Tài liệu 24 Deadly Sins of Software Security doc

REVIEWS FOR 24 DEADLY SINS OF SOFTWARE SECURITY

“We are still paying for the security sins of the past and we are doomed to failure if we don’t

learn from our history of poorly written software. From some of the most respected authors in

the industry, this hard-hitting book is a must-read for any software developer or security

zealot. Repeat after me–‘Thou shall not commit these sins!’”

—George Kurtz,

co-author of all six editions of Hacking Exposed and senior vice-president and general manager,

Risk and Compliance Business Unit, McAfee Security

“This little gem of a book provides advice on how to avoid 24 serious problems in your

programs—and how to check to see if they are present in others. Their presentation is simple,

straightforward, and thorough. They explain why these are sins and what can be done about

them. This is an essential book for every programmer, regardless of the language they use.

It will be a welcome addition to my bookshelf, and to my teaching material. Well done!”

—Matt Bishop,

Department of Computer Science, University of California at Davis

“The authors have demonstrated once again why they’re the ‘who’s who’ of software security.

The 24 Deadly Sins of Software Security is a tour de force for developers, security pros, project

managers, and anyone who is a stakeholder in the development of quality, reliable, and

thoughtfully-secured code. The book graphically illustrates the most common and dangerous

mistakes in multiple languages (C++, C#, Java, Ruby, Python, Perl, PHP, and more) and

numerous known-good practices for mitigating these vulnerabilities and ‘redeeming’ past

sins. Its practical prose walks readers through spotting patterns that are predictive of sinful

code (from high-level application functions to code-level string searches), software testing

approaches, and harnesses for refining out vulnerable elements, and real-world examples

of attacks that have been implemented in the wild. The advice and recommendations are

similarly down-to-earth and written from the perspective of seasoned practitioners who have

produced hardened—and usable—software for consumption by a wide range of audiences,

from consumers to open source communities to large-scale commercial enterprises.

Get this Bible of software security today, and go and sin no more!”

—Joel Scambray,

CEO of Consciere and co-author of the Hacking Exposed series

This page intentionally left blank

24

DEADLY

SINS

OF

SOFTWARE

SECURITY

Programming Flaws and

How to Fix Them

Michael Howard, David LeBlanc, and John Viega

New York Chicago San Francisco Lisbon

London Madrid Mexico City Milan New Delhi

San Juan Seoul Singapore Sydney Toronto

Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of

1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval sys￾tem, without the prior written permission of the publisher.

ISBN: 978-0-07-162676-7

MHID: 0-07-162676-X

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162675-0, MHID: 0-07-162675-1

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked

name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trade￾mark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate

training programs. To contact a representative please e-mail us at [email protected].

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or

mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of

any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.

Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one

copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon,

transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use

the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may

be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS

TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,

INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,

AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED

WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not

warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or

error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless

of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information

accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special,

punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised

of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause

arises in contract, tort or otherwise.

To Jennifer, who has put up with many days of my working

on a book, and to Michael for improving

my writing skills on our

fifth book together.

—David

To my family for simply putting up with me,

and to David as he continues

to find bugs in my code!

—Michael

This page intentionally left blank

ABOUT THE AUTHORS

Michael Howard is a principal security program manager on the Trustworthy Com￾puting (TwC) Group’s Security Engineering team at Microsoft, where he is responsible

for managing secure design, programming, and testing techniques across the company.

Howard is an architect of the Security Development Lifecycle (SDL), a process for

improving the security of Microsoft’s software.

Howard began his career with Microsoft in 1992 at the company’s New Zealand

office, working for the first two years with Windows and compilers on the Product Support

Services team, and then with Microsoft Consulting Services, where he provided security

infrastructure support to customers and assisted in the design of custom solutions and

development of software. In 1997, Howard moved to the United States to work for the

Windows division on Internet Information Services, Microsoft’s web server, before moving

to his current role in 2000.

Howard is an editor of IEEE Security & Privacy, is a frequent speaker at security-re￾lated conferences, and regularly publishes articles on secure coding and design. Howard

is the co-author of six security books, including the award-winning Writing Secure Code

(Second Edition, Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill

Professional, 2005), The Security Development Lifecycle (Microsoft Press, 2006), and his

most recent release, Writing Secure Code for Windows Vista (Microsoft Press, 2007).

David LeBlanc, Ph.D., is a principal software development engineer for the Microsoft

Office Trustworthy Computing group and in this capacity is responsible for designing

and implementing security technology used in Microsoft Office. He also helps advise

other developers on secure programming techniques. Since joining Microsoft in 1999, he

has been responsible for operational network security and was a founding member of the

Trustworthy Computing Initiative.

David is the co-author of the award-winning Writing Secure Code (Second Edition,

Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill Professional,

2005), Writing Secure Code for Windows Vista (Microsoft Press, 2007), and numerous articles.

John Viega, CTO of the SaaS Business Unit at McAfee, is the original author of the 19

deadly programming flaws that received press and media attention, and the first edition

of this book is based on his discoveries. John is also the author of many other security

books, including Building Secure Software (Addison-Wesley, 2001), Network Security with

OpenSSL (O’Reilly, 2002), and the Myths of Security (O’Reilly, 2009). He is responsible for

numerous software security tools and is the original author of Mailman, the GNU mail￾ing list manager. He has done extensive standards work in the IEEE and IETF and co-in￾vented GCM, a cryptographic algorithm that NIST has standardized. John is also an

active advisor to several security companies, including Fortify and Bit9. He holds an MS

and a BA from the University of Virginia.

vii

About the Technical Editor

Alan Krassowski is the Chief Architect of Consumer Applications at McAfee, Inc., where

he heads up the design of the next generation of award-winning security protection

products. Prior to this role, Alan led Symantec Corporation’s Product Security Team,

helping product teams deliver more secure security and storage products. Over the past

25 years, Alan has worked on a wide variety of commercial software projects. He has

been a development director, software engineer, and consultant at many industry-leading

companies, including Microsoft, IBM, Tektronix, Step Technologies, Screenplay Systems,

Quark, and Continental Insurance. Alan holds a BS degree in Computer Engineering

from the Rochester Institute of Technology in New York. He currently resides in Port￾land, Oregon.

viii 24 Deadly Sins of Software Security

ix

AT A GLANCE

Part I Web Application Sins

1 SQL Injection . . . . . . . . . . . . . . . . . . . 3

2 Web Server–Related Vulnerabilities

(XSS, XSRF, and Response Splitting) . . . . 29

3 Web Client–Related Vulnerabilities (XSS) . . . 63

4 Use of Magic URLs, Predictable Cookies, and

Hidden Form Fields . . . . . . . . . . . . . . 75

Part II Implementation Sins

5 Buffer Overruns . . . . . . . . . . . . . . . . . 89

6 Format String Problems . . . . . . . . . . . . . 109

7 Integer Overflows . . . . . . . . . . . . . . . . 119

8 C++ Catastrophes . . . . . . . . . . . . . . . . 143

9 Catching Exceptions . . . . . . . . . . . . . . . 157

10 Command Injection . . . . . . . . . . . . . . . 171

x 24 Deadly Sins of Software Security

11 Failure to Handle Errors Correctly . . . . . . . 183

12 Information Leakage . . . . . . . . . . . . . . 191

13 Race Conditions . . . . . . . . . . . . . . . . . 205

14 Poor Usability . . . . . . . . . . . . . . . . . . 217

15 Not Updating Easily . . . . . . . . . . . . . . . 231

16 Executing Code with Too Much Privilege . . 243

17 Failure to Protect Stored Data . . . . . . . . . 253

18 The Sins of Mobile Code . . . . . . . . . . . . 267

Part III Cryptographic Sins

19 Use of Weak Password-Based Systems . . . . 279

20 Weak Random Numbers . . . . . . . . . . . . 299

21 Using Cryptography Incorrectly . . . . . . . . 315

Part IV Networking Sins

22 Failing to Protect Network Traffic . . . . . . . 337

23 Improper Use of PKI, Especially SSL . . . . . 347

24 Trusting Network Name Resolution . . . . . . 361

Index . . . . . . . . . . . . . . . . . . . . . . . . 371

CONTENTS

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Part I

Web Application Sins

1 SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

A Note about LINQ . . . . . . . . . . . . . . . . . . . . . . . 6

Sinful C# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Sinful PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Sinful Perl/CGI . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Sinful Python . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Sinful Ruby on Rails . . . . . . . . . . . . . . . . . . . . . . . 9

Sinful Java and JDBC . . . . . . . . . . . . . . . . . . . . . . . 9

Sinful C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Sinful SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

xi

Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 13

Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 13

Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 14

Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

CVE-2006-4953 . . . . . . . . . . . . . . . . . . . . . . . . . . 18

CVE-2006-4592 . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Validate All Input . . . . . . . . . . . . . . . . . . . . . . . . . 19

Use Prepared Statements to Build SQL Statements . . . . . . 19

C# Redemption . . . . . . . . . . . . . . . . . . . . . . . . . . 19

PHP 5.0 and MySQL 4.1 or Later Redemption . . . . . . . . 20

Perl/CGI Redemption . . . . . . . . . . . . . . . . . . . . . . 20

Python Redemption . . . . . . . . . . . . . . . . . . . . . . . 21

Ruby on Rails Redemption . . . . . . . . . . . . . . . . . . . 22

Java Using JDBC Redemption . . . . . . . . . . . . . . . . . . 22

ColdFusion Redemption . . . . . . . . . . . . . . . . . . . . . 23

SQL Redemption . . . . . . . . . . . . . . . . . . . . . . . . . 23

Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 24

Encrypt Sensitive, PII, or Confidential Data . . . . . . . . . . 25

Use URLScan . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2 Web Server–Related Vulnerabilities (XSS, XSRF, and Response Splitting) . . . 29

Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

DOM-Based XSS or Type 0 . . . . . . . . . . . . . . . . . . . 31

Reflected XSS, Nonpersistent XSS, or Type 1 . . . . . . . . . 32

Stored XSS, Persistent XSS, or Type 2 . . . . . . . . . . . . . 34

HTTP Response Splitting . . . . . . . . . . . . . . . . . . . . 34

Cross-Site Request Forgery . . . . . . . . . . . . . . . . . . . 37

Sinful Ruby on Rails (XSS) . . . . . . . . . . . . . . . . . . . . 38

Sinful Ruby on Rails (Response Splitting) . . . . . . . . . . . 38

Sinful CGI Application in Python (XSS) . . . . . . . . . . . . 38

Sinful CGI Application in Python (Response Splitting) . . . 38

Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . . . . . . 39

Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . . . . . . 39

Sinful C/C++ ISAPI (XSS) . . . . . . . . . . . . . . . . . . . . 39

Sinful C/C++ ISAPI (Response Splitting) . . . . . . . . . . . 39

Sinful ASP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . 40

Sinful ASP (Response Splitting) . . . . . . . . . . . . . . . . . 40

xii 24 Deadly Sins of Software Security

Sinful ASP.NET Forms (XSS) . . . . . . . . . . . . . . . . . . 40

Sinful ASP.NET (Response Splitting) . . . . . . . . . . . . . . 40

Sinful JSP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Sinful JSP (Response Splitting) . . . . . . . . . . . . . . . . . 41

Sinful PHP (XSS) . . . . . . . . . . . . . . . . . . . . . . . . . 41

Sinful PHP (Response Splitting) . . . . . . . . . . . . . . . . 41

Sinful CGI Using Perl (XSS) . . . . . . . . . . . . . . . . . . . 42

Sinful mod_perl (XSS) . . . . . . . . . . . . . . . . . . . . . . 42

Sinful mod_perl (Response Splitting) . . . . . . . . . . . . . 42

Sinful HTTP Requests (XSRF) . . . . . . . . . . . . . . . . . . 42

Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 43

Spotting the XSS Sin During Code Review . . . . . . . . . . . . . . 43

Spotting the XSRF Sin During Code Review . . . . . . . . . 44

Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 44

Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

CVE-2003-0712 Microsoft Exchange 5.5 Outlook Web

Access XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

CVE-2004-0203 Microsoft Exchange 5.5 Outlook Web

Access Response Splitting . . . . . . . . . . . . . . . . . . 46

CVE-2005-1674 Help Center Live (XSS and XSRF) . . . . . . 47

Redemption Steps (XSS and Response Splitting) . . . . . . . . . . 47

Ruby on Rails Redemption (XSS) . . . . . . . . . . . . . . . . 47

ISAPI C/C++ Redemption (XSS) . . . . . . . . . . . . . . . . 48

Python Redemption(XSS) . . . . . . . . . . . . . . . . . . . . 49

ASP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 49

ASP.NET Web Forms Redemption (XSS) . . . . . . . . . . . 50

ASP.NET Web Forms Redemption (RS) . . . . . . . . . . . . 50

JSP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 51

PHP Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . 53

CGI Redemption (XSS) . . . . . . . . . . . . . . . . . . . . . . 53

mod_perl Redemption (XSS) . . . . . . . . . . . . . . . . . . 54

Redemption Steps (XSRF) . . . . . . . . . . . . . . . . . . . . . . . 55

A Note about Timeouts . . . . . . . . . . . . . . . . . . . . . 55

A Note about XSRF and POST vs. GET . . . . . . . . . . . . 55

Ruby on Rails Redemption (XSRF) . . . . . . . . . . . . . . . 56

ASP.NET Web Forms Redemption (XSRF) . . . . . . . . . . 56

Non-Draconian Use of HTML Encode . . . . . . . . . . . . . 57

Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 57

Use HttpOnly Cookies . . . . . . . . . . . . . . . . . . . . . . 57

Wrap Tag Properties with Double Quotes . . . . . . . . . . . 58

Consider Using ASP.NET ViewStateUserKey . . . . . . . . . 58

Consider Using ASP.NET ValidateRequest . . . . . . . . . . 59

Use the ASP.NET Security Runtime Engine Security . . . . . 59

Contents xiii

Consider Using OWASP CSRFGuard . . . . . . . . . . . . . 59

Use Apache::TaintRequest . . . . . . . . . . . . . . . . . . . . 59

Use UrlScan . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Set a Default Character Set . . . . . . . . . . . . . . . . . . . . 60

Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

3 Web Client–Related Vulnerabilities (XSS) . . . . . . . . . . . . . . . . . . 63

Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Privacy Implications of Sinful Gadgets . . . . . . . . . . . . . 67

Sinful JavaScript and HTML . . . . . . . . . . . . . . . . . . 67

Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 68

Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 68

Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 69

Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Microsoft ISA Server XSS CVE-2003-0526 . . . . . . . . . . . 69

Windows Vista Sidebar CVE-2007-3033

and CVE-2007-3032 . . . . . . . . . . . . . . . . . . . . . . 70

Yahoo! Instant Messenger ActiveX Control

CVE-2007-4515 . . . . . . . . . . . . . . . . . . . . . . . . . 70

Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Don’t Trust Input . . . . . . . . . . . . . . . . . . . . . . . . . 71

Replace Insecure Constructs with More Secure

Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Extra Defensive Measures . . . . . . . . . . . . . . . . . . . . . . . 73

Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

4 Use of Magic URLs, Predictable Cookies, and Hidden Form Fields . . . . . 75

Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Magic URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Predictable Cookies . . . . . . . . . . . . . . . . . . . . . . . . 77

Hidden Form Fields . . . . . . . . . . . . . . . . . . . . . . . 77

Related Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . . . . 78

Spotting the Sin During Code Review . . . . . . . . . . . . . . . . 78

Testing Techniques to Find the Sin . . . . . . . . . . . . . . . . . . 79

xiv 24 Deadly Sins of Software Security