
SecureSet Cybersecurity Analyst

AN IMMERSIVE CYBERSECURITY ANALYTICS PROGRAM
Systems Administration 300
Secure Coding and Compiling
LEARNING OBJECTIVES

By the end of this session, you should be able to:


LO1: Describe Secure Coding Practices
LO2: Describe Data Validation with Python
LO3: Explain the steps in code compilation
LO4: Create a hexdump of a Linux application using xxd

SECURESET.COM
©2018 SecureSet Academy, Inc | All Rights Reserved
SECURE CODING | EXPLANATION

Security mechanisms built into code
Less expensive to build in initially
Application level of the OSI or TCP/IP models

If good coding practices are implemented into the initial design, it is far less
expensive than having to rework the code later. It is also more secure to have
those functionalities built in from the beginning. Although many of these
vulnerabilities exploit lower OSI or TCP/IP model layers, the vulnerabilities
themselves are coded into the running applications.
SECURE CODING | INPUT VALIDATION

Data validation
Classify data as trusted vs. untrusted
Always validate untrusted data
Complete validation on a trusted system (the server)
Use a specific character set (UTF-8)
Encode to a common character set
Failures = rejection

Consider the source of data.
VALIDATING INPUT | WHITELISTING CHARACTERS

Validate data types (integer, string, etc.)
Validate date ranges
Validate lengths
Use a whitelist of characters or inputs, if possible

Using this strategy can ensure good input at all times, with any non-conforming
data being rejected.
VALIDATING INPUT | BLACKLISTING CHARACTERS

Blacklist validation
Known bad IPs
Reject any input with known bad characters

Considerations
You must maintain an ever-growing list of bad characters
New exploits found
Zero days
Time-consuming process as the list expands
VALIDATING INPUT | SANITIZE INPUT

Modify input to be acceptable
Whitelist: remove characters not on the list
Ex: Strip out dashes or other non-numeric characters in phone numbers or social
security numbers
Blacklist: remove characters on the list
Ex: Removing escape characters
Use a parser or encoder to determine final results
Ex: URL and directory traversals (covered later)
Ex: Base64 encoding for storing files
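The whitelisting and sanitization slides above, worked through in Python 3 as an added example (not code from the SecureSet slides): type, length and range checks, a character whitelist for a phone number, and a date check that parses after the shape test. The whitelists and limits are assumptions chosen for the example.

```python
import re
from datetime import date

# Whitelists for this example (constructed here, not from the slides): the only
# characters a phone field may contain, and the only shape a date may have.
PHONE_ALLOWED = set("0123456789-() ")
DATE_SHAPE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")  # [0-9], not \d: \d also matches non-ASCII digits

def sanitize_phone(raw: str) -> str:
    """Whitelist sanitization: anything outside PHONE_ALLOWED rejects the input
    outright; allowed separators are stripped; the result must be 10 digits."""
    if not set(raw) <= PHONE_ALLOWED:
        raise ValueError("phone contains characters outside the whitelist")
    digits = "".join(ch for ch in raw if ch in "0123456789")
    if len(digits) != 10:                               # length check
        raise ValueError("phone must contain exactly 10 digits")
    return digits

def validate_age(raw: str, low: int = 0, high: int = 120) -> int:
    """Type check, then range check.  int() alone is too lenient (it accepts
    ' 42 ', '1_000' and non-ASCII digits), so the shape is whitelisted first."""
    if not re.fullmatch(r"[0-9]{1,3}", raw):
        raise ValueError("age must be a whole number")
    value = int(raw)
    if not low <= value <= high:
        raise ValueError(f"age must be between {low} and {high}")
    return value

def validate_birthdate(raw: str) -> date:
    """Shape whitelist (YYYY-MM-DD), then a real parse so impossible dates
    such as 2024-02-30 fail, then a date-range check."""
    if not DATE_SHAPE.fullmatch(raw):
        raise ValueError("date must be YYYY-MM-DD")
    parsed = date.fromisoformat(raw)                    # ValueError if impossible
    if not date(1900, 1, 1) <= parsed <= date.today():
        raise ValueError("date out of accepted range")
    return parsed

def rejects(check, raw: str) -> bool:
    """True when a validator refuses the input: failure means rejection."""
    try:
        check(raw)
    except ValueError:
        return True
    return False
```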
AUTHENTICATION AND PASSWORDS

Establish and utilize a trusted authentication authority
Authentication should fail securely
Generic response (“Invalid username and/or password”)
Use input type “password”
Authentication disabling
Multi-factor authentication
SESSION MANAGEMENT

Ensure sufficiently random session IDs
Domain and path in cookies secure
Logout ends the session ID
New session ID with reauthentication
Periodically generate a new session ID
ACCESS CONTROL

Access control fails securely
Deny all access if it cannot access security info
Restrict access to “need to know”
Limit number of transactions
GENERAL CODING PRACTICES

Use tested and approved managed code
Use hashes to verify code, libraries, etc.
Utilize locking mechanisms to prevent race conditions
Raise privileges as late as possible and drop them immediately after use
PYTHON | PEP-8

PEP 8 is the Style Guide for Python
Common practices and "grammar" for Python
Used to write "beautiful" code

Can be found at:
https://www.python.org/dev/peps/pep-0008/

Part of the students' homework will be reading through the PEP-8 guidelines. When
you get to this slide, I would recommend explaining what PEP-8 is and then
opening up to the class and asking how adhering to a style guide could benefit (or
maybe subtract from?) their scripts. - Readability - Commenting for the next person who
takes your position in the company - etc.
PYTHON | VALIDATION FUNCTIONS

String validation methods built into Python 3:
isalpha(), isdigit(), isnumeric(), isdecimal(), isalnum()
isupper(), islower(), istitle()
isspace()
len()
lstrip(), rstrip(), strip()
startswith(), endswith()

#!/usr/bin/python3

def url():
    site = input("url: ")
    urlTest(site)
    return site

def urlTest(site):
    ext = ("com", "org", "net", "gov")
    # endswith() accepts a tuple of suffixes
    if not site.endswith(ext):
        exit("This is a bad url")
    if not site.startswith("https://"):
        exit("This is a bad url")

if __name__ == "__main__":
    site = url()
    print(site)

This is a short list of some of the validation functions already in Python 3. I would
recommend going through each line and having the class try to figure out when they
might be useful. Then go through the code to the right and try to figure out what it
does. - It is a very quick and dirty url tester to verify that the url you have is
secure and accessing a '.com', '.org', '.net', or '.gov'
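A stricter version of the url tester above, added here as an example (not the slide's code): it parses the URL first, so "https://foo.xcom" is rejected and "https://example.com/login" is accepted, and it returns False instead of calling exit(). ALLOWED_TLDS and the label pattern are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

ALLOWED_TLDS = ("com", "org", "net", "gov")
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")  # one DNS label

def check_url(site: str) -> bool:
    """Parse, then validate the parts: https only, no user:pass@ in the
    authority, a sane port, and a hostname whose last label is whitelisted.
    Anything unexpected is a rejection (False), never a repair."""
    try:
        parts = urlsplit(site.strip())
        parts.port                        # raises ValueError on a bad port
    except ValueError:                    # e.g. "https://[::1" or ":abc"
        return False
    if parts.scheme != "https" or parts.username is not None:
        return False
    host = parts.hostname or ""           # lower-cased, userinfo/port removed
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] not in ALLOWED_TLDS:
        return False
    return all(LABEL.fullmatch(label) for label in labels)

if __name__ == "__main__":
    # Constructed sample inputs for a quick run
    for sample in ("https://example.com/login", "https://foo.xcom",
                   "http://example.com", "https://user@example.com"):
        print(f"{sample!r}: {'ok' if check_url(sample) else 'bad url'}")
```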
PYTHON | WHILE LOOPS

Using while loops

myvalue = ""
# re-prompt while the input is empty or not shorter than 10 characters
while myvalue == "" or len(myvalue) >= 10:
    myvalue = input("Enter a string less than 10 characters: ")

break statement (infinite loops)

While loops can be used to loop over errors until corrected. They can be
implemented in a way that allows the while <condition> to be the error checking, or
they may be a while True: with a break statement that breaks out of the while loop
once the condition is corrected.
PYTHON | TRY-EXCEPT-ELSE STATEMENT

try:
    Some operations
except Exception_I:
    Some statements
except Exception_II:
    More statements
else:
    Execute if no exceptions

#!/usr/bin/python3

while True:
    try:
        num = input("number: ")
        num = int(num)
        break
    except ValueError:
        print("Please choose an int.")

print('You have typed an int.')

This is basic. It can get much more complicated (nested try statements, finally:,
etc.). From http://www.pythonforbeginners.com/error-handling/python-try-and-except:

IOError: If the file cannot be opened.
ImportError: If Python cannot find the module.
ValueError: Raised when a built-in operation or function receives an argument that
has the right type but an inappropriate value.
KeyboardInterrupt: Raised when the user hits the interrupt key (normally Control-C or Delete).
EOFError: Raised when one of the built-in functions (input() or raw_input()) hits an
end-of-file condition (EOF) without reading any data.
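The while-loop and try-except-else slides combined into one reusable prompt, added as an example (not from the slides): the loop is bounded rather than infinite, ValueError re-prompts, EOFError (listed above) fails closed, and the range check lives in the else branch. The `read` parameter and `fake_input` helper are assumptions so the loop can run without a terminal.

```python
def read_int(prompt, low, high, read=input, attempts=3):
    """Re-prompt until the user gives an integer in [low, high].
    Returns None after `attempts` bad answers or at end-of-file (fail closed)."""
    tries = 0
    while tries < attempts:         # bounded: hostile stdin cannot spin us forever
        tries += 1
        try:
            raw = read(prompt)
            value = int(raw.strip())  # ValueError on "abc", "1.5", ""
        except ValueError:
            print("Please choose an int.")
        except EOFError:              # input() hit end-of-file: stop, do not guess
            return None
        else:                         # runs only when no exception was raised
            if low <= value <= high:
                return value
            print(f"Please choose a value between {low} and {high}.")
    return None

def fake_input(answers):
    """Stand-in for input() (test helper, constructed here): replays a list of
    answers and raises EOFError once they run out, like a closed stdin."""
    it = iter(answers)
    def read(_prompt):
        try:
            return next(it)
        except StopIteration:
            raise EOFError
    return read

if __name__ == "__main__":
    print("you chose:", read_int("number (1-10): ", 1, 10))
```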
PYTHON | OUTPUT FORMATTING 1 (WHAT WE HAVE BEEN DOING)

Variable formatting

name = "Lionel"
course = ["Singing", "Theater", "Dance"]
print(f"Hello {name}, welcome to class")
print(f"Today we will discuss {course[1]}, {course[0]} and {course[2]}.")

import math
print(f"The value of pi is approx. {math.pi:.3f}")

** Remember this format does not work with all versions of Python 3 **

This is going to be similar to the next slide. I'd recommend going through each slide
together and then trying to have the class think of why having dynamic output
could be bad or good.
PYTHON | OUTPUT FORMATTING 2 (MOST LANGUAGES' FORMAT)

str.format()

print("Hello {}, welcome to {}".format("First Name", "Class"))
print("Today we will discuss {1}, {0} and {2}".format("Systems", "Crypto", "Networking"))

import math
print("The value of pi is approx. {0:.3f}".format(math.pi))

** This format is more common among other languages, but not as clean as the last slide **
LOGGING | EXPLANATION

What to log (where should these be logged?)
Input validation failures
Output validation failures
Authentication successes/failures
Authorization (access control) failures
Session management failures
Application errors and system events
PYTHON | LOGGING

Log to standard output
Log to syslog
Log to a file
Import the logging module, then set the threshold:

logging.basicConfig(level=logging.INFO)

Level     Numeric value
CRITICAL  50
ERROR     40
WARNING   30
INFO      20
DEBUG     10
NOTSET    0

Can also be set to logging.ERROR, logging.DEBUG, etc.

References:
https://docs.python.org/2.3/lib/node304.html
https://www.loggly.com/ultimate-guide/python-logging-basics/
https://docs.python.org/2/library/logging.html
https://fangpenlin.com/posts/2012/08/26/good-logging-practice-in-python/
PYTHON | LOGGING LEVELS

logger.debug()
Good for debugging information. Doesn't need to be removed after testing
(just set the logging level higher)
logger.info()
Subroutine starting, server state changes
logger.warning()
Not an error, but important (login attempts, etc.)
logger.error()
Exceptions thrown, login errors, etc.
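The logging slides above put to work, as an added example (not from the SecureSet slides): a logger with one handler and an explicit level, an input validation failure logged at WARNING, and a small caveat the slides do not show, that untrusted values must have control characters escaped and be truncated before they go into a log line, or an attacker can forge or flood entries. The handler target and the sample values are assumptions for the example.

```python
import io
import logging

def build_logger(name: str, stream, level=logging.INFO) -> logging.Logger:
    """Logger with a single StreamHandler writing to `stream`: sys.stdout, an
    open file, or an io.StringIO in a test.  Swap in logging.FileHandler or
    logging.handlers.SysLogHandler to send the same records elsewhere."""
    logger = logging.getLogger(name)
    logger.handlers.clear()          # fresh handler set on every call
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(
        "%(asctime)s %(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    return logger

def safe(text: str, limit: int = 64) -> str:
    """Make an untrusted value safe to embed in a log line: control characters
    (CR, LF, NUL, ...) are escaped so they cannot forge extra log entries, and
    the value is truncated so one huge input cannot flood the log."""
    cleaned = "".join(ch if ch.isprintable() else repr(ch)[1:-1] for ch in text)
    return cleaned[:limit] + ("..." if len(cleaned) > limit else "")

def log_validation_failure(logger: logging.Logger, field: str, value: str,
                           reason: str) -> None:
    # Validation failures are WARNING: not an application error, but an event
    # an analyst wants to count per source; DEBUG would be filtered out here.
    logger.warning('input validation failed field=%s reason=%s value="%s"',
                   field, reason, safe(value))

def demo() -> str:
    """Run the logger over constructed sample values and return the log text."""
    buf = io.StringIO()
    logger = build_logger("validation", buf)
    logger.debug("below the INFO threshold, never written")
    log_validation_failure(logger, "username", "admin\nINFO login ok", "newline")
    log_validation_failure(logger, "phone", "9" * 200, "too long")
    return buf.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```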
Compiling Code
COMPILATION PROCESS

Preprocessing: preprocessor directives
Compilation: code translated to assembly
Assembly: generate object code from assembly
Linking: create final executable

Preprocessor Directives: Pulls down other code that needs to be compiled into this
application.

Compilation: Translates human readable (C code) to assembly language, which is
CPU specific (Intel family, 64 bit, for example). This is still human readable.

Assembly: Converts assembly into “object code,” which is specific to the target
processor. This is not human readable.
C CODE

#include statement (preprocessing directives)
#include <stdio.h>

Functions

Main function
int main(void)
{
    /* completed here so the slide's fragment compiles as hello.c */
    printf("Hello\n");
    return 0;
}
C FILE TYPES

.h extension
Header file
Preprocessor directives
Functions/external variables/etc. to include
.c extension
Regular C file
.cpp extension
Regular C++ file
GNU COMPILER COLLECTION (GCC)

gcc
Compiler for C, C++, and others
-E Preprocessing
-S Compiling
-c Assembly
-o Linking (names the final executable)
-Wall turns on common warnings, helps to prevent simple issues
COMPILATION PROCESS (WITH GCC)

Preprocessing (preprocessor directives, #include): gcc -E hello.c
Compilation (code translated to assembly): gcc -S hello.c
Assembly (generate object code from assembly): gcc -c hello.c
Linking (create final executable): gcc -o hello hello.c
HEXDUMP (XXD COMMAND)

xxd <filename>
Prints hex output for the file
-l <n>, prints out the first n bytes
-a, autoskips null lines and replaces them with a single *
-b, binary instead of hex
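To make the xxd layout concrete, an added example (not from the slides): a Python 3 hexdump that reproduces xxd's default line format, the -l byte limit and the -a autoskip behaviour, run over a constructed byte string that starts like an ELF header. The '*' placement in a run of null lines is modelled on xxd's documented behaviour; -b is not implemented.

```python
import sys

def hexdump(data: bytes, length=None, autoskip: bool = False) -> str:
    """Render bytes in xxd's default layout: 8-digit hex offset, sixteen bytes
    as 2-byte hex groups, then a printable-ASCII column ('.' for the rest).
    length mirrors -l (first N bytes); autoskip mirrors -a (a run of all-zero
    lines collapses to one '*'; the final line is always printed)."""
    if length is not None:
        data = data[:length]
    cols = 16
    lines = []
    in_run = False
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        is_last = off + cols >= len(data)
        if autoskip and not is_last and chunk == bytes(cols):
            if not in_run:            # first zero line of the run prints '*'
                lines.append("*")
                in_run = True
            continue
        in_run = False
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        # pad the hex column to the width of a full 16-byte line (39 chars)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines)

def hexdump_file(path: str, length=None, autoskip: bool = False) -> str:
    with open(path, "rb") as fh:
        return hexdump(fh.read(), length, autoskip)

# Constructed sample: the first bytes of an ELF header, zero padding, then a
# short string, so both the ASCII column and autoskip are exercised.
SAMPLE = b"\x7fELF\x02\x01\x01" + bytes(9) + bytes(32) + b"hello\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(hexdump_file(sys.argv[1], autoskip=True))   # like: xxd -a <file>
    else:
        print(hexdump(SAMPLE, autoskip=True))
```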
PRINTF COMMAND

printf prints formatted output to stdout

printf("This is a decimal, %d, and a string %s", 7, "something");

%d, integer
%f, floating point
%c, character
%s, string
%p, pointer (memory location)
COMMAND ARGUMENTS

Default command variables
argc, count of command line parameters
argv, pointer to an array of strings of command line parameters

int main(int argc, char *argv[])
Registers
REGISTERS

Specific memory addresses
Store temporary data for use by the CPU and other components
General registers
Segment registers
Offset registers
Special registers
REGISTERS

Exist physically on the CPU
Faster than RAM
EBP: Extended Base Pointer
Stack grows downward from EBP (towards lower addresses)
BP: 16-bit register, EBP: 32-bit register
ESP: Extended Stack Pointer
Moves to a lower address as more data is pushed onto the stack
SP: 16-bit register, ESP: 32-bit register
EIP: Extended Instruction Pointer
Next memory address for instructions (.text section normally)
FUNCTION CALLS

Arguments pushed onto the stack
Usually in reverse order
Return address pushed onto the stack (EIP)
EBP pushed onto the stack
ESP copied into EBP (register)
GENERAL REGISTERS

EAX: Major calculations
EBX: Extra storage (32 & 64 bit machines)
ECX: Counter register
EDX: Extension for EAX
AX, BX, CX, DX: 16-bit versions
AH, BH, CH, DH: 8-bit high-order byte of AX, BX, ...
AL, BL, CL, DL: 8-bit low-order byte of AX, BX, ...
BASIC REGISTER, RAX

eax, ax, ah, al can refer to specific parts of rax

rax (64 bits)
  eax (32 bits)
    ax (16 bits)
      ah (8 bits) | al (8 bits)

eax refers to the lower 32 bits of rax
ax refers to the lower 16 bits of eax
al refers to the lower 8 bits of ax
ah refers to the upper 8 bits (high) of ax
SEGMENT REGISTERS

CS, SS, DS, ES, FS, GS
16 bits
Hold the first part of a memory address, pointing to the code, stack and extra data
segments
OFFSET REGISTERS

EBP: Extended Base Pointer, points to the beginning of the local environment
for a function
ESI: Extended Source Index, holds the data source offset
EDI: Extended Destination Index, holds the destination offset
ESP: Extended Stack Pointer, points to the top of the stack
SPECIAL REGISTERS

EFLAGS: used by the CPU to track results of logic and the state of the
processor
EIP: Extended Instruction Pointer, points to the next instruction to be
executed
VIRTUAL MEMORY

OS maps virtual memory to physical memory
Memory is dynamically allocated
Each process has its own virtual address space
MEMORY LAYOUT

Stack
Program stack
Constant variables

Heap
Dynamic memory allocation

Uninitialized Data (bss)
Global variables
C BUFFERS

Temporary storage areas
Can be any data type
Often a char array, examples:
char *myarray;
char mybuffer[10];

Useful functions
strcpy()
fgets()

We will not be coding in C, but understanding how the language handles memory
locations is important to how buffer overflows happen and how hackers can
manipulate them.
MEMORY LOCATIONS

Static buffers
Memory allocated at compile time
Defined outside of the main function or by using the static keyword
If uninitialized, a pointer in the .bss will point to the memory in the dynamic
space
If initialized, the variable will be allocated memory in .data

Example:
static char static_buffer[128];
DYNAMIC BUFFERS

Memory allocated at runtime
Flexible, but require additional steps for management
Memory leaks
Data leaks
Usually allocated in heap or stack space