目次

Introduction xxiii PART I CONTEMPORARY SECURITY 1 The Need for Secure Systems 3 Applications on the Wild Wild Web 5 The Need for Trustworthy Computing 7 Getting Everyone s Head in the Game 7 Using Tact to Sell Security to the Organization 8 Using Subversion 11 Some Ideas for Instilling a Security Culture 13 Get the Boss to Send an E-Mail 14 Nominate a Security Evangelist 15 The Attacker s Advantage and the Defender s Dilemma 19 Principle #1: The defender must defend all points
the attacker can choose the weakest point. 19 Principle #2: The defender can defend only against known attacks
the attacker can probe for unknown vulnerabilities. 20 Principle #3: The defender must be constantly vigilant
the attacker can strike at will. 20 Principle #4: The defender must play by the rules
the attacker can play dirty. 21 Summary 21 2 The Proactive Security Development Process 23 Process Improvements 25 The Role of Education 26 Resistance to Mandatory Training 29 Ongoing Training 29 Advancing the Science of Security 29 Education Proves the More Eyes Fallacy 31 Now the Evidence! 31 Design Phase 32 Security Questions During Interviews 33 Define the Product Security Goals 34 Security Is a Product Feature 37 Making Time for Security 40 Threat Modeling Leads to Secure Design 41 Build End-of-Life Plans for Insecure Features 41 Setting the Bug Bar 41 Security Team Review 43 Development Phase 43 Be Hardcore About Who Can Check In New Code (Check-Ins Checked) 43 Security Peer Review of New Code (Check-Ins Checked) 44 Define Secure Coding Guidelines 44 Review Old Defects 44 External Security Review 45 Security Push 45 Be Mindful of Your Bug Counts 46 Keep Track of Bug Metrics 46 No Surprises and No Easter Eggs! 47 Test Phase 47 Shipping and Maintenance Phases 47 How Do You Know When You re Done? 47 Response Process 48 Accountability 49 Summary 49 3 Security Principles to Live By 51 SD3: Secure by Design, by Default, and in Deployment 51 Secure by Design 51 Secure by Default 53 Secure in Deployment 53 Security Principles 54 Learn from Mistakes 54 Minimize Your Attack Surface 57 Employ Secure Defaults 57 Use Defense in Depth 59 Use Least Privilege 60 Backward Compatibility Will Always Give You Grief 62 Assume External Systems Are Insecure 63 Plan on Failure 64 Fail to a Secure Mode 64 Remember That Security Features != Secure Features 66 Never Depend on Security Through Obscurity Alone 66 Don t Mix Code and Data 67 Fix Security Issues Correctly 67 Summary 68 4 Threat Modeling 69 Secure Design Through Threat Modeling 70 Assemble the Threat-Modeling Team 72 Decompose the Application 73 Determine the Threats to the System 83 Rank the Threats by Decreasing Risk 93 Choose How to Respond to the Threats 106 Choose Techniques to Mitigate the Threats 107 Security Techniques 108 Authentication 109 Authorization 114 Tamper-Resistant and Privacy-Enhanced Technologies 115 Protect Secrets, or Better Yet, Don t Store Secrets 116 Encryption, Hashes, MACs, and Digital Signatures 116 Auditing 117 Filtering, Throttling, and Quality of Service 118 Least Privilege 118 Mitigating the Sample Payroll Application Threats 118 A Cornucopia of Threats and Solutions 120 Summary 124 PART II SECURE CODING TECHNIQUES 5 Public Enemy #1: The Buffer Overrun 127 Stack Overruns 129 Heap Overruns 138 Array Indexing Errors 144 Format String Bugs 147 Unicode and ANSI Buffer Size Mismatches 153 A Real Unicode Bug Example 154 Preventing Buffer Overruns 155 Safe String Handling 156 A Word of Caution About String-Handling Functions 166 The Visual C++ .NET /GS Option 167 Summary 170 6 Determining Appropriate Access Control 171 Why ACLs Are Important 171 A Diversion: Fixing the Registry Code 173 What Makes Up an ACL? 175 A Method of Choosing Good ACLs 178 Effective Deny ACEs 180 Creating ACLs 181 Creating ACLs in Windows NT 4 181 Creating ACLs in Windows 2000 185 Creating ACLs with Active Template Library 189 Getting the ACE Order Right 191 Be Wary of the Terminal Server and Remote Desktop SIDs 193 NULL DACLs and Other Dangerous ACE Types 195 NULL DACLs and Auditing 197 Dangerous ACE Types 197 What If I Can t Change the NULL DACL? 198 Other Access Control Mechanisms 199 .NET Framework Roles 199 COM+ Roles 201 IP Restrictions 202 SQL Server Triggers and Permissions 203 A Medical Example 203 An Important Note About Access Control Mechanisms 205 Summary 206 7 Running with Least Privilege 207 Least Privilege in the Real World 208 Viruses and Trojans 209 Web Server Defacements 210 Brief Overview of Access Control 211 Brief Overview of Privileges 211 SeBackupPrivilege Issues 212 SeRestorePrivilege Issues 215 SeDebugPrivilege Issues 215 SeTcbPrivilege Issues 216 SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege Issues 217 SeLoadDriverPrivilege Issues 217 SeRemoteShutdownPrivilege Issues 217 SeTakeOwnershipPrivilege Issues 217 Brief Overview of Tokens 218 How Tokens, Privileges, SIDs, ACLs, and Processes Relate 218 SIDs and Access Checks, Privileges and Privilege Checks 219 Three Reasons Applications Require Elevated Privileges 220 ACL Issues 220 Privilege Issue 221 Using LSA Secrets 221 Solving the Elevated Privileges Issue 222 Solving ACL Issues 222 Solving Privilege Issues 223 Solving LSA Issues 223 A Process for Determining Appropriate Privilege 223 Step 1: Find Resources Used by the Application 224 Step 2: Find Privileged APIs Used by the Application 224 Step 3: Which Account Is Required? 226 Step 4: Get the Token Contents 226 Step 5: Are All the SIDs and Privileges Required? 232 Step 6: Adjust the Token 233 Low-Privilege Service Accounts in Windows XP and Windows .NET Server 2003 248 The Impersonate Privilege and Windows .NET Server 2003 250 Debugging Least-Privilege Issues 251 Why Applications Fail as a Normal User 251 How to Determine Why Applications Fail 252 Summary 258 8 Cryptographic Foibles 259 Using Poor Random Numbers 259 The Problem: rand 260 Cryptographically Random Numbers in Win32 262 Cryptographically Random Numbers in Managed Code 268 Cryptographically Random Numbers in Web Pages 269 Using Passwords to Derive Cryptographic Keys 269 Measuring the Effective Bit Size of a Password 270 Key Management Issues 272 Long-Term and Short-Term Keys 274 Use Appropriate Key Lengths to Protect Data 274 Keep Keys Close to the Source 276 Key Exchange Issues 279 Creating Your Own Cryptographic Functions 281 Using the Same Stream-Cipher Encryption Key 283 Why People Use Stream Ciphers 284 The Pitfalls of Stream Ciphers 284 What If You Must Use the Same Key? 287 Bit-Flipping Attacks Against Stream Ciphers 289 Solving Bit-Flipping Attacks 290 When to Use a Hash, Keyed Hash, or Digital Signature 290 Reusing a Buffer for Plaintext and Ciphertext 296 Using Crypto to Mitigate Threats 297 Document Your Use of Cryptography 298 9 Protecting Secret Data 299 Attacking Secret Data 300 Sometimes You Don t Need to Store a Secret 301 Creating a Salted Hash 302 Using PKCS #5 to Make the Attacker s Job Harder 303 Getting the Secret from the User 305 Protecting Secrets in Windows 2000 and Later 305 A Special Case: Client Credentials in Windows XP 309 Protecting Secrets in Windows NT 4 311 Protecting Secrets in Windows 95, Windows 98, Windows Me, and Windows CE 315 Getting Device Details Using PnP 316 Not Opting for a Least Common Denominator Solution 320 Managing Secrets in Memory 321 A Compiler Optimization Caveat 322 Encrypting Secret Data in Memory 326 Locking Memory to Prevent Paging Sensitive Data 327 Protecting Secret Data in Managed Code 329 Managing Secrets in Memory in Managed Code 335 Raising the Security Bar 336 Storing the Data in a File on a FAT File System 337 Using an Embedded Key and XOR to Encode the Data 337 Using an Embedded Key and 3DES to Encrypt the Data 337 Using 3DES to Encrypt the Data and Storing a Password in the Registry 337 Using 3DES to Encrypt the Data and Storing a Strong Key in the Registry 337 Using 3DES to Encrypt the Data, Storing a Strong Key in the Registry, and ACLing the File and the Registry Key 338 Using 3DES to Encrypt the Data, Storing a Strong Key in the Registry, Requiring the User to Enter a Password, and ACLing the File and the Registry Key 338 Trade-Offs When Protecting Secret Data 338 Summary 339 10 All Input Is Evil! 341 The Issue 342 Misplaced Trust 343 A Strategy for Defending Against Input Attacks 345 How to Check Validity 347 Tainted Variables in Perl 349 Using Regular Expressions for Checking Input 350 Be Careful of What You Find Did You Mean to Validate? 352 Regular Expressions and Unicode 353 A Regular Expression Rosetta Stone 358 Regular Expressions in Perl 358 Regular Expressions in Managed Code 359 Regular Expressions in Script 360 Regular Expressions in C++ 360 A Best Practice That Does Not Use Regular Expressions 361 Summary 362 11 Canonical Representation Issues 363 What Does Canonical Mean, and Why Is It a Problem? 364 Canonical Filename Issues 364 Bypassing Napster Name Filtering 364 Vulnerability in Apple Mac OS X and Apache 365 DOS Device Names Vulnerability 365 Sun Microsystems StarOffice /tmp Directory Symbolic-Link Vulnerability 366 Common Windows Canonical Filename Mistakes 367 Canonical Web-Based Issues 373 Bypassing AOL Parental Controls 373 Bypassing eEye s Security Checks 374 Zones and the Internet Explorer 4 "Dotless-IP Address" Bug 374 Internet Information Server 4.0 ::$DATA Vulnerability 375 When is a Line Really Two Lines? 377 Yet Another Web Issue Escaping 378 Visual Equivalence Attacks and the Homograph Attack 382 Preventing Canonicalization Mistakes 383 Don t Make Decisions Based on Names 383 Use a Regular Expression to Restrict What s Allowed in a Name 383 Stopping 8.3 Filename Generation 385 Don t Trust the PATH Use Full Path Names 385 Attempt to Canonicalize the Name 386 Calling CreateFile Safely 390 Web-Based Canonicalization Remedies 391 Restrict What Is Valid Input 391 Be Careful When Dealing with UTF-8 391 ISAPIs Between a Rock and a Hard Place 392 A Final Thought: Non-File-Based Canonicalization Issues 393 Server Names 393 Usernames 394 Summary 396 12 Database Input Issues 397 The Issue 398 Pseudoremedy #1: Quoting the Input 401 Pseudoremedy #2: Use Stored Procedures 402 Remedy #1: Never Ever Connect as sysadmin 403 Remedy #2: Building SQL Statements Securely 404 Building SQL Stored Procedures Securely 406 An In-Depth Defense in Depth Example 407 Summary 411 13 Web-Specific Input Issues 413 Cross-Site Scripting: When Output Turns Bad 413 Sometimes the Attacker Doesn t Need a