Hack Proof: Software Design for a Hostile Internet
1 like182 views
The document outlines key principles for secure software design in a hostile internet environment, covering vulnerabilities such as buffer overflows, injection attacks, and session management. It emphasizes the importance of secure coding practices, including proper user input screening and authentication techniques. Additionally, it provides an overview of encryption methods and resources for web application security education.
Hack Proof: Software Design for a Hostile Internet
- 1. Hack Proof: Software Design for a Hostile Internet Robert Bogue (317) 844-5310 Rob.Bogue@ThorProjects.com
- 4. Objective
- 5. Secure Code = Good Code
- 6. Agenda • Vulnerabilities • Account Management • Session Management • Encryption • Principles
- 8. Vulnerability Types • Buffer Overflow • Replay • Man-in-the-Middle • Injection • Forgery
- 9. Buffer Overflow • The user provides more information than was allocated in memory • Very few concerns in managed languages
- 10. Replay • Taking a valid sequence • Injecting new malicious commands • Replaying the modified sequence
- 11. Man-in-the-Middle • Intercept traffic • Monitor the traffic • Pass it on to the real system
- 12. Injection • SQL • Cross Site Scripting (XSS) • CR/LF
- 13. SQL Injection • Example: • a’; UPDATE users SET password = ‘WooHoo’ -- • Mediation: • Stored Procedures • Clean/Screen User Input • Parameterized Queries
- 14. Cross Site Scripting • Example: • <SCRIPT type="text/javascript"> var adr = '../evil.php?cakemonster=' + escape(document.cookie); </SCRIPT> • Mediation • Clean/Screen User Input • Screen User Output
- 15. CR/LF Injection • Example: • http://www.yoursite.com/somepa ge.php?page=%0d%0aContent- Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtm l%3EHacker Content%3C/html%3E • Mediation: • Clean/Screen User Input
- 16. Forgery • Cross-Site Request Forgery (CSRF/XSRF) • Example • <img src="http://bank.com/transfer.do?ac ct=MARIA&amount=100000" width="0" height="0" border="0"> • Mitigation • Require session ID with request • Use POST with CORS (restricted)
- 18. Authentication Management • Password Requirements • Complexity • History • Operations • Password Reset • Login Failure • Consistent Response • Account Lockout
- 19. Authentication Technique • HTTP • Basic • NTLM • V1 • V2 • Kerberos • Forms • Claims
- 20. Claims • Parties • Issuers • Relying Parties • Benefits • Single Sign On • Transfer of responsibility • Flexibility
- 21. User Validation • Email • Account Setup • Multifactor • Tokens (RSA) • Grid Card • Phone • Text • Phone Call • App
- 24. Cookies • Scope (Parent Domain) • Sensitive (HTTP Only, Secure) • Session IDs (Not Secure info)
- 25. Encryption
- 27. History of Encryption • Symmetric (Private) • Hash (One-Way) • Asymmetric (Public-Private)
- 28. Symmetric • One Key Encrypts and Decrypts • Called Private/Secret Key • Computationally Fast • Problem: Exchanging the Secret Key CC BY-SA 4.0 – Alessandro Nassiri
- 29. Hash • Large message converted to smaller hash value • Small change in source causes large change in hash • Add “secret” salt to accomplish authentication
- 30. Asymmetric • Pair of keys – one public and one private • Computationally expensive
- 31. Encrypt a Verifiable Message 1. Add salt (randomness) 2. Hash message 3. Encrypt message with private key
- 32. Authenticate a Message 1. Get Public Key and Decrypt 2. Generate your hash of the message 3. Compare your hash to the one provided
- 33. Certificates • Host Identifiers • Approved Uses • Public Key • Other Certificates (Signed with Private Key)
- 34. Certificate Chain 1. Trusted a 3rd party authenticates party B 2. 3rd Party issues certificate with encrypted certificate of party B enclosed 3. Party A knows party B by matching host identifiers and decrypting a message from them with the public key
- 35. Transport Layer Security (Simplified) 1. Initiate conversation with list of ciphers 2. Server responds with ciphers and certificate 3. Client confirms certificate, generates session keys, encrypts with server public key, and sends
- 36. WhentoEncrypt
- 37. Principles
- 38. Don’t Share • Don’t • Transmit information you don’t have to • Display errors to the user • Let browsers control caching • Do • Provide least privileges
- 39. Resources
- 40. • http://www.owasp.org • Information and resources about web application security • Education about vulnerability / fault categories and protection strategies
- 41. Common Weakness Enumeration (CWE) • http://cwe.mitre.org • Listing of weakness types • Categorization of weaknesses
- 42. Common Attack Pattern Enumeration and Classification (CAPEC) • http://capec.mitre.org • Listing of vectors of attack against applications
- 43. NVD Common Vulnerability Scoring System • https://nvd.nist.gov/CVSS/v3- calculator • Unified scoring of vulnerabilities • Built in calculator
- 44. Discussion
Editor's Notes
- #5: Footprints… Key milestones Talk about the types, show a few techniques for solving, create awareness If you’re an app dev – good summary/breadth/tools If you’re a app security guy – Tools for discussing w/ developers
- #8: Simultaneous toilet flushing causing problems.
- #9: Or running aground… that’s why we have lighthouses… ways to keep us from running around.
- #10: i.e. if you’re not programming in C++, it’s probably not a problem. By the way, does anyone know what an interrupt table is? (Very start of memory.)
- #12: Yogi Berra “You can observe a lot just by watching.”
- #14: Stored procedures don’t help if you end up doing dynamic SQL inside of them.
- #15: Note example from OWASP.org site (Open Web Application Security Project)
- #16: From Acunetix web site. Mostly not a problem in .NET / Encoding on by default/ IIS 7+ will block
- #17: Require a session for calls… use to transition to Session Management Require Session as a part of submitted information POST HTTP Method CORS = Cross-Origin Resource Sharing / Allows Javascript to make requests across domains.
- #21: Claims example… Drivers License. Including identity, method of verification, and additional attributes. Transfer of responsibility = pass the buck. (Good thing here.)
- #27: Secrecy/Privacy Authenticity/Non-Repudiation
- #28: Hieroglyphs show used in Egypt circa 1900 BC Symmetric – Enigma (German encryption) Public-Private- Computationally expensive – used to securely exchange keys for symmetric Hash – One way – Passwords…
- #29: Picture is an enigma machine. World War II era encryption/cypher device We captured U-505 June 4, 1944 and got the largest cache of intelligence recovered in WWII – including two Enigma machines.
- #30: Diamonds start as carbon and are heated and compressed to form diamonds… they have hidden signatures (flaws) in them. They are small but expensive… Hashs like the weather… a butterfly flapping wings in Brazil causes tornado in Texas. A small change (or misobservation) can lead to a large change in results.
- #31: This is to START SSL – to trade the private key
- #37: In Transit – SSL… Use HTTP Strict Transport Security to force SSL At Rest – We can’t force them to use hard drive encryption – too many machines disappear.