
Secure Programming

Lai Zit Seng

November 2012

A Simple Program

#include <stdio.h>

int main() {
    char name[100];
    printf("What is your name?\n");
    gets(name);          // no bound: input longer than 100 bytes overflows name[]
    printf("Hello, ");
    printf(name);        // user input used as the format string
    printf("!\n");
    return 0;
}

Buffer Overflow Example

#include <string.h>

void foo(char *bar) {
    char c[12];
    strcpy(c, bar);      // no bounds checking...
}

int main(int argc, char **argv) {
    foo(argv[1]);
}

Source: Wikipedia

C Functions That Should Be Banned

This is bad      Use this instead

gets()           fgets()

sprintf()        snprintf()

strcpy()         strncpy()

strcat()         strncat(), strlcat()

printf()         needs caution

Race Conditions

E.g.: How to create a temporary file in /tmp?
– Use a static filename
– Dynamically generate a filename
– Check, then create the file

$ ls -l /tmp
total 8
lrwxr-xr-x  1 lzs  wheel  11 Nov 12 11:20 tmpXNg2i9 -> /etc/passwd

Suppose the attacker knows the program wants to create this file, /tmp/tmpXNg2i9. What can the attacker try to do?

Random Number Generation

How do you generate random numbers?

How do you seed the generator?

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    srand(0);                              /* fixed seed */
    printf("Num #1: %d\n", rand());
    printf("Num #2: %d\n", rand());
    printf("Num #3: %d\n", rand());
}

Num #1: 520932930
Num #2: 28925691
Num #3: 822784415

This sequence is fixed. If the seed is known, the random sequence can be entirely pre-determined.

Encryption vs Encoding

How do you store secrets?
– E.g. if your app needs to store passwords or credentials

If you encrypt secrets with a password, then where do you store that password?

Use Standard Libraries and Protocols

Make use of whatever is already available:
– Glib
– D-Bus IPC
– SSL/OpenSSL for secure communications

Don’t reinvent the wheel

Security by Obscurity

Although in some circumstances it can be adopted as part of a defense-in-depth strategy

Security through minority

Don’t count on the unlikely

Principles

Least privilege

Economy of mechanism/Simplicity

Open design

Complete mediation

Fail-safe defaults

Least common mechanisms

Separation of privilege

Psychological acceptability/Easy to use

Source: The Protection of Information in Computer Systems (http://www.cs.virginia.edu/~evans/cs551/saltzer/)

Secure by Design

Security needs to be designed from the start

Borrowing from Perl’s Taint Mode

You may not use data derived from outside your program to affect something else outside your program – at least, not by accident.

$arg = shift;                           # $arg is tainted
$hid = $arg, 'bar';                     # $hid is also tainted
$line = <>;                             # Tainted
$line = <STDIN>;                        # Also tainted
open FOO, "/home/me/bar" or die $!;
$line = <FOO>;                          # Still tainted
$path = $ENV{'PATH'};                   # Tainted, but see below
$data = 'abc';                          # Not tainted
system "echo $arg";                     # Insecure

http://perldoc.perl.org/perlsec.html

1. Validate all input

2. Avoid buffer overflow

3. Program internals/Design approach

4. Carefully call out to other resources

5. Send info back judiciously

6. Language-specific issues

7. Special topics

Source: http://www.dwheeler.com/secure-programs/secure-programming.pdf

A Program

Multi Facets of Information Security

Access control

Telecommunications & network security

Software development security

Cryptography

Information security governance & risk management

Security architecture & design

Business continuity & disaster recovery

Operations security

Physical security

Legal, regulations, investigations & compliance

What’s more dangerous than knowing nothing is knowing something…

Questions?

Lai Zit Seng

http://www.facebook.com/zitseng