mirror of https://github.com/tLDP/LDP
766 lines
34 KiB
Plaintext
766 lines
34 KiB
Plaintext
2002-02-18 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Clarified more about GUI applications.
|
|
* Updated my picture, now it actually looks more like me.
|
|
* Changed URL for libsafe.
|
|
* Renamed LCLint to splint.
|
|
* Mentioned dreamland.
|
|
|
|
2002-02-16 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 3.007.
|
|
|
|
2002-02-02 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted Shamir and Tromir's paper on Factoring Large Numbers with
|
|
the TWIRL device (a draft paper at this time) - the paper basically
|
|
suggests that 1024-bit RSA isn't secure either.
|
|
|
|
2002-01-23 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Clarified that HttpOnly on cookies is a useful secondary defense,
|
|
but don't count on it as primary. I wrote it that way before,
|
|
but recent papers on "breaks" because some people thought
|
|
HttpOnly was sufficient as a primary defense made me decide
|
|
to state this even more clearly.
|
|
|
|
2002-01-16 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Expanded the discussion on crypto protocols,
|
|
in part based on some suggestions from
|
|
Pawel Krawczyk (kravietz, at echelon ,dot pl).
|
|
|
|
2002-01-16 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Referenced Quixote's interesting approach to XSS.
|
|
* Mentioned RMAC.
|
|
* Expanded the Tcl section significantly.
|
|
Thanks to Wojciech Kocjan (wojciech, at kocjan dot org),
|
|
who asked me to update the Tcl section and gave me some
|
|
wrong/right examples of Tcl use that helped clarify the discussion,
|
|
as well as noting that Tcl 8.0 implements other data types
|
|
internally and is really more robust than older versions.
|
|
|
|
2002-01-15 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Clarified that you should not use "nobody" for your own
|
|
programs (unless you're writing a webserver) - instead, use the
|
|
same IDEA of creating pseudousers and groups to isolate
|
|
programs from each other. Thanks to Martijn Vernooij
|
|
tinus, at, win (dot) tue (dot) nl for asking me about this.
|
|
|
|
2002-12-31 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added note about Ada's Inspection_Point. The idea of mentioning
|
|
Inspection_Point was suggested by Florian Weimer
|
|
(Weimer, at, CERT dot Uni-Stuttgart, dot DE) - thanks! -
|
|
but the text as usual is my own.
|
|
|
|
2002-12-30 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Version 3.005. Adds major new text on handling tmp files
|
|
where there are tmp cleaners running (true on most real systems),
|
|
notes on avoiding buffer overflow in FD_SET/FD_CLR(), and
|
|
a long discussion on a new attack against web-based systems:
|
|
session fixation. I also added text about
|
|
protecting secrets in memory.
|
|
|
|
2002-12-26 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Made major modifications to the tmp file section based on
|
|
Michal Zalewski's (lcamtuf, at, coredump, dot cx)
|
|
very nice article titled "[RAZOR] Problems with mkstemp()".
|
|
In this paper, posted on Bugtraq but also sent directly to me
|
|
by him (THANK YOU!), he notes the problems of tmp cleaners and
|
|
how they introduce races to otherwise non-racy safe uses.
|
|
|
|
Thankfully, it appears that my earlier suggestion on how to do
|
|
this in C is fine, since it's file descriptor based.
|
|
HOWEVER, before I had suggested NOT using temp files in shell,
|
|
but if you had to, use mktemp(1). It turns out my intuition was
|
|
correct - you really can't do it safely in shell at all,
|
|
even with mktemp(1), in tmp cleaning environments where an
|
|
attacker can influence /tmp. Since this describes a number
|
|
of environments (and sometimes environments change INTO this
|
|
circumstance), it's much safer to just not do it.
|
|
|
|
* Expanded the discussion of OpenWall, and gave the specific
|
|
rules used in the LSM version of OpenWall. That way,
|
|
people can write their code to run correctly in OpenWall-protected
|
|
systems running the LSM version of OpenWall.
|
|
|
|
* Added a note about FD_SET() and FD_CLR() thanks to the
|
|
Timo Sirainen (tss, at, iki dot fi), who very helpfully noted:
|
|
Just occured to me a while ago that FD_SET() and FD_CLR() don't
|
|
do any buffer size checks. After a bit of googleing I didn't
|
|
see this mentioned pretty anywhere else than
|
|
in recent pppd vulnerability, which exploited exactly this problem.
|
|
I don't think it's obvious to most people that the
|
|
check should be done, especially because fd_set isn't even
|
|
defined to be an array. Linux's select() man page doesn't even
|
|
say anything about FD_SETSIZE.
|
|
|
|
|
|
2002-12-19 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added long discussion on session fixation.
|
|
|
|
2002-11-19 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Significant additional discussion about protecting secrets
|
|
in memory, in particular mlock() and scrubbing secrets in memory.
|
|
In particular, added discussion about what you need to do to
|
|
avoid having the C/C++ compiler optimize away memory overwrites
|
|
(this is an old & well-known issue, but the recent Bugtraq
|
|
discussion jogged my memory and realized that I hadn't specifically
|
|
discussed it in the book).
|
|
* Noted Perl's File::Temp. My thanks to Steven M. Christey,
|
|
coley (at, linus.mitre.org), for pointing this out.
|
|
|
|
2002-10-29 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 3.000.
|
|
|
|
2002-8-13 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added long discussion about security requirements, in particular
|
|
emphasizing the Common Criteria.
|
|
* Noted that SQL metacharacter insertion is often called
|
|
"SQL injection".
|
|
|
|
2002-7-13 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Various small improvements.
|
|
|
|
2002-4-29 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Thanks to Bastian Kleineidam, who noted that Java's clone()
|
|
returns Object, not void.
|
|
|
|
2002-4-10 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Mentioned "Mastering Regular Expressions"... he has a
|
|
regular expression for checking email addresses.. and it's
|
|
so long that it SHOWS how hard it is to really check
|
|
email addresses.
|
|
|
|
2002-4-10 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Updated slides slightly, and re-posted.
|
|
|
|
2002-4-09 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added link to Crypto Law Survey.
|
|
|
|
2002-4-02 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added note about Openwall temp directory policy.
|
|
|
|
2002-3-28 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to http://www.enseirb.fr/~glaume/indexen.html
|
|
(buffer overflow study)
|
|
|
|
2002-3-25 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Recommend 2048-bit, not 1024-bit, keys for RSA.
|
|
Recent factoring algorithm improvements make it possible for
|
|
well-funded organizations to break in 1024-bit quickly.
|
|
See Bugtraq, 23 Mar 2002, "1024-bit RSA keys in danger of compromise"
|
|
by "Lucky Green" <shamrock@cypherpunks.to>.
|
|
Bruce Scheier has a countering opinion, but frankly, why risk it?
|
|
This is an area where using a few more bits is usually easy,
|
|
so just do it.
|
|
|
|
2002-3-18 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted perl users want people to use sudo, not suidperl.
|
|
* Noted ORDB as another anti-spam service.
|
|
|
|
2002-3-14 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Release version 2.963 to internal website.
|
|
* Modified my local document generation process.
|
|
It turns out that the version numbers weren't printing on
|
|
the copies I was generating!! That's fixed now.
|
|
* Fixed date of zlib bug (it's 2002, not 2001).
|
|
My thanks to Colin Simmonds (Nortel Networks), who noticed this
|
|
mistake only two days after I released my book.
|
|
And wow - there must be a lot of people looking at my book, to
|
|
so quickly notice a minor error in an update in the middle
|
|
of the book!
|
|
* Mentioned Valgrind and Electric Fence, two tools that can help
|
|
counter double-free()ing problems like zlib's.
|
|
|
|
2002-3-11 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 2.961.
|
|
* Added note about double-free'ing, and the environment variables
|
|
that can be used to counter the problem.
|
|
* Added note about avoiding off-by-one bugs. That's really
|
|
a general "avoid bugs" issue, but I thought it'd be
|
|
worth mentioning.
|
|
* Spelling error fixed ("relased" -> "released").
|
|
|
|
2002-3-8 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added info about spam.
|
|
* Added note on CRT Eavesdropping.
|
|
|
|
2002-3-7 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Mentioned NSA's nsa1.www.conxion.com website.
|
|
|
|
2002-3-4 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Expanded slightly on the "mutually untrusting programs" description.
|
|
This was hinted at in Qmail's discussion, though I didn't use
|
|
any text other than that phrase. I added a note that I need
|
|
to go back to the Qmail text to really deal with it further.
|
|
* Fixed two small typos noted by Thomas Klausner
|
|
|
|
2002-3-2 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 2.95.
|
|
* Fixed URL (securingjava.com), which had a side-effect of
|
|
creating a minor plucker error.
|
|
|
|
2002-2-26 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 2.94 (to my website).
|
|
* addition->additional, noted by Pat Gunn.
|
|
* std:string in C++ doesn't auto-convert to char*, my bad.
|
|
The problem is that some OTHER string libraries do so.
|
|
Thanks to Per Mellstrand for pointing this out.
|
|
* Made a MAJOR change on my local website in the tools I use.
|
|
I now primarily use the LDP tools. As a result, the PDF is
|
|
better (with hyperlinks and a nicer TOC), the HTML has
|
|
section numbers, MUCH better ASCII text, a one-page HTML,
|
|
and plucker format. Thus, my website's results are nicer,
|
|
and I can be more certain about the results that the LDP gives too.
|
|
|
|
2002-2-21 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Mentioned Fenris.
|
|
* Modified URL to Kirch's paper; unix-vs-nt.org appears to have
|
|
permanently gone down, and I can't get hold of John Kirch,
|
|
so I now link to the Internet Archive copy.
|
|
|
|
2002-2-9 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 2.93.
|
|
* Added text about semantic attacks.
|
|
* More discussion about shells and their problems.
|
|
|
|
2002-2-6 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added note from David deVitry - in some circumstances
|
|
web browsers can be fooled into automatically POSTing form data.
|
|
It's still a good idea to ignore GET and require POST for
|
|
some operations, as discussed in the text.
|
|
|
|
2002-2-1 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added warnings about strncpy() and seteuid(), based on
|
|
comments from Philip Hazel.
|
|
* Added notes on SQL metacharacters, based on
|
|
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
|
|
|
|
2002-1-7 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Fixed UTF-8 table format.
|
|
|
|
2002-1-7 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 2.91.
|
|
|
|
2002-1-3 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Changed the UTF-8 legal values table. The original table
|
|
was WRONG, ack!! This stuff is quite tricky; many
|
|
didn't notice the problem earlier. Thanks to
|
|
Peter Astrand who noted the problem, and who pointed me to
|
|
http://www.unicode.org/unicode/uni2errata/UTF-8_Corrigendum.html
|
|
which has a correct table.
|
|
|
|
2002-1-3 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added more about checking URIs; the idea was suggested by
|
|
John Levon.
|
|
|
|
2001-12-28 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added more text about PHP, based on some suggestions by
|
|
Richard Lynch.
|
|
|
|
2001-12-17 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a reference to Cyclone, including Viega's review.
|
|
* I haven't added a "why write secure programs" section.
|
|
If I do, I'll probably mention gems like this one
|
|
titled "Cyberattacks increase after Sept. 11"
|
|
by Dibya Sarkar:
|
|
"In Orlando, Florida, there has been a nearly 300-fold
|
|
increase in cyberattacks, and most IP addresses show they're
|
|
from the Middle East and Pakistan, said John, Matelski, Orlando's
|
|
deputy CIO, who advises the mayor.
|
|
Before Sept. 11, he said the city averaged about 50 intrusion
|
|
attacks per month. After the attacks, the city has
|
|
averaged about 14,000 per month.
|
|
"Many of these intrusion attempts are not volatile.
|
|
They're merely probes to find deficiencies and perhaps do harm,"
|
|
Matelski said.
|
|
Federal Computer Week, December 3, 2001, page S19.
|
|
|
|
|
|
2001-12-11 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added discussion of new PHP (4.1.0), which makes it easier to
|
|
write PHP software with register_globals off, and
|
|
warns that this will become the default.
|
|
|
|
2001-10-15 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to Kurt Seifried's paper on web authentication.
|
|
|
|
2001-10-10 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Incorporated many suggestions from Bill Brykczynski.
|
|
* Switched to DocBook version 4.1 (from 3.1).
|
|
* Began using a stylesheet.
|
|
* Switched to a different spelling checker (aspell), which found
|
|
a number of speeling priblems.
|
|
* Added a lot of material about web authentication.
|
|
* Added a long discussion on cryptography, including suggestions
|
|
on recommended algorithms.
|
|
|
|
2001-7-24 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added link to [LSD 2001].
|
|
|
|
2001-7-16 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* New link to BFBTester, and it now works on Linux (yay!).
|
|
|
|
2001-7-6 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a new section on PHP. This is based on Clowes' work,
|
|
though many of the actual recommendations are my own.
|
|
* Fixed a number of grammer and typo errors - my thanks to
|
|
Moritz Jodeit, who sent me a nice long set of fixes!
|
|
|
|
2001-7-5 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted PyChecker.
|
|
|
|
2001-6-14 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted that to really drop privileges you may also need to
|
|
reset the supplemental groups.
|
|
|
|
2001-6-08 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Fixed typo, 'fileystem'.
|
|
|
|
2001-6-04 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to Geodsoft's hardening OpenBSD info.
|
|
|
|
2001-5-31 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to Zalewski's "Delivering Signals for Fun and
|
|
Profit", and some more material on signals based on it.
|
|
|
|
2001-5-30 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Fixed grammatical error in the open source security section.
|
|
* Released version 2.87.
|
|
|
|
2001-5-24 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Updated the description of ITS4, added references to
|
|
RATS and flawfinder.
|
|
* Local release as version 2.86.
|
|
|
|
2001-5-16 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to Cox 2000 (Windows 2000 secure configuration).
|
|
|
|
2001-5-10 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to Murhammer as a general TCP/IP reference.
|
|
|
|
2001-5-09 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Mentioned the Entropy Gathering Daemon.
|
|
|
|
2001-5-07 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Mentioned Jerry Connolly's http://heap.nologin.net/aspsec.html
|
|
web page for ASP input issues.
|
|
* Mentioned inconsistent strlcat semantics when size==0 or there
|
|
are no embedded NIL characters.
|
|
* Mentioned GID==0 - it's VERY special on some Unix-like systems,
|
|
and it's all-powerful on most anyway.
|
|
|
|
2001-4-23 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Extended discussion on persistent cookies, in particular noting
|
|
that they are illegal on U.S. government sites (with a reference).
|
|
|
|
2001-4-23 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Mentioned linux-security-module
|
|
* Referenced "Vulnerability Assessment Scanners" by Forristal.
|
|
|
|
2001-4-05 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Expanded discussion of trusted path and trustworthy channels.
|
|
* Noted that when fixing a vulnerability, log later attempts.
|
|
|
|
2001-3-30 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added cross-references and other information noting that, at
|
|
installation time, you should check your system assumptions
|
|
necessary for security.
|
|
|
|
2001-3-22 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted the problem with globbing.
|
|
|
|
2001-3-20 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to Halvar Flake's slides on disassembling closed
|
|
source programs.
|
|
|
|
2001-3-06 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to http://www-syntim.inria.fr/fractales/Staff/
|
|
Raynal/LinuxMag/SecProg/Art4/index.html
|
|
* Added note about rfork().
|
|
|
|
2001-2-28 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted that you need to load initialization values from a trusted
|
|
location (based on recent problems with Joe)
|
|
* Added reference to IETF RFC 1750 (Randomness Recommendations
|
|
for Security).
|
|
* Noted that Mandrake 7.1 includes libsafe.
|
|
|
|
2001-2-27 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Fixed many minor typos - thanks to John Levon who identified them.
|
|
* Noted various security extensions, such as FreeBSD's jail(2)
|
|
and the huge numbers of research efforts for Linux (Janus,
|
|
Subterfugue, NSA Linux/Flask, RSBAC, etc.). Sometime I'll have to
|
|
add the information on Trusted Solaris, etc., but for the moment
|
|
I refer to NSA's "Evaluated Product List" which has specific
|
|
information on the security approaches of some of them.
|
|
* Noted "fuzz".
|
|
* Added a reference to William Stalling's excellent collection
|
|
of papers, "Practical Cryptography for Data Internetworks."
|
|
|
|
2001-2-8 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted other shell special characters, in particular the whitespace
|
|
characters that separate parameters.
|
|
|
|
2001-1-12 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 2.75.
|
|
* Moved from DocBook 3.0 to DocBook 3.1. I tried doing this
|
|
earlier, but I forgot to change "Davenport" to "OASIS" and got
|
|
lots of error messages. The right header obviously matters!
|
|
* Added a figure ("program") showing my abstract view of programs;
|
|
it's not deep, but it helps to logically keep things straight.
|
|
The master file is "program.dia", which is editable with the
|
|
open source (GPL'ed) program "Dia" available at
|
|
http://www.lysator.liu.se/~alla/dia (and in many distributions).
|
|
It's not beautiful (I'm no artist), but hopefully it helps
|
|
explain the idea.
|
|
* Switched to distributing a tarball, so the figure is included.
|
|
* Modified the random number section, after
|
|
Jordan Dimov <jdimov@cis.clarion.edu> rightly complained that my
|
|
phrase 'truly random numbers' was somewhat misleading.
|
|
Fair enough, I was glossing over the details (which I knew) -
|
|
hopefully this version gives the bigger picture.
|
|
I ended up basically rewriting the section.
|
|
* Added section about "Open Source" and security.
|
|
|
|
2001-1-1 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released the book as version 2.70.
|
|
Seriously extended and modified the book, adding lengthy
|
|
discussions about cross-site malicious content, verifying
|
|
HTML and URIs, and creating temporary files.
|
|
Did a number of clean-ups and various additions, too.
|
|
|
|
2000-12-4 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a section, "prevent-include-access".
|
|
I was reminded of this issue by the Bugtraq posting of 1 Dec 2000
|
|
by Mads Bach (bach@INDER.NET), with the subject line
|
|
"Web based apps and include files".
|
|
* Added a section about not including comments in returned data.
|
|
|
|
2000-11-10 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added information about Java not enforcing "private" etc.
|
|
from null/trusted Classloaders, my thanks to
|
|
John Steven who noted this!
|
|
* Added reference to sci.crypt and their FAQ.
|
|
* Modified the definition of "Availability" due to a
|
|
comment by Alan Santos.
|
|
* Fixed discussion about sprintf().. you _can_ use sprintf()
|
|
to avoid buffer overflows, but its use is tricky.
|
|
|
|
2000-10-30 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a reference to the GLB Act (a new U.S. law)
|
|
|
|
2000-10-26 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a note that you should only call to programs intended for
|
|
calling by another program.
|
|
|
|
2000-10-26 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Michael Kerrisk mentioned that #defining
|
|
_SVID_SOURCE or _BSD_SOURCE, then #include <features.h>,
|
|
will cause __USE_MISC to be defined (and allow clearenv).
|
|
|
|
2000-10-24 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a discussion about vfork. John Levon pointed me to the
|
|
issue, which was written up by Solar Designer.
|
|
|
|
2000-10-03 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Company name change; RST became "Cigital".
|
|
|
|
2000-09-05 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a note about web bugs.
|
|
|
|
2000-09-03 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a number of internal cross-references (29 currently).
|
|
Now that I've given all sections an "id", I can use the
|
|
"xref" tag effectively. This should really help readers
|
|
follow the text in some places... now you can easily jump
|
|
to related material in the text.
|
|
* Added "Free Software" to some titles as well as
|
|
"Open Source Software", and pointed to the FSF for more
|
|
such information. Also fixed a typo.
|
|
|
|
2000-09-01 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Modified Conclusions and "atomic" section to emphasize the
|
|
problems with /tmp and /var/tmp directories (especially
|
|
how attackers create symbolic links in them to cause trouble).
|
|
* Modified the SGML so that all <sectX> (as well as all chapters)
|
|
have a reasonable "id" attached. Now all HTML filenames have
|
|
meaningful filenames, as well as the sections inside.
|
|
This will make it easier for people to externally link to
|
|
specific sections of the document.
|
|
* Added note that glibc _does_ filter the LANG setting for
|
|
setuid/setgid, but that it's been buggy (Red Hat released a fix
|
|
on September 1, 2000).
|
|
|
|
2000-08-28 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added the note that MD5 is rumored to be broken (& referenced
|
|
the 22 August 2000 posting in Bugtraq that raised this).
|
|
I don't want to be a rumormonger, but since MD5 has already been
|
|
shown to be partly broken, this seems quite plausible; besides,
|
|
a better algorithm is available, so this is yet another reason
|
|
to switch.
|
|
|
|
2000-08-21 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added information that strlcpy/strlcat are being added to glib
|
|
(I'm the one that implemented & recommended the patch, based
|
|
on the original BSD work).
|
|
* Added "id" entries for chapters - it improves HTML filenames
|
|
and begins to add usable internal links.
|
|
|
|
2000-07-31 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Moved filtering locale information into the "input" section,
|
|
since that's where it logically went. Expanded it, since
|
|
many may not know about i18n.
|
|
* Released version 2.31.
|
|
|
|
2000-07-27 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added more information about formatting strings and
|
|
internationalization (i18n).
|
|
* Released version 2.30.
|
|
|
|
2000-07-23 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added in some information (and an example) from the GNOME
|
|
Programming guidelines.
|
|
* Added a note and reference to Byte, April 1986, which discusses
|
|
some of the issues with terminal escape codes.
|
|
|
|
2000-07-18 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added warnings about formatting characters to printf()
|
|
and family, including %n, as well as other formatting systems
|
|
like syslog(). My thanks to John Levon for reminding
|
|
me to do this, and for reviewing my early drafts.
|
|
* The bugtraq message about safely using sprintf with the width
|
|
modifier didn't sound right to me, so I double-checked it.
|
|
I found that in fact it is completely unsafe!
|
|
Not all bugtraq posters check their claims, that's for sure!
|
|
So, modified the text to note that this is UNsafe.
|
|
* Modified BFBTester reference, noting that it's GPLed. I also worked
|
|
with the BFBTester author to get it ported to Linux; turns out
|
|
a subtlety with threads made waitpid() not work the way he
|
|
expected (because threads are Linux processes, and an "uncle"
|
|
cannot wait on its "nephew").
|
|
* Moved tools to be under "Miscellaneous", instead of C-centric;
|
|
many tools aren't C/C++-centric, and even those that are might
|
|
change later, so may as well put them in a place that they'll stay.
|
|
It's easier to compare tools if similar kinds are all in one place.
|
|
* Added warnings about protecting the output of syslog().
|
|
|
|
2000-07-03 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added example of "safe" use of sprintf (length option)
|
|
from bugtraq posting. [but see 2000-07-18]
|
|
|
|
2000-06-29 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to BFBTester.
|
|
|
|
2000-06-28 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added warning about signed char.
|
|
|
|
2000-06-22 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Expanded the section on race conditions.
|
|
|
|
2000-06-07 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added text about ITS4 and LClint. Mentioned Shmoo and made sure
|
|
that I had everything they did.
|
|
* Added info from Martin Douda on other problematic shell characters.
|
|
* Added a few nuggets on Java and C from
|
|
http://java.sun.com/security/seccodeguide.html
|
|
* Added many more references to related security information.
|
|
* Explained more about shell scripting languages &
|
|
why they're a problem.
|
|
|
|
2000-06-02 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to the Python Restricted Environment stuff.
|
|
Added my own warning about only copying in references
|
|
(I didn't see such a warning in any material I have).
|
|
|
|
2000-05-24 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Switched to GNU Free Documentation License (FDL), which is
|
|
designed for documents (the GPL really wasn't).
|
|
|
|
2000-05-22 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Began adding more language-specific information, such as Perl
|
|
info from perlsec(1) and perlopentut(1), moving C
|
|
compiler flags into its own section, etc.
|
|
* Significantly extended the Java-specific section, based on
|
|
the two leading Java security books.
|
|
|
|
2000-05-18 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Received several suggestions from Doug Kilpatrick: extend UTF-8
|
|
description, mention that the Linux kernel writers use the term
|
|
"task" not "process", talk more about not depending on
|
|
stdin/stdout/stderr being open (I mentioned it before though),
|
|
add "-O2" to the recommended gcc flag list (some dataflow
|
|
checks require this).
|
|
|
|
2000-04-25 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Minor grammar fixes.
|
|
* Marc Welz pointed out that in Linux 2.2 you can determine the
|
|
pid, uid and gid using:
|
|
getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &cl)
|
|
|
|
2000-04-22 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added discussion on Lucent's libsafe.
|
|
While writing this discussion, I sent Lucent several notes on
|
|
issues in libsafe. In particular, they failed to discuss in their
|
|
documentation the fact that depending on LD_PRELOAD
|
|
to enable libsafe makes it possible for evil local users to
|
|
disable libsafe on programs they run! Also, I sent them
|
|
a list of other "dangerous" functions that they didn't cover.
|
|
* Added more comments of "things I want to cover". Okay, that's
|
|
not the same as actually discussing them, but it's a start.
|
|
|
|
2000-04-21 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Version 2.00 released, dated 21 April 2000. This version is
|
|
identical to version 1.60 in content, but switches format
|
|
from the Linuxdoc DTD to the DocBook DTD.
|
|
Thanks to Jorge Godoy for helping me perform the transition.
|
|
There are a few rough spots; DocBook experts are welcome to give
|
|
me a hand. I now generate RTF. The ASCII text file format is
|
|
quite poor; I can't help that, the tools aren't ready yet.
|
|
|
|
2000-04-04 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Version 1.60 released.
|
|
* Changed so that it now covers BOTH Linux and Unix. Since most
|
|
of the guidelines covered both, and many/most app developers want
|
|
their apps to run on both, it made sense to cover both.
|
|
Much of the detail still only discusses Linux, which I intend to
|
|
fix over time; suggestions on what to add would be great!
|
|
* This meant adding some history about Unix (as well as Linux),
|
|
discussing in a few places variations (more discussion needed), etc.
|
|
|
|
2000-03-08 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* It's too long, so I changed the type from "article" to "book".
|
|
That meant that sect became chapt, sect1 became sect, etc.
|
|
* Added Biblical quotations to head every chapter, for the
|
|
enjoyment of the reader.
|
|
|
|
2000-03-06 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added more information on using strlcpy and strlcat.
|
|
* Expanded conclusions so it actually summarizes the key points.
|
|
* Various minor improvements. Well, I _hope_ they're improvements!
|
|
|
|
2000-03-05 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added a brief discussion of confidentiality, integrity, and
|
|
availability. Anybody who knows about security should know about
|
|
this, but since it's assumed elsewhere in the text I thought it's
|
|
worth mentioning.
|
|
* Added more information about signals, locking, etc. I don't want
|
|
this to be a general-purpose programming primer, but some things
|
|
seem worth summarizing.
|
|
|
|
2000-03-03 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added reference to "Applied Cryptography" and the
|
|
"Linux Encryption HOWTO".
|
|
* Added a note about ext2's reserved space for root (as a
|
|
preventative for denial-of-service attacks), with a reference
|
|
to mke2fs(8).
|
|
* Added a new "Credits" section in the document itself to give
|
|
people credit. See the ChangeLog file (this one) for the details.
|
|
And, responded to many suggestions, as noted below.
|
|
* Eric S. Raymond <thanks.esr@snark.thyrsus.com> said "Nice work,
|
|
in general.. but I believe you have "fail open" and
|
|
"fail closed" reversed." Fair enough. I decided that I really meant
|
|
"fail safe" instead of either term, and I added a discussion
|
|
about that.
|
|
* Paul Millar <thanks.paulm@astro.gla.ac.uk> found I'd used
|
|
/var/log/ where I meant /var/lock/; corrected, I added
|
|
reference to the FHS for more information, and added some material
|
|
from the FHS in the hopes that people will use standard conventions
|
|
when they apply!
|
|
* John Levon <thanks.moz@compsoc.man.ac.uk> suggested noting that
|
|
you should drop privs while parsing input, describe digest
|
|
passwords, mention "safer" users (like "nobody"), and mention
|
|
rate-limiting audit trails. I knew about these, but I didn't
|
|
call them out. So, I wrote text to cover those points.
|
|
* A (user who prefers to be anonymous) asked how to set the
|
|
global environment to NULL, noting that # unset environ; set
|
|
or # environ='' set don't work. As far as I know, you need
|
|
to put a small "wrapper" program around sh scripts to do this,
|
|
so I've added that note to the document.
|
|
* Ryan McCabe <thanks.odin@numb.org> gave a really GOOD note that
|
|
fixed-length strings have a built-in weakness; you can exploit
|
|
them by providing information around their length and cause
|
|
some routines to silently fail to append data.
|
|
* Chuck Phillips <thanks.cdp@peakpeak.com> noted a more efficient
|
|
way to use strncpy, which I added. He also couldn't believe
|
|
that strncpy NIL-filled, and sent me a long note explaining why
|
|
it shouldn't. I agree that it shouldn't, but in spite of all
|
|
rational reasons for why it shouldn't, it DOES! So, I added
|
|
references to K&R 2nd edition (page 249), and the man pages for
|
|
Solaris, Linux, and FreeBSD, to show that this horrible thing
|
|
is actually true, logic to the contrary.
|
|
* Scott Ingram <thanks.scott@silver.jhuapl.edu> mentioned that
|
|
configuration is the number one problem. I agreed, and in fact I
|
|
already noted that in the text, but that got me thinking that I
|
|
should specifically recommend making things easy to configure (as well
|
|
as using safe defaults). If more programs did that, we'd have
|
|
a lot fewer cracked machines.
|
|
* Martin Pool <thanks.mbp@humbug.org.au> suggested noting that
|
|
sometimes scripting languages can do a setenv() and affect its
|
|
caller. He also suggested mentioning dynamically linked libraries,
|
|
but I'd already planned to do that.
|
|
He also suggested mentioning the ideas on breaking out of chroot
|
|
in http://www.suid.edu/source/breakchroot.c; I actually summarized
|
|
it in the text, it's just yet another example of why having root
|
|
privileges is enough to break out of chroot jails.
|
|
* Chuck Phillips <thanks.cdp@peakpeak.com>,
|
|
Neil Brown <thanks.neilb@cse.unsw.edu.au>, and
|
|
Eric Werme USG <thanks.werme@alpha.zk3.dec.com> discussed NFS issues
|
|
with me which yielded the insight that, although NFS version 2
|
|
is "broken as described," version 3 _does_ support exclusive
|
|
file creation. Sadly, there are still many NFS version 2 users,
|
|
so we can't depend on this, but the discussion did
|
|
suggest to me some enhancements to the text on creating locks
|
|
using files.
|
|
|
|
|
|
2000-02-09 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Noted that the document is now part of the Linux Documentation
|
|
Project (LDP).
|
|
* Added more references, such as [Mudge 1995], [McClure 1999],
|
|
[Bellovin 1989], and Nathan P. Smith's
|
|
"Stack Smashing Security Vulnerabilities" website.
|
|
|
|
2000-01-06 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Grammo: in section "Library Solutions", s/requires/require/
|
|
|
|
2000-01-05 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Released version 1.24; announced to http://lwn.net and
|
|
http://www.securityportal.com.
|
|
|
|
2000-01-05 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added information on "why did you write your own document"?
|
|
* Added information on more per-process attributes, in particular
|
|
limits and the filesystem root.
|
|
* Noted that filesystem quotas can be per-group as well as per-user.
|
|
* Fixed a ~, which in this DTD must be written as ˜.
|
|
* Fixed a few typos, thanks to review by Clyde Roby <croby@ida.org>
|
|
|
|
1999-12-30 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added some information on POSIX capabilities & the bounding set.
|
|
* Added information explaining rwx permissions on directories.
|
|
|
|
1999-12-23 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Now at version 1.20.
|
|
* Added major new section, section 2, that describes the Linux
|
|
programming model for security (e.g., file attributes, etc.).
|
|
I determined that there really isn't a single good place that has
|
|
this kind of information, and where better than to include it in
|
|
information on how to write secure programs?
|
|
* Moved the "buffer overflow" section out into its own section, since
|
|
it's so important. Added more information about StackGuard, etc.
|
|
* Mentions glib in the buffer overflow section; if anyone wishes to
|
|
analyze the implementation to determine which glib functions protect
|
|
against buffer overflow I'd like to know about them.
|
|
* Added some references to PAM.
|
|
* Various other fixes.
|
|
|
|
1999-12-03 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Fixed minor grammar error in CGI section, added PDF format.
|
|
* Added "favicon.ico" so Internet Explorer users, should they bookmark
|
|
this site, will get Tux as a logo. Seems fair :-).
|
|
|
|
1999-11-30 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Added GPL license, reference to http://www.dwheeler.com.
|
|
|
|
|
|
1999-11-29 David A. Wheeler <dwheeler@dwheeler.com>
|
|
* Initial version (1.0) completed.
|
|
|