Programming Flaws and How to Fix Them

Transcription

1 19 ö Programming Flaws and How to Fix Them MICHAEL HOWARD DAVID LEBLANC JOHN VIEGA McGraw-Hill /Osborne New York Chicago San Francisco Lisbon London Madrid Mexico City- Milan New Delhi San Juan Seoul Singapore Sydney Toronto

2 CONTENTS Foreword Acknowledgments Introduction xv xvii xix 1 Buffer Overruns 1 Overview of the Sin 2 Affected Languages 2 The Sin Explained 3 SinfulC/C++ 6 Related Sins 8 Spotting the Sin Pattern 9 Spotting the Sin During Code Review 9 Testing Techniques to Find the Sin 9 Example Sins 10 CVE CVE CVE CVE , CVE , CAN CAN Redemption Steps 12 Replace Dangerous String Handling Functions 12 Audit Allocations 13 Check Loops and Array Accesses 13 Replace C String Buffers with C++ Strings 13 Replace Static Arrays with STL Containers 13 Use Analysis Tools 13 Extra Defensive Measures 14 Stack Protection 14 Non-executable Stack and Heap 14 Other Resources 15 Summary 16 2 Format String Problems 17 Overview of the Sin 18 Affected Languages 18 The Sin Explained 18 SinfulC/C++ 21 Related Sins 21 Spotting the Sin Pattern 21 Spotting the Sin During Code Review 22 V

3 19 Deadly Sins of Software Security Testing Techniques to Find the Sin 22 ExampleSins 22 CVE CVE Redemption Steps 23 C/C++Redemption 23 Extra Defensive Measures 24 Other Resources 24 Summary 24 3 Integer Overflows 25 Overview of the Sin 26 Affected Languages 26 The Sin Explained 26 Sinful C and C++ 26 Sinful C# 31 Sinful Visual Basic and Visual Basic.NET 33 Sinful Java 34 Sinful Perl 34 Spotting the Sin Pattern 35 Spotting the Sin During Code Review 36 C/C++ 36 C# 38 Java 38 Visual Basic and Visual Basic.NET 38 Perl 39 Testing Techniques to Find the Sin 39 Example Sins 39 Flaw in Windows Script Engine Could Allow Code Execution 39 Integer Overflow in the SOAPParameter Object Constructor 39 Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise 40 Redemption Steps 40 Extra Defensive Measures 42 Other Resources 42 Summary 43 4 SQLInjection 45 Overview of the Sin 46 Affected Languages 46 The Sin Explained 46 Sinful C# 47 Sinful PHP 48 Sinful Perl/CGI 48 Sinful Java and JDBC 49 Sinful SQL 50 Related Sins 51

4 Contents Spotting the Sin Pattern 52 Spotting the Sin During Code Review 52 Testing Techniques to Find the Sin 53 Example Sins 54 CAN CAN Redemption Steps 55 Validate All Input 55 Never Use String Concatenation to Build SQL Statements 55 PHP 5.0 and MySQL 4.1 or Later Redemption 56 Perl/CGI Redemption 57 Java Using JDBC Redemption 58 ColdFusion Redemption 59 SQL Redemption 59 Extra Defensive Measures 59 Other Resources 59 Summary 60 5 Command Injection 63 Overview of the Sin 64 Affected Languages 64 The Sin Explained 64 Related Sins 66 Spotting the Sin Pattern 66 Spotting the Sin During Code Review 66 Testing Techniques to Find the Sin 68 Example Sins 68 CAN CAN Redemption Steps 69 Data Validation 69 When a Check Fails 71 Extra Defensive Measures 72 Other Resources 72 Summary 72 6 Failing to Handle Errors 73 Overview of the Sin 74 Affected Languages 74 The Sin Explained 74 Yielding Too Much Information 74 Ignoring Errors 74 Misinterpreting Errors 75 Using Useless Error Values 75 Handling the Wrong Exceptions 75 Handling All Exceptions 76 SinfulC/C++ 76 Sinful C/C++on Windows 77 SinfulC++ 78

5 19 Deadly Sins of Software Security Sinful C#, VB.NET, and Java 78 Related Sins 79 Spotting the Sin Pattern 79 Spotting the Sin During Code Review 79 Testing Techniques to Find the Sin 80 Example Sin 80 CAN Linux Kernel do_mremap 80 Redemption Steps 80 C/C++Redemption 80 C#, VB.NET, and Java Redemption 81 Other Resources 82 Summary 82 7 Cross-Site Scripting 83 Overview of the Sin 84 Affected Languages 84 The Sin Explained 84 Sinful C/ C++ IS API Application or Filter 85 Sinful ASP 85 Sinful ASP.NET Forms 86 Sinful JSP 86 Sinful PHP 86 Sinful CGI Using Perl 86 Sinful mod_perl 87 Spotting the Sin Pattern 87 Spotting the Sin During Code Review 87 Testing Techniques to Find the Sin 88 Example Sins 89 IBM Lotus Domino Cross-Site Scripting and HTML Injection Vulnerabilities 89 Oracle HTTP Server "isqlplus" Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks 90 CVE Redemption Steps 90 ISAPIC/C++Redemption 90 ASP Redemption 91 ASP.NET Forms Redemption 91 JSP Redemption 92 PHP Redemption 94 CGI Redemption 95 mod_perl Redemption 95 A Note on HTML Encode 96 Extra Defensive Measures 96 Other Resources 97 Summary 98 8 Failing to Protect Network Traffic 99 Overview of the Sin 100 Affected Languages 100 The Sin Explained 100

6 Contents Related Sins 102 Spotting the Sin Pattern 103 Spotting the Sin During Code Review 103 Testing Techniques to Find the Sin 106 Example Sins 106 TCP/IP 107 Protocols 107 ETrade 107 Redemption Steps 108 Low-Level Recommendations 108 Extra Defensive Measures 111 Other Resources 111 Summary Use of Magic URLs and Hidden Form Fields 113 Overview of the Sin 114 Affected Languages 114 The Sin Explained 114 Magic URLs 114 Hidden Form Fields 115 Related Sins 115 Spotting the Sin Pattern 115 Spotting the Sin During Code Review 116 Testing Techniques to Find the Sin 117 Example Sins 118 CAN MaxWebPortal Hidden Form Field Modification 118 Redemption Steps 118 Attacker Views the Data 119 Attacker Replays the Data 119 Attacker Predicts the Data 121 Attacker Changes the Data 122 Extra Defensive Measures 123 Other Resources 123 Summary Improper Use of SSL and TLS 125 Overview of the Sin 126 Affected Languages 126 The Sin Explained 126 Related Sins 129 Spotting the Sin Pattern 130 Spotting the Sin During Code Review 130 Testing Techniques to Find the Sin 132 Example Sins 132 Clients 132 Safari Web Browser 133 The Stunnel SSL Proxy 133 Redemption Steps 134 Choosing a Protocol Version 134

7 19 Deadly Sins of Software Security Choosing a Cipher Suite 135 Ensuring Certificate Validity 136 Validating the Hostname 137 Checking Certificate Revocation 138 Extra Defensive Measures 140 Other Resources 140 Summary Use of Weak Password-Based Systems 143 Overview of the Sin 144 Affected Languages 144 The Sin Explained 144 Related Sins 146 Spotting the Sin Pattern 146 Spotting the Sin During Code Review 146 Password Content Policy 147 Password Changes and Resets 147 Password Protocols 148 Password Handling and Storage 148 Testing Techniques to Find the Sin 149 Example Sins 149 CVE CVE TheTENEXBug 150 The Paris Hilton Hijacking 151 Redemption Steps 151 Multifactor Authentication 152 Storing and Checking Passwords 152 Guidelines for Choosing Protocols 156 Guidelines for Password Resets 156 Guidelines for Password Choice 157 Other Guidelines 158 Extra Defensive Measures 158 Other Resources 159 Summary Failing to Store and Protect Data Securely 161 Overview of the Sin 162 Affected Languages 162 The Sin Explained 162 Weak Access Controls to "Protect" Secret Data 162 Sinful Access Controls 164 Embedding Secret Data in Code 166 Related Sins 166 Spotting the Sin Pattern 166 Spotting the Sin During Code Review 167 Testing Techniques to Find the Sin 168 Example Sins 170 CVE CAN

8 Contents CVE CAN CAN Redemption Steps 172 Use the Operating System's Security Technologies 172 C/C++ Windows 2000 and Later Redemption 173 ASP.NET 1.1 and Later Redemption 175 C#.NET Framework 2.0 Redemption 175 C/C++Mac OS Xvl0.2 and Later Redemption 175 Redemption with No Operating System Help (or Keeping Secrets Out of Harm's Way) 176 A Note on Java and the Java KeyStore 178 Extra Defensive Measures 180 Other Resources 180 Summary Information Leakage 183 Overview of the Sin 184 Affected Languages 184 The Sin Explained 184 Side Channels 185 TMI: Too Much Information! 186 A Model for Information Flow Security 188 Sinful C# (and Any Other Language) 190 Related Sins 190 Spotting the Sin Pattern 190 Spotting the Sin During Code Review 191 Testing Techniques to Find the Sin 192 The Stolen Laptop Scenario 192 Example Sins 192 Dan Bernstein's AES Timing Attack 192 CAN CAN Redemption Steps 194 C# (and Other Languages) Redemption 194 Network Locality Redemption 195 Extra Defensive Measures 195 Other Resources 195 Summary Improper File Access 197 Overview of the Sin 198 Affected Languages 198 The Sin Explained 198 Sinful C/C++on Windows 199 Sinful C/C Sinful Perl 200 Sinful Python 200 Related Sins 200

9 19 Deadly Sins of Software Security Spotting the Sin Pattern 201 Spotting the Sin During Code Review 201 Testing Techniques to Find the Sin 202 Example Sins 202 CAN CAN CAN and CAN CVE Microsoft Virtual PC for the Macintosh 203 Redemption Steps 203 Perl Redemption 204 C/C++ Redemption on *nix 204 C/C++ Redemption on Windows 204 Getting the Location of the User's Temporary Directory 205.NET Code Redemption 205 Extra Defensive Measures 205 Other Resources 206 Summary Trusting Network Name Resolution 207 Overview of the Sin 208 Affected Languages 208 The Sin Explained 208 Sinful Applications 210 Related Sins 211 Spotting the Sin Pattern 211 Spotting the Sin During Code Review 212 Testing Techniques to Find the Sin 212 Example Sins 212 CVE CVE Redemption Steps 213 Other Resources 214 Summary Race Conditions 217 Overview of the Sin 218 Affected Languages 218 The Sin Explained 218 Sinful Code 220 Related Sins 220 Spotting the Sin Pattern 221 Spotting the Sin During Code Review 221 Testing Techniques to Find the Sin 222 Example Sins 222 CVE CAN CVE Redemption Steps 223 Extra Defensive Measures 225

10 Contents Other Resources 225 Summary Unauthenticated Key Exchange 227 Overview of the Sin 228 Affected Languages 228 The Sin Explained 228 Related Sins 229 Spotting the Sin Pattern 230 Spotting the Sin During Code Review 230 Testing Techniques to Find the Sin 231 Example Sins 231 Novell Netware MITM Attack 231 CAN Redemption Steps 232 Extra Defensive Measures 232 Other Resources 233 Summary Cryptographically Strong Random Numbers 235 Overview of the Sin 236 Affected Languages 236 The Sin Explained 236 Sinful NonCryptographic Generators 237 Sinful Cryptographic Generators 237 Sinful True Random Number Generators 238 Related Sins 239 Spotting the Sin Pattern 239 Spotting the Sin During Code Review 239 When Random Numbers Should Have Been Used 239 Finding Places that Use PRNGs 240 Determining Whether a CRNG Is Seeded Properly 241 Testing Techniques to Find the Sin 241 Example Sins 242 The Netscape Browser 242 OpenSSL Problems 242 Redemption Steps 243 Windows 243.NET Code 243 Unix 244 Java 245 Replaying Number Streams 245 Extra Defensive Measures 246 Other Resources 246 Summary Poor Usability 247 Overview of the Sin 248 Affected Languages 248

11 19 Deadly Sins of Software Security The Sin Explained 248 Who Are Your Users? 249 The Minefield: Presenting Security Information to Your Users 249 Related Sins 250 Spotting the Sin Pattern 250 Spotting the Sin During Code Review 250 Testing Techniques to Find the Sin 251 Example Sins 251 SSL/TLS Certificate Authentication 251 Internet Explorer 4.0 Root Certificate Installation 252 Redemption Steps 253 When Users Are Involved, Make the UI Simple and Clear 253 Make Security Decisions for Users 253 Make Selective Relaxation of Security Policy Easy 255 Clearly Indicate Consequences 255 Make It Actionable 258 Provide Central Management 259 Other Resources 259 Summary 259 A Mapping the 19 Deadly Sins to the OWASP "Top Ten" 261 B Summary of Do's and Don'ts 263 Sin 1: Buffer Overruns Summary 264 Sin 2: Format String Problems Summary 264 Sin 3: Integer Overflows Summary 264 Sin 4: SQL Injection Summary 265 Sin 5: Command Injection Summary 266 Sin 6: Failing to Handle Errors Summary 266 Sin 7: Cross-Site Scripting Summary 266 Sin 8: Failing to Protect Network Traffic Summary 266 Sin 9: Use of Magic URLs and Hidden Form Fields Summary 267 Sin 10: Improper Use of SSL and TLS Summary 267 Sin 11: Use of Weak Password-Based Systems Summary 268 Sin 12: Failing to Store and Protect Data Securely Summary 269 Sin 13: Information Leakage Summary 270 Sin 14: Improper File Access Summary 270 Sin 15: Trusting Network Name Resolution Summary 270 Sin 16: Race Conditions Summary 271 Sin 17: Unauthenticated Key Exchange Summary 271 Sin 18: Cryptographically Strong Random Numbers Summary 271 Sin 19: Poor Usability Summary 271 Index 273