Slashdot Mirror

← Back to Stories (view on slashdot.org)

Building Secure Software

Posted by timothy on from the circle-the-wagons dept.

greg pryzby writes: "A friend has been pushing me to read a number of technical books lately. After reading Building Secure Software: How to Avoid Security Problems the Right Way (BSS:HtASPtRW), I decided I needed to spread the word." Read on below for Greg's word on this one. Building Secure Software: How to Avoid Security Problems the Right Way author John Viega, Gary McGraw pages 528 publisher Addison-Wesley rating 8.5 reviewer greg pryzby ISBN 0201-72152-X summary Good information for anyone involved with the creation of software which should be secure.

BSS:HtASPtRW should be available at your favorite book outlet. It is available in hard cover from Addison-Wesley Professional Computing Series (white cover with blue strip). Since it is a security book, the forward is by Bruce Schneier and displayed on the cover. When you open the book, there are three pages of "Advanced Praise" for the book. So, the stage is set and the expectations are high. Will the book live up to the hype? I thought so.

Who should read the book? Anyone who cares about security. There is information for the manager, coder and everyone in between. Throughout the book, there are plenty of examples which I found very useful. John and Gary use code to show th at what they are talking about is not 'just theory'. That is right, there is code that shows the problems. That means samples of bad code, 'secure' code and code to show exploits.

I decided to look at a few chapters and talk about them specifically. Why did I pick these chapters? Because I found them interesting and thought others would too. I can't cover each chapter because I want John and Gary to write more books , so they need to sell a few copies!

Why do they do this? Isn't this giving the bad guys what they need? The bad guys have the information already. There is belief in the security community of full disclosure. This means not keeping things security and calling it secure. "Full disclosure means that hackers publicly disseminate information about your security problem, usually including a program that can be used to exploit it (sometimes even remotely)." (page 81)

Chapter 7 is on buffer overflows. I have read about buffer overflows for years. The chapter starts by explaining what a buffer overflow is and why it is a problem (pointy headed manager stuff). At this point John and Gary talk about how to protect yourself from buffer overflows. They start by listing problems in C and show why it is a problem. A list of functions that are 'bad' are given, but as any list, this isn't comprehensive. While avoiding the list is a good idea, you need to read why the calls are a problem so you can think about any call you use and why there maybe a buffer overflow.

The chapter then turns very technical. The difference between a heap and stack o verflow is discussed. An example is given that takes a C program and shows how to smash the heap and then how to smash the stack. This is pretty technical stuff , but very interesting. Finally an exploit is given. Very informative.

Chapter 9 is on race conditions. Time-of-check, Time-of-use (TOCTOU) is used to demonstrate a race condition. There is discussion on what a race condition is. John and Gary again step through code that is vulnerable and explain why it is vulnerable. Of course they show you how to write the code securely.

Chapter 10 is on randomness and determinism and lives up the the others. I know that random() isn't really random, is a pseudo-random number generator and should not be used when you need a real randomness. John and Gary give a great example to show how an online gambling poker application was open to cheating. Using some math and educated guessing, a GUI was written that would show you everyone's hand and how to win.

The next part of the chapter talks about how to generate randomness via software and hardware solutions. A discussion on entropy and how to determine the amount of entropy from the random source is given. Things get technical (I think), but you can follow the details or skim them. Regardless of how you decide to read this section, you will walk away with a better understanding of the problem.

I hope from the chapters I discuss, your curiosity has been peaked and you pick up a copy. There is other interesting stuff, like the 10 guiding principles for software security.

Web Resources
The web site recently was overhauled. The code from the book is there as well are web resources. It is worth it to take a look at the web site for more information and to get a feel for the information the book covers.

Contents
Foreword
Preface
Acknowledgments

  1. Introduction to Software Security
  2. Managing Software Security Risk
  3. Selecting Technologies
  4. On Open Source and Closed Source
  5. Guiding Principles for Software Security
  6. Auditing Software
  7. Buffer Overflows
  8. Access Control
  9. Race Conditions
  10. Randomness and Determination
  11. Applying Cryptography
  12. Trust Management and Input Validation
  13. Password Authentication
  14. Database Security
  15. Client-side Security
  16. Through the Firewall

Appendix A. Cryptography Basics
References
Index

You can purchase Building Secure Software from Fatbrain. Want to see your own review here? Just read the book review guidelines, then use Slashdot's handy submission form.

30 of 113 comments (clear)

  1. *runs to post office* by RinkSpringer · · Score: 4, Funny

    I'll send a copy to Microsoft... let's hope they abide it :D

    1. Re:*runs to post office* by 9632 · · Score: 2, Funny

      To late. February is over.

      --
      I've decided to mispell one or more words in all my correspondence. If you don't like it then don't read it.
    2. Re:*runs to post office* by sharkey · · Score: 3, Funny

      I doubt it. They won't even read their OWN guidelines:

      The Windows User Interface Guidelines for Software Design, Microsoft Press.

      Quote from book: "consistency makes the interface familiar and predictable".

      Referenced from the Interface Hall of Shame.

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  2. Random Numbers by Joel+Ironstone · · Score: 2, Informative

    There should be a byte available on each chip (or memory cell) that samples thermal noise in some way. This, as I see it, is the only way to get uncorrelated noise. The other systems use iterating functions and take advantage of chaos to produce 'unpredictable' but certainly not random sequences. Know the iterating function and the last result to the precision it is stored in the iterating function- know the next number in the sequence.

    1. Re:Random Numbers by swagr · · Score: 3, Interesting

      Know the iterating function and the last result to the precision it is stored in the iterating function- know the next number in the sequence.

      This can be very hard to determine. Here is a random number generator with period 2^19937-1. Presumably it could be modified to support a larger period.

      --

      -... --- .-. . -.. ..--..
    2. Re:Random Numbers by CrazyBrett · · Score: 2

      Interesting idea, but somehow I think it would still be too predictable. Taking the principle even further, they should have multiple sensors that measure thermal noise, sound variations, RF signals, power fluctuations, light levels, and humidity. Then combine all that data with a big old hash function, and you'll probably get as close to "random" data as one could hope for in this distinctly un-random world.

    3. Re:Random Numbers by wangi · · Score: 2
      The most common random-noise collection method in use is measuring the time between keystrokes. It doesn't require any additional hardware (except a keyboard ;-) and is fairly random. PGP/GnuPG use this method, and if I'm not mistaken, so does the Linux kernel (to feed /dev/(u)random).

      I have a hard time believing this... You're seriously implying that Linux servers (no keyboard) have an inferior /dev/urandom?

    4. Re:Random Numbers by Fuzion · · Score: 2, Informative

      Don't the Intel CPUs have some feature like this? I remember them advertising a while ago that they can generate true random numbers for power dissipation on resistors or something like that. I'm not very familiar with this, and am just recalling something I heard a while ago.

      If all CPUs implemented something similar then can true random numbers be obtained from that?

      --
      "Knowledge makes us accountable." - Che Guevara
    5. Re:Random Numbers by Tom7 · · Score: 2

      > I have a hard time believing this... You're
      > seriously implying that Linux servers (no
      > keyboard) have an inferior /dev/urandom?

      That's true, actually. Check out /usr/src/linux/drivers/char/random.c.

      /dev/urandom uses all sorts of hardware timings (like incoming packets, hard drive seeks, etc.) to produce add entropy to its pool. Typing or moving the mouse improves this, though I think "inferior" might be too strong a word since they are both nearly unpredictable anyway.

    6. Re:Random Numbers by mikeage · · Score: 2

      The original Pentiums has the ability to do this... it was involked by the FPU, and basically took an integer and returned a float that was offset by approximetly 1E-10, IIRC ;)

      --
      -- Is "Sig" copyrighted by www.sig.com?
    7. Re:Random Numbers by PurpleFloyd · · Score: 2, Insightful
      Then combine all that data with a big old hash function, and you'll probably get as close to "random" data as one could hope for in this distinctly un-random world.
      This world is incredibly random. While things may seem predictable on the human scale, that tends to disintegrate as you go smaller and smaller. Things like Brownian motion (the more or less arbitrary "vibrating" motion of heated particles) are very random.

      You will probably come back with some retort about chaos theory and the formation of patterns, so let me tell you what's wrong with that idea right now: Chaos theory does say that in many cases, "random" data will form identifiable patterns. However, often those patterns are not distinct over a small sample. Even given a few million numbers from a sophisticated random number generator, you would be hard-pressed to come up with a pattern in them - even using incredible amounts of computing power. This is why the NSA was so scared of things like PGP a few years back (and still are!). In short, the world is definately not "un-random", especially in very small domains -- such as those microprocessors operate in.

      --

      That's it. I'm no longer part of Team Sanity.
  3. Comments from author by viega · · Score: 5, Informative

    I'm one of the authors of Building Secure Software. First, thanks for the flattering review. We certainly worked hard on the book for a long time, and believe that we've produced something that's very useful for anybody involved in the development process. That having been said, I would like to let you all know the shortcomings I see, even though they are all fairly minor: 1) The book hasn't really seen any substantial discounts, as far as I know. Being a 400 page hardcover book, it's somewhat expensive to begin with, and I'm sure some people won't buy it just for that reason. We've requested that the next printing be done in soft cover, but I don't think that's going to happen, unfortunately. 2) New books always have tons of little problems with them. Several unfortunate things have been noticed already. Most unfortunately, there were a few outdated or inaccurate statements on MS technologies. All of the problems we've found so far will be fixed in the next printing, which should be pretty soon. However, if you notice a problem, and don't see it on the web site's errata, send us e-mail. 3) The topic area is moving pretty rapidly. We essentially finished the text minus edits in February, 2001. Since then, there have been some new things come up the pike it would have been nice to discuss. Over time, we'll update the book's web site with articles that are interesting supplemental reading. All in all, I hope that people get a lot out of the book, and that it does well enough that we'll have the opportunity to do a second edition at some point to make the book even better.

    1. Re:Comments from author by wangi · · Score: 2
      The book hasn't really seen any substantial discounts, as far as I know

      Just a heads-up for folk in the UK looking to buy this book - it-minds.com are doing it for £37.99, 10% off of list price. I think you have to go in via theregister.co.uk

      amazon.co.uk have got it for £41.99

    2. Re:Comments from author by richardbowers · · Score: 2

      1) The book hasn't really seen any substantial discounts, as far as I know. Being a 400 page hardcover book, it's somewhat expensive to begin with, and I'm sure some people won't buy it just for that reason. We've requested that the next printing be done in soft cover, but I don't think that's going to happen, unfortunately

      It's on for a 15% discount at Readme.Doc right now.

      --
      Law is whatever is boldly asserted and plausibly maintained. -- Aaron Burr
  4. Engineered in by Uruk · · Score: 5, Interesting

    This type of book will no doubt help people write more secure applications, but security in larger projects still needs to be engineered in, rather than added on at a later date as a "feature".

    For example, Freenet starts with the assumption that nodes on the network will sometimes be hostile to the network, and that they will fail without reason. That fundamental assumption makes their network stronger IMHO than it would have been if they started with a blue-sky look at the network and added code to prevent certain types of attacks.

    Also, it seems to me that security in applications is probably something won by hard experience. I'm not even sure if it's possible for somebody whose been hacking for just 1 year to build a fundamentally secure application, but trying to learn never hurts. :)

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    1. Re:Engineered in by viega · · Score: 5, Informative

      Actually, that's the thesis of the first couple chapters of the book. We discuss how to incorporate security into the design process from the beginning.

  5. Great Read by tenman · · Score: 2, Funny

    This book was a very good read technicly. However, it's dry and we had to strugle to get through it. I just wish Tolkien had written books about crypto and secure software. They would have been more interesting that way. In the end, I recomend Building Secure Software.

  6. Secure Programming for Linux and Unix HOWTO by geirt · · Score: 5, Informative

    My favorite:

    http://www.dwheeler.com/secure-programs/

    --

    RFC1925
    1. Re:Secure Programming for Linux and Unix HOWTO by viega · · Score: 5, Informative

      This is indeed a good document. The best thing about it is that it's online, and therefore it can keep up with new things better than a print book. Our book tends to go a lot deeper in general, though. In particular, David's has little to no code.

  7. Re:LOL! by viega · · Score: 2, Informative

    Nice FUD, but untrue. Gary got his PhD under Doug Hofstadter, then went directly to the company that is now Cigital.

  8. Security is very important in today's software by Semi_War · · Score: 4, Interesting
    I'm teaching programming in a college in holland, and we have a nice course here to write a "simple" IntToStr. The outcome is so suprising, nobody thinks about simple things like:

    -Minus not followed by digit
    -several minus signs after each other
    -minus preceded by a digit

    It goes to show, it is easy to catch the under/overflows (and even that doesn't happen all to often) but writing good software is hard. This book is definitly going to be on my teachers wish list for this year.
    1. Re:Security is very important in today's software by GGardner · · Score: 2

      Do you mean StrToInt?

      If so, I'm always surprised at how many people miss the common case of correctly parsing the most negative integer.

      Praise grid for libraries, in this case.

  9. Security is like Online Gaming. by Anonymous Coward · · Score: 4, Insightful

    No, really. Software for both has to be designed from the *start* with certain ideas at hand.

    For security? Everyone and everything around you is a hax0r. Games? Everyone and everything around you cheats.

    Look at a game like EverQuest. Are their cheaters? Certainly. Are nintey nine percent of the subscribers to EQ affected by them? Nope. The reason being, EQ realizes that to remain 'cheat free', it has to look at every aspect at the game that the design team proposes, and sit their thinking of ways that people might try to take advantage of and cheat with them.

    Other games don't do this. The Diablo series, with duping/etc. Phantasy Star Online, with duping/illegal player killing/corruption of characters/etc. Half-Life and its mods, with spiked models/etc.

    The result? Games which believe the player is guilty until proven innocent tend to remain, for the most part, cheat free. Those which don't end up ridden with so many cheaters that the game then becomes unplayable.

    Security is the same way. If you think, "No one will do that." with your program, you've already lost. Because, in the end, someone will, just to be an ass.

    As has been said quite a few times before, security isn't an option. It's not something that can be added as an afterthought. It's a vital part of the design process, and cannot be left out.

    Software isn't the United States - remember, it's okay to design with the thought that all your users are malicious.

  10. Seminar By Author by Proaxiom · · Score: 4, Informative
    I find this interesting because I was planning on attending a seminar in a couple of weeks by Gary McGraw, one of the book's authors.

    It's hosted by the Centre For Applied Cryptography Research (CACR) at the University of Waterloo. Anyone in southern Ontario who liked the book might consider attending.

    Info:
    Building Secure Software: How to Avoid Security Problems the Right Way
    Gary McGraw, Cigital
    Mar 20 (Wednesday), 2:30 pm, DC 1302

  11. Security is a process by stevey · · Score: 3, Insightful

    Its a well known fact that security is a process, it should be considered right from the word go, and not just prior to a software release.

    I've been writing a network server, recently, for streaming MP3's, so I been thinking a lot about the various issues.

    I came up with a list of things that I should be doing, partly after reading bugtrack, and partly due to things I've picked up over the years.

    I think its good to see books like this come out - if only to educate the newer/younger programmers who've never though about the issues before. After all many programmers just work on applications which aren't installed setuid, etc, so when they have to work on such a beast, for the first time, they're likely to work the way that they always have.

    I believe that all the programmer courses available should have a section on security - largely because too many people learn from code printing in books, or online, which has all the error checking omitted, so the user can focus on the example. Its obvious from reading many peoples code that they never expect a malloc to fail!

  12. Truely Random Numbers from Intel by ka9dgx · · Score: 2
    Yes, the 810 (and later) series chip sets include a hardware random number generator, based on thermal noise. They have done quite a few things to make sure that it holds up well as a good source of randomness. Intel has a FAQ on the hardware, and how to use it.

    --Mike--

  13. Re:LOL! by gemcigital · · Score: 2, Informative

    Um, in the mid 80's I was in high school in East Tennessee. Had a little company named "M^2 Computing, Inc." with my friend and current compiler god Greg Morrisett (Cornell CS). More detail here . Oh yeah, and I was an apple ][+ kid. gem

  14. Not that simple. by dmaxwell · · Score: 2

    I think the parent poster was trying to point out that some vulnerabilities conform to general patterns that can be spotted in a debugger. There is a big difference between looking for a few specific cases in the code and trying to reverse engineer an API.

    I wouldn't be surprised if black hat tools exist which can scan disassemblies for probable stack and buffer vulnerabilities. Where this gets tricky is figuring out enough of what that section of code does to craft an exploit. It is still less difficult than full blown reverse engineering. The process would be akin to finding cheats in MAME or looking for Nintendo cheats with a Game Genie. One way I can think of to ease that part of it is to rebuild the disassembled code so that it can be single stepped when executed. Something like Bochs could also be used so that the black hat investigator can monitor the execution environment to any level of granularity desired. Once it's known what functionality the suspect code implements, one can start coding prospective exploits.

    Recreating a secret API would be FAR more difficult. An exploit is basically something that adds itself to already running code. One doesn't have to have extremely deep knowledge of what the vulnerable code does. A project like WINE attempts to replicate the functionality of that code in a source maintainable format. It's a whole 'nother kettle of fish altogether.

  15. Re:Speaking of rand() [OT] by gweihir · · Score: 3, Informative
    From the manpage under linux:

    The versions of rand() and srand() in the Linux C Library
    use the same random number generator as random() and sran
    dom(), so the lower-order bits should be as random as the
    higher-order bits. However, on older rand() implementa
    tions, the lower-order bits are much less random than the
    higher-order bits.


    I saw an older manpage of rand() years ago, where they explicitely stated that the lowest bit would alternate and recommended only to use the high bits.

    For a good PRNG check out the Mersenne-Twister
    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
  16. Har har :D by The+Great+Wakka · · Score: 2

    ... After reading Building Secure Software: How to Avoid Security Problems the Right Way (BSS:HtASPtRW), I decided I needed to ...

    Quite an abbrevation, doncha think? :D
    Abbreviations are supposed to be shorter than the word... how about BSS (Building Secure Software). One can normally omit the subtitle in an abbrevation

    Moderators NB: This is intended as humor. The last bit (about an abbrevation suggestion) was tacked on 'cos it was a thought.
    --
    Everything is mainstream now.