Chapter 6. Structure Program Internals and Approach

 

Like a city whose walls are broken down is a man who lacks self-control.

 Proverbs 25:28 (NIV)
Table of Contents
6.1. Secure the Interface
6.2. Minimize Privileges
6.2.1. Minimize the Privileges Granted
6.2.2. Minimize the Time the Privilege Can Be Used
6.2.3. Minimize the Time the Privilege is Active
6.2.4. Minimize the Modules Granted the Privilege
6.2.5. Consider Using FSUID To Limit Privileges
6.2.6. Consider Using Chroot to Minimize Available Files
6.3. Avoid Creating Setuid/Setgid Scripts
6.4. Configure Safely and Use Safe Defaults
6.5. Fail Safe
6.6. Avoid Race Conditions
6.6.1. Sequencing Problems
6.6.2. Locking
6.7. Trust Only Trustworthy Channels
6.8. Use Internal Consistency-Checking Code
6.9. Self-limit Resources

6.1. Secure the Interface

Interfaces should be minimal (as simple as possible), narrow (providing only the functions actually needed), and non-bypassable (every caller goes through the same checked path; there is no side door around it). Trust should be minimized. Applications and data viewers are routinely used to display files developed externally, so in general don't let them accept programs embedded in that data unless you're willing to do the extensive work necessary to create a secure sandbox. The most dangerous kind is an auto-executing macro that runs as soon as the file is opened; from a security point of view this is a disaster waiting to happen unless you have extremely strong control over what the macro can do (a "sandbox"), and past experience has shown that real sandboxes are hard to implement.
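The following is an added example, not code from the HOWTO. It contrasts a viewer that "accepts programs" (it evaluates an embedded macro line) with a narrow, non-bypassable viewer for the same data. The toy `@directive payload` line format, the directive names, and the sample document are assumptions constructed for the illustration; the narrow viewer dispatches only through a fixed table of renderers, so a document cannot name a function the viewer did not intend to expose.

```python
"""Narrow, non-bypassable viewer for a constructed toy document format.

Added example (not from the HOWTO). The '@name payload' line format, the
directive names and SAMPLE_DOC are assumptions made up for this illustration.
"""
import html


class RejectedDirective(ValueError):
    """Raised when a document carries a directive the viewer will not act on."""


def parse_line(line):
    """Split '@name payload' into (name, payload); a line without '@' is text."""
    if not line.startswith("@"):
        return ("text", line)
    name, _, payload = line[1:].partition(" ")
    return (name.lower(), payload)


# --- The pattern this chapter warns against -------------------------------
def render_with_macros(doc):
    """Viewer that accepts programs: an '@macro' line is evaluated on open.

    Whoever authored the file runs code with the viewer's privileges.
    """
    out = []
    for raw in doc.splitlines():
        if not raw.strip():
            continue
        name, payload = parse_line(raw)
        if name == "macro":
            out.append(str(eval(payload)))  # auto-executing macro
        else:
            out.append(html.escape(payload))
    return out


# --- The narrow interface --------------------------------------------------
def _render_title(payload):
    return "<h1>%s</h1>" % html.escape(payload)


def _render_text(payload):
    return "<p>%s</p>" % html.escape(payload)


# The complete set of things the viewer can do to a document. There is no
# getattr()/eval() path, so a file cannot reach anything outside this table.
RENDERERS = {"title": _render_title, "text": _render_text}


def render_document(doc, strict=True):
    """Render a document to HTML without executing anything it contains.

    strict=True  -> a document with an unsupported directive is rejected whole
    strict=False -> such a line is displayed as inert, escaped text instead
    """
    out = []
    for raw in doc.splitlines():
        if not raw.strip():
            continue
        name, payload = parse_line(raw)
        renderer = RENDERERS.get(name)
        if renderer is None:
            if strict:
                raise RejectedDirective("directive @%s is not supported" % name)
            out.append("<pre>%s</pre>" % html.escape(raw))
            continue
        out.append(renderer(payload))
    return "\n".join(out)


# Constructed sample: an externally supplied file carrying a macro that would
# run a shell command the moment a macro-executing viewer opens it.
SAMPLE_DOC = """@title Quarterly report
Revenue was "up" 3%.
@macro __import__('os').system('id')
"""

if __name__ == "__main__":
    try:
        render_document(SAMPLE_DOC)
    except RejectedDirective as exc:
        print("strict viewer:", exc)
    print(render_document(SAMPLE_DOC, strict=False))
```

Note that the safe viewer never consults the document to decide *what code to run*; it only consults it to decide *which of two fixed renderers to apply*. Adding a new feature means adding an entry to `RENDERERS`, which keeps the interface narrow and the allowlist in one place.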