Conclusions & Resources

Secure programs must check every untrusted input channel, and doing so can eliminate a lot of problems. But that's not enough. Sometimes, even just reading data can be a security vulnerability -- before the data is even checked! And processing the data can cause the program to fail in horrific ways. We're talking about the #1 security vulnerability today -- the buffer overflow. My next installment will discuss what this vulnerability is, how to counter it, and why there's hope that this will become less of a problem in the future.

• Read all of the installments in David's Secure programmer column. "Developing secure programs" covers terminology and other basics, and "Validating input discusses checking various data types.
  
  
• David's book Secure Programming for Linux and Unix HOWTO (Wheeler, March 2003) gives a detailed account of how to develop secure software. Chapter 7 discusses setuid and limiting privileges in detail.
  
  
• "SAP R/3 Web Application Server Demo for Linux: root exploit" by Jochen Hein (Bugtraq, 29 April 2001) discusses the SAP vulnerability. This vulnerability is Bugtraq id 2662 and CVE vulnerability CVE-2001-0366. Run chmod u-s as a workaround to disable it.
  
  
• "VIM statusline Text-Embedded Command Execution Vulnerability" (Bugtraq, 26 March 2001), Bugtraq id 2510, discusses the vim vulnerability. This vulnerability is CVE vulnerability CVE-2001-0408 and was originally revealed as Red Hat RHSA-2001:008-04. You can disable it by turning off the statusline or stl option in .vimrc.
  
  
• "Multiple Vendor Web Shopping Cart Hidden Form Field Vulnerability" (Bugtraq, 1 Feb 2000), Bugtraq id 1237, discusses why blindly accepting product price values from users is a bad idea and the large number of Web applications with this error.
  
  
• "Well Known Flaw in Web Cart Software Remains Wide Open" by Beyond-Security's SecuriTeam.com notes that not only do some shopping carts fail to check product prices, some check product prices but not shipping prices (so negative shipping prices give an unjustified discount).
  
  
• David's article "Program Library HOWTO" (Wheeler, 11 April 2003) discusses how libraries (including shared libraries) are handled in GNU/Linux.
  
  
• "Why GTK_MODULES is not a security hole" by Owen Taylor (GTK.org, 2 January 2000) explains why "writing setuid and setgid programs using GTK+ is bad idea and will never be supported by the GTK+ team," and notes that current versions of GTK+ will not run setuid at all.
  
  
• Adam Shostack has posted a copy of the setuid(7) man page.
  
  
• A copy of the environ(5) man page is posted at Princeton's Computer Science department.
  
  
• Some nice discussion is included in the classic Practical Unix & Internet Security, 3rd Edition by Simson Garfinkel, Gene Spafford, and Alan Schwartz (O'Reilly & Associates, 2003). Chapter 11 discusses the IFS environment variable.
  
  
• Cameron Laird discusses server security in "Server clinic: Practical Linux security" on developerWorks.
  
  
• Gary McGraw and John Viega offer 10 points to keep in mind when building a secure system in the "Software security principles" series on developerWorks. In "Building secure software: Selecting technologies," Gary and John explore common choices faced by designers and programmers.
  
  
• Read more about Linux in the IBM developerWorks Linux section.
  
  
• IBM Research Security group has a number of security-related projects, including Internet security, Java security, cryptography, and data hiding.
  
  
• The IBM white paper "Secure Internet Applications on the AS/400 system" primarily discusses the Secure Sockets Layer (SSL) protocol.
  
  
• The AS/400 Security pages on Internet Security are a good starting point for learning more about network security.