
Failure to handle errors correctly

Failure to handle errors correctly. Team 1 Bhupjit Singh Dan Blaguiescu Lars Lindgren Nikolay Nikolov. Introduction. Even though a software project is well planned and constructed, errors can and will occur as a result of the complexity of software creation.





Presentation Transcript


  1. Failure to handle errors correctly Team 1 Bhupjit Singh Dan Blaguiescu Lars Lindgren Nikolay Nikolov

  2. Introduction • Even though a software project is well planned and constructed, errors can and will occur as a result of the complexity of software creation. • Unexpected errors can cause the application to crash or misbehave, opening up the possibility of misuse by an attacker.

  3. Introduction • If the application can be crashed and it is running on a server, it opens up the possibility of denial of service attacks. • Therefore the designer needs to think about which actions to perform in case of errors.

  4. Sin explained • Yielding too much information • Ignoring errors • Misinterpreting return values

  5. Sin explained Improper error handling gives attackers opportunity to compromise: • Availability • Integrity • Confidentiality

  6. How sin affects your systems Information leakage • Login information - username / Passwords

  7. How sin affects your systems Information leakage • Version and Path information

  8. How sin affects your systems Information leakage • Stack Layout information.

  9. How sin affects your systems Information leakage Sample code

  10. How sin affects your systems Ignoring errors • does not solve any problem – the application will crash at some point (a successful DoS attack) • lets the error propagate further into the application • makes it difficult to spot the origin of the error • catching errors without proper handling does not help much.

  11. How sin affects your systems Ignoring errors Catching exceptions.

      public static void main(String[] args) {
          try {
              // Your code goes here..
          } catch (Exception e) {
              // Catches everything and only prints it: the caller never learns
              // that the operation failed, and the raw exception text is exposed.
              System.out.println("Err - " + e);
          }
      }
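The following is an added example, not code from the slides, that puts slides 6 to 11 side by side: a method that catches everything and returns the raw exception text (which leaks the resolved file path) next to a version that handles the expected failure, logs the unexpected one where only operators can read it, and returns only a generic message with a correlation id. The storage root path and the document names are assumptions made up for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not from the slides): "catch and print" versus handling that
// neither swallows the error nor leaks internal details to the caller.
public class ErrorHandlingExample {

    private static final Logger LOG = Logger.getLogger(ErrorHandlingExample.class.getName());

    // Hypothetical storage root; a real application would configure this.
    private static final Path STORAGE_ROOT = Path.of("/var/app/data");

    // Sinful version: the exception is "handled", but the caller receives the
    // exception's own text, which for a missing file contains the full path on
    // disk (version/path information, slide 7), and execution simply continues.
    static String readDocumentSinful(String name) {
        try {
            return Files.readString(STORAGE_ROOT.resolve(name));
        } catch (Exception e) {
            return "Err - " + e;
        }
    }

    // Remedied version: the expected condition gets a specific, non-revealing
    // answer; anything else is logged with the stack trace and reported to the
    // caller only as a generic message plus an id that support can grep for.
    // The name is assumed to have been validated before reaching this method.
    static String readDocumentRemedied(String name) {
        try {
            return Files.readString(STORAGE_ROOT.resolve(name));
        } catch (NoSuchFileException e) {
            return "Document not found";
        } catch (IOException e) {
            String correlationId = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "readDocument failed, id=" + correlationId, e);
            return "Internal error, reference " + correlationId;
        }
    }

    public static void main(String[] args) {
        // With the file absent, the first line reveals the storage path,
        // the second does not.
        System.out.println(readDocumentSinful("missing.txt"));
        System.out.println(readDocumentRemedied("missing.txt"));
    }
}
```

The remedied method still lets a second-order failure (the logger itself failing, say) surface to the caller as an exception rather than hiding it, which is the point of slide 10: the error must remain visible to the program even while its details stay invisible to the user.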

  12. How sin affects your systems • Misinterpreting return values • Some functions/methods return NULL on error, some -1.

  13. How sin affects your systems • Using useless return values
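Slides 12 and 13 list the two ways a return value gets misread: the caller does not know the error convention (null versus -1), or the caller discards a value that carries the real result. The added example below, which is not from the slides, shows three Java conventions that catch people out, each with the check the caller needs. The trickling stream class is a constructed stand-in for a socket that delivers one byte per call.

```java
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example (not from the slides): return-value conventions that are easy to
// misinterpret, with the checks a caller must perform.
public class ReturnValueExample {

    // String.indexOf signals "not found" with -1, not with an exception. Using
    // the result directly as an index either throws or silently returns the
    // wrong substring.
    static String valueAfterEquals(String pair) {
        int idx = pair.indexOf('=');
        if (idx < 0) {
            throw new IllegalArgumentException("missing '='");
        }
        return pair.substring(idx + 1);
    }

    // Map.get returns null for an absent key; treating null as an error
    // explicitly beats a NullPointerException somewhere far from the lookup.
    static String requiredSetting(Map<String, String> config, String key) {
        String value = config.get(key);
        if (value == null) {
            throw new IllegalStateException("required setting missing: " + key);
        }
        return value;
    }

    // InputStream.read(byte[], off, len) returns how many bytes were actually
    // read (possibly fewer than asked for) and -1 at end of stream. Discarding
    // that count is the "useless return value" sin: the unfilled tail of the
    // buffer is then processed as if it were data.
    static byte[] readExactly(InputStream in, int len) throws IOException {
        byte[] buf = new byte[len];
        int off = 0;
        while (off < len) {
            int n = in.read(buf, off, len - off);
            if (n < 0) {
                throw new EOFException("stream ended after " + off + " of " + len + " bytes");
            }
            off += n;
        }
        return buf;
    }

    // Constructed stream that hands out one byte per read() call, so a single
    // read() against it always comes back short.
    static class TricklingStream extends InputStream {
        private final byte[] data;
        private int pos = 0;

        TricklingStream(byte[] data) { this.data = data; }

        @Override public int read() {
            return pos < data.length ? (data[pos++] & 0xff) : -1;
        }

        @Override public int read(byte[] b, int off, int len) {
            if (len == 0) return 0;
            int c = read();
            if (c < 0) return -1;
            b[off] = (byte) c;
            return 1;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(valueAfterEquals("user=alice"));
        System.out.println(requiredSetting(Map.of("mode", "strict"), "mode"));

        byte[] full = readExactly(new TricklingStream("abcdef".getBytes(StandardCharsets.US_ASCII)), 4);
        System.out.println(new String(full, StandardCharsets.US_ASCII));

        try {
            readExactly(new TricklingStream("ab".getBytes(StandardCharsets.US_ASCII)), 4);
        } catch (EOFException e) {
            System.out.println("short input detected: " + e.getMessage());
        }
    }
}
```

The same discipline is what slide 17 asks for: every value a security-relevant call returns is inspected before the program moves on, and a short read or a missing key is treated as a failure rather than passed along as data.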

  14. Remedy • How to avoid doing the same mistakes over and over again

  15. Select a good architecture • KISS principle (Keep It Simple Stupid)

  16. Think as a hacker • Collect as much information as possible • Deliberately try to make the system crash. • Try to find weaknesses in the application by entering invalid data

  17. Check every returned value • Do check the return value of all security-related functions. • Do make every attempt to recover from error conditions gracefully, to help avoid denial of service problems. • Do not leak error information to untrusted users – have a strict privilege policy. • Use encryption with proper key management to protect sensitive data.

  18. Methods to achieve the goal • Code review • Use tools that are capable of finding inconsistencies.

  19. Conclusion • Errors will occur at some stage and we need to be aware and take appropriate measures. • Therefore the project should have built in a comprehensive and holistic error handling strategy. • The error handling strategy should be implemented in all stages of the development project: design, code generation, testing, deployment and patching.
