LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Secure-Programs-HOWTO/sources-of-guidelines.html

468 lines
12 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Sources of Design and Implementation Guidelines</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Secure Programming for Linux and Unix HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Background"
HREF="background.html"><LINK
REL="PREVIOUS"
TITLE="Why Did I Write This Document?"
HREF="why-write.html"><LINK
REL="NEXT"
TITLE="Other Sources of Security Information"
HREF="other-sources.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Secure Programming for Linux and Unix HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="why-write.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 2. Background</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="other-sources.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SOURCES-OF-GUIDELINES"
></A
>2.8. Sources of Design and Implementation Guidelines</H1
><P
>Several documents help describe how to write
secure programs (or, alternatively, how to find security problems in
existing programs), and were the basis for the guidelines highlighted
in the rest of this book.&#13;</P
><P
>For general-purpose servers and setuid/setgid programs, there are a number
of valuable documents (though some are difficult to find without
having a reference to them).</P
><P
>Matt Bishop [1996, 1997]
has developed several extremely valuable papers and presentations
on the topic, and in fact he has a web page dedicated to the topic at
<A
HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html"
TARGET="_top"
>http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A
>.
AUSCERT has released a programming checklist
<A
HREF="ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist"
TARGET="_top"
>[AUSCERT 1996]</A
>,
based in part on chapter 23 of Garfinkel and Spafford's book discussing how
to write secure SUID and network programs
<A
HREF="http://www.oreilly.com/catalog/puis"
TARGET="_top"
>[Garfinkel 1996]</A
>.
<A
HREF="http://www.sunworld.com/swol-04-1998/swol-04-security.html"
TARGET="_top"
>Galvin [1998a]</A
> described a simple process and checklist
for developing secure programs; he later updated the checklist in
<A
HREF="http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html"
TARGET="_top"
>Galvin [1998b]</A
>.
<A
HREF="http://www.pobox.com/~kragen/security-holes.html"
TARGET="_top"
>Sitaker [1999]</A
>
presents a list of issues for the ``Linux security audit'' team to search for.
<A
HREF="http://www.homeport.org/~adam/review.html"
TARGET="_top"
>Shostack [1999]</A
>
defines another checklist for reviewing security-sensitive code.
The NCSA
<A
HREF="http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming"
TARGET="_top"
>[NCSA]</A
>
provides a set of terse but useful secure programming guidelines.
Other useful information sources include the
<EM
>Secure Unix Programming FAQ</EM
>
<A
HREF="http://www.whitefang.com/sup/"
TARGET="_top"
>[Al-Herbish 1999]</A
>,
the
<EM
>Security-Audit's Frequently Asked Questions</EM
>
<A
HREF="http://lsap.org/faq.txt"
TARGET="_top"
>[Graham 1999]</A
>,
and
<A
HREF="http://www.clark.net/pub/mjr/pubs/pdf/"
TARGET="_top"
>Ranum [1998]</A
>.
Some recommendations must be taken with caution, for example,
the BSD setuid(7) man page
<A
HREF="http://www.homeport.org/~adam/setuid.7.html"
TARGET="_top"
>[Unknown]</A
>
recommends the use of access(3) without noting the dangerous race conditions
that usually accompany it.
Wood [1985] has some useful but dated advice
in its ``Security for Programmers'' chapter.
<A
HREF="http://www.research.att.com/~smb/talks"
TARGET="_top"
>Bellovin [1994]</A
>
includes useful guidelines and some specific examples, such as how to
restructure an ftpd implementation to be simpler and more secure.
FreeBSD provides some guidelines
<A
HREF="http://www.freebsd.org/security/security.html"
TARGET="_top"
>FreeBSD [1999]</A
>
<A
HREF="http://developer.gnome.org/doc/guides/programming-guidelines/book1.html"
TARGET="_top"
>[Quintero 1999]</A
>
is primarily concerned with GNOME programming guidelines, but it
includes a section on security considerations.
<A
HREF="http://www.fish.com/security/murphy.html"
TARGET="_top"
>[Venema 1996]</A
>
provides a detailed discussion (with examples) of some common errors
when programming secure programs (widely-known or predictable passwords,
burning yourself with malicious data, secrets in user-accessible data,
and depending on other programs).
<A
HREF="http://www.fish.com/security/maldata.html"
TARGET="_top"
>[Sibert 1996]</A
>
describes threats arising from malicious data.
Michael Bacarella's article
<A
HREF="http://m.bacarella.com/papers/secsoft/html"
TARGET="_top"
>The Peon's Guide To Secure System Development</A
>
provides a nice short set of guidelines.</P
><P
>There are many documents giving security guidelines for
programs using
the Common Gateway Interface (CGI) to interface with the web.
These include
<A
HREF="http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec"
TARGET="_top"
>Van Biesbrouck [1996]</A
>,
<A
HREF="http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html"
TARGET="_top"
>Gundavaram [unknown]</A
>,
<A
HREF="http://webreview.com/wr/pub/97/08/08/bookshelf"
TARGET="_top"
>[Garfinkle 1997]</A
>
<A
HREF="http://www.eekim.com/pubs/cgibook"
TARGET="_top"
>Kim [1996]</A
>,
<A
HREF="http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt"
TARGET="_top"
>Phillips [1995]</A
>,
<A
HREF="http://www.w3.org/Security/Faq/www-security-faq.html"
TARGET="_top"
>Stein [1999]</A
>,
<A
HREF="http://members.home.net/razvan.peteanu"
TARGET="_top"
>[Peteanu 2000]</A
>,
and
<A
HREF="http://advosys.ca/tips/web-security.html"
TARGET="_top"
>[Advosys 2000]</A
>.</P
><P
>There are many documents specific to a language, which are further
discussed in the language-specific sections of this book.
For example, the Perl distribution includes
<A
HREF="http://www.perl.com/pub/doc/manual/html/pod/perlsec.html"
TARGET="_top"
>perlsec(1)</A
>, which describes how to use Perl more securely.
The Secure Internet Programming site at
<A
HREF="http://www.cs.princeton.edu/sip"
TARGET="_top"
>http://www.cs.princeton.edu/sip</A
>
is interested in computer security issues in general, but focuses on
mobile code systems such as Java, ActiveX, and JavaScript; Ed Felten
(one of its principles) co-wrote a book on securing Java
(<A
HREF="http://www.securingjava.com"
TARGET="_top"
>[McGraw 1999]</A
>)
which is discussed in <A
HREF="java.html"
>Section 10.6</A
>.
Sun's security code guidelines provide some guidelines primarily
for Java and C; it is available at
<A
HREF="http://java.sun.com/security/seccodeguide.html"
TARGET="_top"
>http://java.sun.com/security/seccodeguide.html</A
>.</P
><P
>Yoder [1998] contains a collection of patterns to be used
when dealing with application security.
It's not really a specific set of guidelines, but a set of commonly-used
patterns for programming that you may find useful.
The Schmoo group maintains a web page linking to information on
how to write secure code at
<A
HREF="http://www.shmoo.com/securecode"
TARGET="_top"
>http://www.shmoo.com/securecode</A
>.</P
><P
>There are many documents describing the issue from
the other direction (i.e., ``how to crack a system'').
One example is McClure [1999], and there's countless amounts of material
from that vantage point on the Internet.
There are also more general documents on computer architectures on how
attacks must be developed to exploit them, e.g.,
[LSD 2001].
The Honeynet Project has been collecting information
(including statistics) on how attackers
actually perform their attacks; see their website at
<A
HREF="http://project.honeynet.org"
TARGET="_top"
>http://project.honeynet.org</A
>
for more information.</P
><P
>There's also a large body of information on vulnerabilities
already identified in existing programs.
This can be a useful set of
examples of ``what not to do,'' though it takes effort to extract more
general guidelines from the large body of specific examples.
There are mailing lists that discuss security issues; one of the most
well-known is
<A
HREF="http://SecurityFocus.com/forums/bugtraq/faq.html"
TARGET="_top"
>Bugtraq</A
>, which among other things develops a list of vulnerabilities.
The CERT Coordination Center (CERT/CC)
is a major reporting center for Internet security problems which
reports on vulnerabilities.
The CERT/CC occasionally produces advisories that
provide a description of a serious security problem
and its impact, along with
instructions on how to obtain a patch or details of a workaround; for
more information see
<A
HREF="http://www.cert.org"
TARGET="_top"
>http://www.cert.org</A
>.
Note that originally the CERT was
a small computer emergency response team, but officially
``CERT'' doesn't stand for anything now.
The Department of Energy's
<A
HREF="http://ciac.llnl.gov/ciac"
TARGET="_top"
>Computer
Incident Advisory Capability (CIAC)</A
> also reports on vulnerabilities.
These different groups may identify the same vulnerabilities but use different
names.
To resolve this problem,
MITRE supports the Common Vulnerabilities and Exposures (CVE) list
which creates a single unique identifier (``name'')
for all publicly known vulnerabilities and security exposures
identified by others; see
<A
HREF="http://www.cve.mitre.org"
TARGET="_top"
>http://www.cve.mitre.org</A
>.
NIST's ICAT
is a searchable catalog of computer vulnerabilities, categorizing
each CVE vulnerability so that they can be searched
and compared later; see
<A
HREF="http://csrc.nist.gov/icat"
TARGET="_top"
>http://csrc.nist.gov/icat</A
>.</P
><P
>This book is a summary of what I believe are the most
useful and important guidelines.
My goal is a book that
a good programmer can just read and then be fairly well prepared
to implement a secure program.
No single document can really meet this goal, but
I believe the attempt is worthwhile.
My objective is to strike a balance somewhere between a
``complete list of all possible guidelines''
(that would be unending and unreadable)
and the various ``short'' lists available on-line that are nice and short
but omit a large number of critical issues.
When in doubt, I include the guidance; I believe in that case it's better
to make the information
available to everyone in this ``one stop shop'' document.
The organization presented here is my own (every list has its own, different
structure), and some of the guidelines (especially the Linux-unique
ones, such as those on capabilities and the FSUID value) are also my own.
Reading all of the referenced documents listed above as well
is highly recommended, though I realize that for many it's impractical.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="why-write.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="other-sources.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Why Did I Write This Document?</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="background.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Other Sources of Security Information</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink