Originated from: http://blog.9cbs.net/zjzcl/archive/2004/09/21/111626.aspx write a full software
I. Overview
The so-called security software is that the program code can withstand malicious attacks when designing and implementation. Why is safe software so important? Because with the development of the Internet, most of the computers are connected to the Internet, which is easy to be attacked from remote initiatives. Many hackers have been in morality, do not think that there is something wrong with such an attack, they may think that your system is unsafe is your own problem. Therefore, as a developer of the program should always take into account the threat of attacked, making more efforts in protecting the user's data and privacy. How to write safe software? First, when designing software architecture, security issues should be considered; followed by security issues in code implementation; the final test is also a very important phase. Safety test is not functional test, it is a hacker's perspective to imitate the hacker's attack means, which can discover a lot of security issues in the software, which is conducive to joining security measures in the development of the entire process, making the entire process It has a function of preventing threats. In addition, strengthening the training of security software development technologies and improving security awareness is also very important. Safety technology is now a very hot topic. Talents in safety technology are also very lacking, and the technical techniques are also very beneficial for finding appropriate work.
Second, the process of security development
The advantage of the attacker and the predicament of the defender are mainly:
1. Defense must defense all points, and attackers can choose to defense the weakest place as the entry point.
2. Defensive must always be vigilant and unrestrained; and attackers can attack at will.
3. The defender can only defend what you know, and an attacker can study the weakest part of the system.
Therefore, software developers want to develop secure software need to do the following things:
1. Consider safety during design
There must be a process when designing, this process should have a safe system, that is, the entire process must ensure the safety of the system. To create a threat model, know where the threat is from, and let the program run at the lowest authority.
2, the default state setting security
In addition to commonly used basic functions, the rest should be turned off by default to reduce the surface that may be attacked. You can also use some of the security features in Visual Studio .NET, such as / GS switches for compile.
3, deploy installation should be safe
To follow the security measures specified in the deployment, create a guidance document on secure deployment, and use some tools to evaluate the security of the system.
Safe software development flow chart is shown in Figure 1.
Third, the principle of safety design
1, reduce the surface of the attack
The measures that can be taken have deep defensive, that is, there are multiple layers of security defensive; the user's smallest use permission; the default setting must be safe.
2, learn from previous mistakes
If there is an error in the previous version and therefore attacked, it should be an attack that is easy to cause for such errors, then the corresponding improvements should be made in the next version.
3, safety itself is also a function
When doing development plans, you should also consider the time problems taken by security.
In this focus on reducing the principle of attacked surfaces.
The less code in the program runs by default, then it will greatly reduce the opportunity to be attacked. The benefit is that the requirements for system administrators are not high, and users can run well, do not require a lot of configuration management knowledge. In addition, since the range of attacks can be reduced, this is greatly reduced to repair the urgency of security vulnerabilities.
Below is a comparison table of low attack surfaces and high attack surfaces:
Lower Attack Surface Higher Attack Surface TCP UDP Local-only Remote Authenticated Unauthenticated Managed Mobile Code Native Mobile Code Managed Code ActiveX Low privilege SYSTEM Turned off by default Running by default Essential features enabled All features enabled Fourth, the threat modeling
There is usually a misunderstanding, that is, this software is safe as long as it adds some security features in the software. Increasing software security features do not mean that the software written is safe. If the program adds encryption function, this encrypted function is just a buffer overflow problem, then the attacker can attack. Safety features are not equal to software security, and security features are just a function of software security services, and the code of security features will not affect software security. To this end, it is necessary to model threats that may exist in the software. Because if you don't understand, it is difficult to write a safe software. I know that threats, you can have a conscious to prevent these hidden dangers at all stages of software design, development, and testing.
The process of threat modeling is as follows:
1. Built a data flow map or UML map and listed the information you need to be protected into a list.
2, classify possible threats, and Stride is usually used to classify the threat. Stride is composed of spoofing, timpering, repudiation, info disclosure, degiler of service, and elevation of privilege's first letters. Spoofing refers to an attacker disguise to a system or other system-approved system, such as Zhang San into a Lee Si Access system, stealing its own identifier. TAMPERING refers to an attempt of data in the system to reach its right. Repudiation means that the attacker breaks into the system has made some damage, but the system administrator cannot confirm whether this happens. Info Disclosure means that the information is disclosed to a person who knows this information. Denial of Service refers to an attacker to make the system's legitimate users cannot usually use system functions, so that the system cannot respond to the legitimate user's service request, and people who do not actually get service should not be served. Elevation of Privilege refers to an attacker through some illegal means, so that the permissions of its own use system are improved.
3. The threat is graded based on the probability that may be attacked and the degree of damage caused. It is usually based on the threat to DREAD, DREAD is made of Damage Potential, Reproducture, ExploveRability, Affected Users, the first letter of Discoverability. Damage potential means whether the system is easily destroyed. ReproduCibility refers to the repeatability of the attack, that is, the first time you attack, whether you can attack the same way in the same way. ExploitAbility refers to the degree of utilization, which can be utilized. Affected Users refers to this threat to more wide range of users. Discoverability refers to the discovery, that is, whether the vulnerability will be discovered, usually, as long as there is a vulnerability, it will be discovered.
With the threat model described above, you can know where the most "dangerous" in the program is written. This will also be inspected when making security push, and also helps when encoding Determine the mechanism of defense. In addition, you can test from the most vulnerable place when doing software testing.
V. Enter trust issues
All security vulnerabilities can be divided into two categories, ISSUES (inputs to users) and Everything else. The following will briefly introduce the contents of Input Trust Issues. Keep in mind, "All INPUT IS Evil, UnTil Proven Otherwise!" Means that all inputs are very bad until you can prove that it is not bad. Common ways to attack with inputs include buffer overflow attacks, SQL INJECTION attacks, cross-site scripting (using cross-station script attack).
1, buffer overflow attack
The buffer overflow attack is based on the program in executing the function call, the local buffer of the function return address and the function is located in the system stack. Use the loophole for local variable boundary conditions to the local variable boundary condition, and the return address of the function. Incidentally, the program is abnormal or changing the program execution process, and then obtains the attack method of program control.
In Figure 2, everyone can see the specific distribution of functions in the stack.
(figure 2)
The case in the stack is shown in Figure 3 when entering overflow.
(image 3)
The case where the input overflow is in the heap is shown in Figure 4.
(Figure 4)
By a specific example, the basic principle of the buffer overflow is understood. The program code is as follows:
Void CopyStuff (String Data) {
CHAR BUFFER [128];
STRCPY (Buffer, Data);
// DO Other Stuff
}
The system stack records the value of the parameter DATA before calling the coupystuff () function, and then the function copystuff () call back the return address stack, after saving some useful registers, assign the copySTUFF () function for local variables 128 bypasal stacks.
This is called when the function is called, if the incoming string length is 8 bytes, then the call does not cause any exception, and the string passed through the parameter DATA is copied into the buffer buffer. However, if you call the coupystuff () function is a uncomfortable person, he can get into a string that exceeds 128 words. At this time, the CopyStuff () function does not perform any check on the length of the DATA before calling strcpy (). Thus, the string passed through the parameter DATA will be copied by the strcpy () function to the system stack starting from the buffer, and the 128-byte portion will continue to extend in the direction of the high address along the system stack. If the string is long enough, the string content will override the most critical information in the stack - return the address. After the CopyStuff () function is executed, it will never find the correct return address.
Buffer overflow means the disaster coming. But what kind of disaster is specifically, but also to see the character string content introduced by the adjuvant. If more fortunate, override the data of the return address is just a illegal address that cannot be accessed, and the program will terminate when the function returns, and reports "illegal access" errors. If you are not lucky, override the data of the return address points to a legal code address, and the program generates a difficult expected operation result. Possible case is that the program is always in unstable state, but it is difficult to determine where there is a problem. If you are very busy, hackers use buffer overflow to place an attack code into the system stack, and change the return address of the function to the address of the attack code. Then when the function returns, the system will automatically execute the hacker's attack code. If the hacker can get the system administrator privilege, and then delete the hard disk data, and control the computer as you want.
Let's take a look at the hacker attacks that may happen to the code just now. The string of experienced hackers incompatient CopyStuff () is an attack code written by machine instructions that exceeds the length of the buffer. The data fill in the return address is just the start address of the attack code. At this time, the system stack is completely tampered. If the copystuff () function is executed, the system will automatically jump to the starting position of the attack code and start executing the hacker prior to edit the attack code. In this way, the system has lost its resistance, and hackers can do their desired. After understanding the principle of the buffer overflow problem, you can know that the method to solve the buffer overflow problem is not complicated. As long as we pay attention to the legitimacy of the parameters, do not use the unknown string, and avoid using similar structures (), strcat (), sprintf () so unsafe library function, can effectively prevent buffers Overflow attack.
In addition, Microsoft's new generation of application development environments Visual Studio.NET also provides better security support for application software development. Take the buffer overflow, Visual Studio.net provides two solutions.
First, when using Visual C . Net compiles the C language program, you can open the "/ GS" buffer security check option. The "/ GS" option is to function for functions that are easy to overflow, the compiler will modify the executable code of the function. When entering the function, the returned address and the secure cookie generated when loaded, and saves the calculation result; when exiting the function, the correctness of the return address is checked by the saved operation result and the security cookie test. If the return address has been rewritten, the buffer overflow has occurred, and the system will report an error and terminate the execution of the program.
Second, you can use the managed code provided by .NET to write applications. The .NET public language runtime provides a powerful security check and security mechanism for managed code, and the C language program written in the hosted extension has the security features such as array boundary check and automatic garbage collection, which can effectively solve the buffer overflow problem.
2, SQL INJECTION attack
SQL embedded attack is a common web attack method, the root caused by programmers, when accessing the database with the server code, does not check the legality of the user input information. Here is a code written in C # language, let's take a look at how this code SQL embedded attack is proceed.
String status = "no";
String sqlstring = ""
Try {
SqlConnection SQL = New SQLCONNECTION
@ "Data Source = localhost;"
"User ID = sa; password = password;");
SQL.Open ();
SQLSTRING = "SELECT *"
"From orderdetail where id = '" ID "'"
SQLCommand cmd = new sqlcommand (sqlstring, sql);
IF ((int) cmd.executescalar ()! = 0)
Status = "yes";
} catch (exception e) {
Status = e.tostring ();
}
Good guy:
ID: 518
Select * from OrderDetail where id = '518'
Not so good guy: ID: 518 'OR 1 = 1 -
Select * from OrderDetail where id = '518' OR 1 = 1 - '
Really Bad Guy:
ID: 518 'Drop Table Orders -
Select * from OrderDetail where id = '518' Drop Table ORDERS - '
DownRight Evil Guy:
ID: 518 'EXEC XP_CMDSHELL (' fdisk.exe ') -
Select * from OrderDetail where id = '518' exec Xp_cmdshell ('fdisk.exe') - '
In fact, the most important point to prevent SQL embedded attack is to keep in mind that the data content entered by the user is not allowed to verify all inputs. In addition, parameterized query can be used to prevent the occurrence of SQL embedded attacks, and the improved method of the above code is as follows:
SqlDataAdapter mycommand =
New SqldataAdapter ("Select * from OrderDetail where id = @ID", conn);
SQLParameter PARM =
Mycommand.selectcommand.parameters.add ("@ id", sqldbtype.varchar, 11);
PARM.VALUE = id.text;
3, Cross Site scripting
This is the most common vulnerability on the Internet because the server is not doing well, and the client has a security issue. Its most fundamental reason still does not have a valid check for the user's input.
Six, summary
Developing secure software, the principles that build security systems must follow:
1. Establish a safe process management mechanism;
2, formulate the safety objectives of the product;
3, regard safety as an important feature of the product;
4, learn lessons from errors;
5, only grant the user's necessary use permissions;
6, assuming that the external environment is unsafe;
7, prepare for failure;
8, use security default settings;
9. The safety function is not equal to the security of the software;
10. Do not build system security on the assumption that the attacker does not understand the system.