|
The Unix Secure Programming FAQTips on security design principles, programming methods, and testing |
As a follow-up to April's Security column on designing secure software, Peter has put together a quick guide of must-do secure programming techniques along with advice on methods to avoid. He also includes a number of valuable online resources. (3,600 words)
Mail this article to a friend |
Due to the importance of secure programming, and its great interest to readers, we revisit the topic.
This month, we'll expand on April's column, with input from security experts Gene Spafford and Matt Bishop. This column attempts to collect the current wisdom into a complete Unix Secure Programming FAQ. We hope you'll find it useful, and that it will ease the task of writing secure code. As with all FAQs, comments, suggestions, and corrections are encouraged. Periodic updates will be published as changes warrant and interest demands.
0. Overview
1. When should these methods be applied?
2. Security design principles
3. Secure programming methods
4. Unsecure programming methods
5. Testing program security
Too many programs have security holes in them. In the current state of the industry, code is being released with too little testing and with little or no regard to secure programming techniques. This FAQ attempts to be a tool for programmers, easing the process of writing secure programs.
It is important to apply good programming techniques, even when your code is expected to be used in limited situations or for limited duration. Many programs are used beyond their originally planned scope. Ivan Krsul found, in studies he did for his Purdue University Ph.D. thesis, that the majority of security flaws (historically speaking) have been the result of programs operating in a different environment than the one their designer knew or imagined. For example, the programmer may have believed that certain system calls could never fail, or that the program could never be invoked using non-text arguments. Thus, one of the best things a programmer can do to code defensively is to question assumptions, thinking carefully about whether or not they are valid, and imagining conditions that might render them false.
This FAQ attempts to codify the thoughts, techniques, steps, and system calls that should be used for any program that could affect system security.
1. When should these methods be applied?
It would be nice if these secure programming methods were used on all programs. After all, most of them are simply good programming techniques, whether the program is security-related or not. However, implementing all of these techniques in every program would take more time and effort than not using them. Therefore, if it's impossible to use these methods everywhere, they should at least be used for "important" programs. Specifically, these methods should be applied to the following:
Regardless of the programming language used, the purpose of the program, and the techniques used to write it, the following principles can help assure the program is as bug-free as possible:
|
|
|
|
Implement the software following good programming practice and secure software guidelines. Appropriate information on which programming techniques, system calls, and library calls to use and avoid is not readily available. Chapter 23 of Practical Unix and Internet Security by Simson Garfinkle and Gene Spafford has quite a lot of valuable information on secure programming and unsecure programming techniques. Some of it is abstracted here.
4. Unsecure programming methods
Test the software using the same methods crackers use:
Implementation of these steps should improve the quality of software, and reduce bugs in code, especially security holes. (Be sure to check out the Resources below for more online information.)
Tools
A new release of the commercial version of tripwire is available. Details can be found at the visualcomputing home page.
Letters
In last month's column, I included an open letter asking for help in protecting the contents of a Web document hierarchy in a padded cell environment. Gene Spafford replied with the method used to protect the COAST archives. This seems like a great solution to the problem.
Peter,
I read your reply to the person asking about the document hierarchy under a padded cell server. You said you were unaware of a good solution.
Well, I have had good success with both loopback mounts and with NFS mounts into chrooted server environments (do the mounts before the chroot and they seem to be preserved).
For instance, if you do a loopback read-only mount of a filesystem to the server, it helps protect the files as well as making a limited set of the files available for export. Meanwhile, you can make the "real" files available to the maintainer via some other mechanism.
We've been maintaining the COAST archive this way for nearly four years now.
Cheers,
Gene Spafford
Gene notes that files on loopback mounted file systems aren't immutable. Sun has documented that processes with the proper privileges may modify files on loopback mounted file systems. The justification for this functionality is unknown. Therefore, while it provides another layer of protection for contents, it's not as secure as one would hope.
|
Resources
*The first seven of the security design principles are derived from Saltzer and Schroeder's paper The Protection of Information in Computer Systems, Proceedings of the IEEE, September 1975.
About the author
Peter Baer Galvin is chief technologist for Corporate Technologies Inc., a systems
integrator and VAR. He is also adjunct system planner for the Computer
Science Department at Brown University, and has been program chair for the
past four SUG/SunWorld conferences. As a consultant and trainer, he has given
talks and tutorials worldwide on the topics of system administration and
security. He has written articles for Byte and Advanced Systems
(SunWorld) magazines, and the newsletter Superuser. Peter is
co-author of the best-selling Operating Systems Concepts textbook.
If you have technical problems with this magazine, contact webmaster@sunworld.com
URL: http://www.sunworld.com/swol-08-1998/swol-08-security.html
Last modified: