 11
    CAN-2003-0352 12
  Redemption Steps 12
    Replace Dangerous String Handling Functions 12
    Audit Allocations 13
    Check Loops and Array Accesses 13
    Replace C String Buffers with C++ Strings 13
    Replace Static Arrays with STL Containers 13
    Use Analysis Tools 13
  Extra Defensive Measures 14
    Stack Protection 14
    Non-executable Stack and Heap 14
  Other Resources 15
  Summary 16

2 Format String Problems 17
  Overview of the Sin 18
  Affected Languages 18
  The Sin Explained 18
    Sinful C/C++ 21
  Related Sins 21
  Spotting the Sin Pattern 21
  Spotting the Sin During Code Review 22
  Testing Techniques to Find the Sin 22
  Example Sins 22
    CVE-2000-0573 23
    CVE-2000-0844 23
  Redemption Steps 23
    C/C++ Redemption 23
  Extra Defensive Measures 24
  Other Resources 24
  Summary 24

3 Integer Overflows 25
  Overview of the Sin 26
  Affected Languages 26
  The Sin Explained 26
    Sinful C and C++ 26
    Sinful C# 31
    Sinful Visual Basic and Visual Basic .NET 33
    Sinful Java 34
    Sinful Perl 34
  Spotting the Sin Pattern 35
  Spotting the Sin During Code Review 36
    C/C++ 36
    C# 38
    Java 38
    Visual Basic and Visual Basic .NET 38
    Perl 39
  Testing Techniques to Find the Sin 39
  Example Sins 39
    Flaw in Windows Script Engine Could Allow Code Execution 39
    Integer Overflow in the SOAPParameter Object Constructor 39
    Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise 40
  Redemption Steps 40
  Extra Defensive Measures 42
  Other Resources 42
  Summary 43

4 SQL Injection 45
  Overview of the Sin 46
  Affected Languages 46
  The Sin Explained 46
    Sinful C# 47
    Sinful PHP 48
    Sinful Perl/CGI 48
    Sinful Java and JDBC 49
    Sinful SQL 50
  Related Sins 51
  Spotting the Sin Pattern 52
  Spotting the Sin During Code Review 52
  Testing Techniques to Find the Sin 53
  Example Sins 54
    CAN-2004-0348 54
    CAN-2002-0554 55
  Redemption Steps 55
    Validate All Input 55
    Never Use String Concatenation to Build SQL Statements 55
    PHP 5.0 and MySQL 4.1 or Later Redemption 56
    Perl/CGI Redemption 57
    Java Using JDBC Redemption 58
    ColdFusion Redemption 59
    SQL Redemption 59
  Extra Defensive Measures 59
  Other Resources 59
  Summary 60

5 Command Injection 63
  Overview of the Sin 64
  Affected Languages 64
  The Sin Explained 64
  Related Sins 66
  Spotting the Sin Pattern 66
  Spotting the Sin During Code Review 66
  Testing Techniques to Find the Sin 68
  Example Sins 68
    CAN-2001-1187 68
    CAN-2002-0652 69
  Redemption Steps 69
    Data Validation 69
    When a Check Fails 71
  Extra Defensive Measures 72
  Other Resources 72
  Summary 72

6 Failing to Handle Errors 73
  Overview of the Sin 74
  Affected Languages 74
  The Sin Explained 74
    Yielding Too Much Information 74
    Ignoring Errors 74
    Misinterpreting Errors 75
    Using Useless Error Values 75
    Handling the Wrong Exceptions 75
    Handling All Exceptions 76
    Sinful C/C++ 76
    Sinful C/C++ on Windows 77
    Sinful C++ 78
    Sinful C#, VB.NET, and Java 78
  Related Sins 79
  Spotting the Sin Pattern 79
  Spotting the Sin During Code Review 79
  Testing Techniques to Find the Sin 80
  Example Sin 80
    CAN-2004-0077 Linux Kernel do_mremap 80
  Redemption Steps 80
    C/C++ Redemption 80
    C#, VB.NET, and Java Redemption 81
  Other Resources 82
  Summary 82

7 Cross-Site Scripting 83
  Overview of the Sin 84
  Affected Languages 84
  The Sin Explained 84
    Sinful C/C++ ISAPI Application or Filter 85
    Sinful ASP 85
    Sinful ASP.NET Forms 86
    Sinful JSP 86
    Sinful PHP 86
    Sinful CGI Using Perl 86
    Sinful mod_perl 87
  Spotting the Sin Pattern 87
  Spotting the Sin During Code Review 87
  Testing Techniques to Find the Sin 88
  Example Sins 89
    IBM Lotus Domino Cross-Site Scripting and HTML Injection Vulnerabilities 89
    Oracle HTTP Server "isqlplus" Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks 90
    CVE-2002-0840 90
  Redemption Steps 90
    ISAPI C/C++ Redemption 90
    ASP Redemption 91
    ASP.NET Forms Redemption 91
    JSP Redemption 92
    PHP Redemption 94
    CGI Redemption 95
    mod_perl Redemption 95
    A Note on HTML Encode 96
  Extra Defensive Measures 96
  Other Resources 97
  Summary 98

8 Failing to Protect Network Traffic 99
  Overview of the Sin 100
  Affected Languages 100
  The Sin Explained 100
  Related Sins 102
  Spotting the Sin Pattern 103
  Spotting the Sin During Code Review 103
  Testing Techniques to Find the Sin 106
  Example Sins 106
    TCP/IP 107
    E-mail Protocols 107
    ETrade 107
  Redemption Steps 108
    Low-Level Recommendations 108
  Extra Defensive Measures 111
  Other Resources 111
  Summary 111

9 Use of Magic URLs and Hidden Form Fields 113
  Overview of the Sin 114
  Affected Languages 114
  The Sin Explained 114
    Magic URLs 114
    Hidden Form Fields 115
  Related Sins 115
  Spotting the Sin Pattern 115
  Spotting the Sin During Code Review 116
  Testing Techniques to Find the Sin 117
  Example Sins 118
    CAN-2000-1001 118
    MaxWebPortal Hidden Form Field Modification 118
  Redemption Steps 118
    Attacker Views the Data 119
    Attacker Replays the Data 119
    Attacker Predicts the Data 121
    Attacker Changes the Data 122
  Extra Defensive Measures 123
  Other Resources 123
  Summary 123

10 Improper Use of SSL and TLS 125
  Overview of the Sin 126
  Affected Languages 126
  The Sin Explained 126
  Related Sins 129
  Spotting the Sin Pattern 130
  Spotting the Sin During Code Review 130
  Testing Techniques to Find the Sin 132
  Example Sins 132
    E-mail Clients 132
    Safari Web Browser 133
    The Stunnel SSL Proxy 133
  Redemption Steps 134
    Choosing a Protocol Version 134
    Choosing a Cipher Suite 135
    Ensuring Certificate Validity 136
    Validating the Hostname 137
    Checking Certificate Revocation 138
  Extra Defensive Measures 140
  Other Resources 140
  Summary 140

11 Use of Weak Password-Based Systems 143
  Overview of the Sin 144
  Affected Languages 144
  The Sin Explained 144
  Related Sins 146
  Spotting the Sin Pattern 146
  Spotting the Sin During Code Review 146
    Password Content Policy 147
    Password Changes and Resets 147
    Password Protocols 148
    Password Handling and Storage 148
  Testing Techniques to Find the Sin 149
  Example Sins 149
    CVE-2005-1505 150
    CVE-2005-0432 150
    The TENEX Bug 150
    The Paris Hilton Hijacking 151
  Redemption Steps 151
    Multifactor Authentication 152
    Storing and Checking Passwords 152
    Guidelines for Choosing Protocols 156
    Guidelines for Password Resets 156
    Guidelines for Password Choice 157
    Other Guidelines 158
  Extra Defensive Measures 158
  Other Resources 159
  Summary 159

12 Failing to Store and Protect Data Securely 161
  Overview of the Sin 162
  Affected Languages 162
  The Sin Explained 162
    Weak Access Controls to "Protect" Secret Data 162
    Sinful Access Controls 164
    Embedding Secret Data in Code 166
  Related Sins 166
  Spotting the Sin Pattern 166
  Spotting the Sin During Code Review 167
  Testing Techniques to Find the Sin 168
  Example Sins 170
    CVE-2000-0100 171
    CAN-2002-1590 171
    CVE-1999-0886 171
    CAN-2004-0311 171
    CAN-2004-0391 171
  Redemption Steps 172
    Use the Operating System's Security Technologies 172
    C/C++ Windows 2000 and Later Redemption 173
    ASP.NET 1.1 and Later Redemption 175
    C# .NET Framework 2.0 Redemption 175
    C/C++ Mac OS X v10.2 and Later Redemption 175
    Redemption with No Operating System Help (or Keeping Secrets Out of Harm's Way) 176
    A Note on Java and the Java KeyStore 178
  Extra Defensive Measures 180
  Other Resources 180
  Summary 181

13 Information Leakage 183
  Overview of the Sin 184
  Affected Languages 184
  The Sin Explained 184
    Side Channels 185
    TMI: Too Much Information! 186
    A Model for Information Flow Security 188
    Sinful C# (and Any Other Language) 190
  Related Sins 190
  Spotting the Sin Pattern 190
  Spotting the Sin During Code Review 191
  Testing Techniques to Find the Sin 192
    The Stolen Laptop Scenario 192
  Example Sins 192
    Dan Bernstein's AES Timing Attack 192
    CAN-2005-1411 193
    CAN-2005-1133 193
  Redemption Steps 194
    C# (and Other Languages) Redemption 194
    Network Locality Redemption 195
  Extra Defensive Measures 195
  Other Resources 195
  Summary 196

14 Improper File Access 197
  Overview of the Sin 198
  Affected Languages 198
  The Sin Explained 198
    Sinful C/C++ on Windows 199
    Sinful C/C++ 199
    Sinful Perl 200
    Sinful Python 200
  Related Sins 200
  Spotting the Sin Pattern 201
  Spotting the Sin During Code Review 201
  Testing Techniques to Find the Sin 202
  Example Sins 202
    CAN-2005-0004 202
    CAN-2005-0799 202
    CAN-2004-0452 and CAN-2004-0448 203
    CVE-2004-0115 Microsoft Virtual PC for the Macintosh 203
  Redemption Steps 203
    Perl Redemption 204
    C/C++ Redemption on *nix 204
    C/C++ Redemption on Windows 204
    Getting the Location of the User's Temporary Directory 205
    .NET Code Redemption 205
  Extra Defensive Measures 205
  Other Resources 206
  Summary 206

15 Trusting Network Name Resolution 207
  Overview of the Sin 208
  Affected Languages 208
  The Sin Explained 208
    Sinful Applications 210
  Related Sins 211
  Spotting the Sin Pattern 211
  Spotting the Sin During Code Review 212
  Testing Techniques to Find the Sin 212
  Example Sins 212
    CVE-2002-0676 213
    CVE-1999-0024 213
  Redemption Steps 213
  Other Resources 214
  Summary 215

16 Race Conditions 217
  Overview of the Sin 218
  Affected Languages 218
  The Sin Explained 218
    Sinful Code 220
  Related Sins 220
  Spotting the Sin Pattern 221
  Spotting the Sin During Code Review 221
  Testing Techniques to Find the Sin 222
  Example Sins 222
    CVE-2001-1349 222
    CAN-2003-1073 223
    CVE-2000-0849 223
  Redemption Steps 223
  Extra Defensive Measures 225
  Other Resources 225
  Summary 226

17 Unauthenticated Key Exchange 227
  Overview of the Sin 228
  Affected Languages 228
  The Sin Explained 228
  Related Sins 229
  Spotting the Sin Pattern 230
  Spotting the Sin During Code Review 230
  Testing Techniques to Find the Sin 231
  Example Sins 231
    Novell Netware MITM Attack 231
    CAN-2004-0155 231
  Redemption Steps 232
  Extra Defensive Measures 232
  Other Resources 233
  Summary 233

18 Cryptographically Strong Random Numbers 235
  Overview of the Sin 236
  Affected Languages 236
  The Sin Explained 236
    Sinful Non-Cryptographic Generators 237
    Sinful Cryptographic Generators 237
    Sinful True Random Number Generators 238
  Related Sins 239
  Spotting the Sin Pattern 239
  Spotting the Sin During Code Review 239
    When Random Numbers Should Have Been Used 239
    Finding Places that Use PRNGs 240
    Determining Whether a CRNG Is Seeded Properly 241
  Testing Techniques to Find the Sin 241
  Example Sins 242
    The Netscape Browser 242
    OpenSSL Problems 242
  Redemption Steps 243
    Windows 243
    .NET Code 243
    Unix 244
    Java 245
    Replaying Number Streams 245
  Extra Defensive Measures 246
  Other Resources 246
  Summary 246

19 Poor Usability 247
  Overview of the Sin 248
  Affected Languages 248
  The Sin Explained 248
    Who Are Your Users? 249
    The Minefield: Presenting Security Information to Your Users 249
  Related Sins 250
  Spotting the Sin Pattern 250
  Spotting the Sin During Code Review 250
  Testing Techniques to Find the Sin 251
  Example Sins 251
    SSL/TLS Certificate Authentication 251
    Internet Explorer 4.0 Root Certificate Installation 252
  Redemption Steps 253
    When Users Are Involved, Make the UI Simple and Clear 253
    Make Security Decisions for Users 253
    Make Selective Relaxation of Security Policy Easy 255
    Clearly Indicate Consequences 255
    Make It Actionable 258
    Provide Central Management 259
  Other Resources 259
  Summary 259

A Mapping the 19 Deadly Sins to the OWASP "Top Ten" 261

B Summary of Do's and Don'ts 263
  Sin 1: Buffer Overruns Summary 264
  Sin 2: Format String Problems Summary 264
  Sin 3: Integer Overflows Summary 264
  Sin 4: SQL Injection Summary 265
  Sin 5: Command Injection Summary 266
  Sin 6: Failing to Handle Errors Summary 266
  Sin 7: Cross-Site Scripting Summary 266
  Sin 8: Failing to Protect Network Traffic Summary 266
  Sin 9: Use of Magic URLs and Hidden Form Fields Summary 267
  Sin 10: Improper Use of SSL and TLS Summary 267
  Sin 11: Use of Weak Password-Based Systems Summary 268
  Sin 12: Failing to Store and Protect Data Securely Summary 269
  Sin 13: Information Leakage Summary 270
  Sin 14: Improper File Access Summary 270
  Sin 15: Trusting Network Name Resolution Summary 270
  Sin 16: Race Conditions Summary 271
  Sin 17: Unauthenticated Key Exchange Summary 271
  Sin 18: Cryptographically Strong Random Numbers Summary 271
  Sin 19: Poor Usability Summary 271

Index 273