Register your product to gain access to bonus material or receive a coupon.
Building Secure Software: How to Avoid Security Problems the Right Way
- By John Viega, Gary R. McGraw
- Published Sep 24, 2001 by Addison-Wesley Professional. Part of the Addison-Wesley Professional Computing Series series.
Book
- Sorry, this book is no longer in print.
Description
- Copyright 2002
- Edition: 1st
- Book
- ISBN-10: 0-201-72152-X
- ISBN-13: 978-0-201-72152-2
Most organizations have a firewall, antivirus software, and intrusion detection systems, all of which are intended to keep attackers out. So why is computer security a bigger problem today than ever before? The answer is simple--bad software lies at the heart of all computer security problems. Traditional solutions simply treat the symptoms, not the problem, and usually do so in a reactive way. This book teaches you how to take a proactive approach to computer security.
Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development and use—from managers to coders—this book is your first step toward building more secure software. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If you consider threats and vulnerabilities early in the devel-opment cycle you can build security into your system. With this book you will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped.
Inside you'll find the ten guiding principles for software security, as well as detailed coverage of:
- Software risk management for security
- Selecting technologies to make your code more secure
- Security implications of open source and proprietary software
- How to audit software
- The dreaded buffer overflow
- Access control and password authentication
- Random number generation
- Applying cryptography
- Trust management and input
- Client-side security
- Dealing with firewalls
Only by building secure software can you defend yourself against security breaches and gain the confidence that comes with knowing you won't have to play the "penetrate and patch" game anymore. Get it right the first time. Let these expert authors show you how to properly design your system; save time, money, and credibility; and preserve your customers' trust.
Extras
Related Articles
Application Security for Visual C++.NET Developers
Author's Site
Click below for Web Resources related to this title:
Author's Web Site
Sample Content
Online Sample Chapters
Building Secure Software: Race Conditions
Introduction to Software Security
Downloadable Sample Chapter
Click below for Sample Chapter related to this title:
viegach1.pdf
Table of Contents
Foreword.
Preface.
Organization.
Code Examples.
Contacting Us.
Acknowledgments.
1. Introduction to Software Security.
It's All about the Software.
Dealing with Widespread Security Failures.
Bugtraq.
CERT Advisories.
RISKS Digest.
Technical Trends Affecting Software Security.
The 'ilities.
What Is Security?.
Isn't That Just Reliability?
Penetrate and Patch Is Bad.
On Art and Engineering.
Security Goals.
Prevention.
Traceability and Auditing.
Monitoring.
Privacy and Confidentiality.
Multilevel Security.
Anonymity.
Authentication.
Integrity.
Know Your Enemy: Common Software Security Pitfalls.
Software Project Goals.
Conclusion.
2. Managing Software Security Risk.
An Overview of Software Risk Management for Security.
The Role of Security Personnel.
Software Security Personnel in the Life Cycle.
Deriving Requirements.
Risk Assessment.
Design for Security.
Implementation.
Security Testing.
A Dose of Reality.
Getting People to Think about Security.
Software Risk Management in Practice.
When Development Goes Astray.
When Security Analysis Goes Astray.
The Common Criteria.
Conclusion.
3. Selecting Technologies.
Choosing a Language.
Choosing a Distributed Object Platform.
CORBA.
DCOM.
EJB and RMI.
Choosing an Operating System.
Authentication Technologies.
Host-Based Authentication.
Physical Tokens.
Biometric Authentication.
Cryptographic Authentication.
Defense in Depth and Authentication.
Conclusion.
4. On Open Source and Closed Source.
Security by Obscurity.
Reverse Engineering.
Code Obfuscation.
Security for Shrink-Wrapped Software.
Security by Obscurity Is No Panacea.
The Flip Side: Open-Source Software.
Is the “Many-Eyeballs Phenomenon<170) Real?
Why Vulnerability Detection Is Hard.
Other Worries.
On Publishing Cryptographic Algorithms.
Two More Open-Source Fallacies.
The Microsoft Fallacy.
The Java Fallacy.
An Example: GNU Mailman Security.
More Evidence: Trojan Horses.
To Open Source or Not to Open Source.
Another Security Lesson from Buffer Overflows.
Beating the Drum.
Conclusion.
5. Guiding Principles for Software Security.
Principle 1: Secure the Weakest Link.
Principle 2: Practice Defense in Depth.
Principle 3: Fail Securely.
Principle 4: Follow the Principle of Least Privilege.
Principle 5: Compartmentalize.
Principle 6: Keep It Simple.
Principle 7: Promote Privacy.
Principle 8: Remember That Hiding Secrets Is Hard.
Principle 9: Be Reluctant to Trust.
Principle 10: Use Your Community Resources.
Conclusion.
6. Auditing Software.
Architectural Security Analysis.
Attack Trees.
Reporting Analysis Findings.
Implementation Security Analysis.
Auditing Source Code.
Source-level Security Auditing Tools.
Using RATS in an Analysis.
The Effectiveness of Security Scanning of Software.
Conclusion.
7. Buffer Overflows.
What Is a Buffer Overflow?
Why Are Buffer Overflows a Security Problem?
Defending against Buffer Overflow.
Major Gotchas.
Internal Buffer Overflows.
More Input Overflows.
Other Risks.
Tools That Can Help.
Smashing Heaps and Stacks.
Heap Overflows.
Stack Overflows.
Decoding the Stack.
To Infinity and Beyond!
Attack Code.
A UNIX Exploit.
What About Windows?
Conclusion.
8. Access Control.
The UNIX Access Control Model.
How UNIX Permissions Work.
Modifying File Attributes.
Modifying Ownership.
The umask.
The Programmatic Interface.
Setuid Programming.
Access Control in Windows NT.
Compartmentalization.
Fine-Grained Privileges.
Conclusion.
9. Race Conditions.
What Is a Race Condition?
Time-of-Check, Time-of-Use.
Broken passwd.
Avoiding TOCTOU Problems.
Secure File Access.
Temporary Files.
File Locking.
Other Race Conditions.
Conclusion.
10. Randomness and Determinism.
Pseudo-random Number Generators.
Examples of PRNGs.
The Blum-Blum-Shub PRNG.
The Tiny PRNG.
Attacks Against PRNGs.
How to Cheat in On-line Gambling.
Statistical Tests on PRNGs.
Entropy Gathering and Estimation.
Hardware Solutions.
Software Solutions.
Poor Entropy Collection: How to Read “Secret” Netscape Messages.
Handling Entropy.
Practical Sources of Randomness.
Tiny.
Random Numbers for Windows.
Random Numbers for Linux.
Random Numbers in Java.
Conclusion.
11. Applying Cryptography.
General Recommendations.
Developers Are Not Cryptographers.
Data Integrity.
Export Laws.
Common Cryptographic Libraries.
Cryptlib.
OpenSSL.
Crypto++.
BSAFE.
Cryptix.
Programming with Cryptography.
Encryption.
Hashing.
Public Key Encryption.
Threading.
Cookie Encryption.
More Uses for Cryptographic Hashes.
SSL and TLS (Transport Layer Security.
Stunnel.
One-Time Pads.
Conclusion.
12. Trust Management and Input Validation.
A Few Words on Trust.
Examples of Misplaced Trust.
Trust Is Transitive.
Protection from Hostile Callers.
Invoking Other Programs Safely.
Problems from the Web.
Client-side Security.
Perl Problems.
Format String Attacks.
Automatically Detecting Input Problems.
Conclusion.
13. Password Authentication.
Password Storage.
Adding Users to a Password Database.
Password Authentication.
Password Selection.
More Advice.
Throwing Dice.
Passphrases.
Application-Selected Passwords.
One-Time Passwords.
Conclusion.
14. Database Security.
The Basics.
Access Control.
Using Views for Access Control.
Field Protection.
Security against Statistical Attacks.
Conclusion.
15. Client-side Security.
Copy Protection Schemes.
License Files.
Thwarting the Casual Pirate.
Other License Features.
Other Copy Protection Schemes.
Authenticating Untrusted Clients.
Tamperproofing.
Antidebugger Measures.
Checksums.
Responding to Misuse.
Decoys.
Code Obfuscation.
Basic Obfuscation Techniques.
Encrypting Program Parts.
Conclusion.
16. Through the Firewall.
Basic Strategies.
Client Proxies.
Server Proxies.
SOCKS.
Peer to Peer.
Conclusions.
Appendix A. Cryptography Basics.
The Ultimate Goals of Cryptography.
Attacks on Cryptography.
Types of Cryptography.
Symmetric Cryptography.
Types of Symmetric Algorithms.
Security of Symmetric Algorithms.
Public Key Cryptography.
Cryptographic Hashing Algorithms.
Other Attacks on Cryptographic Hashes.
What's a Good Hash Algorithm to Use?
Digital Signatures.
Conclusions.
References.
Index.
Preface
"A book is a machine to think with."
--I.A. Richards PRINCIPLES OF LITERARY CRITICISM
This book exists to help people involved in the software development process learn the principles necessary for building secure software. The book is intended for anyone involved in software development, from managers to coders, although it contains the low-level detail that is most applicable to programmers. Specific code examples and technical details are presented in the second part of the book. The first part is more general and is intended to set an appropriate context for building secure software by introducing security goals, security technologies, and the concept of software risk management.
There are plenty of technical books that deal with computer security, but until now, none have applied significant effort to the topic of developing secure programs. If you want to learn how to set up a firewall, lock down a single host, or build a virtual private network, there are other resources to which to turn outside this book. Because most security books are intended to address the pressing concerns of network-level security practitioners, they tend to focus on how to promote secrecy and how to protect networked resources in a world in which software is chronically broken.
Unfortunately, many security practitioners have gotten used to a world in which having security problems in software is common, and even acceptable. Some people even assume that it is too hard to get developers to build secure software, so they don't raise the issue. Instead, they focus their efforts on "best-practice" network security solutions, erecting firewalls, and trying to detect intrusions and patch known security problems in a timely manner.
We are optimistic that the problem of bad software security can be addressed. The truth is, writing programs that have no security flaws in them is difficult. However, we assert that writing a "secure-enough" program is much easier than writing a completely bug-free program. Should people give up on removing bugs from software just because it's essentially impossible to eliminate them all? Of course not. By the same token, people shouldn't just automatically throw in the software security towel before they even understand the problem.
A little bit of education can go a long way. One of the biggest reasons why so many products have security problems is that many technologists involved in the development process have never learned very much about how to produce secure code. One problem is that until now there have been very few places to turn for good information. A goal of this book is to close the educational gap and to arm software practitioners with the basic techniques necessary to write secure programs.
This said, you should not expect to eradicate all security problems in your software simply by reading this book. Claiming that this book provides a silver bullet for security would ignore the realities of how difficult it is to secure computer software. We don't ignore reality--we embrace it, by treating software security as a risk management problem.
In the real world, your software will likely never be totally secure. First of all, there is no such thing as 100% security. Most software has security risks that can be exploited. It's a matter of how much money and effort are required to break the system in question. Even if your software is bug free and your servers are protected by firewalls, someone who wants to target you may get an insider to attack you. Or they may perform a "black bag" (break-in) operation. Because security is complicated and is a system-wide property, we not only provide general principles for secure software design, but we also focus on the most common risks, and how to mitigate them.
Organization
This book is divided into two parts. The first part focuses on the things you should know about software security before you even think about producing code. We focus on how to integrate security into your software engineering practice. Emphasis is placed on methodologies and principles that reduce security risk by getting started early in the development life cycle. Designing security into a system from the beginning is much easier and orders of magnitude cheaper than retrofitting a system for security later. Not only do we focus on requirements and design, we also provide significant emphasis on analyzing the security of a system, which we believe to be a critical skill. The first part of this book should be of general interest to anyone involved in software development at any level, from business-level leadership to developers in the trenches.
In the second part, we get our hands dirty with implementation-level issues. Even with a solid architecture, there is plenty of room for security problems to be introduced at development time. We show developers in gory detail how to recognize and to avoid common implementation-level problems such as buffer overflows and race conditions. The second part of the book is intended for those who feel comfortable around code.
We purposely cover material that we believe to be of general applicability. That is, unless a topic is security critical, we try to stay away from anything that is dependent on a particular operating system or programming language. For example, we do not discuss POSIX "capabilities" because they are not widely implemented. However, we devote an entire chapter to buffer overflows because they are a problem of extraordinary magnitude, even though a majority of buffer overflows are specific to C and C++.
Because our focus is on technologies that are applicable at the broadest levels, there are plenty of worthy technologies that we do not cover, including Kerberos, PAM (pluggable authentication modules), and mobile code sandboxing, to name a few. Many of these technologies merit their own books (although not all of them are adequately covered today). This book's companion Web site, http://www.buildingsecuresoftware.com/, provides links to information sources covering interesting security technologies that we left out.
Code Examples
Although we cover material that is largely language independent, most of our examples are written in C, mainly because it is so widely used, but also because it is harder to get things right in C than in other languages. Porting our example code to other programming languages is often a matter of finding the right calls or constructs for the target programming language. However, we do include occasional code examples in Python, Java, and Perl, generally in situations in which those languages are significantly different from C. All of the code in this book is available at
http://www.buildingsecuresoftware.com/.
There is a large UNIX bias to this book even though we tried to stick to operating system-independent principles. We admit that our coverage of specifics for other operating systems, particularly Windows, leaves something to be desired. Although Windows NT is loosely POSIX compliant, in reality Windows programmers tend not to use the POSIX application programming interface (API). For instance, we hear that most Windows programmers do not use the standard C string library, in favor of Unicode string-handling routines. As of this writing, we still don't know which common functions in the Windows API are susceptible to buffer overflow calls, so we can't provide a comprehensive list. If someone creates such a list in the future, we will gladly post it on the book's Web site.
The code we provide in this book has all been tested on a machine running stock Red Hat 6.2. Most of it has been tested on an OpenBSD machine as well. However, we provide the code on an "as-is" basis. We try to make sure that the versions of the code posted on the Web site are as portable as possible; but be forewarned, our available resources for ensuring portability are low. We may not have time to help people who can't get code to compile on a particular architecture, but we will be very receptive to readers who send in patches.
Contacting Us
We welcome electronic mail from anyone with comments, bug fixes, or other suggestions. Please contact us through
http://www.buildingsecuresoftware.com.
020172152XP09242001
Index
Index
- Access control
- basic description of, 187-208
- buffer overflows and, 139, 155
- compartmentalization and, 204-207
- CORBA and, 55
- database security and, 382-396
- fine-grained privileges and, 207-208
- flags, 155
- JDB system for, 58-59
- Lists (ACLs), 204
- mandatory, 207
- modifying ownership, 194-195
- modifying file attributes, 190-193
- programmatic interface and, 195-197
- setuid programming and, 197-202
- TOCTOU problems and, 222-225
- UNIX and for, 187-202
- using views for, 385-387
- Windows NT and, 202-204
- access() function, 215
- ACLs (Access Control Lists), 204
- Activation records, 153
- ActiveX controls (Microsoft), 11, 272
- AES, 276, 449-450
- assessing the security of, 301
- competition for, 449
- cryptography libraries and, 272, 274, 277
- database security and, 382
- passwords authentication and, 375
- Aggregate functions, 392-393
- Aiken, Alexander, 184
- Aleph One, 135, 180
- Algorithms. See also specific algorithms
- community resources and, 112-113
- false advertising regarding, 112
- open-source software and, 69-72, 74-75, 78
- publishing, 82
- proprietary, 450
- Amazon.com, 18, 297, 455-456
- American Express, 63. See also Credit cards
- American Standard Code for Information Interchange (ASCII). See ASCII (American Standard Code for Information Interchange)
- amkCrypt, 274
- Analysis. See also Auditing
- appropriate timing of, 117
- architectural security, 118-126
- auditing and, 118-126
- as a creative activity, 33
- findings, reporting, 125-126
- implementation, 117-118, 126-133
- security engineers and, 36-37
- testing and, relationship of, 42
- which goes astray, 41-43
- Anna Kournikova worm, 1
- Anonymity, as a security goal, 21-22
- Anti-debugger measures, 416-418
- AOL (America Online)
- Instant Messenger for Netscape, 11
- marketing techniques, 20
- traffic monitoring, 20
- APIs (application program interfaces), 52, 101-102, 106
- auditing and, 127
- in cryptography libraries, 274-280
- firewalls and, 433
- race conditions and, 214
- random number generation and, 260
- Applet(s). See also Java
- attacks, types of, 91
- enforcing protection when running, 53
- untrusted, 52
- Application proxies, 428
- Applied Cryptography (Schneier), 256, 267, 439
- Arbaugh, Bill, 16
- argc() function, 167, 169
- argv() function, 144, 169, 312
- Arrays, 318
- Art of Computer Programming, The (Knuth), 234
- ASCII (American Standard Code for Information Interchange), 147, 171, 182-183, 293-294, 302
- database security and, 388
- digital signatures and, 464
- text, encrypting, 388
- ASF Software, 238, 241
- "Asleep at the Wheel" (Lake), 3-4
- ATH variable, 320
- ATMs (automatic teller machines), 66
- Attackers, use of the term, 25-27. See also Malicious hackers
- Attack trees, 120-125
- Attributes, modifying, 190-193
- Audio players, 110
- Auditing. See also Analysis; Monitoring
- architectural security analysis and, 117, 118-126
- attack trees and, 120-125
- basic description of, 19-20, 115-133
- implementation security analysis and, 126-133
- logs, 20
- open-source software and, 84-85
- reports, 125-126
- security scanners and, 132-133
- security engineers and, 38
- as a security goal, 19
- tools, source-level, 128-130
- using RATS for, 130-132
- Authentication
- biometric, 64-66
- call-level, 57
- connect, 57
- CORBA and, 55
- credit card, 97-98
- cryptographic, 66
- DCOM and, 56-58
- default, 57
- defense in depth and, 66-67
- design for security and, 37
- failure modes and, 97-98
- host-based, 61-63
- IP spoofing and, 62
- levels, 56-58
- packet integrity-level, 57
- packet-level, 57-58
- packet privacy-level, 58
- password, 335-380
- proxy-level, 432
- remote execution and, 414-415
- security goals and, 22-23, 440-441
- technologies, 61-67
- trust management and, 308
- of untrusted clients, 415
- using physical tokens, 63-65
- AutoDesk, 421
- AVG() function, 392, 393, 394
- Axis Powers, 71. See also World War II
- Backdoors, 105, 309-310
- Back Orifice 2000, 178
- Bacon, Francis, 187
- base32 encoding, 402, 408-409
- base64 encoding, 226, 349, 387, 401
- Base pointers, 163, 169, 172
- Battle plans, creating, 121
- bcopy() function, 149, 153
- Beizer, Boris, 15
- Bellovin, Steven M., 1, 86, 427
- Berra, Yogi, 267
- Best-match policy, 189
- Binaries, 192, 206
- buffer overflow and, 140, 178-179
- client-side security and, 401, 408, 425
- extracting secrets from, 109-110
- setting suid bits on, 140
- trust management and, 307, 309
- bind() function, 333
- Biometric authentication, 64-66
- Birthday attacks, 461
- Bishop, Matt, 320
- Bit(s), 295, 296-297
- Blaze, Matt, 253, 297, 462
- Blowfish, 272, 274
- ciphers, 283
- client-side security and, 408-409
- using, in CBC mode, 282
- Blumb-Blumb-Shub PRNG, 236-237, 241, 244
- Boneh, Dan, 269
- Boolean flags, 139
- Bounds checking, 141, 148
- Brainstorming sessions, 125
- Brazil, 381
- Brewer, Eric, 136
- Browser(s)
- attacks, 254-255
- CAs and, 299
- as consumer-ware, 17
- cookies and, 21, 324
- firewalls and, 433
- license files and, 411
- operating systems and, fuzzy boundaries between, 11-13
- surfing data collected through, 21
- untrusted applets and, 52
- Brute-force attacks, 338, 461
- BSAFE library, 277-278
- BSS (block storage segment), 151
- Buffer(s). See also Buffer overflows
- attack code and, 177-185
- input, 148-149
- internal, 147-148
- tamperproofing and, 420
- UNIX and, 178-185
- use of the term, 138
- Windows and, 185
- Buffer overflow(s), 24, 25, 87-88. See also Buffers
- auditing and, 128, 131
- basic description of, 135-186
- defending against, 141-142
- entropy handling and, 256-257
- gotchas related to, 141-147
- open-source software and, 79-81
- securing the weakest link and, 93-94
- selecting technologies and, 51, 52
- smashing stacks and, 151-155
- stack overflows and, 159-177
- testing and, 39
- tools which address, 150-151
- trust management and, 309
- Bugs. See also Debugging; Errors
- announcing, 88-89
- responding to misuse with, 419-420
- Bugtraq mailing list, 6, 7
- C (high-level language), 8, 50-51, 53, 274, 303
- access control and, 201-202
- auditing and, 129, 130
- buffer overflows and, 94, 138-139, 141, 148-151, 154-156, 159-161, 164-165, 171-174, 177-179, 181
- client-side security and, 421
- firewalls and, 433
- format string attacks and, 329-330
- input validation and, 329
- libraries, 141
- open-source software and, 73-74, 84, 88
- passwords authentication and, 339-350
- popularity of, 84
- race conditions and, 216, 222-223
- random number generation and, 261-262
- risks of using, 88
- trust management and, 317-319
- C++ (high-level language), 10, 50, 54
- auditing and, 129
- buffer overflow and, 137, 148, 154
- cryptography libraries and, 275-276
- risks of using, 88
- Cache poisoning attacks, 63
- Caches, 63, 417-418
- Caesar, Julius, 231
- Callbacks, 412
- Cameras, 96, 244
- Canada, 44, 46
- Canadian Trusted Computer Products Evaluation Criteria, 44
- Capabilities, 207-208
- Capture/replay attacks, 26, 459
- Carnegie Mellon University, 8
- Carnivore system (FBI), 21
- CAs (certificate authorities), 297-301, 455
- Case-sensitivity, 363
- CAST ciphers, 283
- CBC (cipher block chaining) mode, 270, 282-284, 408, 446, 447
- CDs (compact discs), 305, 398, 400-415
- CERT/CC (CERT Coordination Center) advisories, 2, 8
- regarding buffer overflows, 87, 135, 136-137
- regarding character sets, 324
- CFB (cipher feedback), 270, 283-284, 447
- CGI (Common Gateway Interface), 320-325, 327-329, 333-334
- CGI.pm module, 334
- Challenge/response systems, 413-315
- Character(s)
- client-side security and, 402
- length of passwords, 358
- sets, 324-325, 402
- trust management and, 321-322
- chdir() function, 222, 224, 225, 333
- CHECK option, 386-387
- Checksums, 57, 418-420
- basic description of, 457
- hash functions and, 441, 457, 458
- symmetric algorithms and, 447
- Cheswick, William, 1, 427
- Chipsets, 244-245
- chmod() function, 190, 191-192, 195, 333
- Choke points, 105
- Chosen ciphertext attacks, 443
- Chosen plaintext attacks, 443, 454
- chown() function, 190, 193-196, 200, 333
- chroot() function, 200, 204-207, 333
- Cigital, 238, 239-240
- Cipher(s), 236, 391
- 3DES, 283, 284
- available, list of, 283-284
- basic description of, 440
- block, 270, 445-446, 448, 449
- key length settings for, 284-285
- PRNGs and, 233
- reusing, 269-270
- stream, 233, 269-270, 445-446
- symmetric, 444-451
- text attacks, 442-443
- Civilized Engineer, The (Florman), 115
- Class(es)
- loading, 12, 91-92
- nested, 53
- Classifications, of information, 21
- Client(s). See also Client/server models
- passwords authentication and, 374
- proxies, 430-432
- -side security, 325-327, 397-426
- untrusted, authenticating, 415
- Client/server models, 22, 74. See also Clients; Servers
- EJB and, 58-59
- failure modes and, 99-100
- firewalls and, 430
- selecting technologies and, 54, 58-59
- Clocks, 243, 411
- Code
- attack, 177-185
- atomic, 212
- auditing, 127-128
- coverage, using, as a metric, 39
- good-enough, 127
- mobile, 10, 18, 91-92, 102, 107
- obfuscation, 74-75, 399, 421-426
- reuse of, disadvantages of, 12
- reverse engineering, 73-74
- untrusted, 127
- user-level (user space), 59
- Cold Fusion server, 86
- Cold War, 397
- "Command/response" protocols, 429
- Comments
- database security and, 388
- for stack inspection code, 171-172
- Common Criteria, 35, 43-46
- Common Evaluation Methodology, 44-46
- Community resources, 92, 112-113
- Compartmentalization, principle of, 92, 102-104, 204-207
- Compiling, 53, 150, 425
- comp.lang.java.security newsgroup, 18
- ComScire, 243, 257
- concat_arguments function, 164-168, 172-176
- concat.c, 166, 171, 174, 175-177
- concat.s, 174-175
- Confidentiality, as a security goal, 20, 440
- Congress (United States), 463
- connect() function, 333
- Constants, 195
- Consumer-ware, 17
- Containers, 54
- Cookies, 18, 62, 293-294, 324
- Copy protection schemes, 400-415
- CORBA (Common Object Request Broker Architecture), 54-56, 59
- Corporate Espionage (Winkler), 25
- Counter mode, 446-447
- Counterpane Labs, 362
- COUNT() function, 392, 393, 394
- Crack (program), 356, 363, 367
- Cracker, use of the term, 4
- Crash(es)
- dialog boxes, 72
- file locking and, 227
- as a sign of an exploitable vulnerability, 72
- CREATE VIEW command, 386
- Credit card(s)
- failure modes and, 97-98
- fraud, 40, 97-98
- information, storage of, 392-395
- password-based schemes and, 66
- as physical tokens, 63-64
- promoting privacy and, 107-108
- Critical section, 213
- CRLs (Certificate Revocation Lists), 299
- CrypGenRandom() function, 260
- Cryptanalysis, 441
- crypt() function, 337-338, 343, 349, 351
- Cryptix library, 278-279
- Cryptlib library, 272-275, 279-280
- Crypto++ library, 275-276
- Cryptography. See also Public key cryptography
- applying, 267-305
- attacks on, 442-444
- basic description of, 439-464
- deriving requirements and, 34
- during World War II, 71, 303-304
- eavesdropping and, 25
- export laws, 271
- goals of, 440-442
- libraries, 272-279
- programming with, 279-295
- random number generation and, 232-265
- securing the weakest link and, 93-96
- Spafford on, 2
- types of, 444
- writing your own, refraining from, 268-270
- Cryptography Research, 444
- C Traps and Pitfalls (Koenig), 78
- ctx variable, 281
- "Current time" technique, 235
- Customer support, passwords procured through, 22-23, 94, 111, 355
- Cut-and-paste attacks, 270
- Daemen, John, 449
- Dante, 434
- Database(s)
- access control for, 381-396
- auditing and, 119, 125, 129-132
- connection pooling, 54
- field protection in, 387-391
- password, adding users to, 339-350
- promoting privacy and, 107-108
- statistical attacks and, 391-395
- trust management and, 308, 325-327
- Database Security (Castano), 381
- Data integrity, 87, 270
- DCOM and, 56, 57-58
- as a security goal, 21, 441
- Data segment, of memory, 152
- DCOM (Distributed Component Object Model), 54, 56-58
- Debugging, 74, 416-419, 425. See also Bugs; Errors
- antidebugger measures and, 416-418
- buffer overflows and, 167, 171, 176, 179-180
- tamperproofing and, 416-418
- Decompilers, 73-74
- Decoys, 421
- Decryption, 280-286, 440, 451
- Defense in depth, principle of, 92, 96-97
- Delphi, 239, 272
- Demographic data, 20, 392
- Denial-of-service attacks, 10, 14-15, 50, 356
- Department of Commerce (United States), 449
- Department of Defense (United States), 43-44
- Department of Defense Trusted Computer System Evaluation Criteria ("Orange Book"), 43-44
- Dependability, overall importance of, 13
- Depth, defense in, principle of, 92, 96-97
- DES (Data Encryption Standard), 71, 74, 282-283, 448-450
- passwords authentication and, 337-338
- public keys and, 451
- Design. See also Development
- auditing and, 115, 120
- implementation and, complex interrelation of, 18
- for security, notion of, 13-14, 37-38
- Design of Everyday Things, The (Norman), 106
- DESX ciphers, 283
- Determinism, 231-265
- Development. See also Design
- cryptography export laws and, 271
- first-to-market pressures and, 17, 24, 29
- penetrate-and-patch approach and, 15-16
- spiral model of, 30-32
- teams, rapid, 41
- waterfall model of, 31-32
- which goes astray, 41
- Device drivers
- basic description of, 60
- calls to, 60-61
- compartmentalization and, 103
- Dialog boxes, effectiveness of, 106, 107
- Dice rolling technique, for selecting passwords, 358-362, 363
- Diceware, 363
- Dictionary attacks, 338
- DIEHARD, 257
- Differential power analysis (DPA), 24, 443
- Diffie-Hellman algorithm
- cryptography libraries and, 273, 274, 276, 277
- used with DSA, 454
- Digital cameras. See Cameras
- Digital signatures, 410, 413, 459
- basic description of, 462-464
- DSA (Digital Signature Algorithm) for, 269, 273, 274, 276, 410, 454
- PKI and, 463
- Directories
- backward traversal of, 328
- file locking and, 226-227
- Disassemblers, 73
- Disclosure, full, principle of, 5, 7, 81-82
- Disgruntled employees, 110
- Disraeli, Benjamin, 397
- Distributed object platforms, choosing, 54-59
- DLLs (Dynamically Linked Libraries), 185, 317
- dlopen() function, 317
- DMAC, 276
- DNA, 66
- DNS (Domain Name Service) names, 61-63
- Doctor Faustus (Marlowe), 49
- Documentation
- auditing and, 120
- cryptography libraries and, 273, 275, 276, 277, 278
- failure to read, on the part of users, 106
- Domain names, 61-63
- Dongles, 414
- DOS (Disk Operating System), 60
- DoubleClick, 20
- Double encryption, 449
- DPA (differential power analysis), 21, 443
- DSA (Digital Signature Algorithm), 269, 273, 274, 276, 410, 454. See also Digital signatures
- DVD (digital video disc) viewers, 110
- Dynamic allocation, 140
- Eavesdropping
- basic description of, 25
- deriving requirements and, 34
- key secrecy and, 109
- ECB (electronic code book) mode, 270, 283-284, 447
- ECC (elliptic curve cryptography), 273, 277, 279, 454
- Echelon, 21
- eEye, 72
- Efficiency
- C programming and, 148-149
- cryptography libraries and, 273, 275, 276, 278
- entropy handling and, 256
- as the justification for a language choice, 50
- as a key goal, 27, 29
- EGADS (Entropy-Gathering and Distribution System), 225, 226, 256, 259-260, 264
- EGID (effective GID), 188, 198
- race conditions and, 220
- trust management and, 317
- EJB (Enterprise Java Beans), 54, 58-59
- El Gamal algorithm, 273, 276, 454, 464
- Electronic Privacy Information Center, 20
- announcing security bugs via, 88-89
- distribution lists, 88-89
- passwords, 70-72, 74
- trust management and, 311-314
- Employees. See also Personnel, security
- disgruntled, 110
- trust in, 110
- Emulex Corporation, 21
- Encryption. See also Cryptography; Keys
- AES, 272, 274, 276-277, 301, 375, 382, 449-450
- auditing and, 119
- code obfuscation and, 74-75, 399, 421-426
- DES (Data Encryption Standard) and, 71, 74, 282-283, 337-338, 448-451
- disabling, 106
- double, 449
- of program parts, 423-426
- security by obscurity and, 45, 69-75, 268, 336
- Spafford on, 2
- End-of-file (EOF) character, 141
- Engineering
- methods, 18
- reverse, 73-74
- Engineering of Software, The (Hamlet), 15
- Engineers, security
- role of, 32-39
- use of the term hacker by, 3-5
- Enigma machine, 71
- Entropy
- EGADS (Entropy-Gathering and Distribution System) and, 225, 226, 256, 259-260, 264
- estimating, 241-255
- gateways, 259-260
- gathering, 225-226, 232, 235, 238, 241-255, 259-260, 264
- handling, 255-258
- secret Netscape messages and, 254-255
- Environment variables, 316-318
- Ethernet, 412
- EUID (effective UID), 188, 190, 196-201
- race conditions and, 215-216, 220
- trust management and, 311, 317
- Europe, 18, 44-46
- eval() function, 333
- EVP_bc_cfb() function, 283
- EVP_bf_cbc() function, 282, 283
- EVP_bf_ecb() function, 283
- EVP_bf_ofb() function, 283
- EVP_cast_cbc() function, 283
- EVP_cast_cfb() function, 283
- EVP_cast_ecb() function, 283
- EVP_cast_ofb() function, 283
- EVP_CIPHER_CTX_ctrl() function, 284-285
- EVP_CIPHER_CTX_set_ key_length() function, 284
- EVP_DecryptFinal() function, 292
- EVP_DecryptInit() function, 286
- EVP_DecryptUpdate() function, 286
- EVP_des_cbc() function, 283
- EVP_des_cfb() function, 283
- EVP_des_ecb() function, 283
- EVP_des_ede_cbc() function, 284
- EVP_des_ede_cfb() function, 284
- EVP_des_ede() function, 283
- EVP_des_ede_ofb() function, 284
- EVP_des_ofb() function, 283
- EVP_desx_cbc() function, 283
- EVP_DigestFinal() function, 287
- EVP_DigestUpdate() function, 287
- EVP_enc_null() function, 283
- EVP_EncryptFinal() function, 285-286, 291
- EVP_EncryptInit() function, 282
- EVP_EncryptUpdate() function, 285-286, 291
- EVP_idea_cbc() function, 284
- EVP_idea_cfb() function, 284
- EVP_idea_ecb() function, 284
- EVP_idea_ofb() function, 284
- EVP interface, 279-280
- performing hashing with, 286-287
- public key encryption with, 287-292
- EVP_rc2_40_cbc() function, 284
- EVP_rc2_64_cbc() function, 284
- EVP_rc2_cbc() function, 284
- EVP_rc2_cfb() function, 284
- EVP_rc2_ecb() function, 284
- EVP_rc2_ofb() function, 284
- EVP_rc4_40() function, 284
- EVP_rc4() function, 284
- EVP_rc5_32_12_16_cbc() function, 284
- EVP_rc5_32_12_16_cfb() function, 284
- Exception handling, 50. See also Errors
- Exclusive OR (XOR), 71, 181, 418, 424-425
- applying cryptography and, 268, 270, 283, 302
- data integrity and, 270
- DES and, 283
- one-time pads and, 302
- random number generation and, 233, 255, 256
- exec() function, 328-329, 332
- execl() function, 145, 180-181
- execve() function, 201, 312, 314
- execv() function, 159, 321
- Expiration dates, for licenses, 413
- Export laws, 271
- Extensible systems, 9, 10, 12-13
- Facial features. See Biometric authentication
- Factorization, 401-302
- Failure
- Florman on, 115
- modes, 97-100, 196
- planning for, 97-100
- to read documentation, on the part of users, 106
- Fallback schemes, 98-99
- Fault trees, 121
- FBI (Federal Bureau of Investigation), 18, 110
- fchmod() function, 195, 196
- fchown() function, 196
- fcntl() function, 333
- Federal Criteria (United States), 44
- Feedback, soliciting, 120
- Felten, Ed, 107
- fgetc() function, 148, 152
- fgets() function, 141-142, 149, 153
- Field(s)
- hidden input, 322-325
- protection, 387-391
- File(s). See also Filenames
- attributes, modifying, 190-193
- deleting, 140, 224-225
- descriptors, 315
- locking, 226-227
- temporary, 225-226
- Filename(s)
- buffer overflows and, 144
- patterns, input validation and, 332
- prefixes, 226
- restrictions on, 144
- timestamps and, 197
- FILE object, 220
- Fine-grained privileges, 207-208
- fingerd, 135
- Fingerprints
- biometric authentication and, 64-66
- cryptographic, 457
- FIPS standards, 241, 247, 260
- Firewall(s), 2, 4, 56
- auditing and, 119, 125
- basic description of, 427-437
- Common Criteria and, 44-45
- defense in depth and, 97
- open-source software and, 85
- packet-filtering, 428-430, 434
- peer-to-peer connectivity and, 435-437
- promoting privacy and, 108-109
- proxies and, 428-433, 436-437
- securing the weakest link and, 94
- SOCKS and, 433-435
- strategies for, 427-430
- toolkits, 85
- Firewalls and Internet Security (Cheswick and Bellovin), 1, 427
- FIST, 79
- Fithen, Bill, 16
- Flawfinder, 129
- FlexLM, 413
- foo, 192
- foobar, 330
- fopen() function, 226
- fork() function, 201
- Format string attacks, 329-330
- FORTRAN, 50
- Foster, Jeffrey, 136
- France, 46. See also Europe
- FrontPage (Microsoft), 105
- Frost, Robert, 427
- fscanf() function, 142, 146, 152
- fstat() function, 220
- FTP (File Transfer Protocol), 430, 458, 460
- FUD (fear, uncertainty, and doubt), 62-63, 88, 112
- Full disclosure, principle of, 5, 7, 81-82
- Functionality
- auditing and, 115-116, 117
- CORBA and, 55
- of cryptography libraries, 273
- database security and, 387
- as a key goal, 26, 29
- mobile code and, 11
- of Trojan horses, 39
- passwords authentication and, 375-376
- PRNGs and, 235
- Functions
- access() function, 215
- argc() function, 168-169
- argv() function, 144, 169, 312
- AVG() function, 392, 393, 394
- bcopy() function, 149, 153
- bind() function, 333
- chdir() function, 222, 224, 225, 333
- chmod() function, 190, 191-192, 195, 333
- chown() function, 190, 193-196, 200, 333
- chroot() function, 200, 204-207, 333
- concat_arguments function, 164-168, 172-177
- connect() function, 333
- COUNT() function, 392, 393, 394
- CrypGenRandom() function, 260
- crypt() function, 337-338, 343, 349, 351
- dlopen() function, 317
- eval() function, 333
- EVP_bc_cfb() function, 283
- EVP_bf_cbc() function, 282, 283
- EVP_bf_ecb() function, 283
- EVP_bf_ofb() function, 283
- EVP_cast_cbc() function, 283
- EVP_cast_cfb() function, 283
- EVP_cast_ecb() function, 283
- EVP_cast_ofb() function, 283
- EVP_CIPHER_CTX_ ctrl() function, 284-285
- EVP_CIPHER_CTX_ set_key_length() function, 284
- EVP_DecryptFinal() function, 292
- EVP_DecryptInit() function, 286
- EVP_DecryptUpdate() function, 286
- EVP_des_cbc() function, 283
- EVP_des_cfb() function, 283
- EVP_des_ecb() function, 283
- EVP_des_ede_cbc() function, 284
- EVP_des_ede_cfb() function, 284
- EVP_des_ede() function, 283
- EVP_des_ede_ofb() function, 284
- EVP_des_ofb() function, 283
- EVP_desx_cbc() function, 283
- EVP_DigestFinal() function, 287
- EVP_DigestUpdate() function, 287
- EVP_enc_null() function, 283
- EVP_EncryptFinal() function, 285-286, 291
- EVP_EncryptInit() function, 282
- EVP_EncryptUpdate() function, 285-286, 291
- EVP_idea_cbc() function, 284
- EVP_idea_cfb() function, 284
- EVP_idea_ecb() function, 284
- EVP_idea_ofb() function, 284
- EVP_rc2_40_cbc() function, 284
- EVP_rc2_64_cbc() function, 284
- EVP_rc2_cbc() function, 284
- EVP_rc2_cfb() function, 284
- EVP_rc2_ecb() function, 284
- EVP_rc2_ofb() function, 284
- EVP_rc4_40() function, 284
- EVP_rc4() function, 284
- EVP_rc5_32_12_16_ cbc() function, 284
- EVP_rc5_32_12_16_ cfb() function, 284
- exec() function, 328-329, 332
- execl() function, 144, 180-181
- execve() function, 201, 312, 314
- execv() function, 159, 321
- fchmod() function, 195, 196
- fchown() function, 196
- fcntl() function, 333
- fgetc() function, 148, 153
- fgets() function, 142, 149, 153
- fopen() function, 226
- fork() function, 201
- fscanf() function, 143, 144, 152
- fstat() function, 220
- generate_raw_response() function, 375
- getc() function, 148, 153
- getchar() function, 148, 153
- getenv() function, 132, 149, 319
- geteuid() function, 198, 223
- getopt() function, 148, 153
- getopt_long() function, 153
- getpass() function, 148, 153
- getrlimit() function, 316
- gets() function, 136, 142, 148, 152
- getuid() function, 198
- glob() function, 332
- ioctl() function, 333
- kill() function, 206, 333
- ksg() function, 391
- link() function, 222, 333
- lstat() function, 220
- main() function, 152, 159-160, 162-163, 172, 176
- malloc() function, 138, 140, 147, 154, 369, 375, 402
- MAX() function, 392
- memcpy() function, 149, 153
- MIN() function, 392
- mkdir() function, 222, 333
- mknod() function, 222
- munlock() function, 344
- open() function, 220, 226-227, 327, 329, 328, 332, 333
- popen() function, 206, 300, 318-319
- printf() function, 157, 177, 330
- print() function, 328
- println() function, 211, 213
- putenv() function, 319
- Raccept() function, 434
- rand() function, 234, 241, 303, 363
- random() function, 231, 234-235
- randomize() function, 239, 240
- Rbind() function, 434
- rc5_32_12_16_ofb() function, 284
- Rconnect() function, 434
- read() function, 148, 153
- realpath() function, 148, 152
- Rgetpeername() function, 434
- Rgetsockname() function, 434
- rmdir() function, 222, 333
- Rread() function, 434
- Rrecvfrom() function, 434
- Rrecv () function, 434
- Rsend() function, 434
- Rsendmsg() function, 434
- Rsendto() function, 434
- Rwrite() function, 434
- scanf() function, 136, 142, 146, 152
- setpriority() function, 206, 333
- setrlimit() function, 316
- snprintf() function, 81, 145, 149, 153
- socket() function, 333
- socketpair() function, 333
- sprintf() function, 81, 129, 136, 142, 144-145, 152
- sscanf() function, 142, 146, 152
- stat() function, 220
- stderr function, 315
- stdin function, 315
- stdio function, 132
- stdout function, 315
- strcadd() function, 149, 153
- strcat() function, 132, 137, 142, 144, 152
- strccpy() function, 149, 153
- strcpy() function, 77, 80, 128, 136, 141-143, 149, 152, 166, 168
- streadd() function, 143, 146, 152
- strecpy() function, 142-144, 146, 152
- strlen() function, 143
- strncat() function, 144
- strncpy() function, 81, 143, 148, 153, 184
- strtrns() function, 143, 147, 152
- SUM() function, 392
- symlink() function, 222, 333
- syscall() function, 333
- syslog() function, 148, 152
- sysopen() function, 334
- system() function, 206, 319-321, 332
- test() function, 160, 161, 163
- truncate() function, 333
- unlink() function, 222, 224-226, 333
- unmask() function, 333
- unmount() function, 222
- unsetenv() function, 319
- utime() function, 197, 222
- vfscanf() function, 143, 146, 152
- vscanf() function, 143, 152
- vsprintf() function, 142, 144, 152
- vsscanf() function, 143, 152
- FUZZ (program), 50
- Gambling programs, 238-241
- Game software, 397-398, 413-315
- Garbage
- collection, 253
- input validation and, 330
- trust management and, 314
- Geiger counters, electronic, 243
- generate_raw_response() function, 375
- Genetics, 66
- Germany, 46, 71. See also Europe
- getc() function, 148, 153
- getchar() function, 148, 153
- getenv() function, 132, 149, 319
- geteuid() function, 198, 223
- getopt() function, 148, 153
- getopt_long() function, 153
- getpass() function, 147, 153
- getrlimit() function, 316
- gets() function, 136, 141-142, 148, 152
- getuid() function, 198
- GIDs (group IDs), 187-190, 196, 198
- input validation and, 333
- race conditions and, 222, 224
- trust management and, 311, 317
- Gilliam, Terry, 381
- Global Identifier, 21
- glob() function, 332
- GNU
- debuggers, 179
- Mailman, 84-85
- GNU C compilers, 150
- Goals
- project, 25-27, 40-41
- security, 18-24, 40-41
- Goldberg, Ian, 254
- Government(s). See also Legislation
- export laws, 271
- intelligence secrets, 21
- security clearance systems, 100-101
- tracking systems, which degrade privacy, 20
- U.S. Congress, 463
- U.S. Department of Commerce, 449
- U.S. Department of Defense, 43-44
- U.S. Federal Bureau of Investigation, 18, 110
- U.S. National Security Agency, 43, 448, 449
- U.S. Securities and Exchange Commission, 19
- GRANT command, 383-385
- GUIs (graphical user interfaces), 55, 127, 240
- Gutmann, Peter, 225, 246, 272, 400, 414
- Hacker(s). See also Malicious hackers
- open-source software and, 81-82
- and the principle of full disclosure, 7, 27, 81-82
- use of the term, 3-5
- Hamlet, Dick, 15
- Handsard (Disraeli), 397
- Hanssen, Richard P., 110-111
- Hardware
- client-side security and, 414
- solutions for entropy gathering, 242-245
- Hash(es). See also Hashing algorithms
- additional uses for, 295-297
- basic description of, 441
- cryptography libraries and, 272, 276, 278
- database security and, 387-391
- functions, 256-258, 457-462
- passwords authentication and, 336-337, 350, 367
- Hashing algorithms. See also Hashes; specific algorithms
- basic description of, 286-287, 457-462
- recommended types of, 461-462
- Header files, 279-280
- Heap(s)
- allocation, 154
- overflows, 139-140, 150, 155-159
- Herd, following the, 111-112
- Hiding secrets, difficulties involved with, 109-111
- Hijacking attacks, 57, 63
- basic description of, 26
- passwords authentication and, 366
- promoting privacy as a defense against, 107
- HMAC (Hash Message Authentication Code), 270, 273, 274, 277, 278, 294-295. See also Hashes; Hashing algorithms
- Hollebeek, Tim, 71
- hostname command, 412
- HP/UX, 217
- HTML (HyperText Markup Language),
More Information
Other Things You Might Like
- About
- Affiliates
- Cookies
- FAQ
- Legal Notice
- Ordering Information
- Pearson+
- Privacy Notice
- Do Not Sell My Personal Information
- Press
- Promotions
- Support
- Write for Us