secure coding patterns
play

Secure Coding Patterns Andreas Hallberg, TrueSec Trust - PowerPoint PPT Presentation

Feb 19, 2023 •6 likes •666 views

Secure Coding Patterns Andreas Hallberg, TrueSec Trust Domain-Driven Security The Untrusted Pattern Immutability The Inverse Life Coach Pattern Trust The foundation of software security 1. Hello! Im Businessman Bob! 2. Hello! Im the

  1. Secure Coding Patterns Andreas Hallberg, TrueSec

  2. Trust Domain-Driven Security The Untrusted Pattern Immutability The Inverse Life Coach Pattern

  3. Trust The foundation of software security

  5. 1. Hello! I’m Businessman Bob! 2. Hello! I’m the bank! 3. Transfer X euro from account Y to account Z, please! 4. Ok!

  6. 1. Hello! I’m Businessman Bob! 2. Hello! I’m the bank! What might go wrong?

  7. 1. Hello! I’m Businessman Bob! 2. Hello! I’m the bank! 3. Transfer X euro from account Y to account Z, please! 4. Ok! How can the bank be sure that Bob is Bob? How can Bob be sure that the bank is the bank?

  8. 1. Hello! I’m Businessman Bob! 2. Hello! I’m the bank! 3. Transfer X euro from account Y to account Z, please! 4. Ok! Do we know that Bob owns account Y?

  9. 1. Hello! I’m Businessman Bob! 2. Hello! I’m the bank! 3. Transfer X euro from account Y to account Z, please! 4. Ok! Do we know that account Y holds X euro?

  10. 1. Hello! I’m Businessman Bob! 2. Hello! I’m the bank! 3. Transfer X euro from account Y to account Z, please! 4. Ok! Do we even know that X is a number?

  11. HTTP/S request data Database Your Trust boundary application 3 rd party The user services etc...

  12. TRUSTED UNTRUSTED

  13. Untrusted Validation Rejected Trusted

  14. Validation and friends • Validation • Making sure data is valid in the domain Example: I can’t transfer amount “a” or -1 • Canonicalization and/or normalization • Must happen *before* validation! Example: c:\public\fileupload\..\..\secrets\keys => c:\secrets\key • Sanitization • Clean up dangerous/unknown data Example: log injection

  15. Validation, cont. • Always prefer whitelisting over blacklisting • It’s easier to figure out what’s valid over what’s not valid • Strict validation finds bugs early!

  16. Ask yourself... What is the largest acceptable range for this parameter? Don’t accept any more than that!

  17. Trust

  18. Domain-Driven Security Use the type system and your domain objects

  19. 1. Hello! This is Bob again! 2. Hello Bob! I’m still the bank! 3. Transfer -1000 euro from account Y to account Z, please! 4. Ok!

  20. The same validation has to be performed over and over • Easy to forget to validate somewhere • Validation ends up everywhere in the code, but (because of this?) is easily forgotten • Should validate even from “internal” sources such as databases Example: stored XSS

  21. HTTP/S Database request data Validation Trust boundary String String Your application Integer Validation 3 rd party services Integer The user etc...

  22. Domain-Driven Security • Primitive types and data structures are untrusted by default • Strings, integers, byte arrays, collections etc. • Domain objects • Built-in validation • (Immutability – more on this later!)

  23. HTTP/S Database request data Trust boundary String Account Your application Amount 3 rd party services Integer The user etc...

  24. public final class AccountNumber { private final String value; public AccountNumber(String value) { if(!isValid(value)){ throw new IllegalArgumentException("Invalid account number"); } this.value = value; } public static boolean isValid(String accountNumber){ return accountNumber != null && hasLength(accountNumber, 10, 12) && isNumeric(accountNumber); } }

  25. SOAP (int, string, byte[], ...) User Account Webservice

  26. SOAP (int, string, byte[], ...) Exception! User Account Webservice

  27. public void Reticulate(Spline spline, int angle); WTF ?? public void Reticulate(Spline spline, Angle angle);

  28. Domain Driven Security essentials • The type system ensures that the correct domain object must be used • You know that all domain objects are valid • Remember: you still need to validate your business rules! But at least you don’t have to worry about the building blocks being invalid • You know you forgot to validate something when you see primitive types being passed around

  29. One more thing...

  30. Never let null carry information! • Value might not exist => Optional<T> • “This shouldn’t happen!” => Throw!

  31. public class Optional<T> { public bool IsPresent(); public T Get(); } int? foo = null;

  32. Trust Trust Domain-Driven Security

  33. The Untrusted Pattern Make trust a first-class concept at trust boundaries

  34. public void Foo(string bar) { if (!IsValid(bar)) { throw new ValidationException(); } DoSomethingWith(bar); }

  35. public void Foo(string untrusted_bar) { if (!IsValid(untrusted_bar)) { throw new ValidationException(); } var bar = untrusted_bar; DoSomethingWith(bar); }

  36. public void Foo2(string untrusted_bar, string untrusted_frob, byte[] data); WTF ??

  37. public void Foo(string untrusted_bar) { var bar = Validate(untrusted_bar); DoSomethingWith(bar); }

  38. public void Foo(Untrusted<string> bar);

  39. public class Untrusted<T> { readonly T _value; public Untrusted(T value) { _value = value; } private T Value { get { return _value }; } } [assembly: InternalsVisibleTo("Validation")]

  40. // In the "Validation" assembly public abstract class Validator<T> { public T Validate(Untrusted<T> untrusted) { if (!InnerValidate(untrusted.Value)) { throw new ValidationException(); } return untrusted.Value; } protected abstract bool InnerValidate(T value); }

  41. public void HandleAcctNbr(Untrusted<string> accountNbr) { var trusted = new AccountNumberValidator().Validate(accountNbr); DoSomethingWith(trusted); }

  42. public void CreateAccount(string nbr) { var untrustedNbr = new Untrusted<string>(nbr); HandleAccountNbr(untrustedNbr); ... }

  43. Trust Domain-Driven Security The Untrusted Pattern

  44. Immutability Stuff passed over a trust boundary, regardless of direction, should not be able to change later.

  45. Does your application handle concurrency? • Hundreds of threads? • How does that affect validation? • The thing you just validated, is it still valid?

  46. TOCTTOU Time Of Check To Time Of Use

  47. public ic void tryTransfer(Amount amount) { if if (!this.account.contains(amount)) { throw ow new new ValidationException(); TOC } Thread 2: transfer(amount); amount.setValue(1000000); } TOU

  48. public ic class ss Amount { priva vate te final al Intege eger value; public ic Amount(Intege ger value) { if (!isValid(value) { throw new IllegalArgumentException(); } this.value = value; } public ic Inte tege ger getValue() { retur urn this.value; } }

  49. Immutability • Immutability significantly reduces TOCTTOU-problems • Plays very well with Domain Driven Security • … and readability • … and parallelization • … and event sourcing • ... etc

  50. Race condition, web example

  51. static Dictionary<Guid, Data> wizardData = new Dictionary<Guid, Data>(); public Guid Wizard_Step1() { var key = Guid.NewGuid(); wizardData.Add(key, new Data()); return key; } public void Wizard_Step2(Guid key, string productId) { wizardData[key].ProductId = productId; } public void Wizard_Step3(Guid key) { var data = wizardData[key]; if (UserHasAccess(HttpContext.Current.User, data.ProductId)) // TOC { { Wizard_Step2(key, secret_productId) } DoSomethingWith(data); // TOU } }

  52. static Dictionary<Guid, ImmutableData> wizardData = new Dictionary<Guid, ImmutableData>(); public Guid Wizard_Step1() { var key = Guid.NewGuid(); wizardData.Add(key, new ImmutableData()); return key; } public void Wizard_Step2(Guid key, string productId) { var data = wizardData[key]; var newData = data.CloneWithProductId(productId); // Copies data, new productId wizardData[key] = newData; } public void Wizard_Step3(Guid key) { var data = wizardData[key]; if (UserHasAccess(HttpContext.Current.User, data.ProductId)) // TOC { DoSomethingWith(data); // TOU } }

  53. Immutability • Security spray • Should be the norm!

  54. Trust Domain-Driven Security The Untrusted Pattern Immutability

  55. The Inverse Life Coach Pattern Be a pessimist!

  56. boolean success = true; return success;

  57. Assume failure! boolean success = false; return success;

  58. Fail fast and force a narrow path of success public ResultData doStuff(Account account) { if (!hasAccess(account)) { throw new Exception(); } Fail fast (use Exceptions)! Enforce ”path of success ” – no way of return new ResultData(stuffFromCode); exiting without a valid object }

  60. Consider your Trust Boundaries

  61. Enjoy Domain-Driven Security

  62. Immutability should be the norm

  63. Null is a burning bag of dog poop

  64. Fire your Life Coach

  65. @andhallberg andreas.hallberg@truesec.se

  66. http://oredev.org/2015/security-day • Hacking Modern Cars - How to do it and How to Stop it • The Jurassic Web Attack • Hackers toolkit • Security threats and mitigations for iOS developers • HTTP/2 is a faster and safer HTTP • What's up with XXE? • A Live hacking experience!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

753 views • 17 slides
Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern

Secure Coding Patterns @andhallberg TrueSec Trust Domain-Driven Security The Untrusted Pa7ern Immutability The Inverse Life Coach Pa7ern Trust The founda&gt;on of so?ware security 1. Hello! Im Businessman Bob! 2. Hello! Im the bank!

877 views • 69 slides
Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020

Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020

Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Defensive Coding vs. Risk Analysis Risk Analysis All about domain, assets,

561 views • 24 slides
Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020

Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020

Defensive Coding Techniques (Pt. 2) Engineering Secure Software Last Revised: September 25, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Last Time... Always code defensively Validating input Principles

476 views • 19 slides
LECTURE 22: SECURE CODING BASICS CSE 442 Software Engineering Lessons Already Learned

LECTURE 22: SECURE CODING BASICS CSE 442 Software Engineering Lessons Already Learned

LECTURE 22: SECURE CODING BASICS CSE 442 Software Engineering Lessons Already Learned Hackers take advantage of any opening provided But most also lazy (talk to struggling 115/116 student) Any easy success in breaking code encourages

835 views • 58 slides
Investigating grammatical coding patterns using video elicitation Sebastian Fedden Surrey

Investigating grammatical coding patterns using video elicitation Sebastian Fedden Surrey

Investigating grammatical coding patterns using video elicitation Sebastian Fedden Surrey Morphology Group 1 st Affectedness Workshop Nanyang Technological University Singapore 17 June 2014 With thanks to the Ministry of Education of the

1.1k views • 71 slides
On Secure Asymmetric Multilevel Diversity Coding Systems Congduan Li Sun Yat-sen University Jun

On Secure Asymmetric Multilevel Diversity Coding Systems Congduan Li Sun Yat-sen University Jun

On Secure Asymmetric Multilevel Diversity Coding Systems Congduan Li Sun Yat-sen University Jun 21-26, 2020 ISIT 2020 (LA, USA, online) Li, et al. (Sun Yat-sen University) Secure AMDCS Jun 21-26, 2020 1 / 27 Outline 1 Motivation 2 System

699 views • 27 slides
CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel

CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel

CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel Center for Research on Computation and Society Harvard University November 21, 2005 1 Todays Agenda 1. Administrivia 2. Missing Readings

1.29k views • 108 slides
Secure Coding in C/C++ Dr. Kamil Sarac 2012 REU (Research Experiences for Undergraduates)

Secure Coding in C/C++ Dr. Kamil Sarac 2012 REU (Research Experiences for Undergraduates)

Secure Coding in C/C++ Dr. Kamil Sarac 2012 REU (Research Experiences for Undergraduates) Department of Computer Science University of Texas at Dallas Slides prepared by Mitch Adair and Kamil Sarac at UT Dallas Outline Objective What

380 views • 35 slides
Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and the Cajadores Overview The Mashup Problem The Offensive and Defensive Code Problems JavaScript (EcmaScript) gets simpler ES3, ES5, ES5/strict,

716 views • 52 slides
Fault-Tolerant and Secure Data Transmission Using Random Linear Network Coding Pouya Ostovari

Fault-Tolerant and Secure Data Transmission Using Random Linear Network Coding Pouya Ostovari

Fault-Tolerant and Secure Data Transmission Using Random Linear Network Coding Pouya Ostovari and Jie Wu Computer &amp; Information Sciences Temple University Center for Networked Computing http://www.cnc.temple.edu Agenda Introduction

398 views • 19 slides
CODING: ICD-10 CODING &amp; UB-04 CODING FOR PDPM NELIA ADACI RN, BSN CDONA, DNS-CT, RAC-CTA

CODING: ICD-10 CODING &amp; UB-04 CODING FOR PDPM NELIA ADACI RN, BSN CDONA, DNS-CT, RAC-CTA

7/22/2019 GREATER NY HEALTHCARE FACILITIES ASSOCIATION THE PROOF IS IN THE pudding CODING: ICD-10 CODING &amp; UB-04 CODING FOR PDPM NELIA ADACI RN, BSN CDONA, DNS-CT, RAC-CTA Vice President The CHARTS Group CMSs MESSAGE: If you do

836 views • 42 slides
Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria

Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria

Tutorial: Security patterns and secure systems design using UML Eduardo B. Fernandez and Maria M. Larrondo Petrie Dept. of Computer Science and Eng. Florida Atlantic University www.cse.fau.edu/~security {ed, maria}@cse.fau.edu ICWMC/ICCGI

2.27k views • 184 slides
Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory Jean-Christophe Deneuville &lt; jean-christophe.deneuville@xlim.fr &gt; June the 26 th , 2017 PQCrypto 17 Utrecht Joint work with: P. Gaborit G. Z

1.54k views • 84 slides
Secure Coding Practices for Middleware Barton P. Miller Elisa Heymann James A. Kupsch Computer

Secure Coding Practices for Middleware Barton P. Miller Elisa Heymann James A. Kupsch Computer

Secure Coding Practices for Middleware Barton P. Miller Elisa Heymann James A. Kupsch Computer Architecture and Computer Sciences Department Operating Systems Department University of Wisconsin Universitat Autnoma de Barcelona

1.14k views • 110 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go

Web Security What should be the Threat Model for the Web? Goal and Threat Model Much can go wrong on the web! Clients encounter malicious content Web servers are target of break-ins Fake content/servers trick users Data sent

446 views • 16 slides
HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague RESEARCH CENTER

HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague RESEARCH CENTER

HTTP Mutual authentication and Web security Yutaka OIWA SAAG, IETF 80 Prague RESEARCH CENTER FOR INFORMATION SECURITY (RCIS) NATIONAL INSTITUTE OF ADVANCED INDUSTRIAL SCIENCE AND TECHNOLOGY (AIST) Web security Its importance no need to

404 views • 28 slides
Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019

I5020 Computer Security Session 3 Hash Function, Asymmetric Encryption and Signature Sbastien Combfis Fall 2019 This work is licensed under a Creative Commons Attribution NonCommercial NoDerivatives 4.0 International License.

740 views • 53 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social

CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social

CS 204: Advanced Computer Networks Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences 1403 http://www.cs.ucr.edu/~jiasi/teaching/cs204_spring17/ 1 Why Networks? Supports the applications that we use today Social media

725 views • 46 slides
Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P

Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P

Aleksander Zdyb Modern Security Model for Linux Operating Systems Aleksander Zdyb S OFTWARE E NGINEER T IZEN P LATFORM S ECURITY a.zdyb@samsung.com https://github.com/azdyb Briefly about security requirements About Tizen operating system

920 views • 46 slides
Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009

Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009

Universit degli Studi di Napoli Federico II Corso di Applicazioni Telematiche a. a. 2008-2009 Simon Pietro Romano spromano@unina.it Corso AT AA2008-09 Simon Pietro Romano 1 Session Initiation Protocol (SIP) SIP overview

357 views • 32 slides
Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich with attack vectors to exploit. This presentation explores the many potential PostgreSQL external vulnerabilities and shows how they can be

318 views • 29 slides

More recommend