Writing Secure Privileged Programs
Time: 10:30 - 12:15
Day: Friday 22 January 2010
Location: Civic Suites 1 and 2 (Town Hall)
Wiki Page: Writing Secure Privileged Programs
Privileged programs (set-user-ID programs, set-group-ID programs, and programs such as network servers that run under privileged IDs) have access to features and resources (files, devices, databases, and so on) that are not available to ordinary users. If a privileged program contains bugs, or can be subverted by a malicious user, then the security of the system or an application can be compromised.
From a security viewpoint, we should write programs so as to minimize both the chance of a compromise and the damage that can be done if a compromise does occur. In this tutorial, I present a checklist of common security problems (with examples) and ways in which they can be avoided.
Among the topics I'll cover are:
- Avoid writing set-user-ID and set-group-ID programs
- Consider using capabilities
- Hold privileges only while they are required
- Drop privileges permanently when they will never again be required
- Drop privileges permanently before exec()
- File descriptors and exec()
- Erase sensitive information from memory
- Core dumps
- Signals and race conditions
- Pitfalls when performing file operations and file I/O
- Environment variables
- Handle untrusted user inputs defensively
- Buffer overruns
- Denial-of-service attacks
- Avoiding unreliable run-time assumptions
- Always check the return status of system calls and library functions
- When the unexpected happens, fail safely
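As an added illustration (not part of the tutorial abstract or Michael Kerrisk's own material), the "drop privileges permanently", "always check the return status" and "fail safely" items above worked through in C. It assumes Linux/glibc and that the caller already knows the unprivileged uid/gid the process should become.

```c
/* Added example, not from the tutorial: permanently drop privileges as the
 * checklist above recommends, checking every return value and verifying the
 * result rather than assuming it. Linux/glibc; setgroups() needs _GNU_SOURCE. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Return 1 if the real and effective IDs both equal the target IDs. */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid && getgid() == gid && getegid() == gid;
}

/* Permanently drop to uid/gid; 0 on success, -1 on failure. Order matters:
 * groups and GID must change while still privileged, and the UID goes last. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    int was_root = (geteuid() == 0);
    /* Only a privileged process may change its supplementary groups;
     * leaving the old list in place is a classic incomplete drop. */
    if (was_root && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    /* From euid 0, setuid() sets real, effective AND saved set-user-ID,
     * which is what makes the drop permanent. */
    if (setuid(uid) == -1)
        return -1;
    /* Never trust that the calls did what was asked: verify, and confirm
     * that privilege cannot be regained (the attempt must fail). */
    if (!ids_match(uid, gid))
        return -1;
    if (was_root && uid != 0 && setuid(0) != -1)
        return -1;          /* saved set-user-ID was still 0 */
    return 0;
}

int main(void)
{
    /* When started as root, pass the unprivileged target IDs here instead. */
    if (drop_privileges_permanently(getuid(), getgid()) == -1) {
        perror("drop_privileges_permanently");
        return 1;           /* fail safely: do not carry on privileged */
    }
    return 0;
}
```

Run unprivileged, the calls set the IDs to their current values and succeed; run as root with a real target uid/gid, the final check confirms the saved set-user-ID was cleared as well.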
This tutorial is primarily aimed at developers. A reading knowledge of the C programming language will be useful.
Michael Kerrisk first started programming on Unix systems in 1987. He has been involved with the Linux man-pages project, which documents the Linux kernel-userspace and the glibc APIs, since 2000, and has been the project maintainer since 2004. He is the sole author of nearly 100, and the co-author of another 115, of the around 900 pages in the man-pages package (and has made changes to nearly all of the other pages). (See http://www.kernel.org/doc/man-pages/ and http://linux-man-pages.blogspot.com/.) During 2008, he undertook a fellowship with the Linux Foundation to work full time on the man-pages project and related work. A New Zealander, Michael currently lives in Munich, Germany. His 1500-page book, which provides a detailed description of the Linux kernel-userspace API, is to be published by No Starch Press in early 2010 (its ongoing progress is blogged at http://blog.man7.org/).