• Security Risks in Error Handling

    This article explains that when a system fails it usually shows an error message to the user or to the system administrator for reference. These system and application error messages help with later debugging, but attackers also use them to learn about the application and its weaknesses. The potential security risks that error messages bring, how to defend against them, and a discussion of concrete cases are therefore the topics of this article.

    Principles of error message handling

    Handle unexpected behaviour: Expect the unexpected - your data won't always be what you assume

    When you hit an error condition: log, cleanup, and STOP

    Decide what goes to the client, and how: Think carefully about what you send to the client and how you send it

    Avoid unnecessary disclosure: Don't disclose information that should remain private

    CWE-200: Information Exposure

    An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

    Example 1: Web page error messages

    Example 2: SQL injection

    Error handling code examples

    The wrong way

    By trying different account names, an attacker can tell whether it was the username or the password that was wrong; once a valid username has been found, other attacks can follow.

    use strict;
    use warnings;
    use CGI qw(param);

    # IsValidUsername and IsValidPassword are the helpers the page assumes:
    # the first checks that the account exists, the second checks the credential.
    my $username = param('username');
    my $password = param('password');

    if (IsValidUsername($username) == 1)
    {
       if (IsValidPassword($username, $password) == 1)
       {
          print "Login Successful";
       }
       else
       {
          # reveals that the username exists and only the password was wrong
          print "Login Failed - incorrect password";
       }
    }
    else
    {
       # reveals that no such account exists
       print "Login Failed - unknown username";
    }

    The right way

    Whether the username or the password is wrong, always return the same error message:

    “Login Failed – incorrect username or password”

    use strict;
    use warnings;
    use CGI qw(param);

    # IsValidUsername and IsValidPassword are the same assumed helpers as above.
    my $username = param('username');
    my $password = param('password');

    my $result = 0;

    if (IsValidUsername($username) == 1)
    {
       if (IsValidPassword($username, $password) == 1)
       {
          $result = 1;
          print "Login Successful";
       }
    }

    # one message for both failure cases, so the response does not
    # tell the caller which of the two checks failed
    if ($result != 1)
    {
       print "Login Failed - incorrect username or password";
    }

    Information leakage discussion

    How much information is reasonable to give the user, and how much is too much and creates a security risk?

    Consider the following three examples:

    • User account does not have sufficient funds to perform this transaction.

    • Minimum required balance is $5,000. User password must be a minimum of 8 characters.

    • Failed validation - username must not contain the characters < > ' " ( ) ;

    CWE-460: Improper Cleanup on Thrown Exception

    Real-world case: CVE-2008-4302

    Flawed case code example

    The function returns without unlocking.

    boolean DoStuff ()
    {
       try
       {
          while (condition == true)
          {
             ThreadLock(TRUE);
             // do some stuff
             // an exception may be thrown
             ThreadLock(FALSE);
          }
       }
       catch (Exception e)
       {
          // if the exception was thrown between ThreadLock(TRUE) and
          // ThreadLock(FALSE), the lock is still held when we return here
          System.err.println("Something bad happened!");
          return (FAILURE);
       }
       return (SUCCESS);
    }

    Corrected case code example

    Handle the isThreadLocked state explicitly: check whether the error left a resource unreleased, and release it before returning.

    boolean DoStuff ()
    {
       try
       {
          while (condition == true)
          {
             ThreadLock(TRUE);
             // do some stuff
             // an exception may be thrown
             ThreadLock(FALSE);
          }
       }
       catch (Exception e)
       {
          // release the lock if the exception left it held
          if (isThreadLocked == TRUE) ThreadLock(FALSE);

          System.err.println("Something bad happened!");
          return (FAILURE);
       }
       return (SUCCESS);
    }
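The "log, cleanup, and STOP" principle and the CWE-460 case above, as an added Python example that is not from the original post or from MITRE's material: the lock release lives in a finally block, so it runs on the normal path, when a step raises, and on the early return from the except block, without needing an isThreadLocked flag. The threading.Lock, the step functions and the client-facing messages are constructed for this example.

```python
import logging
import threading

log = logging.getLogger("demo")

# Constructed stand-in for the page's ThreadLock(TRUE/FALSE) resource.
_lock = threading.Lock()

SUCCESS, FAILURE = True, False


def do_stuff(steps):
    """Counterpart of the page's DoStuff(): run each step while holding the lock.

    Unlike the page's corrected version, which releases the lock only inside
    catch, the release here is in `finally`, so it happens on the normal path,
    on an exception, and on the early `return` from the except block alike.
    acquire() sits outside the try, so `finally` never releases a lock we
    do not hold.
    """
    for step in steps:
        _lock.acquire()            # ThreadLock(TRUE)
        try:
            step()                 # "do some stuff" - may raise
        except Exception as exc:
            # Log the detail for the operator, then STOP: do not keep looping
            # with the system in an unknown state.
            log.error("step %r failed: %r", step, exc)
            return FAILURE
        finally:
            _lock.release()        # ThreadLock(FALSE), guaranteed
    return SUCCESS


def client_message(result):
    """What goes back to the client: the outcome, not the exception text."""
    return "Operation completed" if result == SUCCESS else "Operation failed"


def lock_is_free():
    """Check that no step left the lock held (what CWE-460 is about)."""
    return not _lock.locked()


if __name__ == "__main__":
    def boom():
        raise RuntimeError("database connection refused")   # constructed failure

    print(client_message(do_stuff([lambda: None, boom, lambda: None])))
    print("lock free:", lock_is_free())
```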

    PS. The cases in this article are adapted from MITRE training material.

    Posted by Tony @ 12:16 pm
