Secure Coding SwA Pocket Guide - Build Security In - US-CERT

More documents

Recommendations

Info

Allocate Memory and Other Resources CarefullyMinimize the computer resources made available to each process. For example, for software that will run on Unix, use ulimit(),getrlimit(), setrlimit(), getrusage(), sysconf(), quota(), quotactl(), and quotaon() (also pam_limits for pluggable authenticationmodule processes) to limit the potential damage that results when a particular process fails or is compromised and to helpprevent denial-of-service (DoS) attacks on the software.If the software is a web server application or web service, the developer should set up a separate process to handle eachsession and limit the amount of central processing unit (CPU) time each session in each process is allowed to use. Doing so willprevent any attacker request that causes excessive memory or CPU cycles from interfering with tasks beyond its own session. Itwill also make it difficult to create DoS attacks by spawning multiple sessions.Memory locations for cache buffers should not be contiguous with executable stack/heap. Whenever possible, the stack shouldbe non-executable. Data Execution Prevention (DEP), a security feature for Windows operating systems, provides an easy wayto ensure that writable memory cannot be executed [Pop 2010]. DEP can help block a malicious program in which a virus orother type of attack has injected a process with additional code and then tries to run the injected code. On a system with DEP,execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage ofexception-handling mechanisms in Windows.To avoid return-to-libc attacks, where the return address of the program is overwritten to execute what the attacker wants, thesystem code should be moved to different points in the memory. Address Space Layout Randomization (ASLR), another securityfeature for Windows operating systems, moves the executable, the libraries, and other important parts of the code, to randompoints in the memory every time the system is booted [Pop 2010]. This makes it harder for exploit code to operate predictably.Resources» “A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack2, Windows XP Tablet PC Edition 2005, and Windows Server 2003”. Microsoft Support. 26September 2006. Microsoft. 17 November 2010 .» “Address Space Layout Randomization in Windows Vista”. Howard, Michael. Michael Howard's WebLog: A Simple Software Security Guy at Microsoft! 26 May 2006. MSDN Blogs. 17 November 2010.» “DEP/ASLR Implementation Progress in Popular Third-party Windows Applications”. Pop, Alin Rad.Secunia.com. 29 June 2010. Secunia. 17 November 2010.Secure Error and Exception HandlingSoftware has to be survivable to be secure. Survivable software contains more error- and exception-handling functionality thanprogram functionality. All error- and exception-handling routines should be made with two goals in mind:1. Handle faults to prevent the software from entering an insecure state.2. To ensure that the software can continue operating in a degraded manner until a threshold is reached that triggers an orderly,secure termination of the software’s execution.Developers who “reactively extend” native exception handlers (e.g., by pasting exception classes into source code after an erroror fault has been observed in the program’s testing or operation) need to be careful not to rely solely on this approach toexception handling. Otherwise the result will be a program that fails to capture and handle any exceptions that have not yet beenSoftware Assurance Pocket Guide Series:Development Volume VI – Version 2.0, , May 18, 2012Secure Coding21
thrown during testing or operation. Exception handling should be proactively designed to the greatest extent possible, throughcareful examination of code constraints as they occur during the concept and implementation phases of the life cycle.The developer should list all predictable faults (exceptions and errors) that could occur during software execution and define howthe software will handle each of them. In addition, the developer ought to address how the software will behave if confronted withan unanticipated fault or error. In some cases, potential faults may be preempted in the design phase, particularly if the softwarehas been subjected to sufficiently comprehensive threat modeling. In others, developers could preempt additional faults duringpseudo-coding by cautiously examining the logical relationships between software objects and developing “pseudo” exceptionhandling routines to manage these faults.Table 1, below, lists several common software errors and suggests remediation methods for those errors at the design andimplementation levels.Table 1 -- Software Errors and Suggested Remediation MethodsExpected ProblemHow Software Should Handle the ProblemInput contains anomalous content.The execution environment differs significantly from theenvironment for which the software was designed.There are errors in the results returned by calledfunctions.The software contains vulnerabilities that were notmitigated or detected before the software was deployed.IMPLEMENTATION: Restrict the possible inputwhenever possible. Also validate all input.DESIGN: Recognize all explicit and implicitassumptions COTS and OSS components have abouttheir environment. Design to mitigate vulnerabilitiescreated by mismatch between componentassumptions and actual environment. Design also tominimize external exposure ofcomponent/environment interfaces.DESIGN: Design for resilience.IMPLEMENTATION: Anticipate all likely errors andexceptions, and implement error and exceptionhandling to explicitly address those errors/exceptions.DESIGN: Include measures that isolate un-trusted,suspicious, and compromised components, and thatconstrain and recover from damage.IMPLEMENTATION: Measures that reduce exposureof un-trusted and vulnerable components to externallysourced attack patterns (e.g., using wrappers, inputfilters, etc.).The exception-handling block should log when and why an exception was thrown; auditors can review this log later. Theexception-handling block should also be written to include messaging code that will automatically send an alert to the systemadministrator when an exception requires human intervention.Above all, the software should never throw exceptions that allow it to crash, dump core memory, or expose its caches, temporaryfiles, and other transient data exposed. To find ways to prevent data being exposed from error messages, see the mitigations forCWE 209 “Error Message Information Leak” in the Key Practices for Mitigating the Most Egregious Exploitable SoftwareWeaknesses pocket guide.Practices for implementing effective error and exception handling are described below.Software Assurance Pocket Guide Series:Development Volume VI – Version 2.0, , May 18, 2012Secure Coding22
Page 1 and 2: SOFTWARE ASSURANCE IN ACQUISITION:
Page 3 and 4: Information contained in this pocke
Page 5 and 6: o Filter and Sanitize Output and Ca
Page 7 and 8: Create a Secure Development Process
Page 9 and 10: damaged [Grembi 2010]. Having the c
Page 11 and 12: Resources» CERT Secure Coding Stan
Page 13 and 14: Review Code During and After Coding
Page 15 and 16: Secure Coding PracticesCWE/SANS Top
Page 17 and 18: parsers have changed the input to c
Page 19: systems is driving the definition o
Page 25 and 26: eveals sensitive information about
Page 27 and 28: » What language is used and why?»
Page 29 and 30: Anyone making further distribution

Secure Coding SwA Pocket Guide - Build Security In - US-CERT

Create successful ePaper yourself

Delete template?

Save as template?