Software Security and Static Analysis
    The Software Security Problem
        Defensive Programming Is Not Enough
        Security Features != Secure Features
        The Quality Fallacy
        Static Analysis in the Big Picture
        Classifying Vulnerabilities
            The Seven Pernicious Kingdoms
        Summary
    Introduction to Static Analysis
        Capabilities and Limitations of Static Analysis
        Solving Problems with Static Analysis
            Type Checking
            Style Checking
            Program Understanding
            Program Verification and Property Checking
            Bug Finding
            Security Review
        A Little Theory, a Little Reality
            Success Criteria
            Analyzing the Source vs. Analyzing Compiled Code
        Summary
    Static Analysis as Part of the Code Review Process
        Performing a Code Review
            The Review Cycle
            Steer Clear of the Exploitability Trap
        Adding Security Review to an Existing Development Process
            Adoption Anxiety
            Start Small, Ratchet Up
        Static Analysis Metrics
        Summary
    Static Analysis Internals
        Building a Model
            Lexical Analysis
            Parsing
            Abstract Syntax
            Semantic Analysis
            Tracking Control Flow
            Tracking Dataflow
            Taint Propagation
            Pointer Aliasing
        Analysis Algorithms
            Checking Assertions
            Naive Local Analysis
            Approaches to Local Analysis
            Global Analysis
            Research Tools
        Rules
            Rule Formats
            Rules for Taint Propagation
            Rules in Print
        Reporting Results
            Grouping and Sorting Results
            Eliminating Unwanted Results
            Explaining the Significance of the Results
        Summary

Pervasive Problems
    Handling Input
        What to Validate
            Validate All Input
            Validate Input from All Sources
            Establish Trust Boundaries
        How to Validate
            Use Strong Input Validation
            Avoid Blacklisting
            Don't Mistake Usability for Security
            Reject Bad Data
            Make Good Input Validation the Default
            Check Input Length
            Bound Numeric Input
        Preventing Metacharacter Vulnerabilities
            Use Parameterized Requests
            Path Manipulation
            Command Injection
            Log Forging
        Summary
    Buffer Overflow
        Introduction to Buffer Overflow
            Exploiting Buffer Overflow Vulnerabilities
            Buffer Allocation Strategies
            Tracking Buffer Sizes
        Strings
            Inherently Dangerous Functions
            Bounded String Operations
            Common Pitfalls with Bounded Functions
            Maintaining the Null Terminator
            Character Sets, Representations, and Encodings
            Format Strings
            Better String Classes and Libraries
        Summary
    Bride of Buffer Overflow
        Integers
            Wrap-Around Errors
            Truncation and Sign Extension
            Conversion between Signed and Unsigned
            Methods to Detect and Prevent Integer Overflow
        Runtime Protection
            Safer Programming Languages
            Safer C Dialects
            Dynamic Buffer Overflow Protections
            Dynamic Protection Benchmark Results
        Summary
    Errors and Exceptions
        Handling Errors with Return Codes
            Checking Return Values in C
            Checking Return Values in Java
        Managing Exceptions
            Catch Everything at the Top Level
            The Vanishing Exception
            Catch Only What You're Prepared to Consume
            Keep Checked Exceptions in Check
        Preventing Resource Leaks
            C and C++
            Java
        Logging and Debugging
            Centralize Logging
            Keep Debugging Aids and Back-Door Access Code out of Production
            Clean Out Backup Files
            Do Not Tolerate Easter Eggs
        Summary

Features and Flavors
    Web Applications
        Input and Output Validation for the Web
            Expect That the Browser Has Been Subverted
            Assume That the Browser Is an Open Book
            Protect the Browser from Malicious Content
        HTTP Considerations
            Use POST, Not GET
            Request Ordering
            Error Handling
            Request Provenance
        Maintaining Session State
            Use Strong Session Identifiers
            Enforce a Session Idle Timeout and a Maximum Session Lifetime
            Begin a New Session upon Authentication
        Using the Struts Framework for Input Validation
            Setting Up the Struts Validator
            Use the Struts Validator for All Actions
            Validate Every Parameter
            Maintain the Validation Logic
        Summary
    XML and Web Services
        Working with XML
            Use a Standards-Compliant XML Parser
            Turn on Validation
            Be Cautious about External References
            Keep Control of Document Queries
        Using Web Services
            Input Validation
            WSDL Worries
            Over Exposure
            New Opportunities for Old Errors
            JavaScript Hijacking: A New Frontier
        Summary
    Privacy and Secrets
        Privacy and Regulation
            Identifying Private Information
            Handling Private Information
        Outbound Passwords
            Keep Passwords out of Source Code
            Don't Store Clear-Text Passwords
        Random Numbers
            Generating Random Numbers in Java
            Generating Random Numbers in C and C++
        Cryptography
            Choose a Good Algorithm
            Don't Roll Your Own
        Secrets in Memory
            Minimize Time Spent Holding Secrets
            Share Secrets Sparingly
            Erase Secrets Securely
            Prevent Unnecessary Duplication of Secrets
        Summary
    Privileged Programs
        Implications of Privilege
            Principle of Least Privilege
            This Time We Mean It: Distrust Everything
        Managing Privilege
            Putting Least Privilege into Practice
            Restrict Privilege on the Filesystem
            Beware of Unexpected Events
        Privilege Escalation Attacks
            File Access Race Conditions
            Insecure Temporary Files
            Command Injection
            Standard File Descriptors
        Summary

Static Analysis in Practice
    Source Code Analysis Exercises for Java
        Installation
        Begin with the End in Mind
        Auditing Source Code Manually
        Running Fortify SCA
        Understanding Raw Analysis Results
        Analyzing a Full Application
        Tuning Results with Audit Workbench
        Auditing One Issue
        Performing a Complete Audit
        Writing Custom Rules
        Answers to Questions in Exercise 13.2
    Source Code Analysis Exercises for C
        Installation
        Begin with the End in Mind
        Auditing Source Code Manually
        Running Fortify SCA
        Understanding Raw Analysis Results
        Analyzing a Full Application
        Tuning Results with Audit Workbench
        Auditing One Issue
        Performing a Complete Audit
        Writing Custom Rules
        Answers to Questions in Exercise 14.2

Epilogue
References
Index