Software Security Examples

Static Code Analysis Introduction and examples Roberto Battistoni ([email protected]) Information Security course 2009/2010: prof. Luigi V. Mancini

Page 1: Software Security Examples

Static Code Analysis: Introduction and examples

Roberto Battistoni ([email protected])

Information Security course 2009/2010: prof. Luigi V. Mancini

Page 2: Software Security Examples

Secure SDLC (Secure Software Development Life Cycle)

• Abuse Case and Threat Modeling

• Static Analysis or Code Review

Page 3: Software Security Examples

Seven Pernicious Kingdoms

1. Input Validation and Representation

2. API Abuse

3. Security Features

4. Time and State

5. Errors

6. Code Quality

7. Encapsulation

8. (*) Environment

Definition: By phylum we mean a specific type of coding error. For example, “Illegal Pointer Value” is a phylum.

Definition: A kingdom is a collection of phyla that share a common theme. For example, “Input Validation and Representation” is a kingdom.

Buffer Overflow. Writing outside the bounds of allocated memory can corrupt data, crash the program, or cause the execution of an attack payload.

Command Injection. Executing commands from an untrusted source or in an untrusted environment can cause an application to execute malicious commands on behalf of an attacker.

Cross-Site Scripting. Sending unvalidated data to a Web browser can result in the browser executing malicious code (usually scripts).

SQL Injection. Constructing a dynamic SQL statement with user input may allow an attacker to modify the statement’s meaning or to execute arbitrary SQL commands.

[...]

Page 4: Software Security Examples

Fortify SCA (Static Code Analysis with Fortify SCA)

Page 5: Software Security Examples

Example n° 1

Kingdom: API Abuse

/**
 * Get a database escaped string
 * @return string
 */
function getEscaped( $text ) {
    if (phpversion() < '4.3.0') {
        return mysql_escape_string( $text );
    } else {
        return mysql_real_escape_string( $text );
    }
}

Page 6: Software Security Examples

Example n° 1

Page 7: Software Security Examples

Example n° 2

Kingdom: Input Validation and Representation (SQL Injection)

/**
 * Execute the query
 * @return mixed A database resource if successful, FALSE if not.
 */
function query($sql = '') {
    global $mosConfig_debug;
    if ($sql == '') $sql = $this->_sql;
    if ($this->_debug) $this->_log[] = $sql;
    if ($this->_cursor = mysql_query($sql, $this->_resource)) {
        $this->_errorNum = 0;
        $this->_errorMsg = '';
        return $this->_cursor;
    } else {
        $this->_errorNum = mysql_errno( $this->_resource );
        $this->_errorMsg = mysql_error( $this->_resource )." SQL=$sql";
        if ($this->_debug) $this->debug_trace();
        return false;
    }
}
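Examples 1 and 2 belong together: the query text in Example 2 is executed exactly as it was assembled by the caller, and the only defence on offer is the escaping helper of Example 1. The Python program below is an added example for these notes, not from the slides or from the PHP code they quote. It stands up an in-memory SQLite table with constructed rows and runs the same lookup three ways: raw concatenation, concatenation through an escaping helper, and a bound parameter. The hostile inputs are constructed for the demonstration, and the escaping helper is a stand-in for getEscaped() written for SQLite's quoting rules.

```python
import sqlite3

# Constructed sample data standing in for the CMS user table.
SAMPLE_USERS = [(1, "alice", "admin"), (2, "bob", "editor"), (3, "carol", "editor")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def get_escaped(text):
    """Escaping helper in the spirit of getEscaped(): doubles single quotes,
    which is what SQLite expects inside a quoted string literal."""
    return text.replace("'", "''")


def query_concat(conn, name):
    """Example 2 pattern: the SQL text is built by concatenating raw input."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def query_escaped(conn, name):
    """Example 1 pattern: the same concatenation guarded by an escaping call.
    It holds only while every caller remembers to escape, with the rules of
    this particular dialect, and only for values that sit inside quotes."""
    sql = "SELECT id, name FROM users WHERE name = '" + get_escaped(name) + "'"
    return conn.execute(sql).fetchall()


def query_by_id_escaped(conn, user_id):
    """A numeric column: there are no quotes around the value, so the
    quote-escaping helper has nothing to escape and silently does not apply."""
    sql = "SELECT id, name FROM users WHERE id = " + get_escaped(user_id)
    return conn.execute(sql).fetchall()


def query_bound(conn, name):
    """Hardened form: a placeholder; the driver passes the value as data,
    so its content can never change the structure of the statement."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def query_by_id_bound(conn, user_id):
    """Bound parameter on the numeric column; non-numeric text simply never matches."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile inputs: tautologies that rewrite the WHERE clause.
    hostile_name = "' OR '1'='1"
    hostile_id = "2 OR 1=1"
    print("concat, benign :", query_concat(db, "bob"))
    print("concat, hostile:", query_concat(db, hostile_name))      # every row
    print("escaped        :", query_escaped(db, hostile_name))     # no row
    print("bound          :", query_bound(db, hostile_name))       # no row
    print("id, escaped    :", query_by_id_escaped(db, hostile_id))  # every row
    print("id, bound      :", query_by_id_bound(db, hostile_id))    # no row
```

The second pair of functions is the point a static analyser cannot see from the escaping call alone: escaping is a property of one call site and one dialect, whereas a bound parameter removes the string-building step that the SQL Injection phylum describes.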

Page 8: Software Security Examples

Example n° 3

Kingdom: Encapsulation (System Information Leak)

<html>
<!-- Copyright (c) 1999 The Apache Software Foundation. All rights reserved. -->
<body bgcolor="red">
<%@ page isErrorPage="true" %>
<h1>
The exception <%= exception.getMessage() %> tells me you made a wrong choice.
</h1>
<h2>
Exception raised was <%= exception.toString() %>.
</h2>
</body>
</html>
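The error page above copies exception.getMessage() and exception.toString() straight into the response, so whatever the failing code put in the message (connection strings, paths, class names) reaches the browser. The Python functions below are an added example for these notes, not from the slides or from the Apache sample page they quote. They show the usual remedy: the full detail goes to the server log under a reference id, and the client sees only that id. The debug branch reproduces the leaky behaviour for comparison; the failing request and its message are constructed.

```python
import html
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


def render_error_page(exc, debug=False):
    """Build the HTTP response for an unhandled exception.

    The exception type, message and stack trace are written to the server
    log under a fresh reference id; the page sent to the browser carries
    only that id, so support staff can correlate it without the client
    learning internal details. debug=True mirrors the JSP page's behaviour
    and belongs on a developer workstation only.
    Returns (status, body, reference_id).
    """
    ref = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s type=%s msg=%s\n%s", ref, type(exc).__name__, exc, trace)
    if debug:
        # Even here everything is HTML-escaped: exception text often carries
        # user-controlled input, so an error page is also a script-injection sink.
        body = "<h1>The exception %s tells me you made a wrong choice.</h1><pre>%s</pre>" % (
            html.escape(str(exc)), html.escape(trace))
    else:
        body = "<h1>Something went wrong.</h1><p>Reference: %s</p>" % ref
    return 500, body, ref


def handle(request_fn, debug=False):
    """Run a request handler and turn any failure into an error page."""
    try:
        return 200, request_fn(), None
    except Exception as exc:  # the broad catch is deliberate at the outermost boundary
        return render_error_page(exc, debug=debug)


def sample_failing_request():
    """Constructed failure whose message holds detail that must not reach the client."""
    raise RuntimeError("cannot connect to jdbc:mysql://db.internal:3306/cms as user <cms_app>")


if __name__ == "__main__":
    status, body, ref = handle(sample_failing_request)
    print(status, ref)
    print(body)
    print(handle(sample_failing_request, debug=True)[1])
```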

Page 9: Software Security Examples

Example n° 4

Kingdom: Security Features (Weak Encryption)

private void loadPBESecretKey() throws Exception {
    // Create the PBE secret key
    cipherSpec = new PBEParameterSpec(salt, iterationCount);
    PBEKeySpec keySpec = new PBEKeySpec(keyStorePassword);
    SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEwithMD5andDES");
    [...]
}

Page 10: Software Security Examples

Example n° 5

Kingdom: Security Features (Weak Cryptographic hash)

public String digest(String password, String digestType, String inputEncoding)
        throws CmsPasswordEncryptionException {
    MessageDigest md;
    String result;
    try {
        if (DIGEST_TYPE_PLAIN.equals(digestType.toLowerCase())) {
            result = password;
        } else if (DIGEST_TYPE_SSHA.equals(digestType.toLowerCase())) {
            byte[] salt = new byte[4];
            byte[] digest;
            byte[] total;
            if (m_secureRandom == null) {
                m_secureRandom = SecureRandom.getInstance("SHA1PRNG");
            }
            m_secureRandom.nextBytes(salt);
            md = MessageDigest.getInstance(DIGEST_TYPE_SHA);
            md.reset();
            md.update(password.getBytes(inputEncoding));
            md.update(salt);
            digest = md.digest();
            total = new byte[digest.length + salt.length];
            System.arraycopy(digest, 0, total, 0, digest.length);
            System.arraycopy(salt, 0, total, digest.length, salt.length);
            result = new String(Base64.encodeBase64(total));
        }
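Examples 4 and 5 both flag the choice of primitive: a password-based scheme built on MD5 and single DES, and a password digest that is one SHA-1 pass over the password and a 4-byte salt (or, with DIGEST_TYPE_PLAIN, no hashing at all). The Python program below is an added example for these notes, not from the slides or from the CMS code they quote. It reproduces the SSHA layout of Example 5 so the two can be compared, and beside it derives and verifies a PBKDF2-HMAC-SHA256 hash whose salt and iteration count travel with the stored value. The iteration count and salt length are constructed values for illustration, and UTF-8 stands in for the inputEncoding parameter.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for the example; tune the iteration count to the
# hardware that will verify logins rather than copying this number.
PBKDF2_ITERATIONS = 600_000
PBKDF2_SALT_LEN = 16


def ssha_digest(password, salt=None):
    """Same layout as the SSHA branch of Example 5:
    Base64( SHA-1(password || salt) || salt ) with a 4-byte salt.
    One fast hash invocation per guess and 2^32 possible salts."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Verifier for the legacy layout, useful only while migrating old records."""
    raw = base64.b64decode(stored)
    digest, salt = raw[:20], raw[20:]
    actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, digest)


def pbkdf2_digest(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Slow, salted, HMAC-based derivation. The stored string carries the
    scheme, the iteration count and the salt, so both can be raised later
    without breaking verification of existing records."""
    salt = os.urandom(PBKDF2_SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        _, scheme, iterations, salt_b64, dk_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import time
    pw = "correct horse battery staple"   # constructed sample password
    t0 = time.perf_counter()
    legacy = ssha_digest(pw)
    t1 = time.perf_counter()
    modern = pbkdf2_digest(pw)
    t2 = time.perf_counter()
    print("SSHA   :", legacy, "(%.6f s)" % (t1 - t0))
    print("PBKDF2 :", modern, "(%.3f s)" % (t2 - t1))
    print("verify :", verify_pbkdf2(pw, modern), verify_pbkdf2("wrong", modern))
```

The timing printed by the main block is the whole argument: the cost per guess is the parameter the defender controls, and a single SHA-1 pass sets it as low as it can go. hmac.compare_digest is used in both verifiers so that a mismatch takes the same time wherever the first differing byte sits.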

Page 11: Software Security Examples

Example n° 6

Kingdom: Errors (Empty Catch Block)

    if (!stdinInput) {
        try {
            inputReader.close();
        } catch (IOException e1) {
        }
    }
    return inputString;
}

Page 12: Software Security Examples

Example n° 7

Kingdom: Errors (overly broad exception)

public AdminClientMain() throws Exception {

[...]
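The deck files every finding under a kingdom and a phylum; the checker below reduces that idea to its simplest form. It is an added example written for these notes, not Fortify SCA or any of its rules: each rule is a line-oriented regular expression tagged with a kingdom and a phylum of this example's own naming, applied to source text. The Java, PHP and JSP snippets it scans are constructed to resemble Examples 1 to 7.

```python
import re
from collections import Counter

# Each rule: (kingdom, phylum, pattern). Heuristic text patterns; a real
# analyser works on a parsed program and follows data flow between statements.
RULES = [
    ("Errors", "Empty Catch Block",
     re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}")),
    ("Errors", "Overly Broad Throws",
     re.compile(r"\bthrows\s+(?:java\.lang\.)?Exception\b")),
    ("Security Features", "Weak Encryption",
     re.compile(r'(?:SecretKeyFactory|Cipher)\.getInstance\(\s*"[^"]*(?:DES|MD5)[^"]*"', re.I)),
    ("Security Features", "Weak Cryptographic Hash",
     re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"', re.I)),
    ("API Abuse", "Deprecated Function",
     re.compile(r"\bmysql_escape_string\s*\(")),
    ("Input Validation and Representation", "SQL Injection",
     re.compile(r"\bmysql_query\s*\(\s*\$\w+")),   # query text taken from a variable
    ("Encapsulation", "System Information Leak",
     re.compile(r"<%=\s*exception\.(?:getMessage|toString)\(\)")),
]


def scan(source, filename="<string>"):
    """Run every rule over the source text and return findings sorted by line."""
    findings = []
    for kingdom, phylum, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append({
                "file": filename,
                "line": line,
                "kingdom": kingdom,
                "phylum": phylum,
                "snippet": m.group(0).split("\n")[0].strip(),
            })
    return sorted(findings, key=lambda f: (f["file"], f["line"]))


def summarize(findings):
    """Count findings per kingdom, the grouping the deck's taxonomy suggests."""
    return Counter(f["kingdom"] for f in findings)


# Constructed inputs resembling the deck's examples.
SAMPLE_JAVA = """\
public class Sample {
    public Sample() throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBEwithMD5andDES");
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        try {
            reader.close();
        } catch (IOException e1) {
        }
    }
}
"""
SAMPLE_PHP = """\
<?php
function getEscaped($text) { return mysql_escape_string($text); }
$cursor = mysql_query($sql, $resource);
"""
SAMPLE_JSP = '<h1>The exception <%= exception.getMessage() %> tells me you made a wrong choice.</h1>'


if __name__ == "__main__":
    all_findings = []
    for name, text in (("Sample.java", SAMPLE_JAVA), ("db.php", SAMPLE_PHP), ("error.jsp", SAMPLE_JSP)):
        all_findings += scan(text, name)
    for f in all_findings:
        print("%s:%d  [%s / %s]  %s" % (f["file"], f["line"], f["kingdom"], f["phylum"], f["snippet"]))
    print(dict(summarize(all_findings)))
```

Two limits are visible straight away. Example 5 calls MessageDigest.getInstance(DIGEST_TYPE_SHA) through a constant, which a text pattern cannot resolve; and the SQL rule fires on any variable passed to mysql_query() without knowing whether that variable was built from request input, which is exactly the question a data-flow analysis answers and a regular expression cannot.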