I just uploaded the latest version of this tool to sourceforge and updated its page at owasp.org : https://www.owasp.org/index.php/DN_BOFinder.

Let me know what you think of it.

I basically decided to accept a very generous (and flexible) offer by
OunceLabs (http://www.ouncelabs.com) to (as a contractor and special
advisor) help with the development of their product and on their
technical consultancy services.

As you know I value my independence and integrity very highly and am
happy to say that the contract with Ounce will still allow me to work on
other projects (i.e. I am only committed to Ounce a certain number of
days per month). Basically I am replacing my current recurring contact
with a global bank with a recurring contract with source code security
scanner vendor.

This changes nothing on my current OWASP responsibilities and
commitment. If anything it will increase it since Ounce benefits
enormously with OWASP’s growth, maturity and reach.

I am still 100% committed to OWASP values, and please let me know (and
hit me on the head) if I go off on weird tangents.

One of the reasons I chose to accept Ounce’s proposal was the
opportunity to work and help to develop the next generation of source
code scanners (especially in the .NET area). As you know I do have
strong views on how they should work, what they should do and where they
should be used, and it is my plans to document and blog about it as much
as possible.

Of course that when I speak with my OWASP hat I will have to be
independent which means that I will not make those posts ‘under-
cover marketing messages’ or anti-Fortify (the main competitor) rants.

This will also be an opportunity to start defining better how OWASP
materials should be referenced since OunceLabs is one of the companies
that currently ‘abuses’ OWASP’s top 10 (them and every other web app
scanner). So I view as one of my responsibilities to sort this mess out
and really clarify what (using the Top 10 as an example) can and can’t
be detected using XYZ tool/technique.

This means that OWASP’s board will now be made of 1 member from a vendor
organization (me) and 3 from a training/consulting company (Jeff, Andrew
and Dave (all from Aspect)). Side Note, it would be interesting to do a
similar analysis about our project and chapter leaders.

As committed as always to OWASP,

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

1) Microsoft Develoment Environment:

* IIS with ASP.NET
* Windows 2003 Web edition with SP1
* .Net Framework 1.1
* .Net Framework 2.0
* .Net Framework SDK 2.0
* Visual Studio C# Express
* Visual Studio C++ Express
* Visual Studio Web Developer Express
* MSSQL Server 2005 Express
* MSDN Express Library

2) other non-security windows tools

* Winzip (evaluation)
* FireFox
* Adobe Acrobat Reader
* Java Runtime
* VMWare Tools
* SnagIt (evaluation)
* TrueCrypt
* Eclipse
* Regulator - RegEx builder tool

3) OWASP Tools

* OWASP WebScarab
* OWASP WebGoat
* OSG - OWASP Site Generator
* ORG - OWASP Report Generator
* OWASP Tiger
* CAL 9000
* Sprajax
* offline copy of the
- OWASP Top 10
- OWASP Testing Guide (new one)
- OWASP Guide

4) Network / Infrastructure tools:
* WinPCap & WireShark
* Cain & Able
* Echo Mirage - C++ Tcp Trafic hooking tool
* IIS 6.0 Resource kit (mainly for the IIS Metabase tools: MetaAcl.exe and MtaEdt22.exe)
* MSBA (Microsoft Baseline Security Analyzer)
* Microsoft Threat Modeling tool (both versions)
* Metasploit 2.6 & 3.0
* Nessus
* SysInternals tools:
- Process Explorer
- FileMon
- RegMon
- TCPView
- TDIMon
- DbgView
- TokenMon
- AccessChk
- Autoruns
- Handle
- RootkitRevealer
- WinObj

4) Debuggers

* Microsoft Debugging tools for Windows
* OllyDbg
* PEBrowse Pro
* PEBrowse Debugger

5) Web attack tools
* SQL Power Injector
* GnuCitizen AttackAPI - XSS attack toolkit
* WinHTTrack
* Brutus
* Nikto

6) .Net tools
* Reflector
* Fiddler - Web Proxy
* CLRProfiler 2.0
* FxCop
* Managed SPY - .Net manipulation Tool (for local .Net processes)
* NProf - .Net Profiler
* WoanWare tools (from www.woany.co.uk):
- Requester
- HttpCodeGen
- Encoder
- HttpLibrary
* Enterprise Library
* WSE 3.0

7) Browser extensions
* Sleuth (Evaluation) - Has a great IE browser plug-in that allows the direct editing of Web pages
* for IE
- IE Dev Toolbar
- Tamper IE
- WoanWare Quick’n'Dirty
* for Firefox
- Tamper Data
- Add N Edit Cookies
- WebDeveloper
- Switch Proxy
- Header Monitor
- LiveHttp Headers
- JavaScript Debugger
- View Source Chart
- IE View

8 ) Foundstone tools
* Hacme Bank
* Validator .Net
* Code Scout
* CookieDiger
* dotNetMon - tool trace .Net methods in real time
* SiteDigger
* WSDigger

9) Web Applications

* Community Server
* DNN
* ASPNuke

10) Additional material (I usually put this on a separate folder called ‘Additional .Net tools’

[.] [GotDotNet Win32Security]
[..] [LogParser]
[2.0 Membership Provider] [MS Solution for Windows-based Hosting version 3.0]
Absinthe-1.4.1-Source.tar.gz [NET Profiling API material]
Absinthe-1.4.1-Windows.zip [Nunit]
[ASP.NET user authentication] [Partially Trusted Material]
[ASPNET WatchDog] [Strong Naming]
[ASPNET windows authentication] [Using PersonalizationStarter (2.0)]
[CLR SPY] [SharpDevelop]
[DotNet Hook Library 2.1] [Snippet Compiler (C# Development Environment)]
[Encryption and Key Management] [_XSD Object Generator]
[GotDotNet RoleBasedSecurityExample]

• Practical Anti-DNS Pinning Writeup
• Circumventing DNS Pinning for XSS
• (somewhat) breaking the same-origin policy by undermining dns-pinning
• http://t3.dotgnu.info/blog/insecurity/dns-pinning-explored.html

This looks to me to be a much bigger problem that is seems (and is being acknowleged).

Basically to exploit DSN Pinning ‘all’ the attacker needs to do is to:

1) get the victim to open a page from www.atacker.com (the www.atacker.com DNS will give out two IPs: the first will be the real www.atacker.com IP and the 2nd will be the IP of the www.targetwebsite.com (which could be internal))

2) the attacker drops the www.atacker.com server (dinamic firewall rule or other) so that the victim’s browser will clear that DNS entry

3) the script loaded in the victim’s browser opens another page from www.atacker.com/target.html which will now be fetched not from www.atacker.com but from the IP of www.targetwebsite.com (and having access to it’s contents since from the browser point of view it is still the same website/DNS name).

As with CSRF, this means that most websites out there are vulnerable.

I actually want to do a bit more research on this since this is sounding too bad to be true. Hopefully there will be some variations that will reduce the exploitability (one for example will be that this will not work if the server is doing virtual DNS name mappings and doesn’t accept direct IP requests or requests from other domains)

So the logic here is that by 2011 there as been a clear and hard move to to execute non-kernel code in Partial Trust Managed Code environments (note that I group Full Trust with unmanaged code) together with the use of VPCs (or VMware) to execute certain type of applications which don’t need direct access to the user’s assets (for example games)

And that by 2015/2020, the conversion is made and most of the code executed is Partial Trust Managed Code. The issue will then be the security of that 1% of unmanaged & Full Trust code, and the CAS policies that control the rest of the code (and that will be a job for the security companies).

The good news is that altough we will probably still need some types of AV,IDS, HPS (or whatever they will call themselves at the time), in this managed and verifiable world these tools will actually have a chance to detect and contain malicious behaviour / activities.

The reason I am moving a lot of code into the Virtual PC world is because I was looking at some of the use-cases of the software that it is used everyday, and there are large types of applications which only need “hardware + OS resources” to run (games are the best example), and don’t need any (or very limited) access to user’s assets. So in those cases it makes sense to run those apps in virtual pc environments, and here think ‘Citrix Application Virtualization’ ( http://www.citrix.com/English/ps2/products/product.asp?contentID=186) and not ‘VMWare’ (note that those applications don’t need an entire OS, they only should need the hardware, the kernel, the win32 APIs and a couple of supporting services).

Ideally that ‘bridge’ between the Virtual PC environment and the user assets would be implemented via a PTMC (Partial Trust Managed Code) application which would then envorce CAS rules to user’s assets accesses

Even I with my focus on PTMC application I know that PTMC games will NOT happen anytime soon, and since most games NEED almost full access to the user’s hardware (and admin/system access) there is NO way they will be written in user-land PTMC (on that note, we might want to make some changes in our hardware access so that code running under admin / system inside one of those VMs can NOT rootkit my network card by patching it’s flash memory.

So I think that with time we will find that large parts of the apps we run everyday are executed inside this ’sandboxed’ OS environments.

———————————

Final comment, don’t agree with this ideas? no problem, show me your solution?

Vista, XP (and soon) Mac OSX /Linux clearly shown the limitations of trying to control and sandbox unmanaged code (oh, I forgot UAC is not a security feature anymore!).

So what is the plan to secure the user’s assets in 2,5, 10 years from now?”

• ‘Awareness Mode 1) Blissful ignorance’ - When companies have no idea of their vulnerabilities. This changes when they are attacked or pay for a competent and thorough security penetration test
• ‘Awareness Mode 2) The Patching Dance’ - When companies know where the problems are, and issue regular patches to solve them (this mode usually contains a healthy security full-discosure market)
• ‘Awareness Mode 3) The SDL Dream’ - After a while in mode 2, companies start to fall for the dream that ‘we can detect, solve or greatly reduce these issues using a strong, security focused SDL’
• ‘Awareness Mode 4) The Alignment’ - Once the limitations of Mode 3 are apparent (and correctly diagnosed) the companies realize that the only ‘real’ solution is to change their business model (

Microsoft is currently in Mode 3 with its 2007 releases (Vista, Office, Sharepoint, etc…) and on Mode 2 with its other OSes (and products) and Mode 1 with its online services.

The day the following happens, will be the day that Microsoft is aligning its business model to its security requirements:

• De-coupling of OS and it’s current bundled applications (i.e. stop selling Megalomaniac Operation Systems, and start selling each major component separately (Kernel, windows GUI, User Applications, IE, IIS, etc….)
• De-coupling of the .NET framework and its core components
• Focus on Managed/Verifiable code (creating the ‘Brand’ that will make clients recognize such products)
• Really embracing Open Standards and stopping ‘lock-in predatorial behaviour’
• Running online services under partial trust (making their clients aware of it, and tying its SLA to it)

Note that moving software in-house to provide it as a service (as google will soon find out) is not something that has less security requirements than a normal ‘desktop/server packaged applications’, it has MORE security requirements since its security exploitation will affect ALL customers (i.e. in a ’software by service’ mode, Awareness Mode 4 is even more important)

As with all my previous meetings/lunches with Microsoft employees, it was an interesting intellectual discussion but with no tangible results or actionable actions since they (and Microsoft) are currently not focused on this problem (or don’t think that Partial Trust Managed Code is a valid solution). I also think that I need to speak with their bosses, but unfortunately their bosses are not talking to me.
—————————————

There are numerous reasons that explain the current lack of focus (and faith) by Microsoft (and others) on Partial Trust Managed Code (PTMC), the main ones being:

• the lack of attacks to Full Trust environments (think of all those ISPs selling Full Trust ASP.NET accounts which are trivial to exploit and 0wn)
• the failure by Microsoft’s .NET team to implement certain types of applications and OS components in Partial Trust Managed Code (you can just hear the C++ crowd saying “man those guys can’t even do it in Full Trust!!!”)
• the non existent of public attacks that exploit the fact that our “main security defence method is the reliance of the non execution of malicious code in our environments” (this would had changed if WinZip, Flash or Adobe (for example) had been infected with malicious code that was successfully exploited in a spectacular and public way)
• (from Microsoft’s point of view) the fact that it’s main competitors are also in denial and not going in that direction

To solve it, changes will need to occur in multiple areas (and will need to address them all in order to have a real solution)

• Technological
• Political
• Strategical
• Economical
• Social
• Educational

Technological

We need better tools to write Partial Trust Managed Code (PTMC), manage its environment and prevent/detect/stop malicious code. For example:

• Dynamically calculate required CAS permissions (don’t get me started on PermCalc)
• Refactor code that requires higher permissions into separate assemblies (so that only 1% of the code will need to run outside the Sandbox)
• Converters of unmanaged code to managed code (i.e. C++ to C#, VB6 to VB.Net, etc…)
• Source code audit tools that identify vulnerabilities or areas that might have vulnerabilities
• “.Net Time-machine (ala Flight Recorder)” - ability to record the entire state of all objects during a .Net Execution and allow the execution, debugging and fuzzing from any arbitrary point (see Java’s DeJaVu and JaRec Projects (I remember seeing another PoC of this type of tool, but can’t seem to be able to find the link))
• Smart fuzzers (to find run-time vulnerabilities)
• ‘Security rating calculators’ which will give a product (or dll) a rating based on the ‘threat profile of that application’ (for example the more unmanaged code, the worse rating) . This will be a very important part of the ‘Partial Trust Brand’
• Development environments that allow the development of complex and feature rich partial Trust applications like IE in managed code
• New execution environments (aka mini CLRs) that allow the execution of Managed/Verifiable code in : Services, Drivers, plug-ins etc…
• New Virtual PC Execution environments that allow the safe execution of ‘potential malicious applications’ whose interface with the user’s assets are controlled by a managed/verifiable application (and CAS policies)
• ‘What is going on’ tools. When I run an application I need to know EVERYTHING it does. And if the application somehow escapes the ‘execution monitoring system’ I want to know that it did. Now that Microsoft bought SysInternals, can we have a massive boast on those tools capabilities?. This tools must also build CAS polices based on what they detected the target application needs.
• Tools that allow the easy development and use of CAS and RBS (Role Base Security) and frameworks for securing an application’s Business-Logic (for example using a CAS to prevent the user account’s from being changed, or an bank account from being accessed)
• Code Coverage Tools - To know how much of an application has been tested, fuzzed or executed
• ‘Real time Hot Patching of Jitted methods (without using the .NET profiler)’ - For advanced defence solutions we will need the capability to make changes to jitted code (i.e . writing patches in C#)
• For ASP.NET we need:
  • WAF (Web Application Firewalls) with pluggable modules for: Data Validation, Authentication, Authorization, Anti-CSRF, DoS, Business-Logic vulnerabilities, etc…
  • A framework similar to Struts (which force the developers to do the right thing (i.e. explicitly define all inputs into their application)
  • IDS (Intrusion Detection Systems) with the capability to change the application’s behaviour when under attack
  • Native Http Pipeline for IIS 5 and 6 (similar to what seems that will happen in IIS 7)
    • This will be very important to protect ASP Classic pages . I know several companies that are trying to implement such modules, and they will not have the resources and knowledge to implement a comprehensive and secure solution
  • CAS demands for dangerous methods (for example methods and classes that allow SQL Injections, XSS, etc…)
    • The current CAS permission’s model is designed to protect the server and the other co-hosted applications. This needs to be extended so that CAS can be used to protect the actual application from vulnerabilities in its code
  • CAS demands for methods or code that ’should’ exist (for example data valiation checks, authorization, etc….)

We also need to normalize the windows security features into a common framework. I would propose that we used the current CAS model for all security related decisions and configurations (for example using CAS to define: Windows ACLs, Firewall rules, UAC settings, etc..). But for this to be practical, CAS (and all it’s pluming) should be removed from the .NET Framework’s BLOB and be implemented as a separate, de-coupled module

Political

Microsoft needs to come out loud and clear and say ‘Managed Verifiable code is the way to go, and we all (MS and its community) need to go that way’

The fact that Sun, Apple, Google and the Linux crowd are not doing this should not be seen as an excuse but it should be seen as an opportunity.

We need a ‘Towards a Managed and Verifiable world’ memo (Ray are you listening?)

Strategic

Microsoft needs to change its core business model from selling massive highly-coupled applications (best examples are OSes the .NET Framework and the online web services: MSN, Live , etc..) and go to a model where each application and component is developed, executed and sold separately (note that online services need even MORE security than normal software packaged applications).

For this to work, Microsoft would need to ‘really’ embrace open standards and multi-layer application models where each layer (or component) is 100% independent and the only communication channels between layers are simple, open and well documented.

Economical

It must make commercial sense to write managed/verifiable code (in both Windows and ASP.NET worlds). Which means that the paying clients that are purchasing software/applications/services MUST demand such code (and MUST reward the companies that write them)

It also must make commercial sense (and be realistic) for companies to provide ‘Application security verification services’ . And this is a big opportunity for security vendors: “give me a service that checks and certifies applications and I will pay for it (as a monthly subscription).”

Social

We have to stop blaming the users for using our products the way they where supposed to be used. The current security model where the user is expected to make a major security decision on every prompt doesn’t work (and will not hold much longer).

It is not the User’s responsibility to restrict malicious code execution, it is the OS (and application audit security teams) responsibility.

Also remember that the browser is becoming the target, and for example:

• the users will not care if their OS (or kernel) is not compromized if they just lost their assets
• the attackers will not care if their exploit doesn’t survive a reboot if they are able to steal/exploit the user’s assets

Educational

There will need to be a big push on how to program for Partial Trust environments, and there must be a special focus in teaching the Network and Infrastructure teams since they should be the ones that define the CAS policies (not the developers)

• Aspect-Oriented Service Architecture: “Built Inâ€? or “Bolted Onâ€? Security?
• I Hate to Admit It, but Those Network Guys Are Pretty Smart
• Penetration Testing
• Darn the SOX, We Need More Security Ahead
• Keeping up with the Jones’ Security Initiatives
• Welcome

[update: the exploit code is here: http://www.securityfocus.com/archive/1/461794/30/0/threaded (how come I am still one of the few that think that we need Sandboxes?)]

nice, the business model is evolving.

But this is still a very ‘inefficient’ attack since:

  

 a) the final binaries were the ones infected (very easy to detect (imagine if the infected code was actually from ‘real’ SVN source code and made from a ‘trusted’ developer))

 b) by the speed this was detected the exploit (and the blog page didn’t give a lot of details about it) must have been a very ‘HEY I AM A BACKDOOR!!!!’ kind of code.  A real exploit would be one that (using a .NET example) used a type confusion attack to insert a buffer overflow on a remotely accessible method (which would be inserted in day X and only used a couple months later).

but it’s evolving…..

Can everybody that writes code and has a Browser window open under the same user account (even if non admin) raise their hand? … nice so many hands (including mine)…. guess what, if your browser is 0wned, so will be your code..

And OWASP uses WordPress (although Mike tells me that we were not affected) for our blogs (blogs.owasp.org), nice

I am still waiting for the day that we will be maliciously hacked for commercial reasons since that will be another step in the evolution of the malicious guy’s business model

Dinis in San Jose

Here Windows Presentation Foundation Security Sandbox is a presentation on WPF partial trust enviroments, where it gives details on what (from the WPF) will work in Partial Trust and what will not.

• This is from Sep 2005 so it might be a bit out of date
• I wonder how many real-world, usable and ‘buyable’ apps we will see that will work in WPF Partial trust
• There seemed to be a more in depth paper here Windows Presentation Foundation Security Whitepaper but this document doesn’t seem to be online

And on the subject of safely handling potential malicious adds, here is an interresting Framework (need to look more into it, has anybody used this stuff?) from MS

• MAF (Managed AddIn Framework)
• Let Users Customize Your Apps With Visual Studio Tools For Applications
• VSTO Embraces MAF
• VSTA and Generics

And on the Java camp here is an interresting tool: Java Explorer A tool to easily explore the java sandbox from javascript, for the purpose of better understanding what java makes available to web applications nowadays.