• • • • • Table of Contents Index Reviews Reader Reviews Errata Secure Coding: Principles & Practices By Mark G Graff, Kenneth R van Wyk Publisher : O'Reilly Pub Date : June 2003 ISBN : 0-596-00242-4 Pages : 224 Slots : 1 Despite their myriad manifestations and different targets, nearly all attacks on computer systems have one fundamental cause: the code used to run far too many systems today is not secure Flaws in its design, implementation, testing, and operations allow attackers all-too-easy access Secure Coding: Principles & Practices looks at the problem of bad code in a new way Packed with advice based on the authors' decades of experience in the computer security field, this concise and highly readable book explains why so much code today is filled with vulnerabilities, and tells readers what they must do to avoid writing code that can be exploited by attackers • • • • • Table of Contents Index Reviews Reader Reviews Errata Secure Coding: Principles & Practices By Mark G Graff, Kenneth R van Wyk Publisher : O'Reilly Pub Date : June 2003 ISBN : 0-596-00242-4 Pages : 224 Slots : 1 Dedication Copyright Preface Objectives of This Book Structure of This Book What This Book Does Not Cover About the Examples Acknowledgments Conventions Used in This Book Comments and Questions Chapter 1 No Straight Thing Section 1.1 The Vulnerability Cycle Section 1.2 What Is an Attack? Section 1.3 Why Good People Write Bad Code Section 1.5 Summary Section 1.4 A Call to Arms Chapter 2 Architecture Section 2.1 What Is Security Architecture? Section 2.2 Principles of Security Architecture Section 2.4 Summary Section 2.3 Case Study: The Java Sandbox Chapter 3 Design Section 3.1 Why Does Good Design Matter? Section 3.2 Secure Design Steps Section 3.3 Special Design Issues Section 3.5 Case Studies Section 3.4 Bad Practices Section 3.6 Summary Chapter 4 Implementation Section 4.1 Good Practices Section 4.2 Bad Practices Section 4.3 Case Studies Section 4.4 Summary Chapter 5 Operations Section 5.1 Security Is Everybody's Problem Section 5.2 Good Practices Section 5.3 Bad Practices Section 5.5 Summary Section 5.4 Case Studies Chapter 6 Automation and Testing Section 6.1 Why Test? Section 6.2 Good General Practices Section 6.3 Good Practices Through the Lifecycle Section 6.5 Case Studies Section 6.4 Risk Assessment Methodologies Section 6.6 Summary Appendix A Resources Section A.1 Books Section A.2 Papers and Articles Section A.3 Web Sites and Online Resources Section A.4 A Final Note on Resources Colophon Index Dedication We dedicate this work to our late friend, Jim Ellis The world knew him as James T Ellis (or jte@cert.org), coinventor of Usenet and one of the early members of the team at CERT/CC He taught each of us a lot about secure coding, too Working off the karmic debt we owe to this generous genius is one of our main motivations for writing this book Mark G Graff and Kenneth R van Wyk Copyright © 2003 O'Reilly & Associates, Inc Printed in the United States of America Published by O'Reilly & Associates, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472 O'Reilly & Associates books may be purchased for educational, business, or sales promotional use Online editions are also available for most titles (http://safari.oreilly.com) For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly & Associates, Inc Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks Where those designations appear in this book, and O'Reilly & Associates, Inc was aware of a trademark claim, the designations have been printed in caps or initial caps The association between the image of a bridge and the topic of secure coding is a trademark of O'Reilly & Associates, Inc While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein Preface Learn all you can from the mistakes of others You won't have time to make them all yourself Alfred P Sheinwold, Author of Five Weeks to Winning Bridge What's so hard about writing secure code? These days, we consumers get a few dozen security patch notices per week from the world's software product vendors and watchdog teams such as the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University Terms such as buffer overflow and race condition foam out of the bulletins like poisonous vapors Explore those terms a bit, and you'll find whole categories of mistakes that are possible to makeeasy, in factwhile developing a piece of software In this book, we take you on a virtual tour through the software development process, from inception to deployment We focus on four broad stagesinitial architecture, detailed design, implementation ("coding"), and operationand discuss the security issues a developer faces at each stage We also explore, of course, many of the specific software flaws we've studied and cataloged during our careers We present expert technical advice, too, based on our decades of hands-on experience and tempered by some of our more notable failures And while we invite you to learn from our mistakes, we also invite you to think with usthink hardabout why security vulnerabilities exist to begin with and why they seem impossible to stamp out In this book, we try to shed new light on the variety of reasons we can see And we explain in detail how developers, compensating for these factors with appropriate techniques and processes, can produce software "just secure enough" for the needs of their enterprises, users, and customers Objectives of This Book Our principal goal for this book is to articulate clearly the fundamental security concepts and practices that apply to each phase of software development We hope to teach others to think about security vulnerabilities in a new way In matters of style, we have sought to lay an exposition of ideas on a foundation of clear technical examples (and tried to keep it crisp enough that you could work through it over the course of several evenings) We want this book to be read In the long run we hope to move the proverbial ball down the field so the next generation of engineers can make the score After all, a secure Internet is probably not even a singlegeneration achievement! It may well be (for the same reason that the great Dr Edgar Dijkstra[1] refused to work with any graduate student who had ever programmed in FORTRAN) that engineers with our experience are not qualified to design a secure Internet and its appliances from the ground up [1] In addition to being the recipient of the 1972 ACM Turing Award, Dr Dijkstra is one of the "grandfathers" of modern programming A secure Internet is important When miscreants perpetrate (and the media plays up) frequent virulent attacks, the result is undermined trust in our information systems This effect decreases our willingness to deploy Internet technology in business processes and societal settings where it could be of use We all are deprived of the potential benefits: a sounder economy, more humane prisons, safer roads, even an expansion of personal liberty (for liberty flows from security, as citizens who have little to fear grant their neighbors more freedom) Who can say which admirable human accomplishments are being held back, in part, by the unreliability and skeptical public perception of this technology? How about you, the reader? What, specifically, will this book help you do? Understand the holistic nature of an application's security All too often, software security is treated as prophylaxis It's a test that gets run prior to the deployment of an application or the installation of a firewall that guards an application's environment We believe that this notion is dangerously outdated In its place we present a clearly articulated model and rationale as to why security needs to be an integral component of every phase of an application's life Security, to be truly successful, can never be an add-on feature of software Apply sound security practices Regardless of the process that you or your organization use in developing software, this book will help you better understand the security decisions and the ramifications of those decisions during the development of software Learn about available resources In elucidating the practices we endorse and describe in this book, we suggest tools you can use to automate many of the actual steps you'll undertake in developing secure software We talk about old-fashioned checklists, too, and make other procedural recommendations you will be able to apply immediately to software development in the real world [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] quality assurance (QA) questions to consider 2nd 3rd 4th 5th 6th [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] race condition attack Rain Forest Puppy RAND/DARPA study on critical infrastructure protection issues random number vulnerability web site random numbers, pseudo-random and Ranum, Marcus J Reason, James 2nd reconstructing events reliance upon concealment of design replay attack Reshef, Eran resource consumption, limiting resources books online papers and articles retrofitting an application reviews, periodic and independent risk analyses assessment 2nd assumption avoidance limitation management options managing mitigation mitigation strategy planning research and acknowledgment transference Ritchie, Dennis M runtime code checkers 2nd [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] Saltzer, J.H 2nd Santayana, George Schroeder, M D Schwartz, Alan scorecards Secure Coding web site 2nd 3rd Secure Programming for Linux and Unix HOWTO web site Secure Unix Programming FAQ web site Secure, Efficient, and Easy C Programming web site SecuriTeam security architecture complexity and deploying multiple layers design [See security design] education and events history of holistic nature of human resources and implementation [See security implementation] importance just enough mental models and metaphors used in design metrics and multilevel off-the-shelf software and operations patches, installing questions to consider resources risk assessment and sound practices standards and testing and automation vulnerability cycle web sites Security Adequacy Review (SAR) security architecture architectural document common sense and principles of Security At a Glance (SAG) Security Attribute Evaluation Method (SAEM) security design assessing risks bad practices case studies costs versus benefits design flaws evaluating mental model process steps risk mitigation strategy selecting implementation measures settling high-level technical issues special issues why it matters security implementation bad practices case studies checklists good practices Sendmail 2nd 3rd 4th 5th restricted shell case study session hijacking attack killing attack tracking setuid, avoiding Sheinwold, Alfred shells escapes filtering and restricted Shostack, Adam Sibert, W Olin simplicity Sitaker, Kragen smrsh Unix utility sniffer attack software jail Software Operationally Critical Threat, Asset, and Vulnerability Evaluations (OCTAVE) web site Soo Hoo, Kevin source code Spafford, Eugene H 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th standard engineering techniques standards security and state 2nd stateless static code checkers Steidl, Jeff Stein, Lincoln D Stephenson, Peter 2nd Stewart, John N storing sensitive data Strickland, Karl 2nd structured development methodology, necessity for Sudbury, Andrew W Sun Microsystems Swanson, Marianne SYN flag SYN flood attacks 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th 21st Systems Security EngineeringÑCapability Maturity Model web site [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] tape backups tarball defined Sun Solaris 2.0 security issue TCP (Transmission Control Protocol) 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th 14th 15th 16th 17th 18th 19th 20th TCP reset packet TCP SYN flood [See SYN flood] TCP Wrappers, case study temporary employees temporary fixes testing and automation case studies good practices methodologies risk assessment test plans third-party code, applying standards Thompson, Ken threat and risk analyses tragedy of the commons Tripunitara, Mahesh trust, limitations of [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] unauthorized activity, monitoring users and accounts, managing users, malicious [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] Van Biesbrouck, Michael Venema, Wietse 2nd 3rd 4th 5th web site verification and validation (IV&V) vertical layers Viega, John 2nd Vmware Voas, Jeffrey [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] Wagle, Perry Walpole, Jonathan Walthinsen, Erik weak keying cryptographic errors weak links, eliminating web content, cautions web cookies, cautions web URLs, cautions Weinberg, Gerald 2nd white noise source misuse, case study Windows Security web site Wired Equivalence Protocol (WEP) World Wide Web Security FAQ web site world-writable storage, avoiding wrappers 2nd Wrights versus Montgolfiers Writing Safe Setuid Programs web site [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] Y2K Yoder, Joseph [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [Y] [Z] Z language ... Table of Contents Index Reviews Reader Reviews Errata Secure Coding: Principles & Practices By Mark G Graff, Kenneth R van Wyk Publisher : O'Reilly Pub Date : June 2003 ISBN : 0-596-00242-4 Pages : 224 Slots... available for most titles (http://safari .oreilly. com) For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate @oreilly. com Nutshell Handbook, the Nutshell Handbook logo, and the... It also covers static code checkers and suggests ways to implement automated application security scorecards and other simple tools Each chapter focuses on recommended secure coding practices during a particular stage of development (as well as practices