Book review: Foundations of Security (Part 2 Secure Programming Techniques)

Chapter 5: Worms and other malware

This chapter present some “famous” worms that had major impact on the security industry.  Every worm presented in the chapter had used one of the security holes that will be presented in the following chapters: Morris worm (buffer overflow of the finger daemon server), the Code Red worm ( buffer overflow of the II Server), the Nimda Worm (buffer overflow of the II Server and infection using the web browser), the Blaster worm (buffer overflow of the DCOM), the SQL Slammer (buffer overflow of the SQL Server).  The authors also presents definitions of another types of malware like rootkits, botnets, spywares, keyloggers, adware, trojan horses, clickbots.

Chapter 6: Buffer Overflows

This chapter threats the buffer overflow vulnerabilities; a very small example (written en C) is presented and explained then the possible solutions to this problem are enumerated and explained :

The end of the chapter presents another types of memory corruption vulnerabilities:

Chapter 7: (Web)Client-State Manipulation

The goal of this chapter is to present how a malicious user can pass to a web server modified requests. The example used as example is a pizza ordering web site which accepts GET requests containing sensitive information as the price of pizzas or the number of bought pizzas.  The attack scenario consists in modifying the values of the parameters sent to the server (ex: by 10000 pizzas at the price of 0 $).  The possible solutions to this kind of attack would be :

  • sensitive information stays on the server. Don’t send sensitive information to the client, send only an id (session id) identifying the client sensitive informations. Another technique is to send to the client a signature of the session in order to prevent the tampering of the session if by a (malicious) client.
  • do not use HTTP GET but use HTTP POST. The HTTP POST use can be combined with the use of cookies and or use of JavaScript.

The main idea of this chapter is  web application should never trust the clients and should always validate the clients input.

Chapter 8: SQL Injection

Using the same example as in the previous chapter (the pizza ordering web site) the authors explains the anatomy of a SQL injections attack and then they propose various solutions to this kind of attacks. The proposed solutions are:

Chapter 9: Password Security

This chapter goal is to present some of the techniques used by a password management system in order to reduce the impact of an attack. The authors will prove some of these techniques by implementing a mini-password manager that can be plugged-in into the toy web server (presented in Chapter2 :Secure Systems Design) for authenticate the users . The mini-password manager implementation starts by a straw man proposal, the users and passwords are stored into a property file. The following state is to replace the passwords by hashed versions. In order to mitigate the dictionary attacks a “salt” is added at every password. At the end of the chapter, the authors briefly presents additional security techniques :

  • password filtering (if a user choose a password that is in the dictionary or identified as easy to guess then must require to the user to choose another one).
  • limited logging attempts (the user have a limited number of login attempts before the account is locked or disabled)
  • aging passwords (the users are forced to change the passwords after a certain time)
  • one time passwords

Chapter 10: Cross-domain Security in Web Applications

This chapter starts by explaining some concepts linked to the web application security; same policy origin, Http Request Authentication, lifetime of the cached cookies and the the HTTP Authentication credentials. Then, some attack patterns are presented in detail:

The last part of the chapter presents the solutions for preventing each of the attack patterns.

The proposed solutions for the XSRF are:

  • inspecting the Http referrer headers (not a complete solution since the Http headers can be modified on the fly )
  • validation of the Http user forms via a user-provided secret (every Html form contains an additional field representing the user password; not very user friendly)
  • validation of the Http forms using an Action Token (in order to distinguish “genuine” instances of forms from ones that were forged by a third party, a token is included as a hidden field in the form. The main difficulty is to find a generation schema in order to be impossible for a third party site to generate valid tokens)

Solutions for preventing the XSSI are:

  • use an Acton Token (s in the case of XSRF)
  • restrictions to form submission only using Http POST

Solutions for preventing XSS are :

  • HTML escaping (any string that is possibly derived from untrusted data and is inserted into an HTML document must be HTML-escaped).
  • HTML tag attributes (form fields attributes, URL attributes, JavaScript-valued attributes) must be quoted.
  • use of HTTP-only cookies (cookies that will no be exposed to client-side scripting)
  • bind Session cookies to IP address

Chapter 11: Exercises to part 2

As for the first part, this chapter contains questions and exercises in order to “walking the walk not just talking the talk”.