Part 4 of the Microsoft Software Implementation Technology Course Series: Writing secure software

Compile and write Security Software

I. OverviewThe so-called secure software means that program code can withstand malicious attacks during design and implementation. Why is secure software so important? With the development of the Internet, most computers are connected to the Internet, which makes them vulnerable to remote attacks. From a moral point of view, many hackers do not think they are at fault in such an attack. Instead, they may think that your system security is all about your own problems. Therefore, developers should always consider the threat of attacks and make more efforts to protect user data and privacy. How to Write secure software? First, security issues should be considered in Software Architecture Design. Second, security issues should also be paid attention to in code implementation. Finally, testing is also a very important stage. Security testing is not a function test. It tests software from the perspective of hackers and imitates hacker attack methods. This can detect many security problems in the software, it is helpful to add security measures throughout the development process, so that the whole process can prevent threats. In addition, it is also important to strengthen the programmer's training on security software development technology and improve security awareness. Security technology is now a hot topic, and there is a lack of talent in security technology. Mastering security technology is also very good for finding the right job. Ii. Security Development ProcessThe attacker's advantages and the defender's dilemmas are mainly manifested in: 1. the defender must defend all points, while the attacker can choose the weakest point in the defense as the starting point. 2. the defender must always be vigilant and never slack off. Attackers can launch attacks at will. 3. Defenders can only defend what they know, while attackers can study the weakest part of the system. Therefore, software developers need to do the following to develop secure software: 1. There must be a process to consider security design during design, this process breeds a secure system, that is, the entire process must ensure the security of the system. Create a threat model, know where the threats are from, and run the program with the minimum permissions. 2. In addition to common basic functions, set security in the default status should be disabled by default to reduce the surface of attacks. You can also use some security functions in Visual Studio. NET, such as the/GS switch during compilation. 3. To secure deployment and installation, follow the security measures specified during deployment, create guidance documents on security deployment, and use some tools to evaluate system security. The security software development flowchart 1 is shown. Iii. Security Design Principles1. The measures that can be taken to reduce the surface of attacks include deep defense, that is, multi-layer security defense; minimum user permission; the default setting must be safe. 2. learn from past mistakes. If there are errors in previous versions and they are under attack, we should defend against some attacks that are prone to such errors, in the next version, we need to make improvements accordingly. 3. Security is also a feature. When developing a development plan, you should also consider the time required for security. Here we will give a brief introduction to the principle of reducing the surface of attacks: If less code is run by default, the chances of attacks will be greatly reduced. The advantage is that the skills required by the system administrator are not high. Users can run well as long as they are installed, without a lot of configuration management knowledge. In addition, due to the narrow scope of attacks, this greatly reduces the urgency of fixing security vulnerabilities. The following is a comparison table of technologies used on the low attack surface and high attack surface:

Lower attack surface	Higher attack surface
TCP	UDP
Local-only	Remote
Authenticated	Unauthenticated
Managed Mobile Code	Native Mobile Code
Managed code	ActiveX
Low privilege	System
Turned off by default	Running by default
Essential features enabled	All features enabled

  4. Threat modelingThere is usually a misunderstanding that the software is safe as long as some security functions are added to the software. The addition of software security does not mean that the written software is secure. For example, the encryption function is added to the program, but the code of this encryption function just has a buffer overflow problem, therefore, attackers can launch attacks. Security functions are not the same as software security. Security functions are only a function that serves software security. Poor coding of security functions also affects software security. Therefore, it is necessary to model possible threats in the software. If you do not understand where the threat is, it is difficult to compile a very secure software. When you know where the threats are, you can consciously prevent these risks at various stages of software design, development, and testing. The process of Threat modeling is as follows: 1. Create a data flow diagram or UML diagram and list the information to be protected. 2. classify possible threats, while stride is usually used to classify the effects of threats. Stride is the first letter of spoofing, tampering, repudiation, Info Disclosure, denial of service, and Elevation of Privilege. Spoofing refers to an attacker disguised as another user or another system recognized by the system. For example, Zhang San pretended to be a system accessed by Li Si and stolen its own identifier. Tampering is an attempt by an attacker to tamper with the data in the system to make it unhealthy. Repudiation means that attackers break into the system and perform some damage, but the system administrator cannot confirm whether the attack happened. Info Disclosure refers to the person who has no permission to know the information. Denial of Service refers to the person who makes the system's legal Users unable to use the system functions normally, so that the system cannot respond to the service requests of legal users in a timely manner and cannot serve the users who actually deserve the service. Elevation of Privilege means that attackers can use illegal means to escalate their privileges to use the system. 3. Classification of threats based on the probability of being attacked and the extent of damage caused by such attacks. Generally, the basis for classification of threats is dread, which is composed of the first letters of damage potential, reproducibility, exploitability, affected users, and discoverability. Damage potential indicates whether the system is vulnerable to damage. Reproducibility refers to the attack repeatability, that is, the first such attack, whether the second attack can be carried out in the same way. Exploitability indicates the availability, that is, the extent to which the threat can be exploited. Affected users indicates the extent to which the threat affects users. Discoverability refers to the discoverability, that is, whether a vulnerability is discovered. A vulnerability is usually discovered as long as it exists. With the above mentioned threat model as a reference, you can know where the most "dangerous" part of the program is when writing a program, so that you can perform a key check during security push, it also helps determine the defense mechanism during encoding. In addition, you can start testing from the most vulnerable areas during software testing. V. Input TrustAll security vulnerabilities can be divided into two categories: Input trust issues (too trusted user input) and everything else. The following describes the content of input trust issues. Remember one sentence: "All input is edevil, until proven otherwise !", It means that all input is very bad until you can prove it is not bad. Common attacks by using input include buffer overflow, SQL injection, and cross-site scripting (Cross-Site Scripting ). 1 Buffer overflow attacksBuffer overflow attacks are based on the principle that when a program executes a function call, both the return address of the function and the local buffer of the function are in the system stack, attackers can exploit the vulnerability in the code that lacks checks on the boundary conditions of local variables to tamper with the return address of the function, cause program exceptions or change the program execution process, and then obtain control of the program. In Figure 2, you can see the specific distribution of functions in the stack. (Figure 2) Example 3 in the stack when the input overflows. (Figure 3) situation 4 in the heap when the input overflows. (Figure 4) the following uses a specific example to understand the basic principle of buffer overflow. The program code is as follows: void copystuff (string data) {char buffer [128]; strcpy (buffer, data); // Do Other Stuff} The system stack calls copystuff () the parameter data value is recorded before the function, and the returned address after the function copystuff () is called is pressed to the stack. After some useful registers are saved, the copystuff () the 128 byte pressure stack allocated for local variables in the function. In this way, when calling a function, if the length of the input string is 8 bytes, this call will not cause any exception, and the string passed through the parameter data will be copied to the buffer. However, if the copystuff () function is called by a malicious person, he can pass in a string that exceeds 128 bytes. At this time, the copystuff () function does not check the data length before calling strcpy. In this way, the string passed through the parameter data will be copied to the system stack starting from the buffer by the strcpy () function, the part exceeding 128 bytes will continue to extend to the high-bit address along the system stack. If the string is long enough, the string content will overwrite the most critical information in the stack-the return address. After the copystuff () function is executed, the correct return address is no longer found. Buffer overflow means disaster. However, the specific disaster depends on the string content passed by the caller. If you are lucky, if the data that overwrites the returned address is only some illegal addresses that cannot be accessed, the program will terminate abnormally when the function returns and report an "illegal access" error. If you are not lucky, if the data that overwrites the returned address points to a valid Code address, the program will produce unpredictable running results. It is possible that the program is always in an unstable state, but it is difficult to determine what is wrong. If you are unlucky, the hacker uses the buffer overflow to put a piece of attack code into the system stack, and changes the return address of the function to the address of the attack code. Then, when the function returns, the system will automatically execute the hacker's attack code. Then, the hacker can obtain the administrator privilege of the system, delete the hard disk data, and control the computer as needed. Let's take a look at the possible hacker attacks against the code just now. An experienced hacker uses a copystuff () function to input a string that is an attack code written using machine commands. The length of the string exceeds the buffer length. When the returned address is exactly overwritten, the data entered by the hacker is the starting address of the attack code, and the system stack is completely tampered. Once the copystuff () function is executed, the system automatically jumps to the starting position of the attack code and starts executing the attack code that hackers have prepared in advance. In this way, the system loses the ability to resist and hackers can do whatever they want. After learning about the principle of the buffer overflow problem, we can know that the solution to the buffer overflow problem is not complicated. As long as we check the validity of parameters during programming, do not randomly use strings of unknown length, and avoid using strings similar to strcpy (), strcat (), sprintf () in this way, insecure library functions can effectively prevent buffer overflow attacks. In addition, Microsoft's new-generation application development environment Visual Studio. Net also provides better security support for application software development. In terms of buffer overflow, Visual Studio. NET provides two solutions. When you use visual c ++. Net to compile a C ++ language program, you can enable the "/Gs" buffer security check option. The "/Gs" option is used to modify the executable code of a function that is prone to buffer overflow. When you enter the function, the return address and the security cookie randomly generated when loading a module are used for exclusive or operation, and the operation result is saved. When you exit the function, verify the correctness of the returned address using the saved operation results and Security cookies. If the returned address has been rewritten, it indicates that a buffer overflow has occurred. At this time, the system reports an error and terminates the execution of the program. Second, you can use the managed code provided by. Net to write applications .. The net public Language Runtime Library provides a powerful security check and security protection mechanism for managed code, the C ++ language program compiled using managed extensions provides security features such as array boundary check and automatic garbage collection, which can effectively solve the buffer overflow problem. 2 , SQL Injection AttackSQL embedding attacks are common Web attacks. The root cause of these attacks is that when programmers use server code to access the database, they do not check the validity of user input information. The following is a piece of code written in the C # language. Let's take a look at how SQL embedding attacks against this section of code are carried out. String status = "no "; String sqlstring = ""; Try { Sqlconnection SQL = new sqlconnection ( @ "Data Source = localhost;" + "User ID = sa; Password = password ;"); SQL. open (); Sqlstring = "select *" + "From orderdetail where id = '" + ID + "'"; Sqlcommand cmd = new sqlcommand (sqlstring, SQL ); If (INT) cmd. executescalar ()! = 0) Status = "yes "; } Catch (exception e ){ Status = E. tostring (); } Good guy : ID: 518 Select *
From orderdetail
Where id = '000000' Not so good guy : ID: 518 'or 1 = 1 -- Select *
From orderdetail
Where id = '20180101' or 1 = 1 --' Really bad guy : ID: 518' Drop table orders -- Select *
From orderdetail
Where id = '000000' drop table orders --' Downright edevil guy : ID: 518' Exec xp_cmdshell (' Fdisk.exe' )-- Select *
From orderdetail
Where id = '000000' exec xp_mongoshell('fdisk.exe ')--' In fact, the most important thing to prevent SQL embedding attacks is to remember not to trust the user input data and verify all input data. In addition, parameterized query can be used to prevent SQL embedding attacks. The preceding code can be improved as follows: Sqldataadapter mycommand = New sqldataadapter ("select * From orderdetail where id = @ ID", Conn ); Sqlparameter parm = Mycommand. selectcommand. Parameters. Add ("@ ID", sqldbtype. varchar, 11 ); Parm. value = ID. text;　　 3 , Cross Site ScriptingThis is the most common vulnerability on the Internet. It is caused by poor performance on the server side, which leads to security issues on the client side. The most fundamental reason is that user input is not effectively checked. Vi. SummaryDeveloping secure software and building secure systems must follow the following principles: 1. Establishing a secure process management mechanism; 2. Formulating product security objectives; 3. Regard security as an important feature of the product; 4. Learn from errors; 5. Grant users only the necessary permissions; 6. Assume that the external environment is insecure; 7. Prepare for failure; 8. Use the default security settings; 9. The security function is not equal to the security of the software; 10. do not establish system security on the assumption that attackers do not understand the system.