LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity

updated

This commit is contained in:
gferg 2003-02-18 22:11:52 +00:00
parent 907cb70400
commit 3dcbe47888
7 changed files with 719 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
LDP/howto/docbook/HOWTO-INDEX/adminSect.sgml
View File

@ -410,7 +410,7 @@ partition images to and from a TFTP server. </Para>
Linux-Complete-Backup-and-Recovery-HOWTO</ULink>,
<CiteTitle>Linux Complete Backup and Recovery HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: September 2002</CiteTitle>.
<CiteTitle>Updated: February 2003</CiteTitle>.
A step-by-step tutorial on how to back up a Linux
computer so as to be able to make a bare metal recovery, and how
to make that bare metal recovery. Includes some related scripts.
@ -472,7 +472,7 @@ Discusses methods to recover from Linux system failures. </Para>
Linux-Complete-Backup-and-Recovery-HOWTO</ULink>,
<CiteTitle>Linux Complete Backup and Recovery HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: September 2002</CiteTitle>.
<CiteTitle>Updated: February 2003</CiteTitle>.
A step-by-step tutorial on how to back up a Linux
computer so as to be able to make a bare metal recovery, and how
to make that bare metal recovery. Includes some related scripts.

16
LDP/howto/docbook/HOWTO-INDEX/howtoChap.sgml
View File

@ -1547,7 +1547,7 @@ Describes Linmodem (winmodem hardware) support under Linux. </Para>
Linux-Complete-Backup-and-Recovery-HOWTO</ULink>,
<CiteTitle>Linux Complete Backup and Recovery HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: September 2002</CiteTitle>.
<CiteTitle>Updated: February 2003</CiteTitle>.
A step-by-step tutorial on how to back up a Linux
computer so as to be able to make a bare metal recovery, and how
to make that bare metal recovery. Includes some related scripts.
@ -2524,7 +2524,7 @@ SCSI-Generic-HOWTO</ULink> for more current information.</emphasis> </Para>
Secure-Programs-HOWTO</ULink>,
<CiteTitle>Secure Programming for Linux and Unix HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: December 2002</CiteTitle>.
<CiteTitle>Updated: February 2003</CiteTitle>.
Provides a set of design and implementation guidelines for writing
secure programs for Linux and Unix systems. </Para>
</ListItem>
@ -2876,6 +2876,18 @@ operation and administration of Adaptive Server Anywhere
databases. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../Tamil-Linux-HOWTO/index.html">
Tamil-Linux-HOWTO</ULink>,
<CiteTitle>Tamil Linux HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: February 2003</CiteTitle>.
Helps you to set up a working Tamil Linux environment. It describes
setting up fonts, keyboard drivers, editing and printing
Tamil/bilingual documents, and working with the X Window system. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../Tango-HOWTO.html">

12
LDP/howto/docbook/HOWTO-INDEX/miniChap.sgml
View File

@ -1475,6 +1475,18 @@ Directions for squeezing your Linux installation into
the least possible space. Particularly aimed at notebook users. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../mini/Secure-CVS-Pserver/index.html">
Secure-CVS-Pserver</ULink>, <CiteTitle>
Secure CVS Pserver Mini-HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>
Updated: February 2003</CiteTitle>.
Will help you set up a more secure CVS Pserver for
anonymous CVS access. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../mini/Secure-POP+SSH.html">

12
LDP/howto/docbook/HOWTO-INDEX/otherLangSect.sgml
View File

@ -252,6 +252,18 @@ software with Spanish support or how to get in touch with the Linux
community in Spain (written in Spanish). </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../Tamil-Linux-HOWTO/index.html">
Tamil-Linux-HOWTO</ULink>,
<CiteTitle>Tamil Linux HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: February 2003</CiteTitle>.
Helps you to set up a working Tamil Linux environment. It describes
setting up fonts, keyboard drivers, editing and printing
Tamil/bilingual documents, and working with the X Window system. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../Thai-HOWTO.html">

14
LDP/howto/docbook/HOWTO-INDEX/programmSect.sgml
View File

@ -489,7 +489,7 @@ operating systems with XML-RPC support. </Para>
Secure-Programs-HOWTO</ULink>,
<CiteTitle>Secure Programming for Linux and Unix HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: December 2002</CiteTitle>.
<CiteTitle>Updated: February 2003</CiteTitle>.
Provides a set of design and implementation guidelines for writing
secure programs for Linux and Unix systems. </Para>
</ListItem>
@ -622,6 +622,18 @@ Covers basic installation and usage of RCS, the GNU Revision
Control System, under Linux. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../mini/Secure-CVS-Pserver/index.html">
Secure-CVS-Pserver</ULink>, <CiteTitle>
Secure CVS Pserver Mini-HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>
Updated: February 2003</CiteTitle>.
Will help you set up a more secure CVS Pserver for
anonymous CVS access. </Para>
</ListItem>
</ItemizedList>
</para>

40
LDP/howto/docbook/Secure-Programs-HOWTO/ChangeLog
View File

@ -1,3 +1,43 @@
2002-02-02 David A. Wheeler <dwheeler@dwheeler.com>
* Noted Shamir and Tromir's paper on Factoring Large Numbers with
the TWIRL device (a draft paper at this time) - the paper basically
suggests that 1024-bit RSA isn't secure either.
2002-01-23 David A. Wheeler <dwheeler@dwheeler.com>
* Clarified that HttpOnly on cookies is a useful secondary defense,
but don't count on it as primary. I wrote it that way before,
but recent papers on "breaks" because some people thought
HttpOnly was sufficient as a primary defense made me decide
to state this even more clearly.
2002-01-16 David A. Wheeler <dwheeler@dwheeler.com>
* Expanded the discussion on crypto protocols,
in part based on some suggestions from
Pawel Krawczyk (kravietz, at echelon ,dot pl).
2002-01-16 David A. Wheeler <dwheeler@dwheeler.com>
* Referenced Quixote's interesting approach to XSS.
* Mentioned RMAC.
* Expanded the Tcl section significantly.
Thanks to Wojciech Kocjan (wojciech, at kocjan dot org),
who asked me to update the Tcl section and gave me some
wrong/right examples of Tcl use that helped clarify the discussion,
as well as noting that Tcl 8.0 implements other data types
internally and is really more robust than older versions.
2002-01-15 David A. Wheeler <dwheeler@dwheeler.com>
* Clarified that you should not use "nobody" for your own
programs (unless you're writing a webserver) - instead, use the
same IDEA of creating pseudousers and groups to isolate
programs from each other. Thanks to Martijn Vernooij
tinus, at, win (dot) tue (dot) nl for asking me about this.
2002-12-31 David A. Wheeler <dwheeler@dwheeler.com>
* Added note about Ada's Inspection_Point. The idea of mentioning
Inspection_Point was suggested by Florian Weimer
(Weimer, at, CERT dot Uni-Stuttgart, dot DE) - thanks! -
but the text as usual is my own.
2002-12-30 David A. Wheeler <dwheeler@dwheeler.com>
* Version 3.005. Adds major new text on handling tmp files
where there are tmp cleaners running (true on most real systems),

716
LDP/howto/docbook/Secure-Programs-HOWTO/Secure-Programs-HOWTO.sgml
View File

@ -1,7 +1,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<!-- "Secure Programming for Linux and Unix HOWTO",
Copyright (C) 1999-2002 David A. Wheeler
Copyright (C) 1999-2003 David A. Wheeler
http://www.dwheeler.com/secure-programs -->
<!-- WARNING!!! This book is MUCH LARGER than the tiny little HOWTO's
@ -134,20 +134,21 @@ http://www.gocsi.com/press/20020407.html
<firstname>David</firstname> <othername role="mi">A.</othername><surname>Wheeler</surname>
</author>
<address><email>dwheeler@dwheeler.com</email></address>
<pubdate>v3.005, 30 December 2002</pubdate>
<edition>v3.005</edition>
<pubdate>v3.007, 16 February 2003</pubdate>
<edition>v3.007</edition>
<!-- FYI: The LDP claims they don't use the "edition" tag. -->
<copyright>
<year>1999</year>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>David A. Wheeler</holder>
</copyright>
<legalnotice>
<para>
This book is Copyright (C) 1999-2002 David A. Wheeler.
This book is Copyright (C) 1999-2003 David A. Wheeler.
Permission is granted to copy, distribute and/or modify
this book under the terms of the GNU Free Documentation License (GFDL),
Version 1.1 or any later version published by the Free Software Foundation;
@ -168,8 +169,11 @@ guidelines for writing secure programs for Linux and Unix systems.
Such programs include application programs used as viewers of remote data,
web applications (including CGI scripts),
network servers, and setuid/setgid programs.
Specific guidelines for C, C++, Java, Perl, PHP, Python, TCL,
Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl,
and Ada95 are included.
For a current version of the book, see
<ulink url="http://www.dwheeler.com/secure-programs">
http://www.dwheeler.com/secure-programs</ulink>
</para>
</abstract>
@ -200,7 +204,7 @@ and Ada95 are included.
<keyword>Perl</keyword>
<keyword>PHP</keyword>
<keyword>Python</keyword>
<keyword>TCL</keyword>
<keyword>Tcl</keyword>
<keyword>Ada</keyword>
<keyword>Ada95</keyword>
</keywordset>
@ -237,7 +241,7 @@ These guidelines were developed as a survey of
(along with additional observations by the author),
reorganized into a set of larger principles.
This book includes specific guidance for a number of languages,
including C, C++, Java, Perl, PHP, Python, TCL, and Ada95.
including C, C++, Java, Perl, PHP, Python, Tcl, and Ada95.
</para>
<para>
@ -1044,8 +1048,12 @@ http://www.dwheeler.com/secure-programs</ulink>.
<title>View of Various Experts</title>
<para>
Here are a few quotes from people who have examined the topic.
Bruce Schneier argues that smart engineers should ``demand
First, let's exampine what security experts have to say.
</para>
<para>
Bruce Schneier is a well-known expert on computer security and cryptography.
He argues that smart engineers should ``demand
open source code for anything related to security'' [Schneier 1999],
and he also discusses some of the preconditions which must be met to make
open source software secure.
@ -1076,7 +1084,12 @@ to spot and fix, ``Not only because more people can look at it, but,
more importantly, because the model forces people to write more clear
code, and to adhere to standards. This in turn facilitates security review''
[Rijmen 2000].
Elias Levy (Aleph1) discusses some of the problems in making open source
</para>
<para>
Elias Levy (Aleph1) is the former moderator of one of the most
popular security discussion groups - Bugtraq.
He discusses some of the problems in making open source
software secure in his article
<ulink url="http://www.securityfocus.com/commentary/19">"Is Open Source
Really More Secure than Closed?"</ulink>.
@ -1090,6 +1103,49 @@ than its closed source counterpart.
But make no mistake, simply being open source is no guarantee of security.
</para>
</blockquote>
</para>
<para>
Whitfield Diffie is the
co-inventor of public-key cryptography (the basis of all Internet security)
and chief security officer and senior staff engineer at Sun Microsystems.
In his 2003 article
<ulink url="http://zdnet.com.com/2100-1107-980938.html">
Risky business: Keeping security a secret</ulink>,
he argues that proprietary vendor's claims that their software
is more secure because it's secret is nonsense.
He identifies and then counters two main claims made by proprietary vendors:
(1) that release of code benefits attackers more than anyone else because
a lot of hostile eyes can also look at open-source code, and
that (2) a few expert eyes are better than several random ones.
He first notes that while giving programmers access to a piece of software
doesn't guarantee they will study it carefully,
there is a group of programmers who can be expected to care deeply:
Those who either use the software personally or work for an
enterprise that depends on it.
"In fact, auditing the programs on which an enterprise depends for
its own security is a natural function of the enterprise's own
information-security organization."
He then counters the second argument, noting that
"As for the notion that open source's usefulness to opponents
outweighs the advantages to users, that argument flies in
the face of one of the most important principles in security:
A secret that cannot be readily changed should be regarded as a vulnerability."
He closes noting that
<blockquote>
<para>
"It's simply unrealistic to depend on secrecy for security in
computer software.
You may be able to keep the exact workings of the program out of general
circulation, but can you prevent the code from being
reverse-engineered by serious opponents? Probably not."
</para>
</blockquote>
</para>
<para>
John Viega's article
<ulink url="http://dev-opensourceit.earthweb.com/news/000526_security.html">"The Myth of Open Source Security"</ulink> also discusses
issues, and summarizes things this way:
@ -1103,8 +1159,12 @@ for and fix security holes -- can also lull people into a false
sense of security.
</para>
</blockquote>
<ulink url="http://www.linuxworld.com/linuxworld/lw-1998-11/lw-11-ramparts.html">Michael H. Warfield's "Musings on open source security"</ulink> is much
more positive about the impact of open source software on security.
</para>
<para>
<ulink url="http://www.linuxworld.com/linuxworld/lw-1998-11/lw-11-ramparts.html">Michael H. Warfield's "Musings on open source security"</ulink> is
very positive about the impact of open source software on security.
In contrast,
Fred Schneider doesn't believe that open source helps security, saying
``there is no reason to believe that the many eyes inspecting (open)
source code would be successful in identifying bugs that allow
@ -1146,6 +1206,7 @@ metrics that can reflect security delivered to the customer.''
</para>
</blockquote>
</para>
<para>
Scott A. Hissam and Daniel Plakosh's
<ulink url="http://www.ics.uci.edu/~wscacchi/Papers/New/IEE_hissam.pdf">
@ -1167,6 +1228,9 @@ and attackers correctly surmised that a similar problem might be still be in
Windows (and it was).
Unless OSS/FS programs are forbidden, this kind of learning is difficult
to prevent.
Therefore, the existance of an OSS/FS program can reveal the vulnerabilities
of both the OSS/FS and proprietary program performing the same function -
but at in this example, the OSS/FS program was fixed first.
</para>
</sect2>
@ -3563,7 +3627,7 @@ harder to understand; hopefully the text in this section will help you
Note that, in some circumstances, software cannot be used unless it
has undergone a CC evaluation by an accredited laboratory.
This includes certain kinds of uses in the U.S. Department of Defense
(as specified by NSTISP Number 11, which requires that before some
(as specified by NSTISSP Number 11, which requires that before some
products can be used they must be evaluated or enter evaluation),
and in the future such a requirement may
also include some kinds of uses for software in the U.S. federal government.
@ -7568,9 +7632,10 @@ his or her protection goals.
</para>
<para>
A good overview of various desing principles for security is available in
<ulink url="http://www.csl.sri.com/neumann/chats2.html">
Peter Neumann's CHATS Principles</ulink>
A good overview of various design principles for security is available in
Peter Neumann's
<ulink url="http://www.csl.sri.com/users/neumann/chats.html#4">
Principled Assuredly Trustworthy Composable Architectures</ulink>.
<!--
???: Add:
http://www.csl.sri.com/neumann/chats2.pdf
@ -7690,17 +7755,37 @@ then they might be able to gain control of a user who ran the game.
<para>
If creating a new group isn't sufficient, consider creating a
new pseudouser (really, a special role) to manage a set of resources.
new pseudouser (really, a special role) to manage a set of resources -
often a new pseudogroup (again, a special role) is also created just
to run a program.
Web servers typically do this; often web servers are set up with a special
user (``nobody'') so that they can be isolated from other users.
Indeed, web servers are instructive here: web servers typically need
root privileges to start up (so they can attach to port 80), but once
started they usually shed all their privileges and
run as the user ``nobody''.
Again, usually the pseudouser doesn't own the primary program it runs,
so breaking into the account doesn't allow for changing the program itself.
As a result, breaking into a running web server normally does not
automatically break the whole system's security.
started they usually shed all their privileges and run as the user ``nobody''.
However, don't use the ``nobody'' account (unless you're writing a
webserver); instead, create your own pseudouser or new group.
The purpose of this approach is to isolate different programs,
processes, and data from each other,
by exploiting the operating system's ability to keep users and groups separate.
If different programs shared the same account, then breaking into one program
would also grant privileges to the other.
Usually the pseudouser should not own the programs it runs;
that way, an attack who breaks into the account cannot change
the program it runs.
By isolating different parts of the system into running separate users
and groups, breaking one part will not necessarily break the
whole system's security.
<!--
Martijn Vernooij noted http://httpd.apache.org/docs/mod/core.html#user :
The user should have no privileges which result in it being able to
access files which are not intended to be visible to the outside world,
and similarly, the user should not be able to execute code which is not
meant for httpd requests. It is recommended that you set up a new user
and group specifically for running the server. Some admins use user nobody,
but this is not always possible or desirable.
-->
</para>
<para>
@ -10131,6 +10216,14 @@ Mozilla/Netscape to implement this soon too.
You should set HttpOnly on for any cookie you send, unless you have
scripts that need the cookie, to counter certain kinds of cross-site
scripting (XSS) attacks.
However, the HttpOnly flag can be circumvented in a variety of ways,
so using as your primary defense is inappropriate.
Instead, it's a helpful secondary defense that may help save you in
case your application is written incorrectly.
<!-- See http://www.whitehatsec.com/news.html
http://www.extremetech.com/article2/0,3973,841047,00.asp
and the Bugtraq discussion, 23 Jan 2003.
-->
</para>
<para>
@ -10287,14 +10380,14 @@ to remove just those characters:
</sect3>
<sect3>
<title>Encoding</title>
<title>Encoding (Quoting)</title>
<para>
An alternative to removing the special characters is to encode them
so that they don't have any special meaning.
This has several advantages over filtering the characters,
in particular, it prevents data loss.
If the data is "mangled" by the process from the user's point of view,
at least with encoding it's possible to reconstruct the
at least when the data is encoded it's possible to reconstruct the
data that was originally sent.
</para>
@ -10312,10 +10405,40 @@ As noted above, although in theory '&gt;' doesn't need to be quoted,
because some browsers act on it (and fill in a '&lt;') it needs to be quoted.
There's a minor complexity with the double-quote character,
because '&amp;quot;' only needs to be
used inside attributes, and some old browsers don't properly render it.
used inside attributes, and some extremely old browsers don't
properly render it.
If you can handle the additional complexity, you can try to encode '&quot;'
only when you need to, but it's easier to simply encode it and ask
users to upgrade their browsers.
Few users will use such ancient browsers, and the double-quote character
encoding has been a standard for a long time.
</para>
<para>
Scripting languages may consider implementing specialized auto-quoting types,
the interesting approach developed in the web application framework
<ulink url="http://www.mems-exchange.org/software/quixote">Quixote</ulink>.
Quixote includes a "template" feature which allows easy mixing of HTML text
and Python code; text generated by a template is passed back to the web browser
as an HTML document.
As of version 0.6, Quixote has two kinds of text (instead of a single
kind as most such languages).
Anything which appears in a literal, quoted string is of type "htmltext,"
and it is assumed to be exactly as the programmer wanted it to be
(this is reasoble, since the programmer wrote it).
Anything which takes the form of an ordinary Python string, however,
is automatically quoted as the template is executed.
As a result, text from a database or other external source is
automatically quoted, and cannot be used for a cross-site scripting attack.
Thus, Quixote implements a safe default -
programmers no longer need to worry about quoting every bit of text
that passes through the application (bugs involving too much quoting
are less likely to be a security problem, and will be obvious in testing).
Quixote uses an open source software license, but because of its
venue identification it is probably GPL-incompatible, and is used by
organizations such as the
<ulink url="http://lwn.net">Linux Weekly News</ulink>.
<!-- See http://lwn.net/Articles/19552/ -->
</para>
<para>
@ -10389,6 +10512,7 @@ the codes to UTF-8, and then encode it.
See <xref linkend="Validating-uris"> for more about validating URIs.
</para>
</sect3>
</sect2>
@ -12185,12 +12309,17 @@ use correctly).
<para>
In Ada95, the Unbounded_String type is often more flexible than the
String type because it is automatically resized as necessary.
However, don't store especially sensitive values such as passwords
However, don't store especially sensitive secret values such as passwords
or secret keys in an Unbounded_String, since core dumps and page areas
might still hold them later.
Instead, use the String type for this data, lock it into memory
while it's used, and overwrite the data as
soon as possible with some constant value such as (others => ' ').
Use the Ada pragma Inspection_Point on the object holding the secret
after erasing the memory.
That way, you can be certain that
the object containing the secret will really be erased
(and that the the overwriting won't be optimized away).
</para>
<para>
@ -12209,10 +12338,10 @@ various supports for full formal proof of the code if desired.
<ulink url="http://www.sparkada.com">See the SPARK website for more
information</ulink>.
To my knowledge, there are no OSS/FS SPARK tools.
SPARK doesn't permit use of the Unbounded_String type, but still,
if you're storing passwords and private keys you should lock them into memory
(if appropriate - SPARK is often used in environments where
paging does not occur) and overwrite them as soon as possible.
If you're storing passwords and private keys you should still
lock them into memory if appropriate
and overwrite them as soon as possible.
Note that SPARK is often used in environments where paging does not occur.
</para>
</sect1>
@ -12540,54 +12669,288 @@ Code obfuscation doesn't really hide the code from serious attackers.
</sect1>
<sect1 id="tcl">
<title>TCL</title>
<title>Tcl</title>
<para>
Tcl stands for ``tool command language'' and is pronounced ``tickle.''
TCL is divided into two parts: a language and a library.
The language is a simple text language, intended for issuing commands
Tcl is divided into two parts: a language and a library.
The language is a simple language, originally intended for issuing commands
to interactive programs and including basic programming capabilities.
The library can be embedded in application programs.
You can find more information about Tcl at sites such as the
<ulink url="http://www.tcl.tk/">Tcl.tk</ulink> and the
<ulink url="http://www.sco.com/Technology/tcl/Tcl.html">Tcl WWW Info</ulink>
web page and the comp.lang.tcl FAQ launch page at
<ulink url="http://www.tclfaq.wservice.com/tcl-faq">http://www.tclfaq.wservice.com/tcl-faq</ulink>.
My thanks go to Wojciech Kocjan for providing some of this detailed
information on using Tcl in secure applications.
</para>
<para>
You can find more information about TCL at sites such as the
<ulink url="http://www.sco.com/Technology/tcl/Tcl.html">TCL WWW Info</ulink>
web page.
Probably of most interest are Safe-TCL (which creates a sandbox in TCL)
and Safe-TK (which implements a sandboxed portable GUI for Safe-TCL), as
well as the WebWiseTclTk Toolkit permits TCL packages to be automatically
For some security applications, especially interesting components of Tcl
are Safe-Tcl (which creates a sandbox in Tcl)
and Safe-TK (which implements a sandboxed portable GUI for Safe Tcl), as
well as the WebWiseTclTk Toolkit which permits Tcl packages to be automatically
located and loaded from anywhere on the World Wide Web.
You can find more about the latter from
<ulink url="http://www.cbl.ncsu.edu/software/WebWiseTclTk">http://www.cbl.ncsu.edu/software/WebWiseTclTk</ulink>.
It's not clear to me how much code review this has received.
More useful information is available from the comp.lang.tcl FAQ launch
page at
<ulink url="http://www.tclfaq.wservice.com/tcl-faq">http://www.tclfaq.wservice.com/tcl-faq</ulink>.
However, it's worth noting that TCL's desire to be a small, ``simple''
language results in a language that can be rather limiting;
see
</para>
<para>
Tcl's original design goal to be a small, simple
language resulted in a language that was originally somewhat limiting
and slow.
For an example of the limiting weaknesses in the original language, see
<ulink url="http://sdg.lcs.mit.edu/~jchapin/6853-FT97/Papers/stallman-tcl.html">
Richard Stallman's ``Why You Should Not Use TCL''</ulink>.
For example, TCL's notion that there is essentially
only one data type (string) can
make many programs harder to write (as well as making them slow).
Also, when I've written TCL programs
I've found that it's easy to accidentally create TCL programs where
malicious input strings can cause untoward and unexpected behavior.
For example, an attackers may be able to cause your TCL program
to do unexpected things by sending characters with special meaning to TCL
such as embedded spaces, double-quote, curly braces,
dollar signs, or brackets (or create input
Richard Stallman's ``Why You Should Not Use Tcl''</ulink>.
For example, Tcl was originally designed to really support only
one data type (string).
Thankfully, these issues have been addressed over time.
In particular, version 8.0 added support for more data types
(integers are stored internally as integers, lists as lists and so on).
This improves its capabilities, and in particular improves its speed.
</para>
<para>
As with essentially all scripting languages,
Tcl has an "eval" command that parses and executes arbitrary Tcl commands.
And like all such scripting languages, this eval command needs to be
used especially carefully, or an attacker could insert
characters in the input to cause malicious things to occur.
For example, an attackers may be able insert characters
with special meaning to Tcl
such as embedded whitespace (including space and newline),
double-quote, curly braces, square brackets,
dollar signs, backslash, semicolon, or pound sign (or create input
to cause these characters to be created during processing).
Thus, I don't recommend TCL for writing programs which must
This also applies to any function that passes data to eval as well
(depending on how eval is called).
</para>
<para>
Here is a small example that may make this concept clearer;
first, let's define a small function and then interactively invoke it
directly - note that these uses are fine:
<programlisting width="65">
<![CDATA[
proc something {a b c d e} {
puts "A='$a'"
puts "B='$b'"
puts "C='$c'"
puts "D='$d'"
puts "E='$e'"
}
% # This works normally:
% something "test 1" "test2" "t3" "t4" "t5"
A='test 1'
B='test2'
C='t3'
D='t4'
E='t5'
% # Imagine that str1 is set by an attacker:
% set str1 {test 1 [puts HELLOWORLD]}
% # This works as well
% something $str1 t2 t3 t4 t5
A='test 1 [puts HELLOWORLD]'
B='t2'
C='t3'
D='t4'
E='t5'
]]>
</programlisting>
However, continuing the example, let's see how "eval"
can be incorrectly and correctly called.
If you call eval in an incorrect (dangerous) way, it
allows attackers to misuse it.
However, by using commands like list or lrange to correctly
group the input, you can avoid this problem:
<programlisting width="65">
<![CDATA[
% # This is the WRONG way - str1 is interpreted.
% eval something $str1 t2 t3
HELLOWORLD
A='test'
B='1'
C=''
D='t2'
E='t3'
% # Here's one solution, using "list".
% eval something [list $str1 t2 t3 t4 t5]
A='test 1 [puts HELLOWORLD]'
B='t2'
C='t3'
D='t4'
E='t5'
% # Here's another solution, using lrange:
% eval something [lrange $str1 0 end] t2
A='test'
B='1'
C='[puts'
D='HELLOWORLD]'
E='t2'
]]>
</programlisting>
Using lrange is useful when concatenating arguments to a called
function, e.g., with more complex libraries using callbacks.
In Tcl, eval is often used to create a one-argument version of a function
that takes a variable number of arguments, and you need to be careful
when using it this way.
Here's another example (presuming that you've defined a "printf" function):
<programlisting width="65">
<![CDATA[
proc vprintf {str arglist} {
eval printf [list $str] [lrange $arglist 0 end]
}
% printf "1+1=%d 2+2=%d" 2 4
% vprintf "1+1=%d 2+2=%d" {2 4}
]]>
</programlisting>
</para>
<para>
Fundamentally, when passing a command that will be eventually
evaluated, you must pass Tcl commands as a properly built list,
and not as a (possibly concatentated) string.
For example, the "after" command runs a Tcl command after a given
number of milliseconds; if the data in $param1 can be controlled by
an attacker, this Tcl code is dangerously wrong:
<programlisting width="65">
<![CDATA[
# DON'T DO THIS if param1 can be controlled by an attacker
after 1000 "someCommand someparam $param1"
]]>
</programlisting>
This is wrong, because if an attacker can control the value of $param1,
the attacker can control the program.
For example, if the attacker can cause $param1 to have
'[exit]', then the program will exit.
Also, if $param1 would be '; exit', it would also exit.
</para>
<para>
Thus, the proper alternative would be:
<programlisting width="65">
<![CDATA[
after 1000 [list someCommand someparam $param1]
]]>
</programlisting>
Even better would be something like the following:
<programlisting width="65">
<![CDATA[
set cmd [list someCommand someparam]
after 1000 [concat $cmd $param1]
]]>
</programlisting>
</para>
<para>
Here's another example showing what you shouldn't do,
pretending that $params is data controlled by possibly malicious user:
<programlisting width="65">
<![CDATA[
set params "%-20s TESTSTRING"
puts "'[eval format $params]'"
]]>
</programlisting>
will result in:
<programlisting width="65">
<![CDATA[
'TESTSTRING '
]]>
</programlisting>
But, when if the untrusted user sends data with an embedded newline,
like this:
<programlisting width="65">
<![CDATA[
set params "%-20s TESTSTRING\nputs HELLOWORLD"
puts "'[eval format $params]'"
]]>
</programlisting>
The result will be this (notice that the attacker's code was executed!):
<programlisting width="65">
<![CDATA[
HELLOWORLD
'TESTINGSTRING '
]]>
</programlisting>
Wojciech Kocjan suggests that the
simplest solution in this case is to convert this to a list using
lrange, doing this:
<programlisting width="65">
<![CDATA[
set params "%-20s TESTINGSTRING\nputs HELLOWORLD"
puts "'[eval format [lrange $params 0 end]]'"
]]>
</programlisting>
The result would be:
<programlisting width="65">
<![CDATA[
'TESTINGSTRING '
]]>
</programlisting>
Note that this solution presumes that the potentially malicious
text is concatenated to the end of the text; as with all languages,
make sure the attacker cannot control the format text.
</para>
<para>
As a matter of style always use curly braces
when using if, while, for, expr, and any other command which
parses an argument using expr/eval/subst.
Doing this will avoid
a common error when using Tcl called unintended double substitution
(aka double substitution).
This is best explained by example; the following code is incorrect:
<programlisting width="65">
<![CDATA[
while ![eof $file] {
set line [gets $file]
}
]]>
</programlisting>
The code is incorrect because the "![eof $file]" text will be evaluated
by the Tcl parser when the while command is executed the first time,
and not re-evaluated in every iteration as it should be.
Instead, do this:
<programlisting width="65">
<![CDATA[
while {![eof $file]} {
set line [gets $file]
}
]]>
</programlisting>
Note that both the condition, and the action to be performed,
are surrounded by curly braces.
Although there are cases where the braces are redundant, they never hurt,
and when you fail to include the curly braces where they're needed
(say, when making a minor change) subtle and hard-to-find
errors often result.
</para>
<para>
More information on good Tcl style can be found in documents such as
<ulink url="http://www.tcl.tk/doc/styleGuide.pdf">
Ray Johnson's Tcl Style Guide</ulink>.
</para>
<para>
In the past, I have stated that
I don't recommend Tcl for writing programs which must
mediate a security boundary.
If you do choose to do so, be especially careful to ensure that user
input cannot ``fool'' the program.
On the other hand, I know of no strong reason (other than
insufficient review) that TCL programs can't be used to implement mobile code.
There are certainly TCL advocates who will advocate more use than I do,
and TCL is one of the few languages with
a ready-made sandbox implementation.
Tcl seems to have improved since that time, so while I cannot guarantee
Tcl will work for your needs, I can't guarantee that any other language
will work for you either.
Again, my thanks to Wojciech Kocjan who provided some
of these suggestions on how to
write Tcl code for secure applications.
</para>
</sect1>
@ -13599,6 +13962,9 @@ immutable (they will not be overwritten until garbage-collected and
then reused, possibly a far time in the future).
Instead, in Java use char[] to store a password, so it can be
immediately overwritten.
In Ada, use type String (an array of characters),
and not type Unbounded_String, to make sure
that you have control over the contents.
</para>
<para>
@ -13610,6 +13976,10 @@ to stores that are no longer used - this is often referred to as
"dead store removal."
Unfortunately, if the write is really to overwrite the value of a secret,
this means that code that appears to be correct will be silently discareded.
Ada provides the pragma Inspection_Point; place this after the
code erasing the memory, and that way you can be certain that
the object containing the secret will really be erased
(and that the the overwriting won't be optimized away).
</para>
<para>
@ -13622,7 +13992,7 @@ the C/C++ compilers gcc version 3 or higher, SGI MIPSpro, and the Microsoft
compilers eliminated simple inlined calls to memset
intended to overwrite secrets.
This is allowed by the C and C++ standards.
Other compilers (such as gcc less than version 3) preserved the inlined
Other C/C++ compilers (such as gcc less than version 3) preserved the inlined
call to memset at all optimization levels, showing that the issue
is compiler-specific.
Simply declaring that the destination data is volatile doesn't
@ -13716,8 +14086,14 @@ A survey of legal issues is available at the ``Crypto Law Survey'' site,
Often, your software should provide a way to
reject ``too small'' keys, and let the user set what ``too small'' is.
For RSA keys, 512 bits is too small for use.
Some believe that 1024 bits for RSA keys are not enough either, based
on recent work by Bernstein; you may want to
There is increasing evidence that
1024 bits for RSA keys is not enough either;
Bernstein has suggested techniques that simplify brute-forcing RSA, and
other work based on it
(such as Shamir and Tromer's "Factoring Large Numbers with the TWIRL device")
now suggests that 1024 bit keys can be broken in a year
by a $10 Million device.
You may want to
make 2048 bits the minimum for RSA if you really want a secure system,
and you should certainly do so if you plan to use those keys after 2015.
For more about RSA specifically, see
@ -13732,30 +14108,136 @@ cryptographic algorithm issues, see
<title>Cryptographic Protocols</title>
<para>
For protocols, try to use standard-conforming protocols
such as SSL (soon to be TLS), SSH, IPSec, GnuPG/PGP, and Kerberos.
Many of these overlap somewhat in functionality, but each has
a ``specialty'' niche.
SSL (soon to be TLS) is the primary method for protecting http (web)
transactions.
PGP-compatible protocols (implemented in PGP and GnuPG) are a primary
method for securing email end-to-end.
When you need a security protocol, try to use standard-conforming protocols
such as IPSec, SSL (soon to be TLS), SSH, S/MIME, OpenPGP/GnuPG/PGP,
and Kerberos.
Each has advantages and disadvantages;
many of them overlap somewhat in functionality, but each tends to be
used in different areas:
<itemizedlist>
<listitem>
<para>
Internet Protocol Security (IPSec).
IPSec provides encryption and/or authentication at the IP packet level.
However, IPSec is often used in a way that
only guarantees authenticity of two
communicating hosts, not of the users.
As a practical matter, IPSec usually requires low-level support
from the operating system (which not all implement) and
an additional keyring server that must be configured.
Since IPSec can be used as a "tunnel" to secure packets belonging to
multiple users and multiple hosts, it is especially useful for
building a Virtual Private Network (VPN) and connecting a remote machine.
As of this time, it is much less often used to secure communication
from individual clients to servers.
The new version of the Internet Protocol, IPv6, comes with
IPSec ``built in,'' but IPSec also works with the more common IPv4 protocol.
Note that if you use IPSec, don't use the encryption mode without the
authentication, because the authentication also acts as
integrity protection.
</para>
</listitem>
<listitem>
<para>
Secure Socket Layer (SSL) / TLS.
SSL/TLS works over TCP and tunnels other protocols using TCP, adding
encryption, authentication of the server, and optional authentication
of the client (but authenticating clients using SSL/TLS requires
that clients have configured X.509 client certificates, something
rarely done).
SSL version 3 is widely used; TLS is a later adjustment to SSL that
strengthens its security and improves its flexibility.
Currently there is a slow transition going on from SSLv3 to TLS, aided
because implementations can easily try to use TLS and then back off to SSLv3
without user intervention.
Unfortunately, a few bad SSLv3 implementations cause problems with the
backoff, so you may need a preferences setting to allow users to skip
using TLS if necessary.
Don't use SSL version 2, it has some serious security weaknesses.
</para>
<para>
SSL/TLS is the primary method for protecting http (web) transactions.
Any time you use an "https://" URL, you're using SSL/TLS.
Other protocols that often use SSL/TLS include POP3 and IMAP.
SSL/TLS usually use a separate TCP/IP port
number from the unsecured port, which the IETF is a little unhappy about
(because it consumes twice as many ports; there are solutions to this).
SSL is relatively easy to use in programs, because
most library implementations allow programmers to use operations
similar to the operations on standard sockets like
SSL_connect(), SSL_write(), SSL_read(), etc.
A widely used OSS/FS implementation of SSL (as well as other capabilities)
is OpenSSL, available at
<ulink url="http://www.openssl.org">http://www.openssl.org</ulink>.
</para>
</listitem>
<listitem>
<para>
OpenPGP and S/MIME.
There are two competing, essentially incompatible standards for
securing email: OpenPGP and S/MIME.
OpenPHP is based on the PGP application; an OSS/FS implementation is
GNU Privacy Guard from
<ulink url="http://www.gnupg.org">http://www.gnupg.org</ulink>.
Currently, their certificates are often not interchangeable;
work is ongoing to repair this.
</para>
</listitem>
<listitem>
<para>
SSH.
SSH is the primary method of securing ``remote terminals'' over an
internet, and it also includes methods for
tunelling X Windows sessions.
However, it's been extended to support single sign-on and
general secure tunelling for TCP streams, so it's often
used for securing other data streams too (such as CVS accesses).
The most popular implementation of SSH is OpenSSH
<ulink url="http://www.openssh.com">http://www.openssh.com</ulink>,
which is OSS/FS.
Typical uses of SSH allows the client to authenticate that the
server is truly the server, and
then the user enters a password to authenticate the user
(the password is encrypted and sent to the other system for verification).
Current versions of SSH can store private keys, allowing users to not
enter the password each time.
To prevent man-in-the-middle attacks, SSH records keying information
about servers it talks to; that means that typical use of
SSH is vulnerable to a man-in-the-middle attack during the
very first connection, but it can detect problems afterwards.
In contrast, SSL generally uses a certificate authority, which eliminates
the first connection problem but requires special setup (and payment!) to
the certificate authority.
</para>
</listitem>
<listitem>
<para>
Kerberos.
Kerberos is a protocol for single sign-on and authenticating users
against a central authentication and key distribution server. Kerberos
works by giving authenticated users "tickets", granting them access to
various services on the network.
When clients then contact servers, the servers can verify the tickets.
Kerberos is a primary method for securing and supporting authentication
on a LAN, and for establishing shared secrets (thus, it needs to be
used with other algorithms for the actual protection of communication).
SSH is the primary method of securing ``remote terminals'' over an
internet, e.g., telnet-like and X windows connections, though it's often
used for securing other data streams too (such as CVS accesses).
Note that there are two major versions of the SSH protocol, and there
are several choices for key types and so on; see its documentation
for more information.
OpenSSH is an open source implementation of SSH.
IPSec is the primary method for securing lower-level packets and
``all'' packets, so it's particularly useful for securing
virtual private networks and remote machines.
The new version of the Internet Protocol, IPv6, comes with
IPSec ``built in,'' but IPSec also works with the more common IPv4 protocol.
Note that to use Kerberos, both the client and server have to include
code to use it, and since not everyone has a Kerberos setup, this has
to be optional - complicating the use of Kerberos in some programs.
However, Kerberos is widely used.
</para>
</listitem>
</itemizedlist>
</para>
<para>
Many of these protocols allow you to select a number of different
@ -14026,6 +14508,44 @@ for most environments isn't necessary.
</sect2>
<sect2 id="rmac">
<title>Randomized Message Authentication Mode (RMAC)</title>
<para>
<ulink url="http://csrc.nist.gov/CryptoToolkit/modes">
NIST has developed and proposed
a new mode</ulink> for using cryptographic algorithms called
<ulink url="http://www.counterpane.com/crypto-gram-0301.html">
Randomized Message Authentication Code (RMAC)</ulink>.
RMAC is intended for use as a message authentication code technique.
</para>
<para>
Although there's a formal proof showing that RMAC is secure, the
proof depends on the highly questionable assumption that
the underlying cryptographic algorithm
meets the "ideal cipher model" - in particular, that the algorithm is
secure against a variety of specialized attacks, including related-key attacks.
Unfortunately, related-key attacks are poorly studied for many algorithms;
this is not the kind of property or attack that most people worry about
when analyzing with cryptographic algorithms.
It's known triple-DES doesn't have this properly, and it's unclear if
other widely-accepted algorithms like AES have this property
(it appears that AES is at least weaker against related key attacks than
usual attacks).
</para>
<para>
The best advice right now is "don't use RMAC".
There are other ways to do message authentication, such as HMAC
combined with a cryptographic hash algorithm (e.g., HMAC-SHA1).
HMAC isn't the same thing (e.g., technically it doesn't include a
nonce, so you should rekey sooner), but the theoretical weaknesses
of HMAC are merely theoretical, while the problems in RMAC seem far
more important in the real world.
</para>
</sect2>
<sect2 id="crypto-other">
<title>Other Cryptographic Issues</title>
@ -14271,9 +14791,11 @@ This tool isn't really specific to security.
<ulink url="http://www.immunitysec.com/spike.html">SPIKE</ulink>
is a "fuzzer creation kit", i.e., it's a toolkit designed to
create "random" tests to find security problems.
The SPIKE toolkit is particularly designed for protocol analysis by
simulating network protocol clients, and SPIKE proXy is a tool built on
SPIKE to test web applications.
SPIKE includes a few pre-canned tests.
As of version 2.7 its documentation is weak (the author knows this
is a problem and plans to fix it).
SPIKE is licensed under the GPL.
</para></listitem>
</itemizedlist>
@ -14594,6 +15116,20 @@ getting constantly subverted for years at a time.
<!-- ??? maybe someday add Logging discussion -->
<para>
Follow best practices and common conventions when leading a
software development project.
If you are leading an open source software / free software project,
some useful guidelines can be found in
<ulink url="http://www.tldp.org/HOWTO/Software-Proj-Mgmt-HOWTO/index.html">
Free Software Project Management HOWTO</ulink> and
<ulink url="http://www.tldp.org/HOWTO/Software-Release-Practice-HOWTO/index.html">
Software Release Practice HOWTO</ulink>;
you should also read
<ulink url="http://www.tuxedo.org/~esr/writings/cathedral-bazaar">
The Cathedral and the Bazaar</ulink>.
</para>
<para>
Every once in a while, review security guidelines like this one.
At least re-read the conclusions in <xref linkend="conclusion">,