Software Sleuthing : Security

Top 25 software errors

joshpoley — Mon, 12 Jan 2009 19:41:00 GMT

SANS, along with a coalition of individuals and software organizations, just released their list of top "25 most dangerous programming errors". There has been some talk of making these a "requirement" or some sort of logo program to help protect customers when deciding which software to use or purchase.

From a developer's perspective you should review these and ensure your design and code are doing the right thing. From a tester's perspective, be sure you have cases in place to validate and document how you are verifying these. If the items do become a hard requirement your group will probably have to provide proof of what was tested and how.

Ideally your team is doing all this anyway, but if not, here is a handy checklist to get started.

Security Tools: Codenomicon

joshpoley — Wed, 27 Aug 2008 00:58:00 GMT

About three years ago, when the Xbox 360 was getting close to launching, we went through a security pass of the audio and photo playback capabilities. One of the tools that was recommended to us by another employee was the Codenomicon suite of test files. The folks at this company have taken the time to pick apart some of the typical file formats and produce an extensive library of files which target the specification and common implementations in an attempt to push the limits of your software. Unlike random fuzzing tools, these guys have gone in and hand crafted the files to exercise your implementation in a systematic and precise manner. And one of the major benefits over fuzzing is that you actually get documentation for each test case describing what is interesting about the file.

After running the files through the Xbox's code base, we actually found a couple of edge cases that weren't being handled correctly and warranted a fix. One of the interesting bugs was around an integer overflow that led to memory corruption. We would do some size calculations which resulted in a 32-bit unsigned integer overflowing to zero, which was then passed down to malloc. The cool (from a twisted perspective) thing about malloc(0), is that it actually allocates zero bytes of memory for you and hands back a valid pointer. But unfortunately for us, we would then go and try to write to that pointer which doesn't take very long before something horribly bad happens as we trash memory.

I think it is a fairly accurate statement that you can never do enough testing, and you should definitely try to use all the tools at your disposal. The Codenomicon suites are one such example, and something that not very many people I've talked to have heard about, so it is certainly worth investigating for your product.

Free Security Book: HAC

joshpoley — Mon, 30 Jun 2008 18:17:00 GMT

The Handbook of Applied Cryptography is being offered for free download (for personal use of course) from the University of Waterloo. This book covers a good swath of topics and will be a useful addition to your digital library. And to give you a taste, here is the chapter list:

Chapter 1 - Overview of Cryptography

Chapter 2 - Mathematics Background

Chapter 3 - Number-Theoretic Reference Problems

Chapter 4 - Public-Key Parameters

Chapter 5 - Pseudorandom Bits and Sequences

Chapter 6 - Stream Ciphers

Chapter 7 - Block Ciphers

Chapter 8 - Public-Key Encryption

Chapter 9 - Hash Functions and Data Integrity

Chapter 10 - Identification and Entity Authentication

Chapter 11 - Digital Signatures

Chapter 12 - Key Establishment Protocols

Chapter 13 - Key Management Techniques

Chapter 14 - Efficient Implementation

Chapter 15 - Patents and Standards

For those that prefer cold hard paper, you can also find it at the various common retailers (for slightly more than free).