19 - gbv.de

19 ö¥

Programming Flaws and How to Fix Them

MICHAEL HOWARD DAVID LEBLANC

JOHN VIEGA

McGraw-Hill /Osborne New York Chicago San Francisco

Lisbon London Madrid Mexico City-Milan New Delhi San Juan Seoul

Singapore Sydney Toronto

CONTENTS Foreword xv Acknowledgments xvii Introduction xix

1 Buffer Overruns 1

Overview of the Sin 2 Affected Languages 2 The Sin Explained 3

SinfulC/C++ 6 Related Sins 8

Spotting the Sin Pattern 9 Spotting the Sin During Code Review 9 Testing Techniques to Find the Sin 9 Example Sins 10

CVE-1999-0042 10 CVE-2000-0389-CVE-2000-0392 11 CVE-2002-0842, CVE-2003-0095, CAN-2003-0096 11 CAN-2003-0352 12

Redemption Steps 12 Replace Dangerous String Handling Functions 12 Audit Allocations 13 Check Loops and Array Accesses 13 Replace C String Buffers with C++ Strings 13 Replace Static Arrays with STL Containers 13 Use Analysis Tools 13

Extra Defensive Measures 14 Stack Protection 14 Non-executable Stack and Heap 14

Other Resources 15 Summary 16

2 Format String Problems 17


SinfulC/C++ 21 Related Sins 21

Spotting the Sin Pattern 21 Spotting the Sin During Code Review 22

V

19 Deadly Sins of Software Security

Testing Techniques to Find the Sin 22 ExampleSins 22

CVE-2000-0573 23 CVE-2000-0844 23

Redemption Steps 23 C/C++Redemption 23

Extra Defensive Measures 24 Other Resources 24 Summary 24

3 Integer Overflows 25


Sinful C and C++ 26 Sinful C# 31 Sinful Visual Basic and Visual Basic .NET 33 Sinful Java 34 Sinful Perl 34


C/C++ 36 C# 38 Java 38 Visual Basic and Visual Basic .NET 38 Perl 39

Testing Techniques to Find the Sin 39 Example Sins 39

Flaw in Windows Script Engine Could Allow Code Execution 39

Integer Overflow in the SOAPParameter Object Constructor 39

Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise 40

Redemption Steps 40 Extra Defensive Measures 42 Other Resources 42 Summary 43

4 SQLInjection 45


Sinful C# 47 Sinful PHP 48 Sinful Perl/CGI 48 Sinful Java and JDBC 49 Sinful SQL 50 Related Sins 51

Contents


CAN-2004-0348 54 CAN-2002-0554 55

Redemption Steps 55 Validate All Input 55 Never Use String Concatenation to Build SQL Statements 55 PHP 5.0 and MySQL 4.1 or Later Redemption 56 Perl/CGI Redemption 57 Java Using JDBC Redemption 58 ColdFusion Redemption 59 SQL Redemption 59


5 Command Injection 63


Related Sins 66 Spotting the Sin Pattern 66 Spotting the Sin During Code Review 66 Testing Techniques to Find the Sin 68 Example Sins 68

CAN-2001-1187 68 CAN-2002-0652 69

Redemption Steps 69 Data Validation 69 When a Check Fails 71


6 Failing to Handle Errors 73


Yielding Too Much Information 74 Ignoring Errors 74 Misinterpreting Errors 75 Using Useless Error Values 75 Handling the Wrong Exceptions 75 Handling All Exceptions 76 SinfulC/C++ 76 Sinful C /C++on Windows 77 SinfulC++ 78


Sinful C#, VB.NET, and Java 78 Related Sins 79

Spotting the Sin Pattern 79 Spotting the Sin During Code Review 79 Testing Techniques to Find the Sin 80 Example Sin 80

CAN-2004-0077 Linux Kernel do_mremap 80 Redemption Steps 80

C/C++Redemption 80 C#, VB.NET, and Java Redemption 81


7 Cross-Site Scripting 83


Sinful C / C++ IS API Application or Filter 85 Sinful ASP 85 Sinful ASP.NET Forms 86 Sinful JSP 86 Sinful PHP 86 Sinful CGI Using Perl 86 Sinful mod_perl 87


IBM Lotus Domino Cross-Site Scripting and HTML Injection Vulnerabilities 89

Oracle HTTP Server "isqlplus" Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks 90

CVE-2002-0840 90 Redemption Steps 90

ISAPIC/C++Redemption 90 ASP Redemption 91 ASP.NET Forms Redemption 91 JSP Redemption 92 PHP Redemption 94 CGI Redemption 95 mod_perl Redemption 95 A Note on HTML Encode 96


8 Failing to Protect Network Traffic 99


http://VB.NET

http://VB.NET

http://ASP.NET

http://ASP.NET

Contents


TCP/IP 107 E-mail Protocols 107 ETrade 107

Redemption Steps 108 Low-Level Recommendations 108


9 Use of Magic URLs and Hidden Form Fields 113


Magic URLs 114 Hidden Form Fields 115 Related Sins 115


CAN-2000-1001 118 MaxWebPortal Hidden Form Field Modification 118

Redemption Steps 118 Attacker Views the Data 119 Attacker Replays the Data 119 Attacker Predicts the Data 121 Attacker Changes the Data 122


10 Improper Use of SSL and TLS 125



E-mail Clients 132 Safari Web Browser 133 The Stunnel SSL Proxy 133

Redemption Steps 134 Choosing a Protocol Version 134


Choosing a Cipher Suite 135 Ensuring Certificate Validity 136 Validating the Hostname 137 Checking Certificate Revocation 138


11 Use of Weak Password-Based Systems 143

Overview of the Sin 144 Affected Languages 144 The Sin Explained 144 Related Sins 146 Spotting the Sin Pattern 146 Spotting the Sin During Code Review 146

Password Content Policy 147 Password Changes and Resets 147 Password Protocols 148 Password Handling and Storage 148


CVE-2005-1505 150 CVE-2005-0432 150 TheTENEXBug 150 The Paris Hilton Hijacking 151

Redemption Steps 151 Multifactor Authentication 152 Storing and Checking Passwords 152 Guidelines for Choosing Protocols 156 Guidelines for Password Resets 156 Guidelines for Password Choice 157 Other Guidelines 158


12 Failing to Store and Protect Data Securely 161


Weak Access Controls to "Protect" Secret Data 162 Sinful Access Controls 164 Embedding Secret Data in Code 166 Related Sins 166


CVE-2000-0100 171 CAN-2002-1590 171

Contents

CVE-1999-0886 171 CAN-2004-0311 171 CAN-2004-0391 171

Redemption Steps 172 Use the Operating System's Security Technologies 172 C/C++ Windows 2000 and Later Redemption 173 ASP.NET 1.1 and Later Redemption 175 C# .NET Framework 2.0 Redemption 175 C/C++Mac OS Xvl0.2 and Later Redemption 175 Redemption with No Operating System Help

(or Keeping Secrets Out of Harm's Way) 176 A Note on Java and the Java KeyStore 178


13 Information Leakage 183


Side Channels 185 TMI: Too Much Information! 186 A Model for Information Flow Security 188 Sinful C# (and Any Other Language) 190 Related Sins 190

Spotting the Sin Pattern 190 Spotting the Sin During Code Review 191 Testing Techniques to Find the Sin 192

The Stolen Laptop Scenario 192 Example Sins 192

Dan Bernstein's AES Timing Attack 192 CAN-2005-1411 193 CAN-2005-1133 193

Redemption Steps 194 C# (and Other Languages) Redemption 194 Network Locality Redemption 195


14 Improper File Access 197


Sinful C /C++on Windows 199 Sinful C/C++ 199 Sinful Perl 200 Sinful Python 200 Related Sins 200

http://ASP.NET



CAN-2005-0004 202 CAN-2005-0799 202 CAN-2004-0452 and CAN-2004-0448 203 CVE-2004-0115 Microsoft Virtual PC for the Macintosh 203

Redemption Steps 203 Perl Redemption 204 C/C++ Redemption on *nix 204 C/C++ Redemption on Windows 204 Getting the Location of the User's Temporary Directory 205 .NET Code Redemption 205


15 Trusting Network Name Resolution 207


Sinful Applications 210 Related Sins 211


CVE-2002-0676 213 CVE-1999-0024 213

Redemption Steps 213 Other Resources 214 Summary 215

16 Race Conditions 217


Sinful Code 220 Related Sins 220


CVE-2001-1349 222 CAN-2003-1073 223 CVE-2000-0849 223

Redemption Steps 223 Extra Defensive Measures 225

Contents


17 Unauthenticated Key Exchange 227

Overview of the Sin 228 Affected Languages 228 The Sin Explained 228 Related Sins 229 Spotting the Sin Pattern 230 Spotting the Sin During Code Review 230 Testing Techniques to Find the Sin 231 Example Sins 231

Novell Netware MITM Attack 231 CAN-2004-0155 231

Redemption Steps 232 Extra Defensive Measures 232 Other Resources 233 Summary 233

18 Cryptographically Strong Random Numbers 235


Sinful NonCryptographic Generators 237 Sinful Cryptographic Generators 237 Sinful True Random Number Generators 238 Related Sins 239


When Random Numbers Should Have Been Used 239 Finding Places that Use PRNGs 240 Determining Whether a CRNG Is Seeded Properly 241


The Netscape Browser 242 OpenSSL Problems 242

Redemption Steps 243 Windows 243 .NET Code 243 Unix 244 Java 245 Replaying Number Streams 245


19 Poor Usability 247

Overview of the Sin 248 Affected Languages 248


The Sin Explained 248 Who Are Your Users? 249 The Minefield: Presenting Security Information

to Your Users 249 Related Sins 250


SSL/TLS Certificate Authentication 251 Internet Explorer 4.0 Root Certificate Installation 252

Redemption Steps 253 When Users Are Involved, Make the UI Simple and Clear 253 Make Security Decisions for Users 253 Make Selective Relaxation of Security Policy Easy 255 Clearly Indicate Consequences 255 Make It Actionable 258 Provide Central Management 259


A Mapping the 19 Deadly Sins to the OWASP "Top Ten" 261

B Summary of Do's and Don'ts 263

Sin 1: Buffer Overruns Summary 264 Sin 2: Format String Problems Summary 264 Sin 3: Integer Overflows Summary 264 Sin 4: SQL Injection Summary 265 Sin 5: Command Injection Summary 266 Sin 6: Failing to Handle Errors Summary 266 Sin 7: Cross-Site Scripting Summary 266 Sin 8: Failing to Protect Network Traffic Summary 266 Sin 9: Use of Magic URLs and Hidden Form Fields Summary 267 Sin 10: Improper Use of SSL and TLS Summary 267 Sin 11: Use of Weak Password-Based Systems Summary 268 Sin 12: Failing to Store and Protect Data Securely Summary 269 Sin 13: Information Leakage Summary 270 Sin 14: Improper File Access Summary 270 Sin 15: Trusting Network Name Resolution Summary 270 Sin 16: Race Conditions Summary 271 Sin 17: Unauthenticated Key Exchange Summary 271 Sin 18: Cryptographically Strong Random Numbers Summary 271 Sin 19: Poor Usability Summary 271

Index 273

19 - gbv.de

Documents

Transcript of 19 - gbv.de