|
|
4/22/2005 Here is the webchat transcript of the final webchat of the series - Writing Secure Code, this one focussing on writing secure .NET code. Chat Topic: Writing Secure .NET Code
Date: Wednesday, April 20, 2005
subhashini (Moderator):
the chat begins at 5.00 pm IST
subhashini (Moderator):
Request all of you to refrain from sending any private messages as that lead sto disconnection of the expert from the chat
subhashini (Moderator):
hello everbody . A very good evening to all of you.
subhashini (Moderator):
welcome to today's chat on writing Secure .NET code
subhashini (Moderator):
we had chats on writing secure code earlier on 13'th and 14'th April . and today is the last part in series.
subhashini (Moderator):
We have with us Vipul Patel (MVP)
subhashini (Moderator):
to host today's chat
subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India's college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com <mailto:vipul_d_patel@hotmail.com> or vipul.patel@patni.com <mailto:vipul.patel@patni.com>.
subhashini (Moderator):
before we begin the chat
subhashini (Moderator):
few chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
This leads to disconnection of the expert from the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
let's welcome Vipul and hope you find this chat useful and informative
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini
Vipul Patel (Expert):
Welcome all to the final episode of writing secure code. Today we shall focus on "Writing Secure .NET code"
Vipul Patel (Expert):
I shall skim thru the best practises and tips on writing secure .NET code.... and will answers the questions on completion of the best practises.
Vipul Patel (Expert):
While the .NET Framework is a robust one, we need to exercise care while coding to make the application secure.
Vipul Patel (Expert):
The good thing about .NET Framework is that common security attacks are not bound to happen with .NET application. But vulnerabilities are still possible.
Vipul Patel (Expert):
A classical example will be sQL injection.... To avoid such an attach, you need to follow the best practises as outlines in the earlier web chats.....
Vipul Patel (Expert):
today will focus more on the .NET side of coding practises...
Vipul Patel (Expert):
Dont forget to apply secure coding techniques like:
Vipul Patel (Expert):
a. Dont store secrets in code or web.config files
Vipul Patel (Expert):
b. Dont create your own encryption; use the one provided by the framework. Use the classes in the System.Security.Cryptography namespace.
Vipul Patel (Expert):
c. Dont trust user input till you have validated its correctness.
Vipul Patel (Expert):
.NET code helps migitate a number of common security vulnerabilities such as buffer overruns. Security in .NET provides code with different level of trust based not only on the user's capabilities but also on system policy and evidence (digital signature) of code.
Vipul Patel (Expert):
But before that a question to the audience.....
Vipul Patel (Expert):
How many of you are aware of FxCop?
Vipul Patel (Expert):
please reply using the Guest Chat option.....
Vipul Patel (Expert):
thats great. we have one user who actively uses that....
Vipul Patel (Expert):
Tip: Add your own rules to FxCOp if you want to implement coding rules beyond the ones provided by the FxCop...
Vipul Patel (Expert):
For those who are not aware, Fxcop is available from http://www.gotdotnet.com. It is a code analysis tool that checks.NET assemblies for conformation to .NET Framework Design guidelines at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconnetframeworkdesignguidelines.asp
Vipul Patel (Expert):
FxCop can produce an XMLfile that lists any design guideline violoations in your assembly.
Vipul Patel (Expert):
What are the two most common errors flagged by FxCop are ?
Vipul Patel (Expert):
a. Lack of strong name on the assembly
Vipul Patel (Expert):
b. Failure of the assembly to specify permssion requests.
Vipul Patel (Expert):
How to prevent these errors. Lets take them one by one
Vipul Patel (Expert):
Use strong name for assemblies:
Lack of strong name
Vipul Patel (Expert):
sn -k keypair.snk
Vipul Patel (Expert):
Over and above strong names, you may want to Authenticode-sign an assembly to identify the publisher. Do this after strong naming your assemblies.
Vipul Patel (Expert):
You cannot use Authenticode first because the string name signature will appear as "tampering" to the Authenicode signature check.
Vipul Patel (Expert):
Additionally, You can delay-sign your assemblies to prevent information disclosure by a careless developer.
Vipul Patel (Expert):
Tip: Strong nammed assemblies can only refer to other strong named assemblies. Get your application design ready to use GAC.
Vipul Patel (Expert):
Next we come to second most popular finding of FxCop - Failure of the assembly to specify permssion requests.
Vipul Patel (Expert):
pinto: can you rephrase your question?
Vipul Patel (Expert):
For that, we need to know about CAS or Code Access Security: The theory of the same is located at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconcodeaccesssecurity.asp
Vipul Patel (Expert):
Best practises for CAS
Vipul Patel (Expert):
a. Request minimal permission set: Requesting helps ensure that your code is granted only the permissions it needs.
Vipul Patel (Expert):
eg. if your appliation requires only FileIOPermissions to read one file, and nothing more, add this line to your code:
Vipul Patel (Expert):
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\FileName.xml")]
Vipul Patel (Expert):
pinto: that depends on your FxCop settings.....
Vipul Patel (Expert):
pinto: you need to disable this rule if it is already on....
Vipul Patel (Expert):
coming back to CAS, you should use RequestMinimum to define the minimum must-have grant set. If the runtime cannot grant the minimum set to the application, it will raise a PolicyException exception and your application will not run.
Vipul Patel (Expert):
b. Refuse Unneeded Permission: Simply refuse permissions you dont need.
Vipul Patel (Expert):
e.g. If there is no FileIO operations in the application,
[assembly: FileIOPermission (SecurityAction.RequestRefuse, Unrestricted= true)]
Vipul Patel (Expert):
a simple code snippet such as above will refuse File IO access thru your secure code.....
Vipul Patel (Expert):
Tip: If you dont get the requisite permissions, there will be exceptions. Handle these possible exceptions that may arise if the requested permissions are not granted.
Vipul Patel (Expert):
c. use Assert wisely
Vipul Patel (Expert):
What we need to apply for this is that we should make sure that code permissions are granted rationally.
Vipul Patel (Expert):
Suppose A has permissions to do anything on the server And B has permission to make calls on A.
Vipul Patel (Expert):
now if A makes an Assert statement, B will get access to all resources permitted to A. This implies that Thru A, B can make any changes on the server and this may not be the desired scenario.
Vipul Patel (Expert):
Q: aren't you trying to say about the SecurityExceptions?
A: no, the exception being referred here is PolicyException.....
Vipul Patel (Expert):
d. Keep the Assertion as small as possible
Vipul Patel (Expert):
If you do need to Assert, make sure that you revertAssert as soon as you are done.
Vipul Patel (Expert):
in C# code, this will be implied by
CodeAccessPermission.RevertAccess();
Vipul Patel (Expert):
Tip: When Deny, Assert and PermitOnly are used together, Deny has the highest precedence.
Vipul Patel (Expert):
e. Limit who uses your code
Vipul Patel (Expert):
How: Consider sealing your classes. This will make them non-inhertiable.
Vipul Patel (Expert):
Also, You can use InheritanceDemand to require that derived classes have a specified identity or permission.
Vipul Patel (Expert):
[EnvironmentPermission (securityAction.InheritanceDemand, Unrestricted = true)]
public class A { } public class B : A { }
Vipul Patel (Expert):
this will imply that if the inheriting class request a actions thru an inherited class, the framework will see if the calling class has the permissions needed to do the action.....
Vipul Patel (Expert):
in the earlier example, B must have environmentPermission, if it were to inherit A.
Vipul Patel (Expert):
Other security Tips for .NET programmers
Vipul Patel (Expert):
Q: How to protect Images in a ASP.NET Project i.e Print, Print Screen, Save Page.... etc
A: i <b>believe<b> that disabling menu options on browsers is achievable thru JavaScript....... I need time to investigate this in details. Please email me at vipul_d_patel@hotmail.com stating your complete requirement.
Vipul Patel (Expert):
a. No Sensitive Data in XML or Configuration files
Vipul Patel (Expert):
Storing data of non secure nature is ok in configuration files such as web.config.
subhashini (Moderator):
Please use the radial button "submit a question " to ask any questions to the expert
Vipul Patel (Expert):
It is an oxymoron that storing data in registry is safer than storing in the web.config... We need to make a judicious call here...as registry access violates No touch deployment fundas.
Vipul Patel (Expert):
A better option will be to use SQL Server as data storage for confidential information.
Vipul Patel (Expert):
ASP.NET v1.1 supports optional data Protection API encryption of secrets stored in registry. The configurations ectiosn that take advantage of this are <processModel>, <identity>, and <sessionState>....
Vipul Patel (Expert):
aspnet_setreg.exe is a cool tool to explore for using registry to store confidential information....
Vipul Patel (Expert):
Tip: Review Assemblies that allow partial trust
Vipul Patel (Expert):
if you want your assembly to be invoked from partially trust sources, you need to tag it
[assembly: AllowPartiallyTrustedCallers]
Vipul Patel (Expert):
Further more you need the review in details all the assemblies that make calls to this assembly in partial trusted mode... thats because a partial trusted code has considerable access on the resources handled by the called assembly...
Vipul Patel (Expert):
IMP: Assemblies that allow partially trusted callers should never expose objects from assemblies that do not allow partially trusted callers.
Vipul Patel (Expert):
Never forget to review the code of the calling assembly lest it causes any security breach.
Vipul Patel (Expert):
Tip: Check Managed Wrappers to Unmananged code for correctness
Make sure that code calling into unmanaged is well written and safe.
Vipul Patel (Expert):
Issues with Serialization
Vipul Patel (Expert):
Give special attention to classes that implement the ISerializable interface if an object based on the class could contain sensitive object information.
Vipul Patel (Expert):
If these classes store password, it could pose as a considerable security concern.
Vipul Patel (Expert):
Q: Vipul: i have learned that you can save the session in SQL to identify the broken sessions to continue with where they stoped... and do you think suggest such kind of storage?
A: yes, storing session information in SQL server would be a good option... optionally if that code or the user has access to registry, you can use the DPAPI also.... SQL server is better...
Vipul Patel (Expert):
Using Isolated storage
Vipul Patel (Expert):
using Isolated STorage provided by the .NET Framework has the advantage that only the code in a given assembly can access the isolated data when any of the following conditions are met: application is running when the assembly created the store is using the assembly, or when the user who created the store is running the application.
Vipul Patel (Expert):
using System.IO.IsolatedStorage; .. IsolatedStorageFile isoFile = IsolatedStorageFile.GetStore (IsloatedStorageScope.User || IsloatedStorageScope.Assembly, null, null);
Vipul Patel (Expert):
The major advantage of using isolated storage is that it does not require FileIOPermission to operate correctly.
subhashini (Moderator):
Friends , we have the last 15 minutes left for the chat to conclude
Vipul Patel (Expert):
But Don't use isolated storage to store sensitive data, because it is not protected from highly trusted code or trusted users of the computer.
Vipul Patel (Expert):
Other tips
Vipul Patel (Expert):
Disable Tracing and Debugging Before Deploying ASP.NET Application
Vipul Patel (Expert):
Because: you can potentially give an attacker too much information
subhashini (Moderator):
So please rush in your questions to Vipul
Vipul Patel (Expert):
How to do this:
Vipul Patel (Expert):
1. Remove Debug verb from IIS. 2. Disable debugging ad tracing within ASP.NET aplication pAge directive <%@ Page Language="VB" Trace="False" Debug="False" %> 3. In web.Config file <trace enabled = 'false'/> <compilation debug ='false'/>
Vipul Patel (Expert):
Also, Do not deserialize data from untrusted sources.
Vipul Patel (Expert):
in case the application fails, do not tell the attacker too much when you fail.. Rather , write to the application log an error code which is known only to developers
Vipul Patel (Expert):
Thats all for the tips and tricks. Now to your questions.....
Vipul Patel (Expert):
Q: Vipul: can you through some light on "SecurityException"?
A: Security exception occurs when a security error is detected, like making IO calls when the user does not rights on it... POlicyexception on the other hand is generated when code requests more permissions than the policy will grant or the policy is configured to prohibit running the code.
Vipul Patel (Expert):
OK team,,, the recsources that should keep you going.....
Vipul Patel (Expert):
A book by Michaol Howard titles "Writing Secure Code". It is by Microsoft Press. Its an extremely good book. Recommend all to read when you get time....
Vipul Patel (Expert):
visit digitalblackbelt.com and view the webcasts on security they are great.
Vipul Patel (Expert):
Also on MSDN webcasts, there is a series of webcasts on Writing Secure Code, you can view them if you can get hands on the book....
Vipul Patel (Expert):
thats all from my side....
Vipul Patel (Expert):
Q: Vipul: i have a small situation.. can i ask you now?
A: sure..
Vipul Patel (Expert):
Q: thnx vipul
A: anytime man
Vipul Patel (Expert):
u can visit http://msdn.microsoft.com/asp.net/articles/security/default.aspx for more information on security \
subhashini (Moderator):
well, we are almost close to time-up!
subhashini (Moderator):
there's time for one last question
subhashini (Moderator):
To ask any additional queries , please feel free to email Vipul
subhashini (Moderator):
at vipul_d_patel@hotmail.com
Vipul Patel (Expert):
go on chakravarty.. is your question over?
subhashini (Moderator):
Hope this chat in series was informative
subhashini (Moderator):
To read chat transcripts of earlier chats , visit http://www.microsoft.com/india/communities/chat/Transcripts.aspx
subhashini (Moderator):
thanks to all of you for attending today's chat\
Vipul Patel (Expert):
chakravarty: can you email me this question? I shall reply ASAP. My email id is vipul_D_patel@hotmail.com
subhashini (Moderator):
Special thanks to Vipul for taking time out for this informative session with his geographical constraints regarding timings
Vipul Patel (Expert):
Thanks all for attending this chat
subhashini (Moderator):
Thanks a lot Vipul
Vipul Patel (Expert):
welcome subhashini
subhashini (Moderator):
request all of you to pool in your queries through email
subhashini (Moderator):
Have alovely evening
subhashini (Moderator):
Also feel free to pool in your feedback for these chats at commind@microsoft.com
Here is the webchat transcript of the second webchat of the series - "Writing Secure Code" Chat Topic: Writing Secure Code -II
Date: Thursday, April 14, 2005
subhashini (Moderator):
hello everybody
subhashini (Moderator):
:-) a very good evening to all of you
subhashini (Moderator):
and welcome all of you to join us for the second part of the series chat
subhashini (Moderator):
on writing secure code
subhashini (Moderator):
Thansk to Vipul Patel (MVP) for hosting this series chat
subhashini (Moderator):
Guys, thanks to him, he's based out of US and is currently hosting the chat during his odd hours
subhashini (Moderator):
Once again a quick rrun through the chat rules
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
thansk to all of you for attending this chat.
subhashini (Moderator):
and lets welcome vipul
Vipul Patel (Expert):
Thanks Subhashini for the opportunity. Welcome to the second part of the series on Writing secure code.
subhashini (Moderator):
to continue the series
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Hello all
Vipul Patel (Expert):
Those wo missed out yesterday: a quick recap. Yesterday the main focus was the need for writing secure code, threat modeling and we saw two security concerns: buffer overrun and ACLs.
Vipul Patel (Expert):
Today we shall focus on the other security concerns....
Vipul Patel (Expert):
We begin with poor cryptographic tehcniques
Vipul Patel (Expert):
Crypto can help secure data from specific threats, but it does not secure the application from coding errors.
Vipul Patel (Expert):
Common mistakes people make when using cryptography include
Vipul Patel (Expert):
a. using poor random numbers
Vipul Patel (Expert):
b. using password to derive cryptographic
Vipul Patel (Expert):
Lets catch them one by one
Vipul Patel (Expert):
Did you know that the Random function provided by the Operating systems generetes the same sequence of random numbers everytime.
Vipul Patel (Expert):
Same case with the Frameworks......
Vipul Patel (Expert):
Consider this code in C++
// Always print 52 4 26 66 26
void main() { srand(12366); for (int i = 0; o< 10 ; i++) { int i = rand() % 100; printf("%d " , i); } }
Vipul Patel (Expert):
The above code snippet always results in the same sets of numbers.....
Vipul Patel (Expert):
lets see one in C#
class Class1
{ /// <summary> /// The main entry point for the application. /// </summary> [STAThread] static void Main(string[] args) { // // TODO: Add code to start application here // Random rnd = new Random(1234); for(int i = 0; i <20; i++) { Console.WriteLine(rnd.Next(100)); } } }
Vipul Patel (Expert):
The above code also results in the same sequence of random numbers being generated.
Vipul Patel (Expert):
The problem with using such functions is that if your application is of a secure nature like a financial institution application, such a dependency on system provided (read predictable) numbers can be easily tracked by the hacker......
Vipul Patel (Expert):
If the random numbers are used for say saving the session key, then all the session information is at risk....
Vipul Patel (Expert):
How to avoid such a situation.....
Vipul Patel (Expert):
For win32 applications use the CryptGenRandom class.....................
Vipul Patel (Expert):
and those of you coding in C#, Use the RNGCryptoServiceProvider class available in the system.Security.Cryptography namespace
Vipul Patel (Expert):
another poor cryptographic technique is "Using Passwords to Derive Cryptographic keys"
Vipul Patel (Expert):
some applications are based on a security model that you ask the user for the password for a specfic action and then this user-provided password is used as a cryptographic key.
Vipul Patel (Expert):
The problem with such a approach is that if the password is small, then it is easy to predict thru Dictionary attack......
Vipul Patel (Expert):
Dictionary attack: try all possible words from the dictionary to see which works as an key....
Vipul Patel (Expert):
Suggesstion: Keep your passwords long and randon.
Vipul Patel (Expert):
You can make this a network policy.....
Vipul Patel (Expert):
With Win2003 Server and later, you can validate password compliance with NetValidatePasswordPolicy.
Vipul Patel (Expert):
More information available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp>
Vipul Patel (Expert):
Use Keyed Hash
Vipul Patel (Expert):
Keyed Hash: Is a hash that includes some secret data, data known only to the sender and recipients. It is typically created by hashing the plaintext concatenated to some secret key or a derivation of the secret key. It is one kind of message authentication code (MAC).
Vipul Patel (Expert):
the idea here is to not use a simple hash but to use a keyed hash........ This is secure things a bit....
subhashini (Moderator):
sorry guys, vipul
subhashini (Moderator):
might have just got logged out
subhashini (Moderator):
please hold on for coupel of mins. he would be back
subhashini (Moderator):
vipul has lost his wireless connection and has had to reboot
subhashini (Moderator):
so, he would be back any minute
subhashini (Moderator):
thanks for cooperating
subhashini (Moderator):
thanks guys
Vipul Patel (Expert):
sorry for the confusion guys...
Vipul Patel (Expert):
lets continue
Vipul Patel (Expert):
Creating a Keyed hash
HMACSHA1 hmac = new HMACSHA1(); Hmac.Key = key; byte[] hash = hmac.ComputeHash(message); Tip: Use the Operating system or .NET framework libraries. It’s much easier than implementing the logic yourself.
Vipul Patel (Expert):
Creating a Keyed hash
Tip: Use the Operating system or .NET framework libraries. It’s much easier than implementing the logic yourself.
HMACSHA1 hmac = new HMACSHA1();
Hmac.Key = key; byte[] hash = hmac.ComputeHash(message);
subhashini (Moderator):
apologies for the technical tricks played on us by the chat tool :-) we are back and lets get the chat rocking!
Vipul Patel (Expert):
So how do you protect secrets?
Vipul Patel (Expert):
We usually hash the data.....
Vipul Patel (Expert):
But better than hash, do a salted hash...
Vipul Patel (Expert):
Hash: is a cryptographic algorithm that produces a different output, called a message digest, for each unique element of data
Vipul Patel (Expert):
Better than hash, use a salted hash
Vipul Patel (Expert):
Salt is a random number that is added to the hashed data to eliminate the use of precompiled dictionary attacks, making an attempt to recover the original secret extremely expensive. The salt is stored unencrypted with the hash.
Vipul Patel (Expert):
More information is available at <http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx>
Vipul Patel (Expert):
Coming to talk of DPAPI, lets see what is available in Windows 2000 and above
Vipul Patel (Expert):
In Windows 2000 and later, we can use the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData.
Vipul Patel (Expert):
http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx
Vipul Patel (Expert):
Guys the above link shoud work...
Vipul Patel (Expert):
These functions encrypt (DPAPI) and decrypt data by using a key derived from the user’s password. In addition, decryption can be done only on the computer where the data was encrypted unless the user has a roaming profile, in which case she can decrypt the data from another computer on the network.
Vipul Patel (Expert):
A Special Case: Client Credentials in Windows XP
Vipul Patel (Expert):
Windows XP includes functionality named Stored User Names And Passwords to make handling users’ passwords and other credentials, such as private keys, easier, more consistent, and safer. If your application includes a client component that requires you to prompt for or store a user’s credentials, you should seriously consider using this feature for the following reasons:
· Support for different types of credentials, such as passwords and keys, on smart cards. · Support for securely saving credentials by using DPAPI. · No need to define your own user interface. It’s provided, although you can add a custom image to the dialog box.
Vipul Patel (Expert):
Use NTFS for enhanced security. FAT and FAT32 do not enforce strict security checks.
Vipul Patel (Expert):
Other small nuances to take care of.....
Vipul Patel (Expert):
Use NTFS for enhanced security. FAT and FAT32 do not enforce strict security checks
Vipul Patel (Expert):
Trust no input
Vipul Patel (Expert):
Always validate any user input for all possible values: minimum, maximum, boundary conditions, etc.
You can check the format of the inputed data by regular expressions
Vipul Patel (Expert):
DOS device name vulnerability Due to compatility reasons, DOS device named have been carried over to Windows. That’s why you cant create a file named PRN or COM1, COM@ or LPT. Creating such files (even for temporary purpose) thru code should be avoided.
Vipul Patel (Expert):
Don’t trust PATH variable. Use Full path names
If your application uses the PATH variable explicitly for a good number of reasons, it is better to create a custom environment variable for the purpose as PATH variable should not be dependede upon as a lot of applications may be and modify it..
Vipul Patel (Expert):
SQL Injection attacks
Vipul Patel (Expert):
consider a SQL statement
Vipul Patel (Expert):
string sql = "select * from client where name = '" + name + "'"
Vipul Patel (Expert):
imagine a user entering
Blake' or 1 = 1
Vipul Patel (Expert):
Q: vipul, is SQL injection attacks fully prevantable through Stored procedures.
A: no for SQL injection , SPs are not a solution.
People use two solutions
Vipul Patel (Expert):
Q: vipul, is SQL injection attacks fully prevantable through Stored procedures.
A: Correct solution is a. never ever connect as sysadmin (This limits database damage by SQL injection) b. Build your SQL statements securely, use Parameterized commands in your SP..............
Vipul Patel (Expert):
Q: what are your strong recommendations to deal with SQL injection attacks
A: a. never ever connect as sysadmin (This limits database damage by SQL injection) b. Build your SQL statements securely, use Parameterized commands in your SP..............
subhashini (Moderator):
guys, we have the last 13 mins left for the chat to conclude for today
subhashini (Moderator):
please ask the last few questions to get them answered
Vipul Patel (Expert):
I agree with Chakravarthy: If possible prevent the user from entering "'" when he is specifing text based information. But the problem is with names like L'Oreal... how to deal with that.. :D
Vipul Patel (Expert):
Q: vipul, is there any other security areas that you need to highlight and you may not have time to disscuss them fully here.
A: I will not be able to cover the security in .NET framework whcih I will cover tomorrow.......
Vipul Patel (Expert):
Q: i want to ask whether parameterized commands are foolproof.
A: Depends on your code. But it is deemed and projected as quite secure..
Vipul Patel (Expert):
Q: suppose, i have a web application, then..using encryption class is not going to help much, as encryption would occur at server side, after all data is transfered across the n/w with out encryption. m i right???
A: If you use SSL,, then your data will be secure when transferred from the client to the server....
Vipul Patel (Expert):
Q: Hi, tell me more about DPAPI and what all complexities are involved implementing it ?
A: already answered....
Vipul Patel (Expert):
Yes,,, dont allow where word, if possible, I must add....
Vipul Patel (Expert):
Chakravarthy: Whidbey: I shall answer that tomorrow.....
subhashini (Moderator):
So this brings us to teh end of today's chat
subhashini (Moderator):
and hope to see you all tomorrow
subhashini (Moderator):
and hold on to your questions till tomorrow
subhashini (Moderator):
alos feel free to email vipul at vipul_d_patel@hotmail.com
Vipul Patel (Expert):
The best resource on writing secure code is a book by Michael Howard titled "Writing secure code".......... Google for more information on the book....
Vipul Patel (Expert):
Chakravarthy:..... go ahead...
subhashini (Moderator):
go ahead chakravarthy
Vipul Patel (Expert):
For securing already written code, I suggest that you have a robust code review policy, revisit your design,, bascially perform a threat modelling for a already existing application..
Vipul Patel (Expert):
That is a judgement call, if you feel that the previously written code is not secure, demo the failure to your team lead, and then suggest that the following remedies will apply....
Vipul Patel (Expert):
what do you mean by wrapping mechanism?
Vipul Patel (Expert):
Best practises for writing secure code:
Vipul Patel (Expert):
a. Dont tell the attacker anything
Vipul Patel (Expert):
b. Dont leak information in banner strings and unhandled errors...
Vipul Patel (Expert):
Doubel check your error messagess and paths...
Vipul Patel (Expert):
Add security commenst to your code...
Vipul Patel (Expert):
Dont write user files to \Program Files
Vipul Patel (Expert):
Dont write user data to HKLM
Vipul Patel (Expert):
Allow long passwords...
Vipul Patel (Expert):
and have an application log.
Vipul Patel (Expert):
Thats all for today.....
subhashini (Moderator):
thanks again to all of you for attending teh chat
Vipul Patel (Expert):
if you have any further questions,,,, please email me at vipul_d_patel@hotmail.com or visit my unfrequented blog at http://spaces.msn.com/members/vipul and leave your comments there. I shall revert...
subhashini (Moderator):
see you alla gain tomorrow for the last part of this series
subhashini (Moderator):
have a lovely evening.
Vipul Patel (Expert):
With that background, lets begin our discussion on designing secure systems.
Vipul Patel (Expert):
What are the two most common security mistakes made by software companies?
Vipul Patel (Expert):
a. The application is designed, written, tested, and shipped to customers, but the developers forget to make it secure. Or they think they have, but they got the design wrong. It’s wrong because they added some security technology to their application to be “buzzword-compliant,” but the technology doesn’t mitigate any real security threats
Vipul Patel (Expert):
b. The second mistake is adding security to the application as an afterthought. Security aspect of the code should be from the design phase itself.
Vipul Patel (Expert):
Adding security features after the application is developed should be prevented for the following reasons:
Vipul Patel (Expert):
i. Adding security later is wrapping security around existing features, rather than designing features and security with both in mind
Vipul Patel (Expert):
ii. Adding any feature, including security, as an afterthought is expensive
Vipul Patel (Expert):
iii. Adding security might change the way you’ve implemented features. This too can be expensive
Vipul Patel (Expert):
iv. Adding security might change the application interface, which might break the code that has come to rely on the current interface.
Vipul Patel (Expert):
There is a need for the security principles to be imbibed in a software developement process. These principles are as under:
Vipul Patel (Expert):
a. Establish a security process
Vipul Patel (Expert):
b. Define the product security goals]
Vipul Patel (Expert):
c. Consider security as a product feature
Vipul Patel (Expert):
d. Learn from mistakes
Vipul Patel (Expert):
e. Use least privilege
Vipul Patel (Expert):
f. Use defense in depth g. Assume external systems are insecure h. Plan on failure i. Fail to a secure mode j. Employ secure defaults h. Remember that security features != secure features i. Never depend on security through obscurity
Vipul Patel (Expert):
Please let me complete the section theory for today, then I will jump to examples.... :)
Vipul Patel (Expert):
and then take up all the questions raised.
Vipul Patel (Expert):
How to incorporate security features thru design? The answer is thru Threat Modelling
Vipul Patel (Expert):
You cannot build a secure system until you understand your threats. It's as simple as that.
Vipul Patel (Expert):
A threat model is a security based analysis that helps people determine the highest level security risks posed to the product and how attacks can manifest themselves.
Vipul Patel (Expert):
The goal is to determine which threasts require migitation and how to migitate the threats.
Vipul Patel (Expert):
Benefits of threat modeling
Vipul Patel (Expert):
a. It helps to understand the threat better.
Vipul Patel (Expert):
b. Threat models helps you find bugs.
Vipul Patel (Expert):
b. Threat models helps you find bugs.
Vipul Patel (Expert):
c. You can discover serious design bugs in the process
Vipul Patel (Expert):
d. Threat models can help new team members understand the application in detail.
Vipul Patel (Expert):
Threat modeling process:
Vipul Patel (Expert):
1. Assemble the threat-modelling team
Vipul Patel (Expert):
2. Decompose the application
Vipul Patel (Expert):
3. Determine the threats to the application using STRIDE model
Vipul Patel (Expert):
4. Rank the threats by decreasing risk
Vipul Patel (Expert):
5. Choose how to respond to the threats
Vipul Patel (Expert):
6. Choose techniques to mitigate the threats
Vipul Patel (Expert):
We are now done with the theory ;) . and we shall begin examples of security vulnerabilities.
Vipul Patel (Expert):
The biggest security issue has been the Buffer overrun....
Vipul Patel (Expert):
Q: what is STRIDE model?
A: STRIDE model is a model to understand the security flaws. It includes analysis for the following type of flaws: "Spoofing identity", "Tampering with data" , "Repudiation", "Information disclosure", "Denial of service", "Elevation of privilege" More details are available at http://msmvps.com/secure/archive/2004/06/22/8728.aspx
Vipul Patel (Expert):
No Sundar: The good thing about the .NET Framework is that it is no longer a security issue with .NET using C# and VB.NET. With VC++.NET, you need to compile your project with /GS option to identify any such possible buffer overflows in your project.
Vipul Patel (Expert):
Sai: Your question has been answered in the previous post.
Vipul Patel (Expert):
Q: How can Buffer Overrun be a security issue ?
A: I am coming to that with an example
Vipul Patel (Expert):
Defintion of buffer overrun: A stack based buffer overrun occurs when a buffer declared on the stack is overwritten by copying data larger than the buffer.
Vipul Patel (Expert):
Variables declared on the stack are located next to the return address for the function's caller. The culprit here is the return address for the function gets overwritten by an address chosen by the attacker.
Vipul Patel (Expert):
e.g. code
void food (const char* input)
{ char buf[10]; // print statement to see the stack printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n"); strcpy(buf, input) printf("%s\n", buf); printf ("New Stack status :\n%p\n%p\n%p\n%p\n%p\n\n"); } void bar(void) { printf ("Uh Oh"); } int main (int argc, char* argv[]) { printf("Address of foo = %p\n", foo); printf("Address of bar = %p\n", bar); if (argc != 2) { printf("Please supply a string as argument\n"); return -1; } foo(argv[1]); return 0; }
Vipul Patel (Expert):
please read "foo" instead of foo for the first function declaration.
Vipul Patel (Expert):
sat: which kind of failure is being talked of here?
Vipul Patel (Expert):
IN the above code sample : observe the code // print statement to see the stack printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n"); This code is used to see the stack contents
Vipul Patel (Expert):
Q: What are other major security issuess to be taken care of , mainly with .NET ?
A: This concern will be addressed in the third webchat of the series scheduled on Friday this week..
Vipul Patel (Expert):
If we pass a string of less than 10 characters, it will work fine. Example of execution:
c:\Mycode>StackEx.exe Hello
Address of foo = 00401000 Address of bar = 00401045 Stack status: 00000000 00000000 7FFDF000 0012FF80 0040108A <This is the address we want to overwrite 00410EDE Hello New stack status: 6C6C6548 < You can see where Hello was copied in 0000000F 7FFDF000 0012FF80 0040108A 00410EDE
Vipul Patel (Expert):
See that the first memory location gets modified with the text. The second memory location is the instruction set for the second call.
Vipul Patel (Expert):
Now input a long string
:\Mycode>StackEx.exe AAAAAAAAAAAAAAAAAAAAAAA
Address of foo = 00401000 Address of bar = 00401045 Stack status: 00000000 00000000 7FFDF000 0012FF80 0040108A 00410EDE AAAAAAAAAAAAAAAAAAAAAAA New stack status: 41414141 41414141 41414141 41414141 41414141 41414141
Vipul Patel (Expert):
If you use a longer string the whole stack buffer gets rewritten with the data from the string input.....
Vipul Patel (Expert):
And we also get an application error claiming the instruction at 0x41414141 tried to access memory at address 0x41414141.
Vipul Patel (Expert):
Q: But Vipul....is'nt this limitation limited to Unmanaged code in the .Net.....i mean over-writing the return address of a function in the stack....
A: Yes, thats the limitattion limited to unmanaged code in the .NET. That is not an issue with .NET application. I agree
Vipul Patel (Expert):
Q: what kind of security issues normally hit the web applications
A: For web applications, you need to make sure to consider the following during threat modelling: a. Unvalidated paramaters b. Broken access control c. Borken authentication and session management d. Cross site scripting flaws e. Buffer overflows f. Command injection flaws g. Error handling problems h. Insecure storage i. Denial of service (!!! The top most threat) You also need to see that there is no undue priviledge evevation
Vipul Patel (Expert):
If a smart hacker were to know of this vulnerability, he will write a script to execute the above executable with a specifc string which will expose this flaw.
Vipul Patel (Expert):
More information about this is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?
A: Yes, Buffer overrun can be migitated by the following steps a. Always validate your input for the type and length. b. Make sure your string handling operations are safe
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?
A: in the above code if we had the following check it could have been prevented
if (strlen (input) < sizeof(buf))
{ // everything in place strcpy(buf, input) } else { // do the processing for failure... }
Vipul Patel (Expert):
Q: How does MS address the Denial of Service.....i mean does the web-server has any means of preventing it...and does IIS have any feature of this kind....?
A: Hello Rakesh, we will take up Denial of Service tomorrow... Today we shall be limiting ourselves to Buffer overrun and ACLs..
Vipul Patel (Expert):
Sundar: you are right about storing int like data structure on the stack and the reference types on heap..
Vipul Patel (Expert):
But heap buffer overrun is also posisble, but it is dificult to exploit.
Vipul Patel (Expert):
Q: You never answerd what's the impact of buffer overrun in .Net world, in C run time world I think those who familier with that have better understanding :)
A: Fortunately, buffer overrun is not an issue with .NET. The .NET framework handles the issue with buffer overruns.... it is only an issue with legacy applications and unmanaged code written in VC++.NET
Vipul Patel (Expert):
Q: in C# i guess only the basic data types like int variables are stored in stack . basically the reference objects are stored in heaps so the risk is very low. in this case how ill a function get executed?
A: This is not applicable to .NET applications in C#
Vipul Patel (Expert):
Q: other than String Handling errors and Array indexing errors what are all the possible causes for Heap overruns
A: Unicode and ANSI Buffer size mismatches are another source for the heap overruns
Vipul Patel (Expert):
Q: can u please throw some light on Array Indexing errors and its impact on Heap over runs?
A: I shall discuss this later
Vipul Patel (Expert):
Q: Why did microsoft not consider the /GS behavior default ?
A: it is only applicabel for unmanaged code in VC++.NET
Vipul Patel (Expert):
Q: is there any way in .Net to avoid Heap Over runs? because there are ways to have non executable stacks in operating systems and there are also tools like StackGuard to avoid stack based overruns. is there something like that for heap over runs
A: safe string handling for one.. I need to investigate this more.....
Vipul Patel (Expert):
Q: Oh sorry I got a look at the article you reffered recently, so strsafe.h is the solution right
A: yes
Vipul Patel (Expert):
Q: Recently C librarys has improved functions, like the one I mentioned earlier nstrcpy(), is that type of implementations are missing in VC++
A: it was missing in VC++ 6.0
Vipul Patel (Expert):
Q: Give a simple security method for a windows application which is connecting to www or some Dedicated line often
A: Have a firewall installed
Vipul Patel (Expert):
Q: What are the different ACLs that can be employed and how to chose the best of it?
A: ACL strategy 1. Determine the resource you need 2. Determine the business defined acccess requirement 3. Determine the appropriate access control technology 4. Convert the access requirements to access control technology
Vipul Patel (Expert):
Q: is one required to have diffrent security model for "Intranet" or "Internet" application
A: no, if you have Single Signon for INtranet, yes other wise, because the scenarios are different for both
subhashini (Moderator):
We have almost come to the end of this chat today. Space for one more question!
subhashini (Moderator):
I willw ait for Vipul to complete answering the questions to announce the closure of this chat.
Vipul Patel (Expert):
Most of us are admin on our machines. Imagine what will happen when you download a malicious script and the script gets running in admin mode... your machine is bound to be infected.
subhashini (Moderator):
So that brings us to the end of today's chat
subhashini (Moderator):
Hold on to your questions till tomorrow
subhashini (Moderator):
because this chat is a series chat
Vipul Patel (Expert):
Q: but is'nt this discrimination between intranet and internet handled by .Net CLR implicitly.....
A: We are not talking from .NET CLR perspective, but rather from a developer point of view using any developement language.
subhashini (Moderator):
that willc ontinue till friday
subhashini (Moderator):
So friends , meet you again tomorrow
subhashini (Moderator):
and be ready with your questions ..let's shoot it out to Vipul
subhashini (Moderator):
:-)
subhashini (Moderator):
So lets catch up with teh seciond series of this chat tomorrow at 5pm
subhashini (Moderator):
Till then , have a lovely evening
Vipul Patel (Expert):
Q: And what are security issues with desktop or client server applications ?
A: improper file permission, undue Access control to name a few
Vipul Patel (Expert):
Q: what are security issues with desktop or client server applications ?
A: improper file permission, undue Access control to name a few
subhashini (Moderator):
And lets thank Vipul for his great spirit to take this chat in succession
subhashini (Moderator):
:-) Thanks Vipul
subhashini (Moderator):
And all of you have a lovely evening ..
Vipul Patel (Expert):
One of the best articles on running with least privildge is http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx\
Vipul Patel (Expert):
THats all for today. See you all tomorrow when we discuss about Cryptographic Foibles, Storing Secrets, Canonical Representation Issues and Network-Based Application Considerations
Vipul Patel (Expert):
good day to all.... and a good morning to me... its 5:45 am in los angeles and time to go to work.....
Here is the transcript of the first webchat in the "Writing Secure Code" webchat series. If you have any questions, please drop it as a comment here or mail me at vipul_d_patel@hotmail.com Chat Topic: Writing Secure Code - I
Date: Wednesday, April 13, 2005
subhashini (Moderator):
The chat is about to begin
subhashini (Moderator):
sharp at 5pm IST
subhashini (Moderator):
hello everbody . A very good evening to all of you. :-)
subhashini (Moderator):
Welcome to today's webchat on writing secure code
subhashini (Moderator):
This is a chat in series
subhashini (Moderator):
and today is the part one of the series
subhashini (Moderator):
we have with us our MVP Vipul Patel
subhashini (Moderator):
with us today for the chat.
subhashini (Moderator):
To give a quick intro about him
subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India's college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com <mailto:vipul_d_patel@hotmail.com> or vipul.patel@patni.com <mailto:vipul.patel@patni.com>.
subhashini (Moderator):
As always , few chat rules
subhashini (Moderator):
before we beging the chat
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts.
subhashini (Moderator):
We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
lets get the chat rolling
subhashini (Moderator):
let us welcome Vipul
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini and welcome to all to the first of the series of webchats on "Writing secure code"
Vipul Patel (Expert):
Our topic Writing secure code is gaining popularity day by day and we are here to discuss about the same.
Vipul Patel (Expert):
I shall start with small introduction.
Vipul Patel (Expert):
If you have any questions , please feel free to send them to me thru "expert chat" radio button
Vipul Patel (Expert):
As the Internet grows in importance, applications are becoming highly interconnected.
Vipul Patel (Expert):
Earlier computers were not as highly interconnected as they are today, and hence most people wouldn't care much about security.
Vipul Patel (Expert):
But times have changed. Virtually all computers—servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as embedded systems—are interconnected.
Vipul Patel (Expert):
that means that if one of the interconnected system is affected, it can affect the whole network
Vipul Patel (Expert):
No wonder why the World Wide Web is often referred to as the Wild Wild Web. ;)
Vipul Patel (Expert):
It is not only important to write robust code, the need of the day is to produce reliable & secure systems.
Vipul Patel (Expert):
Your system, if connected to Internet, is a potential victim for an attack.
Vipul Patel (Expert):
So Why is security important for you and me?
Vipul Patel (Expert):
1. The Media (and Your Competition) Leap on Security Issues: This is a business impact. If your application makes a security breach headlines, you are bound to lose a chunk of your business, not mentioning the bad publicity that you get. The media will hound you for days and your competition will mention it for years to come....
Vipul Patel (Expert):
2. People Shy Away from Products That Don’t Work As Advertised: If your application keeps crashing every now and then, then people will start avoiding your product.
Vipul Patel (Expert):
3. Security Vulnerabilities Are Expensive to Fix: If security flaws are detected after the product is released to market, then the cost of fixing that Vulnerability as well as deployment costs for the fix are enormous.
4/13/2005 Use Passwords to Derive Cryptographic keys Few applications use the user typed password to generate the cryptographic keys to access the application. The fallback with this approach is that if a robust password is not provided by the user, the hacker can try different combinations of the password to derice the cryptographic keys. The passwords should be long and random. With Win2003 Server and later, you can validate password compliance with NetValidatePasswordPolicy. More information available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp One of the nuances of using security mechanisms provided by the framework is the over trust of the framework. E.g. The mechanism to generate random number using the Random function in any progrmaming language yields the same set of random numbers on repeated execution of the same code. e.g. of C++ code // Always print 52 4 26 66 26 void main() { srand(12366); for (int i = 0; o< 10 ; i++) { int i = rand() % 100; printf("%d " , i); } } e.g. of the C# code class Class1 { /// <summary> /// The main entry point for the application. /// </summary> [STAThread] static void Main(string[] args) { // // TODO: Add code to start application here // Random rnd = new Random(1234); for(int i = 0; i <20; i++) { Console.WriteLine(rnd.Next(100)); } } } Codes such as above produce regular numbers. Such a regular pattern of random number generation can be exploited by a hacker. How to using Random number generation safely in Win32 Using the CryptGenRandom class How to using Random number generation safely in C# Use the RNGCryptoServiceProvider class available in the system.Security.Cryptography namespace. The webchat transcipt is continued here Vipul Patel (Expert):
Defintion of buffer overrun: A stack based buffer overrun occurs when a buffer declared on the stack is overwritten by copying data larger than the buffer.
Vipul Patel (Expert):
Variables declared on the stack are located next to the return address for the function's caller. The culprit here is the return address for the function gets overwritten by an address chosen by the attacker.
Vipul Patel (Expert):
e.g. code
void food (const char* input)
{ char buf[10]; // print statement to see the stack printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n"); strcpy(buf, input) printf("%s\n", buf); printf ("New Stack status :\n%p\n%p\n%p\n%p\n%p\n\n"); } void bar(void) { printf ("Uh Oh"); } int main (int argc, char* argv[]) { printf("Address of foo = %p\n", foo); printf("Address of bar = %p\n", bar); if (argc != 2) { printf("Please supply a string as argument\n"); return -1; } foo(argv[1]); return 0; }
Vipul Patel (Expert):
please read "foo" instead of foo for the first function declaration.
Vipul Patel (Expert):
sat: which kind of failure is being talked of here?
Vipul Patel (Expert):
IN the above code sample : observe the code // print statement to see the stack printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n"); This code is used to see the stack contents
Vipul Patel (Expert):
Q: What are other major security issuess to be taken care of , mainly with .NET ?
A: This concern will be addressed in the third webchat of the series scheduled on Friday this week..
Vipul Patel (Expert):
If we pass a string of less than 10 characters, it will work fine. Example of execution:
c:\Mycode>StackEx.exe Hello
Address of foo = 00401000 Address of bar = 00401045 Stack status: 00000000 00000000 7FFDF000 0012FF80 0040108A <This is the address we want to overwrite 00410EDE Hello New stack status: 6C6C6548 < You can see where Hello was copied in 0000000F 7FFDF000 0012FF80 0040108A 00410EDE
Vipul Patel (Expert):
See that the first memory location gets modified with the text. The second memory location is the instruction set for the second call.
Vipul Patel (Expert):
Now input a long string
:\Mycode>StackEx.exe AAAAAAAAAAAAAAAAAAAAAAA
Address of foo = 00401000 Address of bar = 00401045 Stack status: 00000000 00000000 7FFDF000 0012FF80 0040108A 00410EDE AAAAAAAAAAAAAAAAAAAAAAA New stack status: 41414141 41414141 41414141 41414141 41414141 41414141
Vipul Patel (Expert):
If you use a longer string the whole stack buffer gets rewritten with the data from the string input.....
Vipul Patel (Expert):
And we also get an application error claiming the instruction at 0x41414141 tried to access memory at address 0x41414141.
Vipul Patel (Expert):
Q: But Vipul....is'nt this limitation limited to Unmanaged code in the .Net.....i mean over-writing the return address of a function in the stack....
A: Yes, thats the limitattion limited to unmanaged code in the .NET. That is not an issue with .NET application. I agree
Vipul Patel (Expert):
Q: what kind of security issues normally hit the web applications
A: For web applications, you need to make sure to consider the following during threat modelling: a. Unvalidated paramaters b. Broken access control c. Borken authentication and session management d. Cross site scripting flaws e. Buffer overflows f. Command injection flaws g. Error handling problems h. Insecure storage i. Denial of service (!!! The top most threat) You also need to see that there is no undue priviledge evevation
Vipul Patel (Expert):
If a smart hacker were to know of this vulnerability, he will write a script to execute the above executable with a specifc string which will expose this flaw.
Vipul Patel (Expert):
More information about this is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?
A: Yes, Buffer overrun can be migitated by the following steps a. Always validate your input for the type and length. b. Make sure your string handling operations are safe
Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?
A: in the above code if we had the following check it could have been prevented
if (strlen (input) < sizeof(buf))
{ // everything in place strcpy(buf, input) } else { // do the processing for failure... }
Vipul Patel (Expert):
Q: How does MS address the Denial of Service.....i mean does the web-server has any means of preventing it...and does IIS have any feature of this kind....?
A: Hello Rakesh, we will take up Denial of Service tomorrow... Today we shall be limiting ourselves to Buffer overrun and ACLs..
Vipul Patel (Expert):
Sundar: you are right about storing int like data structure on the stack and the reference types on heap..
Vipul Patel (Expert):
But heap buffer overrun is also posisble, but it is dificult to exploit.
Vipul Patel (Expert):
Q: You never answerd what's the impact of buffer overrun in .Net world, in C run time world I think those who familier with that have better understanding :)
A: Fortunately, buffer overrun is not an issue with .NET. The .NET framework handles the issue with buffer overruns.... it is only an issue with legacy applications and unmanaged code written in VC++.NET
Vipul Patel (Expert):
Q: in C# i guess only the basic data types like int variables are stored in stack . basically the reference objects are stored in heaps so the risk is very low. in this case how ill a function get executed?
A: This is not applicable to .NET applications in C#
Vipul Patel (Expert):
Q: other than String Handling errors and Array indexing errors what are all the possible causes for Heap overruns
A: Unicode and ANSI Buffer size mismatches are another source for the heap overruns
Vipul Patel (Expert):
Q: can u please throw some light on Array Indexing errors and its impact on Heap over runs?
A: I shall discuss this later
Vipul Patel (Expert):
Q: Why did microsoft not consider the /GS behavior default ?
A: it is only applicabel for unmanaged code in VC++.NET
Vipul Patel (Expert):
Q: is there any way in .Net to avoid Heap Over runs? because there are ways to have non executable stacks in operating systems and there are also tools like StackGuard to avoid stack based overruns. is there something like that for heap over runs
A: safe string handling for one.. I need to investigate this more.....
Vipul Patel (Expert):
Q: Oh sorry I got a look at the article you reffered recently, so strsafe.h is the solution right
A: yes
Vipul Patel (Expert):
Q: Recently C librarys has improved functions, like the one I mentioned earlier nstrcpy(), is that type of implementations are missing in VC++
A: it was missing in VC++ 6.0
Vipul Patel (Expert):
Q: Give a simple security method for a windows application which is connecting to www or some Dedicated line often
A: Have a firewall installed
Vipul Patel (Expert):
Q: What are the different ACLs that can be employed and how to chose the best of it?
A: ACL strategy 1. Determine the resource you need 2. Determine the business defined acccess requirement 3. Determine the appropriate access control technology 4. Convert the access requirements to access control technology
Vipul Patel (Expert):
Q: is one required to have diffrent security model for "Intranet" or "Internet" application
A: no, if you have Single Signon for INtranet, yes other wise, because the scenarios are different for both
subhashini (Moderator):
We have almost come to the end of this chat today. Space for one more question!
subhashini (Moderator):
I willw ait for Vipul to complete answering the questions to announce the closure of this chat.
Vipul Patel (Expert):
Most of us are admin on our machines. Imagine what will happen when you download a malicious script and the script gets running in admin mode... your machine is bound to be infected.
subhashini (Moderator):
So that brings us to the end of today's chat
subhashini (Moderator):
Hold on to your questions till tomorrow
subhashini (Moderator):
because this chat is a series chat
Vipul Patel (Expert):
Q: but is'nt this discrimination between intranet and internet handled by .Net CLR implicitly.....
A: We are not talking from .NET CLR perspective, but rather from a developer point of view using any developement language.
subhashini (Moderator):
that willc ontinue till friday
subhashini (Moderator):
So friends , meet you again tomorrow
subhashini (Moderator):
and be ready with your questions ..let's shoot it out to Vipul
subhashini (Moderator):
:-)
subhashini (Moderator):
So lets catch up with teh seciond series of this chat tomorrow at 5pm
subhashini (Moderator):
Till then , have a lovely evening
Vipul Patel (Expert):
Q: And what are security issues with desktop or client server applications ?
A: improper file permission, undue Access control to name a few
Vipul Patel (Expert):
Q: what are security issues with desktop or client server applications ?
A: improper file permission, undue Access control to name a few
subhashini (Moderator):
And lets thank Vipul for his great spirit to take this chat in succession
subhashini (Moderator):
:-) Thanks Vipul
subhashini (Moderator):
And all of you have a lovely evening ..
Vipul Patel (Expert):
One of the best articles on running with least privildge is http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx\
Vipul Patel (Expert):
THats all for today. See you all tomorrow when we discuss about Cryptographic Foibles, Storing Secrets, Canonical Representation Issues and Network-Based Application Considerations
If you have additional questions, please post them here. Below is the copy of the transcript of the web chat - Writing Secure Code Part 1, conducted on 13th April 2005 at 5 pm. Chat Topic: Writing Secure Code - I
Date: Wednesday, April 13, 2005
subhashini (Moderator):
The chat is about to begin
subhashini (Moderator):
sharp at 5pm IST
subhashini (Moderator):
hello everbody . A very good evening to all of you. :-)
subhashini (Moderator):
Welcome to today's webchat on writing secure code
subhashini (Moderator):
This is a chat in series
subhashini (Moderator):
and today is the part one of the series
subhashini (Moderator):
we have with us our MVP Vipul Patel
subhashini (Moderator):
with us today for the chat.
subhashini (Moderator):
To give a quick intro about him
subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India's college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.
subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com <mailto:vipul_d_patel@hotmail.com> or vipul.patel@patni.com <mailto:vipul.patel@patni.com>.
subhashini (Moderator):
As always , few chat rules
subhashini (Moderator):
before we beging the chat
subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat
subhashini (Moderator):
Chat Procedures:
This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts.
subhashini (Moderator):
We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.
subhashini (Moderator):
lets get the chat rolling
subhashini (Moderator):
let us welcome Vipul
subhashini (Moderator):
Hi Vipul
Vipul Patel (Expert):
Thanks Subhashini and welcome to all to the first of the series of webchats on "Writing secure code"
Vipul Patel (Expert):
Our topic Writing secure code is gaining popularity day by day and we are here to discuss about the same.
Vipul Patel (Expert):
I shall start with small introduction.
Vipul Patel (Expert):
If you have any questions , please feel free to send them to me thru "expert chat" radio button
Vipul Patel (Expert):
As the Internet grows in importance, applications are becoming highly interconnected.
Vipul Patel (Expert):
Earlier computers were not as highly interconnected as they are today, and hence most people wouldn't care much about security.
Vipul Patel (Expert):
But times have changed. Virtually all computers—servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as embedded systems—are interconnected.
Vipul Patel (Expert):
that means that if one of the interconnected system is affected, it can affect the whole network
Vipul Patel (Expert):
No wonder why the World Wide Web is often referred to as the Wild Wild Web. ;)
Vipul Patel (Expert):
It is not only important to write robust code, the need of the day is to produce reliable & secure systems.
Vipul Patel (Expert):
Your system, if connected to Internet, is a potential victim for an attack.
Vipul Patel (Expert):
So Why is security important for you and me?
Vipul Patel (Expert):
1. The Media (and Your Competition) Leap on Security Issues: This is a business impact. If your application makes a security breach headlines, you are bound to lose a chunk of your business, not mentioning the bad publicity that you get. The media will hound you for days and your competition will mention it for years to come....
Vipul Patel (Expert):
2. People Shy Away from Products That Don’t Work As Advertised: If your application keeps crashing every now and then, then people will start avoiding your product.
Vipul Patel (Expert):
3. Security Vulnerabilities Are Expensive to Fix: If security flaws are detected after the product is released to market, then the cost of fixing that Vulnerability as well as deployment costs for the fix are enormous.
Vipul Patel (Expert):
With that background, lets begin our discussion on designing secure systems.
Vipul Patel (Expert):
What are the two most common security mistakes made by software companies?
Vipul Patel (Expert):
a. The application is designed, written, tested, and shipped to customers, but the developers forget to make it secure. Or they think they have, but they got the design wrong. It’s wrong because they added some security technology to their application to be “buzzword-compliant,” but the technology doesn’t mitigate any real security threats
Vipul Patel (Expert):
b. The second mistake is adding security to the application as an afterthought. Security aspect of the code should be from the design phase itself.
Vipul Patel (Expert):
Adding security features after the application is developed should be prevented for the following reasons:
Vipul Patel (Expert):
i. Adding security later is wrapping security around existing features, rather than designing features and security with both in mind
Vipul Patel (Expert):
ii. Adding any feature, including security, as an afterthought is expensive
Vipul Patel (Expert):
iii. Adding security might change the way you’ve implemented features. This too can be expensive
Vipul Patel (Expert):
iv. Adding security might change the application interface, which might break the code that has come to rely on the current interface.
Vipul Patel (Expert):
There is a need for the security principles to be imbibed in a software developement process. These principles are as under:
Vipul Patel (Expert):
a. Establish a security process
Vipul Patel (Expert):
b. Define the product security goals]
Vipul Patel (Expert):
c. Consider security as a product feature
Vipul Patel (Expert):
d. Learn from mistakes
Vipul Patel (Expert):
e. Use least privilege
Vipul Patel (Expert):
f. Use defense in depth g. Assume external systems are insecure h. Plan on failure i. Fail to a secure mode j. Employ secure defaults h. Remember that security features != secure features i. Never depend on security through obscurity
Vipul Patel (Expert):
Please let me complete the section theory for today, then I will jump to examples.... :)
Vipul Patel (Expert):
and then take up all the questions raised.
Vipul Patel (Expert):
How to incorporate security features thru design? The answer is thru Threat Modelling
Vipul Patel (Expert):
You cannot build a secure system until you understand your threats. It's as simple as that.
Vipul Patel (Expert):
A threat model is a security based analysis that helps people determine the highest level security risks posed to the product and how attacks can manifest themselves.
Vipul Patel (Expert):
The goal is to determine which threasts require migitation and how to migitate the threats.
Vipul Patel (Expert):
Benefits of threat modeling
Vipul Patel (Expert):
a. It helps to understand the threat better.
Vipul Patel (Expert):
b. Threat models helps you find bugs.
Vipul Patel (Expert):
b. Threat models helps you find bugs.
Vipul Patel (Expert):
c. You can discover serious design bugs in the process
Vipul Patel (Expert):
d. Threat models can help new team members understand the application in detail.
Vipul Patel (Expert):
Threat modeling process:
Vipul Patel (Expert):
1. Assemble the threat-modelling team
Vipul Patel (Expert):
2. Decompose the application
Vipul Patel (Expert):
3. Determine the threats to the application using STRIDE model
Vipul Patel (Expert):
4. Rank the threats by decreasing risk
Vipul Patel (Expert):
5. Choose how to respond to the threats
Vipul Patel (Expert):
6. Choose techniques to mitigate the threats
Vipul Patel (Expert):
We are now done with the theory ;) . and we shall begin examples of security vulnerabilities.
Vipul Patel (Expert):
The biggest security issue has been the Buffer overrun....
Vipul Patel (Expert):
Q: what is STRIDE model?
A: STRIDE model is a model to understand the security flaws. It includes analysis for the following type of flaws: "Spoofing identity", "Tampering with data" , "Repudiation", "Information disclosure", "Denial of service", "Elevation of privilege" More details are available at http://msmvps.com/secure/archive/2004/06/22/8728.aspx
Vipul Patel (Expert):
No Sundar: The good thing about the .NET Framework is that it is no longer a security issue with .NET using C# and VB.NET. With VC++.NET, you need to compile your project with /GS option to identify any such possible buffer overflows in your project.
Vipul Patel (Expert):
Sai: Your question has been answered in the previous post.
Vipul Patel (Expert):
Q: How can Buffer Overrun be a security issue ?
A: I am coming to that with an example
Contd in another post
|
Tools 
