AN IMMERSIVE CYBERSECURITY ANALYTICS PROGRAM
Systems Administration 300
Secure Coding and Compiling
LEARNING OBJECTIVES
SECURESET.COM
©2018 SecureSet Academy, Inc | All Rights Reserved
SECURE CODING | EXPLANATION
If good coding practices are built into the initial design, it is far less
expensive than having to rework the code later, and it is also more secure to
have those protections in place from the beginning. Although many of these
vulnerabilities are exploited through lower OSI or TCP/IP model layers, the
vulnerabilities themselves are coded into the running applications.
SECURE CODING | INPUT VALIDATION
Data validation
Classify data as trusted vs untrusted
Always validate untrusted
Complete validation on a trusted system (the server)
Use a specific character set (UTF-8)
Encode to a common character set
Failures = rejection
Using this strategy can ensure good input at all times, with any non-conforming
data being rejected.
VALIDATING INPUT | BLACKLISTING CHARACTERS
Blacklist validation
Known bad IPs
Reject any input with known bad characters
Considerations
You must maintain an ever-growing list of bad characters
New exploits found
Zero days
Time-consuming process as the list expands
VALIDATING INPUT | SANITIZE INPUT
AUTHENTICATION AND PASSWORDS
SESSION MANAGEMENT
ACCESS CONTROL
GENERAL CODING PRACTICES
PYTHON | PEP-8
Part of the students' homework will be reading through the PEP-8 guidelines. When
you get to this slide, I would recommend explaining what PEP-8 is and then
opening it up to the class and asking how adhering to a style guide could benefit (or
maybe subtract from?) their scripts. - Readability - Commenting for the next person who
takes your position in the company - etc...
PYTHON | VALIDATION FUNCTIONS
Built-in str validation methods:
isalpha(), isdigit(), isnumeric(), isdecimal(), isalnum(),
isupper(), islower(), istitle(), isspace()

#!/usr/bin/python3
def url():
    site = input("url: ")
    urlTest(site)    # urlTest() is defined elsewhere in the lesson; not shown on this slide
    return site

if __name__ == "__main__":
    site = url()
    print(site)
This is a short list of some of the validation functions already in Python 3. I would
recommend going through each line and having the class try to figure out when they
might be useful. Then go through the code to the right and try to figure out what it
does. - It is a very quick and dirty URL tester to verify that the URL you have is
secure and accessing a '.com', '.org', '.net', or '.gov'
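A whitelist-style version of the URL tester the notes describe, written as an added example (not the lesson's own urlTest()): every part of the input must match an allowed shape, and anything else is rejected. The names check_url, url_prompt and the allowed scheme/TLD sets are assumptions taken from the slide notes.

```python
#!/usr/bin/python3
"""Whitelist URL check: accept only https URLs on .com/.org/.net/.gov hosts.
Added example; check_url, url_prompt and the allowed sets are assumptions."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}                  # "secure" per the slide notes
ALLOWED_TLDS = {"com", "org", "net", "gov"}  # TLDs named in the slide notes


def check_url(url: str) -> bool:
    """Return True only when every part of the URL passes a positive check."""
    # Control characters and whitespace are never part of a valid URL.
    if not url.isprintable() or any(ch.isspace() for ch in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:                       # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname or ""
    labels = host.split(".")
    if not host or len(labels) < 2:
        return False
    # Each label: letters, digits and '-', not empty, no leading/trailing '-'.
    for label in labels:
        if not label or label.startswith("-") or label.endswith("-"):
            return False
        if not label.replace("-", "").isalnum():
            return False
    return labels[-1].lower() in ALLOWED_TLDS


def url_prompt(reader=input) -> str:
    """Loop until the reader supplies a URL that passes check_url."""
    while True:
        site = reader("url: ")
        if check_url(site):
            return site
        print("Rejected: only https URLs on .com/.org/.net/.gov hosts are accepted")


if __name__ == "__main__":
    print(url_prompt())
```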
PYTHON | WHILE LOOPS
While loops can be used to loop over errors until corrected. They can be
implemented in a way that allows the while <condition> to be the error checking or
they may be a while True: with a break statement that breaks out of the while loop
once the condition is corrected.
PYTHON | TRY-EXCEPT-ELSE STATEMENT
General form:
try:
    Some operations
except Exception_I:
    Some statements
except Exception_II:
    More statements
else:
    Execute if no exceptions

Example:
#!/usr/bin/python3
while True:
    try:
        num = input("number: ")
        num = int(num)
        break
    except ValueError:
        print("Please choose an int.")
This is basic. It can get much more complicated (nested try statements, finally:, etc.).
From http://www.pythonforbeginners.com/error-handling/python-try-and-except
IOError: If the file cannot be opened.
ImportError: If Python cannot find the module.
ValueError: Raised when a built-in operation or function receives an argument that has the right type but an inappropriate value.
KeyboardInterrupt: Raised when the user hits the interrupt key (normally Control-C or Delete).
EOFError: Raised when one of the built-in functions (input() or raw_input()) hits an end-of-file condition (EOF) without reading any data.
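The retry loop from the slide, carried through as an added example (not the lesson's code) with the else branch in use, a cap on attempts so bad input cannot keep the loop running forever, and the EOFError case from the list above handled. read_int, MAX_ATTEMPTS and the reader parameter are assumptions.

```python
#!/usr/bin/python3
"""Bounded retry around int(input()) using try/except/else.
Added example; read_int, MAX_ATTEMPTS and reader are assumptions."""

MAX_ATTEMPTS = 3


def read_int(prompt="number: ", reader=input, attempts=MAX_ATTEMPTS):
    """Return the first valid int the reader supplies, or None when the
    attempts run out or the input stream ends before a valid value arrives."""
    for _ in range(attempts):
        try:
            raw = reader(prompt)
            num = int(raw)
        except ValueError:
            # Right type (str) but inappropriate value, e.g. "abc" or "1.5".
            print("Please choose an int.")
        except EOFError:
            # input() hit end-of-file without reading any data.
            print("No more input.")
            return None
        else:
            # Runs only when nothing in the try block raised.
            return num
    print("Too many invalid attempts.")
    return None


if __name__ == "__main__":
    print(read_int())
```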
PYTHON | OUTPUT FORMATTING 1 (WHAT WE HAVE BEEN DOING)
Variable Formatting
name = "Lionel"
course = ["Singing", "Theater", "Dance"]
print(f"Hello {name}, welcome to class")
import math
print(f"The value of pi is approx. {math.pi:.3f}")
** Remember this format does not work with all versions of Python3 **
This is going to be similar to the next slide. I'd recommend going through each slide
together and then trying to have the class think of why having dynamic output
could be bad or good.
PYTHON | OUTPUT FORMATTING 2 (MOST LANGUAGES FORMAT)
str.format()
print("Hello {}, welcome to {}".format("First Name","Class"))
import math
print("The value of pi is approx. {0:.3f}".format(math.pi))
** This format is more common among other languages, but not as clean as the last slide **
LOGGING | EXPLANATION
PYTHON | LOGGING
logger.debug()
Good for debugging information. Doesn’t need to get removed after testing
(just set logging level higher)
logger.info()
Subroutine starting, server state changes
logger.warn()
Not an error, but important (login attempts, etc.)
logger.error()
Exceptions thrown, login errors, etc
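The four levels above in use, as an added example that is not the lesson's code: a login routine emits debug, info and warning records, and raising the logger level drops the debug output without removing the calls. User-supplied text is passed as a %s argument rather than formatted into the message, so it cannot change the log line's layout. Note that logger.warning() is the current name; logger.warn() is deprecated. ListHandler, make_logger, login and demo are assumptions.

```python
#!/usr/bin/python3
"""Logging levels from the slide, captured so they can be inspected.
Added example; ListHandler, make_logger, login and demo are assumptions."""
import logging


class ListHandler(logging.Handler):
    """Keep formatted records in a list instead of printing them."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_logger(name="app", level=logging.DEBUG):
    logger = logging.getLogger(name)
    logger.handlers.clear()           # start fresh on every call (constructed demo)
    logger.setLevel(level)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s:%(message)s"))
    logger.addHandler(handler)
    return logger, handler


def login(logger, user, password_ok):
    """Emit records at the levels the slide describes; True on success."""
    logger.debug("checking credentials for %s", user)   # dropped when level > DEBUG
    logger.info("login subroutine starting")
    if not password_ok:
        logger.warning("failed login attempt for user %s", user)
        return False
    logger.info("login succeeded for %s", user)
    return True


def demo(level=logging.DEBUG):
    """Run one failed login at the given level and return the captured lines."""
    logger, handler = make_logger(level=level)
    login(logger, "alice", False)
    return handler.lines


if __name__ == "__main__":
    print(demo())
    print(demo(logging.WARNING))      # same code, debug/info lines filtered out
```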
Compiling Code
COMPILATION PROCESS
Preprocessing: preprocessor directives
Compilation: code translated to assembly
Assembly: generate object code from assembly
Linking: create final executable
Preprocessor Directives: Pulls down other code that needs to be compiled into this
application
Assembly: Converts assembly into an “object code,” which is specific to the target
processor. This is not human readable.
C CODE
Functions
Main function
int main(void)
{
C FILE TYPES
.h extension
Header File
Preprocessor directives
Functions/external variables/etc to include
.c extension
Regular C file
.cpp extension
Regular C++ file
GNU COMPILER COLLECTION (GCC)
gcc
Compiler for C, C++, and others
-E Preprocessing
-S Compiling
-c Assembly
-o Linking
-Wall turns on common warnings, helping to prevent simple issues
COMPILATION PROCESS
Preprocessing: preprocessor directives (#include)    gcc -E hello.c
Compilation: code translated to assembly             gcc -S hello.c
Assembly: generate object code from assembly         gcc -c hello.c
Linking: create final executable                     gcc -o hello hello.c
HEXDUMP (XXD COMMAND)
xxd <filename>
Prints hex output for the file
-l dd, prints out the first dd bytes
-a, autoskips null lines and replaces with a single *
-b, binary instead of hex
PRINTF COMMAND
%d, integer
%f, floating point
%c, character
%s, string
%p, pointer (memory location)
COMMAND ARGUMENTS
Registers
REGISTERS
REGISTERS
FUNCTION CALLS
GENERAL REGISTERS
BASIC REGISTER, RAX
ah (8 bits), al (8 bits)
CS,SS,DS,ES,FS,GS
16 bits
Hold the first part of a memory address, pointing to the code, stack, and extra
data segments
OFFSET REGISTERS
SPECIAL REGISTERS
EFLAGS: used by CPU to track results of logic and the state of the
processor
VIRTUAL MEMORY
MEMORY LAYOUT
Stack
Program stack
Constant variables
Heap
Dynamic memory allocation
C BUFFERS
Useful functions
strcpy()
fgets()
We will not be coding in C, but understanding how the language handles memory
locations is important to understanding how buffer overflows happen and how
attackers can manipulate them.
MEMORY LOCATIONS
Static buffers
Memory allocated at compile time
Examples:
static char static_buffer[128];   /* 128-byte buffer allocated at compile time */
DYNAMIC BUFFERS