175 lines
3.6 KiB
HTML
175 lines
3.6 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Fail Safe</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Secure Programming for Linux and Unix HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Structure Program Internals and Approach"
|
|
HREF="internals.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Load Initialization Values Safely"
|
|
HREF="init-safe.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Avoid Race Conditions"
|
|
HREF="avoid-race.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Secure Programming for Linux and Unix HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="init-safe.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 7. Structure Program Internals and Approach</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="avoid-race.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="FAIL-SAFE"
|
|
></A
|
|
>7.9. Fail Safe</H1
|
|
><P
|
|
>A secure program should always ``fail safe'', that is,
|
|
it should be designed so that if the program does fail, the safest
|
|
result should occur.
|
|
For security-critical programs, that usually means that
|
|
if some sort of misbehavior is detected (malformed input,
|
|
reaching a ``can't get here'' state, and so on), then the program
|
|
should immediately deny service and stop processing that request.
|
|
Don't try to ``figure out what the user wanted'': just deny the service.
|
|
Sometimes this can decrease reliability or useability
|
|
(from a user's perspective), but it increases security.
|
|
There are a few cases where this might not be desired (e.g., where denial of
|
|
service is much worse than loss of confidentiality or integrity), but
|
|
such cases are quite rare.</P
|
|
><P
|
|
>Note that I recommend ``stop processing the request'', not ``fail altogether''.
|
|
In particular, most servers should not completely halt when given malformed
|
|
input, because that creates a trivial opportunity for a denial of service
|
|
attack (the attacker just sends garbage bits to prevent you from using the
|
|
service).
|
|
Sometimes taking the whole server down is necessary, in particular,
|
|
reaching some ``can't get here'' states may signal a problem so drastic
|
|
that continuing is unwise.</P
|
|
><P
|
|
>Consider carefully what error message you send back when a failure is detected.
|
|
if you send nothing
|
|
back, it may be hard to diagnose problems, but sending back too much
|
|
information may unintentionally aid an attacker.
|
|
Usually the best approach is to reply with ``access denied'' or
|
|
``miscellaneous error encountered'' and then
|
|
write more detailed information to an audit log (where you can have more
|
|
control over who sees the information).</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="init-safe.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="avoid-race.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Load Initialization Values Safely</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="internals.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Avoid Race Conditions</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |