- ISBN: 9780321424778 | 0321424778
- Cover: Paperback
- Copyright: 6/29/2007
Brian Chess is a founder of Fortify Software. He currently serves as Fortify’s Chief Scientist, where his work focuses on practical methods for creating secure systems. Brian holds a Ph.D. in Computer Engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. He lives in Mountain View, California.
Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. Before joining Fortify, Jacob worked with Professor David Wagner at the University of California at Berkeley to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security. He lives in San Francisco, California.
| Section | Page |
| --- | --- |
| Software Security and Static Analysis | 1 |
| The Software Security Problem | 3 |
| Defensive Programming Is Not Enough | 4 |
| Security Features != Secure Features | 6 |
| The Quality Fallacy | 9 |
| Static Analysis in the Big Picture | 11 |
| Classifying Vulnerabilities | 14 |
| The Seven Pernicious Kingdoms | 15 |
| Summary | 19 |
| Introduction to Static Analysis | 21 |
| Capabilities and Limitations of Static Analysis | 22 |
| Solving Problems with Static Analysis | 24 |
| Type Checking | 24 |
| Style Checking | 26 |
| Program Understanding | 27 |
| Program Verification and Property Checking | 28 |
| Bug Finding | 32 |
| Security Review | 33 |
| A Little Theory, a Little Reality | 35 |
| Success Criteria | 36 |
| Analyzing the Source vs. Analyzing Compiled Code | 42 |
| Summary | 45 |
| Static Analysis as Part of the Code Review Process | 47 |
| Performing a Code Review | 48 |
| The Review Cycle | 48 |
| Steer Clear of the Exploitability Trap | 54 |
| Adding Security Review to an Existing Development Process | 56 |
| Adoption Anxiety | 58 |
| Start Small, Ratchet Up | 62 |
| Static Analysis Metrics | 62 |
| Summary | 69 |
| Static Analysis Internals | 71 |
| Building a Model | 72 |
| Lexical Analysis | 72 |
| Parsing | 73 |
| Abstract Syntax | 74 |
| Semantic Analysis | 76 |
| Tracking Control Flow | 77 |
| Tracking Dataflow | 80 |
| Taint Propagation | 82 |
| Pointer Aliasing | 82 |
| Analysis Algorithms | 83 |
| Checking Assertions | 84 |
| Naive Local Analysis | 85 |
| Approaches to Local Analysis | 89 |
| Global Analysis | 91 |
| Research Tools | 94 |
| Rules | 96 |
| Rule Formats | 97 |
| Rules for Taint Propagation | 101 |
| Rules in Print | 103 |
| Reporting Results | 105 |
| Grouping and Sorting Results | 106 |
| Eliminating Unwanted Results | 108 |
| Explaining the Significance of the Results | 109 |
| Summary | 113 |
| Pervasive Problems | 115 |
| Handling Input | 117 |
| What to Validate | 119 |
| Validate All Input | 120 |
| Validate Input from All Sources | 121 |
| Establish Trust Boundaries | 130 |
| How to Validate | 132 |
| Use Strong Input Validation | 133 |
| Avoid Blacklisting | 137 |
| Don't Mistake Usability for Security | 142 |
| Reject Bad Data | 143 |
| Make Good Input Validation the Default | 144 |
| Check Input Length | 153 |
| Bound Numeric Input | 157 |
| Preventing Metacharacter Vulnerabilities | 160 |
| Use Parameterized Requests | 161 |
| Path Manipulation | 167 |
| Command Injection | 168 |
| Log Forging | 169 |
| Summary | 172 |
| Buffer Overflow | 175 |
| Introduction to Buffer Overflow | 176 |
| Exploiting Buffer Overflow Vulnerabilities | 176 |
| Buffer Allocation Strategies | 179 |
| Tracking Buffer Sizes | 186 |
| Strings | 189 |
| Inherently Dangerous Functions | 189 |
| Bounded String Operations | 195 |
| Common Pitfalls with Bounded Functions | 203 |
| Maintaining the Null Terminator | 213 |
| Character Sets, Representations, and Encodings | 218 |
| Format Strings | 224 |
| Better String Classes and Libraries | 229 |
| Summary | 233 |
| Bride of Buffer Overflow | 235 |
| Integers | 236 |
| Wrap-Around Errors | 236 |
| Truncation and Sign Extension | 239 |
| Conversion between Signed and Unsigned | 241 |
| Methods to Detect and Prevent Integer Overflow | 242 |
| Runtime Protection | 251 |
| Safer Programming Languages | 251 |
| Safer C Dialects | 255 |
| Dynamic Buffer Overflow Protections | 258 |
| Dynamic Protection Benchmark Results | 263 |
| Summary | 263 |
| Errors and Exceptions | 265 |
| Handling Errors with Return Codes | 266 |
| Checking Return Values in C | 266 |
| Checking Return Values in Java | 269 |
| Managing Exceptions | 271 |
| Catch Everything at the Top Level | 272 |
| The Vanishing Exception | 273 |
| Catch Only What You're Prepared to Consume | 274 |
| Keep Checked Exceptions in Check | 276 |
| Preventing Resource Leaks | 278 |
| C and C++ | 279 |
| Java | 283 |
| Logging and Debugging | 286 |
| Centralize Logging | 286 |
| Keep Debugging Aids and Back-Door Access Code out of Production | 289 |
| Clean Out Backup Files | 292 |
| Do Not Tolerate Easter Eggs | 293 |
| Summary | 294 |
| Features and Flavors | 295 |
| Web Applications | 297 |
| Input and Output Validation for the Web | 298 |
| Expect That the Browser Has Been Subverted | 299 |
| Assume That the Browser Is an Open Book | 302 |
| Protect the Browser from Malicious Content | 303 |
| HTTP Considerations | 319 |
| Use POST, Not GET | 319 |
| Request Ordering | 322 |
| Error Handling | 322 |
| Request Provenance | 327 |
| Maintaining Session State | 328 |
| Use Strong Session Identifiers | 329 |
| Enforce a Session Idle Timeout and a Maximum Session Lifetime | 331 |
| Begin a New Session upon Authentication | 333 |
| Using the Struts Framework for Input Validation | 336 |
| Setting Up the Struts Validator | 338 |
| Use the Struts Validator for All Actions | 338 |
| Validate Every Parameter | 342 |
| Maintain the Validation Logic | 343 |
| Summary | 346 |
| XML and Web Services | 349 |
| Working with XML | 350 |
| Use a Standards-Compliant XML Parser | 350 |
| Turn on Validation | 352 |
| Be Cautious about External References | 358 |
| Keep Control of Document Queries | 362 |
| Using Web Services | 366 |
| Input Validation | 366 |
| WSDL Worries | 368 |
| Over Exposure | 369 |
| New Opportunities for Old Errors | 370 |
| JavaScript Hijacking: A New Frontier | 370 |
| Summary | 376 |
| Privacy and Secrets | 379 |
| Privacy and Regulation | 380 |
| Identifying Private Information | 380 |
| Handling Private Information | 383 |
| Outbound Passwords | 388 |
| Keep Passwords out of Source Code | 389 |
| Don't Store Clear-Text Passwords | 391 |
| Random Numbers | 397 |
| Generating Random Numbers in Java | 398 |
| Generating Random Numbers in C and C++ | 401 |
| Cryptography | 407 |
| Choose a Good Algorithm | 407 |
| Don't Roll Your Own | 409 |
| Secrets in Memory | 412 |
| Minimize Time Spent Holding Secrets | 414 |
| Share Secrets Sparingly | 415 |
| Erase Secrets Securely | 416 |
| Prevent Unnecessary Duplication of Secrets | 418 |
| Summary | 420 |
| Privileged Programs | 421 |
| Implications of Privilege | 423 |
| Principle of Least Privilege | 423 |
| This Time We Mean It: Distrust Everything | 426 |
| Managing Privilege | 427 |
| Putting Least Privilege into Practice | 427 |
| Restrict Privilege on the Filesystem | 433 |
| Beware of Unexpected Events | 436 |
| Privilege Escalation Attacks | 439 |
| File Access Race Conditions | 440 |
| Insecure Temporary Files | 446 |
| Command Injection | 450 |
| Standard File Descriptors | 452 |
| Summary | 454 |
| Static Analysis in Practice | 457 |
| Source Code Analysis Exercises for Java | 459 |
| Installation | 460 |
| Begin with the End in Mind | 461 |
| Auditing Source Code Manually | 469 |
| Running Fortify SCA | 471 |
| Understanding Raw Analysis Results | 472 |
| Analyzing a Full Application | 478 |
| Tuning Results with Audit Workbench | 479 |
| Auditing One Issue | 483 |
| Performing a Complete Audit | 487 |
| Writing Custom Rules | 491 |
| Answers to Questions in Exercise 13.2 | 499 |
| Source Code Analysis Exercises for C | 503 |
| Installation | 504 |
| Begin with the End in Mind | 505 |
| Auditing Source Code Manually | 513 |
| Running Fortify SCA | 514 |
| Understanding Raw Analysis Results | 515 |
| Analyzing a Full Application | 520 |
| Tuning Results with Audit Workbench | 521 |
| Auditing One Issue | 525 |
| Performing a Complete Audit | 529 |
| Writing Custom Rules | 531 |
| Answers to Questions in Exercise 14.2 | 537 |
| Epilogue | 541 |
| References | 545 |
| Index | 559 |

Table of Contents provided by Ingram. All Rights Reserved.