Transcript: Building a UX team. What are the options?
SDL and the CWE/SANS Top 25
MSSD-3 is the third conference in a series devoted to an in-depth discussion of a popular and important topic: minimizing software vulnerabilities during development.
What is the CWE/SANS Top 25?
The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software.
They are often easy to find, and easy to exploit.
They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
Risky Resource Management
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-494: Download of Code Without Integrity Check
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-676: Use of Potentially Dangerous Function
CWE-131: Incorrect Calculation of Buffer Size
CWE-134: Uncontrolled Format String
CWE-190: Integer Overflow or Wraparound
Mitigating memory corruption
SDL memory corruption related tasks
Remove Vulnerabilities
• Removing banned APIs
• Code analysis
• Using safe integer arithmetic
• Fuzzing
• Education
Add Defenses
• Layout randomization
• Stack cookies
• NX
• Safe exception handling
• Many more…
Removing banned APIs
• SDL has banned over 100 C/C++ functions
• Removing banned APIs removes potential security bugs with very little engineering effort
Banned API examples
• strcpy and variants: lstrcpy, wcscpy, _mbscpy, etc
• strcat and variants
• sprintf and variants
• gets
• lstrlen
Finding banned APIs • • • Use #include
• • Removing banned APIs C++ std::string #include
Removing banned APIs automatically
    #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1
    #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_MEMORY 1
• ~25% of banned APIs removed automatically
Static analysis
• Native static analysis tool ships with VC++ (/analyze)
• Finds many common memory corruption bugs
• As a general rule, any memory corruption bug should be treated as real
Integer overflow memory corruption • Math quiz: 65535 + 1 = ?
Integer overflow pattern
    size_t cb = num * sizeof(T);
    T *p = malloc(cb);

    size_t cb = 5 * 4;
    T *p = malloc(20);

    size_t cb = 16384 * 4;
    T *p = malloc(0);
Safe arithmetic libraries • SafeInt class library for C++ #include
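The integer overflow pattern and a checked form of it, as an added example in plain C (not code from the original slides and not the SafeInt library). The 16-bit size type mirrors the slide's 16384 * 4 case, and `alloc_array` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The slide's arithmetic with a 16-bit size type: the product is
 * truncated to 16 bits, so 16384 * 4 = 65536 becomes 0. */
uint16_t size16_unchecked(uint16_t num, uint16_t elem)
{
    return (uint16_t)((uint32_t)num * elem);
}

/* Checked multiply: returns 0 and sets *out on success, -1 if
 * num * elem cannot be represented in size_t. */
int size_mul_checked(size_t num, size_t elem, size_t *out)
{
    if (elem != 0 && num > SIZE_MAX / elem)
        return -1;
    *out = num * elem;
    return 0;
}

/* alloc_array (hypothetical helper): refuses wrapped or zero sizes
 * instead of handing back a buffer that is too small. */
void *alloc_array(size_t num, size_t elem)
{
    size_t cb;
    if (size_mul_checked(num, elem, &cb) != 0 || cb == 0)
        return NULL;
    return malloc(cb);
}

int main(void)
{
    void *p = alloc_array(5, 4);
    printf("5 * 4 in 16 bits     = %u\n", (unsigned)size16_unchecked(5, 4));
    printf("16384 * 4 in 16 bits = %u\n", (unsigned)size16_unchecked(16384, 4));
    printf("alloc_array(5, 4)          -> %s\n", p ? "ok" : "refused");
    printf("alloc_array(SIZE_MAX/2, 4) -> %s\n",
           alloc_array(SIZE_MAX / 2, 4) ? "ok" : "refused");
    free(p);
    return 0;
}
```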
Additional memory corruption defenses
• Address Space Layout Randomization (ASLR)
• Stack cookies (/GS)
• No eXecute (NX) a.k.a. Data Execution Prevention (DEP)
• Exception handler protection (SafeSEH and SEHOP)
• HeapSetInformation
• Encoding long-lived pointers
ASLR process address space
Boot 1: app.exe, user32.dll, ssleay32.dll, ntdll.dll
Boot 2: user32.dll, ntdll.dll, app.exe, ssleay32.dll
Boot 3: ssleay32.dll, app.exe, ntdll.dll, user32.dll
• Randomizes memory locations
• Introduced in Windows Vista and Server 2008
• Images must be linked with /DYNAMICBASE
Exploit: Return address overwrite
Stack diagram labels: Local Variables, Saved EBP, Return address, Arguments (annotation: Buffer overflow)
• Common stack-based buffer overflow
• Return address is overwritten to get code execution
Stack cookies (/GS)
Stack diagram labels: Local Variables, GS Cookie, Saved EBP, Return address, Arguments
Values shown in the diagram: 0xa47c1039 0x0012ef04 0x7601148c 0x41414141 0x41414141 0x7843110b
• Compiler change introduced in VS2002
  – Cookie inserted into stack frame in function prologue
  – Cookie validated before function return in function epilogue
• Mismatching cookie leads to process termination
• Compile with /GS
Insecure Interaction Between Components
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross site Scripting')
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Injection attacks in the news
SDL injection defense related tasks
Remove Vulnerabilities
• Encode or escape input
• Validate input
• Encode or escape output
• Code analysis
• Use anti-forgery tokens
Add Defenses
• Reduce privileges
• HttpOnly
• X-XSS-Protection
SQL injection
    string Status = "No";
    string sqlstring = "";
    try {
        // Connects as the sa account
        SqlConnection sql = new SqlConnection(
            @"data source=localhost;" +
            "user id=sa;password=…;");
        sql.Open();
        // Id is concatenated into the SQL text
        sqlstring = "SELECT HasShipped" +
            " FROM Shipment WHERE ID='" + Id + "'";
        SqlCommand cmd = new SqlCommand(sqlstring, sql);
        if ((int)cmd.ExecuteScalar() != 0)
            Status = "Yes";
    } catch (SqlException se) {
        // The query text and the database error messages go back to the caller
        Status = sqlstring + " failed\n\r";
        foreach (SqlError e in se.Errors) {
            Status += e.Message + "\n\r";
        }
    }
SQL injection
    // Vulnerable: Id is concatenated into the SQL text
    sqlstring = "SELECT HasShipped" +
        " FROM Shipment WHERE ID='" + Id + "'";
    SqlCommand cmd = new SqlCommand(sqlstring, sql);

    // Parameterized query: Id is bound as a typed parameter
    sqlstring = "SELECT HasShipped" +
        " FROM Shipment WHERE ID=@id";
    SqlCommand cmd = new SqlCommand(sqlstring, sql);
    cmd.Parameters.Add("@id", SqlDbType.Int);
    cmd.Parameters["@id"].Value = Id;

IQueryable

    // Stored procedure called with a typed parameter
    procName = "FindShipment";
    SqlCommand cmd = new SqlCommand(procName, sql);
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.Parameters.Add("@id", SqlDbType.Int);
    cmd.Parameters["@id"].Value = Id;
Incorrect Filtering ; del delete ete from table
Validate untrusted input
• Use regular expressions for simple cases
• Beware of ReDoS…
• ValidateRequest for ASP.NET Web Forms
Cross-site scripting/HTML injection
    response.Write("Hello " + request["name"]);
Escaping/encoding untrusted input
    response.Write("Hello " + HtmlEncode(request["name"]));
Static analysis
• FxCop (also integrated with Visual Studio)
• Code Analysis Tool .NET
Reduce permissions
• Permit only stored procedure execution rights
Browser defense-in-depth measures
• HttpOnly cookies
• IE X-XSS-Protection flag
Cross-site Request Forgery
• Not a code injection vulnerability
• Still a trust issue
    http://bank.com/transfer?acct=bryan&amt=1000
• SDL requires use of anti-forgery tokens such as ViewStateUserKey
Porous Defenses
CWE-306: Missing Authentication for Critical Function
CWE-862: Missing Authorization
CWE-798: Use of Hard-coded Credentials
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-250: Execution with Unnecessary Privileges
CWE-863: Incorrect Authorization
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-311: Missing Encryption of Sensitive Data
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-759: Use of a One-Way Hash without a Salt
Symmetric block
• … or used only for decryption: DES, 2 Key 3DES, DESX, RC2, SKIPJACK, CYLINK_MEK
• Minimally acceptable: 3 Key 3DES
• Recommended: AES (>=128 bit)
Block cipher modes
• … or used only for decryption: ECB
• Minimally acceptable: CCM, GCM
• Recommended: CBC, CTS
Symmetric stream
• … or used only for decryption: SEAL, RC4 (<128bit or unreviewed)
• Minimally acceptable: RC4 (>= 128bit)
• Recommended: None – Block cipher is preferred
Asymmetric
• … or used only for decryption: RSA (<2048 bit), Diffie-Hellman (<2048 bit), 1024 bit DSA
• Recommended: RSA (>=2048bit), Diffie-Hellman (>=2048bit), Elliptic Curve Cryptography P-256 or greater
Hash (including HMAC)
• … or used only for decryption: SHA-0 (SHA), SHA-1, MD2, MD4, MD5
• Minimally acceptable: 3DES MAC
• Recommended: SHA-2 (includes: SHA-256, SHA-384, SHA-512)
Don’t use broken cryptography
• Use known strong crypto
• Use non-cryptographic algorithms such as CRC32
• Don’t design your own algorithms
Don’t use stream ciphers
Diagram: Plaintext 1 and Plaintext 2 are each encrypted with Key 1, giving Ciphertext 1 and Ciphertext 2.
Ciphertext 1 xor Ciphertext 2 = Plaintext 1 xor Plaintext 2
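The key-reuse property in the diagram above, as an added example in C that is not part of the original slides. RC4 is used only because the algorithm table names it; the same relation holds for any cipher that XORs a key-derived keystream into the data. The messages are constructed sample values and `xor_relation_holds` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RC4: XOR data in place with the keystream derived from key. */
void rc4_xor(const unsigned char *key, size_t keylen,
             unsigned char *data, size_t len)
{
    unsigned char S[256], t;
    unsigned i = 0, j = 0;
    size_t n;
    for (n = 0; n < 256; n++) S[n] = (unsigned char)n;
    for (n = 0; n < 256; n++) {               /* key scheduling */
        j = (j + S[n] + key[n % keylen]) & 0xff;
        t = S[n]; S[n] = S[j]; S[j] = t;
    }
    j = 0;
    for (n = 0; n < len; n++) {               /* keystream generation */
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        data[n] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* 1 if C1 xor C2 == P1 xor P2 for every byte, 0 if not, -1 on bad input. */
int xor_relation_holds(const char *p1, const char *p2,
                       const char *k1, const char *k2)
{
    unsigned char c1[64], c2[64];
    size_t len = strlen(p1), n;
    if (len != strlen(p2) || len > sizeof c1 || !*k1 || !*k2)
        return -1;
    memcpy(c1, p1, len); memcpy(c2, p2, len);
    rc4_xor((const unsigned char *)k1, strlen(k1), c1, len);
    rc4_xor((const unsigned char *)k2, strlen(k2), c2, len);
    for (n = 0; n < len; n++)
        if ((c1[n] ^ c2[n]) != ((unsigned char)p1[n] ^ (unsigned char)p2[n]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample messages of equal length. */
    printf("same key: %d, distinct keys: %d\n",
           xor_relation_holds("PAY BOB 100", "PAY EVE 999", "Key", "Key"),
           xor_relation_holds("PAY BOB 100", "PAY EVE 999", "Key", "Wiki"));
    return 0;
}
```

With one key for both messages the keystream cancels out of Ciphertext 1 xor Ciphertext 2, so the result depends only on the two plaintexts; with distinct keys it does not.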
Threat modeling
• “The cornerstone of the SDL”
• Data flow diagrams (DFDs)
• STRIDE per element
• Mitigations
• Assumptions
• External dependencies
Diagram labels: Trust boundary, Datastore, Process
Threat modeling to find authentication/authorization issues
• Spoofing; mitigated by authentication controls
• Tampering; mitigated with integrity controls
• Repudiation; mitigated by many of the other controls
• Information Disclosure; mitigated by confidentiality controls
• Denial of Service; mitigated by throttling and authorization controls
• Elevation of Privilege; mitigated by authorization controls
Additional SDL Activities
Education
• All team members must complete at least one training course per year
• Conference attendance also accepted
Bug bar (Severity: Summary)
Critical
• Elevation of privilege (remote): The ability to either execute arbitrary code OR obtain more privilege than intended
Important
• Elevation of privilege (remote): Execution of arbitrary code with extensive user action.
• Elevation of privilege (local): Local low privilege user can elevate themselves to another user, administrator, and/or local system.
Moderate
• Denial of Service: Permanent DoS – requires cold reboot or causes Blue Screen/Bug Check
Summary
• The SDL provides techniques to remove or reduce the number of CWE Top 25 issues in your systems
  – Prevention, removal and defense in depth
• The CWE Top 25 is a useful taxonomy
  – But don’t focus on “fixing the CWE 25”
  – Build security into all phases of your development process