[SecurityRatty] tag: swap

Improve Security with "A Layer of Hurt"

Thu, 31 Jul 2008 15:13:00 +0000

Hello, Michael here.

I got a lot of interesting comments from my TechEd 2008 presentation entitled, "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number of people who thought fuzz testing was hard, or that you only left fuzz testing to ‘leet hackers.

During the presentation I mentioned in some depth how to perform fuzz testing, and what parts of an application should be fuzz testing targets. I also introduced an idea (that's not new) to help people who have never performed fuzz testing begin fuzz testing with very little cost and friction. The idea is to add a small layer of code to an application to automatically mutate untrusted data as it comes into an application; I called that code layer "a layer of hurt."

Before I continue, I want to point out that fuzzing is an SDL requirement, but the idea in this blog post is not an SDL requirement, it's just another way to help meet SDL fuzzing requirements.

Adding a layer of hurt, as shown in the picture below, is pretty simple as it involves adding code to an application to tweak data as it comes into an application. You can work out where to place the fuzzing code by looking at your threat models to see where data crosses trust boundaries. You could also simply grep the code looking for APIs that read data, for example:

Read from files: fread, ReadFile
Reading from sockets: recv, recvfrom
For .NET code, any stream.Read

You get the picture.

The fuzzing code should appear right after the API that reads that data.

For example, C or C++ code that reads from a UDP socket and then fuzzes the data before it's consumed by the rest of the application might look like this:

char RecvBuf[1024];
int BufLen = sizeof(RecvBuf);

int result = recvfrom(
   RecvSocket,
   RecvBuf,
   BufLen,
   0,
   (SOCKADDR *)&SenderAddr,
   &SenderAddrSize);

#ifdef _FUZZ
Fuzz(RecvBuf,&BufLen);
#endif

Or, in C#, code that reads from an untrusted file:

FileStream fileStream = new FileStream(filename, FileMode.Open, FileAccess.Read);
uint len = (uint)(fileStream.Length);
byte[] fileData = new byte[fileStream.Length];
fileStream.Read(fileData, 0, (int)len);
fileStream.Close();

#if _FUZZ_
Malform pain = new Malform();
fileData = pain.Fuzz(fileData);
#endif

In both code examples, Fuzz() mutates the incoming data. In the C++ case, the fuzzing code looks like this:

void Fuzz(_Inout_bytecap_(*pcbBuf) char *pBuf,
_Inout_ size_t *pcbBuf) {

if (!pcbBuf || !pBuf || !*pcbBuff || *pBuf) return;
if ((rand() % 100) > 5) return; // fuzz about 5% of Buffers

size_t cLoop = 1 + (rand() % 4);

for (size_t j = 0; j < cLoop; j++) {

    size_t i=0,
      iLow = rand() % *pcbBuf,
      iHigh = 1+rand() % *pcbBuf,
      iIter = 1+rand() % 8;

    if (iLow > iHigh)
      {size_t t=iHigh; iHigh=iLow; iLow=t;}

char ch=0;
switch(rand() % 9) {

      case 0 : // reset upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] &= 0x7F;
        break;

      case 1 : // set upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] |= 0x80;
        break;

      case 2 : // toggle all bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] ^= 0xFF;
        break;

      case 3 : // set to random chars
        for (i=iLow; i < iHigh; i++)
          pBuf[i] = (char)(rand() % 256);
        break;

      case 4 : // set NULL chars to (possibly) non-NULL
        for (i=iLow; i < iHigh; i++)
          if (!pBuf[i])
            pBuf[i] = (char)(rand() % 256);
        break;

      case 5 : // swap adjacent bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          {char t=pBuf[i]; pBuf[i] = pBuf[i+1]; pBuf[i+1]=t;}
        break;

      case 6 : // set to random chars every n-bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          pBuf[i] = (char)(rand()%256);
        break;

      case 7 : // set bytes to one random char
        ch=(char)(rand() % 256);
          for (i=iLow; i < iHigh; i++)
            pBuf[i] = ch;
        break;

      default: // truncate stream
        *pcbBuf = iHigh;
        break;
     }
   }
}

The sample C# and C++ fuzzing code is available as a ZIP file at the end of this post.

This code is an example of dumb-fuzzing, which is fuzzing with little or no regard for the data structure being manipulated. If you've never performed any kind of fuzz testing in the past, then you will probably find bugs with this simple fuzzing technique. Once you have weeded out the low-hanging bugs, you may need to turn your attention to smarter fuzzers. For example, in theory, this code would find few if any bugs in a PNG parser, because PNG files have a built in check-sum, so if you fuzz a PNG file, you'd have to recalculate the checksum to get decent code coverage.

When I showed this code during my presentation, I urged people to add it to their applications today if they currently don't do fuzz testing, and simply run their applications through their normal testing processes. Within three days of my presentation I received emails from people saying they had found bugs. I have no doubt others did too.

One of the comments I made during the session was,"If you can't spend the time on great fuzzing, fuzz anyway" and adding a "layer of hurt" is a reasonable start.

Please feel free to sound off if you have ideas to help improve the code and let us know what you think, either through email or comments to this post.

A better DOS than DOS and a better Windows than Windows

Thu, 17 Apr 2008 17:33:39 +0000

Anybody remember that slick marketing line? You are a winner if you picked OS/2. OK I will admit it, I was an OS/2 user. I liked it much better than Windows 3.1 and used it even after Windows 95 came out. I still think it was a superior product to anything that the guys from Redmond put out. Why don't we all run OS/2 today instead of Windows? Good question, I ask myself that all the time. Some say it is because Microsoft used strong arm tactics to persuade ISV's from developing apps for OS/2. That may be true, but for me the real problem was IBM's strategy was instead of fighting the fight to get OS/2 apps developed, they said go ahead and run Windows and DOS apps on OS/2, we can run them better. They could, but at the end of the day they were still Windows and DOS apps and this gave Microsoft an inherent advantage that could not be overcome.

I was reminded of this today while reading an article in eWeek by Joe Wilcox on how Microsoft is in so much trouble and how nobody is using Vista (better not tell the 100 million or so users of Vista that). Joe points out the recent Gartner report that says Microsoft is headed for a train wreck around 2011 or so because Windows is vulnerable (to competition that is, not necessarily to vulnerabilities. Well actually it is vulnerable to those too, but that is for another blog). Not to be outdone by the G-men, straight off the shrimp boat the Forest-er Gump crew come out with a pair of reports (here and here), that detail Vista's adoption issues. The net of one is that while tech folks see the benefit of upgrading to Vista, it is a tough sell to the CIOs and CFOs of the world. Many according to the article are saying they will wait for Windows 7, whenever that comes out. I don't buy this myself. I remember similar talk when XP came out.

Where I really disagree with Wilcox though is his comments regarding Mac OSX replacing Windows in the enterprise:

I disagree that Mac OS X is no alternative, particularly when businesses must swap out hardware anyway and Exchange-supporting Office 2008 is available. Mac OS X nicely plugs into Active Directory. I don't expect massive conversions to Mac OS X, but I strongly disagree with contention that it's "simply not a viable option."

What will enable this Mac revolution? Virtualization according to Wilcox and those who believe as he does. This is where they step in the footsteps of OS/2 before them. If OSX is a better OS, fine. But don't fool yourself. If you are going to rely on Microsoft Exchange, Microsoft AD and other Microsoft server products plus Microsoft applications and you are going to run your Mac hardware running Windows in a virtual hypervisor on top of it, you are just a "better Windows than Windows" but you still run Windows. Microsoft will use its stranglehold on the applications to make sure that they run better, faster, cheaper on the real Windows.

Gartner, Forester and Joe Wilcox miss the point here. Windows will not be in serious danger of losing its preeminent position on the desktop until there are enough applications that run natively on another OS and don't run on Windows. I don't see many application developers willing to walk away from the Windows market for that to be a reality. That makes desktop Linux, Mac OS and the rest just more OS/2s.

A better DOS than DOS and a better Windows than Windows

Thu, 17 Apr 2008 16:36:34 +0000

I was reminded of this today while reading an article in eWeek by Joe Wilcox on how Microsoft is in so much trouble and how no body is using Vista (better not tell the 100 million or so users of Vista that). Joe points out the recent Gartner report that says Microsoft is headed for a train wreck around 2011 or so because Windows is vulnerable (to competition that is, not necessarily to vulnerabilities. Well actually is vulnerable to those too, but that is for another blog). Not to be outdone by the G-men, straight off the shrimp boat the Forest-er Gump crew come out with a pair of reports (here and here), that detail Vista's adoption issues. The net of one is that while tech folks see the benefit of upgrading to Vista, it is a tough sell to the CIOs and CFOs of the world. Many according to the article are saying they will wait for Windows 7, whenever that comes out. I don't buy this myself. I remember similar talk when XP came out.

Where I really disagree with Wilcox though is his comments regarding Mac OSX replacing Windows in the enterprise:

I disagree that Mac OS X is no alternative, particularly when businesses must swap out hardware anyway and Exchange-supporting Office 2008 is available. Mac OS X nicely plugs into Active Directory. I don't expect massive conversions to Mac OS X, but I strongly disagree with contention that it's "simply not a viable option."

What will enable this Mac revolution? Virtualization according to Wilcox and those who believe as he does. This is where they step in the footsteps of OS2 before them. If OSX is a better OS, fine. But don't fool yourself. If you are going to rely on Microsoft Exchange, Microsoft AD and other Microsoft server products plus Microsoft applications and you are going to run your Mac hardware running Windows in a virtual hypervisor on top of it, you are just a "better Windows than Windows" but you still run Windows. Microsoft will use its stranglehold on the applications to make sure that they run better, faster, cheaper on the real Windows.

Women in IT: A Note from the Non-Booth-Babe Blogger

Thu, 03 Apr 2008 10:58:30 +0000

Okay Alan! Your blog this morning has cracked me up, I’ve definitely had a good giggle from it. I have to say though, I’m surprised, amused and embarrassed all at the same time. Blonde- yes, Blogger- yes… not sure about the other parts!

I may disagree on the photo comment. First of all, it’s really bad. Secondly, I’ve emailed responses to several of my readers’ comments and (much to my surprise) found they didn’t realize I was ‘a girl’. Shocking right? When they saw ‘Jennifer’ in my email signature they figured it out. So, I don’t know that the photo has any impact on readership, but I could be wrong. However, if you do read my blog because I’m female and you like the photo- I’m okay with that- you’ll still learn something ;)

Note to self: I definitely have to do something about that horrible photo! I’ve been procrastinating for a while and searching for a photographer and stylist to get some new ‘real’ head shots taken. I hate having my photo taken, so I’ll keep you posted on that.

Women in IT…

The timing of your post is amazing as well. Over the past couple of weeks I’ve received several emails from fellow women in IT who wanted to make a connection, swap stories and find a commerad-ess, or two, in the world. I’ve even received postcards and written notes from thoughtful ladies who found my information online. I guess I never realized what a struggle some women have in the ‘man’s world’ of IT. I’m starting to realize it more, as I meet new friends and hear their war stories of moving up and gaining respect in the industry.

I’ve been lucky- I grew up in the IT industry and somehow managed to circumvent a lot of the ‘gender issues’. When I was about 16, I developed and taught computer and Internet-related courseware, and had to teach it to adults (and yes, they’re actually worse than the 2nd graders!) Around that same time, I was sitting on a state agency board as a SME on web usage and development.

I was young and a female (and blonde), so I most certainly had to prove myself and establish a repertoire to gain the respect of my peers; mostly middle-aged and older men who had been in the industry longer than I’d been alive.

Knowing what you don’t know…

Getting thrown in early certainly taught me valuable lessons. I made sure I knew my stuff inside and out, and conversely, I made sure I was comfortable asking questions on topics I didn’t know about. Part of the respect comes from ‘knowing what you don’t know’ and being able to admit it. I think I’m pretty good at that and it’s carried me far. :) Plus, I had two great role models to learn from.

However it happened- through some combination of luck and hard work- I’m happy to be where I am. Our customers, partners and colleagues look to me for answers and insight. I know they trust me and and that’s an amazing feeling. It’s also what drives me to be the best at what I do, and to keep learning, studying and working at it.

They’ve given me their trust, and I try really hard to give them something back that’s equally as important.

# # #

RSA Blogger Buzz & Anticipation

Thu, 27 Mar 2008 11:07:00 +0000

Well, I’m getting more and more excited about the upcoming Security Bloggers Meetup at RSA.

I’ve had the distinct pleasure of having a brief run-in with Alan Shimel and Ryan Russell just this week, so I can cross them off my ‘yet to meet’ list and add them to the ‘looking forward to seeing again’ list.

With my recent addition of (and addiction to) Twitter, I’ve had the opportunity to chat and swap semi-meaningless banter with a variety of other SBN members, especially the ‘glue’ of the event, Jennifer Leggio, and some of the main ‘characters’… a fitting term I’d say… including Martin McKeay, The Hoffmeister, Rich Mogull, Ryan Naraine, Mister Brad Feld, the second Jack Daniel I now know, plus our recently-crowned greatest live-tweeter ever- Ben J and several others- I’m still learning who’s who and who’s going to the Meetup at RSA. Sorry if I’ve missed anyone, but please hop on the SBN site and check out the latest blogs and member links.

You’ll definitely be seeing more info and updates from me as we get closer to RSA, and I plan to try and blog regularly while there to let you all know what shenangians are going on. Until then, here’s a little more info to stay in the loop!

Want to know more? You can find more blog links on SBN and a fit-to-twit list at (the other) Jennifer’s Security Twit post.

Want to watch the event Live? If you’re a regular reader of my blog, or any of the other SBN group, you’ll get a chance to join us virtually. Evidently they (or I guess ‘we’) will be streaming live with conferencing and video blogs. Check this link for details on live event streams. Guaranteed to be entertaining!

# # #

Consumer networks for business use

Mon, 10 Mar 2008 06:30:00 +0000

If all the hype is to be believed then IT execs who ignore Web 2.0 collaboration technologies could be hurting their company's bottom line. That, apparently, is the message from IT leaders and industry analysts who are convinced that Web 2.0 technologies are the real deal. And, as it's published in CIO Magazine then it must surely be true. The article goes on to cite examples from the real world (the one where you have real friends and real business relationships) that demonstrate just how vital these collaboration technologies are. - A company - Serena Software - where some customers only talk to them via Facebook because they've "given up on e-mail because it's such a horrendous technology" - The same company has Facebook Fridays where "executives encourage their 900 employees in 18 countries to connect with customers, business partners and each other over the company's group portal on the popular social networking site." - Cisco, "where the virtual world of Linden Lab's Second Life....is quickly becoming a preferred method of interaction among the company's employees, business partners and customers" - Gartner, who say that "organizations can create a mash-up, a combination of multiple applications, of their CRM database and their employees' Facebook contacts to identify personal links among sales prospects." Before I talk about why I think all of the above is misguided advice, opens up the network and data to unacceptable risks as well as increasing personal risks to employees, there are actually some good words of wisdom in the same article. Accenture, for instance, who rather than using a public site, .. opted to build a social networking platform behind the company's firewall on Microsoft Office SharePoint Server to connect Accenture's more than 170,000 employees worldwide. This is a good approach because it's using technology specifically developed with business functionality in mind, it has strong security, and Accenture are keeping it within the boundaries of their own networks. As soon as you start sharing company data across a public facing, consumer network that's also being used by your children to share happy slapping videos and news about what happened down the rec on Friday night then you've lost the plot. Show me the business case and cost savings model that led you to believe that it's a good idea. I'll wager that you don't have one, but that you've leapt straight in and done it anyway because of all the industry pundits telling you to do so and threatening that you're going to get left behind if you don't. The example quoted above where the company uses Facebook in place of "horrendous" email is one instance where you wonder just what problem they are trying to solve and why and how swapping over to an email service provisioned by an organisation that will know all your contacts and all of their contacts, and all of the information being swapped makes it better. Are you really using Facebook's email service to swap company information? Good grief! Remind me not to use your company if I ever need the type of product you're selling. Just read back through their privacy policy and tell me that you still want to use Facebook in this way. I realise that not every organisation has the deep pockets necessary to invest in tools such as SharePoint and that they will want to utilise consumer technologies to some degree. Fine, but you generally get what you pay for and if you're getting something for free then don't complain when you find your business profiles being used for marketing purposes by either a) a competitor or b) somebody else pretending to be you. Oh yes, and also don't complain when the service goes down the next time that the Pakistani or some other government gets upset about some of the content. My personal advice is to not cheapen your brand and to seriously consider the security risks associated with using consumer networks as a corporate sharepoint for email and business relationships. Embracing new technologies is one thing but long term success is built on what comes prior to the embrace: assessing the benefits, working out the costs, determining the risks etc etc. Does that make sense?

Michael Vick's journey from the NFL to a jail cell

Tue, 11 Dec 2007 00:13:00 +0000

I watched CNN this morning as they announced that Michael Vick had been sentenced to 23 months incarceration for his part in organizing illegal dog fighting and animal abuse. I have never been a star quarterback so I do not know how it feels to go from being a NFL superstar to a Felon, but I bet it can't be easy.

There's not much upside to this story either. The sentencing Judge, Henry E. Hudson, was not buying the idea that it had been a "momentary lack of judgement." He described Vick as being a "full partner" in the crime. He also told him that he owed an apology to the young children who used to look up to him as a role model.

As if all of this humilation was not enough, Vick is still liable to be prosecuted under State Law. Other than an acquital, which is highly unlikely after his conviction in Federal court, the best he can hope for is to have all of his State sentence run concurrently (at the same time as the Federal time).

I recently wrote about Risk Management. For the life of me, I do not understand why one of the highest earning super stars in the NFL (his 10 year contract was reportedly worth $130,000,000.00)would not hire personal security consultants to keep him out of trouble. While a personal protection agent's main role is usually keeping his client safe from outside threats and attacks, in the case of celebrities, this often means keeping them safe - from themselves.

A colleague and I were talking last year about an assignment that involved protecting a world famous boxer who had a penchant for getting into trouble. He said that he never worried about anyone attacking his client, but he constantly worried about his client getting into trouble. This was most especially the case where females were involved. As a result he was like a baby sitter and was never able to take his eyes off of the client (baby) for more than a second. He said the money was great, but in the end it just wore him down too much.

Guys like Vick are really to be pitied. Most of them go from relative obscurity and poverty to overnight stardom. Which of us would not fold under that pressure? We see Lotto winners losing fortunes all the time. There are always too many hanger-ons, both from the old days and new found friends who are afraid to speak their minds. However, having the courage to speak up and voice an unpopular opinion might be just what it takes to keep these guys out of trouble.

They need tough love so they don't swap their Armani for prison stripes. If you come across any super stars to be, tell them about us. We'll keep them safe. At the same time we'll keep them out of lawsuits, gossip columns, bankruptcy courts and jail. It's probably too late for Vick. At the time of writing his houses are being auctioned off and the creditors are moving in.

As I said before, this is the opposite of Risk Management. This is avoidance. We all have risk. The secret is knowing how to best manage it.

Grayware?

Wed, 07 Mar 2007 04:11:45 +0000

Very interesting definitions that I found on www.dqchannels.com which I would like to highlight:

'Grayware' is a term that regularly appears on IT and security professionals' radar screens today. An umbrella term applied to a wide range of applications that are installed on a user's computer to track and/or report certain information back to some external source, these applications are usually installed and run without the permission of the user.

Grayware categories

Adware: Adware is usually embedded in freeware applications that users can download and install at no cost. Adware programs are used to load pop-up browser windows to deliver advertisements when the application is open or run.

Dialers: Dialers are grayware applications that are used to control the PC's modem. These applications are generally used to make long distance calls or call premium 900 numbers to create revenue for the thief.

Gaming: Gaming grayware applications are usually installed to provide jokes or nuisance games.

Joke: Joke grayware are applications that are used to change system settings, but do no damage to the system. Examples include changing the system cursor or Windows' background image.

Peer-to-Peer: P2P grayware are applications that are installed to perform file exchanges. (P2P) While P2P is a legitimate protocol that can be used for business purposes, the grayware applications are often used to illegally swap music, movies, and other files.

Spyware: Spyware applications are usually included with freeware. Spyware is designed to track and analyze a user's activity, such a user's web browsing habits. The tracked information is sent back to the originator's Web site where it may be recorded and analyzed. Spyware can be responsible for performance related issues on the user's PC.

Key logger: Key loggers are perhaps one of the most dangerous grayware applications. These programs are installed to capture the keystrokes made on a keyboard. These applications can be designed to capture user and password information, credit card numbers, email, chat, instant messages, and more.

Hijacker: Hijackers are grayware applications that manipulate the Web browser or other settings to change the user's favorite or bookmarked sites, start pages, or menu options. Some hijackers have the ability to manipulate DNS settings to reroute DNS requests to a malicious DNS server.

Plugins: Plugin grayware applications are designed to add additional programs or features to an existing application in an attempt to control, record, and send browsing preferences or other information back to an external destination.

Network management: Network management tools are grayware applications that are designed to be installed to for malicious purposes. These applications are used to change Tools network settings, disrupt network security, or cause other forms of network disruption.

Remote administration tools: These tools are grayware applications that allow an external user to remotely gain access, change, or monitor a computer on a network.

BHO: BHO grayware applications are DLL files that are often installed as part of a software application to allow the program to control the behavior of Internet Explorer. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information stored on the host.

Toolbar: Toolbar grayware applications are installed to modify the computer's existing toolbar features. These programs can be used to monitor web habits, send information back to the developer, or change the functionality of the host.

Download: Downloaders are grayware applications that are installed to allow other software to be downloaded and installed without the user's knowledge. These applications are usually run during the startup process and can be used to install advertising, dial software, or other malicious code.