Once upon a time a tortoise and a hare had an argument about who was
faster.

They decided to settle the argument with a race. They agreed on a route
and started off the race.

The hare shot ahead and ran briskly for some time.
Then seeing that he was far ahead of the tortoise, he thought he'd sit under
a tree for some time and relax before continuing the race. He sat under
the tree and soon fell asleep.

The tortoise plodding on overtook him and soon finished the race, emerging as the undisputed champ.

The hare woke up
and realized that he'd lost the race.

The moral- "Slow and steady wins the race. This is the version of the
story that we've all grown up with."

there are few more interesting
things.....it continues as follows......

The hare was disappointed at losing the race and he did some
soul-searching.

He realized that he'd lost the race only because he had been overconfident,
careless and lax.

If he had not taken things for granted, there's no way the tortoise could have beaten him. So he challenged the tortoise to another race.

The tortoise agreed. This time, the hare went all out and ran without
stopping from start to finish. He won by several miles.

The moral - " Fast and consistent will always beat the slow and steady.
It's good to be slow and steady; but it's better to be fast and reliable."

The tortoise did some thinking this time, and realized that there's no
way it can beat the hare in a race the way it was currently formatted.

It thought for a while, and then challenged the hare to another race, but
on a slightly different route. The hare agreed. They started off. In keeping
with his self-made commitment to be consistently fast, the hare took off and
ran at top speed until he came to a broad river. The finishing line was a
couple of kilometres on the other side of the river.

The hare sat there
wondering what to do.

In the meantime the tortoise trundled along, got into the river, swam to the opposite bank, continued walking and finished the race.

The moral - "First identify your core competency and then change the
playing field to suit your core competency."

The hare and the tortoise, by this time, had become pretty good friends
and they did some thinking together.

Both realized that the last race could
have been run much better. So they decided to do the last race again, but to
run as a team this time.

They started off, and this time the hare carried the tortoise till the riverbank. There, the tortoise took over and swam
across with the hare on his back. On the opposite bank, the hare again carried
the tortoise and they reached the finishing line together. They both felt a
greater sense of satisfaction than they'd felt earlier.

The moral - "It's good to be individually brilliant and to have strong
core competencies; but unless you're able to work in a team and harness each
other's core competencies, you'll always perform below par because
there will always be situations at which you'll do poorly and someone else
does well.

Teamwork is mainly about situational leadership, letting the person
with the relevant core competency for a situation take leadership.

Note that neither the hare nor the tortoise gave up after failures. The
hare decided to work harder and put in more effort after his failure. The
tortoise changed his strategy because he was already working as hard as
he could."

In life, when faced with failure,

sometimes it is appropriate to work
harder and put in more effort.

Sometimes it is appropriate to change strategy and try something different.

And sometimes it is appropriate to do both.

The hare and the tortoise also learnt another vital lesson. When we stop competing against a rival and instead start competing against the
situation, we perform far better.

To sum up- the story of the hare and tortoise has much to say:
Chief among them are that fast and consistent will always beat slow and
steady;work to your competencies; pooling resources and working as a team will always beat individual performers; never give up when faced with
failure; & finally, compete against the situation - not against a rival.

Quote

Extend the power of MSN Search Toolbar with Windows Desktop Search

Henceforth, alll blog entries have been moved to http://msmvps.com/vipul

Hoep to catch all of you there.

Here is the webchat transcript of the final webchat of the series - Writing Secure Code, this one focussing on writing secure .NET code.

Chat Topic: Writing Secure .NET Code
Date: Wednesday, April 20, 2005

subhashini (Moderator):
the chat begins at 5.00 pm IST


subhashini (Moderator):
Request all of you to refrain from sending any private messages as that lead sto disconnection of the expert from the chat


subhashini (Moderator):
hello everbody . A very good evening to all of you.


subhashini (Moderator):
welcome to today's chat on writing Secure .NET code


subhashini (Moderator):
we had chats on writing secure code earlier on 13'th and 14'th April .

and today is the last part in series.


subhashini (Moderator):
We have with us Vipul Patel (MVP)


subhashini (Moderator):
to host today's chat


subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India's college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.

subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com <mailto:vipul_d_patel@hotmail.com> or vipul.patel@patni.com <mailto:vipul.patel@patni.com>.

subhashini (Moderator):
before we begin the chat


subhashini (Moderator):
 few chat rules


subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat

subhashini (Moderator):
This leads to disconnection of the expert from the chat


subhashini (Moderator):
Chat Procedures:

This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.

subhashini (Moderator):
let's welcome Vipul and hope you find this chat useful and informative


subhashini (Moderator):
Hi Vipul


Vipul Patel (Expert):
Thanks Subhashini


Vipul Patel (Expert):
Welcome all to the final episode of writing secure code. Today we shall focus on "Writing Secure .NET code"


Vipul Patel (Expert):
I shall skim thru the best practises and tips on writing secure .NET code.... and will answers the questions on completion of the best practises.


Vipul Patel (Expert):
While the .NET Framework is a robust one, we need to exercise care while coding to make the application secure.


Vipul Patel (Expert):
The good thing about .NET Framework is that common security attacks are not bound to happen with .NET application. But vulnerabilities are still possible.


Vipul Patel (Expert):
A classical example will be sQL injection.... To avoid such an attach, you need to follow the best practises as outlines in the earlier web chats.....


Vipul Patel (Expert):
today will focus more on the .NET side of coding practises...


Vipul Patel (Expert):
Dont forget to apply secure coding techniques like:


Vipul Patel (Expert):
a. Dont store secrets in code or web.config files


Vipul Patel (Expert):
b. Dont create your own encryption; use the one provided by the framework. Use the classes in the System.Security.Cryptography namespace.


Vipul Patel (Expert):
c. Dont trust user input till you have validated its correctness.


Vipul Patel (Expert):
.NET code helps migitate a number of common security vulnerabilities such as buffer overruns. Security in .NET provides code with different level of trust based not only on the user's capabilities but also on system policy and evidence (digital signature) of code.


Vipul Patel (Expert):
But before that a question to the audience.....


Vipul Patel (Expert):
How many of you are aware of FxCop?


Vipul Patel (Expert):
please reply using the Guest Chat option.....


Vipul Patel (Expert):
thats great. we have one user who actively uses that....


Vipul Patel (Expert):
Tip: Add your own rules to FxCOp if you want to implement coding rules beyond the ones provided by the FxCop...


Vipul Patel (Expert):
For those who are not aware, Fxcop is available from http://www.gotdotnet.com. It is a code analysis tool that checks.NET assemblies for conformation to .NET Framework Design guidelines at http://msdn.microsoft.com/library/en-us/cpgenref/html/cpconnetframeworkdesignguidelines.asp


Vipul Patel (Expert):
FxCop can produce an XMLfile that lists any design guideline violoations in your assembly.


Vipul Patel (Expert):
What are the two most common errors flagged by FxCop are ?


Vipul Patel (Expert):
a. Lack of strong name on the assembly


Vipul Patel (Expert):
b. Failure of the assembly to specify permssion requests.


Vipul Patel (Expert):
How to prevent these errors. Lets take them one by one


Vipul Patel (Expert):
 Use strong name for assemblies:
Lack of strong name

Vipul Patel (Expert):
sn -k keypair.snk


Vipul Patel (Expert):
Over and above strong names, you may want to Authenticode-sign  an assembly to identify the publisher. Do this after strong naming your assemblies.


Vipul Patel (Expert):
You cannot use Authenticode first because the string name signature will appear as "tampering" to the Authenicode signature check.


Vipul Patel (Expert):
Additionally, You can delay-sign your assemblies to prevent information disclosure by a careless  developer.


Vipul Patel (Expert):
Tip: Strong nammed assemblies can only refer to other strong named assemblies. Get your application design ready to use GAC.


Vipul Patel (Expert):
Next we come to second most popular finding of FxCop - Failure of the assembly to specify permssion requests.


Vipul Patel (Expert):
pinto: can you rephrase your question?


Vipul Patel (Expert):
For that, we need to know about CAS or Code Access Security: The theory of the same is located at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconcodeaccesssecurity.asp


Vipul Patel (Expert):
Best practises for CAS


Vipul Patel (Expert):
a. Request minimal permission set: Requesting helps ensure that your code is granted only the permissions it needs.


Vipul Patel (Expert):
eg. if your appliation requires only FileIOPermissions to read one file, and nothing more, add this line to your code:

Vipul Patel (Expert):

[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"c:\FileName.xml")]

Vipul Patel (Expert):
pinto: that depends on your FxCop settings.....


Vipul Patel (Expert):
pinto: you need to disable this rule if it is already on....


Vipul Patel (Expert):
coming back to CAS, you should use RequestMinimum to define the minimum must-have grant set. If the runtime cannot grant the minimum set to the application, it will raise a PolicyException exception and your application will not run.


Vipul Patel (Expert):
b. Refuse Unneeded Permission:  Simply refuse permissions you dont need.


Vipul Patel (Expert):
e.g. If there is no FileIO operations in the application,

[assembly: FileIOPermission (SecurityAction.RequestRefuse, Unrestricted= true)]

Vipul Patel (Expert):
a simple code snippet such as above will refuse File IO access thru your secure code.....


Vipul Patel (Expert):
Tip: If you dont get the requisite permissions, there will be exceptions. Handle these possible exceptions that may arise if the requested permissions are not granted.


Vipul Patel (Expert):

c. use Assert wisely


Vipul Patel (Expert):
What we need to apply for this is that we should make sure that code permissions are granted rationally.


Vipul Patel (Expert):
Suppose A has permissions to do anything on the server

And B has permission to make calls on A.


Vipul Patel (Expert):
now if A makes an Assert statement, B will get access to all resources permitted to A.

This implies that Thru A, B can make any changes on the server and this may not be the desired scenario.


Vipul Patel (Expert):
Q: aren't you trying to say about the SecurityExceptions?

A: no, the exception being referred here is PolicyException.....


Vipul Patel (Expert):
d. Keep the Assertion as small as possible


Vipul Patel (Expert):
If you do need to Assert, make sure that you revertAssert as soon as you are done.


Vipul Patel (Expert):
in C# code, this will be implied by

CodeAccessPermission.RevertAccess();

Vipul Patel (Expert):
Tip: When Deny, Assert and PermitOnly are used together, Deny has the highest precedence.


Vipul Patel (Expert):
e. Limit who uses your code


Vipul Patel (Expert):
How: Consider sealing your classes. This will make them non-inhertiable.


Vipul Patel (Expert):
Also, You can use InheritanceDemand to require that derived classes have a specified identity  or permission.


Vipul Patel (Expert):

[EnvironmentPermission (securityAction.InheritanceDemand, Unrestricted = true)]

public class A

{

}

public class B : A

{

}

Vipul Patel (Expert):
this will imply that if the inheriting class request a actions thru an inherited class, the framework will see if the calling class has the permissions needed to do the action.....


Vipul Patel (Expert):
in the earlier example, B must have environmentPermission, if it were to inherit A.


Vipul Patel (Expert):
Other security Tips for .NET programmers


Vipul Patel (Expert):
Q: How to protect Images in a ASP.NET Project i.e Print, Print Screen, Save Page.... etc

A: i <b>believe<b> that disabling menu options on browsers is achievable thru JavaScript....... I need time to investigate this in details. Please email me at vipul_d_patel@hotmail.com stating your complete requirement.


Vipul Patel (Expert):
a. No Sensitive Data in XML or Configuration files


Vipul Patel (Expert):
Storing data of non secure nature is ok in configuration files such as web.config.


subhashini (Moderator):
Please use the radial button "submit a question " to ask any questions to the expert


Vipul Patel (Expert):

It is an oxymoron that storing data in registry is safer than storing in the web.config... We need to make a judicious call here...as registry access violates No touch deployment fundas.


Vipul Patel (Expert):
A better option will be to use SQL Server as data storage for confidential information.


Vipul Patel (Expert):
ASP.NET v1.1 supports optional data Protection API encryption of secrets stored in registry. The configurations ectiosn that take advantage of this are <processModel>, <identity>, and <sessionState>....


Vipul Patel (Expert):
aspnet_setreg.exe is a cool tool to explore  for using registry to store confidential information....


Vipul Patel (Expert):
Tip: Review Assemblies that allow partial trust


Vipul Patel (Expert):
if you want your assembly to be invoked from partially trust sources, you need to tag it

[assembly: AllowPartiallyTrustedCallers]

Vipul Patel (Expert):
Further more you need the review in details  all the assemblies that make calls to this assembly in partial trusted mode... thats because a partial trusted code has considerable access on the resources handled by the called assembly...


Vipul Patel (Expert):
IMP: Assemblies that allow partially trusted callers should never expose objects from assemblies that do not allow partially trusted callers.


Vipul Patel (Expert):
Never forget to review the code of the calling assembly lest it causes any security breach.


Vipul Patel (Expert):
Tip: Check Managed Wrappers to Unmananged code for correctness

Make sure that code calling into unmanaged is well written and safe.


Vipul Patel (Expert):
Issues with Serialization


Vipul Patel (Expert):
Give special attention to classes that implement the ISerializable interface if an object based on the class could contain sensitive object information.


Vipul Patel (Expert):
If these classes store password, it could pose as a considerable security concern.


Vipul Patel (Expert):
Q: Vipul: i have learned that you can save the session in SQL to identify the broken sessions to continue with where they stoped... and do you think suggest such kind of storage?

A: yes, storing session information in SQL server would be a good option... optionally if that code or the user has access to registry, you can use the DPAPI also....

SQL server is better...


Vipul Patel (Expert):
Using Isolated storage


Vipul Patel (Expert):
using Isolated STorage provided by the .NET Framework has the advantage that only the code in a given assembly can access the isolated data when any of the following conditions are met: application is running when the assembly created the store is using the assembly, or when the user who created the store is running the application.


Vipul Patel (Expert):

using System.IO.IsolatedStorage;

..

IsolatedStorageFile isoFile = IsolatedStorageFile.GetStore (IsloatedStorageScope.User || IsloatedStorageScope.Assembly, null, null);

Vipul Patel (Expert):
The major advantage of using isolated storage is that it does not require FileIOPermission to operate correctly.


subhashini (Moderator):
Friends , we have the last 15 minutes left for the chat to conclude


Vipul Patel (Expert):
But Don't use isolated storage to store sensitive data, because it is not protected from highly trusted code or trusted users of the computer.


Vipul Patel (Expert):
Other tips


Vipul Patel (Expert):
Disable Tracing and Debugging Before Deploying ASP.NET Application


Vipul Patel (Expert):
Because: you can potentially give an attacker too much information


subhashini (Moderator):
So please rush in your questions to Vipul


Vipul Patel (Expert):
How to do this:


Vipul Patel (Expert):

1. Remove Debug verb from IIS.

2. Disable debugging ad tracing within ASP.NET aplication pAge directive

<%@ Page Language="VB" Trace="False" Debug="False" %>

3. In web.Config file

<trace enabled = 'false'/>

<compilation debug ='false'/>

Vipul Patel (Expert):
Also, Do not deserialize data from untrusted sources.


Vipul Patel (Expert):
in case the application fails, do not tell the attacker too much when you fail.. Rather , write to the application log an error code which is known only to developers


Vipul Patel (Expert):
Thats all for the tips and tricks. Now to your questions.....


Vipul Patel (Expert):
Q: Vipul: can you through some light on "SecurityException"?

A: Security exception occurs when a security error is detected, like making IO calls when the user does not rights on it...

POlicyexception on the other hand is generated when code requests more permissions than the policy will grant or the policy is configured to prohibit running the code.

Vipul Patel (Expert):
OK team,,, the recsources that should keep you going.....


Vipul Patel (Expert):
A book by Michaol Howard titles "Writing Secure Code". It is by Microsoft Press. Its an extremely good book. Recommend all to read when you get time....


Vipul Patel (Expert):
visit digitalblackbelt.com and view the webcasts on security they are great.


Vipul Patel (Expert):
Also on MSDN webcasts, there is a series of webcasts on Writing Secure Code, you can view them if you can get hands on the book....


Vipul Patel (Expert):
thats all from my side....


Vipul Patel (Expert):
Q: Vipul: i have a small situation.. can i ask you now?

A: sure..


Vipul Patel (Expert):
Q: thnx vipul

A: anytime man


Vipul Patel (Expert):
u can visit http://msdn.microsoft.com/asp.net/articles/security/default.aspx for more information on security \


subhashini (Moderator):
well, we are almost close to time-up!


subhashini (Moderator):
there's time for one last question


subhashini (Moderator):
To ask any additional queries , please feel free to email Vipul


subhashini (Moderator):
at  vipul_d_patel@hotmail.com


Vipul Patel (Expert):
go on chakravarty.. is your question over?


subhashini (Moderator):
Hope this chat in series was informative


subhashini (Moderator):
To read chat transcripts of earlier chats , visit http://www.microsoft.com/india/communities/chat/Transcripts.aspx


subhashini (Moderator):
thanks to all of you for attending today's chat\


Vipul Patel (Expert):
chakravarty: can you email me this question? I shall reply ASAP. My email id is vipul_D_patel@hotmail.com


subhashini (Moderator):
Special thanks to Vipul for taking time out for this informative session with his geographical constraints regarding timings


Vipul Patel (Expert):
Thanks all for attending this chat


subhashini (Moderator):
Thanks a lot Vipul


Vipul Patel (Expert):
welcome subhashini


subhashini (Moderator):
request all of you to pool in your queries through email


subhashini (Moderator):
Have alovely evening


subhashini (Moderator):
Also feel free to pool in your feedback for these chats at commind@microsoft.com

Here is the webchat transcript of the second webchat of the series - "Writing Secure Code"

Chat Topic: Writing Secure Code -II
Date: Thursday, April 14, 2005

subhashini (Moderator):
hello everybody


subhashini (Moderator):
:-) a very good evening to all of you


subhashini (Moderator):
and welcome all of you to join us for the second part of the series chat


subhashini (Moderator):
on writing secure code


subhashini (Moderator):
Thansk to Vipul Patel (MVP) for hosting this series chat


subhashini (Moderator):
Guys, thanks to him, he's based out of US and is currently hosting the chat during his odd hours


subhashini (Moderator):
Once again a quick rrun through the chat rules


subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat

subhashini (Moderator):
Chat Procedures:

This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts. We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.

subhashini (Moderator):
thansk to all of you for attending this chat.


subhashini (Moderator):
and lets welcome vipul


Vipul Patel (Expert):
Thanks Subhashini for the opportunity. Welcome to the second part of the series on Writing secure code.


subhashini (Moderator):
to continue the series


subhashini (Moderator):
Hi Vipul


Vipul Patel (Expert):
Hello all


Vipul Patel (Expert):
Those wo missed out yesterday: a quick recap. Yesterday the main focus was the need for writing secure code, threat modeling and we saw two security concerns: buffer overrun and ACLs.


Vipul Patel (Expert):
Today we shall focus on the other security concerns....


Vipul Patel (Expert):
We begin with poor cryptographic tehcniques


Vipul Patel (Expert):
Crypto can help secure data from specific threats, but it does not secure the application from coding errors.


Vipul Patel (Expert):
Common mistakes people make when using cryptography include

Vipul Patel (Expert):
a. using poor random numbers


Vipul Patel (Expert):
b. using password to derive cryptographic

Vipul Patel (Expert):
Lets catch them one by one


Vipul Patel (Expert):
Did you know that the Random function provided by the Operating systems generetes the same sequence of random numbers everytime.


Vipul Patel (Expert):
Same case with the Frameworks......


Vipul Patel (Expert):
Consider this code in C++

// Always print 52 4 26 66 26

void main()

{

  srand(12366);

  for (int i = 0; o< 10 ; i++)

 {

    int i = rand() % 100;

    printf("%d " , i);

  }

}

Vipul Patel (Expert):
The above code snippet always results in the same sets of numbers.....


Vipul Patel (Expert):
lets see one in C#

class Class1

{

/// <summary>

/// The main entry point for the application.

/// </summary>

  [STAThread]

  static void Main(string[] args)

  {

//

// TODO: Add code to start application here

//

    Random rnd = new Random(1234);

    for(int i = 0; i <20; i++)

    {

      Console.WriteLine(rnd.Next(100));

    }

  }

}

Vipul Patel (Expert):
The above code also results in the same sequence of random numbers being generated.


Vipul Patel (Expert):
The problem with using such functions is that if your application is of a secure nature like a financial institution application, such a dependency on system provided (read predictable) numbers can be easily tracked by the hacker......


Vipul Patel (Expert):
If the random numbers are used for say saving the session key, then all the session information is at risk....


Vipul Patel (Expert):
How to avoid such a situation.....


Vipul Patel (Expert):
For win32 applications use the CryptGenRandom class.....................


Vipul Patel (Expert):
and those of you coding in C#, Use the RNGCryptoServiceProvider class available in the system.Security.Cryptography namespace


Vipul Patel (Expert):
another poor cryptographic technique is "Using Passwords to Derive Cryptographic keys"

Vipul Patel (Expert):
some applications are based on a security model that you ask the user for the password for a specfic action and then this user-provided password is used as a cryptographic key.


Vipul Patel (Expert):
The problem with such a approach is that if the password is small, then it is easy to predict thru Dictionary attack......


Vipul Patel (Expert):
Dictionary attack: try all possible words from the dictionary to see which works as an key....


Vipul Patel (Expert):
Suggesstion: Keep your passwords long and randon.


Vipul Patel (Expert):
You can make this a network policy.....


Vipul Patel (Expert):
With Win2003 Server and later, you can validate password compliance with NetValidatePasswordPolicy.


Vipul Patel (Expert):
More information available at <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp>

Vipul Patel (Expert):
Use Keyed Hash

Vipul Patel (Expert):
Keyed Hash: Is a hash that includes some secret data, data known only to the sender and recipients. It is typically created by hashing the plaintext concatenated to some secret key or a derivation of the secret key. It is one kind of message authentication code (MAC).

Vipul Patel (Expert):
the idea here is to not use a simple hash but to use a keyed hash........ This is secure things a bit....


subhashini (Moderator):
sorry guys, vipul


subhashini (Moderator):
might have just got logged out


subhashini (Moderator):
please hold on for coupel of mins. he would be back


subhashini (Moderator):
vipul has lost his wireless connection and has had to reboot


subhashini (Moderator):
so, he would be back any minute


subhashini (Moderator):
thanks for cooperating


subhashini (Moderator):
thanks guys


Vipul Patel (Expert):
sorry for the confusion guys...


Vipul Patel (Expert):
lets continue


Vipul Patel (Expert):
Creating a Keyed hash

HMACSHA1 hmac = new HMACSHA1();

Hmac.Key = key;

byte[] hash = hmac.ComputeHash(message);

Tip: Use the Operating system or .NET framework libraries. It’s much easier than implementing the logic yourself.

Vipul Patel (Expert):
Creating a Keyed hash

Tip: Use the Operating system or .NET framework libraries. It’s much easier than implementing the logic yourself.

HMACSHA1 hmac = new HMACSHA1();

Hmac.Key = key;

byte[] hash = hmac.ComputeHash(message);

subhashini (Moderator):
apologies for the technical tricks played on us by the chat tool :-) we are back and lets get the chat rocking!


Vipul Patel (Expert):
So how do you protect secrets?


Vipul Patel (Expert):
We usually hash the data.....


Vipul Patel (Expert):
But better than hash, do a salted hash...


Vipul Patel (Expert):
Hash: is a cryptographic algorithm that produces a different output, called a message digest, for each unique element of data


Vipul Patel (Expert):
Better than hash, use a salted hash


Vipul Patel (Expert):
Salt is a random number that is added to the hashed data to eliminate the use of precompiled dictionary attacks, making an attempt to recover the original secret extremely expensive. The salt is stored unencrypted with the hash.

Vipul Patel (Expert):
More information is available at <http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx>

Vipul Patel (Expert):
Coming to talk of DPAPI, lets see what is available in Windows 2000 and above


Vipul Patel (Expert):
In Windows 2000 and later, we can use the Data Protection API (DPAPI) functions CryptProtectData and CryptUnprotectData.  

Vipul Patel (Expert):
http://www.vsdotnet.be/blogs/tommer/PermaLink,guid,66a14fe3-bfc7-4089-8b55-69480a7b78fc.aspx


Vipul Patel (Expert):
Guys the above link shoud work...


Vipul Patel (Expert):
These functions encrypt (DPAPI) and decrypt data by using a key derived from the user’s password. In addition, decryption can be done only on the computer where the data was encrypted unless the user has a roaming profile, in which case she can decrypt the data from another computer on the network.

Vipul Patel (Expert):
A Special Case: Client Credentials in Windows XP

Vipul Patel (Expert):
Windows XP includes functionality named Stored User Names And Passwords to make handling users’ passwords and other credentials, such as private keys, easier, more consistent, and safer. If your application includes a client component that requires you to prompt for or store a user’s credentials, you should seriously consider using this feature for the following reasons:

·               Support for different types of credentials, such as passwords and keys, on smart cards.

·               Support for securely saving credentials by using DPAPI.

·               No need to define your own user interface. It’s provided, although you can add a custom image to the dialog box.

Vipul Patel (Expert):
Use NTFS for enhanced security. FAT and FAT32 do not enforce strict security checks.

Vipul Patel (Expert):
Other small nuances to take care of.....


Vipul Patel (Expert):
Use NTFS for enhanced security. FAT and FAT32 do not enforce strict security checks


Vipul Patel (Expert):
Trust no input

Vipul Patel (Expert):
Always validate any user input for all possible values: minimum, maximum, boundary conditions, etc.

You can check the format of the inputed data by regular expressions


Vipul Patel (Expert):
DOS device name vulnerability

Due to compatility reasons, DOS  device named have been carried over to Windows. That’s why you cant create a file named PRN or COM1, COM@ or LPT. Creating such files (even for temporary purpose) thru code should be avoided.

Vipul Patel (Expert):
Don’t trust PATH variable. Use Full path names

If your application uses the PATH variable explicitly for a good number of reasons, it is better to create a custom environment variable for the purpose as PATH variable should not be dependede upon as a lot of applications may be and modify it..

Vipul Patel (Expert):
SQL Injection attacks


Vipul Patel (Expert):
consider a SQL statement


Vipul Patel (Expert):

string sql = "select * from client where name = '" + name + "'"

Vipul Patel (Expert):
imagine a user entering

Blake' or 1 = 1

Vipul Patel (Expert):
Q: vipul, is SQL injection attacks fully prevantable through Stored procedures.

A: no for SQL injection , SPs are not a solution.

People use two solutions


Vipul Patel (Expert):
Q: vipul, is SQL injection attacks fully prevantable through Stored procedures.

A: Correct solution is

a. never ever connect as sysadmin (This limits database damage by SQL injection)

b. Build your SQL statements securely, use Parameterized commands in your SP..............


Vipul Patel (Expert):
Q: what are your strong recommendations to deal with SQL injection attacks

A: a. never ever connect as sysadmin (This limits database damage by SQL injection)

b. Build your SQL statements securely, use Parameterized commands in your SP..............

subhashini (Moderator):
guys, we have the last 13 mins left for the chat to conclude for today


subhashini (Moderator):
please ask the last few questions to get them answered


Vipul Patel (Expert):
I agree with Chakravarthy: If possible prevent the user from entering "'" when he is specifing text based information. But the problem is with names like L'Oreal... how to deal with that..  :D


Vipul Patel (Expert):
Q: vipul, is there any other security areas that you need to highlight and you may not have time to disscuss them fully here.

A: I will not be able to cover the security in .NET framework whcih I will cover tomorrow.......


Vipul Patel (Expert):
Q: i want to ask whether parameterized commands are foolproof.

A: Depends on your code. But it is deemed and projected as quite secure..


Vipul Patel (Expert):
Q: suppose, i have a web application, then..using encryption class is not going to help much, as encryption would occur at server side, after all data is transfered across the n/w with out encryption. m i right???

A: If you use SSL,, then your data will be secure when transferred from the client to the server....


Vipul Patel (Expert):
Q: Hi, tell me more about DPAPI and what all complexities are involved implementing it ?

A: already answered....


Vipul Patel (Expert):
Yes,,, dont allow where word, if possible, I must add....


Vipul Patel (Expert):
Chakravarthy: Whidbey: I shall answer that tomorrow.....


subhashini (Moderator):
So this brings us to teh end of today's chat


subhashini (Moderator):
and hope to see you all tomorrow


subhashini (Moderator):
and hold on to your questions till tomorrow


subhashini (Moderator):
alos feel free to email vipul at vipul_d_patel@hotmail.com


Vipul Patel (Expert):
The best resource on writing secure code is a book by Michael Howard titled "Writing secure code".......... Google for more information on the book....


Vipul Patel (Expert):
Chakravarthy:..... go ahead...


subhashini (Moderator):
go ahead chakravarthy


Vipul Patel (Expert):
For securing already written code, I suggest that you have a robust code review policy, revisit your design,, bascially perform a threat modelling for a already existing application..


Vipul Patel (Expert):
That is a judgement call, if you feel that the previously written code is not secure, demo the failure to your team lead, and then suggest that the following remedies will apply....


Vipul Patel (Expert):
what do you mean by wrapping mechanism?


Vipul Patel (Expert):
Best practises for writing secure code:


Vipul Patel (Expert):
a. Dont tell the attacker anything


Vipul Patel (Expert):
b. Dont leak information in banner strings and unhandled errors...


Vipul Patel (Expert):
Doubel check your error messagess and paths...


Vipul Patel (Expert):
Add security commenst to your code...


Vipul Patel (Expert):
Dont write user files to \Program Files


Vipul Patel (Expert):
Dont write user data to HKLM


Vipul Patel (Expert):
Allow long passwords...


Vipul Patel (Expert):
and have an application log.


Vipul Patel (Expert):
Thats all for today.....


subhashini (Moderator):
thanks again to all of you for attending teh chat


Vipul Patel (Expert):
if you have any further questions,,,, please email me at vipul_d_patel@hotmail.com or visit my unfrequented blog at http://spaces.msn.com/members/vipul and leave your comments there. I shall revert...


subhashini (Moderator):
see you alla gain tomorrow for the last part of this series


subhashini (Moderator):
have a lovely evening.

Vipul Patel (Expert):
With that background, lets begin our discussion on designing secure systems.


Vipul Patel (Expert):
What are the two most common security mistakes made by software companies?


Vipul Patel (Expert):
a. The application is designed, written, tested, and shipped to customers, but the developers forget to make it secure. Or they think they have, but they got the design wrong. It’s wrong because they added some security technology to their application to be “buzzword-compliant,” but the technology doesn’t mitigate any real security threats


Vipul Patel (Expert):
b. The second mistake is adding security to the application as an afterthought. Security aspect of the code should be from the design phase itself.


Vipul Patel (Expert):
Adding security features after the application is developed should be prevented for the following reasons:


Vipul Patel (Expert):
i. Adding security later is wrapping security around existing features, rather than designing features and security with both in mind


Vipul Patel (Expert):
ii. Adding any feature, including security, as an afterthought is expensive


Vipul Patel (Expert):
iii. Adding security might change the way you’ve implemented features. This too can be expensive


Vipul Patel (Expert):
iv. Adding security might change the application interface, which might break the code that has come to rely on the current interface.


Vipul Patel (Expert):
There is a need for the security principles to be imbibed in a software developement process. These principles are as under:


Vipul Patel (Expert):
a. Establish a security process


Vipul Patel (Expert):
b. Define the product security goals]


Vipul Patel (Expert):
c. Consider security as a product feature


Vipul Patel (Expert):
d. Learn from mistakes


Vipul Patel (Expert):
e. Use least privilege


Vipul Patel (Expert):
f. Use defense in depth

g. Assume external systems are insecure

h. Plan on failure

i. Fail to a secure mode

j. Employ secure defaults

h. Remember that security features != secure features

i. Never depend on security through obscurity


Vipul Patel (Expert):
Please let me complete the section theory for today, then I will jump to examples.... :)


Vipul Patel (Expert):
and then take up all the questions raised.


Vipul Patel (Expert):
How to incorporate security features thru design? The answer is thru Threat Modelling


Vipul Patel (Expert):
You cannot build a secure system until you understand your threats. It's as simple as that.


Vipul Patel (Expert):
A threat model is a security based analysis that helps people determine the highest level security risks posed to the product and how attacks can manifest themselves.


Vipul Patel (Expert):
The goal is to determine which threasts require migitation and how to migitate the threats.


Vipul Patel (Expert):
Benefits of threat modeling


Vipul Patel (Expert):
a. It helps to understand the threat better.


Vipul Patel (Expert):
b. Threat models helps you find bugs.


Vipul Patel (Expert):
b. Threat models helps you find bugs.


Vipul Patel (Expert):
c. You can discover serious design bugs in the process


Vipul Patel (Expert):
d. Threat models can help new team members understand the application in detail.


Vipul Patel (Expert):
Threat modeling process:


Vipul Patel (Expert):
1. Assemble the threat-modelling team


Vipul Patel (Expert):
2. Decompose the application


Vipul Patel (Expert):
3. Determine the threats to the application using STRIDE model


Vipul Patel (Expert):
4. Rank the threats by decreasing risk


Vipul Patel (Expert):
5. Choose how to respond to the threats


Vipul Patel (Expert):
6. Choose techniques to mitigate the threats


Vipul Patel (Expert):
We are now done with the theory ;)  . and we shall  begin examples of security vulnerabilities.


Vipul Patel (Expert):
The biggest security issue has been the Buffer overrun....


Vipul Patel (Expert):
Q: what is STRIDE model?

A: STRIDE model is a model to understand the security flaws. It includes analysis for the following type of flaws: "Spoofing identity", "Tampering with data" , "Repudiation", "Information disclosure", "Denial of service", "Elevation of privilege"

More details are available at http://msmvps.com/secure/archive/2004/06/22/8728.aspx


Vipul Patel (Expert):
No Sundar: The good thing about the .NET Framework is that it is no longer a security issue with .NET using C# and VB.NET. With VC++.NET, you need to compile your project with /GS option to identify any such possible buffer overflows in your project.


Vipul Patel (Expert):
Sai: Your question has been answered in the previous post.


Vipul Patel (Expert):
Q: How can Buffer Overrun be a security issue ?

A: I am coming to that with an example


Vipul Patel (Expert):
Defintion of buffer overrun: A stack based buffer overrun occurs when a buffer declared on the stack is overwritten by copying data larger than the buffer.


Vipul Patel (Expert):
Variables declared on the stack are located next to the return address for the function's caller. The culprit here is the return address for the function gets overwritten by an address chosen by the attacker.


Vipul Patel (Expert):
e.g. code

void food (const char* input)

{

                char buf[10];

                // print statement to see the stack

                printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");

                strcpy(buf, input)

                printf("%s\n", buf);

                printf ("New Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");

}

void bar(void)

{

                printf ("Uh Oh");

}

int main (int argc, char* argv[])

{

                printf("Address of foo = %p\n", foo);

                printf("Address of bar = %p\n", bar);

                if (argc != 2)

                {

                                printf("Please supply a string as argument\n");

                                return -1;

                }

                foo(argv[1]);

                return 0;

}

Vipul Patel (Expert):
please read "foo" instead of foo for the first function declaration.


Vipul Patel (Expert):
sat: which kind of failure is being talked of here?


Vipul Patel (Expert):
IN the above code sample : observe the code

// print statement to see the stack

                printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");

This code is used to see the stack contents


Vipul Patel (Expert):
Q: What are other major security issuess to be taken care of , mainly with .NET ?

A: This concern will be addressed in the third webchat of the series scheduled on Friday this week..


Vipul Patel (Expert):
If we pass a string of less than 10 characters, it will work fine. Example of execution:

c:\Mycode>StackEx.exe Hello

Address of foo = 00401000

Address of bar = 00401045

Stack status:

00000000

00000000

7FFDF000

0012FF80

0040108A  <This is the address we want to overwrite

00410EDE

Hello

New stack status:

6C6C6548  < You can see where Hello was copied in

0000000F

7FFDF000

0012FF80

0040108A

00410EDE

Vipul Patel (Expert):
See that the first memory location gets modified with the text. The second memory location is the instruction set for the second call.


Vipul Patel (Expert):
Now input a long string

:\Mycode>StackEx.exe AAAAAAAAAAAAAAAAAAAAAAA

Address of foo = 00401000

Address of bar = 00401045

Stack status:

00000000

00000000

7FFDF000

0012FF80

0040108A 

00410EDE

AAAAAAAAAAAAAAAAAAAAAAA

New stack status:

41414141

41414141

41414141

41414141

41414141

41414141

Vipul Patel (Expert):
If you use a longer string the whole stack buffer gets rewritten with the data from the string input.....


Vipul Patel (Expert):

And we also get an application error claiming the instruction at 0x41414141 tried to access memory at address 0x41414141.


Vipul Patel (Expert):
Q: But Vipul....is'nt this limitation limited to Unmanaged code in the .Net.....i mean over-writing the return address of a function in the stack....

A: Yes, thats the limitattion limited to unmanaged code in the .NET. That  is not an issue with .NET application. I agree


Vipul Patel (Expert):
Q: what kind of security issues normally hit the web applications

A: For web applications, you need to make sure to consider the following during threat modelling:

a. Unvalidated paramaters

b. Broken access control

c. Borken authentication and session management

d. Cross site scripting flaws

e. Buffer overflows

f. Command injection flaws

g. Error handling problems

h. Insecure storage

i. Denial of service (!!! The top most threat)

You also need to see that there is no undue priviledge evevation


Vipul Patel (Expert):
If a smart hacker were to know of this vulnerability, he will write a script to execute the above executable with a specifc string which will expose this flaw.


Vipul Patel (Expert):
More information about this is available at

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp


Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?

A: Yes, Buffer overrun can be migitated by the following steps

a. Always validate your input for the type and length.

b. Make sure your string handling operations are safe


Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?

A: in the above code if we had the  following check it could have been prevented

if (strlen (input) < sizeof(buf))

{

  // everything in place

  strcpy(buf, input)

}

else

{

  // do the processing for failure...

}

Vipul Patel (Expert):
Q: How does MS address the Denial of Service.....i mean does the web-server has any means of preventing it...and does IIS have any feature of this kind....?

A: Hello Rakesh, we will take up Denial of Service tomorrow... Today we shall be limiting ourselves to Buffer overrun and ACLs..


Vipul Patel (Expert):
Sundar: you are right about storing int like data structure on the stack and the reference types on heap..


Vipul Patel (Expert):
But heap buffer overrun is also posisble, but it is dificult to exploit.


Vipul Patel (Expert):
Q: You never answerd what's the impact of buffer overrun in .Net world, in C run time world I think those who familier with that have better understanding :)

A: Fortunately, buffer overrun is not an issue with .NET. The .NET framework handles the issue with buffer overruns.... it is only an issue with legacy applications and unmanaged code written in VC++.NET


Vipul Patel (Expert):
Q: in C# i guess only the basic data types like int variables are stored in stack . basically the reference objects are stored in heaps so the risk is very low. in this case how ill a function get executed?

A: This is not applicable to .NET applications in C#


Vipul Patel (Expert):
Q: other than String Handling errors and Array indexing errors what are all the possible causes for Heap overruns

A: Unicode and ANSI Buffer size mismatches are another source for the heap overruns


Vipul Patel (Expert):
Q: can u please throw some light on Array Indexing errors and its impact on Heap over runs?

A: I shall discuss this later


Vipul Patel (Expert):
Q: Why did microsoft not consider the /GS behavior default ?

A: it is only applicabel for unmanaged code in VC++.NET


Vipul Patel (Expert):
Q: is there any way in .Net to avoid Heap Over runs? because there are ways to have non executable stacks in operating systems and there are also tools like StackGuard  to avoid stack based overruns. is there something like that for heap over runs

A: safe string handling for one..

I need to investigate this more.....


Vipul Patel (Expert):
Q: Oh sorry I got a look at the article you reffered recently, so strsafe.h is the solution right

A: yes


Vipul Patel (Expert):
Q: Recently C librarys has improved functions, like the one I mentioned earlier nstrcpy(), is that type of implementations are missing in VC++

A: it was missing in VC++ 6.0


Vipul Patel (Expert):
Q: Give a simple security method for a windows application which is connecting to www or some Dedicated line often

A: Have a firewall installed


Vipul Patel (Expert):
Q: What are the different ACLs that can be employed and how to chose the best of it?

A: ACL strategy

1. Determine the resource you need

2. Determine the business defined acccess requirement

3. Determine the appropriate access control technology

4. Convert the access requirements to access control technology

Vipul Patel (Expert):
Q: is one required to have diffrent security model for "Intranet" or "Internet" application

A: no, if you have Single Signon for INtranet, yes other wise, because the scenarios are different for both


subhashini (Moderator):
We have almost come to the end of this chat today. Space for one more question!


subhashini (Moderator):
I willw ait for Vipul to complete answering the questions to announce the closure of this chat.


Vipul Patel (Expert):
Most of us are admin on our machines. Imagine what will happen when you download a malicious script and the script gets running in admin mode... your machine is bound to be infected.


subhashini (Moderator):
So that brings us to the end of today's chat


subhashini (Moderator):
Hold on to your questions till tomorrow


subhashini (Moderator):
because this chat is a series chat


Vipul Patel (Expert):
Q: but is'nt this discrimination between intranet and internet handled by .Net CLR implicitly.....

A: We are not talking from .NET CLR perspective, but rather from a developer point of view using any developement language.


subhashini (Moderator):
that willc ontinue till friday


subhashini (Moderator):
So friends , meet you again tomorrow


subhashini (Moderator):
and be ready with your questions ..let's shoot it out to Vipul


subhashini (Moderator):
:-)


subhashini (Moderator):
So lets catch up with teh seciond series of this chat tomorrow at 5pm


subhashini (Moderator):
Till then , have  a lovely evening


Vipul Patel (Expert):
Q: And what are security issues with desktop or client server applications  ?

A: improper file permission, undue Access control   to name a few


Vipul Patel (Expert):
Q: what are security issues with desktop or client server applications ?

A: improper file permission, undue Access control   to name a few


subhashini (Moderator):
And lets thank Vipul for his great spirit to take this chat in succession


subhashini (Moderator):
:-) Thanks Vipul


subhashini (Moderator):
And all of you have a lovely evening ..


Vipul Patel (Expert):
One of the best articles on running with least privildge is http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx\


Vipul Patel (Expert):
THats all for today. See you all tomorrow when we discuss about Cryptographic Foibles, Storing Secrets, Canonical Representation Issues and Network-Based Application Considerations

Vipul Patel (Expert):
good day to all.... and a good morning to me... its 5:45 am in los angeles and time to go to work.....

Here is the transcript of the first webchat in the "Writing Secure Code" webchat series.

If you have any questions, please drop it as a comment here or mail me at vipul_d_patel@hotmail.com

Chat Topic: Writing Secure Code - I
Date: Wednesday, April 13, 2005

subhashini (Moderator):
The chat is about to begin


subhashini (Moderator):
sharp at 5pm IST


subhashini (Moderator):
hello everbody . A very good evening to all of you. :-)

subhashini (Moderator):
Welcome to today's webchat on writing secure code

subhashini (Moderator):
This is a chat in series


subhashini (Moderator):
and today is the part one of the series


subhashini (Moderator):
we have with us our MVP Vipul Patel


subhashini (Moderator):
with us today for the chat.


subhashini (Moderator):
To give a quick intro about him

subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India's college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.

subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com <mailto:vipul_d_patel@hotmail.com> or vipul.patel@patni.com <mailto:vipul.patel@patni.com>.

subhashini (Moderator):
As always , few chat rules


subhashini (Moderator):
before we beging the chat


subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat

subhashini (Moderator):
Chat Procedures:

This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts.

subhashini (Moderator):
We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.

subhashini (Moderator):
lets get the chat rolling


subhashini (Moderator):
let us welcome Vipul


subhashini (Moderator):
Hi Vipul


Vipul Patel (Expert):
Thanks Subhashini and welcome to all to the first of the series of webchats on "Writing secure code"


Vipul Patel (Expert):
Our topic Writing secure code is gaining popularity day by day and we are here to discuss about the same.


Vipul Patel (Expert):
I shall start with small introduction.


Vipul Patel (Expert):
If you have any questions , please feel free to send them to me thru "expert chat" radio  button


Vipul Patel (Expert):
As the Internet grows in importance, applications are becoming highly interconnected.


Vipul Patel (Expert):
Earlier computers were not as highly interconnected as they are today, and hence most people wouldn't care much about security.


Vipul Patel (Expert):
But times have changed. Virtually all computers—servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as embedded systems—are interconnected.


Vipul Patel (Expert):
that means that if one of the interconnected system is affected, it can affect the whole network


Vipul Patel (Expert):
No wonder why the World Wide Web is often referred to as the Wild Wild Web.  ;)


Vipul Patel (Expert):
It is not only important to write robust code, the need of the day is to produce reliable & secure systems.


Vipul Patel (Expert):
Your system, if connected to Internet, is a potential victim for an attack.


Vipul Patel (Expert):
So Why is security important for you and me?


Vipul Patel (Expert):
1. The Media (and Your Competition) Leap on Security Issues: This is a business impact. If your application makes a security breach headlines, you are bound to lose a chunk of your business, not mentioning the bad publicity that you get. The media will hound you for days and your competition will mention it for years to come....


Vipul Patel (Expert):
2. People Shy Away from Products That Don’t Work As Advertised: If your application keeps crashing every now and then, then people will start avoiding your product.


Vipul Patel (Expert):

3. Security Vulnerabilities Are Expensive to Fix: If security flaws are detected after the product is released to market, then the cost of fixing that Vulnerability as well as deployment costs for the fix are enormous.

Use Passwords to Derive Cryptographic keys

Few applications use the user typed password to generate the cryptographic keys to access the application. The fallback with this approach is that if a robust password is not provided by the user, the hacker can try different combinations of the password to derice the cryptographic keys.

The passwords should be long and random.  

With Win2003 Server and later, you can validate password compliance with NetValidatePasswordPolicy.

More information available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netvalidatepasswordpolicy.asp

One of the nuances of using security mechanisms provided by the framework is the over trust of the framework.

E.g. The mechanism to generate random number using the Random function in any progrmaming language yields the same set of random numbers on repeated execution of the same code.

e.g. of C++ code 

// Always print 52 4 26 66 26

void main()

{

  srand(12366);

  for (int i = 0; o< 10 ; i++)

 {

    int i = rand() % 100;

    printf("%d " , i);

  }

}

e.g. of the C# code

class Class1

{

/// <summary>

Codes such as above produce regular numbers.

Such a regular pattern of random number generation can be exploited by a hacker.

How to using Random number generation safely in Win32

Using the CryptGenRandom class

How to using Random number generation safely in C#

Use the RNGCryptoServiceProvider class available in the system.Security.Cryptography namespace.

The webchat transcipt is continued here

Vipul Patel (Expert):
Defintion of buffer overrun: A stack based buffer overrun occurs when a buffer declared on the stack is overwritten by copying data larger than the buffer.


Vipul Patel (Expert):
Variables declared on the stack are located next to the return address for the function's caller. The culprit here is the return address for the function gets overwritten by an address chosen by the attacker.


Vipul Patel (Expert):
e.g. code

void food (const char* input)

{

                char buf[10];

                // print statement to see the stack

                printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");

                strcpy(buf, input)

                printf("%s\n", buf);

                printf ("New Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");

}

void bar(void)

{

                printf ("Uh Oh");

}

int main (int argc, char* argv[])

{

                printf("Address of foo = %p\n", foo);

                printf("Address of bar = %p\n", bar);

                if (argc != 2)

                {

                                printf("Please supply a string as argument\n");

                                return -1;

                }

                foo(argv[1]);

                return 0;

}

Vipul Patel (Expert):
please read "foo" instead of foo for the first function declaration.


Vipul Patel (Expert):
sat: which kind of failure is being talked of here?


Vipul Patel (Expert):
IN the above code sample : observe the code

// print statement to see the stack

                printf ("Stack status :\n%p\n%p\n%p\n%p\n%p\n\n");

This code is used to see the stack contents


Vipul Patel (Expert):
Q: What are other major security issuess to be taken care of , mainly with .NET ?

A: This concern will be addressed in the third webchat of the series scheduled on Friday this week..


Vipul Patel (Expert):
If we pass a string of less than 10 characters, it will work fine. Example of execution:

c:\Mycode>StackEx.exe Hello

Address of foo = 00401000

Address of bar = 00401045

Stack status:

00000000

00000000

7FFDF000

0012FF80

0040108A  <This is the address we want to overwrite

00410EDE

Hello

New stack status:

6C6C6548  < You can see where Hello was copied in

0000000F

7FFDF000

0012FF80

0040108A

00410EDE

Vipul Patel (Expert):
See that the first memory location gets modified with the text. The second memory location is the instruction set for the second call.


Vipul Patel (Expert):
Now input a long string

:\Mycode>StackEx.exe AAAAAAAAAAAAAAAAAAAAAAA

Address of foo = 00401000

Address of bar = 00401045

Stack status:

00000000

00000000

7FFDF000

0012FF80

0040108A 

00410EDE

AAAAAAAAAAAAAAAAAAAAAAA

New stack status:

41414141

41414141

41414141

41414141

41414141

41414141

Vipul Patel (Expert):
If you use a longer string the whole stack buffer gets rewritten with the data from the string input.....


Vipul Patel (Expert):

And we also get an application error claiming the instruction at 0x41414141 tried to access memory at address 0x41414141.


Vipul Patel (Expert):
Q: But Vipul....is'nt this limitation limited to Unmanaged code in the .Net.....i mean over-writing the return address of a function in the stack....

A: Yes, thats the limitattion limited to unmanaged code in the .NET. That  is not an issue with .NET application. I agree


Vipul Patel (Expert):
Q: what kind of security issues normally hit the web applications

A: For web applications, you need to make sure to consider the following during threat modelling:

a. Unvalidated paramaters

b. Broken access control

c. Borken authentication and session management

d. Cross site scripting flaws

e. Buffer overflows

f. Command injection flaws

g. Error handling problems

h. Insecure storage

i. Denial of service (!!! The top most threat)

You also need to see that there is no undue priviledge evevation


Vipul Patel (Expert):
If a smart hacker were to know of this vulnerability, he will write a script to execute the above executable with a specifc string which will expose this flaw.


Vipul Patel (Expert):
More information about this is available at

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure03102004.asp


Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?

A: Yes, Buffer overrun can be migitated by the following steps

a. Always validate your input for the type and length.

b. Make sure your string handling operations are safe


Vipul Patel (Expert):
Q: how should we handle this buffer overrun then ? by validating user input ?

A: in the above code if we had the  following check it could have been prevented

if (strlen (input) < sizeof(buf))

{

  // everything in place

  strcpy(buf, input)

}

else

{

  // do the processing for failure...

}

Vipul Patel (Expert):
Q: How does MS address the Denial of Service.....i mean does the web-server has any means of preventing it...and does IIS have any feature of this kind....?

A: Hello Rakesh, we will take up Denial of Service tomorrow... Today we shall be limiting ourselves to Buffer overrun and ACLs..


Vipul Patel (Expert):
Sundar: you are right about storing int like data structure on the stack and the reference types on heap..


Vipul Patel (Expert):
But heap buffer overrun is also posisble, but it is dificult to exploit.


Vipul Patel (Expert):
Q: You never answerd what's the impact of buffer overrun in .Net world, in C run time world I think those who familier with that have better understanding :)

A: Fortunately, buffer overrun is not an issue with .NET. The .NET framework handles the issue with buffer overruns.... it is only an issue with legacy applications and unmanaged code written in VC++.NET


Vipul Patel (Expert):
Q: in C# i guess only the basic data types like int variables are stored in stack . basically the reference objects are stored in heaps so the risk is very low. in this case how ill a function get executed?

A: This is not applicable to .NET applications in C#


Vipul Patel (Expert):
Q: other than String Handling errors and Array indexing errors what are all the possible causes for Heap overruns

A: Unicode and ANSI Buffer size mismatches are another source for the heap overruns


Vipul Patel (Expert):
Q: can u please throw some light on Array Indexing errors and its impact on Heap over runs?

A: I shall discuss this later


Vipul Patel (Expert):
Q: Why did microsoft not consider the /GS behavior default ?

A: it is only applicabel for unmanaged code in VC++.NET


Vipul Patel (Expert):
Q: is there any way in .Net to avoid Heap Over runs? because there are ways to have non executable stacks in operating systems and there are also tools like StackGuard  to avoid stack based overruns. is there something like that for heap over runs

A: safe string handling for one..

I need to investigate this more.....


Vipul Patel (Expert):
Q: Oh sorry I got a look at the article you reffered recently, so strsafe.h is the solution right

A: yes


Vipul Patel (Expert):
Q: Recently C librarys has improved functions, like the one I mentioned earlier nstrcpy(), is that type of implementations are missing in VC++

A: it was missing in VC++ 6.0


Vipul Patel (Expert):
Q: Give a simple security method for a windows application which is connecting to www or some Dedicated line often

A: Have a firewall installed


Vipul Patel (Expert):
Q: What are the different ACLs that can be employed and how to chose the best of it?

A: ACL strategy

1. Determine the resource you need

2. Determine the business defined acccess requirement

3. Determine the appropriate access control technology

4. Convert the access requirements to access control technology

Vipul Patel (Expert):
Q: is one required to have diffrent security model for "Intranet" or "Internet" application

A: no, if you have Single Signon for INtranet, yes other wise, because the scenarios are different for both


subhashini (Moderator):
We have almost come to the end of this chat today. Space for one more question!


subhashini (Moderator):
I willw ait for Vipul to complete answering the questions to announce the closure of this chat.


Vipul Patel (Expert):
Most of us are admin on our machines. Imagine what will happen when you download a malicious script and the script gets running in admin mode... your machine is bound to be infected.


subhashini (Moderator):
So that brings us to the end of today's chat


subhashini (Moderator):
Hold on to your questions till tomorrow


subhashini (Moderator):
because this chat is a series chat


Vipul Patel (Expert):
Q: but is'nt this discrimination between intranet and internet handled by .Net CLR implicitly.....

A: We are not talking from .NET CLR perspective, but rather from a developer point of view using any developement language.


subhashini (Moderator):
that willc ontinue till friday


subhashini (Moderator):
So friends , meet you again tomorrow


subhashini (Moderator):
and be ready with your questions ..let's shoot it out to Vipul


subhashini (Moderator):
:-)


subhashini (Moderator):
So lets catch up with teh seciond series of this chat tomorrow at 5pm


subhashini (Moderator):
Till then , have  a lovely evening


Vipul Patel (Expert):
Q: And what are security issues with desktop or client server applications  ?

A: improper file permission, undue Access control   to name a few


Vipul Patel (Expert):
Q: what are security issues with desktop or client server applications ?

A: improper file permission, undue Access control   to name a few


subhashini (Moderator):
And lets thank Vipul for his great spirit to take this chat in succession


subhashini (Moderator):
:-) Thanks Vipul


subhashini (Moderator):
And all of you have a lovely evening ..


Vipul Patel (Expert):
One of the best articles on running with least privildge is http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx\


Vipul Patel (Expert):
THats all for today. See you all tomorrow when we discuss about Cryptographic Foibles, Storing Secrets, Canonical Representation Issues and Network-Based Application Considerations

If you have additional questions, please post them here.

Below is the copy of the transcript of the web chat - Writing Secure Code Part 1, conducted on 13th April 2005 at 5 pm.

Chat Topic: Writing Secure Code - I
Date: Wednesday, April 13, 2005

subhashini (Moderator):
The chat is about to begin


subhashini (Moderator):
sharp at 5pm IST


subhashini (Moderator):
hello everbody . A very good evening to all of you. :-)

subhashini (Moderator):
Welcome to today's webchat on writing secure code

subhashini (Moderator):
This is a chat in series


subhashini (Moderator):
and today is the part one of the series


subhashini (Moderator):
we have with us our MVP Vipul Patel


subhashini (Moderator):
with us today for the chat.


subhashini (Moderator):
To give a quick intro about him

subhashini (Moderator):
After pursuing a bachelor's degree in Chemical Engineering, Vipul pursued a Masters in Computer Application from Gujarat University for the sheer love for computers. He is currently with Patni Computer Systems, and has been working on .NET technologies since last 1.5 years. Once the Chairperson of the Computer Society of India's college chapter at Nirma Institute of Technology (www.nit.edu <http://www.nit.edu>) in his academic days, he sincerely believes that communities can be a powerful platform for developers to share their experiences and queries.

subhashini (Moderator):
He can be contacted at vipul_d_patel@hotmail.com <mailto:vipul_d_patel@hotmail.com> or vipul.patel@patni.com <mailto:vipul.patel@patni.com>.

subhashini (Moderator):
As always , few chat rules


subhashini (Moderator):
before we beging the chat


subhashini (Moderator):
Please refrain from sending any private messages to the expert during the chat

subhashini (Moderator):
Chat Procedures:

This chat will last for one hour. During this hour, our Experts will respond to as many questions as they can. Please understand that there may be some questions we cannot respond to due to lack of information or because the information is not yet public. We encourage you to submit questions for our Experts.

subhashini (Moderator):
We ask that you stay on topic for the duration of the chat. This helps the Guests and Experts follow the conversation more easily. We invite you to ask off topic questions after this chat is over.

subhashini (Moderator):
lets get the chat rolling


subhashini (Moderator):
let us welcome Vipul


subhashini (Moderator):
Hi Vipul


Vipul Patel (Expert):
Thanks Subhashini and welcome to all to the first of the series of webchats on "Writing secure code"


Vipul Patel (Expert):
Our topic Writing secure code is gaining popularity day by day and we are here to discuss about the same.


Vipul Patel (Expert):
I shall start with small introduction.


Vipul Patel (Expert):
If you have any questions , please feel free to send them to me thru "expert chat" radio  button


Vipul Patel (Expert):
As the Internet grows in importance, applications are becoming highly interconnected.


Vipul Patel (Expert):
Earlier computers were not as highly interconnected as they are today, and hence most people wouldn't care much about security.


Vipul Patel (Expert):
But times have changed. Virtually all computers—servers, desktop personal computers, and, more recently, cell phones, pocket-size devices, and other form factor devices such as embedded systems—are interconnected.


Vipul Patel (Expert):
that means that if one of the interconnected system is affected, it can affect the whole network


Vipul Patel (Expert):
No wonder why the World Wide Web is often referred to as the Wild Wild Web.  ;)


Vipul Patel (Expert):
It is not only important to write robust code, the need of the day is to produce reliable & secure systems.


Vipul Patel (Expert):
Your system, if connected to Internet, is a potential victim for an attack.


Vipul Patel (Expert):
So Why is security important for you and me?


Vipul Patel (Expert):
1. The Media (and Your Competition) Leap on Security Issues: This is a business impact. If your application makes a security breach headlines, you are bound to lose a chunk of your business, not mentioning the bad publicity that you get. The media will hound you for days and your competition will mention it for years to come....


Vipul Patel (Expert):
2. People Shy Away from Products That Don’t Work As Advertised: If your application keeps crashing every now and then, then people will start avoiding your product.


Vipul Patel (Expert):

3. Security Vulnerabilities Are Expensive to Fix: If security flaws are detected after the product is released to market, then the cost of fixing that Vulnerability as well as deployment costs for the fix are enormous.


Vipul Patel (Expert):
With that background, lets begin our discussion on designing secure systems.


Vipul Patel (Expert):
What are the two most common security mistakes made by software companies?


Vipul Patel (Expert):
a. The application is designed, written, tested, and shipped to customers, but the developers forget to make it secure. Or they think they have, but they got the design wrong. It’s wrong because they added some security technology to their application to be “buzzword-compliant,” but the technology doesn’t mitigate any real security threats


Vipul Patel (Expert):
b. The second mistake is adding security to the application as an afterthought. Security aspect of the code should be from the design phase itself.


Vipul Patel (Expert):
Adding security features after the application is developed should be prevented for the following reasons:


Vipul Patel (Expert):
i. Adding security later is wrapping security around existing features, rather than designing features and security with both in mind


Vipul Patel (Expert):
ii. Adding any feature, including security, as an afterthought is expensive


Vipul Patel (Expert):
iii. Adding security might change the way you’ve implemented features. This too can be expensive


Vipul Patel (Expert):
iv. Adding security might change the application interface, which might break the code that has come to rely on the current interface.


Vipul Patel (Expert):
There is a need for the security principles to be imbibed in a software developement process. These principles are as under:


Vipul Patel (Expert):
a. Establish a security process


Vipul Patel (Expert):
b. Define the product security goals]


Vipul Patel (Expert):
c. Consider security as a product feature


Vipul Patel (Expert):
d. Learn from mistakes


Vipul Patel (Expert):
e. Use least privilege


Vipul Patel (Expert):
f. Use defense in depth

g. Assume external systems are insecure

h. Plan on failure

i. Fail to a secure mode

j. Employ secure defaults

h. Remember that security features != secure features

i. Never depend on security through obscurity


Vipul Patel (Expert):
Please let me complete the section theory for today, then I will jump to examples.... :)


Vipul Patel (Expert):
and then take up all the questions raised.


Vipul Patel (Expert):
How to incorporate security features thru design? The answer is thru Threat Modelling


Vipul Patel (Expert):
You cannot build a secure system until you understand your threats. It's as simple as that.


Vipul Patel (Expert):
A threat model is a security based analysis that helps people determine the highest level security risks posed to the product and how attacks can manifest themselves.


Vipul Patel (Expert):
The goal is to determine which threasts require migitation and how to migitate the threats.


Vipul Patel (Expert):
Benefits of threat modeling


Vipul Patel (Expert):
a. It helps to understand the threat better.


Vipul Patel (Expert):
b. Threat models helps you find bugs.


Vipul Patel (Expert):
b. Threat models helps you find bugs.


Vipul Patel (Expert):
c. You can discover serious design bugs in the process


Vipul Patel (Expert):
d. Threat models can help new team members understand the application in detail.


Vipul Patel (Expert):
Threat modeling process:


Vipul Patel (Expert):
1. Assemble the threat-modelling team


Vipul Patel (Expert):
2. Decompose the application


Vipul Patel (Expert):
3. Determine the threats to the application using STRIDE model


Vipul Patel (Expert):
4. Rank the threats by decreasing risk


Vipul Patel (Expert):
5. Choose how to respond to the threats


Vipul Patel (Expert):
6. Choose techniques to mitigate the threats


Vipul Patel (Expert):
We are now done with the theory ;)  . and we shall  begin examples of security vulnerabilities.


Vipul Patel (Expert):
The biggest security issue has been the Buffer overrun....


Vipul Patel (Expert):
Q: what is STRIDE model?

A: STRIDE model is a model to understand the security flaws. It includes analysis for the following type of flaws: "Spoofing identity", "Tampering with data" , "Repudiation", "Information disclosure", "Denial of service", "Elevation of privilege"

More details are available at http://msmvps.com/secure/archive/2004/06/22/8728.aspx


Vipul Patel (Expert):
No Sundar: The good thing about the .NET Framework is that it is no longer a security issue with .NET using C# and VB.NET. With VC++.NET, you need to compile your project with /GS option to identify any such possible buffer overflows in your project.


Vipul Patel (Expert):
Sai: Your question has been answered in the previous post.


Vipul Patel (Expert):
Q: How can Buffer Overrun be a security issue ?

A: I am coming to that with an example

Contd in another post

The Gurus of .NET have shown a new way of charity. 30 such gurus have combined their might and come out with a novel idea to aid charity for the Tsunami victims. More details can be found here.

The consultants in this auction are Michelle Leroux Bustamante, Kimberly L. Tripp, Jonathan Goodyear, Andrew Brust, Richard Campbell, Adam Cogan, Malek Kemmou, Jackie Goldstein, Ted Neward, Kathleen Dollard, Hector M Obregon, Patrick Hynds, Fernando Guerrero, Kate Gregory, Joel Semeniuk, Scott Hanselman, Barry Gervin, Clemens Vasters, Jorge Oblitas, Stephen Forte, Jeffrey Richter, John Robbins, Jeff Prosise, Deborah Kurata, Goksin Bakir, Edgar Sánchez, Thomas Lee, J. Michael Palermo IV, Vishwas Lele, and John Lam.

You can check out the details at http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=5552696499