S2L5 - Insecure Coding Practices: Common Programming Errors (Protection…
S2L5 - Insecure Coding Practices: Common Programming Errors
Protection Analysis (PA) Model
Operations are performed in an incorrect order.
IR: Describe legal sequences of operations on a resource, Check all possible sequences match one or more legal sequences
Arises when an operation is considered as one unit in the abstract but is implemented as 2
IR: If 2 operations must be performed sequentially w/o intervening, use mechanism to ensure cannot be divided
Arises when data is not checked for consistency and correctness,
Failure to check return values of functions
IR: Check all function and procedure executions for errors
If a function parameter is an integer but actual argument is a floating point number, function will produce incorrect result
IR: Check types of functions and parameters
Good compiler & well-written code handle this problem, Declared any function before using them. Lets specify the number and type of arguments and type of return value i any
Error of validation often occurs when data is supposed to lie with bounds.
e.g of buffer and size 0 to 99
IR: Ensure all array references access existing elements of array
Improper Deallocation or Deletion
Failing to delete sensitive info raises possibility of another process seeing it at later time.
Similarly, once a process is finished with resource, should be deallocated for other resources to avoid denial of service.
IR: When process finishes using sensitive object, it should be erased then deallocated or deleted. Any resources not needed should also be released
Refers to ambiguity in identifying an object. Two objects have same name, when programmer refer to one of object, it is referred to a different object.
MR: Unique objects require unique names, Interchangeable objects nay share a name
IR: Must ensure context in which an object is named identies correct object
This category describes data and instructions that change over time.Changed values may be inconsistent with previous values causing program to take incorrect actions
The data can reside in shared memory, non-shared or on disk. Last includes file attribute information such as ownership and ACLs
Change in File Contents
Any process that can access shared memory can manipulate data, therefore one process can change data on which a second relies. This could cause second process to violate security policy.
e.g for one reads authentication data and writes, the other authenticates
IR: If process interact with other, interactions should be synchronised.
IR: Whenever possible, data that the process trusts and that it receives from untrusted sources should be kept in seperate areas of memory
Improper Isolation of Implementation Detail
Arises when an abstraction is improperly mapped into an implementation detail.
Notion of a user and a role
Access Control Information
Creating of a process with rights of role
Restricting Protection Domain of the Role Process
Validating the Access Control Entries
Resource Exhaustion & User Identifiers
Program can work with role names while OS uses integers (UIDs). This is ussually done with a user information database that contains mapping, but the program must detect any failures of query and respon appropriately
Improper Choice of Initial Protection Domain
Arise from improper setting of permissions or privileges
Three objects to set permission properly:
File containing program
Access Control File
Memory space of process
Trust in the System
MR4: Identify all system component on which program depends. Check for error when possible and identify components for which error checking will not work.
IR3: Ensure program does not share memory with other program and other program cannot access memory of privileged process.
MR3: Configure memory to enforce principle of least privilege, If section of memory not to contain executables, turn execute permission off. Make read-only if not to be altered.
Access Control File Permissions
IR1: Ensure any assumptions in program are validated. If not possible, document them in installers and maintainers so they know the assumptions that attackers will try to invalidate
MR1: Program that is executed to create the process and all associated control files must be protected from unauthorised use and modification. Should be detected
IR1: Structure process so that all sections requiring extra privileges are modules; should be as small as possible and perform only tasks that require those privileges
MR1: Check process privilege set properly. Insufficient cause Dos. Excessive could enable attacker exploit vulnerabilities.
The privileges of process and time at which process has these privileges must chosen and managed carefully.
Management Rules (Installation, configuration, maintenance)