Secure Software Professional Recommendations from CWE/SANS References Material is from:: 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, Version 1.4, Oct 29, 2009. Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Reviewers/Contributors: Todd Burri


Secure Software

Professional Recommendations from CWE/SANS


Material is from:

  • 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, Version 1.4, Oct 29, 2009.

Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside

Reviewers/Contributors: Todd Burri

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Problem: Incorrect Input

Car Sale

Model: Chevrolet XR2 Price $: 25.45

VIN: 12K4FG436DDE842 Status: New

Sale to: Rubber Ducky

2222 Atlantic Ocean

Antarctica, NY, 00000

Phone: 911 VISA: RUAFOOL444

Problem: Buffer overflow

Enter Name: Zzzzzzzzzzzzzz

Fix: Input Validation

Assume all input is malicious! Validate:

  • Length
  • Type
  • Syntax
  • Context: Business Rules

Or Use

  • Special input checkers
    • Struts or OWASP ESAPI Validation API
  • Whitelist: List of acceptable input
  • Blacklist: Reject suspect input
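An added example, not part of the slides, that applies the four checks above (length, type, syntax, business rules) to the car-sale form from the "Incorrect Input" slide. The field names, length limits, state whitelist and minimum price are assumptions made for this demo.

```python
import re

# Added example (not from the slides): validating the car-sale form from the
# "Incorrect Input" slide for length, type, syntax and business rules.
# Field names, limits and the state whitelist are assumptions for this demo.
FIELD_MAX_LEN = {"model": 40, "vin": 17, "price": 12, "phone": 12,
                 "state": 2, "card": 19}
STATE_WHITELIST = {"NY", "WI", "CA", "TX"}      # constructed, shortened list
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")   # real VINs never use I, O or Q
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
MIN_NEW_CAR_PRICE = 1000.00                     # business rule (assumed)

def validate_sale(form: dict) -> list:
    """Return a list of error strings; an empty list means the input passed."""
    errors = []
    # 1. Length: reject oversized fields before anything else inspects them
    for name, limit in FIELD_MAX_LEN.items():
        value = str(form.get(name, ""))
        if len(value) > limit:
            errors.append(f"{name}: too long ({len(value)} > {limit})")
    if errors:
        return errors
    # 2. Type: price must parse as a number
    try:
        price = float(form.get("price", ""))
    except ValueError:
        return ["price: not a number"]
    # 3. Syntax: each field must match its allow-list pattern
    if not VIN_RE.match(form.get("vin", "")):
        errors.append("vin: malformed")
    if not PHONE_RE.match(form.get("phone", "")):
        errors.append("phone: malformed")
    if not CARD_RE.match(form.get("card", "")):
        errors.append("card: malformed")
    if form.get("state", "") not in STATE_WHITELIST:
        errors.append("state: not in whitelist")
    # 4. Context: business rules, e.g. a new car does not sell for $25.45
    if form.get("status") == "New" and price < MIN_NEW_CAR_PRICE:
        errors.append("price: below minimum for a new vehicle")
    return errors

# Constructed input: the deliberately bad sale from the slide
BAD_FORM = {"model": "Chevrolet XR2", "price": "25.45", "vin": "12K4FG436DDE842",
            "status": "New", "state": "NY", "phone": "911", "card": "RUAFOOL444"}

if __name__ == "__main__":
    for err in validate_sale(BAD_FORM):
        print("rejected:", err)
```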




Problem: Insecure Interaction Between Components

Diagram: a real client (Program B) and a fake one (Program B*).

Attack: Code is reverse engineered and modified to act ...

Server assumes ... occurred in client. Does not recheck.

Fix: Server-Side Authentication



  • Perform authentication and input validation on both client and server sides
  • Use encryption & hash between client & server
Problem: SQL Injection

  • Java original:
        "SELECT * FROM users_table WHERE username=" + "'" + username + "'" + " AND password = " + "'" + password + "'";
  • Inserted password: Aa' OR ''='
  • Java result:
        SELECT * FROM users_table WHERE username='anyname' AND password = 'Aa' OR ''=''
  • Inserted password: foo';DELETE FROM users_table WHERE username LIKE '%
  • Java result:
        SELECT * FROM users_table WHERE username='anyname' AND password = 'foo'; DELETE FROM users_table WHERE username LIKE '%'

Result screen: Welcome to My System

Fix: Input Sanitization

  • Avoid dynamically-constructed query strings
  • Disallow meta-characters

Persistence software:

  • Oracle DBMS_ASSERT
  • MySQL mysql_real_escape_string() for C, PHP
  • Hibernate or Enterprise Java Beans if used properly

Diagram: GUI (validation) -> Business Logic -> Persistence Layer
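An added example (not from the slides) that puts the concatenated login query from the "SQL Injection" slide beside a parameterized one, which is what "avoid dynamically-constructed query strings" means in practice. The in-memory SQLite table and its one row are constructed for the demo; the bypass string is the first inserted password from the slide.

```python
import sqlite3

# Added example (not from the slides): the concatenated query from the
# "SQL Injection" slide beside a parameterized version. Table and row are
# constructed for the demo; BYPASS is the inserted password from the slide.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    con.execute("INSERT INTO users_table VALUES ('ginger', 'snap')")
    con.commit()
    return con

def login_concat(con, username: str, password: str) -> bool:
    # Same construction as the slide's Java: user data becomes SQL text,
    # so a quote in the password ends the literal and the rest is parsed as SQL
    sql = ("SELECT * FROM users_table WHERE username='" + username +
           "' AND password='" + password + "'")
    return con.execute(sql).fetchone() is not None

def login_param(con, username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the statement,
    # so quotes in the password stay data and never become SQL syntax
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None

BYPASS = "Aa' OR ''='"   # inserted password from the slide

if __name__ == "__main__":
    con = make_db()
    # WHERE ... AND password='Aa' OR ''='' is true for every row
    print(login_concat(con, "anyname", BYPASS))   # True
    print(login_param(con, "anyname", BYPASS))    # False: no such user/password
```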


Problem: OS Command Injection

Problem: Command Injection into SQL

  • Inserts '|shell("cmd /c echo " & char(124) & "format c:")|'
    • Data and control can traverse the same path

Result screen: Welcome to My System

Fix: Avoid OS Command Injection
  • Separate control information from data information.
    • E.g. where data -> database, control defines application
  • Use library calls instead of external processes
  • Avoid external control of command input
  • Run code in “jail” or other sandbox environment
  • Provide lowest possible permissions for executable

Example: Data: “Terry, Brian, Jerry, Ann, Louis, …”; Control: Start WPI session, parms -lmk

Problem: External Control of Critical State Data

User-side data can be modified:

  • Configuration files
  • Hidden form fields
  • Environment variables
  • Registry keys

Diagram: Web request -> Web Form -> Form with fake data

Fix:Control Critical State Data
  • Understand all locations that are accessible to attackers
  • Do not keep state info on client without using encryption and integrity checking (e.g. HMAC)
  • Store state info on server side only: ASP.NET View State, OWASP ESAPI Session Mgmt
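An added example, not from the slides, of the second bullet: state that must travel through a hidden form field is sealed with an HMAC so the server detects the "form with fake data" case. SERVER_KEY is a constructed demo value; the helper names are mine.

```python
import base64, hashlib, hmac, json

# Added example (not from the slides): keeping state in a hidden form field, as
# in the "External Control of Critical State Data" slide, but sealed with an
# HMAC so the server detects any client-side change. SERVER_KEY is a
# constructed demo value; a real key is a server-side secret never sent out.
SERVER_KEY = b"demo-only-server-secret"

def _encode(state: dict) -> bytes:
    # canonical JSON so the same state always produces the same bytes
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()

def seal_state(state: dict) -> str:
    """Serialize the state and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    payload = _encode(state)
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())

def open_state(token: str):
    """Return the state if the tag verifies, else None (tampered or malformed)."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(payload)

def client_modified(token: str, new_state: dict) -> str:
    """Constructed: simulate the 'form with fake data' by rewriting only the body."""
    return base64.urlsafe_b64encode(_encode(new_state)).decode() + "." + token.split(".", 1)[1]

if __name__ == "__main__":
    token = seal_state({"item": "XR2", "price": 25450.00})
    print(open_state(token))                                                  # original state
    print(open_state(client_modified(token, {"item": "XR2", "price": 25.45})))  # None
```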
Problem: Insecure Interaction Between Components

Web servers are memoryless (stateless): they do not remember sending a form to a client, what type it was, or what information it held.

The client side can remove checks, insert other code, return unexpected data, etc.

Diagram: Web access -> Web Form with JavaScript -> Revised form with data and JavaScript

Problem: Cross-Site Scripting

A reputable site has links to a site that, unknown to it, is disreputable.

The disreputable site generates a JavaScript or VBScript that gets inserted into the reputable company’s HTML response.

The result looks like a valid web page from the reputable company.

E.g.: Error: Page not found

Diagram: Web access to product -> should be an error (Not found); instead: fake Web Form with JavaScript


Fix:Preserve Web Page Structure
  • Specify strong character encoding such as UTF-8 or ISO-8859.
    • Use on output
    • Check on input
    • Or use other encoders: MS Anti-XSS library, OWASP ESAPI Encoding, Apache Wicket
  • Validate not only input data, but all parts of the HTTP input.
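An added example (not from the slides) of the two points above applied to the "Error: Page not found" page from the XSS slide: the request path is checked for a valid UTF-8 encoding on input, and it is HTML-encoded on output in a response that declares its charset. The function names and the request bytes are constructed for the demo.

```python
import html

# Added example (not from the slides): encoding checked on input, HTML encoding
# applied on output, charset declared in the response. Function names and the
# sample request are constructed for this demo.
def check_input_encoding(raw: bytes):
    """Return decoded text, or None for invalid UTF-8 or control characters."""
    try:
        text = raw.decode("utf-8", errors="strict")   # rejects invalid/overlong sequences
    except UnicodeDecodeError:
        return None
    if any(ord(c) < 0x20 for c in text):              # no NUL or other control characters
        return None
    return text

def render_not_found(requested: str) -> str:
    """Build the error page; the untrusted path is encoded on output."""
    safe = html.escape(requested, quote=True)         # & < > " ' become entities
    return ("<!DOCTYPE html><html><head><meta charset=\"utf-8\">"
            "<title>Error</title></head><body>"
            f"<p>Error: Page not found: {safe}</p></body></html>")

def handle_request(raw_path: bytes) -> tuple:
    """Return (status, headers, body) for a request whose path does not exist."""
    headers = {"Content-Type": "text/html; charset=utf-8"}   # charset stated explicitly
    path = check_input_encoding(raw_path)
    if path is None:
        return 400, headers, render_not_found("(invalid request)")
    return 404, headers, render_not_found(path)

if __name__ == "__main__":
    # Constructed request: a path carrying a script tag, as in the XSS slide
    status, headers, body = handle_request(b"/product/<script>alert(1)</script>")
    print(status, body)   # the tag is rendered as text, not executed
```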
Problem: Forgery

Also known as Cross-Site Request Forgery

Diagram: Web access -> Web Form with JavaScript -> Fake form with data and JavaScript -> Real form

Problem: Improper Access Control

Diagram: Web access -> Web Form (needs authentication) -> Reply with authentication -> Web Form for actual data; alternatively, a Web Request goes straight for the Web Form for actual data.


Fix:Access Permissions
  • Use Role-Based Access
    • At least permissions: anonymous, normal, privileged, administrative
  • Verify access control at server side
  • Sensitive pages are never cached and must have active authorization token
  • Only provide higher level access when you need it; always run with the minimum possible authorization level
  • Check that files read have the required access level permissions; administrators may not set them properly.
  • Use a good random number generator when generating random session keys – if not random, attackers will figure out next key sequence
Problem:Incorrect Access Permissions

What permissions to use for these forms???

Fix: Prevent Forgery

  • Use a nonce for each form
  • Not predictable
  • If dangerous operation, send a separate confirmation request

Example form:

Name: Ann Winkler
Address: 2526 Pratt Ave, Racine WI
Phone: 262-595-2111
Interests: Horses, Movies, Travel
Security Code: Johnson Rivers
Security Code: (entry field)
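An added example, not from the slides, of the per-form nonce described above: it comes from a CSPRNG (not predictable), is bound to one session and one form, and is consumed on first use so a replayed or forged submission is rejected. The in-memory session dict stands in for a real server-side session store.

```python
import secrets, hmac

# Added example (not from the slides): a per-form nonce as the "Prevent Forgery"
# slide describes. It comes from a CSPRNG (not predictable), is bound to one
# session and one form, and is consumed on first use. The session store is a
# constructed in-memory dict standing in for real server-side session storage.
_SESSIONS = {}   # session_id -> {form_name: set of outstanding nonces}

def issue_nonce(session_id: str, form_name: str) -> str:
    """Mint a fresh 256-bit nonce for one rendering of one form."""
    nonce = secrets.token_urlsafe(32)
    _SESSIONS.setdefault(session_id, {}).setdefault(form_name, set()).add(nonce)
    return nonce

def verify_nonce(session_id: str, form_name: str, submitted: str) -> bool:
    """Accept a submission once; a replayed, guessed or foreign nonce is rejected."""
    outstanding = _SESSIONS.get(session_id, {}).get(form_name, set())
    for nonce in list(outstanding):
        if hmac.compare_digest(nonce.encode(), submitted.encode()):  # constant time
            outstanding.discard(nonce)                                # one-time use
            return True
    return False

def handle_submission(session_id: str, form_name: str, fields: dict) -> str:
    """Server handler: check the security code before acting on the form data."""
    if not verify_nonce(session_id, form_name, fields.get("security_code", "")):
        return "rejected: missing, reused or unknown security code"
    return "accepted: " + fields.get("name", "")

if __name__ == "__main__":
    code = issue_nonce("sess-1", "profile")
    form = {"name": "Ann Winkler", "security_code": code}
    print(handle_submission("sess-1", "profile", form))   # accepted
    print(handle_submission("sess-1", "profile", form))   # rejected: replay
```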




Problem: Cleartext Transmit of Sensitive Info

Login: Ginger Password: Snap

  • Encrypt data with standard, reliable encryption before transmission
Problem: Race Condition

    Thread P1        Thread P2        Comment
    cin >> input;    ..               // read in "hello" into global
    ..               cin >> input;    // read in "good-bye" into global
    out = input;     out = input;     // do a string copy (...use strcpy())
    cout << out;     ..               // print out "good-bye"
    ..               cout << out;     // print out "good-bye"

  • Use synchronization primitives around critical code
  • Minimize use of shared resources
  • Test using artificial delays in race window
  • Identify and trigger error conditions

Result: Data Corruption & Denial of Service
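An added example, not from the slides, that reproduces the shared-global race in the table above and then applies the first and third fixes: a lock around the whole read-copy-print sequence, with an artificial delay to widen the race window during testing. The two globals and the two inputs follow the slide; the function names are mine.

```python
import threading, time

# Added example (not from the slides): the shared-global race from the
# "Race Condition" slide, then the fix with a lock around the critical section
# (read input, copy to out, print out). The delay stands in for the slide's
# "artificial delays in race window" testing advice.
shared = {"input": "", "out": ""}       # the two globals from the slide
_lock = threading.Lock()

def unsafe_session(text: str, results: list) -> None:
    """Unsynchronized: another thread may overwrite 'input' between the steps."""
    shared["input"] = text              # cin >> input
    time.sleep(0.01)                    # widen the race window
    shared["out"] = shared["input"]     # out = input
    results.append(shared["out"])       # cout << out

def safe_session(text: str, results: list) -> None:
    """Synchronized: the whole read-copy-print sequence is one critical section."""
    with _lock:
        shared["input"] = text
        time.sleep(0.01)
        shared["out"] = shared["input"]
        results.append(shared["out"])

def run(worker, inputs=("hello", "good-bye")) -> list:
    """Run one worker per input concurrently and return what each one printed."""
    results = []
    threads = [threading.Thread(target=worker, args=(t, results)) for t in inputs]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)

if __name__ == "__main__":
    print("unsafe:", run(unsafe_session))   # usually ['good-bye', 'good-bye']
    print("safe:  ", run(safe_session))     # always ['good-bye', 'hello']
```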

Problem: Chatty Error Messages

“Cannot find file: C:/users/Lincke/validation.txt”

“Invalid password for login ID”

“error: divide by zero error”

Error messages should avoid file, network configuration, and PII information.

Must be helpful to the user.

Remove debug info before release.
Problem: External Control of Path
  • If you download an external file or navigate to a URL – and execute it
  • If you provide access to a file on your system
    • Attacker can insert ../../ and access files outside their privilege.

Fix:
  • Run as low-privilege user
  • Provide fixed input values
  • Run code in ‘jail’: Unix chroot jail and AppArmor

Example form: Submit File: Enter pathname: [Browse]
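An added example (not from the slides) of confining a user-supplied pathname, such as the "Enter pathname" field above, to one fixed directory so that ../../ sequences cannot reach files outside it. BASE_DIR is an assumed location and the function names are mine.

```python
import os

# Added example (not from the slides): confining a user-supplied pathname to
# one directory, the "External Control of Path" problem. A fixed base plus
# realpath means ../ sequences and symlinks cannot escape it.
# BASE_DIR is an assumed location for the demo.
BASE_DIR = os.path.realpath("/var/app/uploads")

def resolve_under_base(user_path: str, base_dir: str = BASE_DIR):
    """Return the absolute path inside base_dir, or None if it escapes."""
    if "\x00" in user_path:                # NUL can truncate paths in C-backed APIs
        return None
    # Treat the input as relative to the base even if the user sent an absolute path
    candidate = os.path.realpath(os.path.join(base_dir, user_path.lstrip("/\\")))
    try:
        if os.path.commonpath([base_dir, candidate]) != base_dir:
            return None                    # ../../ walked out of the base
    except ValueError:                     # e.g. different drives on Windows
        return None
    return candidate

def open_upload(user_path: str):
    """Open only files that resolve inside BASE_DIR; otherwise refuse."""
    full = resolve_under_base(user_path)
    if full is None:
        raise PermissionError("pathname outside the upload directory")
    return open(full, "rb")

if __name__ == "__main__":
    for p in ["report.txt", "../../etc/passwd", "sub/../ok.txt"]:
        print(p, "->", resolve_under_base(p))
```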


Problem: Adopting Untrusted Software

Free Software … Is it Safe?

Use monitoring tools that examine processes as they interact with the OS:

  • Truss (Solaris)
  • Strace (Linux)
  • FileMon, RegMon, Process Monitor, Sysinternals (Windows)
  • Sniffers, protocol analyzers

Problem: Other Security Errors

Find the errors:

    Security() {
        String contents, environment;
        String spath = "security.dat"
        File security = new File;
        if ("spath") >0)
            contents =;
            environment =;
        print("Error: Security.dat not found");


Problem: Other Security Errors

Find the errors:

    Security() {
        String contents, environment;
        String spath = "security.dat"
        File security = new File;
        if ("spath") >0)
            contents =;
            environment =;
        print("Error: Security.dat not found");

Answers:

  • Variables contents & environment are not initialized
    • Can cause problems if executed in certain ways
    • Attacker can initialize or read variables from previous session
  • “security.dat” is not a full pathname.
    • File can be replaced if run from another location
  • File ‘security’ is not closed
    • Leaves file open to attack
    • Keeps unnecessary resources busy
  • Error message indicates file name
    • Can give attacker important info
Problem: More Security Errors

Find the errors:

    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;
        total = count * product.cost();
        Message m = new Message(





Problem: More Security Errors

Find the errors:

    purchaseProduct() {
        password = "N23m**2d3";
        count = form.quantity;
        total = count * product.cost();
        Message m = new Message(

Answers:

  • Password is hardcoded
    • If attacker finds it, every system can be broken into before software is changed on all computers
    • Passwords may only be stored in an encrypted file
  • Total may overflow, producing a very small number
  • Input is not checked (could be zero or invalid)
  • Encryption should be a standard algorithm
    • Home-written variety can be broken into easily
Fix: Test All Software!!!
  • Dynamic Tools: use large test suites such as fuzz testing, robustness testing, and fault injection. Software may slow down but should not crash or generate incorrect results
  • Use automated static analysis tools, e.g., warnings on program analysis tools
  • Use manual tests such as penetration testing, threat modeling, and interactive tools to reach beyond auto testing tools
  • Run program under low memory conditions, insufficient privileges, interrupt a transaction or disable connectivity before transaction completed.

A third party inserts attack data into another organization’s html response. This is known as:

  • Cross-Site Scripting
  • Blacklist
  • Race Condition
  • Cleartext

What technique would NOT be appropriate in avoiding OS Command Injection?

  • Separate control information from data information
  • Use library calls instead of external processes
  • Run code in “jail” or other sandbox environment
  • Use a hard-coded password to enable access

Which of the following is true concerning web servers?

  • Servers cannot retain web session state, and thus the client must do it
  • The single best place to do input validation and authentication is at the client-side
  • Using client as storage is safe if encryption and integrity checking are used
  • The server can trust web input if it validates the data in the web form

The BEST way to ensure input validity at the client is:

  • Nonce
  • Whitelist
  • Blacklist
  • Integrity Checking

The BEST implementation of Access Control would be:

  • Do not provide caches for sensitive data
  • Always use minimal possible permissions in code, for as short of a time as possible
  • Avoid using cookies and hidden fields
  • Never provide an authorization above ‘guest’ to web users

SQL Injection is BEST protected against by using:

  • Cleartext
  • Encryption and Integrity Checking
  • Sanitization
  • Clearly defined code such as UTF-8

The main way to avoid replay between a client and server is:

  • Integrity checking
  • Whitelist
  • Blacklist
  • Nonce

An attack that could cause the MOST problems includes:

  • Hard-coded password
  • Race condition
  • Denial of Service
  • Chatty error message

The BEST way to ensure no message modification occurs is:

  • Hashing
  • Whitelist
  • Blacklist
  • Encryption

All of the following EXCEPT which answer can result in invalid data AND break-in?

  • Non-random random number generator
  • Buffer overflow
  • Uninitialized variables resulting in error messages
  • Race conditions

Buffer overflow, SQL injection, OS command injection, cross-site scripting, cleartext, race condition, chatty error message

Sanitization, whitelist, blacklist, nonce, character encoding (UTF-8), jail or sandbox environment