The opening keynote at STAR East this morning was James Whittaker (who I'm happy to say has joined Microsoft!) talking about security testing. James focused on three areas:
- Input. One common source of security bugs is unhandled/mishandled input of, shall we say, a special nature. SQL injection for example: entering ' OR 1=1 -- as a user name. If this "user name" is stuffed directly into a SQL query such as
SELECT * FROM USERS WHERE USERNAME='<username>' AND PASSWORD='<password>'
, this attack turns that query into
SELECT * FROM USERS WHERE USERNAME='' OR 1=1 -- AND PASSWORD='<password>'
- which returns every last record, since "1=1" is always true and everything after the "--" is turned into a comment. Oops.
- Environment. Muck with the environment and see what happens. For example, Microsoft Internet Explorer used to have a bug where it did not supply a path when it dynamically loaded its parental ratings DLL. So if you used a tool like Holodeck or Process Explorer to discover that IE loaded a DLL named MSRATINGS.DLL, and then you copied any random file side-by-side to iexplore.exe as MSRATINGS.DLL, IE would follow standard file-searching behavior and load your trojan DLL. The dynamic load would of course now fail and so IE would simply disable parental controls. You can bet thirteen-year-olds everywhere know about this hack! <g/>
- Logic. Ponder how a feature might be implemented and then look for a way to break it. For example, anytime an ActiveX control tries to load, IE pops a message box asking whether you want to let it run. IE used to have a bug where if the load was executed from script and the load was attempted multiple times - in a loop, say - you would only be asked the first time. That's nice of IE, isn't it, to not repeat a question you've already answered? Just one problem: it acted as though you had said "Yes, please load it" even if you answered "No, don't load that nasty evil thing"! All your base are belong to us, indeed.
Each of these exploits requires sophisticated security tools. Like Notepad. Which was James' point: security hacking is often not a sophisticated process. Which means there's no reason why we can't find the problems before we ship.
Of course, if you *like* seeing your company's name on the morning news you can skip security testing...