Secure coding practices ppt

secure software development secure coding ppt and secure coding principles and practices ppt
NicolusNorton
Published Date: 08-07-2017
Secure Coding in C and C++
Integral Security
Robert C. Seacord
FIRST Conference: June 26, 2006
© 2006 Carnegie Mellon University

About this Presentation
Derived from the Addison-Wesley book "Secure Coding in C and C++".
The presentation assumes basic C/C++ programming skills but does not assume in-depth knowledge of software security.
The ideas generalize, but the examples are specific to Microsoft Visual Studio, Linux/GCC, and the 32-bit Intel Architecture (IA-32).

An Integer Story 1
GNU's Bourne Again Shell (bash) is a drop-in replacement for the Bourne shell (/bin/sh): it has the same syntax as the standard shell but provides additional functionality such as job control, command-line editing, and history. Its most prevalent use is on Linux.
A vulnerability exists in bash versions 1.14.6 and earlier where bash can be tricked into executing arbitrary commands.

An Integer Story 2
Bash contains an incorrectly declared variable in the yy_string_get() function responsible for parsing the user-provided command line into separate tokens.
The error involves the variable string, which has been declared to be of type char *. The string variable is used to traverse the character string containing the command line to be parsed.

An Integer Story 3
As characters are retrieved from this pointer, they are stored in a variable of type int. For compilers in which the char type defaults to signed char, this value is sign-extended when assigned to the int variable.
For character code 255 decimal (-1 in two's complement form), this sign extension results in the value -1 being assigned to the integer. -1 is used in other parts of the parser to indicate the end of a command.

An Integer Story 4
The character code 255 decimal (377 octal) serves as an unintended command separator for commands given to bash via the -c option.
Example: bash -c 'ls\377who' (where \377 represents the single character with value 255 decimal) executes two commands, ls and who.

Integer Security
Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs.
Integer range checking has not been systematically applied in the development of most C and C++ software:
  security flaws involving integers exist
  a portion of these are likely to be vulnerabilities

Unexpected Integer Values
An unexpected value is a value other than the one you would expect to get using pencil and paper.
Unexpected values are a common source of software vulnerabilities (even when this behavior is correct).

Integer Agenda
Integers
Vulnerabilities
Mitigation Strategies
Notable Vulnerabilities
Summary

Integer Section Agenda
Representation
Types
Conversions
Error conditions
Operations

Integer Representation
Signed magnitude
One's complement
Two's complement
These integer representations vary in how they represent negative numbers.

Signed-Magnitude Representation
Uses the high-order bit to indicate the sign: 0 for positive, 1 for negative. The remaining low-order bits indicate the magnitude of the value.
  0010 1001  = +41  (32 + 8 + 1)
  1010 1001  = -41  (sign bit set; magnitude 32 + 8 + 1)
Signed-magnitude representation of +41 and -41.

One's Complement
One's complement replaced signed magnitude because the circuitry was too complicated.
Negative numbers are represented in one's complement form by complementing each bit: each 1 is replaced with a 0 and each 0 is replaced with a 1; even the sign bit is reversed.
  0010 1001  (+41)
  1101 0110  (-41)

Two's Complement
The two's complement form of a negative integer is created by adding one to the one's complement representation.
  0010 1001  (+41)
  1101 0110  (one's complement of +41)
  + 1
  1101 0111  (-41 in two's complement)
Two's complement representation has a single (positive) value for zero. The sign is represented by the most significant bit. The notation for positive integers is identical to their signed-magnitude representations.

Integer Section Agenda
Representation
Types
Conversions
Error conditions
Operations

Signed and Unsigned Types
Integers in C and C++ are either signed or unsigned. For each signed type there is an equivalent unsigned type.

Signed Integers
Signed integers are used to represent positive and negative values.
On a computer using two's complement arithmetic, a signed integer of n bits ranges from -2^(n-1) through 2^(n-1) - 1.

Signed Integer Representation

Unsigned Integers
Unsigned integer values range from zero to a maximum that depends on the size of the type.
This maximum value can be calculated as 2^n - 1, where n is the number of bits used to represent the unsigned type.

Unsigned Integer Representation (two's complement)
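The three representations compared on the Integer Representation slides, and the signed/unsigned range formulas from the Types slides, carried out in code. This is an added example, not material from the deck; the function names (signed_magnitude8, ones_complement8, twos_complement8, signed_min, signed_max, unsigned_max, bits8) are chosen here, and magnitudes are assumed to fit in 7 bits so that all three 8-bit forms exist for the same value.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the slides: the 8-bit signed-magnitude, one's
 * complement and two's complement forms the deck compares, plus the n-bit type
 * ranges from the Signed/Unsigned Integers slides. Magnitude limited to 0..127. */

/* Magnitude of v in the low-order 7 bits (|v| <= 127 assumed). */
static unsigned mag7(int v) { return (unsigned)(v < 0 ? -v : v) & 0x7Fu; }
/* Signed magnitude: high-order bit is the sign, low-order 7 bits the magnitude. */
unsigned signed_magnitude8(int v) { return (v < 0 ? 0x80u : 0u) | mag7(v); }

/* One's complement: complement every bit of the positive form, sign bit too. */
unsigned ones_complement8(int v) { return v < 0 ? ~mag7(v) & 0xFFu : mag7(v); }

/* Two's complement: the one's complement plus one, kept to 8 bits. */
unsigned twos_complement8(int v) { return v < 0 ? (ones_complement8(v) + 1u) & 0xFFu : mag7(v); }

/* Range limits for an n-bit type (1 <= n <= 63), as stated on the slides:
 * signed -2^(n-1) .. 2^(n-1) - 1, unsigned 0 .. 2^n - 1. */
int64_t  signed_min(int n)   { return -((int64_t)1 << (n - 1)); }
int64_t  signed_max(int n)   { return ((int64_t)1 << (n - 1)) - 1; }
uint64_t unsigned_max(int n) { return ((uint64_t)1 << n) - 1; }

/* Format the low 8 bits of v as "bbbb bbbb" into out (10 bytes); returns out. */
char *bits8(unsigned v, char *out)
{
    int pos = 0;
    for (int i = 7; i >= 0; i--) {
        out[pos++] = ((v >> i) & 1u) ? '1' : '0';
        if (i == 4) out[pos++] = ' ';
    }
    out[pos] = '\0';
    return out;
}

int main(void)
{
    const int samples[] = { 41, -41, 0, -1 };   /* +41/-41 are the deck's values */
    char buf[10];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%4d  sign-mag %s", samples[i], bits8(signed_magnitude8(samples[i]), buf));
        printf("  ones %s", bits8(ones_complement8(samples[i]), buf));
        printf("  twos %s\n", bits8(twos_complement8(samples[i]), buf));
    }
    printf("8-bit signed %lld..%lld, unsigned 0..%llu\n", (long long)signed_min(8),
           (long long)signed_max(8), (unsigned long long)unsigned_max(8));
    return 0;
}
```

For -41 the three rows print 1010 1001, 1101 0110 and 1101 0111, the same bit patterns as the slides; note that one's complement and signed magnitude both yield two zeros (0 and -0) while two's complement has one.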
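Returning to the Integer Story at the start of the deck: the example below is added here and is not bash's code; it is a toy command-line splitter in the shape the story describes (bytes read through a pointer into an int, with -1 as the end-of-command sentinel) so that the sign-extension of byte 255 can be observed next to the unsigned char fix. The names split, next_signed, next_unsigned and count_commands are chosen for this example, and the signed reader uses an explicit signed char to model a compiler whose plain char is signed.

```c
#include <stdio.h>

/* Added example, not bash's own code: a toy command-line splitter in the shape
 * the Integer Story describes. Bytes are read through a pointer into an int and
 * -1 marks the end of a command, so the reader's char signedness decides whether
 * the byte 0xFF (octal 377) is data or a separator. */
#define END_OF_COMMAND (-1)
#define MAX_CMDS 8
#define CMD_LEN 32

/* Vulnerable reader: models a compiler whose plain char is signed, so 0xFF
 * sign-extends to -1 and is mistaken for the sentinel. */
int next_signed(const char **p)   { return (signed char)(*(*p)++); }

/* Fixed reader: go through unsigned char so every byte maps to 0..255. */
int next_unsigned(const char **p) { return (unsigned char)(*(*p)++); }

/* Split `line` into NUL-terminated commands in `out`; returns the count. */
int split(const char *line, int (*next)(const char **), char out[][CMD_LEN])
{
    int ncmd = 0, len = 0;
    for (;;) {
        int c = next(&line);
        if (c == END_OF_COMMAND || c == '\0') {   /* sentinel or real terminator */
            out[ncmd][len] = '\0';
            if (ncmd + 1 < MAX_CMDS) ncmd++;      /* never run past the table */
            len = 0;
            if (c == '\0') return ncmd;
        } else if (len < CMD_LEN - 1) {
            out[ncmd][len++] = (char)c;           /* truncate over-long commands */
        }
    }
}

/* How many commands a given reader would hand to the executor. */
int count_commands(const char *line, int (*next)(const char **))
{
    char cmds[MAX_CMDS][CMD_LEN];
    return split(line, next, cmds);
}

int main(void)
{
    const char line[] = "ls\377who";   /* constructed input: the deck's example */
    printf("signed char reader  : %d command(s)\n", count_commands(line, next_signed));
    printf("unsigned char reader: %d command(s)\n", count_commands(line, next_unsigned));
    return 0;
}
```

With the signed reader the deck's input splits into "ls" and "who"; with the unsigned reader it stays one command, which is the range check (every byte lands in 0..255, never on the sentinel) that the slides say was missing.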