LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity
LDP/LDP/howto/docbook/Secure-Programs-HOWTO/ChangeLog

766 lines
34 KiB
Plaintext
Raw Permalink Blame History

2002-02-18 David A. Wheeler <dwheeler@dwheeler.com>
* Clarified more about GUI applications.
* Updated my picture, now it actually looks more like me.
* Changed URL for libsafe.
* Renamed LCLint to splint.
* Mentioned dreamland.
2002-02-16 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 3.007.
2002-02-02 David A. Wheeler <dwheeler@dwheeler.com>
* Noted Shamir and Tromir's paper on Factoring Large Numbers with
the TWIRL device (a draft paper at this time) - the paper basically
suggests that 1024-bit RSA isn't secure either.
2002-01-23 David A. Wheeler <dwheeler@dwheeler.com>
* Clarified that HttpOnly on cookies is a useful secondary defense,
but don't count on it as primary. I wrote it that way before,
but recent papers on "breaks" because some people thought
HttpOnly was sufficient as a primary defense made me decide
to state this even more clearly.
2002-01-16 David A. Wheeler <dwheeler@dwheeler.com>
* Expanded the discussion on crypto protocols,
in part based on some suggestions from
Pawel Krawczyk (kravietz, at echelon ,dot pl).
2002-01-16 David A. Wheeler <dwheeler@dwheeler.com>
* Referenced Quixote's interesting approach to XSS.
* Mentioned RMAC.
* Expanded the Tcl section significantly.
Thanks to Wojciech Kocjan (wojciech, at kocjan dot org),
who asked me to update the Tcl section and gave me some
wrong/right examples of Tcl use that helped clarify the discussion,
as well as noting that Tcl 8.0 implements other data types
internally and is really more robust than older versions.
2002-01-15 David A. Wheeler <dwheeler@dwheeler.com>
* Clarified that you should not use "nobody" for your own
programs (unless you're writing a webserver) - instead, use the
same IDEA of creating pseudousers and groups to isolate
programs from each other. Thanks to Martijn Vernooij
tinus, at, win (dot) tue (dot) nl for asking me about this.
2002-12-31 David A. Wheeler <dwheeler@dwheeler.com>
* Added note about Ada's Inspection_Point. The idea of mentioning
Inspection_Point was suggested by Florian Weimer
(Weimer, at, CERT dot Uni-Stuttgart, dot DE) - thanks! -
but the text as usual is my own.
2002-12-30 David A. Wheeler <dwheeler@dwheeler.com>
* Version 3.005. Adds major new text on handling tmp files
where there are tmp cleaners running (true on most real systems),
notes on avoiding buffer overflow in FD_SET/FD_CLR(), and
a long discussion on a new attack against web-based systems:
session fixation. I also added text about
protecting secrets in memory.
2002-12-26 David A. Wheeler <dwheeler@dwheeler.com>
* Made major modifications to the tmp file section based on
Michal Zalewski's (lcamtuf, at, coredump, dot cx)
very nice article titled "[RAZOR] Problems with mkstemp()".
In this paper, posted on Bugtraq but also sent directly to me
by him (THANK YOU!), he notes the problems of tmp cleaners and
how they introduce races to otherwise non-racy safe uses.
Thankfully, it appears that my earlier suggestion on how to do
this in C is fine, since it's file descriptor based.
HOWEVER, before I had suggested NOT using temp files in shell,
but if you had to, use mktemp(1). It turns out my intuition was
correct - you really can't do it safely in shell at all,
even with mktemp(1), in tmp cleaning environments where an
attacker can influence /tmp. Since this describes a number
of environments (and sometimes environments change INTO this
circumstance), it's much safer to just not do it.
* Expanded the discussion of OpenWall, and gave the specific
rules used in the LSM version of OpenWall. That way,
people can write their code to run correctly in OpenWall-protected
systems running the LSM version of OpenWall.
* Added a note about FD_SET() and FD_CLR() thanks to the
Timo Sirainen (tss, at, iki dot fi), who very helpfully noted:
Just occured to me a while ago that FD_SET() and FD_CLR() don't
do any buffer size checks. After a bit of googleing I didn't
see this mentioned pretty anywhere else than
in recent pppd vulnerability, which exploited exactly this problem.
I don't think it's obvious to most people that the
check should be done, especially because fd_set isn't even
defined to be an array. Linux's select() man page doesn't even
say anything about FD_SETSIZE.
2002-12-19 David A. Wheeler <dwheeler@dwheeler.com>
* Added long discussion on session fixation.
2002-11-19 David A. Wheeler <dwheeler@dwheeler.com>
* Significant additional discussion about protecting secrets
in memory, in particular mlock() and scrubbing secrets in memory.
In particular, added discussion about what you need to do to
avoid having the C/C++ compiler optimize away memory overwrites
(this is an old & well-known issue, but the recent Bugtraq
discussion jogged my memory and realized that I hadn't specifically
discussed it in the book).
* Noted Perl's File::Temp. My thanks to Steven M. Christey,
coley (at, linus.mitre.org), for pointing this out.
2002-10-29 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 3.000.
2002-8-13 David A. Wheeler <dwheeler@dwheeler.com>
* Added long discussion about security requirements, in particular
emphasizing the Common Criteria.
* Noted that SQL metacharacter insertion is often called
"SQL injection".
2002-7-13 David A. Wheeler <dwheeler@dwheeler.com>
* Various small improvements.
2002-4-29 David A. Wheeler <dwheeler@dwheeler.com>
* Thanks to Bastian Kleineidam, who noted that Java's clone()
returns Object, not void.
2002-4-10 David A. Wheeler <dwheeler@dwheeler.com>
* Mentioned "Mastering Regular Expressions"... he has a
regular expression for checking email addresses.. and it's
so long that it SHOWS how hard it is to really check
email addresses.
2002-4-10 David A. Wheeler <dwheeler@dwheeler.com>
* Updated slides slightly, and re-posted.
2002-4-09 David A. Wheeler <dwheeler@dwheeler.com>
* Added link to Crypto Law Survey.
2002-4-02 David A. Wheeler <dwheeler@dwheeler.com>
* Added note about Openwall temp directory policy.
2002-3-28 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to http://www.enseirb.fr/~glaume/indexen.html
(buffer overflow study)
2002-3-25 David A. Wheeler <dwheeler@dwheeler.com>
* Recommend 2048-bit, not 1024-bit, keys for RSA.
Recent factoring algorithm improvements make it possible for
well-funded organizations to break in 1024-bit quickly.
See Bugtraq, 23 Mar 2002, "1024-bit RSA keys in danger of compromise"
by "Lucky Green" <shamrock@cypherpunks.to>.
Bruce Scheier has a countering opinion, but frankly, why risk it?
This is an area where using a few more bits is usually easy,
so just do it.
2002-3-18 David A. Wheeler <dwheeler@dwheeler.com>
* Noted perl users want people to use sudo, not suidperl.
* Noted ORDB as another anti-spam service.
2002-3-14 David A. Wheeler <dwheeler@dwheeler.com>
* Release version 2.963 to internal website.
* Modified my local document generation process.
It turns out that the version numbers weren't printing on
the copies I was generating!! That's fixed now.
* Fixed date of zlib bug (it's 2002, not 2001).
My thanks to Colin Simmonds (Nortel Networks), who noticed this
mistake only two days after I released my book.
And wow - there must be a lot of people looking at my book, to
so quickly notice a minor error in an update in the middle
of the book!
* Mentioned Valgrind and Electric Fence, two tools that can help
counter double-free()ing problems like zlib's.
2002-3-11 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 2.961.
* Added note about double-free'ing, and the environment variables
that can be used to counter the problem.
* Added note about avoiding off-by-one bugs. That's really
a general "avoid bugs" issue, but I thought it'd be
worth mentioning.
* Spelling error fixed ("relased" -> "released").
2002-3-8 David A. Wheeler <dwheeler@dwheeler.com>
* Added info about spam.
* Added note on CRT Eavesdropping.
2002-3-7 David A. Wheeler <dwheeler@dwheeler.com>
* Mentioned NSA's nsa1.www.conxion.com website.
2002-3-4 David A. Wheeler <dwheeler@dwheeler.com>
* Expanded slightly on the "mutually untrusting programs" description.
This was hinted at in Qmail's discussion, though I didn't use
any text other than that phrase. I added a note that I need
to go back to the Qmail text to really deal with it further.
* Fixed two small typos noted by Thomas Klausner
2002-3-2 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 2.95.
* Fixed URL (securingjava.com), which had a side-effect of
creating a minor plucker error.
2002-2-26 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 2.94 (to my website).
* addition->additional, noted by Pat Gunn.
* std:string in C++ doesn't auto-convert to char*, my bad.
The problem is that some OTHER string libraries do so.
Thanks to Per Mellstrand for pointing this out.
* Made a MAJOR change on my local website in the tools I use.
I now primarily use the LDP tools. As a result, the PDF is
better (with hyperlinks and a nicer TOC), the HTML has
section numbers, MUCH better ASCII text, a one-page HTML,
and plucker format. Thus, my website's results are nicer,
and I can be more certain about the results that the LDP gives too.
2002-2-21 David A. Wheeler <dwheeler@dwheeler.com>
* Mentioned Fenris.
* Modified URL to Kirch's paper; unix-vs-nt.org appears to have
permanently gone down, and I can't get hold of John Kirch,
so I now link to the Internet Archive copy.
2002-2-9 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 2.93.
* Added text about semantic attacks.
* More discussion about shells and their problems.
2002-2-6 David A. Wheeler <dwheeler@dwheeler.com>
* Added note from David deVitry - in some circumstances
web browsers can be fooled into automatically POSTing form data.
It's still a good idea to ignore GET and require POST for
some operations, as discussed in the text.
2002-2-1 David A. Wheeler <dwheeler@dwheeler.com>
* Added warnings about strncpy() and seteuid(), based on
comments from Philip Hazel.
* Added notes on SQL metacharacters, based on
http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
2002-1-7 David A. Wheeler <dwheeler@dwheeler.com>
* Fixed UTF-8 table format.
2002-1-7 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 2.91.
2002-1-3 David A. Wheeler <dwheeler@dwheeler.com>
* Changed the UTF-8 legal values table. The original table
was WRONG, ack!! This stuff is quite tricky; many
didn't notice the problem earlier. Thanks to
Peter Astrand who noted the problem, and who pointed me to
http://www.unicode.org/unicode/uni2errata/UTF-8_Corrigendum.html
which has a correct table.
2002-1-3 David A. Wheeler <dwheeler@dwheeler.com>
* Added more about checking URIs; the idea was suggested by
John Levon.
2001-12-28 David A. Wheeler <dwheeler@dwheeler.com>
* Added more text about PHP, based on some suggestions by
Richard Lynch.
2001-12-17 David A. Wheeler <dwheeler@dwheeler.com>
* Added a reference to Cyclone, including Viega's review.
* I haven't added a "why write secure programs" section.
If I do, I'll probably mention gems like this one
titled "Cyberattacks increase after Sept. 11"
by Dibya Sarkar:
"In Orlando, Florida, there has been a nearly 300-fold
increase in cyberattacks, and most IP addresses show they're
from the Middle East and Pakistan, said John, Matelski, Orlando's
deputy CIO, who advises the mayor.
Before Sept. 11, he said the city averaged about 50 intrusion
attacks per month. After the attacks, the city has
averaged about 14,000 per month.
"Many of these intrusion attempts are not volatile.
They're merely probes to find deficiencies and perhaps do harm,"
Matelski said.
Federal Computer Week, December 3, 2001, page S19.
2001-12-11 David A. Wheeler <dwheeler@dwheeler.com>
* Added discussion of new PHP (4.1.0), which makes it easier to
write PHP software with register_globals off, and
warns that this will become the default.
2001-10-15 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to Kurt Seifried's paper on web authentication.
2001-10-10 David A. Wheeler <dwheeler@dwheeler.com>
* Incorporated many suggestions from Bill Brykczynski.
* Switched to DocBook version 4.1 (from 3.1).
* Began using a stylesheet.
* Switched to a different spelling checker (aspell), which found
a number of speeling priblems.
* Added a lot of material about web authentication.
* Added a long discussion on cryptography, including suggestions
on recommended algorithms.
2001-7-24 David A. Wheeler <dwheeler@dwheeler.com>
* Added link to [LSD 2001].
2001-7-16 David A. Wheeler <dwheeler@dwheeler.com>
* New link to BFBTester, and it now works on Linux (yay!).
2001-7-6 David A. Wheeler <dwheeler@dwheeler.com>
* Added a new section on PHP. This is based on Clowes' work,
though many of the actual recommendations are my own.
* Fixed a number of grammer and typo errors - my thanks to
Moritz Jodeit, who sent me a nice long set of fixes!
2001-7-5 David A. Wheeler <dwheeler@dwheeler.com>
* Noted PyChecker.
2001-6-14 David A. Wheeler <dwheeler@dwheeler.com>
* Noted that to really drop privileges you may also need to
reset the supplemental groups.
2001-6-08 David A. Wheeler <dwheeler@dwheeler.com>
* Fixed typo, 'fileystem'.
2001-6-04 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to Geodsoft's hardening OpenBSD info.
2001-5-31 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to Zalewski's "Delivering Signals for Fun and
Profit", and some more material on signals based on it.
2001-5-30 David A. Wheeler <dwheeler@dwheeler.com>
* Fixed grammatical error in the open source security section.
* Released version 2.87.
2001-5-24 David A. Wheeler <dwheeler@dwheeler.com>
* Updated the description of ITS4, added references to
RATS and flawfinder.
* Local release as version 2.86.
2001-5-16 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to Cox 2000 (Windows 2000 secure configuration).
2001-5-10 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to Murhammer as a general TCP/IP reference.
2001-5-09 David A. Wheeler <dwheeler@dwheeler.com>
* Mentioned the Entropy Gathering Daemon.
2001-5-07 David A. Wheeler <dwheeler@dwheeler.com>
* Mentioned Jerry Connolly's http://heap.nologin.net/aspsec.html
web page for ASP input issues.
* Mentioned inconsistent strlcat semantics when size==0 or there
are no embedded NIL characters.
* Mentioned GID==0 - it's VERY special on some Unix-like systems,
and it's all-powerful on most anyway.
2001-4-23 David A. Wheeler <dwheeler@dwheeler.com>
* Extended discussion on persistent cookies, in particular noting
that they are illegal on U.S. government sites (with a reference).
2001-4-23 David A. Wheeler <dwheeler@dwheeler.com>
* Mentioned linux-security-module
* Referenced "Vulnerability Assessment Scanners" by Forristal.
2001-4-05 David A. Wheeler <dwheeler@dwheeler.com>
* Expanded discussion of trusted path and trustworthy channels.
* Noted that when fixing a vulnerability, log later attempts.
2001-3-30 David A. Wheeler <dwheeler@dwheeler.com>
* Added cross-references and other information noting that, at
installation time, you should check your system assumptions
necessary for security.
2001-3-22 David A. Wheeler <dwheeler@dwheeler.com>
* Noted the problem with globbing.
2001-3-20 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to Halvar Flake's slides on disassembling closed
source programs.
2001-3-06 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to http://www-syntim.inria.fr/fractales/Staff/
Raynal/LinuxMag/SecProg/Art4/index.html
* Added note about rfork().
2001-2-28 David A. Wheeler <dwheeler@dwheeler.com>
* Noted that you need to load initialization values from a trusted
location (based on recent problems with Joe)
* Added reference to IETF RFC 1750 (Randomness Recommendations
for Security).
* Noted that Mandrake 7.1 includes libsafe.
2001-2-27 David A. Wheeler <dwheeler@dwheeler.com>
* Fixed many minor typos - thanks to John Levon who identified them.
* Noted various security extensions, such as FreeBSD's jail(2)
and the huge numbers of research efforts for Linux (Janus,
Subterfugue, NSA Linux/Flask, RSBAC, etc.). Sometime I'll have to
add the information on Trusted Solaris, etc., but for the moment
I refer to NSA's "Evaluated Product List" which has specific
information on the security approaches of some of them.
* Noted "fuzz".
* Added a reference to William Stalling's excellent collection
of papers, "Practical Cryptography for Data Internetworks."
2001-2-8 David A. Wheeler <dwheeler@dwheeler.com>
* Noted other shell special characters, in particular the whitespace
characters that separate parameters.
2001-1-12 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 2.75.
* Moved from DocBook 3.0 to DocBook 3.1. I tried doing this
earlier, but I forgot to change "Davenport" to "OASIS" and got
lots of error messages. The right header obviously matters!
* Added a figure ("program") showing my abstract view of programs;
it's not deep, but it helps to logically keep things straight.
The master file is "program.dia", which is editable with the
open source (GPL'ed) program "Dia" available at
http://www.lysator.liu.se/~alla/dia (and in many distributions).
It's not beautiful (I'm no artist), but hopefully it helps
explain the idea.
* Switched to distributing a tarball, so the figure is included.
* Modified the random number section, after
Jordan Dimov <jdimov@cis.clarion.edu> rightly complained that my
phrase 'truly random numbers' was somewhat misleading.
Fair enough, I was glossing over the details (which I knew) -
hopefully this version gives the bigger picture.
I ended up basically rewriting the section.
* Added section about "Open Source" and security.
2001-1-1 David A. Wheeler <dwheeler@dwheeler.com>
* Released the book as version 2.70.
Seriously extended and modified the book, adding lengthy
discussions about cross-site malicious content, verifying
HTML and URIs, and creating temporary files.
Did a number of clean-ups and various additions, too.
2000-12-4 David A. Wheeler <dwheeler@dwheeler.com>
* Added a section, "prevent-include-access".
I was reminded of this issue by the Bugtraq posting of 1 Dec 2000
by Mads Bach (bach@INDER.NET), with the subject line
"Web based apps and include files".
* Added a section about not including comments in returned data.
2000-11-10 David A. Wheeler <dwheeler@dwheeler.com>
* Added information about Java not enforcing "private" etc.
from null/trusted Classloaders, my thanks to
John Steven who noted this!
* Added reference to sci.crypt and their FAQ.
* Modified the definition of "Availability" due to a
comment by Alan Santos.
* Fixed discussion about sprintf().. you _can_ use sprintf()
to avoid buffer overflows, but its use is tricky.
2000-10-30 David A. Wheeler <dwheeler@dwheeler.com>
* Added a reference to the GLB Act (a new U.S. law)
2000-10-26 David A. Wheeler <dwheeler@dwheeler.com>
* Added a note that you should only call to programs intended for
calling by another program.
2000-10-26 David A. Wheeler <dwheeler@dwheeler.com>
* Michael Kerrisk mentioned that #defining
_SVID_SOURCE or _BSD_SOURCE, then #include <features.h>,
will cause __USE_MISC to be defined (and allow clearenv).
2000-10-24 David A. Wheeler <dwheeler@dwheeler.com>
* Added a discussion about vfork. John Levon pointed me to the
issue, which was written up by Solar Designer.
2000-10-03 David A. Wheeler <dwheeler@dwheeler.com>
* Company name change; RST became "Cigital".
2000-09-05 David A. Wheeler <dwheeler@dwheeler.com>
* Added a note about web bugs.
2000-09-03 David A. Wheeler <dwheeler@dwheeler.com>
* Added a number of internal cross-references (29 currently).
Now that I've given all sections an "id", I can use the
"xref" tag effectively. This should really help readers
follow the text in some places... now you can easily jump
to related material in the text.
* Added "Free Software" to some titles as well as
"Open Source Software", and pointed to the FSF for more
such information. Also fixed a typo.
2000-09-01 David A. Wheeler <dwheeler@dwheeler.com>
* Modified Conclusions and "atomic" section to emphasize the
problems with /tmp and /var/tmp directories (especially
how attackers create symbolic links in them to cause trouble).
* Modified the SGML so that all <sectX> (as well as all chapters)
have a reasonable "id" attached. Now all HTML filenames have
meaningful filenames, as well as the sections inside.
This will make it easier for people to externally link to
specific sections of the document.
* Added note that glibc _does_ filter the LANG setting for
setuid/setgid, but that it's been buggy (Red Hat released a fix
on September 1, 2000).
2000-08-28 David A. Wheeler <dwheeler@dwheeler.com>
* Added the note that MD5 is rumored to be broken (& referenced
the 22 August 2000 posting in Bugtraq that raised this).
I don't want to be a rumormonger, but since MD5 has already been
shown to be partly broken, this seems quite plausible; besides,
a better algorithm is available, so this is yet another reason
to switch.
2000-08-21 David A. Wheeler <dwheeler@dwheeler.com>
* Added information that strlcpy/strlcat are being added to glib
(I'm the one that implemented & recommended the patch, based
on the original BSD work).
* Added "id" entries for chapters - it improves HTML filenames
and begins to add usable internal links.
2000-07-31 David A. Wheeler <dwheeler@dwheeler.com>
* Moved filtering locale information into the "input" section,
since that's where it logically went. Expanded it, since
many may not know about i18n.
* Released version 2.31.
2000-07-27 David A. Wheeler <dwheeler@dwheeler.com>
* Added more information about formatting strings and
internationalization (i18n).
* Released version 2.30.
2000-07-23 David A. Wheeler <dwheeler@dwheeler.com>
* Added in some information (and an example) from the GNOME
Programming guidelines.
* Added a note and reference to Byte, April 1986, which discusses
some of the issues with terminal escape codes.
2000-07-18 David A. Wheeler <dwheeler@dwheeler.com>
* Added warnings about formatting characters to printf()
and family, including %n, as well as other formatting systems
like syslog(). My thanks to John Levon for reminding
me to do this, and for reviewing my early drafts.
* The bugtraq message about safely using sprintf with the width
modifier didn't sound right to me, so I double-checked it.
I found that in fact it is completely unsafe!
Not all bugtraq posters check their claims, that's for sure!
So, modified the text to note that this is UNsafe.
* Modified BFBTester reference, noting that it's GPLed. I also worked
with the BFBTester author to get it ported to Linux; turns out
a subtlety with threads made waitpid() not work the way he
expected (because threads are Linux processes, and an "uncle"
cannot wait on its "nephew").
* Moved tools to be under "Miscellaneous", instead of C-centric;
many tools aren't C/C++-centric, and even those that are might
change later, so may as well put them in a place that they'll stay.
It's easier to compare tools if similar kinds are all in one place.
* Added warnings about protecting the output of syslog().
2000-07-03 David A. Wheeler <dwheeler@dwheeler.com>
* Added example of "safe" use of sprintf (length option)
from bugtraq posting. [but see 2000-07-18]
2000-06-29 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to BFBTester.
2000-06-28 David A. Wheeler <dwheeler@dwheeler.com>
* Added warning about signed char.
2000-06-22 David A. Wheeler <dwheeler@dwheeler.com>
* Expanded the section on race conditions.
2000-06-07 David A. Wheeler <dwheeler@dwheeler.com>
* Added text about ITS4 and LClint. Mentioned Shmoo and made sure
that I had everything they did.
* Added info from Martin Douda on other problematic shell characters.
* Added a few nuggets on Java and C from
http://java.sun.com/security/seccodeguide.html
* Added many more references to related security information.
* Explained more about shell scripting languages &
why they're a problem.
2000-06-02 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to the Python Restricted Environment stuff.
Added my own warning about only copying in references
(I didn't see such a warning in any material I have).
2000-05-24 David A. Wheeler <dwheeler@dwheeler.com>
* Switched to GNU Free Documentation License (FDL), which is
designed for documents (the GPL really wasn't).
2000-05-22 David A. Wheeler <dwheeler@dwheeler.com>
* Began adding more language-specific information, such as Perl
info from perlsec(1) and perlopentut(1), moving C
compiler flags into its own section, etc.
* Significantly extended the Java-specific section, based on
the two leading Java security books.
2000-05-18 David A. Wheeler <dwheeler@dwheeler.com>
* Received several suggestions from Doug Kilpatrick: extend UTF-8
description, mention that the Linux kernel writers use the term
"task" not "process", talk more about not depending on
stdin/stdout/stderr being open (I mentioned it before though),
add "-O2" to the recommended gcc flag list (some dataflow
checks require this).
2000-04-25 David A. Wheeler <dwheeler@dwheeler.com>
* Minor grammar fixes.
* Marc Welz pointed out that in Linux 2.2 you can determine the
pid, uid and gid using:
getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &cl)
2000-04-22 David A. Wheeler <dwheeler@dwheeler.com>
* Added discussion on Lucent's libsafe.
While writing this discussion, I sent Lucent several notes on
issues in libsafe. In particular, they failed to discuss in their
documentation the fact that depending on LD_PRELOAD
to enable libsafe makes it possible for evil local users to
disable libsafe on programs they run! Also, I sent them
a list of other "dangerous" functions that they didn't cover.
* Added more comments of "things I want to cover". Okay, that's
not the same as actually discussing them, but it's a start.
2000-04-21 David A. Wheeler <dwheeler@dwheeler.com>
* Version 2.00 released, dated 21 April 2000. This version is
identical to version 1.60 in content, but switches format
from the Linuxdoc DTD to the DocBook DTD.
Thanks to Jorge Godoy for helping me perform the transition.
There are a few rough spots; DocBook experts are welcome to give
me a hand. I now generate RTF. The ASCII text file format is
quite poor; I can't help that, the tools aren't ready yet.
2000-04-04 David A. Wheeler <dwheeler@dwheeler.com>
* Version 1.60 released.
* Changed so that it now covers BOTH Linux and Unix. Since most
of the guidelines covered both, and many/most app developers want
their apps to run on both, it made sense to cover both.
Much of the detail still only discusses Linux, which I intend to
fix over time; suggestions on what to add would be great!
* This meant adding some history about Unix (as well as Linux),
discussing in a few places variations (more discussion needed), etc.
2000-03-08 David A. Wheeler <dwheeler@dwheeler.com>
* It's too long, so I changed the type from "article" to "book".
That meant that sect became chapt, sect1 became sect, etc.
* Added Biblical quotations to head every chapter, for the
enjoyment of the reader.
2000-03-06 David A. Wheeler <dwheeler@dwheeler.com>
* Added more information on using strlcpy and strlcat.
* Expanded conclusions so it actually summarizes the key points.
* Various minor improvements. Well, I _hope_ they're improvements!
2000-03-05 David A. Wheeler <dwheeler@dwheeler.com>
* Added a brief discussion of confidentiality, integrity, and
availability. Anybody who knows about security should know about
this, but since it's assumed elsewhere in the text I thought it's
worth mentioning.
* Added more information about signals, locking, etc. I don't want
this to be a general-purpose programming primer, but some things
seem worth summarizing.
2000-03-03 David A. Wheeler <dwheeler@dwheeler.com>
* Added reference to "Applied Cryptography" and the
"Linux Encryption HOWTO".
* Added a note about ext2's reserved space for root (as a
preventative for denial-of-service attacks), with a reference
to mke2fs(8).
* Added a new "Credits" section in the document itself to give
people credit. See the ChangeLog file (this one) for the details.
And, responded to many suggestions, as noted below.
* Eric S. Raymond <thanks.esr@snark.thyrsus.com> said "Nice work,
in general.. but I believe you have "fail open" and
"fail closed" reversed." Fair enough. I decided that I really meant
"fail safe" instead of either term, and I added a discussion
about that.
* Paul Millar <thanks.paulm@astro.gla.ac.uk> found I'd used
/var/log/ where I meant /var/lock/; corrected, I added
reference to the FHS for more information, and added some material
from the FHS in the hopes that people will use standard conventions
when they apply!
* John Levon <thanks.moz@compsoc.man.ac.uk> suggested noting that
you should drop privs while parsing input, describe digest
passwords, mention "safer" users (like "nobody"), and mention
rate-limiting audit trails. I knew about these, but I didn't
call them out. So, I wrote text to cover those points.
* A (user who prefers to be anonymous) asked how to set the
global environment to NULL, noting that # unset environ; set
or # environ='' set don't work. As far as I know, you need
to put a small "wrapper" program around sh scripts to do this,
so I've added that note to the document.
* Ryan McCabe <thanks.odin@numb.org> gave a really GOOD note that
fixed-length strings have a built-in weakness; you can exploit
them by providing information around their length and cause
some routines to silently fail to append data.
* Chuck Phillips <thanks.cdp@peakpeak.com> noted a more efficient
way to use strncpy, which I added. He also couldn't believe
that strncpy NIL-filled, and sent me a long note explaining why
it shouldn't. I agree that it shouldn't, but in spite of all
rational reasons for why it shouldn't, it DOES! So, I added
references to K&R 2nd edition (page 249), and the man pages for
Solaris, Linux, and FreeBSD, to show that this horrible thing
is actually true, logic to the contrary.
* Scott Ingram <thanks.scott@silver.jhuapl.edu> mentioned that
configuration is the number one problem. I agreed, and in fact I
already noted that in the text, but that got me thinking that I
should specifically recommend making things easy to configure (as well
as using safe defaults). If more programs did that, we'd have
a lot fewer cracked machines.
* Martin Pool <thanks.mbp@humbug.org.au> suggested noting that
sometimes scripting languages can do a setenv() and affect its
caller. He also suggested mentioning dynamically linked libraries,
but I'd already planned to do that.
He also suggested mentioning the ideas on breaking out of chroot
in http://www.suid.edu/source/breakchroot.c; I actually summarized
it in the text, it's just yet another example of why having root
privileges is enough to break out of chroot jails.
* Chuck Phillips <thanks.cdp@peakpeak.com>,
Neil Brown <thanks.neilb@cse.unsw.edu.au>, and
Eric Werme USG <thanks.werme@alpha.zk3.dec.com> discussed NFS issues
with me which yielded the insight that, although NFS version 2
is "broken as described," version 3 _does_ support exclusive
file creation. Sadly, there are still many NFS version 2 users,
so we can't depend on this, but the discussion did
suggest to me some enhancements to the text on creating locks
using files.
2000-02-09 David A. Wheeler <dwheeler@dwheeler.com>
* Noted that the document is now part of the Linux Documentation
Project (LDP).
* Added more references, such as [Mudge 1995], [McClure 1999],
[Bellovin 1989], and Nathan P. Smith's
"Stack Smashing Security Vulnerabilities" website.
2000-01-06 David A. Wheeler <dwheeler@dwheeler.com>
* Grammo: in section "Library Solutions", s/requires/require/
2000-01-05 David A. Wheeler <dwheeler@dwheeler.com>
* Released version 1.24; announced to http://lwn.net and
http://www.securityportal.com.
2000-01-05 David A. Wheeler <dwheeler@dwheeler.com>
* Added information on "why did you write your own document"?
* Added information on more per-process attributes, in particular
limits and the filesystem root.
* Noted that filesystem quotas can be per-group as well as per-user.
* Fixed a ~, which in this DTD must be written as &tilde;.
* Fixed a few typos, thanks to review by Clyde Roby <croby@ida.org>
1999-12-30 David A. Wheeler <dwheeler@dwheeler.com>
* Added some information on POSIX capabilities & the bounding set.
* Added information explaining rwx permissions on directories.
1999-12-23 David A. Wheeler <dwheeler@dwheeler.com>
* Now at version 1.20.
* Added major new section, section 2, that describes the Linux
programming model for security (e.g., file attributes, etc.).
I determined that there really isn't a single good place that has
this kind of information, and where better than to include it in
information on how to write secure programs?
* Moved the "buffer overflow" section out into its own section, since
it's so important. Added more information about StackGuard, etc.
* Mentions glib in the buffer overflow section; if anyone wishes to
analyze the implementation to determine which glib functions protect
against buffer overflow I'd like to know about them.
* Added some references to PAM.
* Various other fixes.
1999-12-03 David A. Wheeler <dwheeler@dwheeler.com>
* Fixed minor grammar error in CGI section, added PDF format.
* Added "favicon.ico" so Internet Explorer users, should they bookmark
this site, will get Tux as a logo. Seems fair :-).
1999-11-30 David A. Wheeler <dwheeler@dwheeler.com>
* Added GPL license, reference to http://www.dwheeler.com.
1999-11-29 David A. Wheeler <dwheeler@dwheeler.com>
* Initial version (1.0) completed.
View Git Blame Copy Permalink