Essay: With the rapid development of the Internet industry, the Internet industry can be described as changing with each passing day. However, behind the prosperity, most Internet companies still pay no attention to network security and do nothing. As a programmer, if you also turn a blind eye to information security If so, it will be a nightmare for the company, bringing huge hidden risks to the company. Since the new company has already suffered this kind of risk, as a programmer, looking back, we have to pay attention to what we usually don’t agree with. Information security, a good programmer should not only type code, but also minimize threats and risks as much as possible, so there is this section, because of the first understanding of security, so I will share with you when I look back. Looking back on the learning content, I hope to make progress with everyone, let more people pay attention to network security, and make a modest contribution to the Internet industry.
Disclaimer: This article is excerpted from the book "White Hat Talks Web Security" by Mr. Wang Jian, Chief Architect of Alibaba Group. This article does not do any commercial activities, and aims to promote Mr. Wang Jian's security spirit. Most of the content is simplified in this article. , only some condensed clips are taken. If you want to learn from scratch, please buy this book by yourself. The book is rich and interesting, and it deeply reflects the security attack and defense behind China's Internet industry. It is fascinating and worth reading.
Three elements of safety:
Confidentiality, Integrity, Availability.
Confidentiality requires the protection of data content from disclosure, and encryption is a common means of achieving confidentiality.
Integrity requires the protection of data content to be complete and not tampered with. A common technical means of maintaining consistency is digital signatures.
Availability requires protected resources to be available on demand.
Assuming that there are 100 parking spaces in a parking lot, under normal circumstances, 100 cars can be parked. But one day, a bad guy moved 100 large rocks and occupied every parking space, and the parking lot could no longer provide normal service. In the security field, this kind of attack is called a denial of service attack, or DOS (Denial of Service). What a denial of service attack destroys is the availability of security.
How to perform a security assessment:
Security assessment can be simply divided into four stages: asset classification, threat analysis, risk analysis, and confirmation of solutions. The implementation process is progressive layer by layer, and there is a causal relationship between before and after.
Asset class division:
The core issue of Internet security is the issue of data security! ! ! .
To classify the assets owned by Internet companies is to classify the data, to clarify what the most important assets of the company are, and what data each department values the most. Only through interviews can the security department become familiar with and understand the company's business. , the data owned by the company, and the importance of different data, indicate the direction for the subsequent security assessment process. After completing the division of asset registration, you have a general understanding of the target to be protected, and the next step is to divide the trust domain and trust boundary. Usually the simplest way to divide is to divide it logically from the network.
Threat Analysis:
In the field of security, we call the source of possible harm a threat (Threat), and the loss that may occur is called a risk (Risk). Risk must be associated with loss.
What is threat analysis? Threat analysis is to find out all the threats. Brainstorming is generally used, or a model is used to help us think about where there may be threats. This process can avoid omissions. This is threat modeling.
The STRIDE model was first proposed by Microsoft. STRIDE is an acronym for 6 words, which tells us that we can consider these 6 aspects.
Risk Analysis:
Risk consists of the following factors:
Risk = Probability * Damage Potential
Factors affecting the level of risk, in addition to the size of the loss, also need to consider the possibility of occurrence.
The DREAD model, which is also proposed by Microsoft, DREAD is also an acronym for several words, which guides us from which aspects to judge the risk level of a threat level.
Grade: High(3) Medium(2) Low(1)
In the DREAD model, each factor can be divided into three levels: high, medium, and low. In the above table, the three levels of high, medium and low represent their weight values with scores of 3, 2, and 1, respectively, so we can specifically calculate the risk value of a certain threat.
Galway: 12 - 15 points Midway: 8 - 11 points Low: 0 - 7 points
Safety design scheme:
The output of the security assessment is the security solution. The solution must be targeted, which is given by the results of the asset registration division, threat analysis, risk analysis and other stages.
A good security solution should have the following characteristics:
White hat tactics:
When designing a security solution, the most basic and important principle is "Secure by Default". Keep this principle in mind when doing any security design. The principle of "Secure by Default" can also be summarized as the idea of whitelist and blacklist. If more whitelists are used, the system becomes more secure.
Blacklist, Whitelist:
For example, when formulating the network access control policy of the firewall, if the website only provides web services, the correct approach is to allow only ports 80 and 443 of the website server to provide services to the outside world, and block other ports. This is a "whitelist" approach: for
another example, on the production environment server of the website, the installation of software at will should be restricted, and a unified software version specification should be formulated to prevent some problems caused by the installation of unfamiliar software. vulnerabilities, thereby expanding the attack surface.
For another example, in Web security, when processing rich text submitted by users, considering the problem of XSS, security checks are required. The common XSS Filter is generally to make HTML Parse for the original HTML input by the user, parse it into a tag object, and then match the XSS rules for the tag. This list of rules is a black and white list. If you choose the idea of a white list, you can avoid this problem, such as only allowing users to input a tag such as a feature, img tag, etc.
The idea of choosing a whitelist and designing a security solution based on a whitelist is actually to trust that the whitelist is good and safe, but once this trust foundation does not exist, then security will disappear.
In the Flash cross-domain access request, the crossdomain.xml file on the server side of the target resource is checked to verify whether the client's Flash cross-domain request is allowed. It uses the idea of a whitelist. It is specified that only the Flash of the specific domain is allowed to initiate a request to this domain. But if the domains on this trust list become untrustworthy, then the problem ensues. for example:
<cross-domain-policy>
<allow-access-from domain="*">
</cross-domain-policy>
The wildcard "*" means that Flash from any domain can access the data in this domain, thus causing a security risk. Therefore, when choosing to use a whitelist, you need to pay attention to avoid problems like wildcard "*".
Another meaning of the principle of least privilege
Secure By Default is the "principle of least privilege". The principle of least privilege is also one of the basic principles of security design. The principle of least privilege requires the system to only grant unnecessary privileges to the subject, rather than excessive authorization, which can effectively reduce the chance of errors in the system, network, application, and database.
For example, in a Linux system, a good operating habit is to log in with a common account, and use the sudo command to perform operations that require root privileges. This can minimize the risks caused by some misoperations; at the same time, after the ordinary account is stolen, the consequences caused by the theft of the root account are completely different.
When using the principle of least privilege, it is necessary to carefully sort out the privileges required by the business. In many cases, developers do not realize that the privileges authorized by the business are too high. When learning about the business through interviews, you can set up more rhetorical questions, such as: Are you sure that your program must access the Internet? Questions like these are used to determine the minimum permissions required for the business.
Defense in Depth Principle
Like Secure by Defalut, Defense in Depth (defense in depth) is also an important guiding ideology when designing security solutions.
Defense in depth includes two meanings : first, to implement security plans at different levels and aspects to avoid oversights, and different security plans need to cooperate with each other to form a whole; second, to do the right thing in the right place , both: Implement targeted security solutions where the problem is fundamentally solved.
In common intrusion cases, most exploit the vulnerabilities of WEB applications, the attacker first obtains a low-privileged webshell, then uploads more files through the low-privileged webshell, and tries to execute higher-privileged system commands, trying to log on the server. Elevate the privilege to root; then the attacker will further attempt to penetrate the intranet, such as the network segment where the database server is located.
In such cases of intrusion, if effective defense measures are set in any part of the attack process, the intrusion process may fall short. However, there is no panacea in the world, and no single solution can solve all problems. There is a need to spread risk across all levels of the system. As far as intrusion prevention is concerned, we may need to consider Web application security, OS system security, database security, and network environment security. The security solutions designed at these different levels will together form a defense system, which is the idea of defense in depth.
The second meaning of defense in depth is to do the right thing in the right place. It requires us to deeply understand the nature of the threat in order to make the right response.
During the development of XSS defense technology, there have been several different solutions. It is only in recent years that the XSS defense ideas have gradually matured and unified. For example, from the earliest filtering of special symbols in the input, to distinguishing between rich text and non-rich text, encoding non-rich text, and then starting to perform syntax tree analysis on rich text to know the final comprehensive solution.
Data and code separation principle
Another important principle is the data and code separation principle. This principle is broadly applicable to a variety of scenarios where "injection" raises security issues.
In fact, buffer overflow can also be considered as the result of the program violating this principle - the program executes user data as code in the stack or heap, confusing the boundary between code and data, resulting in security problems.
In Web security, there are many problems caused by "injection", such as XSS, SQL Injection, CRLF Injection, X-Path Injection, etc. Such problems can be designed according to the "principle of separation of data and code", because this principle captures the essential reasons for the formation of vulnerabilities.
unpredictable principle
The principles introduced earlier: Secure By Default is a general rule to keep in mind at all times; defense in depth is to look at the problem more comprehensively and correctly; the separation of data and code is to look at the problem from the cause of the vulnerability; what to talk about next The principle of "unpredictability" is to look at the problem from the perspective of customer service attack methods.
Microsoft's Windows system users have suffered from buffer overflows for many years, so Microsoft has added many functions to combat memory attacks such as buffer overflows in the new version of Windows. Microsoft can't require software running on a system to be free of vulnerabilities, so its approach is to disable exploits. For example, DEP is used to ensure that the stack is not executable, and ASLR is used to randomly change the stack base address of the process, so that the attack program cannot accurately guess the memory address, which greatly increases the threshold of the attack. After practice tests, it has been proved that this idea of Microsoft is indeed effective-even if the code cannot be repaired, if it can make the attack method invalid, then it can be regarded as a successful defense.
The ASLR technology used by Microsoft is also supported in newer versions of the Linux kernel. Under the control of ALSR, each time a program is started, the stack base address of its process is different and has a certain randomness. For attackers, this is "unpredictable".
Unpredictable (Unpredictable), can effectively resist attacks based on tampering and forgery. Let's look at the following scenario:
Suppose the serial numbers of articles in a memory management system are arranged in ascending numerical order, such as ID = 1000, ID = 1002, ID = 1003...
This order makes it easy for the attacker to traverse all the article numbers in the system: find an integer and increase it sequentially. If an attacker wants to delete these articles in bulk, write a simple script:
for(i=0;i<100000;i++){
Delete(url +"?id="+i);
}
can easily achieve the goal. But what if the content management system uses the "unpredictability" principle to make the value of the ID unpredictable?
id=asdasdasdasd,id=dasdasdasdasdas,id=asdasdasdasdasda...
The value of id has become completely unpredictable. If the attacker wants to delete articles in batches, he can only grab all the page IDs through the crawler, and then Analyzed one by one, thereby raising the threshold of attack.
The principle of unpredictability can be cleverly used for some sensitive data. For example, in CSRF defense technology, a token is usually used for effective defense. This token can successfully defend against CSRF because the attacker cannot advance the token value in advance in the process of implementing CSRF attack. Therefore, when the token is required to be complex enough, it cannot be guessed by the attacker.
The realization of unpredictability often requires the use of encryption algorithms, random number algorithms, and hash algorithms. If you use this principle well, you will often get twice the result with half the effort when designing a security solution.
summary:
This chapter summarizes the author Mr. Wang Jian's understanding and thinking about the security world, reveals the nature of security issues, and how to carry out security work, and finally summarizes several ideas and principles for designing security solutions. In the following chapters, we will continue to reveal all aspects of web security and gain a deep understanding of the attack principle and the correct way to solve it - we will face all kinds of attacks, why should the solution be designed this way, and why is this the most appropriate? The starting point of all this can be seen in the follow-up study notes.
Safety is a simple science and an art of balance. Whether it is traditional security or Internet security, the underlying principles are the same. We only need to grasp the essence of the security problem, and no matter what security problem (not just limited to web security or Internet security) we encounter, we will be invincible, because we have really understood how to look at this with strict security management. world!