Getting Started

You're a tester and you have an application to test for security weaknesses. Where do you start? Well, it depends on whether you want to perform black-box testing or white-box testing. Black-box testing involves testing the product without access to the source code and, potentially, without the design documents. White-box testing involves reading the specifications and source code and using that knowledge to build test cases. In my opinion, it's not a black or white world; the best testers use both methods.

This chapter focuses primarily on black-box testing, augmented by a good understanding of how the application's external interfaces work in the context of the entire system. However, it's assumed you might have access to the source code at some stage to assist in building test applications and tools. Of course, hackers always have access to the code, either the source code itself or the disassembled code.

The ultimate goal is to create security problems by probing the entry points into an application. Take a look at the following C++ program:

    #include <string.h>

    #define MAX_BUFF (128)

    int main(void)
    {
        char szBuff[MAX_BUFF];

        // Fill the buffer 20 times. The length passed to memset is the
        // buffer's own size, so nothing is ever written past the end.
        for (char i = 0; i < 20; i++) {
            memset(szBuff, i, MAX_BUFF);
        }
        return 0;
    }

Not very exciting, is it? Bugs in the compiler aside, this program has no security vulnerabilities because it takes no external input, even though it's using a function that can potentially create a buffer overrun, memset.

An application that takes input from external sources could potentially have one or more vulnerabilities. Now look at the following abbreviated code:

    #include <windows.h>

    #define MAX_BUFF (128)

    void CopyMemoryIntoBuffer(char *szBuff)
    {
        // Open the registry entry.
        HKEY hKey;
        RegOpenKey(..., &hKey);

        // Query the data size in the registry.
        DWORD cbData = 0;
        RegQueryValueEx(hKey, ..., NULL, &cbData);

        // Copy the data from the registry. cbData is the size of the
        // registry value, not the size of szBuff, so a value longer than
        // MAX_BUFF bytes is written past the end of the caller's buffer.
        RegQueryValueEx(hKey, ..., (LPBYTE)szBuff, &cbData);
    }

    int main(void)
    {
        char szBuff[MAX_BUFF];
        CopyMemoryIntoBuffer(szBuff);
        return 0;
    }

This code is vulnerable to a buffer overrun because the data in the registry is copied directly into a local buffer without regard for the size of the local buffer: the first RegQueryValueEx call retrieves the size of the registry value into cbData, and the second call passes that same value back as if it were the size of szBuff, so a registry value longer than MAX_BUFF bytes overwrites whatever follows the 128-byte stack buffer. Even though the code is vulnerable to attack, you would not necessarily know from the outside that it is vulnerable to a buffer overrun, because there's no direct, measurable output. Remember: a buffer overrun that adds a new user to the local administrators group is silent!

important

To create a useful test case, an application must take input and provide an output that can be evaluated by the tester.
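The following is an added example, not code from the book, that puts the two preceding points together. It re-implements the registry-copy pattern above in portable C with a constructed in-memory stand-in for the registry (query_value is a hypothetical helper that mimics the two-call RegQueryValueEx protocol, including ERROR_MORE_DATA), places the book's unchecked copy beside a hardened form that passes the real buffer capacity, and adds probe functions that feed an oversized value and return a result a tester can assert on, which is exactly the measurable output the original code lacks. All names, the sample value bytes, and the error-code values are assumptions for this illustration.

```c
/* Added example: the registry-copy pattern re-implemented portably with a
 * constructed in-memory "registry", so it runs without Windows. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_BUFF 128
#define ERR_SUCCESS   0
#define ERR_MORE_DATA 234   /* numeric value of ERROR_MORE_DATA on Windows */

/* Constructed stand-in for a registry value. An attacker who can write the
 * value controls both its bytes and the length reported for it. */
typedef struct {
    const unsigned char *data;
    size_t cb;
} value_t;

/* Hypothetical stand-in for RegQueryValueEx's two-call protocol:
 *   out == NULL -> report the stored size in *pcb;
 *   otherwise   -> copy the value if it fits in *pcb bytes, else return
 *                  ERR_MORE_DATA and the required size.
 * Like the real API, it trusts *pcb as the size of the caller's buffer. */
int query_value(const value_t *v, unsigned char *out, size_t *pcb)
{
    if (out == NULL) {
        *pcb = v->cb;
        return ERR_SUCCESS;
    }
    if (*pcb < v->cb) {
        *pcb = v->cb;
        return ERR_MORE_DATA;
    }
    memcpy(out, v->data, v->cb);
    *pcb = v->cb;
    return ERR_SUCCESS;
}

/* The book's pattern: the size reported by the store is handed straight
 * back as the size of a MAX_BUFF-byte buffer, so any value longer than
 * MAX_BUFF is copied past the end of buf. Shown for comparison only and
 * never called with an oversized value in this program. */
int copy_value_unchecked(const value_t *v, unsigned char *buf)
{
    size_t cb = 0;
    query_value(v, NULL, &cb);
    return query_value(v, buf, &cb);   /* cb may exceed the real buffer size */
}

/* Hardened form: pass the buffer's true capacity and let the store refuse
 * anything that does not fit. The refusal is the observable output. */
int copy_value_checked(const value_t *v, unsigned char *buf, size_t cbBuf)
{
    size_t cb = cbBuf;
    return query_value(v, buf, &cb);
}

/* Probe 1: a value twice the buffer size. Returns 1 when the hardened copy
 * rejects it and leaves the buffer untouched, 0 otherwise. */
int probe_oversized_input(void)
{
    unsigned char big[MAX_BUFF * 2];
    unsigned char buf[MAX_BUFF];
    memset(big, 'A', sizeof big);          /* constructed attacker value */
    memset(buf, 0, sizeof buf);
    value_t v = { big, sizeof big };
    int rc = copy_value_checked(&v, buf, sizeof buf);
    return rc == ERR_MORE_DATA && buf[0] == 0;
}

/* Probe 2: a value that fits. Returns 1 when it is copied intact. */
int probe_fitting_input(void)
{
    static const unsigned char small[] = "sample value";   /* constructed */
    unsigned char buf[MAX_BUFF];
    value_t v = { small, sizeof small };
    int rc = copy_value_checked(&v, buf, sizeof buf);
    return rc == ERR_SUCCESS && memcmp(buf, small, sizeof small) == 0;
}

int main(void)
{
    printf("oversized input rejected: %s\n", probe_oversized_input() ? "yes" : "no");
    printf("fitting input copied:     %s\n", probe_fitting_input() ? "yes" : "no");
    return 0;
}
```

The design point is in copy_value_checked: it never trusts a length that came from the data source as the size of its own buffer, and it surfaces the mismatch as a return code instead of silently writing past the end. A black-box tester can then plant an oversized value at the entry point and check that the program reports the rejection, which turns the silent overrun of the original into a test with a pass/fail result.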

So let s put all of this into practice by looking at building security test plans.



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2005
Pages: 153
