The end of a matter is better than its beginning, and patience is better than pride. | |
Ecclesiastes 7:8 (NIV) |
Designing and implementing a truly secure program is actually a difficult task on Unix-like systems such as Linux and Unix. The difficulty is that a truly secure program must respond appropriately to all possible inputs and environments controlled by a potentially hostile user. Developers of secure programs must deeply understand their platform, seek and use guidelines (such as these), and then use assurance processes (such as peer review) to reduce their programs' vulnerabilities.
In conclusion, here are some of the key guidelines from this paper:
Validate all your inputs, including command line inputs, environment variables, CGI inputs, and so on. Don't just reject ``bad'' input; define what is an ``acceptable'' input and reject anything that doesn't match.
Avoid buffer overflow. This is the primary programmatic error at this time.
Structure Program Internals. Secure the interface, minimize privileges, make the initial configuration and defaults safe, and fail safe. Avoid race conditions and trust only trustworthy channels (e.g., most servers must not trust their clients for security checks).
Carefully call out to other resources. Limit their values to valid values (in particular be concerned about metacharacters), and check all system call return values.
Reply information judiciously. In particular, minimize feedback, and handle full or unresponsive output to an untrusted user.