• Underflow in C

    January 10, 2024

    Every developer needs to be trained in secure coding practices. I don’t actively code in my day-to-day work anymore, but I don’t want to lose the skill. As a recommendation, Stanford’s secure coding course is interesting. I learnt C during my undergraduate studies. We progressed from Fortran to COBOL and finally C, the magical language that lets you manipulate the system memory. I had not used C after I joined the workforce, but I always had an admiration for that family of programming languages. That was the prime reason I chose to focus on C# when it was initially launched in 2002.

    Anyway, back to the topic. Learning secure coding techniques is interesting, and I had never heard of this problem of underflow and overflow. Well, maybe I forgot!

    Here is the issue:

    What is the issue with this code?


    The provided C code initializes an unsigned integer variable a to the value 4, subtracts 3 from it (a = a - 3), and then prints the result of subtracting 2 from a. Let’s evaluate the code step by step:

    1. Initialize a to 4.
    2. Subtract 3 from a: a = 4 - 3, resulting in a = 1.
    3. Print the result of subtracting 2 from a: printf("%u\n", 1 - 2).

    Now, evaluating the expression inside printf:

    In ordinary signed arithmetic the result would be -1. However, since a is declared as an unsigned integer (and printed with the %u format specifier), the value is interpreted as an unsigned integer. In C, unsigned integer arithmetic never produces a negative number: subtracting a larger value from a smaller value wraps around to the top of the range representable by the data type.

    The maximum representable value for an unsigned 32-bit integer is 4294967295.

    Therefore, the output of the code will be 4294967295.

    This is the result of interpreting the arithmetic underflow as an unsigned value within the specified data type.
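    The snippet itself is not reproduced above, so here is a reconstruction from the description, as an added example that is not the post’s own code, placed next to a checked-subtraction helper in the hardened form a code reviewer would ask for. It assumes unsigned int is 32 bits wide (as the post does), and the names wrap_example, checked_sub_u32 and remaining_bytes are mine.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Reconstruction of the snippet described in the post (assumption: a is a
 * 32-bit unsigned int, so its range is 0..4294967295). Returns the value
 * that printf() prints. */
unsigned int wrap_example(void)
{
    unsigned int a = 4;
    a = a - 3;              /* a == 1 */
    unsigned int r = a - 2; /* 1 - 2 has no unsigned representation:
                               the result wraps modulo 2^32 to 4294967295 */
    printf("%u\n", r);
    return r;
}

/* Hardened form: test for underflow before subtracting and report it to
 * the caller instead of silently wrapping. */
bool checked_sub_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b > a) {
        return false;       /* a - b would wrap; the caller must handle it */
    }
    *out = a - b;
    return true;
}

/* Where this matters in practice: computing "bytes remaining" in a buffer
 * from a length and an offset. With an unchecked subtraction a bad offset
 * yields an enormous remaining size; with the check it yields an error. */
int remaining_bytes(uint32_t buf_len, uint32_t used, uint32_t *remaining)
{
    return checked_sub_u32(buf_len, used, remaining) ? 0 : -1;
}

int main(void)
{
    uint32_t rem = 0;

    wrap_example();                               /* prints 4294967295 */

    if (remaining_bytes(1, 2, &rem) != 0) {
        puts("remaining_bytes: offset exceeds length, rejected");
    }
    if (remaining_bytes(4, 3, &rem) == 0) {
        printf("remaining_bytes: %u byte(s) left\n", (unsigned int)rem);
    }
    return 0;
}
```

    The wrap is well-defined C (unsigned arithmetic is modular by the standard), which is exactly why no compiler warning or runtime trap will catch it; the only reliable defense is the explicit comparison before the subtraction, done once in a helper so every length calculation goes through it.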

    Modern languages such as Java and .NET avoid this issue and provide type safety. Rust is another interesting language that could replace C and C++, mitigating the issues around type safety.

  • SecureString: Story of a previous blog and storing sensitive data in code!

    January 9, 2024
    Secure Coding


    I previously maintained a blog with the domain name securestring.net. Why “secure string”? Well, if you’ve ever encountered Static Application Security Testing (SAST) tools like Checkmarx, you may have come across warnings about storing credentials in string variables. Particularly in the context of .NET languages, the common recommendation was to use SecureStrings. Given my involvement in authentication-related projects, addressing issues flagged by SAST tools was a routine expectation for vulnerability resolution.

    But SecureString is not the solution. First of all, SecureString is available only in .NET Framework, not in the latest .NET versions since the first .NET Core. The documentation page for the class, SecureString Class (System.Security) | Microsoft Learn, has the information block below.

    We recommend that you don’t use the SecureString class for new development on .NET (Core) or when you migrate existing code to .NET (Core). For more information, see SecureString shouldn’t be used.

    What is SecureString?

    The SecureString class attempts to avoid storing sensitive data in memory as plain text. String is immutable, hence its value cannot be altered once it is created. However, this does not provide security for storing sensitive data. SecureString stores the data in encrypted format, making it more resistant to memory inspection attacks. Unlike String, it is mutable, i.e. you can change the value once it is created (yes, there is a method MakeReadOnly that can be called once the variable is populated with the data, which kind of gives the perception of immutability).

    Why should SecureString not be used?

    The content below is from platform-compat/docs/DE0001.md at master · dotnet/platform-compat · GitHub, which explains why we should not use SecureString:

    • The purpose of SecureString is to avoid having secrets stored in the process memory as plain text.
    • However, even on Windows, SecureString doesn’t exist as an OS concept.
      • It just makes the window getting the plain text shorter; it doesn’t fully prevent it as .NET still has to convert the string to a plain text representation.
      • The benefit is that the plain text representation doesn’t hang around as an instance of System.String — the lifetime of the native buffer is shorter.
    • The contents of the array are unencrypted except on .NET Framework.
      • In .NET Framework, the contents of the internal char array are encrypted. .NET doesn’t support encryption in all environments, either due to missing APIs or key management issues.

    So, what is the solution?

    Well, Microsoft seems to suggest not using credentials at all and instead moving to alternatives such as certificate-based authentication. That is not always practical, is it?

    Let’s take a look at what other frameworks do in this case. In Java, there is no SecureString equivalent class. Instead, the recommendation is to store passwords in a character array and zeroize it after use.

    In Python, it’s suggested to use getpass. But getpass also does not solve the problem of the sensitive data being stored in memory. If the attacker can get access to the running Python process, maybe using some memory forensic tools, they can access the sensitive data.

    Often, developers tend to address suggested vulnerabilities as indicated by the tools. However, security is a layered concept, and adopting a defense-in-depth strategy is crucial. It’s essential to go beyond merely fixing identified vulnerabilities. Consider avoiding the use of sensitive data in code whenever possible. Explore alternative authentication mechanisms that don’t rely on passwords (note that passwords are not the only form of sensitive data). Additionally, ensure the immediate disposal of variables, implement proper authorization for critical component access, and transition towards a zero-trust architecture, among other measures.
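    As an added illustration, not taken from the post or from the Microsoft and GitHub pages it quotes, of the character-array-and-zeroize recommendation above and of the “immediate disposal of variables” advice: a C version of the pattern, which also shows the pitfall that a plain memset before the buffer goes away is frequently optimized out as a dead store, so the wipe has to be done through a volatile pointer (or a platform API such as explicit_bzero). The function names secure_zero, is_all_zero and use_password_then_wipe are my own, and the password literal is a constructed sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer in a way the optimizer cannot drop as a dead store.
 * A plain memset() right before free() or before the variable goes out of
 * scope is frequently eliminated; writing through a volatile pointer forces
 * every store to be emitted. (explicit_bzero()/memset_s() do the same job
 * where the platform provides them.) */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* True when every byte of buf is zero; lets a test confirm the disposal. */
bool is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Hypothetical consumer: use the password once, then wipe it in the same
 * scope so the plain-text window is as short as possible. The "use" here
 * is a toy checksum standing in for a real KDF or authentication call. */
unsigned int use_password_then_wipe(char *pw, size_t len)
{
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = sum * 31u + (unsigned char)pw[i];
    }
    secure_zero(pw, len);   /* secret is gone before the function returns */
    return sum;
}

int main(void)
{
    char pw[] = "hunter2";          /* constructed sample, not a real secret */
    size_t len = strlen(pw);

    unsigned int check = use_password_then_wipe(pw, len);
    printf("derived check value: %u\n", check);
    printf("buffer wiped: %s\n",
           is_all_zero((const unsigned char *)pw, len) ? "yes" : "no");
    return 0;
}
```

    This is the same idea the quoted SecureString note describes as “the window getting the plain text shorter”: the secret still exists in memory while it is used, so the wipe narrows the exposure but cannot remove it, which is why the paragraph above pushes toward not holding the secret in the process at all.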

    Conclusion

    Why did I decide to acquire the domain SecureString.Net? During that period, I invested effort in educating both leaders and the security team about the importance of not blindly adhering to every recommendation provided by tools. It is crucial to comprehend the reasons behind the tool’s suggestions and then implement solutions based on a thoughtful rationale. I believed this philosophy would make for a great theme for my blog. However, I didn’t end up writing anything, and the domain eventually expired. This time around, I am determined not to face the same fate. I will be sharing engaging content related to this field. Stay tuned!

  • Turtle Design and Beyond!

    November 29, 2023
    General


    I enrolled in Neil Daswani’s foundational Information Security course at Stanford, and it was there that I first encountered the intriguing concept of “tortoise design.” This analogy likens a system to a tortoise with a robust outer shell but a comparatively weaker inner core. It’s a metaphor that resonates, particularly in the realm of cybersecurity.

    Often, our security infrastructure mirrors this tortoise design. We invest heavily in formidable walls and perimeter defense mechanisms, creating an illusion of impregnability. However, within the internal network, vulnerabilities can persist—an open window through which a determined attacker can effortlessly infiltrate. I’ve witnessed instances where organizations boast robust external security measures but leave their internal networks seemingly exposed, relying heavily on employee trust to the point where terms like “insider threat” appear fictional.

    The turtle design, as I perceive it, establishes a formidable outer shell that proves challenging to breach. It diligently fulfills its duty of safeguarding the inner core. It serves as an initial step in our ongoing security journey. Throughout my exploration, I plan to delve into the best practices within the information technology landscape. Every system design I undertake now incorporates this turtle concept, a constant reminder of the importance of fortifying our digital perimeters.

    In the future, I envision giving a name to my turtle—a symbolic embodiment of the diligence and resilience essential in securing our digital ecosystems.

  • Back To Blogging!

    June 15, 2023
    General

    I have had a few blogs in the past. The last blog post I wrote would have been at least 12 years ago. There was this great blogging platform called Geekswithblogs, and that’s where I documented the initial problems and solutions of my career. The whole platform has vanished! Like many others, work and other priorities then kicked in, and there were no easy, popular blogging platforms like Blogspot. The decade from 2000 to 2010 was an era of blogging, at least in India. There were quite a few popular blogs out there, especially on Blogspot. Many of those blog writers have gone on to become popular authors. I too had a blog on Blogspot; it also helped me connect with some famous writers, all connections lost in time! Why did I start blogging? Well, I always liked to write, but my English was not good. So for me, the objective was twofold: improve the language and at the same time leave some mark on the internet timeline. Then Facebook became hugely popular (ah, I miss those Orkut days), and good writers started writing directly on Facebook, abandoning the blogosphere. A few years passed by, and I realized, no, I was wrong. There are still people who write great blogs. There are platforms like Medium, where many people write really cool content. It took me a couple of years again to finally start this one. Would anyone read my blog? I don’t know. Do I care? I don’t. For me, this is a journal that I would like to maintain, a personal space which provides some compulsion to think. Let’s see where it goes!

    Over a decade has elapsed since I last ventured into the realm of blogging. Back then, Geekswithblogs was my canvas, a platform where I meticulously chronicled the challenges and triumphs of my burgeoning career. Regrettably, this once-vibrant platform has faded into obscurity.

    Life’s demands and professional pursuits took precedence, and the blogosphere underwent a transformation. The golden era of blogging in India, from 2000 to 2010, witnessed a surge in popularity, with platforms like Blogspot fostering a community of prolific writers. I, too, contributed to this landscape, forging connections with fellow writers who have since become acclaimed authors. Alas, those connections have dissolved with the passage of time.

    Why did I plunge into blogging? My penchant for writing was undeniable, although my command of the English language left much to be desired. Thus, my objective was dual-fold: to refine my language skills and etch a mark on the internet’s timeline. The rise of Facebook, overshadowing the erstwhile Orkut days, marked a shift. Many adept writers migrated to the social media giant, leaving the blogosphere somewhat dormant.

    Years rolled by, and I came to a realization—I was mistaken. The blogging community persisted, flourishing on platforms like Medium, where insightful content abounded. It took me a couple more years to gather the courage to embark on this journey anew. Would anyone read my blog? Uncertain. Do I concern myself with readership metrics? Not in the least.

    For me, this blog is a personal journal, a sacred space that compels introspection. It’s an avenue for thought and reflection, and I’m eager to witness its evolution. Let’s see where this journey takes us!


Blog at WordPress.com.

The Turtle Design

Hard shell, Soft inner core!
