Chapter 4 - Secure Software Implementation/Coding Flashcards
1
Q
What is the most important skill a programmer has?
A
Problem solving.
2
Q
What is a CPU composed of?
A
ALU, control unit, registers
3
Q
What is the ALU
A
Arithmetic Logic Unit
4
Q
What is the main component a CPU communicates with?
A
RAM
5
Q
What is the system bus?
A
The gateway channel between which the components of a system communicates.
6
Q
What is the sequence of executing one instruction?
A
- Fetching (get the instruction from memory)
- Decoding: Deciphers the instruction and moves data from memory to the ALU
- Execution: ALU performs mathematical or logical operation on the data
- Storing: ALU stores the result in memory or register
7
Q
Describe the interal memory layout of a program.
A
- program text
- data
- stack
- heap
8
Q
What is the text segement of a program?
A
The instruction code
9
Q
What is the data segment of a program?
A
The area in memory that contains global data
10
Q
What is the ESP?
A
The Execution Stack Pointer (I think this is wrong and it should be Extended, a remnant of 16->32 bit) Yeah, this is wrong.
11
Q
What is a VHLL?
A
Very High Level Language. These are almost like English.
12
Q
What is another name for machine code?
A
Native code
13
Q
What is another name for native code?
A
Machine code
14
Q
What is a compiled language?
A
Code that is converted from source code to object code, then linked with other modules and/or libraries into machine code.
15
Q
What is complilation and what does it produce?
A
Compilation: The process of converting textual source code written by the programmer into raw processor specific instruction codes. The output of the compilation process is called the object code.
16
Q
What is linking?
A
Duh
17
Q
What are the benefits of static linking?
A
Faster processing speed and ease of portability because dependencies are included.
18
Q
What are the disadvantages of static linking?
A
Larger executables.
19
Q
What is a security risk of using dynamic libraries?
A
If someone compromises a library, they can effective compromise all binaries that use it.
20
Q
What is an interpreted language?
A
One that requires an intermediary host program to read and execute each statement of instruction line by line
21
Q
List common interpreted language.
A
REXX, PostScript, Perl, Ruby, Python.
22
Q
Disadvantages of interpreted languages?
A
Slower, quicker to change, no recompilation
23
Q
What are hybrid languages?
A
the source code is compiled into an intermediate stage that resembles object code.
24
Q
What is an example of a Hybrid Language?
A
Java and .Net
25
What are the typical SDLC models?
* Waterfall
* Iterative
* Spiral
* Agile
26
What is the Waterfall Model
1. Requirements specification
2. Design
3. Construction (also known as implementation or coding)
4. Integration
5. Testing and debugging (also known as verification)
6. Installation
7. Maintenance
27
What are the 5 phases of the Waterfall model according to NIST 800-64?
* Initiation
* Acquisition/development
* Implementation/assessment
* Operations/maintenance
* Sunset
28
What is the defining characteristic of Waterfall?
the unidirectional sequential phased approach to software development.
29
What is the Iterative Model?
the project is broken into smaller versions and developed incrementally
30
Synonym for the Iterative Model?
Prototyping
31
What is the advantage of the Iterative Model?
Increased user input opportunity.
32
What is the disadvantage of Iterative?
If planning cycles are too short, nonfunctional requirements like security get missed.
33
What is the Spiral Model?
The key characteristic of this model is that each phase has a risk assessment review activity.
34
What is the primary benefit of Agile?
changes can be made quickly
35
What are the two agile development methodologies?
XP and Scrum
36
What is XP
Extreme Programming.
| People centric. Small projects.
37
What is Scrum?
An Agile variant that uses short (30 day) release cycles to allow requirements to change on the fly.
Daily progress recorded on a burn down chart
38
What 3 categories do the 2009 CWE/SANS Top 25 programming errors fall into?
* Insecure interaction between components
* Risky resource management
* Porous defenses
39
Describe Injection Flaws
User supplied data is not validated before being processed.
40
What is SQL Injection?
An attacker supplying input that becomes part of a database query.
41
What is one way of thwarting SQL Injection?
Suppress database errors, which are used for reconnaissance.
42
What is blind SQL injection?
SQL injection using boolean SQL expressions to probe a target database.
43
What is OS command injection?
Just like SQL injection.
44
What is LDAP injection
Same principle as SQL and OS. Unsanitized input is used to construct or modify syntax, contents, and commands that are executed as an LDAP query.
45
What is XML Injection?
XML injection occurs when the software does not properly filter or quote special characters or reserved words that are used in XML, allowing an attacker to modify the syntax, contents, or commands before execution.
46
Whati is XPATH injection?
the XPath expression used to retrieve data from the XML data store is not validated or sanitized before processing and built dynamically using user-supplied input.
47
What is XQuery Injection?
XQuery injection works the same way as an XPath injection, except that the XQuery (not XPath) expression used to retrieve data from the XML data store is not validated or sanitized before processing and built dynamically using user-supplied input.
48
What are the common traits for any injection attack?
* User-supplied input is interpreted as a command or part of a command that is executed.
* Input from the user is not sanitized or validated before processing
* The query that is constructed is generated using user-supplied input dynamically.
49
How can you prevent injection flaws?
See Injection Flaws Controls. You mostly know all this.
50
What is cross-site scripting?
user-supplied input is sent back to the browser client without being properly validated and its content escaped
51
What are the types of XSS?
* Nonpersistent - user supplied input script is merely included in the response from the web server
* Persistent/stored - the injected script is permanently stored on the target servers, in a database, a message forum, a visitor log, or an input field
* DOM-based - the payload is executed in the victim’s browser as a result of DOM environment modifications on the client side.
52
What is the consequence of a XSS attack?
Attackers execute code on the user's browser, causing all the usual badness that entails.
53
How do you prevent XSS?
* Escaping or encoding
* Validating user supplied input with a whitelist
* Disallow uploading .htm or .html extensions
* Use innerText, not innerHtml (makes it non-executable)
* Use secure libraries and encoding frameworks that provide XSS protection
* Disable active scripting in the browser, or add a plugin that does the same like NoScript
* HTTPOnly flag on the session
* Application layer firewall
54
What is ESAPI?
OWASP ESAPI Encoding module
55
What is Apache Wicket?
XSS proection
56
Buffer Overflows
I know this already.
57
How do you prevent buffer overflows?
* Input size validation
* Checking buffer size
* Checking buffer bounds
* Integer type checks
* Truncation
* Use a programming language that performs its own memory management and type safety
* Use safe libraries
* Don't use banned API functions like strcpy()
* Use unsigned integers whenever possible
* Leverage compiler security
* ASLR
* DEP
* memory checking tools
58
What compiler features can prevent buffer overflows?
* The Microsoft Visual Studio/GS flag
* Fedora/Red Hat FORTIFY_SOURCE GCC flag
* StackGuard
59
What is ASLR
Address Space Layout Randomization
60
What is DEP?
Data Execution Protection
61
What are examples of broken authentication or session management?
MITM attacks, session hijacking, impersonation
62
What is a CSRF?
Cross Site Request Forgery
An attacker forges a malicious HTTP request as a legitimate one and tricks the victim into submitting that request. Can be from an email, zero-byte image, etc.
Basically, trick a user into clicking something when they're already authenticated.
63
How can users prevent CSRF attacks?
* Don't save username in the browser
* Don't remember me
* Dont' use the same browser to surf and access sensitive sites
* Read email in plain text
* Log off after using a web app
* Use client side browser extensions that mitigate CSRF (CSRF Protector)
64
What can developers do to mitigate CSRF?
* Use a session specific token (nonce)
* CAPTCHAs
* Validate uniqueness of session otkens ont he server
* Use POST instead of GET for sensitive data along with a randomized session identifier
* Use a double submitted cookie. Set the value in the form. Make sure they match. The attacker can change the form value, but not the cookie.
* Check the URL referrer tag
* Reauthenticate every time (complete remediation)
* Transaction signing
* Automated logout
* Use OWASP CSRF Guard and OWASP ESAPI.
* Mitigate XSS
65
What is an insecure object direct reference flaw?
An insecure direct object reference flaw is one wherein an unauthorized user or process can invoke the internal functionality of the software by manipulating parameters and other object values that directly reference this functionality.
For example, passing the username in cleartext in a form.
66
How can you prevent insecure object direct reference flaws?
* avoid exposing internal functionality of the software using a direct object reference that can be easily manipulated
*
67
What is a surf jacking attack?
When a web site encrypts the authentication portion of the transaction but allows the session ID to be transmitted in cleartext, which an attacker then captures.
68
What is a surf jacking attack?
When a web site encrypts the authentication portion of the transaction but allows the session ID to be transmitted in cleartext, which an attacker then captures.
69
How should SSL certificates be set up?
they should be protected, properly configured, and not set to expire so that they are not spoofed. Educate users not to accept expired certificates.
70
What controls can be used to mitigate insecure transport Layer Protection?
* Provide end-to-end channel security protecting the channel using SSL/TLS or IPSec.
* Avoid mixed SSL
* Ensure that the session cookie’s secure flag is set. This causes the browser cookie to be sent only over encrypted channels (HTTPS and not HTTP) mitigating surf jacking attacks.
* Use cryptography
* Use unexpired and unrevoked certs
* Properly configure certs
71
What is pharming?
Modifying local system files to redirect users to fraudulent web sites, or DNS poisoning.
72
What is differential fault analysis?
Fuzzing.
73
What is a cold boot attack?
an attacker can extract secret information by freezing the data contents of memory chips and the booting up to recover the contents in memory.
Data remanence in RAM
74
What is canonicalization?
the process of converting data that has more than one possible representation to conform to a standard canonical form.
75
What is C14N?
Canonicalization
76
What is Code Access Security?
in a managed code environment, when a software program is run, it is automatically evaluated to determine the set of permissions that needs to be given to the code during runtime. Based on what permissions are granted, the program will execute as expected or throw a security exception.
77
In Code Access Security, what are the three categories of security actions that can be performed?
Requests - used to inform the runtime about the permissions that the code needs in order for it to run.
Demands -Demands are used in code to assert permissions and help protect resources from callers.
Overrides - Overrides are used in code to override default security behavior.
78
What is declaractive security syntax?
In the context of CAS, declarative security syntax means that the permissions are defined as security attributes in the metadata of the code
79
What is imperative security syntax?
Imperative security, on the other hand, is implemented using new instance of the permission object inline in code.
80
What is CNG and what are its features?
The replacement to Microsoft's CryptoAPI.
A new cryptographic configuration system that supports better cryptographic agility
Abstraction for key storage and separation of the storage from the algorithm operations
Process isolation for operations with long-term keys
Replaceable random number generators
Better export signing support
Thread-safety throughout the stack
Kernel-mode cryptographic API
81
What is the difference between a dangling pointer and a wild pointer?
A dangling pointer is left when the object a valid pointer references is deleted.
A wild pointer is a pointer used before it is assigned anything.
82
What is ASLR?
Address Space Layout Randomization
83
What is ASLR?
Address Space Layout Randomization
A dll can be loaded into one of 256 different locations.
84
What is DEP
Data Execution Prevention
85
What is NX?
A sysnonym for DEP.
86
What is ESP?
Executable Space Protection.
It's the Unix/Linux equivalent of DEP.
87
What does the /GS flag do?
the executable that is compiled is given the ability to detect and mitigate buffer overflows of the return address pointer stored on the stack memory.
Creates a security cookie before the return address of a function. If the cookie has been overwritten, the process terminates.
88
What is StackGuard?
StackGuard is a compiler technique that provides code pointer integrity checking and protection of the return address in a function against being altered.
89
What compiler does StackGuard work with?
gcc
90
How does StackGuard work?
StackGuard works by placing a known value (referred to as a canary or canary word) before the return address on the stack so that, should a buffer overflow occur, the first datum that will be corrupted is the canary.
91
What is a terminate or random canary?
A random canary is a 32-bit random number that is set on function entry (on program start) and maintained only for the time frame of that function call or program execution.
A terminator canary is made up of common termination symbols for C standard string library functions, such as 0 (null), CR, LF (carriage return, line feed), and -1 (End of File or EOF), and when the attacker specifies these common symbols in their overflow string as part of their exploit code (shellcode or payload), the functions will terminate immediately.
92
What does /SAFESEH do?
It will produce the executable’s safe exception handlers table and write that information into the program executable (PE). This table in the PE is used to verify safe (or valid) exceptions by the OS. When an exception is thrown, the OS will check the exception handler against the safe exception handler list that is written in the PE, and if they do not match, the OS will terminate the process.
93
How can you implement anti-tapering?
Obfuscation, which can be performed on source or object code.
94
What is firmware?
Software for an embedded system.
95
What is MILS?
The MILS architecture makes it possible to create a verified, always invoked, and tamperproof application code with security features that thwart the attempts of an attacker.
