https://crocs.fi.muni.cz @CRoCS_MUNI
Łukasz Chmielewski, chmielewski@fi.muni.cz
Centre for Research on Cryptography and Security, Masaryk University
PA193 - Secure coding principles and practices
Security Code Review Seminar

Outline
• Many simple exercises – looking at common mistakes in pairs.
• Topics:
  – Protecting Data, Preventing Cross-Site Scripting, Code Quality,
  – Memory Best Practices, Parameterized Statements,
  – Indirect Object References, and Input Validation…
• Explanation for the Assignment.
• That is all ☺

SIMPLE EXERCISES

Simple Exercises
• Form pairs (e.g., with your neighbour).
• Look at the code together (before you are ready to answer the question).
• Two roles:
  – Educator – explains the answer to the given question to his/her partner.
  – Sceptic – tries to find any flaw or weak point in the Educator's reasoning.
• Together, try to find an answer to what is wrong in the code.
  – What can be the root of the issue?
  – Propose a correction.
• Switch roles after every question (from the next slide).

Exercise (1): what is wrong with this class?
Exercise (2): what is wrong and how to improve it?
Exercise (3): what is wrong and how to improve it?
Exercise (4): what is wrong and how to improve it?
Exercise (5): what is wrong and how to improve it?
Exercise (6): what is wrong and how to improve it?
Exercise (7): what is wrong and how to improve it?
Exercise (8): what is wrong and how to improve it?
Exercise (9): what is wrong and how to improve it?
Exercise (10): what is wrong and how to improve it?
Exercise (11): what is wrong and how to improve it?
Exercise (12): usage of HTML encoding, what is wrong and how to improve it?
Exercise (13): HTML encoding, output context, what is wrong and how to improve it?
Exercise (14): what is wrong and how to improve it?
• The application is implementing its own client-side rendering of the input instead of taking advantage of a JS framework.
Exercise (15): JavaScript parameterized statement, what is wrong and how to improve it?
Exercise (16): what is wrong and how to improve it?

Intermission - CodeQL
• Installation process – not pleasant
  – https://codeql.github.com/docs/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code/
  – https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-databases
• Tricky for C and C++
  – Computationally heavy; I would recommend a strong machine (>16 GB RAM, etc.)
  – GitHub Actions do not work by default
• Still a very useful tool!
• DEMO

Exercise (17): what is wrong with the design and how to improve it?
[Diagram: Start up → Boot ROM → Compute hash of data in NOR flash (data in NOR flash, computation in small SRAM) → Authenticate signature → branch "Incorrect signature"; otherwise Start up → Run from NOR. The answer slide annotates the same diagram with "Change NOR here".]

Future reading / Exercise (18): what is wrong and how to improve it?
• In the "load nitro firmware" memory handling in:
• https://github.com/OP-TEE/optee_os/blob/3.14.0/core/pta/bcm/elog.c
• Solution:
• https://github.com/OP-TEE/optee_os/security/advisories/GHSA-hhrc-h9xj-hppv
• Real issue that was found recently.
• What is the impact?

ASSIGNMENT – CODE REVIEW

Assignment 6: Source Code Review
• 2 sub-exercises
• pin.c
  – Incomplete 32-bit SIM smartcard application in C in the JavaCard style.
  – Exposed functions are called directly from the APDU handler. That code sets all the lengths and offsets correctly.
  – The APDU handler and the main functions are skipped here since they are not relevant from the security point of view.
  – Find all the possible bugs. Scope: logical and side-channel issues – 5 points.
• server_articles.c, server_setup.sh
  – Find all the possible bugs. Scope: concentrate on logical issues – 5 points.
• For found issues: assess severity, risk, etc. as in the lecture; also give recommendations on how to improve.
• There is no need to use automatic tooling, but you can do so if you would like to.

Assignment 6 – what to submit
• Report found issues in the format presented in the lecture.
• Try to be compact but clear!
• Specify which editor or IDE you used, and which static analysis tools you used, if any (for the second exercise).
• Submit before 15.5. 23:59 into the IS HW vault.
  – Soft deadline: -3 points for every started 24 hours.
• Good luck!!!
• Consultation
  – Regular consultation on Friday 09.30 – 11.00 in my office: A406.
  – Email me to make an appointment: chmielewski@fi.muni.cz.

Conclusions
• A lot of different topics for source code review
• Just a shallow glance
• Many topics not touched, like boot loaders, crypto libraries, etc.
• Good luck with the exercise!

Questions
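The secure-boot design from Exercise (17), written out as an added C simulation (not code from the slides): the flow that hashes NOR in place and then runs from NOR leaves a window in which NOR can be rewritten after the signature check passed, while copying into SRAM first and verifying the copy does not. The simulated flash/SRAM buffers, the FNV-1a `digest` standing in for hash plus signature verification, and all function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMG_LEN 16

/* Simulated NOR flash and SRAM (constructed toy sizes; the slide's SRAM is
 * small, but for the demonstration it holds one whole image). */
static uint8_t nor_flash[IMG_LEN];
static uint8_t sram[IMG_LEN];

/* Stand-in for "compute hash + authenticate signature": FNV-1a over the image
 * compared with a trusted reference. A real boot ROM uses a cryptographic
 * hash and verifies a signature over that hash. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static bool authentic(const uint8_t *img, uint32_t expected) {
    return digest(img, IMG_LEN) == expected;
}

/* Writes the genuine image into simulated NOR and returns its reference digest. */
uint32_t load_genuine_image(void) {
    memset(nor_flash, 0xA5, IMG_LEN);
    return digest(nor_flash, IMG_LEN);
}

/* Simulates the "Change NOR here" window from the slide: NOR is rewritten
 * after verification finished but before the code is executed. */
void rewrite_nor_first_byte(void) { nor_flash[0] = 0xFF; }

typedef void (*window_hook)(void);

/* Flow from the slide: verify NOR in place, then run from NOR. Returns the
 * first byte that would be executed, or -1 if verification fails. */
int boot_verify_in_place(uint32_t expected, window_hook hook) {
    if (!authentic(nor_flash, expected)) return -1;
    if (hook) hook();          /* NOR contents may change here */
    return nor_flash[0];       /* executes whatever NOR holds now */
}

/* Hardened flow: copy into SRAM, verify the copy, execute only the copy.
 * Later changes to NOR cannot affect what was verified. */
int boot_copy_then_verify(uint32_t expected, window_hook hook) {
    memcpy(sram, nor_flash, IMG_LEN);
    if (!authentic(sram, expected)) return -1;
    if (hook) hook();
    return sram[0];
}
```

Where SRAM really is too small for the whole image, the same principle applies per chunk: only data already copied out of NOR and covered by the verification may be executed.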