Chapter 4 - Secure Software Implementation/Coding

Question 1

What is the most important skill a programmer has?

Answer 1

Problem solving.

Question 2

What is a CPU composed of?

Answer 2

ALU, control unit, registers

Question 3

What is the ALU

Answer 3

Arithmetic Logic Unit

Question 4

What is the main component a CPU communicates with?

Answer 4

RAM

Question 5

What is the system bus?

Answer 5

The gateway channel between which the components of a system communicates.

Question 6

What is the sequence of executing one instruction?

Answer 6

• Fetching (get the instruction from memory)
• Decoding: Deciphers the instruction and moves data from memory to the ALU
• Execution: ALU performs mathematical or logical operation on the data
• Storing: ALU stores the result in memory or register

Question 7

Describe the interal memory layout of a program.

Answer 7

• program text
• data
• stack
• heap

Question 8

What is the text segement of a program?

Answer 8

The instruction code

Question 9

What is the data segment of a program?

Answer 9

The area in memory that contains global data

Question 10

What is the ESP?

Answer 10

The Execution Stack Pointer (I think this is wrong and it should be Extended, a remnant of 16->32 bit) Yeah, this is wrong.

Question 11

What is a VHLL?

Answer 11

Very High Level Language. These are almost like English.

Question 12

What is another name for machine code?

Answer 12

Native code

Question 13

What is another name for native code?

Answer 13

Machine code

Question 14

What is a compiled language?

Answer 14

Code that is converted from source code to object code, then linked with other modules and/or libraries into machine code.

Question 15

What is complilation and what does it produce?

Answer 15

Compilation: The process of converting textual source code written by the programmer into raw processor specific instruction codes. The output of the compilation process is called the object code.

Question 16

What is linking?

Answer 16

Duh

Question 17

What are the benefits of static linking?

Answer 17

Faster processing speed and ease of portability because dependencies are included.

Question 18

What are the disadvantages of static linking?

Answer 18

Larger executables.

Question 19

What is a security risk of using dynamic libraries?

Answer 19

If someone compromises a library, they can effective compromise all binaries that use it.

Question 20

What is an interpreted language?

Answer 20

One that requires an intermediary host program to read and execute each statement of instruction line by line

Question 21

List common interpreted language.

Answer 21

REXX, PostScript, Perl, Ruby, Python.

Question 22

Disadvantages of interpreted languages?

Answer 22

Slower, quicker to change, no recompilation

Question 23

What are hybrid languages?

Answer 23

the source code is compiled into an intermediate stage that resembles object code.

Question 24

What is an example of a Hybrid Language?

Answer 24

Java and .Net

Question 25

What are the typical SDLC models?

Answer 25

• Waterfall
• Iterative
• Spiral
• Agile

Question 26

What is the Waterfall Model

Answer 26

1. Requirements specification
2. Design
3. Construction (also known as implementation or coding)
4. Integration
5. Testing and debugging (also known as verification)
6. Installation
7. Maintenance

Question 27

What are the 5 phases of the Waterfall model according to NIST 800-64?

Answer 27

• Initiation
• Acquisition/development
• Implementation/assessment
• Operations/maintenance
• Sunset

Question 28

What is the defining characteristic of Waterfall?

Answer 28

the unidirectional sequential phased approach to software development.

Question 29

What is the Iterative Model?

Answer 29

the project is broken into smaller versions and developed incrementally

Question 30

Synonym for the Iterative Model?

Answer 30

Prototyping

Question 31

What is the advantage of the Iterative Model?

Answer 31

Increased user input opportunity.

Question 32

What is the disadvantage of Iterative?

Answer 32

If planning cycles are too short, nonfunctional requirements like security get missed.

Question 33

What is the Spiral Model?

Answer 33

The key characteristic of this model is that each phase has a risk assessment review activity.

Question 34

What is the primary benefit of Agile?

Answer 34

changes can be made quickly

Question 35

What are the two agile development methodologies?

Answer 35

XP and Scrum

Question 36

What is XP

Answer 36

Extreme Programming.

People centric. Small projects.

Question 37

What is Scrum?

Answer 37

An Agile variant that uses short (30 day) release cycles to allow requirements to change on the fly.

Daily progress recorded on a burn down chart

Question 38

What 3 categories do the 2009 CWE/SANS Top 25 programming errors fall into?

Answer 38

• Insecure interaction between components
• Risky resource management
• Porous defenses

Question 39

Describe Injection Flaws

Answer 39

User supplied data is not validated before being processed.

Question 40

What is SQL Injection?

Answer 40

An attacker supplying input that becomes part of a database query.

Question 41

What is one way of thwarting SQL Injection?

Answer 41

Suppress database errors, which are used for reconnaissance.

Question 42

What is blind SQL injection?

Answer 42

SQL injection using boolean SQL expressions to probe a target database.

Question 43

What is OS command injection?

Answer 43

Just like SQL injection.

Question 44

What is LDAP injection

Answer 44

Same principle as SQL and OS. Unsanitized input is used to construct or modify syntax, contents, and commands that are executed as an LDAP query.

Question 45

What is XML Injection?

Answer 45

XML injection occurs when the software does not properly filter or quote special characters or reserved words that are used in XML, allowing an attacker to modify the syntax, contents, or commands before execution.

Question 46

Whati is XPATH injection?

Answer 46

the XPath expression used to retrieve data from the XML data store is not validated or sanitized before processing and built dynamically using user-supplied input.

Question 47

What is XQuery Injection?

Answer 47

XQuery injection works the same way as an XPath injection, except that the XQuery (not XPath) expression used to retrieve data from the XML data store is not validated or sanitized before processing and built dynamically using user-supplied input.

Question 48

What are the common traits for any injection attack?

Answer 48

• User-supplied input is interpreted as a command or part of a command that is executed.
• Input from the user is not sanitized or validated before processing
• The query that is constructed is generated using user-supplied input dynamically.

Question 49

How can you prevent injection flaws?

Answer 49

See Injection Flaws Controls. You mostly know all this.

Question 50

What is cross-site scripting?

Answer 50

user-supplied input is sent back to the browser client without being properly validated and its content escaped

Question 51

What are the types of XSS?

Answer 51

• Nonpersistent - user supplied input script is merely included in the response from the web server
• Persistent/stored - the injected script is permanently stored on the target servers, in a database, a message forum, a visitor log, or an input field
• DOM-based - the payload is executed in the victim’s browser as a result of DOM environment modifications on the client side.

Question 52

What is the consequence of a XSS attack?

Answer 52

Attackers execute code on the user’s browser, causing all the usual badness that entails.

Question 53

How do you prevent XSS?

Answer 53

• Escaping or encoding
• Validating user supplied input with a whitelist
• Disallow uploading .htm or .html extensions
• Use innerText, not innerHtml (makes it non-executable)
• Use secure libraries and encoding frameworks that provide XSS protection
• Disable active scripting in the browser, or add a plugin that does the same like NoScript
• HTTPOnly flag on the session
• Application layer firewall

Question 54

What is ESAPI?

Answer 54

OWASP ESAPI Encoding module

Question 55

What is Apache Wicket?

Answer 55

XSS proection

Question 56

Buffer Overflows

Answer 56

I know this already.

Question 57

How do you prevent buffer overflows?

Answer 57

• Input size validation
• Checking buffer size
• Checking buffer bounds
• Integer type checks
• Truncation
• Use a programming language that performs its own memory management and type safety
• Use safe libraries
• Don’t use banned API functions like strcpy()
• Use unsigned integers whenever possible
• Leverage compiler security
• ASLR
• DEP
• memory checking tools

Question 58

What compiler features can prevent buffer overflows?

Answer 58

• The Microsoft Visual Studio/GS flag
• Fedora/Red Hat FORTIFY_SOURCE GCC flag
• StackGuard

Question 59

What is ASLR

Answer 59

Address Space Layout Randomization

Question 60

What is DEP?

Answer 60

Data Execution Protection

Question 61

What are examples of broken authentication or session management?

Answer 61

MITM attacks, session hijacking, impersonation

Question 62

What is a CSRF?

Answer 62

Cross Site Request Forgery

An attacker forges a malicious HTTP request as a legitimate one and tricks the victim into submitting that request. Can be from an email, zero-byte image, etc.

Basically, trick a user into clicking something when they’re already authenticated.

Question 63

How can users prevent CSRF attacks?

Answer 63

• Don’t save username in the browser
• Don’t remember me
• Dont’ use the same browser to surf and access sensitive sites
• Read email in plain text
• Log off after using a web app
• Use client side browser extensions that mitigate CSRF (CSRF Protector)

Question 64

What can developers do to mitigate CSRF?

Answer 64

• Use a session specific token (nonce)
• CAPTCHAs
• Validate uniqueness of session otkens ont he server
• Use POST instead of GET for sensitive data along with a randomized session identifier
• Use a double submitted cookie. Set the value in the form. Make sure they match. The attacker can change the form value, but not the cookie.
• Check the URL referrer tag
• Reauthenticate every time (complete remediation)
• Transaction signing
• Automated logout
• Use OWASP CSRF Guard and OWASP ESAPI.
• Mitigate XSS

Question 65

What is an insecure object direct reference flaw?

Answer 65

An insecure direct object reference flaw is one wherein an unauthorized user or process can invoke the internal functionality of the software by manipulating parameters and other object values that directly reference this functionality.

For example, passing the username in cleartext in a form.

Question 66

How can you prevent insecure object direct reference flaws?

Answer 66

• avoid exposing internal functionality of the software using a direct object reference that can be easily manipulated
  *

Question 67

What is a surf jacking attack?

Answer 67

When a web site encrypts the authentication portion of the transaction but allows the session ID to be transmitted in cleartext, which an attacker then captures.

Question 68

What is a surf jacking attack?

Answer 68

When a web site encrypts the authentication portion of the transaction but allows the session ID to be transmitted in cleartext, which an attacker then captures.

Question 69

How should SSL certificates be set up?

Answer 69

they should be protected, properly configured, and not set to expire so that they are not spoofed. Educate users not to accept expired certificates.

Question 70

What controls can be used to mitigate insecure transport Layer Protection?

Answer 70

• Provide end-to-end channel security protecting the channel using SSL/TLS or IPSec.
• Avoid mixed SSL
• Ensure that the session cookie’s secure flag is set. This causes the browser cookie to be sent only over encrypted channels (HTTPS and not HTTP) mitigating surf jacking attacks.
• Use cryptography
• Use unexpired and unrevoked certs
• Properly configure certs

Question 71

What is pharming?

Answer 71

Modifying local system files to redirect users to fraudulent web sites, or DNS poisoning.

Question 72

What is differential fault analysis?

Answer 72

Fuzzing.

Question 73

What is a cold boot attack?

Answer 73

an attacker can extract secret information by freezing the data contents of memory chips and the booting up to recover the contents in memory.

Data remanence in RAM

Question 74

What is canonicalization?

Answer 74

the process of converting data that has more than one possible representation to conform to a standard canonical form.

Question 75

What is C14N?

Answer 75

Canonicalization

Question 76

What is Code Access Security?

Answer 76

in a managed code environment, when a software program is run, it is automatically evaluated to determine the set of permissions that needs to be given to the code during runtime. Based on what permissions are granted, the program will execute as expected or throw a security exception.

Question 77

In Code Access Security, what are the three categories of security actions that can be performed?

Answer 77

Requests - used to inform the runtime about the permissions that the code needs in order for it to run.

Demands -Demands are used in code to assert permissions and help protect resources from callers.

Overrides - Overrides are used in code to override default security behavior.

Question 78

What is declaractive security syntax?

Answer 78

In the context of CAS, declarative security syntax means that the permissions are defined as security attributes in the metadata of the code

Question 79

What is imperative security syntax?

Answer 79

Imperative security, on the other hand, is implemented using new instance of the permission object inline in code.

Question 80

What is CNG and what are its features?

Answer 80

The replacement to Microsoft’s CryptoAPI.

A new cryptographic configuration system that supports better cryptographic agility
Abstraction for key storage and separation of the storage from the algorithm operations
Process isolation for operations with long-term keys
Replaceable random number generators
Better export signing support
Thread-safety throughout the stack
Kernel-mode cryptographic API

Question 81

What is the difference between a dangling pointer and a wild pointer?

Answer 81

A dangling pointer is left when the object a valid pointer references is deleted.

A wild pointer is a pointer used before it is assigned anything.

Question 82

What is ASLR?

Answer 82

Address Space Layout Randomization

Question 83

What is ASLR?

Answer 83

Address Space Layout Randomization

A dll can be loaded into one of 256 different locations.

Question 84

What is DEP

Answer 84

Data Execution Prevention

Question 85

What is NX?

Answer 85

A sysnonym for DEP.

Question 86

What is ESP?

Answer 86

Executable Space Protection.

It’s the Unix/Linux equivalent of DEP.

Question 87

What does the /GS flag do?

Answer 87

the executable that is compiled is given the ability to detect and mitigate buffer overflows of the return address pointer stored on the stack memory.

Creates a security cookie before the return address of a function. If the cookie has been overwritten, the process terminates.

Question 88

What is StackGuard?

Answer 88

StackGuard is a compiler technique that provides code pointer integrity checking and protection of the return address in a function against being altered.

Question 89

What compiler does StackGuard work with?

Answer 89

gcc

Question 90

How does StackGuard work?

Answer 90

StackGuard works by placing a known value (referred to as a canary or canary word) before the return address on the stack so that, should a buffer overflow occur, the first datum that will be corrupted is the canary.

Question 91

What is a terminate or random canary?

Answer 91

A random canary is a 32-bit random number that is set on function entry (on program start) and maintained only for the time frame of that function call or program execution.

A terminator canary is made up of common termination symbols for C standard string library functions, such as 0 (null), CR, LF (carriage return, line feed), and -1 (End of File or EOF), and when the attacker specifies these common symbols in their overflow string as part of their exploit code (shellcode or payload), the functions will terminate immediately.

Question 92

What does /SAFESEH do?

Answer 92

It will produce the executable’s safe exception handlers table and write that information into the program executable (PE). This table in the PE is used to verify safe (or valid) exceptions by the OS. When an exception is thrown, the OS will check the exception handler against the safe exception handler list that is written in the PE, and if they do not match, the OS will terminate the process.

Question 93

How can you implement anti-tapering?

Answer 93

Obfuscation, which can be performed on source or object code.

Question 94

What is firmware?

Answer 94

Software for an embedded system.

Question 95

What is MILS?

Answer 95

The MILS architecture makes it possible to create a verified, always invoked, and tamperproof application code with security features that thwart the attempts of an attacker.