RE: Microsoft Writing Secure Code

Subject: RE: Microsoft Writing Secure Code
Date: Thu, 13 Jan 2005 07:51:23 +0200

OK, I agree there is no golden/silver bullet.

But here are my thoughts on the scenarios and on some of the replies I have 
received.
Also assuming, what to me would be, a worst case scenario, that some other "non 
security conscious" developer is writing the higher up functions / components, 
accessing the code below and for some or other (unknown) reason the attacker 
can set var_userLevel.

I will also have a look and see if the book is available locally.

Scenario 1
==========
Constant USER = 1 
Constant ADMIN = 2

With Option 1:
Changing the var_userLevel to anything other than 1 would give the attacker an 
escalation to Admin. (Very BAD)

With Option 2:
Changing the var_userLevel to anything other than 2 would leave the attacker at 
the lower level. This is better than scenario 1, but still has a downfall, 
since we are using scalar values the next and previous variables can be 
guessed. (BAD)

With Option 3:
This scenario would be the same as for 2 although any wrong guesses would be 
captured by the system. Hopefully the capture is in a pro-active manner 
(email?), rather than a re-active manner (some log file?). (BAD but better than 
1 and 2)

Scenario 2
==========
Constant USER = 687FF22C4F8644A1B0CAE44074ED516F 
Constant ADMIN = 7F80CB5268C3492193C5F9EB66FD7D39

With Option 1:
Changing the var_userLevel to anything other than 
687FF22C4F8644A1B0CAE44074ED516F would give the attacker an escalation to 
Admin. (BAD)

With Option 2:
Changing the var_userLevel to anything other than 
7F80CB5268C3492193C5F9EB66FD7D39 would leave the attacker at the lower level. 
This is better than scenario 1, but still has a downfall, since the attacker 
has the world of time to guess the other levels. However the complexity of the 
variable would hopefully discourage him / her. (Better)

With Option 3:
Changing the var_userLevel to anything other than 
7F80CB5268C3492193C5F9EB66FD7D39 would leave the attacker at the lower level, 
and any incorrect guesses would be logged. The chances that the attacker would 
guess the other correct variable are extremely remote. (BEST)

For this reason, I program with complex non-sequential numbers for variables, 
and it "assists" in making higher non secure code more secure.

However the downfall with this more complex non-sequential variable is that the 
more variables there are the easier it becomes to guess. Thus one would find 1 
variable in 10 000 000 variables a lot quicker than 1 variable in 1 000 
variables.

Any comments / suggestions welcome (I am here to learn more).

Regards
  Anton

-----Original Message-----
From: Damhuis Anton [mailto:DamhuisA@aforbes.co.za]
Sent: dinsdag 4 januari 2005 10:53
To: secprog@securityfocus.com
Cc: Michael Howard
Subject: RE: Microsoft Writing Secure Code


~~Pseudo code Begin~~
Option 1:
If var_userLevel = USER then
   ... display User info
else
   ... display Admin info
end if

Option 2:
If var_userLevel = ADMIN then
   ... display Admin info
else
   ... display User info
end if

Option 3:
If var_userLevel = ADMIN then
   ... display Admin info
elseif var_userLevel = USER then
   ... display User info
else
   ... capture error
end if

~~Pseudo code End~~


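The three options and two constant schemes discussed in this thread, as an added Python example that is not part of the original posts: it runs each branch style over a constructed set of tampered var_userLevel values and reports which ones land on the admin branch. The names option1, option2, option3 and tamper_report are hypothetical, and modelling the Scenario 2 constants as integers is an assumption.

```python
import logging

log = logging.getLogger("authz")

# Constants as posted in the thread (assumption: modelled here as integers).
SEQUENTIAL = {"USER": 1, "ADMIN": 2}                      # Scenario 1
RANDOM = {"USER": 0x687FF22C4F8644A1B0CAE44074ED516F,     # Scenario 2
          "ADMIN": 0x7F80CB5268C3492193C5F9EB66FD7D39}


def option1(level, c):
    """Option 1: anything that is not USER falls through to the admin branch."""
    return "user" if level == c["USER"] else "admin"


def option2(level, c):
    """Option 2: anything that is not ADMIN falls through to the user branch."""
    return "admin" if level == c["ADMIN"] else "user"


def option3(level, c):
    """Option 3: every known level is matched; anything else is captured."""
    if level == c["ADMIN"]:
        return "admin"
    if level == c["USER"]:
        return "user"
    log.warning("unexpected var_userLevel %r", level)  # the 'capture error' branch
    return "rejected"


def tamper_report(c):
    """Return, per option, the tampered values that reach the admin branch.

    Tampered values are constructed: the previous and next neighbours of USER
    (the guessable scalars from Scenario 1), -1, and a missing value.
    """
    tampered = [c["USER"] - 1, c["USER"] + 1, -1, None]
    return {f.__name__: [v for v in tampered if f(v, c) == "admin"]
            for f in (option1, option2, option3)}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, consts in (("sequential", SEQUENTIAL), ("random", RANDOM)):
        print(name, tamper_report(consts))
```

With the sequential constants the "next value" guess reaches admin under every option; with the random constants only Option 1 still does, and only Option 3 records the bad values.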