468 lines
12 KiB
HTML
468 lines
12 KiB
HTML
|
<HTML
|
||
|
><HEAD
|
||
|
><TITLE
|
||
|
>Sources of Design and Implementation Guidelines</TITLE
|
||
|
><META
|
||
|
NAME="GENERATOR"
|
||
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
||
|
REL="HOME"
|
||
|
TITLE="Secure Programming for Linux and Unix HOWTO"
|
||
|
HREF="index.html"><LINK
|
||
|
REL="UP"
|
||
|
TITLE="Background"
|
||
|
HREF="background.html"><LINK
|
||
|
REL="PREVIOUS"
|
||
|
TITLE="Why Did I Write This Document?"
|
||
|
HREF="why-write.html"><LINK
|
||
|
REL="NEXT"
|
||
|
TITLE="Other Sources of Security Information"
|
||
|
HREF="other-sources.html"></HEAD
|
||
|
><BODY
|
||
|
CLASS="SECT1"
|
||
|
BGCOLOR="#FFFFFF"
|
||
|
TEXT="#000000"
|
||
|
LINK="#0000FF"
|
||
|
VLINK="#840084"
|
||
|
ALINK="#0000FF"
|
||
|
><DIV
|
||
|
CLASS="NAVHEADER"
|
||
|
><TABLE
|
||
|
SUMMARY="Header navigation table"
|
||
|
WIDTH="100%"
|
||
|
BORDER="0"
|
||
|
CELLPADDING="0"
|
||
|
CELLSPACING="0"
|
||
|
><TR
|
||
|
><TH
|
||
|
COLSPAN="3"
|
||
|
ALIGN="center"
|
||
|
>Secure Programming for Linux and Unix HOWTO</TH
|
||
|
></TR
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="10%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="bottom"
|
||
|
><A
|
||
|
HREF="why-write.html"
|
||
|
ACCESSKEY="P"
|
||
|
>Prev</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="80%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="bottom"
|
||
|
>Chapter 2. Background</TD
|
||
|
><TD
|
||
|
WIDTH="10%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="bottom"
|
||
|
><A
|
||
|
HREF="other-sources.html"
|
||
|
ACCESSKEY="N"
|
||
|
>Next</A
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
><HR
|
||
|
ALIGN="LEFT"
|
||
|
WIDTH="100%"></DIV
|
||
|
><DIV
|
||
|
CLASS="SECT1"
|
||
|
><H1
|
||
|
CLASS="SECT1"
|
||
|
><A
|
||
|
NAME="SOURCES-OF-GUIDELINES"
|
||
|
></A
|
||
|
>2.8. Sources of Design and Implementation Guidelines</H1
|
||
|
><P
|
||
|
>Several documents help describe how to write
|
||
|
secure programs (or, alternatively, how to find security problems in
|
||
|
existing programs), and were the basis for the guidelines highlighted
|
||
|
in the rest of this book. </P
|
||
|
><P
|
||
|
>For general-purpose servers and setuid/setgid programs, there are a number
|
||
|
of valuable documents (though some are difficult to find without
|
||
|
having a reference to them).</P
|
||
|
><P
|
||
|
>Matt Bishop [1996, 1997]
|
||
|
has developed several extremely valuable papers and presentations
|
||
|
on the topic, and in fact he has a web page dedicated to the topic at
|
||
|
<A
|
||
|
HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html"
|
||
|
TARGET="_top"
|
||
|
>http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A
|
||
|
>.
|
||
|
AUSCERT has released a programming checklist
|
||
|
<A
|
||
|
HREF="ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist"
|
||
|
TARGET="_top"
|
||
|
>[AUSCERT 1996]</A
|
||
|
>,
|
||
|
based in part on chapter 23 of Garfinkel and Spafford's book discussing how
|
||
|
to write secure SUID and network programs
|
||
|
<A
|
||
|
HREF="http://www.oreilly.com/catalog/puis"
|
||
|
TARGET="_top"
|
||
|
>[Garfinkel 1996]</A
|
||
|
>.
|
||
|
<A
|
||
|
HREF="http://www.sunworld.com/swol-04-1998/swol-04-security.html"
|
||
|
TARGET="_top"
|
||
|
>Galvin [1998a]</A
|
||
|
> described a simple process and checklist
|
||
|
for developing secure programs; he later updated the checklist in
|
||
|
<A
|
||
|
HREF="http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html"
|
||
|
TARGET="_top"
|
||
|
>Galvin [1998b]</A
|
||
|
>.
|
||
|
<A
|
||
|
HREF="http://www.pobox.com/~kragen/security-holes.html"
|
||
|
TARGET="_top"
|
||
|
>Sitaker [1999]</A
|
||
|
>
|
||
|
presents a list of issues for the ``Linux security audit'' team to search for.
|
||
|
<A
|
||
|
HREF="http://www.homeport.org/~adam/review.html"
|
||
|
TARGET="_top"
|
||
|
>Shostack [1999]</A
|
||
|
>
|
||
|
defines another checklist for reviewing security-sensitive code.
|
||
|
The NCSA
|
||
|
<A
|
||
|
HREF="http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming"
|
||
|
TARGET="_top"
|
||
|
>[NCSA]</A
|
||
|
>
|
||
|
provides a set of terse but useful secure programming guidelines.
|
||
|
Other useful information sources include the
|
||
|
<EM
|
||
|
>Secure Unix Programming FAQ</EM
|
||
|
>
|
||
|
<A
|
||
|
HREF="http://www.whitefang.com/sup/"
|
||
|
TARGET="_top"
|
||
|
>[Al-Herbish 1999]</A
|
||
|
>,
|
||
|
the
|
||
|
<EM
|
||
|
>Security-Audit's Frequently Asked Questions</EM
|
||
|
>
|
||
|
<A
|
||
|
HREF="http://lsap.org/faq.txt"
|
||
|
TARGET="_top"
|
||
|
>[Graham 1999]</A
|
||
|
>,
|
||
|
and
|
||
|
<A
|
||
|
HREF="http://www.clark.net/pub/mjr/pubs/pdf/"
|
||
|
TARGET="_top"
|
||
|
>Ranum [1998]</A
|
||
|
>.
|
||
|
Some recommendations must be taken with caution, for example,
|
||
|
the BSD setuid(7) man page
|
||
|
<A
|
||
|
HREF="http://www.homeport.org/~adam/setuid.7.html"
|
||
|
TARGET="_top"
|
||
|
>[Unknown]</A
|
||
|
>
|
||
|
recommends the use of access(3) without noting the dangerous race conditions
|
||
|
that usually accompany it.
|
||
|
Wood [1985] has some useful but dated advice
|
||
|
in its ``Security for Programmers'' chapter.
|
||
|
<A
|
||
|
HREF="http://www.research.att.com/~smb/talks"
|
||
|
TARGET="_top"
|
||
|
>Bellovin [1994]</A
|
||
|
>
|
||
|
includes useful guidelines and some specific examples, such as how to
|
||
|
restructure an ftpd implementation to be simpler and more secure.
|
||
|
FreeBSD provides some guidelines
|
||
|
<A
|
||
|
HREF="http://www.freebsd.org/security/security.html"
|
||
|
TARGET="_top"
|
||
|
>FreeBSD [1999]</A
|
||
|
>
|
||
|
<A
|
||
|
HREF="http://developer.gnome.org/doc/guides/programming-guidelines/book1.html"
|
||
|
TARGET="_top"
|
||
|
>[Quintero 1999]</A
|
||
|
>
|
||
|
is primarily concerned with GNOME programming guidelines, but it
|
||
|
includes a section on security considerations.
|
||
|
<A
|
||
|
HREF="http://www.fish.com/security/murphy.html"
|
||
|
TARGET="_top"
|
||
|
>[Venema 1996]</A
|
||
|
>
|
||
|
provides a detailed discussion (with examples) of some common errors
|
||
|
when programming secure programs (widely-known or predictable passwords,
|
||
|
burning yourself with malicious data, secrets in user-accessible data,
|
||
|
and depending on other programs).
|
||
|
<A
|
||
|
HREF="http://www.fish.com/security/maldata.html"
|
||
|
TARGET="_top"
|
||
|
>[Sibert 1996]</A
|
||
|
>
|
||
|
describes threats arising from malicious data.
|
||
|
Michael Bacarella's article
|
||
|
<A
|
||
|
HREF="http://m.bacarella.com/papers/secsoft/html"
|
||
|
TARGET="_top"
|
||
|
>The Peon's Guide To Secure System Development</A
|
||
|
>
|
||
|
provides a nice short set of guidelines.</P
|
||
|
><P
|
||
|
>There are many documents giving security guidelines for
|
||
|
programs using
|
||
|
the Common Gateway Interface (CGI) to interface with the web.
|
||
|
These include
|
||
|
<A
|
||
|
HREF="http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec"
|
||
|
TARGET="_top"
|
||
|
>Van Biesbrouck [1996]</A
|
||
|
>,
|
||
|
<A
|
||
|
HREF="http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html"
|
||
|
TARGET="_top"
|
||
|
>Gundavaram [unknown]</A
|
||
|
>,
|
||
|
<A
|
||
|
HREF="http://webreview.com/wr/pub/97/08/08/bookshelf"
|
||
|
TARGET="_top"
|
||
|
>[Garfinkle 1997]</A
|
||
|
>
|
||
|
<A
|
||
|
HREF="http://www.eekim.com/pubs/cgibook"
|
||
|
TARGET="_top"
|
||
|
>Kim [1996]</A
|
||
|
>,
|
||
|
<A
|
||
|
HREF="http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt"
|
||
|
TARGET="_top"
|
||
|
>Phillips [1995]</A
|
||
|
>,
|
||
|
<A
|
||
|
HREF="http://www.w3.org/Security/Faq/www-security-faq.html"
|
||
|
TARGET="_top"
|
||
|
>Stein [1999]</A
|
||
|
>,
|
||
|
<A
|
||
|
HREF="http://members.home.net/razvan.peteanu"
|
||
|
TARGET="_top"
|
||
|
>[Peteanu 2000]</A
|
||
|
>,
|
||
|
and
|
||
|
<A
|
||
|
HREF="http://advosys.ca/tips/web-security.html"
|
||
|
TARGET="_top"
|
||
|
>[Advosys 2000]</A
|
||
|
>.</P
|
||
|
><P
|
||
|
>There are many documents specific to a language, which are further
|
||
|
discussed in the language-specific sections of this book.
|
||
|
For example, the Perl distribution includes
|
||
|
<A
|
||
|
HREF="http://www.perl.com/pub/doc/manual/html/pod/perlsec.html"
|
||
|
TARGET="_top"
|
||
|
>perlsec(1)</A
|
||
|
>, which describes how to use Perl more securely.
|
||
|
The Secure Internet Programming site at
|
||
|
<A
|
||
|
HREF="http://www.cs.princeton.edu/sip"
|
||
|
TARGET="_top"
|
||
|
>http://www.cs.princeton.edu/sip</A
|
||
|
>
|
||
|
is interested in computer security issues in general, but focuses on
|
||
|
mobile code systems such as Java, ActiveX, and JavaScript; Ed Felten
|
||
|
(one of its principles) co-wrote a book on securing Java
|
||
|
(<A
|
||
|
HREF="http://www.securingjava.com"
|
||
|
TARGET="_top"
|
||
|
>[McGraw 1999]</A
|
||
|
>)
|
||
|
which is discussed in <A
|
||
|
HREF="java.html"
|
||
|
>Section 10.6</A
|
||
|
>.
|
||
|
Sun's security code guidelines provide some guidelines primarily
|
||
|
for Java and C; it is available at
|
||
|
<A
|
||
|
HREF="http://java.sun.com/security/seccodeguide.html"
|
||
|
TARGET="_top"
|
||
|
>http://java.sun.com/security/seccodeguide.html</A
|
||
|
>.</P
|
||
|
><P
|
||
|
>Yoder [1998] contains a collection of patterns to be used
|
||
|
when dealing with application security.
|
||
|
It's not really a specific set of guidelines, but a set of commonly-used
|
||
|
patterns for programming that you may find useful.
|
||
|
The Schmoo group maintains a web page linking to information on
|
||
|
how to write secure code at
|
||
|
<A
|
||
|
HREF="http://www.shmoo.com/securecode"
|
||
|
TARGET="_top"
|
||
|
>http://www.shmoo.com/securecode</A
|
||
|
>.</P
|
||
|
><P
|
||
|
>There are many documents describing the issue from
|
||
|
the other direction (i.e., ``how to crack a system'').
|
||
|
One example is McClure [1999], and there's countless amounts of material
|
||
|
from that vantage point on the Internet.
|
||
|
There are also more general documents on computer architectures on how
|
||
|
attacks must be developed to exploit them, e.g.,
|
||
|
[LSD 2001].
|
||
|
The Honeynet Project has been collecting information
|
||
|
(including statistics) on how attackers
|
||
|
actually perform their attacks; see their website at
|
||
|
<A
|
||
|
HREF="http://project.honeynet.org"
|
||
|
TARGET="_top"
|
||
|
>http://project.honeynet.org</A
|
||
|
>
|
||
|
for more information.</P
|
||
|
><P
|
||
|
>There's also a large body of information on vulnerabilities
|
||
|
already identified in existing programs.
|
||
|
This can be a useful set of
|
||
|
examples of ``what not to do,'' though it takes effort to extract more
|
||
|
general guidelines from the large body of specific examples.
|
||
|
There are mailing lists that discuss security issues; one of the most
|
||
|
well-known is
|
||
|
<A
|
||
|
HREF="http://SecurityFocus.com/forums/bugtraq/faq.html"
|
||
|
TARGET="_top"
|
||
|
>Bugtraq</A
|
||
|
>, which among other things develops a list of vulnerabilities.
|
||
|
The CERT Coordination Center (CERT/CC)
|
||
|
is a major reporting center for Internet security problems which
|
||
|
reports on vulnerabilities.
|
||
|
The CERT/CC occasionally produces advisories that
|
||
|
provide a description of a serious security problem
|
||
|
and its impact, along with
|
||
|
instructions on how to obtain a patch or details of a workaround; for
|
||
|
more information see
|
||
|
<A
|
||
|
HREF="http://www.cert.org"
|
||
|
TARGET="_top"
|
||
|
>http://www.cert.org</A
|
||
|
>.
|
||
|
Note that originally the CERT was
|
||
|
a small computer emergency response team, but officially
|
||
|
``CERT'' doesn't stand for anything now.
|
||
|
The Department of Energy's
|
||
|
<A
|
||
|
HREF="http://ciac.llnl.gov/ciac"
|
||
|
TARGET="_top"
|
||
|
>Computer
|
||
|
Incident Advisory Capability (CIAC)</A
|
||
|
> also reports on vulnerabilities.
|
||
|
These different groups may identify the same vulnerabilities but use different
|
||
|
names.
|
||
|
To resolve this problem,
|
||
|
MITRE supports the Common Vulnerabilities and Exposures (CVE) list
|
||
|
which creates a single unique identifier (``name'')
|
||
|
for all publicly known vulnerabilities and security exposures
|
||
|
identified by others; see
|
||
|
<A
|
||
|
HREF="http://www.cve.mitre.org"
|
||
|
TARGET="_top"
|
||
|
>http://www.cve.mitre.org</A
|
||
|
>.
|
||
|
NIST's ICAT
|
||
|
is a searchable catalog of computer vulnerabilities, categorizing
|
||
|
each CVE vulnerability so that they can be searched
|
||
|
and compared later; see
|
||
|
<A
|
||
|
HREF="http://csrc.nist.gov/icat"
|
||
|
TARGET="_top"
|
||
|
>http://csrc.nist.gov/icat</A
|
||
|
>.</P
|
||
|
><P
|
||
|
>This book is a summary of what I believe are the most
|
||
|
useful and important guidelines.
|
||
|
My goal is a book that
|
||
|
a good programmer can just read and then be fairly well prepared
|
||
|
to implement a secure program.
|
||
|
No single document can really meet this goal, but
|
||
|
I believe the attempt is worthwhile.
|
||
|
My objective is to strike a balance somewhere between a
|
||
|
``complete list of all possible guidelines''
|
||
|
(that would be unending and unreadable)
|
||
|
and the various ``short'' lists available on-line that are nice and short
|
||
|
but omit a large number of critical issues.
|
||
|
When in doubt, I include the guidance; I believe in that case it's better
|
||
|
to make the information
|
||
|
available to everyone in this ``one stop shop'' document.
|
||
|
The organization presented here is my own (every list has its own, different
|
||
|
structure), and some of the guidelines (especially the Linux-unique
|
||
|
ones, such as those on capabilities and the FSUID value) are also my own.
|
||
|
Reading all of the referenced documents listed above as well
|
||
|
is highly recommended, though I realize that for many it's impractical.</P
|
||
|
></DIV
|
||
|
><DIV
|
||
|
CLASS="NAVFOOTER"
|
||
|
><HR
|
||
|
ALIGN="LEFT"
|
||
|
WIDTH="100%"><TABLE
|
||
|
SUMMARY="Footer navigation table"
|
||
|
WIDTH="100%"
|
||
|
BORDER="0"
|
||
|
CELLPADDING="0"
|
||
|
CELLSPACING="0"
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="why-write.html"
|
||
|
ACCESSKEY="P"
|
||
|
>Prev</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="34%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="index.html"
|
||
|
ACCESSKEY="H"
|
||
|
>Home</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="other-sources.html"
|
||
|
ACCESSKEY="N"
|
||
|
>Next</A
|
||
|
></TD
|
||
|
></TR
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="top"
|
||
|
>Why Did I Write This Document?</TD
|
||
|
><TD
|
||
|
WIDTH="34%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="background.html"
|
||
|
ACCESSKEY="U"
|
||
|
>Up</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="top"
|
||
|
>Other Sources of Security Information</TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
></DIV
|
||
|
></BODY
|
||
|
></HTML
|
||
|
>
|