Writing Secure Code, Second Edition

Author: Michael Howard and David LeBlanc
Pages: 800
Disk: N/A
Level: Intermediate
Published: 12/04/2002
ISBN: 9780735617223
Price: $49.99

Index
Symbols and Numbers
\\?\ (format for file names), 370
" (quotation marks), 422, 677
3DES key, 337-38
A
AcceptConnection example, 465-70
access checks vs. context handles, 492-93
access control entries (ACEs)
adding to ACLs, 191-93
dangerous types, 197-99
deny type, 179, 180-81
getting the order right, 191-93
overview, 177, 178, 179
access control lists (ACLs)
adding ACEs to, 191-93
ATLACL.cpp file, 189-90
code example, 172-75
creating in Windows 2000, 185-89
creating in Windows NT, 181-85
creating with Active Template Library, 189-91
discretionary type (DACLs), 175, 177, 184, 195-99, 211, 669
DPAPI and, 305-6
elevated privilege issues, 220-21, 222-23
examples of secured resources, 177
file system support, 175-76
how to choose, 178-81
importance of, 171-75
NTLACL.cpp file, 181-84
overview, 114, 175, 177, 211
proper use, 725
role of SIDs in performing access checks, 219-20
SDDLACL.cpp file, 186
securing data in the absence of, 315-20
system type (SACLs), 175, 177, 184
trusted data aspect, 344-45
types of ACLs, 175, 177
access control techniques. See also access control entries; access control lists
COM+ roles, 201
IP restrictions, 202-3, 205
medical example, 203-4
.NET Framework roles, 199-201
overview, 171, 199
SQL Server permissions, 203
SQL Server triggers, 203, 204
access tenet, Safe Harbor Principles, 645
accounts
domain, 666-67
local, 503, 665, 666, 667
Network Service, 665
security implications, 665-67
ACEs. See access control entries
ACK packets, 463, 465
ACLs. See access control lists
Active Directory, identifying where data comes from, 573
Active Template Library (ATL)
_alloca function and, 691-92
creating ACLs with, 189-91
regular expressions and, 360-61
SiteLock, 514-15
string conversion macros, 691-92
ActiveX controls
binding to Web sites, 514-15
developer's checklist, 733
digitally signing, 510
identifying parameters as part of security testing process, 571
InternetCrackURL.cpp file, 513-14
killing, 515
limiting domain usage, 513-14
<OBJECT> tag, 593-95
overview, 509
restricting how they operate, 514-15
role of SiteLock, 514-15
rules of safe for initialization, 511-15
rules of safe for scripting, 511-15
safe for initialization, 510
safe for scripting, 510
security best practices, 509-15
testing applications, 592, 593-95
vulnerabilities, 510-11
AdjustTokenPrivilege function, 245
administrative accounts
malware and, 208-10
reasons for requiring elevated privileges, 220-22
sample Windows application, 226
when not to use, 60-62, 726-27
Administrator SIDs, 689-90
affected users, as DREAD category, 94
Allchin, Jim, 14
_alloca function, 691-92, 719
AllocateUserPhysicalPages function, 327
AllowPartiallyTrustedCallersAttribute attribute, 556-57
alternate data streams, 368, 369
America Online. See AOL parental controls, bypassing
annotating RPC endpoints, 498-99
ANSI characters
buffer size mismatches, 153-54
interchanging with Unicode as testing technique, 575
AOL parental controls, bypassing, 373-74
Apache Web server, vulnerability, 365
APIs, low-level security, 638
Apple Computer, vulnerability in Mac OS X and Apache, 365
applets, identifying as part of security testing process, 571
Application Log, 693-94
applications. See secure applications; software
Argamal, Lamagra, 147
array indexing errors, 144-47
ArrayIndexError.cpp file, 144-47
ASP.NET
assemblies and, 542
<custom error> configuration setting, 561-62
disabling tracing and debugging before deploying applications, 561
forms-based authentication and, 111
HttpServerUtility.HTMLEncode method, 422
Microsoft Passport and, 111
storing sensitive data, 555-56
ValidateRequest configuration option, 427-28
assemblies, .NET
AllowPartiallyTrustedCallersAttribute attribute, 556-57
ASP.NET and, 542
Authenticode-signing, 541-42
calling from partially trusted code, 556-57
checking with FxCop, 539-40
permission requirements, 542-45
strong-naming, 540-41, 555
Assert method, 545-47, 548, 549-50
assets, defined, 87
asymmetric ciphers, 284
asynchronous calls, DCOM and, 508-9
ATL. See Active Template Library
ATLACL.cpp file, 189-90
attack surface
determining, 611-13
minimizing, 57
attack vectors, determining bias, 612-13
attackers vs. defenders, 19-21
attacks, defined, 87
auditing
as authorization mechanism, 117
NULL DACLs and, 197
authentication
basic type, 110
digest type, 110
forms-based, 110-11
IPSec, 113
Kerberos, 112
Microsoft Passport, 111
mutual, 488
NTLM protocol, 112
overview, 109-10
RADIUS, 114
requiring in RPC server-based applications, 484-89
as threat mitigation technique, 109-14
Windows protocols, 112
X.509 certificates, 112-13
Authenticode, 510
AuthnLevel argument, 485
AuthnSvc argument, 486, 487
authorization
access control lists, 114
IP restrictions, 115
overview, 114
privileges, 114
server-specific permissions, 115
B
Back Orifice, 209
backward compatibility, 62, 63, 365
banner strings, 667
BBBOnline, 645, 646
best practices
documenting, 698-700
secure ActiveX, 509-15
secure DCOM, 499-509
secure RPC, 482-99
secure services, 663-67
binary order, 448
bind function, 456, 720
BindDemoSvr.cpp file, 457-63
binding handles, remote procedure calls and, 482
birth dates, 661
bit-flipping attacks
digital signatures and, 294-96
keyed hashes and, 290-91
overview, 289-90
solving, 290-96
blanket, DCOM, 505, 508-9
block ciphers, 284, 287, 289
breaking applications. See security testing
buffer overruns. See also array indexing errors; format string bugs
CodeRed worm and, 592
common flaws, 619
dangerous APIs, 714-16
as example of misplaced trust in input data, 343-45
exploitability, 133
heap-based, 138-44
HeapOverrun.cpp file, 140-44
as internationalization issue, 441-42
Internet Printing Protocol vulnerability, 154-55, 210
in ISAPI applications and filters, 433-36
in Microsoft Index Server, 592
OffByOne.c example, 136-38
overview, 127-29
pointers and, 625
preventing, 155-67
stack-based, 129-38
StackOverrun.c example, 129-36
string handling and, 128, 156-67
testing with random data, 578-84
Unicode and ANSI buffer size mismatches, 153-55
Unicode-related, 441-42
Visual C++ .NET /GS option, 167-70
buffers
reusing for plaintext and ciphertext, 296-97
zero-length read and write, 672
bug e-mails, 18
bug tracking
BugTraq, 15, 139-40, 147
categorizing threats, 46-47
limiting bug counts, 46
bugs, cockroach analogy, 67-68
BugTraq, 15, 139-40, 147
bytes vs. words, 442
C
C and C++ programming languages
ArrayIndexError.cpp file, 144-47
creating salted hash, 302-3
format string bug example, 148-52
HeapOverrun.cpp file, 140-44
migrating components to managed code, 694
OffByOne.c example, 136-38
rand function, 260-62
regular expressions overview, 359-61
remote procedure calls and, 478
role of classes in validating input, 360-61
sample code for handling LSA secrets, 313-15
security issues in compiler optimization, 322-26
stack overrun examples, 131-38
StackOverrun.c example, 129-36
Standard Template Library, 162-63
string handling, 156-67
C#
moving C and C++ components to, 694
regular expressions example, 359
role of classes in validating input, 360-61
testing HTTP-based server applications using WebClient class, 590-91
callback functions, 469, 495-97
canonicalization
attempting, 386-90
CleanCanon.cpp file, 378-90
common Windows filename mistakes, 367-73
defined, 364
filename issues, 364-73
Macintosh/Apache vulnerability, 365
MS-DOS device name vulnerability, 365
myriad ways to represent characters in URLs and Web pages, 378-81
Napster filter example, 364-65
non-file-based issues, 393-96
preventing filename mistakes, 383-91
preventing Web-based mistakes, 391-92
server name issues, 393-94
Sun symbolic-link vulnerability, 366
username issues, 394-96
Web-based issues, 373-81
CanonServer.cpp file, 393-94
CAPICOM, 282, 283
carriage return/line feed characters, 377-78, 604
CAS (code access security), 537-39
case, as input issue, 429-30
CAtlRegExp class, 360-61
CB_GETLBTEXT message, 718
CB_GETLBTEXTLEN message, 718
CCryptRandom class, 266
Character Map application, 357-58
characters
conversion issues, 444, 619-20
homograph attacks, 483
multiple binary representation problem, 450
similarities and mixups, 382
special, 586
visual equivalence attacks, 483
chargen service, 532
checking returns, 624-25
Chief Privacy Officer (CPO), 648
Children's Online Privacy Protection Act (COPPA), 646
CHM files, 418, 420
choice tenet, Safe Harbor Principles, 644
chokepoints, for input, 345-47
class identifiers (CLSIDs), 506, 515
classes, role in validating input, 361-62
CleanCanon.cpp file, 378-90
Clear method, 336
client-side applications
inherent security problems, 687-88
privacy options, 656-58
template for privacy specifications, 651
Clipboard, identifying as part of security testing process, 571
CloseFileByID function, 494
CLR. See common language runtime
CLSIDs, 506, 515
code. See also development process; managed code; secure applications
adding security comments, 674
building secure SQL statements, 404-7
dangers in mixing with data, 67
defining guidelines for, 44
migrating C and C++ components to C# or managed code, 694
partially trusted, 556-57
restricting method access, 554-55
reviewing old defects, 44-45, 54-56
scheduling external reviews, 45
sealing classes, 554-55
security checklists, 169, 731-35
code access security (CAS), 537-39
codepages, forcing, 423-24
CodeRed worm, 592
code-scanning tools, 169
CoImpersonateClient function, 678
CoInitializeSecurity function, 505-7
COM (Component Object Model)
developer's checklist, 733
identifying methods, properties, and events as part of security testing process, 571
identifying where data comes from, 573
testing applications, 592-93
COM+, protecting secret data when constructing objects, 333-34
COM+ roles, 201
command line
identifying arguments as part of security testing process, 571
identifying where argument data comes from, 573
security testing arguments, 597-600
comments
adding to code, 674
special characters, 586
common language runtime (CLR)
Assert method, 545-47, 548, 549-50
Demand method, 547, 548, 550-52
requesting permissions, 542-45
Common Language Specification (CLS), code access security elements, 537-39
compact privacy policy statements, 655-56
CompareString function, 443
compatibility, backward, 62, 63
compatws security template, 608
compilers
security issues in C and C++ compiler optimization, 322-26
task of removing unnecessary code, 323, 324, 325
turning off optimization, 326
Computer Fraud and Abuse Act (CFAA), 646
Component Services MMC tool, 334
confidentiality. See privacy
configuration files, security issues, 535, 555
connectable objects, 508-9
connection-based protocols, vulnerability to spoofing attacks, 473-74
connectionless protocols, vulnerability to spoofing attacks, 473
connections
AcceptConnection example, 465-70
firewall-friendly rules, 471-73
minimizing need for, 471
multiplexing applications, 472
requiring authentication in RPC server-based applications, 484-89
ways to accept, 464-70
which protocols are best, 472
ConnectionString function, 410
Conover, Matt, 138-39
console input, identifying as part of security testing process, 571
containers, perturbing, 577-78
context handles
vs. access checks, 492-93
NULL problems, 493-94
remote procedure calls and, 482
when not to rely on, 492-93
when to be strict, 491-92
contingency plans, need for, 64
cookies
cross-site scripting and, 415, 417
HttpOnly option, 424-25
predictability, 436-37
role of ValidateRequest configuration option, 427-28
vulnerability, 435-36
Cooper, Russ, 15
CopyData function, 343
CopyFile function, 721
CopyMemory function, 714
corporate names, embedding in code, 692
cover-your-tracks feature, 658
Cowan, Crispin, 139, 167, 169
CPU starvation attacks, 521-29
CPU_DoS_Example.cpp file, 521-29
CREATE_ALWAYS flag, 684
CreateDirectory function, 716
CreateEvent function, 716
CreateFile function, 372, 390-91, 443, 681-82, 684, 716
CreateFileMapping function, 716
CreateHardLink function, 716
CreateJobObject function, 716
CreateMailslot function, 716
CreateMutex function, 679, 716
CreateNamedPipe function, 679, 716
CreateProcess function, 665, 675-77, 717
CreateProcessAsUser function, 218, 675-77, 717
CreateProcessWithLogon function, 717
CreateRandomPrefix.cpp file, 685-86
CreateSemaphore function, 716
CreateWaitableTimer function, 716
CreateWellKnownSid function, 192
credentials, client, 309-11
credit-card information, 661
Crocker, Steve, 272
cross-site scripting (XSS)
embedding scripts in HTML tags, 428-29
how an attack works, 415-16
remedies, 421-28
reviewing code for bugs, 431
role of chokepoints, 346-47
security testing, 604-5
as Web vulnerability, 346, 413-21
CryptAcquireContext function, 266, 267
CryptDeriveKey function, 304
CryptExchangeKey function, 279
CryptExportKey function, 277
CryptGenKey function, 277
CryptGenRandom function, 262-68, 311, 316, 578-79
CryptGetHashParam function, 303
CryptImportKey function, 277
CryptoAPI, 117, 285, 301, 302-3
cryptographic keys
CryptExchangeKey function, 279
CryptExportKey function, 277
CryptGenKey function, 277
CryptImportKey function, 277
deriving using system hardware data, 316-20
deriving with passwords, 269-72, 304
exchange issues, 279-81
keeping close to source, 276-79
long-term vs. short-term, 274
management issues, 272-81
ProtectKey.cpp file, 277-79
ways to use in storing secret data, 337-38
which length to use, 274-75
Cryptographic Service Provider (CSP), 266
cryptography
breaking DVD encryption, 273
common solutions to threats, 297
creating functions, 281-83
developer's checklist, 734
importance of documenting algorithms, 298
key management issues, 272-81
problems and limitations, 259-98, 724-25
CryptProtectData function, 305, 306, 556
CRYPTPROTECT_LOCAL_MACHINE flag, 305, 306
CryptProtectMemory function, 326
CryptReleaseContext function, 266
CryptUnprotectData function, 305, 307
CryptUnprotectMemory function, 326
CSSInject.pl file, 605
<custom error> ASP.NET configuration setting, 561-62
D
DACLs. See discretionary access control lists
damage potential, as DREAD category, 93
data, trusted vs. untrusted, 341, 342-43. See also input
Data Encryption Standard (DES), 269
data flow diagrams (DFDs)
general concept, 75, 76
list of key symbols, 75
number of levels, 80
payroll application example, 77, 79, 81
role in threat modeling, 73-81
tips for using, 78
vs. Unified Modeling Language, 74
data integrity tenet, Safe Harbor Principles, 645
data mutation, 575-87
Data Protection API. See DPAPI
data segments, shared and writable, 677-78
data tampering threats
attacks on secret data, 300
list of specific threats and solutions, 120-23
mitigating, 108
overview, 84, 97
payroll application example, 98, 100-101
testing techniques, 574, 607
data transfer, 661
databases
building secure SQL statements, 404-7
identifying access technologies as part of security testing process, 571
identifying stored procedures as part of security testing process, 571
input vulnerability issues, 397-411
quoting input as remedy, 401-2
secure in-depth example, 407-11
stored procedures as remedy, 402-3
DataProtection.cs file, 329-32
DCOM. See Distributed COM
deadlocks, 670
debugger, role in security testing, 587-88
debugging
disabling before deploying ASP.NET applications, 561
least-privilege issues, 251-58
decomposing applications prior to threat modeling, 74-83
defacing Web servers, 210
default installations, defining, 53, 57-58
defense in depth concept, 59-60
delegates, security issues, 558
Demand method, 547, 548, 550-52, 553
demands, remoting, 553
denial of service (DoS) threats
API issues, 719-20
application crashes, 517-21
CPU starvation attacks, 521-29
list of specific threats and solutions, 120-23
memory starvation attacks, 529-30
mitigating, 108
network bandwidth attacks, 532
operating systems crashes, 517-21
overview, 85, 98, 517
payroll application example, 99-100
resource starvation attacks, 530-31
testing techniques, 575, 576, 587
deny ACEs, 180-81
Deny method, 550
deny-only SIDs, 236-37
Department of Justice Computer Crime and Intellectual Property Section (CCIPS), 11
desktop, role of services, 664-65
developers
as defenders, 19-21
security checklist, 731-35
development process
accountability aspect, 49
defining guidelines for secure coding, 44
design security principles, 54-68
external code reviews, 45
learning from past mistakes, 44-45, 54-56
limiting bug counts, 46
peer reviewing new code, 44
reviewing old defects, 44-45, 54-56
role of threat modeling, 70-108
and SD3, 51-54
who can check in new code, 43
device names, 372-73, 386, 387
device objects, creating, 669
DFDs. See data flow diagrams
dh.exe tool, 587
dialog boxes, identifying as part of security testing process, 571
dictionary attacks, 302, 303
Diffie-Hellman key agreement, 281
digest function, 301. See also hashing
digital signatures
as authorization mechanism, 117
creating, 294-96
vs. keyed hashes, 294
overview, 294
directory junctions, 686-87
directory structure, as security issue, 370-71
disclosure. See information disclosure threats
discoverability, as DREAD category, 94
discretionary access control lists (DACLs), 175, 177, 184, 195-99, 211, 669
Dispose method, 336
Distributed COM (DCOM)
application-level security, 502
as authorization mechanism, 116
configuring, 500-501
defined, 499
developer's checklist, 733
handling of asynchronous calls, 508-9
overview, 500-501
programmatic security, 505-8
RPC and, 477, 499
running objects as interactive user, 503
running objects as launching user, 503
running objects as local system account, 503
running objects as specific user, 504-5
security best practices, 499-509
security text application, 507-8
testing of applications, 592-93
user context options, 502-5
DLL functions, identifying as part of security testing process, 571
documentation
reviewing product specifications, 708
security issues, 695-700
SOAP server product example, 698-700
domain accounts, 666-67
domain credentials, 309
DOS. See MS-DOS, device name vulnerability
DoS. See denial of service threats
DPAPI (Data Protection API)
ACL and, 305-6
vs. LSA, 312
overview, 305-7
ways to use, 305
DREAD risk categories, 93-95
Driver Verifier, 668
drivers
allocation of memory, 670
buffer-handling issues, 671-73
reliability, 668
security issues, 669
serialization primitives and, 670-71
setting FILE_DEVICE_SECURE_OPEN, 669
symbolic links and, 670
types of handles, 670
DsMakeSPN function, 488
DVD encryption, breaking, 273
dynamic buffers, 322
Dynamic Data Exchange (DDE), identifying as part of security testing process, 571
Dynamic HTML (DHTML), 687
dynamic memory, _alloca function and, 691-92
E
Eastlake, Donald, 272
echo service, 532
EDI (Electronic Data Interchange), 661
education
changing mind-sets, 29-30
example of its value, 31-32
keeping workers attuned, 18
mandatory vs. voluntary, 28, 29
ongoing aspect, 17-18, 29
role in developing security-savvy workers, 26-28
eEye, bypassing security checks, 374
EIP register, 585
Electronic Data Interchange (EDI), 661
elevation of privilege threats
list of specific threats and solutions, 120-23
mitigating, 108
overview, 85, 98
payroll application example, 101
remote procedure calls and, 494-95
testing techniques, 575
e-mail
identifying as part of security testing process, 571
as tool, 14-15, 18
embedded keys, and storage of secret data, 337
embedding IP addresses, 473
employees. See hiring employees
encoding output, 422
Encrypting File System (EFS)
as authorization mechanism, 116
temporary files and, 686
endpoints, RPC, 498-99
enforcement tenet, Safe Harbor Principles, 645
EnterCriticalSection function, 719
environment, identifying where data comes from, 573
environment variables, identifying as part of security testing process, 571
ErasableData class, 335-36
error messages
bad examples, 700, 701, 702-3
being specific, 705-6
changing in fixes, 668
cryptic vs. detailed, 663
good example, 701-2
information disclosure issues, 701-5
informed consent and, 702-4
local vs. remote settings, 561-62
progressive disclosure and, 704-5
remoteOff settings, 561-62
security information in, 700-701
usability testing, 707-8
error paths, 668
errors, checking returns, 624-25
escape codes, 378, 381
ESRB trust program, 645, 646
European Union Directives on Data Protection, 643
eval() function, 431-32
event log, role in security testing, 588
Everyone (DELETE) ACE type, 198
Everyone (FILE_DELETE_CHILD) ACE type, 198
Everyone (GENERIC_ALL) ACE type, 198, 221
Everyone (WRITE_DAC) ACE type, 197, 198
Everyone (WRITE_FILE_ADD_FILE) ACE type, 197-98
Everyone (WRITE_OWNER) ACE type, 197, 198
ExAllocatePoolWithQuotaTag function, 670
exception handling, 588
exchanging keys, 279-81
EXE functions, identifying as part of security testing process, 571
ExerciseArgs.pl file, 598-99
ExInterlockedInsertHeadList function, 670
exploitability, as DREAD category, 94
external code reviews, 45
external data, as insecure, 63-64
F
failure
inevitability, 64
methods to prevent, 639-40
secure vs. insecure, 64-66, 347
tools for determining why applications fail, 251-58
withholding details from attackers, 562-63
FAT file systems, storing secret data, 337
features, whether to enable by default, 58
fgets function, 163
file extensions
IsBadExtension function, 348
as security issue, 348-49, 368
as valid input, 347-50
file I/O vs. isolated storage, 559-60
FILE_ATTRIBUTE_TEMPORARY flag, 684
FILE_FLAG_DELETE_ON_CLOSE flag, 684, 685
FileIOPermission, 543, 544, 547, 551
FileMon tool, 254, 257
filenames
\\?\ format, 370
attempting to canonicalize, 386-90
avoiding name-based security decisions, 383
canonical name issues, 364-73
case sensitive, 371
character mixups, 382
common Windows canonical mistakes, 367-73
device names, 372, 373, 386, 387
directory and parent path vulnerabilities, 370-71
preventing short (8.3) filenames, 385
problems with short (8.3) representations of long names, 367-68
relative vs. absolute, 371
as security issue, 347-50, 364-73
strong names, 540-42
trailing characters as problem, 369-70
as valid input, 347-50
FILE_REPARSE_POINT attribute, 687
files
flowchart for investigating potential access failures, 257
identifying as part of security testing process, 571
identifying where data comes from, 573
local, vulnerability to XSS attacks, 418-20
security testing applications, 596
FileStream class, 560
filtering, as authorization mechanism, 118
FIN packets, 465, 467
FIPS 140-1 standard, 267, 268
firewalls
cross-site scripting and, 417
FTP as unfriendly application, 471
limitations, 725
protective role, 470
vs. routers, 470
rules for application developers, 471-73
Flake, Halvar, 140
floating-point arithmetic, 620
FoldString function, 450
foreign languages. See languages other than English, Unicode regular expression issues
format string bugs, 147-52
forms-based authentication, 110-11
<FRAME SECURITY> attribute, 426-27
FTP (File Transfer Protocol), as example of firewall-unfriendly application, 471
function calls, checking returns, 624-25
FunLove virus, 209
FxCop tool, 539-40
G
Gabrilovich, Evgeniy, 382
games, multiplayer, protecting from attack, 9
Garg, Praerit, 86
Garms, Jason, 86
GetCurrentProcessID function, 263
GetCurrentThreadID function, 263
GetFileType function, 681
GetKeyHandle function, 277
GetLocalTime function, 264
gets function, 163, 715
GetServerBlanket function, 508
GetServerVariable function, 154
GetStringTypeEx property, 449
GetTickCount function, 263, 621
GetUnicodeCategory method, 449
Gflags.exe tool, 587
global data LSA secret, 312
Gontmakher, Alex, 382
Gramm-Leach-Bliley Act (GLBA), 646
H
Hailstorm tool, 587
Hal.dll file, 668
handles, security issues, 670. See also context handles
hardware, system data as basis for cryptographic keys, 316-20
hardware devices, identifying as part of security testing process, 571
hashing
creating salted hashes, 302-3
overview, 116-17
role of PKCS #5, 303-4
verifier overview, 301
HEAD request, 6
Health Information Portability Accountability Act (HIPAA), 646
heap overruns
HeapOverrun.cpp file, 140-44
overview, 138-40
HeapAlloc function, 322
HeapCreate function, 322
HeapOverrun.cpp file, 140-44
HeapSize function, 322
Help files, 420-21
hexadecimal escape codes, 378
hiring employees
qualities to look for in security employees, 16-17
security questions to ask during interviews, 33-34
hisecdc security template, 608, 609
hisecws security template, 608, 609
Hoglund, Greg, 169
honeypots, 5
HTML escape codes, 381
HTML files
building malicious test code, 600-602
forcing into zones, 425-26
mark of the Web, 425-26
vulnerability to XSS attacks, 418
HTML Help files, 420-21
HTML tags
embedding scripts in, 428-29
vulnerability, 428-29, 430
HTMLEncode method, 422
HTTP 1.0 protocol, 110
HTTP requests
ascertaining data structures, 573
identifying as part of security testing process, 571
REFERER header, 432-33
trust issues, 432-33
HTTP server port, 6
HTTP-based server applications, testing, 589-92
HttpGetClientProtocol class, 590
HttpOnly, as cookie option, 424-25
HttpPostClientProtocol class, 590
I
I18N. See internationalization issues
IAccessControl interface, 505
IBM Sendmail bug, 588
IClientSecurity interface, 505, 508
IDisposable interface, 336
IDL. See Interface Definition Language files, [range] attribute
ILoveYou virus, 209
ImpersonateAnonymousToken function, 678
ImpersonateDdeClientWindow function, 678
ImpersonateLoggedOnUser function, 678
ImpersonateNamedPipeClient function, 678
ImpersonateSecurityContext function, 678
ImpersonateSelf function, 678
impersonation functions, 678, 718-19
impersonation model, trusted subsystem model and, 250-51
Indexing Service, 685
INF files, 669
information disclosure threats
attacks on secret data, 300
error message issues, 701-5
list of specific threats and solutions, 120-23
mitigating, 108
Napster filter example, 364-65
overview, 84, 97, 98
payroll application example, 88, 98
as spoofing threats, 300
testing techniques, 574, 607
information sources, 15-16
informed consent, 702-4
inheritance, security issues, 554-55
InheritanceDemand method, 553
InitializeCriticalSection function, 719
innerText property, 423
input
checking for validity using regular expressions, 349-53
checking for validity using string compares, 348-49
database issues, 397-411
defending against use in attacks, 345-47
encoding, 422
misplaced trust problem, 343-45, 398, 625-26
quoting, 401-2
role of classes in validating, 361-62
to trust or not to trust, 342-43
valid vs. invalid, 347-50, 391
Web-specific issues, 413-37
installation, default, 53, 57-58
installing secure applications, 627-40
integer overflows, 620-24
integer underflows, 624
interactive desktop, role of services, 664-65
Interface Definition Language (IDL) files, [range] attribute, 483-84
interfaces
ascertaining data structures, 573
list of vulnerability characteristics, 572
ranking for testing by potential vulnerability, 572
internationalization issues
basic rules, 440
buffer overruns, 441-42
character set conversion, 444, 619-20
Unicode and regular expressions, 353-58
validating Unicode strings, 443
Internet
as hostile environment, 4, 5-7
Web-specific input issues, 413-37
Internet Explorer
version 4 and dotless-IP address bug, 374-75
version 4 security zone issue, 374-75
version 6 HttpOnly cookie option, 424-25
version 6 mark of the Web, 425-26
version 6 privacy eye, 652
Internet Information Services (IIS), 6, 375-77, 667, 668
Internet Printing Protocol (IPP)
buffer overrun vulnerability, 154-55, 210
role in Web server defacements, 210
Internet Server Application Programming Interfaces (ISAPIs), 392, 433-36
InternetCrackURL.cpp file, 513-14
Invariant locale, 448
invasions of privacy, 642. See also privacy
I/O Manager, 672
I/O request packets, 672, 673-74
IObjectWithSite interface, 513
IoCreateDeviceSecure function, 669
IP addresses, why not to embed in application layer, 473
IP protocol. See IPv6
IP restrictions, 202-3, 205
IPSec
authentication methods dialog box, 280
as authorization mechanism, 116
support for authentication, 113
IPv6, 455, 456, 474-75
IRP (I/O request packet) cancellation, 673-74
ISAPIs (Internet Server Application Programming Interfaces), 392, 433-36
IsBadCodePtr function, 721
IsBadExtension function, 348
IsBadHugeReadPtr function, 721
IsBadHugeWritePtr function, 721
IsBadReadPtr function, 721
IsBadStringPtr function, 721
IsBadWritePtr function, 721
IsCallerInRole method, 201
ISerializable interface, 558-59
IsNLSDefinedString function, 443
ISO 17799, 36-37
isolated storage
when not to use, 560
when to use, 559-60
IsValidDomain function, 514
J
JettisonPrivs.cpp file, 246-47
JScript
encrypting and decrypting messages, 282
eval() function, 431-32
regular expression example, 360
K
KeAcquireSpinLock primitive, 670
Kerberos
authentication, 112
remote procedure calls and, 488
kernel mode
buffer-handling issues, 671-73
handles and, 670
high-level security issues, 669
overview, 668
symbolic links and, 670
key streams. See stream ciphers
keyed hashes
common mistakes, 291
creating, 291-94
MAC.cpp file, 292-94
overview, 290
keys. See cryptographic keys
Klaus, Christopher W., 95
Knuth, Donald, 260
Kohnfelder, Loren, 86
L
languages other than English, Unicode regular expression issues, 353-58
laptops
and cryptographic keys, 320
security concerns, 320
LB_GETTEXT message, 718
LB_GETTEXTLEN message, 718
LCMapString function, 443
LDAP sources, identifying as part of security testing process, 571
least privilege concept
debugging issues, 251-58
good reasons for running with, 208-10
installation issues, 628-30
as mitigation technique, 118
overview, 60-62, 118, 207-8
storing user data, 678-79
legislation, privacy, 643-46
linear congruential function, 260-61, 262
link demands, 551
LinkDemand example, 551-52
Linkd.exe file, 686
Linux
device name issues, 373, 387
symbolic-link vulnerabilities, 366
Litchfield, David, 147
LoadLibrary function, 717
LoadLibraryEx function, 717
LoadUserProfile function, 306
local accounts, 503, 665, 666, 667
local Active Directory, 688
local administrators group
object ownership in Windows XP and later versions, 217
when not to use, 60-62
local data LSA secret, 312
local files, vulnerability to XSS attacks, 418-20
local procedure calls (LPCs), identifying as part of security testing process, 571
Local Security Authority (LSA)
LsaRetrievePrivateData function, 221, 307, 312
LsaStorePrivateData function, 221, 222, 307, 312, 315
overview, 221-22, 312
removing privileges, 245
role of DPAPI, 223, 312
sample C++ code for handling secrets, 313-15
in Windows .NET Server 2003, 245
locales, 448
LocalRPC (LRPC), 497, 498
locking. See spin locks
logging
as authorization mechanism, 117
and BindDemoServer example, 462
overview, 693-94
long filenames, 367-68
long passwords, allowing, 690
lpApplicationName parameter, 676, 677
lpCommandLine parameter, 676, 677
LSA. See Local Security Authority
LSA_HANDLE object, 530
LsaRetrievePrivateData function, 221, 307, 312
LsaStorePrivateData function, 221, 222, 307, 312, 315
lstrcat function, 714
lstrcpy function, 714
lstrcpyn function, 714
LVM_GETISEARCHSTRING message, 717
M
MAC.cpp file, 292-94
machine data LSA secret, 312
Macintosh OS X, vulnerability, 365
MACs (message authentication codes)
as authorization mechanism, 117
SSL/TLS and, 115
mailing lists, 15
mailslots
identifying as part of security testing process, 570
opening, 372
managed code
developer's checklist, 734-35
migrating C and C++ components to, 694
overview, 535-36
partially trusted, 556-57
protecting secret data, 329-36
regular expressions overview, 359-60
restricting method access, 554-55
management, selling security idea to, 8-11
MandrakeUpdate application, 682
_mbccpy function, 715
_mbscat function, 714
_mbscpy function, 714
_mbsdec function, 715
_mbsinc function, 715
_mbslen function, 715
_mbsnbcat function, 714
_mbsnbcpy function, 714
_mbsncat function, 715
_mbsncpy function, 715
_mbsnextc function, 715
_mbsnset function, 715
_mbsrev function, 715
_mbsset function, 715
_mbsstr function, 715
_mbstok function, 715
MD5 hash function, 301
Meltzer, David, 530, 532
memcpy function, 714
memory
allocated by drivers, 670
cleaning out dynamic buffers, 322
compiler optimization and, 322-26
encrypting secret data, 326-27
keeping secret data in, 321-28
locking to protect data, 327, 328
starvation DoS attacks and, 529-30
Memory Descriptor List (MDL), 672
message authentication codes. See MACs
message digests, 301
MessageBox function, 664-65
metacharacters, 586
microphone, identifying as part of security testing process, 571
Microsoft Corporation
Allchin e-mail, 14
Microsoft Security Response Center, 127
Secure Windows Initiative, 26, 51-54
Windows 2000 test site, 6
Windows Security Push, 26, 28, 128
Microsoft IDL (MIDL) compiler, /robust switch, 483, 581
Microsoft .NET. See also common language runtime
checking assemblies with FxCop, 539-40
code access security elements, 537-39
protecting secret data, 329-36
role of delegates, 558
XCOPY deployment, 329
Microsoft Passport, 111
Microsoft RPC, 477
Microsoft Telnet server, 680
Microsoft Visual Basic, 201
Microsoft Visual Basic .NET, 359, 360-61
Microsoft Visual C++. See C and C++ programming languages
Microsoft Visual C++ .NET, GS option, 167-70
mistakes, learning from, 44-45, 54-56
mitigating threats, techniques
auditing, 117
authentication, 109-14
authorization, 114-15
digital signatures, 116-17
encryption, 116-17
filtering, 118
hashes, 116-17
least privilege, 118
MACs, 116-17
privacy enhancement, 115-16
quality of service, 118
tamper resistance, 115-16
throttling, 118
Mitnick, Kevin, 473
mixing code and data, 67
MmProbeAndLockPages function, 671
Morris, Robert T., 127
motives, defined, 87
MoveFile function, 716, 721
MS-DOS, device name vulnerability, 365
MultiByteToWideChar function, 153, 440, 444, 445, 620, 715
multiplayer games, protecting from attack, 9
multiplexing applications, 472
mutated data. See data mutation
mutexes, 681
mutual authentication, 488
My Computer zone, 419
MyToken.cpp file, 227-30
N
named objects, 680-81
named pipes
identifying as part of security testing process, 571
identifying where data comes from, 573
opening, 372
testing of applications, 592
names, as security issue, 363-96. See also canonicalization
name-squatting, 716
naming of devices, 372-73
Napster, bypassing filters as canonicalization example, 364-65
NAT (network address translation), 473
.NET Framework roles, 199-201. See also Microsoft .NET
NetApi32 calls, 720-21
NetBIOS
identifying as part of security testing process, 570
identifying where data comes from, 573
network address translation (NAT), 473
network bandwidth attacks, 532
network protocol analyzers, 88
network protocols, remote procedure calls and, 481-82
Network Service account, 665
networks, API issues, 720-21
Newsham, Tim, 147
NLS. See Windows National Language Support
normalizing Unicode strings, 450
notice tenet, Safe Harbor Principles, 644
NTBugTraq, 15
Ntdsapi.dll file, 488
NTFS alternate data streams, 368, 369
NTFS file system, support for directory junctions, 686-87
NTLACL.cpp file, 181-84
NTLM authentication, 112
Ntoskrnl.exe file, 668
NTStrsafe.h file, 668
NULL DACLs, 195-99
O
obfuscation, as security test, 660
object creation mistakes, 679-81
object owners, 217
<OBJECT> tag, 593-95
ObReferenceObjectByHandle function, 670
OffByOne.c example, 136-38
Oh.exe tool, 587
ONC. See Open Network Computing
online trust programs, 645, 646
onward transfer tenet, Safe Harbor Principles, 644
Open Network Computing (ONC), defined, 477
Open Software Foundation (OSF), 479
OpenDesktop function, 665
OpenFileByID function, 494
OpenProcessToken function, 230
OpenWindowStation function, 665
operating systems. See also Windows operating system
denial of service (DoS) threats, 517-21
role in security handling, 674
output, encoding, 422
Own3d (hacker slang), 13
owners, object, 217
P
P3P (Platform for Privacy Preference Project), 652, 653-56
pack function, 583
packages, signing, 639
packet privacy and integrity, remote procedure calls and, 489-90
Pagefile.sys file, 300
paging, preventing, 327, 328
paper trails, 660
partially trusted code, 556-57
passwords. See also secret data
in aftermath of software installation, 630
embedding in code, 692
as information disclosure issue, 701
keeping them secret, 301-5
long, allowing, 690
measuring effective bit size, 270-72
role of PKCS #5, 303-4
storing in registry, 337
using to derive cryptographic keys, 269-72, 304
weaknesses in, 269-72
path analysis, 95-96
PATH environment variable, avoiding, 385
path names, using in full, 385-86
payroll application example
analyzing specific threats, 98-102
data flow diagrams, 77, 79, 81
list of components, 82-83
mitigating threats, 118-19
tables describing threats, 98-102
threat tree overview, 88-90
threat trees illustrated, 89, 102-4
peer reviewing code, 44, 617
Performance Monitor, role in security testing, 587-88
Perl
CSSInject.pl file, 605
ExerciseArgs.pl file, 598-99
invoking taint (-T) option, 349, 350
pack function, 583
regular expressions overview, 358
role in testing HTTP-based server applications, 589-92
role in testing sockets-based applications, 589
security testing for scripting attacks, 604-5
security testing SOAP services, 602-3
SmackPOST.pl file, 589-90
SmackQueryString.pl file, 590
TCPJunkServer.pl file, 606
testing clients with rogue servers, 606
testing file-based applications, 596
testing HTTP-based server applications, 589-90
testing registry-based applications, 596-97
TestSoap.pl file, 602-3
permissions
assembly requirements, 542-45
asserting, 545-47, 548, 549-50
declarative, 543, 545
demanding, 547, 548, 550-52
FileIOPermission, 543, 544
imperative, 545
optional, 544-45
role in SQL Server, 203
server-specific, 115
unmanaged code and, 548
unneeded, 544
PermitOnly method, 550
personally identifiable information (PII), 643
perturbing data to test security, 575-87
Phone application example, 480, 484, 486-87, 488
Ping of Death, 518
pipe bomb bug, 588
PKCS #5 standard, 303-4
Platform for Privacy Preference Project (P3P), 652, 653-56
Plug and Play, role in deriving cryptographic keys, 316-20
PnP. See Plug and Play, role in deriving cryptographic keys
pointers, reviewing code, 625
policy reference files, 654
port 80, 6
ports
binding sockets, 456-57
scanning, 6, 469
predictable cookies, 436-37
primitives, serialization, 670-71
PrincipalPermission class, 200
principals, 200-201
printf family of functions, 714-15
privacy
annoying invasions, 642
benefits of team organization, 647-48
building infrastructure, 647-48
for client-side applications, 656-58
defined, 116
exploring user preferences, 652-62
major legislation, 643-46
malicious invasions, 642
policy statement, 651-52, 654
review template, 651
role in application development process, 649-52
role of advocate, 648
role of Chief Privacy Officer, 648
vs. security, 646-47
specification template, 650-51
then and now, 641
trust and, 641-42
U.S. Federal laws, 646
privacy advocate, 648
private data LSA secrets, 312
private information. See secret data
private keys, 280
PrivilegeCheck function, 233
privileges
access control list issues, 220-21
accounting for in administrator's token, 223-48
allowing less-privileged accounts to run applications, 233-34
as authorization mechanism, 114
debugging least-privilege issues, 251-58
determining what's appropriate, 223-48
determining which ones are required, 232-33
elevation of privilege threats, 85, 98, 101, 108
finding in Windows application example, 224-26
flowchart for investigating potential failures, 255
JettisonPrivs.cpp file, 246-47
overview, 211-12
reasons for requiring administrative access, 220-22
reasons that applications require elevated privileges, 220-22
removing permanently when unneeded, 243-47
SeAssignPrimaryTokenPrivilege issues, 217, 218
SeBackupPrivilege issues, 212-15
SeChangeNotifyPrivilege issues, 218
SeDebugPrivilege issues, 215-16
SeIncreaseQuotaPrivilege issues, 217, 218
SeLoadDriverPrivilege issues, 217
separating, 61-62
SeRemoteShutdownPrivilege issues, 217
SeRestorePrivilege issues, 215
SeTakeOwnershipPrivilege issues, 217
SeTcbPrivilege issues, 216
solving elevated privilege issues, 222-23
vs. tokens and SIDs, 218-20
when not to use, 60-62, 118
WOWAccess.cpp file, 212-14
ProbeForRead function, 671, 672
ProbeForWrite function, 672
product features, whether to enable by default, 58
profiles, roaming, 560
profiling, 527-29
Program Files directory, 678-79
programming languages, remote procedure calls and, 478
programs. See code; secure applications; software
progressive disclosure, 704-5
promiscuous mode, 88, 89
ProtectKey.cpp file, 277-79
protocols. See also TCP protocol; User Datagram Protocol
DCOM and, 501
reasons not to multiplex applications, 472
sequences for remote procedure calls, 499
Public Key Cryptography Standard (PKCS) #5, 303-4
pushes, security, 45-46
Q
QoS. See quality of service, as authorization mechanism
quality of service, as authorization mechanism, 118
QueryPerformanceCounter function, 264
quotas, resource, 530-31
quotation marks ("), 422, 677
quoting input, as remedy for database attackers, 401-2
R
RADIUS (Remote Authentication Dial-In User Service), 114
rand function, 260-62
random data, as security testing tool, 578-84
random numbers
creating salted hashes, 302-3
cryptographically random, 262-68
generating with CryptGenRandom function, 262-68
generating with rand function, 260-62
in managed code, 262-69
predictable, 260-62
[range] attribute, 483-84
RASQ (relative attack surface quotient), 611-13
RC4Test.cpp file, 285-87
ReadFileByID function, 494
read-only access, 679
real names, embedding in code, 692
recv function, 720
REFERER header, 432-33
Regex++, 360
registry
ACLs and, 172-73
flowchart for investigating potential access failures, 256
identifying as part of security testing process, 571
identifying where data comes from, 573
levels of security need, 337, 338, 555-56, 629-30
security testing applications, 596-97
storing passwords in, 337
usage by SafeQuery example, 409-10
ways to store sensitive data, 337, 338, 555-56
RegMon tool, 254, 256
RegQueryValueEx function, 173
regression bugs, 12
regular expressions
C++ overview, 360-61
C# example, 359
CAtlRegExp class, 360-61
finding data vs. validating data, 352-53
as input validation tool, 349-53
managed C++ example, 359-60
managed code overview, 359-60
Perl overview, 358
restricting allowable filenames, 383-85
in scripts, 360
Unicode and, 353-58
Visual Basic .NET example, 359
relative attack surface quotient (RASQ), 611-13
Remote API (RAPI), identifying as part of security testing process, 571
Remote Authentication Dial-In User Service (RADIUS), 114
Remote Desktop Users SID, 193-94
remote procedure calls (RPCs)
as authorization mechanism, 116
as C and C++ technology, 478
compiling code, 479-80
context handles vs. access checks, 492-93
creating applications, 479-80
DCE (Distributed Computing Environment) variant, 477
developer's checklist, 733
history, 477
how applications communicate, 481-82
identifying as part of security testing process, 571
identifying where data comes from, 573
Kerberos support, 488
list of possible security setting levels, 485
multiple RPC servers in single processes, 497-99
ONC (Open Network Computing) variant, 477
overview, 477, 478-79
performance issues, 489
Phone application example, 480
potential security threats to, 482
relationship to DCOM, 477, 499
requiring authenticated connections, 484-89
role of security callback functions, 495-97
role of strict context handles, 491-92
security best practices, 482-99
testing applications, 592
testing performance characteristics, 489
vulnerabilities, 477-78
reproducibility, as DREAD category, 93
repudiation threats
list of specific threats and solutions, 120-23
mitigating, 108
overview, 84, 98
testing techniques, 574
res: protocol, 420-21
reserve names, 372-73
resources
finding in Windows application example, 224
names as security issue, 363-96
starvation DoS attacks, 530-31
Restrict.cpp file, 238-39
reusable components, 345, 689
roaming profiles, 560
/robust MIDL switch, 483, 581
rogue servers, 606
role-based security
COM+ roles, 201
.NET Framework roles, 199-201
overview, 199
root (hacker slang), 13
rootsec security template, 608
RoundTrip.cpp file, 445-47
routers, vs. firewalls, 470
RpcBindingInqAuthClient function, 486-87, 488
RpcBindingSetAuthInfo function, 484-85, 486, 489, 495
RpcBindingToStringBinding function, 497
RpcEpRegister function, 498-99
RpcImpersonateClient function, 494, 678
RPCs. See remote procedure calls
RpcServerRegisterAuthInfo function, 486
RpcServerUseProtSeq function, 497
RpcStringBindingParse function, 497
RPCSvc application, 489
RpcServerRegisterIf function, 495
RpcServerRegisterIf2 function, 495, 496
RpcServerRegisterIfEx function, 495, 496
RSA algorithm, 26-27, 281
RSA Data Security, 301, 303
S
Safe Harbor Principles
access tenet, 645
choice tenet, 644
data integrity tenet, 645
enforcement tenet, 645
history, 643
notice tenet, 644
onward transfer tenet, 644
overview, 644
security tenet, 645
safe string handling, 156-67
SafeQuery example, 407-11
SAFER.cpp file, 242-43
salt values, 287-88
salted hashes, creating, 302-3
sample applications, making secure, 688
SANS (System Administration, Networking, and Security) Institute, 4
SB_GETLBTEXTLENGTH message, 718
SB_GETTEXT message, 718
SB_GETTIPTEXT message, 718
scanf function, 715
Schiller, Jeffrey, 272
<SCRIPT> blocks, 417-18
scripting, ActiveX controls best practices, 511-15. See also cross-site scripting
SD3, 51-54
SDDL. See Security Descriptor Definition Language
SDDLACL.cpp file, 186
SearchPath function, 717
SeAssignPrimaryTokenPrivilege privilege, 217, 218, 249
SeAuditPrivilege privilege, 249
SeBackupPrivilege privilege, 212-15, 249
SeChangeNotifyPrivilege privilege, 218, 249
SeCreatePagefilePrivilege privilege, 249
SeCreatePermanentPrivilege privilege, 249
SeCreateTokenPrivilege privilege, 249
secret data. See also passwords
and compiler optimization, 322-26
encrypting in memory, 326-27
hash overview, 301
keeping it secret, 301-5
memory issues, 321-28
preventing paging of, 327, 328
protecting in managed code, 329-36
protecting in Windows 95, 315-20
protecting in Windows 98, 315-20
protecting in Windows 2000, 305-11
protecting in Windows CE, 315-20
protecting in Windows Me, 315-20
protecting in Windows NT, 311-15
protecting in Windows XP, 305-11
protection trade-offs, 338-39
storing hashes, 301-5
threat susceptibility, 300
ways of attacking, 300
ways to store, 336-38
Secret.txt file, 336-38
secure applications. See also code; software
adding security to new products, 38-41
banner strings, 667
checklists, 169, 731-35
cost factors in fixing vulnerabilities, 10-11
CPU starvation attacks, 521-29
defining default installation, 53, 57-58
defining security goals for new products, 34-37
denial of service (DoS) threats, 517-21
disabling tracing and debugging before deploying ASP.NET applications, 561
enabling product features by default, 58
installing, 627-40
multiplexing, 472
profiling, 527-29
as quality issue, 4-5, 6-7, 8
reasons for building, 8-11
role of threat modeling, 70-108
SD3, 51-54
secure by default, 53
secure by deployment, 53-54
secure by design, 51-53
security as product feature, 37-40
Secure Windows Initiative, 26, 51-54
securedc security template, 608
SecureIIS, 374
securews security template, 608
SecureZeroMemory function, 325
security
ActiveX best practices, 509-15
adding incremental improvements to development process, 25-26
canonicalization issues, 363-96
common excuses, 723-28
common shortcomings, 23-24
as competitive issue, 9
as consumer issue, 9, 10
cost factors in fixing vulnerabilities, 10-11
DCOM best practices, 499-509
design principles, 54-68
designer's checklist, 729
developer's checklist, 731-36
as a discipline, 54-68
documentation issues, 695-700
fire analogy, 87
as media issue, 9
vs. privacy, 646-47
as product feature, 37-40
as quality issue, 4-5, 6-7, 8
reasons for making a priority, 8-11
role of testers, 567-68
role of users, 675
RPC best practices, 482-99
services best practices, 663-67
subversion as wake-up call, 11-13
tester's checklist, 737
threat mitigation techniques, 107-18
trade-offs in protecting secret data, 338-39
ways to instill consciousness, 13-19
when to add to new products, 38-41
where to begin, 7-13
security blanket, DCOM, 505, 508-9
security callback functions, 495-97
security code reviews
how to deal with large applications, 617-18
multiple-pass approach, 618
overview, 615-16
vs. peer reviews, 617
security comments, adding to code, 674
Security Configuration and Analysis snap-in, 630-31
Security Configuration Editor
creating new configuration database, 631-32
creating templates, 632-33
overview, 627, 630-31
SecInstall example, 633-37
Security Descriptor Definition Language (SDDL), 185-89
security descriptors (SDs), 184, 669
security identifiers (SIDs)
accounting for in administrator's token, 223-48
Administrator SID, 689-90
applying deny-only attribute, 236-37
determining which ones are required, 232-33
list of well-known types, 188-89
overview, 177, 184, 185
Remote Desktop SID, 193-94
in SetUpdateACL.cpp file, 192
Terminal Server SID, 193-94
vs. tokens and privileges, 218-20
security pushes, 45-46
security settings, 708-9
Security Support Provider Interface (SSPI), 112
security templates, 607-9
Security Templates snap-in, 630, 631
security tenet, Safe Harbor Principles, 645
security testing
ActiveX applications, 592, 593-95
building test plans from threat models, 569-605
building tools for finding flaws, 588-605
COM and DCOM applications, 592-93
command line arguments, 597-600
cross-site scripting, 604-5
determining attack surface, 611-13
file-based applications, 596
finding bug variations, 609-10
formulating test plans for attacking applications, 573-75
vs. functional testing, 568-69
HTTP-based server applications, 589-92
identifying component interfaces, 570-71
named pipes applications, 592
overview, 47, 567
quality of test code, 610
ranking interfaces by potential vulnerability, 572
registry-based applications, 596-97
role of list of system components, 570
role of rogue servers, 606
role of templates, 607-9
role of testers, 567-68
RPC applications, 592
setting up application monitoring first, 587-88
SOAP services, 602-3
sockets-based applications, 589
techniques for denial of service (DoS) threats, 575, 576, 587
techniques for perturbing data, 575-87
security zones. See zones, security
SecurityFocus, 15, 16
SeDebugPrivilege privilege, 215-16, 249
SeEnableDelegationPrivilege privilege, 249
SeImpersonatePrivilege privilege, 250-51
SeIncreaseBasePriorityPrivilege privilege, 249
SeIncreaseQuotaPrivilege privilege, 217, 218, 249
SeLoadDriverPrivilege privilege, 217, 249
SeLockMemoryPrivilege privilege, 249
SeMachineAccountPrivilege privilege, 249
semaphores, 681
send function, 720
Sendmail bug, 588
SeProfileSingleProcessPrivilege privilege, 249
SeRemoteShutdownPrivilege privilege, 217, 249
SeRestorePrivilege privilege, 215, 249
serialization
deserializing data from untrusted sources, 562
security issues, 558-59
serialization primitives, 670-71
SerializationFormatter permission, 562
serializing, defined, 562
Server Message Block (SMB) protocol, 63, 609
server names, as canonicalization issue, 393-94
servers
avoiding hijacking, 456-63
building test cases to attack, 588-605
choosing interfaces, 464
embedding names in code, 692
hijacking, 456
insecure, 63-64
rogue-type, 606
testing HTTP-based applications, 589-92
server-specific permissions, 115
Service account, SeImpersonatePrivilege privilege, 250
Service Control Manager (SCM), 219
services
account guidelines, 665-67
overview, 664
role of Windows desktop, 664-65
security best practices, 663-67
SeSecurityPrivilege privilege, 249
SeShutdownPrivilege privilege, 249
SeSyncAgentPrivilege privilege, 249
SeSystemEnvironmentPrivilege privilege, 249
SeSystemProfilePrivilege privilege, 249
SeSystemtimePrivilege privilege, 249
SeTakeOwnershipPrivilege privilege, 217, 249
SetBlanket method, 505, 508
SeTcbPrivilege privilege, 216, 249
SetFileSecurity function, 184
SetNamedSecurityInfo function, 184
SetProcessWindowStation function, 665
SetSecurityDescriptorDacl function, 184, 718-19
SetSecurityDescriptorGroup function, 184
SetSecurityDescriptorOwner function, 184
SetSecurityDescriptorSacl function, 184
SetThreadToken function, 678
SetThreadDesktop function, 665
setup security template, 608
SetUpdatedACL.cpp file, 192-93
SeUndockPrivilege privilege, 249
SHA-1 hash function, 301
Shannon, Claude, 270
shared data segments, 677-78
shared memory, identifying as part of security testing process, 571
ShellExecute function, 675, 717
Shimomura, Tsutomu, 473
shipping new software
knowing when it's safe to ship, 47-48
response process, 48
short filenames
preventing generation of 8.3 filenames, 385
problems with 8.3 representations of long names, 367-68
SIDs. See security identifiers
Simple Network Management Protocol (SNMP), 629
sinks, DCOM and, 509
SiteLock, 514-15
SmackPOST.pl file, 589-90
SmackQueryString.pl file, 590
sneaker-net, 280
SN.exe tool, 333
sniffers, 88
SNMP (Simple Network Management Protocol), 629
_snprintf function, 161-62, 714
_snwprintf function, 714
SOAP (Simple Object Access Protocol)
code access security checks and, 553
identifying requests as part of security testing process, 571
security testing services, 602-3
SoapHttpClientProtocol class, 603
social security numbers, 661
sockets
BindDemoSvr.cpp file, 457-63
binding, 456-57
identifying where data comes from, 573
IP addresses and, 457
libraries, 457
overview, 455
testing, 589
SO_CONDITIONAL_ACCEPT socket option, 467
SO_EXCLUSIVEADDRUSE socket option, 457, 461, 462, 463
software. See also code; secure applications
common security mistakes, 23-24
cost factors in fixing vulnerabilities, 10-11
creating RPC applications, 479-80
deciding which bugs to fix, 41-43
decomposing prior to threat modeling, 74-83
defining default installation, 53, 57-58
defining security goals for products, 34-37
design security principles, 54-68
designing privacy-aware applications, 649-62
end-of-life plans, 41
improving development process, 25-26
installing applications securely, 630-38
knowing when it's safe to ship, 47-48
limiting access to your applications, 659-60
reasons for making secure, 8-11
security code reviews for large applications, 617-18
security practices during design phase, 32-43
security practices during development phase, 43-47
security practices during shipping and maintenance phases, 47-49
tolerance for defects, 41-43
tools for determining why applications fail, 251-58
what to do about insecure features, 41
when to add security to new products, 38-41
whether to enable product features by default, 58
Software Restriction Policies, 241-43
Solar Designer, 139-40
special characters, 586
spin locks, 670-71
spoofing threats
connection-based protocols and, 473-74
connectionless protocols and, 473-74
host-based trusts and, 473
as information disclosure threats, 300
list of specific threats and solutions, 120-23
mitigating, 108
overview, 84, 97, 473
payroll application example, 101-2
port-based trusts and, 473-74
testing techniques, 574
sprintf function, 160-61, 714
SQL injection, 399, 400
SQL (Structured Query Language)
building secure statements, 404-7
database input issues, 398-401
SQL Server
connecting as sysadmin, 401, 403-4
medical access control example, 204
permissions, 203
and sysadmin, 403-4
triggers, 203, 204
SQLConnection object, 409
SSL/TLS
client issues, 437
defined, 115
example, 661, 662
stack overruns
how to tell if they're exploitable, 133
OffByOne.c example, 136-38
overview, 129
StackOverrun.c example, 129-36
StackGuard, 139, 167
StackOverrun.c example, 129-36
Standard Template Library (STL), 162-63
starvation (DoS attacks)
starving CPU, 521-29
starving memory, 529-30
starving resources, 530-31
state, remote procedure calls and, 482
store-and-forward interfaces, identifying as part of security testing process, 571
stored procedures
building securely, 406-7
as database input remedy, 402-3
Stored User Names And Passwords feature, 309-11
strcat function, 714
strcpy function, 129, 156-57, 714
stream ciphers
bit-flipping attacks, 289-96
defined, 283
how they work, 284
pitfalls, 284-87
RC4Test.cpp file, 285-87
reusing same key, 287-89
what they're used for, 284
streams. See alternate data streams
STRIDE threat categories
formulating test plans for attacking applications, 573-75
list of categories, 83-86
strings
buffer overruns and, 128, 156
common flaws, 619-20
moving to resource DLLs, 693
normalizing, 450
safe handling, 156-67
_snprintf function, 161-62
sprintf function, 160-61
strcpy function, 129, 156-57, 714
strncpy function, 158-59, 619, 624, 714
Strsafe.h file, 163-66
Unicode multiplicity problem, 450
Strings tool, 273
StripBackslash functions, 525, 526-27, 528, 529
strlen function, 715
strncat function, 714
strncpy function, 158-59, 619, 624, 714
strong names, 540-42
Strsafe.h file, 163-66, 668
SubSeven, 209
subversion, as wake-up call, 11-13
Sun Microsystems, symbolic-link vulnerability, 366
Sun RPC, 477. See also Open Network Computing
SuppressUnmanagedCodeSecurityAttribute attribute, 552-53, 557
surrogate pairs, 442
swprintf function, 714
symbolic-link vulnerabilities, 366
symbolic links, 670, 686
symmetric ciphers, 284
SYN packets, 465, 470
sysadmin, when not to connect to database servers as, 401, 403-4
system access control lists (SACLs), 175, 177, 184
System Administration, Networking, and Security (SANS) Institute, 4
System.EnterpriseServices namespace, 333, 334
System.Runtime.InteropServices namespace, 329
System.Runtime.Serialization namespace, 562
T
tamper resistance, 115-16
tampering. See data tampering threats
TB_GETBUTTONTEXT message, 717
TCP protocol
accepting connections, 465-70
binding sockets to ports, 456
identifying sockets as part of security testing process, 570
vs. UDP protocol, 472
window sizes and, 463
TCP/IP protocol, 63, 455
TCPJunkServer.pl file, 606
_tcscat function, 714
_tcscpy function, 714
_tcslen function, 715
_tcsncat function, 714
_tcsncpy function, 714
Telnet server, 680
templates
privacy specification template, 650-51
sample applications as, 688
security, 607-9
temporary files
CreateFile flags, 684
creating, 683-84
Encrypting File System and, 686
list of vulnerabilities, 682
random filename prefixes, 685
secure, 682-86
security properties, 683
Terminal Server SID, 193-94
TerminateProcess function, 719, 720
TerminateThread function, 719, 720
test code, 610
testing. See security testing
TestSoap.pl file, 602-3
threat modeling
benefits, 70-71
categorizing threat effects using STRIDE, 84-85
common threats listed with solutions, 120-23, 297
determining overall risk rating, 105
determining threats, 83-93
identifying threats, 86-91
including technical writers and editors in process, 697-98
items to note, 92-93
mitigating threats, 107-18
overview, 41, 69-70
payroll application example, 77, 79, 81, 82-83, 97-104, 118-19
process summary, 105-6
ranking threats by risk, 93-106
role in building security test plans, 569-605
role of threat trees, 86-91
significance in creating secure applications, 41
SOAP server product example, 698-700
steps in process, 71-72
usefulness of data flow diagrams, 73-81
ways to respond to threats, 106-8
threat targets, 83, 86, 87
threat trees
converting to outlines, 90
making more readable, 90, 91
overview, 86-87
payroll application example, 88-90
threats, defined, 87. See also mitigating threats, techniques
throttling, as authorization mechanism, 118
Token Master tool, 230-31
tokens
accounting for SIDs and privileges, 223-48
applying deny-only attribute to SIDs, 236-37
determining SIDs and privileges in, 226-32
MyToken.cpp file, 227-30
overview, 218
vs. privileges and SIDs, 218-20
reducing capabilities, 233-47
removing privileges, 235
Restrict.cpp file, 238-39
SAFER.cpp file, 242-43
sample restricted token code, 237-41
specifying restricting SIDs, 235-36
ways to restrict, 235-37
when restricted tokens are appropriate, 237
tracing, disabling before deploying ASP.NET applications, 561
trade-offs in protecting secret data, 338-39
trailing characters, in filenames, 369-70
transferring data securely, 661
transforms, 640
triaging bugs, 19
triggers, SQL Server, 203, 204
Trojan horses, 208, 209, 717
trust, as privacy issue, 641-42
trust boundaries, for input, 345-47
TRUSTe program, 645, 646
trusted data
ACLs and, 344-45
assumptions, 343-45
buffer overrun example, 343-45
overview, 341, 342-43
vs. untrusted data, 341, 342-43
trusted subsystem model, impersonation model and, 250-51
trustworthy computing, overview, 7
try/except blocks, 670, 671
_tscanf function, 715
TTM_GETTEXT message, 717
TVM_GETISEARCHSTRING message, 717
U
UCS-2 encoding, 380-81
UDP protocol. See User Datagram Protocol
UML (Unified Modeling Language), 74, 178, 179
UNC. See Universal Naming Convention shares
Unicode
buffer overruns and, 441-42
buffer size mismatches, 153-54
character properties, 448-49
importance in internationalization, 440
interchanging with ANSI characters as testing technique, 575
Internet Printing Protocol buffer overrun vulnerability, 154-55
regular expressions and, 353-58
string multiplicity problem, 450
surrogate pairs, 442
UCS-2 encoding, 380-81
UTF-8 encoding, 378-80, 381
validating strings, 443
Unified Modeling Language (UML), 74, 178, 179
Universal Naming Convention (UNC) shares, 371-72
UNIX
symbolic-link vulnerabilities, 366
temporary file vulnerabilities, 682
unmanaged code, calling, 548, 557
URLs
canonical name issues, 373-81
myriad ways to represent characters, 378-81
as security issue, 373-81
User Datagram Protocol (UDP)
accepting connections, 464
binding sockets to ports, 456, 457
as connectionless, 464, 472
DoS attack problem, 517-18
identifying sockets as part of security testing process, 570
vs. TCP protocol, 472
user principal names (UPNs), 394, 395
user profiles, roaming, 560
UserInput class, 361-62
usernames, as canonicalization issue, 394-96
users, role in security, 675
UTF-8 encoding, 378-80, 381, 391-92, 440
UTF-16 encoding, 440
UTF-32 encoding, 440
V
VBScript
determining bit size of passwords, 270-71
regular expression example, 360
setting IP restrictions, 202-3
vectors. See attack vectors, determining bias
verifiers, 301
VirtualLock function, 327, 328
viruses, 208, 209
Visual Basic, 201
Visual Basic .NET, 359, 360-61
Visual C++. See C and C++ programming languages
Visual C++ .NET, GS option, 167-70
vulnerabilities, defined, 87
W
w00w00 Security Development (WSD), 138
wcscat function, 714
wcscpy function, 714
wcslen function, 715
wcsncat function, 714
wcsncpy function, 714
Web applications
developer's checklist, 732-33
HTTP trust issues, 432-33
input issues, 413-31
security issues, 413-37
vulnerability of JavaScript eval() function, 431-32
Web pages
applying .NET Framework roles, 200
myriad ways to represent characters, 378-81
Web servers
applying IP restriction, 202-3, 205
changing version header, 667
defacing, 210
Web services
applying .NET Framework roles, 200
privacy specifications, 651
Web sites
canonical Web-based issues, 373-81
cross-site scripting error problem, 346, 413-21
file upload example, 347-50
privacy policy statements, 651-52, 654
WebClient class, 590, 591-92
web.config files, security issues, 535, 555
WideCharToMultiByte function, 154, 440, 444, 445-47, 619-20
WinCrypt.h file, 262
window sizes, 463
Windows 95
deriving keys using system hardware data, 316-20
protecting secret data, 315-20
Windows 98
deriving keys using system hardware data, 316-20
protecting secret data, 315-20
Windows 2000
creating ACLs in, 185-89
protecting secret data, 305-11
Security Configuration Editor, 627
security templates, 607-9
user principal names, 394, 395
vs. Windows NT, 320-21
Windows 2000 test site, 6
Windows applications
finding privileged APIs used by, 224-26
finding resources used by, 224
Windows authentication, 112
Windows CE
deriving keys using system hardware data, 316-20
protecting secret data, 315-20
Windows Event Viewer, 252-53
Windows Help files, 418, 420
Windows Installer, 638-40
Windows Me
deriving keys using system hardware data, 316-20
protecting secret data, 315-20
Windows Media Player, 658-59
Windows National Language Support (NLS), 440
Windows .NET Server 2003
low-privilege service accounts, 245, 248-50
SeImpersonatePrivilege and, 250-51
Windows NT
creating ACLs in, 181-85
protecting secret data, 311-15
Security Configuration Editor, 627
vs. Windows 2000, 320-21
Windows operating system
accommodating differences in versions, 320-21
common canonical filename mistakes, 367-73
MS-DOS device name vulnerability, 365
role of services, 664-65
Windows Security Push, 26, 28, 128
Windows Sockets 2.0. See Winsock
windows styles, 717-18
Windows XP
client credentials, 309-11
local service account, 248, 249
local system account, 248, 249
low-privilege service accounts, 248-50
network service account, 248, 249
object ownership, 217
protecting secret data, 305-11
Security Configuration Editor, 627
security templates, 607-9
Software Restriction Policies, 241-43
Stored User Names And Passwords, 309-11
WinExec function, 675-77, 717
Winsock, 464
wireless data, identifying as part of security testing process, 570
words vs. bytes, 442
World Wide Web, as hostile environment, 4, 5-7
worms, 208
WOWAccess.cpp file, 212-14
writable data segments, 677-78
WSAAccept function, 467, 470
wscanf function, 715
WSD (w00w00 Security Development), 138
Wysopal, Chris, 457
X
X.509 certificates, 112-13
XCOPY, 329
XFree86, 682
Xing Technologies, 273
XML (Extensible Markup Language)
privacy policy statement, 654-55
security testing the code handling payloads, 600-602
XML data, mutating, 583-84
XOR operator, 282, 287, 289, 337
XSLT (XSL Transformation), 560
XSS. See cross-site scripting
Z
ZeroMemory function, 322, 323, 324, 325
zones, security
Internet Explorer and, 419-20
mark of the Web and, 425-26
My Computer zone, 419
overview, 420
Last Updated: November 14, 2002