Tài liệu 24 Deadly Sins of Software Security doc

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (2.76 MB, 433 trang )

REVIEWS FOR 24 DEADLY SINS OF SOFTWARE SECURITY
“We are still paying for the security sins of the past and we are doomed to failure if we don’t
learn from our history of poorly written software. From some of the most respected authors in
the industry, this hard-hitting book is a must-read for any software developer or security
zealot. Repeat after me–‘Thou shall not commit these sins!’”
—George Kurtz,
co-author of all six editions of Hacking Exposed and senior vice-president and general manager,
Risk and Compliance Business Unit, McAfee Security
“This little gem of a book provides advice on how to avoid 24 serious problems in your
programs—and how to check to see if they are present in others. Their presentation is simple,
straightforward, and thorough. They explain why these are sins and what can be done about
them. This is an essential book for every programmer, regardless of the language they use.
It will be a welcome addition to my bookshelf, and to my teaching material. Well done!”
—Matt Bishop,
Department of Computer Science, University of California at Davis
“The authors have demonstrated once again why they’re the ‘who’s who’ of software security.
The 24 Deadly Sins of Software Security is a tour de force for developers, security pros, project
managers, and anyone who is a stakeholder in the development of quality, reliable, and
thoughtfully-secured code. The book graphically illustrates the most common and dangerous
mistakes in multiple languages (C++, C#, Java, Ruby, Python, Perl, PHP, and more) and
numerous known-good practices for mitigating these vulnerabilities and ‘redeeming’ past
sins. Its practical prose walks readers through spotting patterns that are predictive of sinful
code (from high-level application functions to code-level string searches), software testing
approaches, and harnesses for refining out vulnerable elements, and real-world examples
of attacks that have been implemented in the wild. The advice and recommendations are
similarly down-to-earth and written from the perspective of seasoned practitioners who have
produced hardened—and usable—software for consumption by a wide range of audiences,
from consumers to open source communities to large-scale commercial enterprises.
Get this Bible of software security today, and go and sin no more!”
—Joel Scambray,

CEO of Consciere and co-author of the Hacking Exposed series

This page intentionally left blank

24
DEADLY
SINS
OF

SOFTWARE

SECURITY
Programming Flaws and
How to Fix Them
Michael Howard, David LeBlanc, and John Viega

New York Chicago San Francisco Lisbon
London Madrid Mexico City Milan New Delhi
San Juan Seoul Singapore Sydney Toronto

Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-162676-7
MHID: 0-07-162676-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162675-0, MHID: 0-07-162675-1
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate
training programs. To contact a representative please e-mail us at
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one
copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use
the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may
be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not
warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or
error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless
of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information
accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special,
punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised
of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause
arises in contract, tort or otherwise.

To Jennifer, who has put up with many days of my working
on a book, and to Michael for improving
my writing skills on our
fifth book together.

—David

To my family for simply putting up with me,
and to David as he continues
to find bugs in my code!
—Michael

This page intentionally left blank

ABOUT THE AUTHORS
Michael Howard is a principal security program manager on the Trustworthy Computing (TwC) Group’s Security Engineering team at Microsoft, where he is responsible
for managing secure design, programming, and testing techniques across the company.
Howard is an architect of the Security Development Lifecycle (SDL), a process for
improving the security of Microsoft’s software.
Howard began his career with Microsoft in 1992 at the company’s New Zealand
office, working for the first two years with Windows and compilers on the Product Support
Services team, and then with Microsoft Consulting Services, where he provided security
infrastructure support to customers and assisted in the design of custom solutions and
development of software. In 1997, Howard moved to the United States to work for the
Windows division on Internet Information Services, Microsoft’s web server, before moving
to his current role in 2000.
Howard is an editor of IEEE Security & Privacy, is a frequent speaker at security-related conferences, and regularly publishes articles on secure coding and design. Howard
is the co-author of six security books, including the award-winning Writing Secure Code
(Second Edition, Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill
Professional, 2005), The Security Development Lifecycle (Microsoft Press, 2006), and his
most recent release, Writing Secure Code for Windows Vista (Microsoft Press, 2007).
David LeBlanc, Ph.D., is a principal software development engineer for the Microsoft
Office Trustworthy Computing group and in this capacity is responsible for designing

and implementing security technology used in Microsoft Office. He also helps advise
other developers on secure programming techniques. Since joining Microsoft in 1999, he
has been responsible for operational network security and was a founding member of the
Trustworthy Computing Initiative.
David is the co-author of the award-winning Writing Secure Code (Second Edition,
Microsoft Press, 2003), 19 Deadly Sins of Software Security (McGraw-Hill Professional,
2005), Writing Secure Code for Windows Vista (Microsoft Press, 2007), and numerous articles.
John Viega, CTO of the SaaS Business Unit at McAfee, is the original author of the 19
deadly programming flaws that received press and media attention, and the first edition
of this book is based on his discoveries. John is also the author of many other security
books, including Building Secure Software (Addison-Wesley, 2001), Network Security with
OpenSSL (O’Reilly, 2002), and the Myths of Security (O’Reilly, 2009). He is responsible for
numerous software security tools and is the original author of Mailman, the GNU mailing list manager. He has done extensive standards work in the IEEE and IETF and co-invented GCM, a cryptographic algorithm that NIST has standardized. John is also an
active advisor to several security companies, including Fortify and Bit9. He holds an MS
and a BA from the University of Virginia.

vii

viii

24 Deadly Sins of Software Security

About the Technical Editor
Alan Krassowski is the Chief Architect of Consumer Applications at McAfee, Inc., where
he heads up the design of the next generation of award-winning security protection
products. Prior to this role, Alan led Symantec Corporation’s Product Security Team,
helping product teams deliver more secure security and storage products. Over the past
25 years, Alan has worked on a wide variety of commercial software projects. He has
been a development director, software engineer, and consultant at many industry-leading

companies, including Microsoft, IBM, Tektronix, Step Technologies, Screenplay Systems,
Quark, and Continental Insurance. Alan holds a BS degree in Computer Engineering
from the Rochester Institute of Technology in New York. He currently resides in Portland, Oregon.

AT A GLANCE
Part I
1
2
3
4

Part II
5
6
7
8
9
10

Web Application Sins
SQL Injection . . . . . . . . . . . . . . . . . . .
Web Server–Related Vulnerabilities
(XSS, XSRF, and Response Splitting) . . . .
Web Client–Related Vulnerabilities (XSS) . . .
Use of Magic URLs, Predictable Cookies, and
Hidden Form Fields . . . . . . . . . . . . . .

3
29

63
75

Implementation Sins
Buffer Overruns . . . .
Format String Problems
Integer Overflows . . .
C++ Catastrophes . . .
Catching Exceptions . .
Command Injection . .

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.

.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.

.
.
.
.

.
.
.
.
.
.

89
109
119
143
157
171

ix

x

24 Deadly Sins of Software Security

11
12
13
14

15
16
17
18
Part III
19
20
21
Part IV
22
23
24

Failure to Handle Errors Correctly . . . .
Information Leakage . . . . . . . . . . .
Race Conditions . . . . . . . . . . . . . .
Poor Usability . . . . . . . . . . . . . . .
Not Updating Easily . . . . . . . . . . . .
Executing Code with Too Much Privilege
Failure to Protect Stored Data . . . . . .
The Sins of Mobile Code . . . . . . . . .

.
.
.
.
.

.
.

.
.
.
.
. .
. .

.
.
.
.
.
.
.
.

183
191
205
217
231
243
253
267

Cryptographic Sins
Use of Weak Password-Based Systems . . . . 279
Weak Random Numbers . . . . . . . . . . . . 299
Using Cryptography Incorrectly . . . . . . . . 315
Networking Sins

Failing to Protect Network Traffic . . . . .
Improper Use of PKI, Especially SSL . . .
Trusting Network Name Resolution . . . .
Index . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.

.
.
.
.

337
347
361
371

CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
xxix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv

Part I
Web Application Sins
1 SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Overview of the Sin . . . .
CWE References . . . . . .
Affected Languages . . . .
The Sin Explained . . . . .
A Note about LINQ
Sinful C# . . . . . . .
Sinful PHP . . . . . .
Sinful Perl/CGI . . .
Sinful Python . . . .
Sinful Ruby on Rails
Sinful Java and JDBC
Sinful C/C++ . . . .
Sinful SQL . . . . . .
Related Sins . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

3
4
5
5
6
6
6
7
8
8
9
9
10
11
12

xi

xii

24 Deadly Sins of Software Security

Spotting the Sin Pattern . . . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . . .
CVE-2006-4953 . . . . . . . . . . . . . . . . . . . .
CVE-2006-4592 . . . . . . . . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . . . .

Validate All Input . . . . . . . . . . . . . . . . . . .
Use Prepared Statements to Build SQL Statements
C# Redemption . . . . . . . . . . . . . . . . . . . .
PHP 5.0 and MySQL 4.1 or Later Redemption . .
Perl/CGI Redemption . . . . . . . . . . . . . . . .
Python Redemption . . . . . . . . . . . . . . . . .
Ruby on Rails Redemption . . . . . . . . . . . . .
Java Using JDBC Redemption . . . . . . . . . . . .
ColdFusion Redemption . . . . . . . . . . . . . . .
SQL Redemption . . . . . . . . . . . . . . . . . . .
Extra Defensive Measures . . . . . . . . . . . . . . . . .
Encrypt Sensitive, PII, or Confidential Data . . . .
Use URLScan . . . . . . . . . . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

13
13
14
16
18

18
18
19
19
19
20
20
21
22
22
23
23
24
25
25
25
27

2 Web Server–Related Vulnerabilities (XSS, XSRF, and Response Splitting) . . .

29
30
31
31
31
31
32
34
34
37

38
38
38
38
39
39
39
39
40
40

Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . .
DOM-Based XSS or Type 0 . . . . . . . . . . . . . . .
Reflected XSS, Nonpersistent XSS, or Type 1 . . . . .
Stored XSS, Persistent XSS, or Type 2 . . . . . . . . .
HTTP Response Splitting . . . . . . . . . . . . . . . .
Cross-Site Request Forgery . . . . . . . . . . . . . . .
Sinful Ruby on Rails (XSS) . . . . . . . . . . . . . . . .
Sinful Ruby on Rails (Response Splitting) . . . . . . .
Sinful CGI Application in Python (XSS) . . . . . . . .
Sinful CGI Application in Python (Response Splitting)
Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . .
Sinful ColdFusion (XSS) . . . . . . . . . . . . . . . . .
Sinful C/C++ ISAPI (XSS) . . . . . . . . . . . . . . . .
Sinful C/C++ ISAPI (Response Splitting) . . . . . . .
Sinful ASP (XSS) . . . . . . . . . . . . . . . . . . . . .
Sinful ASP (Response Splitting) . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

Contents

Sinful ASP.NET Forms (XSS) . . . . . . . . . . . . . .
Sinful ASP.NET (Response Splitting) . . . . . . . . . .
Sinful JSP (XSS) . . . . . . . . . . . . . . . . . . . . . .
Sinful JSP (Response Splitting) . . . . . . . . . . . . .
Sinful PHP (XSS) . . . . . . . . . . . . . . . . . . . . .
Sinful PHP (Response Splitting) . . . . . . . . . . . .
Sinful CGI Using Perl (XSS) . . . . . . . . . . . . . . .
Sinful mod_perl (XSS) . . . . . . . . . . . . . . . . . .
Sinful mod_perl (Response Splitting) . . . . . . . . .
Sinful HTTP Requests (XSRF) . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . .
Spotting the XSS Sin During Code Review . . . . . . . . . .
Spotting the XSRF Sin During Code Review . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . .
CVE-2003-0712 Microsoft Exchange 5.5 Outlook Web
Access XSS . . . . . . . . . . . . . . . . . . . . . . .
CVE-2004-0203 Microsoft Exchange 5.5 Outlook Web
Access Response Splitting . . . . . . . . . . . . . .
CVE-2005-1674 Help Center Live (XSS and XSRF) . .
Redemption Steps (XSS and Response Splitting) . . . . . .
Ruby on Rails Redemption (XSS) . . . . . . . . . . . .
ISAPI C/C++ Redemption (XSS) . . . . . . . . . . . .
Python Redemption(XSS) . . . . . . . . . . . . . . . .
ASP Redemption (XSS) . . . . . . . . . . . . . . . . . .
ASP.NET Web Forms Redemption (XSS) . . . . . . .
ASP.NET Web Forms Redemption (RS) . . . . . . . .
JSP Redemption (XSS) . . . . . . . . . . . . . . . . . .

PHP Redemption (XSS) . . . . . . . . . . . . . . . . .
CGI Redemption (XSS) . . . . . . . . . . . . . . . . . .
mod_perl Redemption (XSS) . . . . . . . . . . . . . .
Redemption Steps (XSRF) . . . . . . . . . . . . . . . . . . .
A Note about Timeouts . . . . . . . . . . . . . . . . .
A Note about XSRF and POST vs. GET . . . . . . . .
Ruby on Rails Redemption (XSRF) . . . . . . . . . . .
ASP.NET Web Forms Redemption (XSRF) . . . . . .
Non-Draconian Use of HTML Encode . . . . . . . . .
Extra Defensive Measures . . . . . . . . . . . . . . . . . . .
Use HttpOnly Cookies . . . . . . . . . . . . . . . . . .
Wrap Tag Properties with Double Quotes . . . . . . .
Consider Using ASP.NET ViewStateUserKey . . . . .
Consider Using ASP.NET ValidateRequest . . . . . .
Use the ASP.NET Security Runtime Engine Security .

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

40
40
41
41
41
41
42
42
42
42
43
43
44
44
46

. . . .

46

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

46
47
47
47
48
49
49
50
50
51

53
53
54
55
55
55
56
56
57
57
57
58
58
59
59

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

xiii

xiv

24 Deadly Sins of Software Security

Consider Using OWASP CSRFGuard
Use Apache::TaintRequest . . . . . .
Use UrlScan . . . . . . . . . . . . . .

Set a Default Character Set . . . . . .
Other Resources . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.

59
59
59
60
60
62

3 Web Client–Related Vulnerabilities (XSS) . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.

63
64
65
65
65
67
67
68
68
69
69
69

. . . . . . . .

70

. . . . . . . .
. . . . . . . .
. . . . . . . .

70
71
71

.
.
.
.

72
73
73
74

.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.

.
.

.
.
.
.
.
.

.
.
.
.
.
.

Overview of the Sin . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . . .
Privacy Implications of Sinful Gadgets . . . . .
Sinful JavaScript and HTML . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . .
Microsoft ISA Server XSS CVE-2003-0526 . . .
Windows Vista Sidebar CVE-2007-3033
and CVE-2007-3032 . . . . . . . . . . . . . .

Yahoo! Instant Messenger ActiveX Control
CVE-2007-4515 . . . . . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . .
Don’t Trust Input . . . . . . . . . . . . . . . . .
Replace Insecure Constructs with More Secure
Constructs . . . . . . . . . . . . . . . . . . .
Extra Defensive Measures . . . . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.

.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.

4 Use of Magic URLs, Predictable Cookies, and Hidden Form Fields . . . . .
Overview of the Sin . . . . . . . . . . .

CWE References . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . .
Magic URLs . . . . . . . . . . . .
Predictable Cookies . . . . . . . .
Hidden Form Fields . . . . . . .
Related Sins . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . .
Spotting the Sin During Code Review
Testing Techniques to Find the Sin . .

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

75
76
76
76
76
76
77

77
78
78
78
79

Contents

Example Sins . . . . . . . . . .
CVE-2005-1784 . . . . . .
Redemption Steps . . . . . . . .
Attacker Views the Data .
Attacker Replays the Data
Attacker Predicts the Data
Attacker Changes the Data
Extra Defensive Measures . . .
Other Resources . . . . . . . . .
Summary . . . . . . . . . . . . .

.
.
.
.
.
.

.
.
.

.
.
.
.
. .
. .
. .

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

81
81
81
81

81
83
84
85
85
85

Part II
Implementation Sins
5 Buffer Overruns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . . . .
64-bit Implications . . . . . . . . . . . . . . . . .
Sinful C/C++ . . . . . . . . . . . . . . . . . . . .
Related Sins . . . . . . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . .
CVE-1999-0042 . . . . . . . . . . . . . . . . . . .
CVE-2000-0389–CVE-2000-0392 . . . . . . . . . .
CVE-2002-0842, CVE-2003-0095, CAN-2003-0096
CAN-2003-0352 . . . . . . . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . . .
Replace Dangerous String Handling Functions .
Audit Allocations . . . . . . . . . . . . . . . . . .
Check Loops and Array Accesses . . . . . . . . .
Replace C String Buffers with C++ Strings . . .

Replace Static Arrays with STL Containers . . .
Use Analysis Tools . . . . . . . . . . . . . . . . .
Extra Defensive Measures . . . . . . . . . . . . . . . .
Stack Protection . . . . . . . . . . . . . . . . . . .
Nonexecutable Stack and Heap . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

89
90
91
91
92
95

96
99
99
99
100
101
101
101
102
102
103
103
103
103
104
104
104
105
105
105
106
107

xv

xvi

24 Deadly Sins of Software Security

6 Format String Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . . .
CWE References . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . .
Sinful C/C++ . . . . . . . . . . .
Related Sins . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . .
Spotting the Sin During Code Review
Testing Techniques to Find the Sin . .
Example Sins . . . . . . . . . . . . . .
CVE-2000-0573 . . . . . . . . . .
CVE-2000-0844 . . . . . . . . . .
Redemption Steps . . . . . . . . . . . .
C/C++ Redemption . . . . . . .
Extra Defensive Measures . . . . . . .
Other Resources . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

7 Integer Overflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . . .
Sinful C and C++ . . . . . . . . . . . . . . . . . . . . . . .
Sinful C# . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sinful Visual Basic and Visual Basic .NET . . . . . . . . .
Sinful Java . . . . . . . . . . . . . . . . . . . . . . . . . . .
Sinful Perl . . . . . . . . . . . . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . . . . . . .
C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Visual Basic and Visual Basic .NET . . . . . . . . . . . . .
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Multiple Integer Overflows in the SearchKit API
in Apple Mac OS X . . . . . . . . . . . . . . . . . . . .
Integer Overflow in Google Android SDK . . . . . . . . .
Flaw in Windows Script Engine Could Allow

Code Execution . . . . . . . . . . . . . . . . . . . . . .
Heap Overrun in HTR Chunked Encoding Could Enable
Web Server Compromise . . . . . . . . . . . . . . . . .

109
110
110
110
111
113
114
114
114
115
115
115
115
116
116
116
117
117

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

119
120
120
120
121
121
128
130
131
131
132
133
133
135
135
136
136
136

136

. .
. .

136
137

. .

137

. .

137

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

Contents

Redemption Steps . . . . .
Do the Math . . . . .
Don’t Use Tricks . .
Write Out Casts . . .
Use SafeInt . . . . . .
Extra Defensive Measures
Other Resources . . . . . .
Summary . . . . . . . . . .

.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.

138
138
138
139
140
141
142
142

. . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . .
Sinful Calls to Delete . . . . . . . . . . . . . . . . . .
Sinful Copy Constructors . . . . . . . . . . . . . . .

Sinful Constructors . . . . . . . . . . . . . . . . . . .
Sinful Lack of Reinitialization . . . . . . . . . . . . .
Sinful Ignorance of STL . . . . . . . . . . . . . . . .
Sinful Pointer Initialization . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . .
CVE-2008-1754 . . . . . . . . . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . .
Mismatched new and delete Redemption . . . . . .
Copy Constructor Redemption . . . . . . . . . . . .
Constructor Initialization Redemption . . . . . . . .
Reinitialization Redemption . . . . . . . . . . . . . .
STL Redemption . . . . . . . . . . . . . . . . . . . .
Uninitialized Pointer Redemption . . . . . . . . . .
Extra Defensive Measures . . . . . . . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

143
144
144
145
145
145
146
148
148
149
149
150
150
151
151
151
151
151
152
152
153
153
153
154
154

155

8 C++ Catastrophes

9 Catching Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . .
Sinful C++ Exceptions . . . . . . . . . . . . .
Sinful Structured Exception Handling (SEH)
Sinful Signal Handling . . . . . . . . . . . . .

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.

.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

157
158
158
158
158

158
161
163

xvii

xviii

24 Deadly Sins of Software Security

Sinful C#, VB.NET, and Java . .
Sinful Ruby . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . .
Spotting the Sin During Code Review
Testing Techniques to Find the Sin . .
Example Sins . . . . . . . . . . . . . .
CVE-2007-0038 . . . . . . . . . .
Redemption Steps . . . . . . . . . . . .
C++ Redemption . . . . . . . . .
SEH Redemption . . . . . . . . .
Signal Handler Redemption . . .
Other Resources . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . .

.
.
.
.
.

.
.
.
.
.
.
.
.

164
165
165
165
167
167
167
167
167
168
168
168
169

10 Command Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

171
172
172
172
172

174
175
175
177
177
177
178
178
179
181
182
182
182

Overview of the Sin . . . . . . . . . . .
CWE References . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . .
Related Sins . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . .
Spotting the Sin During Code Review
Testing Techniques to Find the Sin . .
Example Sins . . . . . . . . . . . . . .
CAN-2001-1187 . . . . . . . . . .
CAN-2002-0652 . . . . . . . . . .
Redemption Steps . . . . . . . . . . . .
Data Validation . . . . . . . . . .
When a Check Fails . . . . . . . .
Extra Defensive Measures . . . . . . .
Other Resources . . . . . . . . . . . . .

Summary . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

11 Failure to Handle Errors Correctly . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . .
CWE References . . . . . . . . . . . .
Affected Languages . . . . . . . . . .
The Sin Explained . . . . . . . . . . .
Yielding Too Much Information
Ignoring Errors . . . . . . . . .
Misinterpreting Errors . . . . .
Using Useless Return Values .
Using Non-Error Return Values

Sinful C/C++ . . . . . . . . . .

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.

183
184
184
184
184
185
185
186
186
186
187

Contents

Sinful C/C++ on Windows . . . . . . . . . . . . . . .
Related Sins . . . . . . . . . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . . . . .
Example Sin . . . . . . . . . . . . . . . . . . . . . . . . . . .
CVE-2007-3798 tcpdump print-bgp.c Buffer Overflow
Vulnerability . . . . . . . . . . . . . . . . . . . . . .

CVE-2004-0077 Linux Kernel do_mremap . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . .
C/C++ Redemption . . . . . . . . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.

.
.
.

187
188
188
188
188
188

.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.

.

.
.
.
.
.
.

188
189
189
189
190
190

12 Information Leakage . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

191
192
192
193
193
193
194
196
198
198
199
199

200
200
200
201
201
201
202
203
203
204
204

Overview of the Sin . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . .
Side Channels . . . . . . . . . . . . . . .
TMI: Too Much Information! . . . . . .
A Model for Information Flow Security
Sinful C# (and Any Other Language) .
Related Sins . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . .
Spotting the Sin During Code Review . . . .
Testing Techniques to Find the Sin . . . . . .
The Stolen Laptop Scenario . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . .
CVE-2008-4638 . . . . . . . . . . . . . .
CVE-2005-1133 . . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . .
C# (and Other Languages) Redemption

Network Locality Redemption . . . . .
Extra Defensive Measures . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . .

13 Race Conditions

. . . .
.
.
.
.
.
.

Overview of the Sin
CWE References . .
Affected Languages
The Sin Explained .
Sinful Code .
Related Sins .

. .
.
.
.
.
.
.

.
.
.
.
.
.

. .
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

. . . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

. .
.
.
.
.
.
.

.
.
.
.
.
.

. .
.
.
.
.
.
.

.

205

.
.
.
.
.
.

206
206
207

207
208
209

xix

xx

24 Deadly Sins of Software Security

Spotting the Sin Pattern . . . . . . . .
Spotting the Sin During Code Review
Testing Techniques to Find the Sin . .
Example Sins . . . . . . . . . . . . . .
CVE-2008-0379 . . . . . . . . . .
CVE-2008-2958 . . . . . . . . . .
CVE-2001-1349 . . . . . . . . . .
CAN-2003-1073 . . . . . . . . . .
CVE-2000-0849 . . . . . . . . . .
Redemption Steps . . . . . . . . . . . .
Extra Defensive Measures . . . . . . .
Other Resources . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . .

.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.

210
210
211
211
212
212
212
212
213
213
215
215
215

14 Poor Usability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . . . . . . . .

Who Are Your Users? . . . . . . . . . . . . . . . . . . .
The Minefield: Presenting Security Information
to Your Users . . . . . . . . . . . . . . . . . . . . . . .
Related Sins . . . . . . . . . . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . . . . . .
SSL/TLS Certificate Authentication . . . . . . . . . . .
Internet Explorer 4.0 Root Certificate Installation . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . . . . . . .
When Users Are Involved, Make the UI Simple and Clear
Make Security Decisions for Users . . . . . . . . . . . .
Make Selective Relaxation of Security Policy Easy . . .
Clearly Indicate Consequences . . . . . . . . . . . . . .
Make It Actionable . . . . . . . . . . . . . . . . . . . . .
Provide Central Management . . . . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

217
218
218
218
218
219

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

220
221
221
221
222
222
222
223
224
224
224
226
226
228
228
228
229

15 Not Updating Easily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin
CWE References . .
Affected Languages
The Sin Explained .

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

.
.
.
.

231
232
232
232
232

Contents

Sinful Installation of Additional Software . . . .
Sinful Access Controls . . . . . . . . . . . . . . .
Sinful Prompt Fatigue . . . . . . . . . . . . . . .
Sinful Ignorance . . . . . . . . . . . . . . . . . . .
Sinfully Updating Without Notifying . . . . . .

Sinfully Updating One System at a Time . . . .
Sinfully Forcing a Reboot . . . . . . . . . . . . .
Sinfully Difficult Patching . . . . . . . . . . . . .
Sinful Lack of a Recovery Plan . . . . . . . . . .
Sinfully Trusting DNS . . . . . . . . . . . . . . .
Sinfully Trusting the Patch Server . . . . . . . .
Sinful Update Signing . . . . . . . . . . . . . . .
Sinful Update Unpacking . . . . . . . . . . . . .
Sinful User Application Updating . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . .
Apple QuickTime Update . . . . . . . . . . . . .
Microsoft SQL Server 2000 Patches . . . . . . . .
Google’s Chrome Browser . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . . .
Installation of Additional Software Redemption
Access Control Redemption . . . . . . . . . . . .
Prompt Fatigue Redemption . . . . . . . . . . .
User Ignorance Redemption . . . . . . . . . . . .
Updating Without Notifying Redemption . . . .
Updating One System at a Time Redemption . .
Forcing a Reboot Redemption . . . . . . . . . . .
Difficult Patching Redemption . . . . . . . . . .
Lack of a Recovery Plan Redemption . . . . . .
Trusting DNS Redemption . . . . . . . . . . . .
Trusting the Patch Server Redemption . . . . . .
Update Signing Redemption . . . . . . . . . . .
Update Unpacking Redemption . . . . . . . . .

User Application Updating Redemption . . . . .
Extra Defensive Measures . . . . . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

232
233
233
233
233
234
234
234
234
234
234
234
235
235
235

236
236
236
236
237
237
237
237
237
238
238
238
238
239
239
240
240
240
240
240
241
241
241
242

16 Executing Code with Too Much Privilege . . . . . . . . . . . . . . . . . . .

243
244
244

244

Overview of the Sin . . . . . . . . . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . . . . . . . . . .

xxi

xxii

24 Deadly Sins of Software Security

The Sin Explained . . . . . . . . . . . .
Related Sins . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . .
Spotting the Sin During Code Review
Testing Techniques to Find the Sin . .
Example Sins . . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . .
Windows, C, and C++ . . . . . .
Linux, BSD, and Mac OS X . . .
.NET Code . . . . . . . . . . . . .
Extra Defensive Measures . . . . . . .
Other Resources . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . .

.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

244
245
246
246
246
247
248

248
250
251
251
251
251

17 Failure to Protect Stored Data . . . . . . . . . . . . . . . . . . . . . . . .

253
254
254
254
254
254
256
258
259
259
259
260
262
262
262
262
262
263
264
264
265

265
265

Overview of the Sin . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . .
Weak Access Controls on Stored Data
Sinful Access Controls . . . . . . . . .
Weak Encryption of Stored Data . . .
Related Sins . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . .
Spotting the Sin During Code Review . . .
Testing Techniques to Find the Sin . . . . .
Example Sins . . . . . . . . . . . . . . . . .
CVE-2000-0100 . . . . . . . . . . . . .
CVE-2005-1411 . . . . . . . . . . . . .
CVE-2004-0907 . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . .
C++ Redemption on Windows . . . .
C# Redemption on Windows . . . . .
C/C++ Redemption (GNOME) . . . .
Extra Defensive Measures . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . .

.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

18 The Sins of Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . .
CWE References . . . . .
Affected Languages . . .
The Sin Explained . . . .
Sinful Mobile Code

.
.
.
.
.

.
.
.
.

.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.

.

.
.
.
.
.

.
.
.
.
.

267
268
269
270
270
270

Contents

Sinful Mobile Code Containers . . . . . .
Related Sins . . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . .
Testing Techniques to Find the Sin . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . .

CVE-2006-2198 . . . . . . . . . . . . . . .
CVE-2008-1472 . . . . . . . . . . . . . . .
CVE-2008-5697 . . . . . . . . . . . . . . .
Redemption Steps . . . . . . . . . . . . . . . . .
Mobile Code Container Redemption Steps
Mobile Code Redemptions . . . . . . . .
Extra Defensive Measures . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

270
270
271
271
272
273
273
273
273
273
273
275
275
275
276

Part III
Cryptographic Sins
19 Use of Weak Password-Based Systems . . . . . . . . . . . . . . . . . . .
Overview of the Sin . . . . . . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . . . . . . .
Password Compromise . . . . . . . . . . . . . . .
Allowing Weak Passwords . . . . . . . . . . . . .

Password Iteration . . . . . . . . . . . . . . . . . .
Not Requiring Password Changes . . . . . . . . .
Default Passwords . . . . . . . . . . . . . . . . . .
Replay Attacks . . . . . . . . . . . . . . . . . . . .
Storing Passwords Instead of Password Verifiers .
Brute-Force Attacks Against Password Verifiers .
Revealing Whether a Failure Is Due to an Incorrect
User or Password . . . . . . . . . . . . . . . . .
Online Attacks . . . . . . . . . . . . . . . . . . . .
Returning a Forgotten Password . . . . . . . . . .
Related Sins . . . . . . . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . . . . . . .
Password Compromise . . . . . . . . . . . . . . .
Allowing Weak Passwords . . . . . . . . . . . . .
Iterated Passwords . . . . . . . . . . . . . . . . . .
Never Changing a Password . . . . . . . . . . . .
Default Passwords . . . . . . . . . . . . . . . . . .
Replay Attacks . . . . . . . . . . . . . . . . . . . .

279

.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.

280
280
280
281
281
281
282
282
282
283
283
283

.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.

284
285
285
285
285
285
285
286
286
286
286

xxiii

xxiv

24 Deadly Sins of Software Security

Brute Force Attacks Against Password Verifiers
Storing Passwords Instead of Password Verifiers
Online Attacks . . . . . . . . . . . . . . . . . . .
Returning a Forgotten Password . . . . . . . . .
Spotting the Sin During Code Review . . . . . . . . .
Testing Techniques to Find the Sin . . . . . . . . . . .
Password Compromise . . . . . . . . . . . . . .

Replay Attacks . . . . . . . . . . . . . . . . . . .
Brute-Force Attacks . . . . . . . . . . . . . . . . .
Example Sins . . . . . . . . . . . . . . . . . . . . . . .
Zombies Ahead! . . . . . . . . . . . . . . . . . .
Microsoft Office Password to Modify . . . . . .
Adobe Acrobat Encryption . . . . . . . . . . . .
WU-ftpd Core Dump . . . . . . . . . . . . . . . .
CVE-2005-1505 . . . . . . . . . . . . . . . . . . .
CVE-2005-0432 . . . . . . . . . . . . . . . . . . .
The TENEX Bug . . . . . . . . . . . . . . . . . . .
Sarah Palin Yahoo E-Mail Compromise . . . . .
Redemption Steps . . . . . . . . . . . . . . . . . . . . .
Password Compromise Redemption . . . . . . .
Weak Password Redemption . . . . . . . . . . .
Iterated Password Redemption . . . . . . . . . .
Password Change Redemption . . . . . . . . . .
Default Password Redemption . . . . . . . . . .
Replay Attack Redemption . . . . . . . . . . . .
Password Verifier Redemption . . . . . . . . . .
Online Brute-Force Attack Redemption . . . . .
Logon Information Leak Redemption . . . . . .
Forgotten Password Redemption . . . . . . . . .
Extra Defensive Measures . . . . . . . . . . . . . . . .
Other Resources . . . . . . . . . . . . . . . . . . . . . .
Summary . . . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

286

287
287
287
287
288
288
288
288
288
289
289
289
290
290
290
290
291
291
291
292
292
292
292
292
293
294
295
295
295
296

296

20 Weak Random Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . .

299
300
300
300
300
301
302
303
303
303
304

Overview of the Sin . . . . . . . . . . . . . . . .
CWE References . . . . . . . . . . . . . . . . . .
Affected Languages . . . . . . . . . . . . . . . .
The Sin Explained . . . . . . . . . . . . . . . . .
Sinful Non-cryptographic Generators . .
Sinful Cryptographic Generators . . . . .
Sinful True Random Number Generators
Related Sins . . . . . . . . . . . . . . . . .
Spotting the Sin Pattern . . . . . . . . . . . . .
Spotting the Sin During Code Review . . . . .

.
.
.