 |
| 24 DEADLY SINS OF SOFTWARE SECURITY |
How to Fix Them
Michael Howard, David LeBlanc, and John Viega
To Jennifer, who has put up with many days of my working
on a book, and to Michael for improving
my writing skills on our
fifth book together.
—David
To my family for simply putting up with me,
and to David as he continues
to find bugs in my code!
—Michael
ABOUT THE AUTHORS
Michael Howard is a principal security program manager on the Trustworthy Computing
(TwC) Group’s Security Engineering team at Microsoft, where he is responsible
for managing secure design, programming, and testing techniques across the company.
Howard is an architect of the Security Development Lifecycle (SDL), a process for
improving the security of Microsoft’s software.
Howard began his career with Microsoft in 1992 at the company’s New Zealand
office, working for the first two years with Windows and compilers on the Product Support
Services team, and then with Microsoft Consulting Services, where he provided security
infrastructure support to customers and assisted in the design of custom solutions and
development of software. In 1997, Howard moved to the United States to work for the
Windows division on Internet Information Services, Microsoft’s web server, before moving
to his current role in 2000.
Howard is an editor of IEEE Security & Privacy, is a frequent speaker at security-related
conferences, and regularly publishes articles on secure coding and design. Howard
is the co-author of six security books, including the award-winning Writing Secure Code
(Second Edition, Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill
Professional, 2005), The Security Development Lifecycle (Microsoft Press, 2006), and his
most recent release, Writing Secure Code for Windows Vista (Microsoft Press, 2007).
David LeBlanc, Ph.D., is a principal software development engineer for the Microsoft
Office Trustworthy Computing group and in this capacity is responsible for designing
and implementing security technology used in Microsoft Office. He also helps advise
other developers on secure programming techniques. Since joining Microsoft in 1999, he
has been responsible for operational network security and was a founding member of the
Trustworthy Computing Initiative.
David is the co-author of the award-winning Writing Secure Code (Second Edition,
Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill Professional,
2005), Writing Secure Code for Windows Vista (Microsoft Press, 2007), and numerous articles.
John Viega, CTO of the SaaS Business Unit at McAfee, is the original author of the 19
deadly programming flaws that received press and media attention, and the first edition
of this book is based on his discoveries. John is also the author of many other security
books, including Building Secure Software (Addison-Wesley, 2001), Network Security with
OpenSSL (O’Reilly, 2002), and the Myths of Security (O’Reilly, 2009). He is responsible for
numerous software security tools and is the original author of Mailman, the GNU mailing
list manager. He has done extensive standards work in the IEEE and IETF and co-invented
GCM, a cryptographic algorithm that NIST has standardized. John is also an
active advisor to several security companies, including Fortify and Bit9. He holds an MS
and a BA from the University of Virginia.
About the Technical Editor
Alan Krassowski is the Chief Architect of Consumer Applications at McAfee, Inc., where
he heads up the design of the next generation of award-winning security protection
products. Prior to this role, Alan led Symantec Corporation’s Product Security Team,
helping product teams deliver more secure security and storage products. Over the past
25 years, Alan has worked on a wide variety of commercial software projects. He has
been a development director, software engineer, and consultant at many industry-leading
companies, including Microsoft, IBM, Tektronix, Step Technologies, Screenplay Systems,
Quark, and Continental Insurance. Alan holds a BS degree in Computer Engineering
from the Rochester Institute of Technology in New York. He currently resides in Portland, Oregon.
CONTENTS AT A GLANCE
Part I Web Application Sins
1 SQL Injection . . . . . . . . . . . . . . . . . . . 3
2 Web Server–Related Vulnerabilities
(XSS, XSRF, and Response Splitting) . . . . 29
3 Web Client–Related Vulnerabilities (XSS) . . . 63
4 Use of Magic URLs, Predictable Cookies, and
Hidden Form Fields . . . . . . . . . . . . . . 75
Part II Implementation Sins
5 Buffer Overruns . . . . . . . . . . . . . . . . . 89
6 Format String Problems . . . . . . . . . . . . . 109
7 Integer Overflows . . . . . . . . . . . . . . . . 119
8 C++ Catastrophes . . . . . . . . . . . . . . . . 143
9 Catching Exceptions . . . . . . . . . . . . . . . 157
10 Command Injection . . . . . . . . . . . . . . . 171
11 Failure to Handle Errors Correctly . . . . . . . 183
12 Information Leakage . . . . . . . . . . . . . . 191
13 Race Conditions . . . . . . . . . . . . . . . . . 205
14 Poor Usability . . . . . . . . . . . . . . . . . . 217
15 Not Updating Easily . . . . . . . . . . . . . . . 231
16 Executing Code with Too Much Privilege . . 243
17 Failure to Protect Stored Data . . . . . . . . . 253
18 The Sins of Mobile Code . . . . . . . . . . . . 267
Part III Cryptographic Sins
19 Use of Weak Password-Based Systems . . . . 279
20 Weak Random Numbers . . . . . . . . . . . . 299
21 Using Cryptography Incorrectly . . . . . . . . 315
Part IV Networking Sins
22 Failing to Protect Network Traffic . . . . . . . 337
23 Improper Use of PKI, Especially SSL . . . . . 347
24 Trusting Network Name Resolution . . . . . . 361
Index . . . . . . . . . . . . . . . . . . . . . . . . 371
+++++++++++++++++++++++++++++++
CONTENTS
Foreword . . . . .. . . . . . . . . xxix
Acknowledgments . . . . . . . . . . . xxxiii
Introduction . . . . . . . . . . . . . . . . . . . . xxxv
Part 1
Web Application Sins
1 SQL Injection
1 SQL Injection
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
A Note about LINQ . . . . . . . . . . . . . . . . . . . . . . . 6
Sinful C# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Sinful PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Sinful Perl/CGI . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Sinful Python . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Sinful Ruby on Rails . . . . . . . . . . . . . . . . . . . . . . . 9
Sinful Java and JDBC . . . . . . . . . . . . . . . . . . . . . . . 9
Sinful C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Sinful SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 13
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 13
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 14
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
CVE-2006-4953 . . . . . . . . . . . . . . . . . . . . . . . . . . 18
CVE-2006-4592 . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Validate All Input . . . . . . . . . . . . . . . . . . . . . . . . . 19
Use Prepared Statements to Build SQL Statements . . . . . . 19
C# Redemption . . . . . . . . . . . . . . . . . . . . . . . . . . 19
PHP 5.0 and MySQL 4.1 or Later Redemption . . . . . . . . 20
Perl/CGI Redemption . . . . . . . . . . . . . . . . . . . . . . 20
Python Redemption . . . . . . . . . . . . . . . . . . . . . . . 21
Ruby on Rails Redemption . . . . . . . . . . . . . . . . . . . 22
Java Using JDBC Redemption . . . . . . . . . . . . . . . . . . 22
ColdFusion Redemption . . . . . . . . . . . . . . . . . . . . . 23
SQL Redemption . . . . . . . . . . . . . . . . . . . . . . . . . 23
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 24
Encrypt Sensitive, PII, or Confidential Data . . . . . . . . . . 25
Use URLScan . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2 Web Server–Related Vulnerabilities (XSS, XSRF, and Response Splitting)
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
DOM-Based XSS or Type 0 . . . . . . . . . . . . . . . . . . . 31
Reflected XSS, Nonpersistent XSS, or Type 1 . . . . . . . . . 32
Stored XSS, Persistent XSS, or Type 2 . . . . . . . . . . . . . 34
HTTP Response Splitting . . . . . . . . . . . . . . . . . . . . 34
Cross-Site Request Forgery . . . . . . . . . . . . . . . . . . . 37
Sinful Ruby on Rails (XSS) . . . . . . . . . . . . . . . . . . . . 38
Sinful Ruby on Rails (Response Splitting) . . . . . . . . . . . 38
Sinful CGI Application in Python (XSS) . . . . . . . . . . . . 38
Sinful CGI Application in Python (Response Splitting) . . . 38
Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . . . . . . 39
Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . . . . . . 39
Sinful C/C++ ISAPI (XSS) . . . . . . . . . . . . . . . . . . . . 39
Sinful C/C++ ISAPI (Response Splitting) . . . . . . . . . . . 39
Sinful ASP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . 40
Sinful ASP (Response Splitting) . . . . . . . . . . . . . . . . . 40
Sinful ASP.NET Forms (XSS) . . . . . . . . . . . . . . . . . . 40
Sinful ASP.NET (Response Splitting) . . . . . . . . . . . . . . 40
Sinful JSP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Sinful JSP (Response Splitting) . . . . . . . . . . . . . . . . . 41
Sinful PHP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . 41
Sinful PHP (Response Splitting) . . . . . . . . . . . . . . . . 41
Sinful CGI Using Perl (XSS) . . . . . . . . . . . . . . . . . . . 42
Sinful mod_perl (XSS) . . . . . . . . . . . . . . . . . . . . . . 42
Sinful mod_perl (Response Splitting) . . . . . . . . . . . . . 42
Sinful HTTP Requests (XSRF) . . . . . . . . . . . . . . . . . . 42
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 43
Spotting the XSS Sin During Code Review . . . . . . . . . . . . . . 43
Spotting the XSRF Sin During Code Review . . . . . . . . . 44
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 44
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
CVE-2003-0712 Microsoft Exchange 5.5 Outlook Web
Access XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
CVE-2004-0203 Microsoft Exchange 5.5 Outlook Web
Access Response Splitting . . . . . . . . . . . . . . . . . . 46
CVE-2005-1674 Help Center Live (XSS and XSRF) . . . . . . 47
Redemption Steps (XSS and Response Splitting) . . . . . . . . . . 47
Ruby on Rails Redemption (XSS) . . . . . . . . . . . . . . . . 47
ISAPI C/C++ Redemption (XSS) . . . . . . . . . . . . . . . . 48
Python Redemption(XSS) . . . . . . . . . . . . . . . . . . . . 49
ASP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 49
ASP.NET Web Forms Redemption (XSS) . . . . . . . . . . . 50
ASP.NET Web Forms Redemption (RS) . . . . . . . . . . . . 50
JSP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 51
PHP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . 53
CGI Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 53
mod_perl Redemption (XSS) . . . . . . . . . . . . . . . . . . 54
Redemption Steps (XSRF) . . . . . . . . . . . . . . . . . . . . . . . 55
A Note about Timeouts . . . . . . . . . . . . . . . . . . . . . 55
A Note about XSRF and POST vs. GET . . . . . . . . . . . . 55
Ruby on Rails Redemption (XSRF) . . . . . . . . . . . . . . . 56
ASP.NET Web Forms Redemption (XSRF) . . . . . . . . . . 56
Non-Draconian Use of HTML Encode . . . . . . . . . . . . . 57
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 57
Use HttpOnly Cookies . . . . . . . . . . . . . . . . . . . . . . 57
Wrap Tag Properties with Double Quotes . . . . . . . . . . . 58
Consider Using ASP.NET ViewStateUserKey . . . . . . . . . 58
Consider Using ASP.NET ValidateRequest . . . . . . . . . . 59
Use the ASP.NET Security Runtime Engine Security . . . . . 59
Consider Using OWASP CSRFGuard . . . . . . . . . . . . . 59
Use Apache::TaintRequest . . . . . . . . . . . . . . . . . . . . 59
Use UrlScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Set a Default Character Set . . . . . . . . . . . . . . . . . . . . 60
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3 Web Client–Related Vulnerabilities (XSS)
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Privacy Implications of Sinful Gadgets . . . . . . . . . . . . . 67
Sinful JavaScript and HTML . . . . . . . . . . . . . . . . . . 67
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 68
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 68
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 69
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Microsoft ISA Server XSS CVE-2003-0526 . . . . . . . . . . . 69
Windows Vista Sidebar CVE-2007-3033
and CVE-2007-3032 . . . . . . . . . . . . . . . . . . . . . . 70
Yahoo! Instant Messenger ActiveX Control
CVE-2007-4515 . . . . . . . . . . . . . . . . . . . . . . . . . 70
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Don’t Trust Input . . . . . . . . . . . . . . . . . . . . . . . . . 71
Replace Insecure Constructs with More Secure
Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 73
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4 Use of Magic URLs, Predictable Cookies, and Hidden Form Fields
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Magic URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Predictable Cookies . . . . . . . . . . . . . . . . . . . . . . . . 77
Hidden Form Fields . . . . . . . . . . . . . . . . . . . . . . . 77
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 78
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 78
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 79
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
CVE-2005-1784 . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Attacker Views the Data . . . . . . . . . . . . . . . . . . . . . 81
Attacker Replays the Data . . . . . . . . . . . . . . . . . . . . 81
Attacker Predicts the Data . . . . . . . . . . . . . . . . . . . . 83
Attacker Changes the Data . . . . . . . . . . . . . . . . . . . 84
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 85
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Part 2
Implementation Sins
5 Buffer Overruns
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
64-bit Implications . . . . . . . . . . . . . . . . . . . . . . . . 95
Sinful C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 99
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 99
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 100
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
CVE-1999-0042 . . . . . . . . . . . . . . . . . . . . . . . . . . 101
CVE-2000-0389–CVE-2000-0392 . . . . . . . . . . . . . . . . . 101
CVE-2002-0842, CVE-2003-0095, CAN-2003-0096 . . . . . . . 102
CAN-2003-0352 . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Replace Dangerous String Handling Functions . . . . . . . . 103
Audit Allocations . . . . . . . . . . . . . . . . . . . . . . . . . 103
Check Loops and Array Accesses . . . . . . . . . . . . . . . . 103
Replace C String Buffers with C++ Strings . . . . . . . . . . 104
Replace Static Arrays with STL Containers . . . . . . . . . . 104
Use Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . 104
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 105
Stack Protection . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Nonexecutable Stack and Heap . . . . . . . . . . . . . . . . . 105
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
6 Format String Problems
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Sinful C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 114
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 114
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 115
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
CVE-2000-0573 . . . . . . . . . . . . . . . . . . . . . . . . . . 115
CVE-2000-0844 . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
C/C++ Redemption . . . . . . . . . . . . . . . . . . . . . . . 116
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 116
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
7 Integer Overflows
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Sinful C and C++ . . . . . . . . . . . . . . . . . . . . . . . . . 121
Sinful C# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Sinful Visual Basic and Visual Basic .NET . . . . . . . . . . . 130
Sinful Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Sinful Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 132
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 133
C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
C# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Visual Basic and Visual Basic .NET . . . . . . . . . . . . . . . 136
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 136
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Multiple Integer Overflows in the SearchKit API
in Apple Mac OS X . . . . . . . . . . . . . . . . . . . . . . 136
Integer Overflow in Google Android SDK . . . . . . . . . . . 137
Flaw in Windows Script Engine Could Allow
Code Execution . . . . . . . . . . . . . . . . . . . . . . . . 137
Heap Overrun in HTR Chunked Encoding Could Enable
Web Server Compromise . . . . . . . . . . . . . . . . . . . 137
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Do the Math . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Don’t Use Tricks . . . . . . . . . . . . . . . . . . . . . . . . . 138
Write Out Casts . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Use SafeInt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 141
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
8 C++ Catastrophes
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Sinful Calls to Delete . . . . . . . . . . . . . . . . . . . . . . . 145
Sinful Copy Constructors . . . . . . . . . . . . . . . . . . . . 146
Sinful Constructors . . . . . . . . . . . . . . . . . . . . . . . . 148
Sinful Lack of Reinitialization . . . . . . . . . . . . . . . . . . 148
Sinful Ignorance of STL . . . . . . . . . . . . . . . . . . . . . 149
Sinful Pointer Initialization . . . . . . . . . . . . . . . . . . . 149
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 150
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 150
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 151
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
CVE-2008-1754 . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Mismatched new and delete Redemption . . . . . . . . . . . 151
Copy Constructor Redemption . . . . . . . . . . . . . . . . . 152
Constructor Initialization Redemption . . . . . . . . . . . . . 152
Reinitialization Redemption . . . . . . . . . . . . . . . . . . . 153
STL Redemption . . . . . . . . . . . . . . . . . . . . . . . . . 153
Uninitialized Pointer Redemption . . . . . . . . . . . . . . . 153
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 154
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
9 Catching Exceptions
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Sinful C++ Exceptions . . . . . . . . . . . . . . . . . . . . . . 158
Sinful Structured Exception Handling (SEH) . . . . . . . . . 161
Sinful Signal Handling . . . . . . . . . . . . . . . . . . . . . . 163
Sinful C#, VB.NET, and Java . . . . . . . . . . . . . . . . . . 164
Sinful Ruby . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 165
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 165
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 167
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
CVE-2007-0038 . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
C++ Redemption . . . . . . . . . . . . . . . . . . . . . . . . . 167
SEH Redemption . . . . . . . . . . . . . . . . . . . . . . . . . 168
Signal Handler Redemption . . . . . . . . . . . . . . . . . . . 168
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
10 Command Injection
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 175
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 175
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 177
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
CAN-2001-1187 . . . . . . . . . . . . . . . . . . . . . . . . . . 177
CAN-2002-0652 . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Data Validation . . . . . . . . . . . . . . . . . . . . . . . . . . 179
When a Check Fails . . . . . . . . . . . . . . . . . . . . . . . . 181
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 182
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
11 Failure to Handle Errors Correctly
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Yielding Too Much Information . . . . . . . . . . . . . . . . 185
Ignoring Errors . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Misinterpreting Errors . . . . . . . . . . . . . . . . . . . . . . 186
Using Useless Return Values . . . . . . . . . . . . . . . . . . 186
Using Non-Error Return Values . . . . . . . . . . . . . . . . 186
Sinful C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Sinful C/C++ on Windows . . . . . . . . . . . . . . . . . . . 187
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 188
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 188
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 188
Example Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
CVE-2007-3798 tcpdump print-bgp.c Buffer Overflow
Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . 188
CVE-2004-0077 Linux Kernel do_mremap . . . . . . . . . . . 189
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
C/C++ Redemption . . . . . . . . . . . . . . . . . . . . . . . 189
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
12 Information Leakage
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Side Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
TMI: Too Much Information! . . . . . . . . . . . . . . . . . . 194
A Model for Information Flow Security . . . . . . . . . . . . 196
Sinful C# (and Any Other Language) . . . . . . . . . . . . . 198
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 199
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 199
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 200
The Stolen Laptop Scenario . . . . . . . . . . . . . . . . . . . 200
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
CVE-2008-4638 . . . . . . . . . . . . . . . . . . . . . . . . . . 201
CVE-2005-1133 . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
C# (and Other Languages) Redemption . . . . . . . . . . . . 202
Network Locality Redemption . . . . . . . . . . . . . . . . . 203
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 203
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
13 Race Conditions
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Sinful Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 210
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 210
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 211
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
CVE-2008-0379 . . . . . . . . . . . . . . . . . . . . . . . . . . 212
CVE-2008-2958 . . . . . . . . . . . . . . . . . . . . . . . . . . 212
CVE-2001-1349 . . . . . . . . . . . . . . . . . . . . . . . . . . 212
CAN-2003-1073 . . . . . . . . . . . . . . . . . . . . . . . . . . 212
CVE-2000-0849 . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 215
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
14 Poor Usability
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Who Are Your Users? . . . . . . . . . . . . . . . . . . . . . . 219
The Minefield: Presenting Security Information
to Your Users . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 221
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 221
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 222
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
SSL/TLS Certificate Authentication . . . . . . . . . . . . . . 222
Internet Explorer 4.0 Root Certificate Installation . . . . . . . 223
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
When Users Are Involved, Make the UI Simple and Clear . . . 224
Make Security Decisions for Users . . . . . . . . . . . . . . . 224
Make Selective Relaxation of Security Policy Easy . . . . . . 226
Clearly Indicate Consequences . . . . . . . . . . . . . . . . . 226
Make It Actionable . . . . . . . . . . . . . . . . . . . . . . . . 228
Provide Central Management . . . . . . . . . . . . . . . . . . 228
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
15 Not Updating Easily
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Sinful Installation of Additional Software . . . . . . . . . . . 232
Sinful Access Controls . . . . . . . . . . . . . . . . . . . . . . 233
Sinful Prompt Fatigue . . . . . . . . . . . . . . . . . . . . . . 233
Sinful Ignorance . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Sinfully Updating Without Notifying . . . . . . . . . . . . . 233
Sinfully Updating One System at a Time . . . . . . . . . . . 234
Sinfully Forcing a Reboot . . . . . . . . . . . . . . . . . . . . 234
Sinfully Difficult Patching . . . . . . . . . . . . . . . . . . . . 234
Sinful Lack of a Recovery Plan . . . . . . . . . . . . . . . . . 234
Sinfully Trusting DNS . . . . . . . . . . . . . . . . . . . . . . 234
Sinfully Trusting the Patch Server . . . . . . . . . . . . . . . 234
Sinful Update Signing . . . . . . . . . . . . . . . . . . . . . . 234
Sinful Update Unpacking . . . . . . . . . . . . . . . . . . . . 235
Sinful User Application Updating . . . . . . . . . . . . . . . 235
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 235
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 236
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 236
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Apple QuickTime Update . . . . . . . . . . . . . . . . . . . . 236
Microsoft SQL Server 2000 Patches . . . . . . . . . . . . . . . 237
Google’s Chrome Browser . . . . . . . . . . . . . . . . . . . . 237
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Installation of Additional Software Redemption . . . . . . . 237
Access Control Redemption . . . . . . . . . . . . . . . . . . . 237
Prompt Fatigue Redemption . . . . . . . . . . . . . . . . . . 238
User Ignorance Redemption . . . . . . . . . . . . . . . . . . . 238
Updating Without Notifying Redemption . . . . . . . . . . . 238
Updating One System at a Time Redemption . . . . . . . . . 238
Forcing a Reboot Redemption . . . . . . . . . . . . . . . . . . 239
Difficult Patching Redemption . . . . . . . . . . . . . . . . . 239
Lack of a Recovery Plan Redemption . . . . . . . . . . . . . 240
Trusting DNS Redemption . . . . . . . . . . . . . . . . . . . 240
Trusting the Patch Server Redemption . . . . . . . . . . . . . 240
Update Signing Redemption . . . . . . . . . . . . . . . . . . 240
Update Unpacking Redemption . . . . . . . . . . . . . . . . 240
User Application Updating Redemption . . . . . . . . . . . . 241
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 241
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
16 Executing Code with Too Much Privilege
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 246
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 246
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 246
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Windows, C, and C++ . . . . . . . . . . . . . . . . . . . . . . 248
Linux, BSD, and Mac OS X . . . . . . . . . . . . . . . . . . . 250
.NET Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 251
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
17 Failure to Protect Stored Data
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Weak Access Controls on Stored Data . . . . . . . . . . . . . 254
Sinful Access Controls . . . . . . . . . . . . . . . . . . . . . . 256
Weak Encryption of Stored Data . . . . . . . . . . . . . . . . 258
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 259
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 259
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 260
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
CVE-2000-0100 . . . . . . . . . . . . . . . . . . . . . . . . . . 262
CVE-2005-1411 . . . . . . . . . . . . . . . . . . . . . . . . . . 262
CVE-2004-0907 . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
C++ Redemption on Windows . . . . . . . . . . . . . . . . . 263
C# Redemption on Windows . . . . . . . . . . . . . . . . . . 264
C/C++ Redemption (GNOME) . . . . . . . . . . . . . . . . . 264
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 265
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
18 The Sins of Mobile Code
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Sinful Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . 270
Sinful Mobile Code Containers . . . . . . . . . . . . . . . . . 270
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 271
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 271
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 272
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
CVE-2006-2198 . . . . . . . . . . . . . . . . . . . . . . . . . . 273
CVE-2008-1472 . . . . . . . . . . . . . . . . . . . . . . . . . . 273
CVE-2008-5697 . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Mobile Code Container Redemption Steps . . . . . . . . . . 273
Mobile Code Redemptions . . . . . . . . . . . . . . . . . . . 275
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 275
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Part 3
Cryptographic Sins
19 Use of Weak Password-Based Systems
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Password Compromise . . . . . . . . . . . . . . . . . . . . . 281
Allowing Weak Passwords . . . . . . . . . . . . . . . . . . . 281
Password Iteration . . . . . . . . . . . . . . . . . . . . . . . . 282
Not Requiring Password Changes . . . . . . . . . . . . . . . 282
Default Passwords . . . . . . . . . . . . . . . . . . . . . . . . 282
Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Storing Passwords Instead of Password Verifiers . . . . . . . 283
Brute-Force Attacks Against Password Verifiers . . . . . . . 283
Revealing Whether a Failure Is Due to an Incorrect
User or Password . . . . . . . . . . . . . . . . . . . . . . . 284
Online Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Returning a Forgotten Password . . . . . . . . . . . . . . . . 285
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 285
Password Compromise . . . . . . . . . . . . . . . . . . . . . 285
Allowing Weak Passwords . . . . . . . . . . . . . . . . . . . 285
Iterated Passwords . . . . . . . . . . . . . . . . . . . . . . . . 286
Never Changing a Password . . . . . . . . . . . . . . . . . . 286
Default Passwords . . . . . . . . . . . . . . . . . . . . . . . . 286
Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Brute Force Attacks Against Password Verifiers . . . . . . . 286
Storing Passwords Instead of Password Verifiers . . . . . . . 287
Online Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Returning a Forgotten Password . . . . . . . . . . . . . . . . 287
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 287
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 288
Password Compromise . . . . . . . . . . . . . . . . . . . . . 288
Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Brute-Force Attacks . . . . . . . . . . . . . . . . . . . . . . . . 288
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Zombies Ahead! . . . . . . . . . . . . . . . . . . . . . . . . . 289
Microsoft Office Password to Modify . . . . . . . . . . . . . 289
Adobe Acrobat Encryption . . . . . . . . . . . . . . . . . . . 289
WU-ftpd Core Dump . . . . . . . . . . . . . . . . . . . . . . . 290
CVE-2005-1505 . . . . . . . . . . . . . . . . . . . . . . . . . . 290
CVE-2005-0432 . . . . . . . . . . . . . . . . . . . . . . . . . . 290
The TENEX Bug . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Sarah Palin Yahoo E-Mail Compromise . . . . . . . . . . . . 291
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Password Compromise Redemption . . . . . . . . . . . . . . 291
Weak Password Redemption . . . . . . . . . . . . . . . . . . 292
Iterated Password Redemption . . . . . . . . . . . . . . . . . 292
Password Change Redemption . . . . . . . . . . . . . . . . . 292
Default Password Redemption . . . . . . . . . . . . . . . . . 292
Replay Attack Redemption . . . . . . . . . . . . . . . . . . . 292
Password Verifier Redemption . . . . . . . . . . . . . . . . . 293
Online Brute-Force Attack Redemption . . . . . . . . . . . . 294
Logon Information Leak Redemption . . . . . . . . . . . . . 295
Forgotten Password Redemption . . . . . . . . . . . . . . . . 295
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 295
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
20 Weak Random Numbers
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Sinful Non-cryptographic Generators . . . . . . . . . . . . . 301
Sinful Cryptographic Generators . . . . . . . . . . . . . . . . 302
Sinful True Random Number Generators . . . . . . . . . . . 303
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 303
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 304
When Random Numbers Should Have Been Used . . . . . . 304
Finding Places That Use PRNGs . . . . . . . . . . . . . . . . 304
Determining Whether a CRNG Is Seeded Properly . . . . . . 304
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 305
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
TCP/IP Sequence Numbers . . . . . . . . . . . . . . . . . . . 306
ODF Document Encryption Standard . . . . . . . . . . . . . 306
CVE-2008-0166 Debian “Random” Key Generation . . . . . 307
The Netscape Browser . . . . . . . . . . . . . . . . . . . . . . 308
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Windows, C, and C++ . . . . . . . . . . . . . . . . . . . . . . 308
Windows with Trusted Platform Module (TPM) Support . . . 309
.NET Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Unix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Replaying Number Streams . . . . . . . . . . . . . . . . . . . 312
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 312
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
21 Using Cryptography Incorrectly
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Using Home-Grown Cryptography . . . . . . . . . . . . . . 317
Creating a Protocol from Low-Level Algorithms When
a High-Level Protocol Will Do . . . . . . . . . . . . . . . . 317
Using a Weak Cryptographic Primitive . . . . . . . . . . . . 318
Using a Cryptographic Primitive Incorrectly . . . . . . . . . 318
Using the Wrong Cryptographic Primitive . . . . . . . . . . 321
Using the Wrong Communication Protocol . . . . . . . . . . 321
Failing to Use Salt . . . . . . . . . . . . . . . . . . . . . . . . . 321
Failing to Use a Random IV . . . . . . . . . . . . . . . . . . . 321
Using a Weak Key Derivation Function . . . . . . . . . . . . 322
Failure to Provide an Integrity Check . . . . . . . . . . . . . 322
Failure to Use Agile Encryption . . . . . . . . . . . . . . . . . 323
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 323
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 323
Using Home-Grown Cryptography (VB.NET and C++) . . . 324
Creating a Protocol from Low-Level Algorithms When
a High-Level Protocol Will Do . . . . . . . . . . . . . . . . 324
Using a Weak Cryptographic Primitive (C# and C++) . . . . 325
Using a Cryptographic Primitive Incorrectly (Ruby, C#,
and C++) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Using the Wrong Cryptographic Primitive . . . . . . . . . . 326
Using the Wrong Communication Protocol . . . . . . . . . . 326
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 326
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Microsoft Office XOR Obfuscation . . . . . . . . . . . . . . . 326
Adobe Acrobat and Microsoft Office Weak KDF . . . . . . . 327
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Using Home-Grown Cryptography Redemption . . . . . . . 328
Creating a Protocol from Low-Level Algorithms When
a High-Level Protocol Will Do Redemption . . . . . . . . 328
Using a Weak Cryptographic Primitive Redemption . . . . . 328
Using a Cryptographic Primitive Incorrectly Redemption . . 328
Using the Wrong Cryptographic Primitive Redemption . . . 330
Failing to Use Salt Redemption . . . . . . . . . . . . . . . . . 330
Failing to Use a Random IV Redemption . . . . . . . . . . . 330
Using a Weak Key Derivation Function Redemption . . . . 330
Failure to Provide an Integrity Check Redemption . . . . . . 331
Failure to Use Agile Encryption Redemption . . . . . . . . . 332
Using the Wrong Communication Protocol Redemption . . 332
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 332
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Part 4
Networking Sins
22 Failing to Protect Network Traffic
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 343
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 343
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 343
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
E-Mail Protocols . . . . . . . . . . . . . . . . . . . . . . . . . 344
E*TRADE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 346
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
23 Improper Use of PKI, Especially SSL
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 350
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 351
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 352
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
CVE-2007-4680 . . . . . . . . . . . . . . . . . . . . . . . . . . 353
CVE-2008-2420 . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Ensuring Certificate Validity . . . . . . . . . . . . . . . . . . 354
Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 358
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
24 Trusting Network Name Resolution
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Sinful Applications . . . . . . . . . . . . . . . . . . . . . . . . 365
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 366
Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 367
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 367
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
CVE-2002-0676 . . . . . . . . . . . . . . . . . . . . . . . . . . 368
CVE-1999-0024 . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
ACKNOWLEDGMENTS
No book is written solely by the authors; there is plenty of excellent
feedback and commentary from reviewers.We are lucky in that we
know a lot of very good people who are some of the best people in
their field and we can ask those people for their input on specific subjects. If
it were not for these other people, the 24 Deadly Sins would be inaccurate and worthless!
First, we need to thank our families for giving up their precious time, and allowing us to write yet another book. Next, we’d like to thank Jane Brownlow for her patience and support managing this book to
completion, despite all of the authors being very busy doing their day jobs. Alan Krassowski did just
as excellent a job with technical review as he did for the first edition. Joya Anthony helped us keep
everything organized and on schedule. Rachel Gunn provided her project management talents, and
Robert Campbell contributed his truly great copy editing skills.
Wewould like to thank the following people who gave us feedback that helped us shape the book.
From Microsoft: Jim Deville, Alpha Chen, Cliff Moon, Bryan Sullivan, Tom Gallagher, Alan
Myrvold, Jeremy Dallman, and Eric Lawrence.
From outside Microsoft: Peter Gutmann (Auckland University), Rob Mack (VitalSource Technologies,
Inc), Chris Weber (Casaba Security, LLC), and Dan Kaminsky (IOActive.)
Michael Howard
David LeBlanc
John Viega
September 2009
● Screenshot ●
Purchase Now !
Just with Paypal
Just with Paypal
Product details
Price
|
|
|---|---|
File Size
| 2,834 KB |
Pages
|
433 p |
File Type
|
PDF format |
ISBN
| 978-0-07-162676-7 |
Copyright
|
2010 by The McGraw-Hill Companies
|
●▬▬❂❂▬▬●
●▬❂▬●
●❂●
═════● ●═════
