Security: Pete's Wicked World by Peter Galvin

Trials and tribulations of building an e-commerce server

In part two, an in-depth evaluation of the design and implementation of a secure Internet commerce facility. Plus, Bug of the Month focuses on eject and passwd bugs

April  1997

The secure Internet commerce facility project continues. This month's column includes design decisions made, the implementation (the good, the bad, and the ugly), and the valuable lessons that working on such a project imparts.

Also in Pete's Wicked World this month: the bookstore has information on a hot new newsletter, an Internet privacy consortium, and an article on the future of Internet security. In the buglist, more buffer-overflow-causes-root-execution bugs. Also, word of interesting conferences and potentially-interesting products. And, if you have Solaris security questions, visit the newly-updated Pete's Security FAQ. (2,600 words)


Dedication: To Skip Rochford. We miss you.

Last month I described a proposal my company received from a major East Coast bank and our response to that proposal. The proposal was for the implementation of a secure Internet facility that would allow bank customers to retrieve private information, well, privately. Included in last month's column was our proposed architecture and a discussion of its features. The column generated some interesting reader mail; some readers were worried about me. Worried about my legal status and how I'd survive impending lawsuits. The lawsuits would occur, of course, when the facility was cracked and bad things happened to customer accounts and the bank's money.

This month I hope to assuage your fears. I'll describe the final architecture that we implemented and the steps we took to assure that it was "uncrackable." We also hit some roadblocks that are worth discussing, and learned a little about project management.

The road to hell is paved with works-in-progress.

--Philip Roth

The bank decided that my company would do the architecture and integration. We also brought in a subcontractor to do the application development and database implementation. The application work consisted of writing CGI scripts and SQL code. This code was needed to maintain the state of each customer's interaction with the facility, among other things. More details on the application later.

After several meetings with the bank (including product, marketing, and security personnel), the marketing company, the subcontractor, V-One, and Xenos, we hammered out an architecture that everyone could live with. Figure 1 shows the final architecture.

A comparison with the original proposed architecture in Figure 2 shows quite a few changes.

These were the major changes, and their reasons:

The application itself was quite complicated. It ended up including the following major pieces:

To finish a work? To finish a picture? What nonsense! To finish it means to be through with it, to kill it, to rid it of its soul, to give it its final blow . . . the coup de grâce for the painter as well as for the picture.

--Pablo Picasso


Ah, the delays
In the introduction I mentioned that I would discuss the "ugly" parts of the project. Unfortunately, the project went over budget and was late. Although this is not uncommon on large integration projects, it also did not make anyone happy. The reasons for the delays were many, including:

While the project was being implemented, I wrote the facility security policy in conjunction with the bank's security personnel. The policy laid out the details of access to the facility, management of the facility, problem escalation, and change management. The facility was independently audited by SAIC (as described in a previous column) and found to be among the most secure they had seen.

Every man is the son of his own works.

--Miguel de Cervantes

Overall, the project took more time and money than expected because we had underestimated the effort needed to bring multiple, new technologies online and the difficulties involved in rolling out a first-of-its-kind facility. The facility was brought online in February with little fanfare. Because the bank is merging with an even larger bank, and because this is a new offering to customers, it has lower priority than other bank projects. The banks are merging their computing facilities, and this project will be forced to shut down during the merger. It will be brought back online after the main systems are merged. Until that merger completes, the bank won't advertise this facility. Nevertheless, through Web-based ads, this facility already has 4,000 customers, and that number is growing at the rate of 150 per day. On the whole, everyone is pleased with the state of the facility and the project that implemented it.

Bug of the Month

The time is right for a program scanner. This scanner would search through C source code and watch for code that improperly allocates memory without guarding against overflow. Unfortunately, I don't know of any tools that provide this feature. I've reached this conclusion based on bugs reported in eject and passwd. Yes, eject is the program that simply ejects the floppy or CD-ROM from its drive. This program is set-uid root so that any user can eject the media (eject does a umount). Unfortunately, it doesn't check its buffer allocation in the media_find routine. This routine checks the command-line arguments and determines which media the user wants to eject. By overflowing this buffer, eject can be made to execute an arbitrary program, as root.

Cristian Schipor, of the Computer Science Faculty in Bucharest, Romania, discovered the problem and has written exploits for Solaris 2.4 and 2.5.X. The quick fix is to disable the set-uid bit on eject. To regain the eject functionality, you can write a quick set-uid root C program that invokes eject with a fixed set of arguments (passing user-supplied arguments through would reintroduce the problem). This information and more is included in the eject bug report.

The passwd bug, similarly, results from a lack of bounds checking within the program. The result is the arbitrary execution of programs, as root, on any Solaris 2.3, 2.4, or 2.5 system. The bug report and fix information are included in AusCERT report 97.09.
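The eject and passwd bugs share one root cause: a fixed-size buffer filled by a call that takes no destination length. As an added illustration of the source scanner wished for above (example code, not a tool from the column or from Sun), this heuristic pass greps C source for such calls and reports the destination buffer's declared size when it can find one. The sample source and its `media_name` buffer are constructed for the demonstration and are not the eject code.

```python
"""Heuristic scanner for unbounded copies into fixed-size C buffers.
Added example, not the column's tool: a regex pass that only illustrates the
idea. A production scanner would parse the code rather than pattern-match it."""
import re

# Unbounded calls and the bounded replacement a reviewer would ask for.
UNBOUNDED = {
    "strcpy":  "strncpy/strlcpy with sizeof(dest)",
    "strcat":  "strncat/strlcat with the remaining space",
    "sprintf": "snprintf(dest, sizeof(dest), ...)",
    "gets":    "fgets(dest, sizeof(dest), stdin)",
}
# Call name followed by its first (destination) argument.
CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED) + r")\s*\(\s*([A-Za-z_]\w*)")
# Fixed-size declarations such as "char buf[128];".
DECL_RE = re.compile(r"\bchar\s+([A-Za-z_]\w*)\s*\[\s*(\d+)\s*\]")
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*")

def scan_source(text):
    """Return (line, function, destination, declared_size, advice) tuples."""
    sizes = {}       # buffer name -> declared size, gathered as we go
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = COMMENT_RE.sub("", raw)          # ignore commented-out text
        for m in DECL_RE.finditer(code):
            sizes[m.group(1)] = int(m.group(2))
        for m in CALL_RE.finditer(code):
            func, dest = m.group(1), m.group(2)
            findings.append((lineno, func, dest, sizes.get(dest), UNBOUNDED[func]))
    return findings

# Constructed sample in the spirit of an argument-parsing routine; not Sun's code.
SAMPLE_SOURCE = """\
static char media_name[64];
void find_media(int argc, char **argv)
{
    char buf[128];
    strcpy(media_name, argv[1]);           /* unbounded: flagged */
    strlcpy(buf, argv[1], sizeof(buf));    /* bounded: not flagged */
    sprintf(buf, "/dev/%s", argv[1]);      /* unbounded: flagged */
}
"""

if __name__ == "__main__":
    for line, func, dest, size, advice in scan_source(SAMPLE_SOURCE):
        size_note = f"{size} bytes" if size else "size unknown"
        print(f"line {line}: {func}() into {dest} ({size_note}); prefer {advice}")
```

Run on the sample, it flags the strcpy on line 5 into the 64-byte `media_name` and the sprintf on line 7 into the 128-byte `buf`, while the bounded strlcpy on line 6 passes.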

CERT is getting very antsy about INN. INN is a common news server, and version 1.5 is being actively attacked via well-publicized techniques. The solution is to upgrade to INN 1.5.1 as soon as possible. The details are in the CERT advisory.

The Bookstore
If you're like most systems people -- too little time and too many interests -- then you should know about the SANS Network Security Digest. What this column does for Sun computers (in case you didn't know, it tries to keep you informed of everything Sun security related), the SANS digest does for computer security in general.

The March issue includes information on Microsoft Internet Explorer bugs, Solaris passwd buffer overruns, and bugs in 4.4BSD, FreeBSD, INN, and httpd, among other useful information. Here's the info:

The SANS Network Security Digest is published via e-mail approximately eight times a year. Its purpose is to help busy sysadmins and security professionals gain confidence that they are aware of the important security vulnerabilities and what can be done to resolve them. Subscriptions are always free for all who attend SANS and Network Security conferences. Others may also subscribe at no cost as long as their subscriptions are received before April 30, 1997. Free subscriptions entered before April 30 are effective through the end of next year (1998).

To subscribe, send e-mail to In the Subject: SANS Network Security Digest. In the Body: name, title, organization, preferred e-mail address, and, if you also want an updated network security roadmap wall poster, your surface mailing address.

If you are concerned (as I am) with the rampant, uncontrolled exchange of private information on the Internet, then you'll be pleased to hear about ETrust. ETrust is a global initiative to create consumer confidence in electronic information exchange. It's set to roll out, in mid-1997, a set of seals-of-approval. The seals will be given to sites that abide by ETrust's rules of privacy. For more information, check out the ETrust home page (see Resources below).

The January 1997 issue of IEEE Computer includes several interesting articles on the Internet and security. Perhaps the most interesting to readers of this column is the article by Randall Atkinson, of Cisco, entitled Toward a More Secure Internet. This article spends a little time analyzing current Internet protocol security threats (ICMP, ARP, DNS, and IP itself). The rest of the article describes techniques, methods, and protocols that are being implemented to solve the security weaknesses of these protocols. Required reading.

April brings with it a conference that should not be missed by security professionals (and systems people with a security interest): SANS '97 promises to be better than ever. This year the conference is concentrating on case studies. In fact, I'll be presenting the secure bank facility described in this column in a talk there. I'll also be presenting a couple of sections of the "Security in a Melting Pot" workshop, which is designed to help people who work on security on multiple platforms keep those systems under control and secure.

If you're interested in Sun computers and their security, then you should add The Sun User Group Conference and Expo to your calendar (it's June 2-4, in Boston, MA). This conference will have tracks on security, system administration, the Internet, and one for developers. It will also have exhibits. I'll be teaching my Solaris Administration tutorial there and giving a couple of talks about Sun security. Hope to see you then.

Potentially interesting
Single sign-on continues to be one of the holy grails for systems managers. Every year, we hear that the perfect product is a year away. Well, there's another product that is taking a shot at solving the problem. The product is FirstStep SSO by Millennium Computer Corporation. I haven't tried it, but if you're looking for a single sign-on solution, this one looks worth checking out.



About the author
[Peter Galvin's photo] Peter Galvin is chief technologist for Corporate Technologies, Inc., a systems integrator and VAR. He is also adjunct system planner for the Computer Science Department at Brown University, a member of the board of directors of the Sun User Group, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials world-wide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the Superuser newsletter. Peter is coauthor of the best-selling Operating Systems Concepts textbook. Reach Peter at


[(c) Copyright  Web Publishing Inc., and IDG Communication company]
