Building Secure Software: How to Avoid Security Problems the Right Way

Product Author Bios

John Viega is the CTO of Secure Software Solutions (www.securesw.com) and a noted expert in the area of software security. He is responsible for numerous tools in this area, including code scanners (ITS4 and RATS), random number suites (EGADS), automated repair tools, and secure programming libraries. He is also the original author of Mailman, the GNU mailing list manager.

Gary McGraw, Cigital's CTO, is a leading authority on software security. Dr. McGraw is coauthor of the groundbreaking books Building Secure Software and Exploiting Software (both from Addison-Wesley). While consulting for major software producers and consumers, he has published over ninety peer-reviewed technical publications, and functions as principal investigator on grants from DARPA, the National Science Foundation, and NIST's Advanced Technology Program. He serves on the advisory boards of Authentica, Counterpane, and Fortify Software. He is also an advisor to the computer science departments at University of California, Davis, and the University of Virginia, as well as the School of Informatics at Indiana University.

Most organizations have a firewall, antivirus software, and intrusion detection systems, all of which are intended to keep attackers out. So why is computer security a bigger problem today than ever before? The answer is simple--bad software lies at the heart of all computer security problems. Traditional solutions simply treat the symptoms, not the problem, and usually do so in a reactive way. This book teaches you how to take a proactive approach to computer security.

Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development and use—from managers to coders—this book is your first step toward building more secure software. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If you consider threats and vulnerabilities early in the devel-opment cycle you can build security into your system. With this book you will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped.

Inside you'll find the ten guiding principles for software security, as well as detailed coverage of:

• Software risk management for security
• Selecting technologies to make your code more secure
• Security implications of open source and proprietary software
• How to audit software
• The dreaded buffer overflow
• Access control and password authentication
• Random number generation
• Applying cryptography
• Trust management and input
• Client-side security
• Dealing with firewalls

Only by building secure software can you defend yourself against security breaches and gain the confidence that comes with knowing you won't have to play the "penetrate and patch" game anymore. Get it right the first time. Let these expert authors show you how to properly design your system; save time, money, and credibility; and preserve your customers' trust.

Related Articles

Application Security for Visual C++.NET Developers

Mailman Mailing List Hacks

Author's Site

Click below for Web Resources related to this title:
Author's Web Site

Customer Reviews

28 of 30 people found the following review helpful Exposes top problems and gives a framework for closing them, April 10, 2002 By  Mike Tarrani "Jazz Drummer" (Deltona, FL USA) - See all my reviews             This review is from: Building Secure Software: How to Avoid Security Problems the Right Way (Hardcover) What makes this book so important is that the authors provide an analysis of the major problems with all software, and give a collection of techniques with which to address the recurring problems, such as buffer overflows, access control exposures, randomness flaws and other security-related defects. They do not attempt to provide specific solutions. Instead they raise an awareness of the common problems, discuss the underlying causes, and give a framework with which developers can use as the basis for developing secure software. Key points of this book that I found especially useful include: (1) Even treatment of commercial and open source software. I found this refreshing because there are two camps, Microsoft developers and open source advocates, each of which criticize the other. Yes, Microsoft has a bad reputation for security, but the open source faction has its own challenges, and the authors show the strengths and weaknesses of each in an objective manner... Read more Help other customers find the most helpful reviews  Was this review helpful to you?  Permalink  Comment 42 of 49 people found the following review helpful Comment from Preface author, October 15, 2001 By  Bruce Schneier (Minneapolis, MN USA) - See all my reviews This review is from: Building Secure Software: How to Avoid Security Problems the Right Way (Hardcover) As I say in the Preface of this book, "We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security." We all know that security is risk management. _Building Secure Software_ takes the same risk-management approach to security that I espouse in _Secrets and Lies_. But while my recent focus is on detection and response, this book focuses on prevention. Most importantly, it focuses on prevention where it should occur: during software design. _Building Secure Software_ is a critical tool in the understanding of secure software. Viega and McGraw have done an excellent job of laying out both the theory and practice of secure software design. Their book is useful, practical, understandable, and comprehensive. It won't magically turn you into a software security expert, but it will make you more sensitive to software security. And the more sensitive you are to the problem, the more likely you are to work toward a... Read more Help other customers find the most helpful reviews  Was this review helpful to you?  Permalink  Comment 19 of 22 people found the following review helpful My current choice for text in computer security, December 3, 2002 By  Charles Ashbacher (Marion, Iowa United States) - See all my reviews          This review is from: Building Secure Software: How to Avoid Security Problems the Right Way (Hardcover) Even IT professionals are not completely aware of how much our society relies on the effective use of computers. For if they did, security issues would always be foremost in our minds. Nearly all of us lock the doors to our houses when we leave and yet there are problems with computers that are equivalent to leaving the door open and posting a large sign as to where the valuables are located. I am just as guilty as most others in this area, but the heavy object has finally hit me over the head, so I am now deeply involved in learning all aspects of computer security. One of the best books that I have found that explains details rather than fluffy generalities is this one. In looking through books, there were so many that used the soapbox approach, proclaiming long and loud about the need for security, but never reaching the level of the designer in showing the specific ways in which security features can be implemented. This book does that. The specific code examples... Read more Help other customers find the most helpful reviews  Was this review helpful to you?  Permalink  Comment

Share your thoughts with other customers:

› See all 23 customer reviews...

Praise For Building Secure Software: How to Avoid Security Problems the Right Way

"A great book about secure software developing, that not only the developers should read, but also the managers and security experts. It's a must for any serious company that publishes its own software...I can only suggest reading it, and most of all, implementing the knowledge inside it. If you do, it could be a dawn of the very new era in software developing, an era of secure and almost bug-free software. To paraphrase an old saying, 'Bad software is the root of all evil'... A great book, and a mandatory reading material. More than two thumbs up!" - HelpNetSecurity 12/2001

Praise for Building Secure Software

"John and Gary offer a refreshing perspective on computer security. Do it right the first time and you won't have to fix it later. A radical concept in today's shovelware world! In an industry where major software vendors confuse beta testing with product release, this book is a voice of sanity. A must-read!"

--Marcus J. Ranum, Chief Technology Officer, NFR Security, Inc. and author of Web Security Sourcebook

"System developers: Defend thy systems by studying this book, and cyberspace will be a better place."

--Fred Schneider, Professor of Computer Science, Cornell University and author of Trust in Cyberspace

"Time and time again security problems that we encounter come from errors in the software. The more complex the system, the harder and more expensive it is to find the problem. Following the principles laid out in Building Secure Software will become more and more important as we aim to conduct secure and reliable transactions and continue to move from the world of physical identification to the world of digital identification. This book is well written and belongs on the shelf of anybody concerned with the development of secure software."

--Terry Stanley, Vice President, Chip Card Security, MasterCard International

"Others try to close the door after the intruder has gotten in, but Viega and McGraw begin where all discussions on computer security should start: how to build security into the system up front. In straightforward language, they tell us how to address basic security priorities."

"Application security problems are one of the most significant categories of security vulnerabilities hampering e-commerce today. This book tackles complex application security problems--such as buffer overflows, race conditions, and implementing cryptography--in a manner that is straightforward and easy to understand. This is a must-have book for any application developer or security professional."

"Viega and McGraw have finally written the book that the technical community has been clamoring for. This is a refreshing view of how to build secure systems from two of the world's leading experts. Their risk management approach to security is a central theme throughout the book. Whether it's avoiding buffer overflows in your code, or understanding component integration and interaction, this book offers readers a comprehensive, hype-free guide. The authors demonstrate that understanding and managing risks is an important component to any systems project. This well written book is a must read for anyone interested in designing, building, or managing systems."

"About Time!"

"For information security, doing it right seems to have become a lost art. This book recaptures the knowledge, wisdom, principles, and discipline necessary for developing secure systems, and also inspires similar efforts for reliability and good software engineering practice."

"John Viega and Gary McGraw have put together a tremendously useful handbook for anyone who is designing or implementing software and cares about security. In addition to explaining the concepts behind writing secure software, they've included lots of specific information on how to build software that can't be subverted by attackers, including extensive explanations of buffer overruns, the plague of most software. Great pointers to useful tools (freeware and otherwise) add to the practical aspects of the book. A must-read for anyone writing software for the Internet."

--Jeremy Epstein, Director, Product Security & Performance, webMethods

"Security is very simple: Only run perfect software. Perfection being infeasible, one must seek practical alternatives, or face chronic security vulnerabilities. Viega and McGraw provide a superb compendium of alternatives to perfection for the practical software developer."

"While the rest of the world seems to deal with symptoms, few have been able to go after the cause of most security problems: the design and development cycles. People are taught insecure coding styles in most major colleges. Many people have taken their understanding of writing software for personal single user systems and thrust their designs into networked interdependent environments. This is dangerous. These frameworks quickly undermine the nation's critical infrastructure as well as most commercial organizations, and place the individual citizen at risk. Currently most people need to be broken of their bad habits and re-taught. It is my sincere hope that books like this one will provide the attention and focus that this area deserves. After all, this area is where the cure can be embodied. Users will not always play nice with the system. Malicious attackers seldom do. Writing secure code to withstand hostile environments is the core solution."

"Programming is hard. Programmers are expensive. Good programmers are rare and expensive. We need all the help, all the tools, and all the discipline we can muster to make the job as easy and cheap as possible. We are not there yet, but this book should help."

--Bill Cheswick, Author of Firewalls and Internet Security

Online Sample Chapters

Building Secure Software: Race Conditions

Introduction to Software Security

Table of Contents

Foreword.


Preface.

Preface

"A book is a machine to think with."
--I.A. Richards PRINCIPLES OF LITERARY CRITICISM

This book exists to help people involved in the software development process learn the principles necessary for building secure software. The book is intended for anyone involved in software development, from managers to coders, although it contains the low-level detail that is most applicable to programmers. Specific code examples and technical details are presented in the second part of the book. The first part is more general and is intended to set an appropriate context for building secure software by introducing security goals, security technologies, and the concept of software risk management.

There are plenty of technical books that deal with computer security, but until now, none have applied significant effort to the topic of developing secure programs. If you want to learn how to set up a firewall, lock down a single host, or build a virtual private network, there are other resources to which to turn outside this book. Because most security books are intended to address the pressing concerns of network-level security practitioners, they tend to focus on how to promote secrecy and how to protect networked resources in a world in which software is chronically broken.

Unfortunately, many security practitioners have gotten used to a world in which having security problems in software is common, and even acceptable. Some people even assume that it is too hard to get developers to build secure software, so they don't raise the issue. Instead, they focus their efforts on "best-practice" network security solutions, erecting firewalls, and trying to detect intrusions and patch known security problems in a timely manner.

We are optimistic that the problem of bad software security can be addressed. The truth is, writing programs that have no security flaws in them is difficult. However, we assert that writing a "secure-enough" program is much easier than writing a completely bug-free program. Should people give up on removing bugs from software just because it's essentially impossible to eliminate them all? Of course not. By the same token, people shouldn't just automatically throw in the software security towel before they even understand the problem.

A little bit of education can go a long way. One of the biggest reasons why so many products have security problems is that many technologists involved in the development process have never learned very much about how to produce secure code. One problem is that until now there have been very few places to turn for good information. A goal of this book is to close the educational gap and to arm software practitioners with the basic techniques necessary to write secure programs.

This said, you should not expect to eradicate all security problems in your software simply by reading this book. Claiming that this book provides a silver bullet for security would ignore the realities of how difficult it is to secure computer software. We don't ignore reality--we embrace it, by treating software security as a risk management problem.

In the real world, your software will likely never be totally secure. First of all, there is no such thing as 100% security. Most software has security risks that can be exploited. It's a matter of how much money and effort are required to break the system in question. Even if your software is bug free and your servers are protected by firewalls, someone who wants to target you may get an insider to attack you. Or they may perform a "black bag" (break-in) operation. Because security is complicated and is a system-wide property, we not only provide general principles for secure software design, but we also focus on the most common risks, and how to mitigate them.

Organization

This book is divided into two parts. The first part focuses on the things you should know about software security before you even think about producing code. We focus on how to integrate security into your software engineering practice. Emphasis is placed on methodologies and principles that reduce security risk by getting started early in the development life cycle. Designing security into a system from the beginning is much easier and orders of magnitude cheaper than retrofitting a system for security later. Not only do we focus on requirements and design, we also provide significant emphasis on analyzing the security of a system, which we believe to be a critical skill. The first part of this book should be of general interest to anyone involved in software development at any level, from business-level leadership to developers in the trenches.

In the second part, we get our hands dirty with implementation-level issues. Even with a solid architecture, there is plenty of room for security problems to be introduced at development time. We show developers in gory detail how to recognize and to avoid common implementation-level problems such as buffer overflows and race conditions. The second part of the book is intended for those who feel comfortable around code.

We purposely cover material that we believe to be of general applicability. That is, unless a topic is security critical, we try to stay away from anything that is dependent on a particular operating system or programming language. For example, we do not discuss POSIX "capabilities" because they are not widely implemented. However, we devote an entire chapter to buffer overflows because they are a problem of extraordinary magnitude, even though a majority of buffer overflows are specific to C and C++.

Because our focus is on technologies that are applicable at the broadest levels, there are plenty of worthy technologies that we do not cover, including Kerberos, PAM (pluggable authentication modules), and mobile code sandboxing, to name a few. Many of these technologies merit their own books (although not all of them are adequately covered today). This book's companion Web site, http://www.buildingsecuresoftware.com/, provides links to information sources covering interesting security technologies that we left out.

Code Examples

Although we cover material that is largely language independent, most of our examples are written in C, mainly because it is so widely used, but also because it is harder to get things right in C than in other languages. Porting our example code to other programming languages is often a matter of finding the right calls or constructs for the target programming language. However, we do include occasional code examples in Python, Java, and Perl, generally in situations in which those languages are significantly different from C. All of the code in this book is available at

http://www.buildingsecuresoftware.com/.

There is a large UNIX bias to this book even though we tried to stick to operating system-independent principles. We admit that our coverage of specifics for other operating systems, particularly Windows, leaves something to be desired. Although Windows NT is loosely POSIX compliant, in reality Windows programmers tend not to use the POSIX application programming interface (API). For instance, we hear that most Windows programmers do not use the standard C string library, in favor of Unicode string-handling routines. As of this writing, we still don't know which common functions in the Windows API are susceptible to buffer overflow calls, so we can't provide a comprehensive list. If someone creates such a list in the future, we will gladly post it on the book's Web site.

The code we provide in this book has all been tested on a machine running stock Red Hat 6.2. Most of it has been tested on an OpenBSD machine as well. However, we provide the code on an "as-is" basis. We try to make sure that the versions of the code posted on the Web site are as portable as possible; but be forewarned, our available resources for ensuring portability are low. We may not have time to help people who can't get code to compile on a particular architecture, but we will be very receptive to readers who send in patches.

Contacting Us

We welcome electronic mail from anyone with comments, bug fixes, or other suggestions. Please contact us through

http://www.buildingsecuresoftware.com.

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
viegach1.pdf

Index

Index

Access control

basic description of, 187-208

buffer overflows and, 139, 155

compartmentalization and, 204-207

CORBA and, 55

database security and, 382-396

fine-grained privileges and, 207-208

flags, 155

JDB system for, 58-59

Lists (ACLs), 204

mandatory, 207

modifying ownership, 194-195

modifying file attributes, 190-193

programmatic interface and, 195-197

setuid programming and, 197-202

TOCTOU problems and, 222-225

UNIX and for, 187-202

using views for, 385-387

Windows NT and, 202-204

access() function, 215

ACLs (Access Control Lists), 204

Activation records, 153

ActiveX controls (Microsoft), 11, 272

AES, 276, 449-450

assessing the security of, 301

competition for, 449

cryptography libraries and, 272, 274, 277

database security and, 382

passwords authentication and, 375

Aggregate functions, 392-393

Aiken, Alexander, 184

Aleph One, 135, 180

Algorithms. See also specific algorithms

community resources and, 112-113

false advertising regarding, 112

open-source software and, 69-72, 74-75, 78

publishing, 82

proprietary, 450

Amazon.com, 18, 297, 455-456

American Express, 63. See also Credit cards

American Standard Code for Information Interchange (ASCII). See ASCII (American Standard Code for Information Interchange)

amkCrypt, 274

Analysis. See also Auditing

appropriate timing of, 117

architectural security, 118-126

auditing and, 118-126

as a creative activity, 33

findings, reporting, 125-126

implementation, 117-118, 126-133

security engineers and, 36-37

testing and, relationship of, 42

which goes astray, 41-43

Anna Kournikova worm, 1

Anonymity, as a security goal, 21-22

Anti-debugger measures, 416-418

AOL (America Online)

Instant Messenger for Netscape, 11

marketing techniques, 20

traffic monitoring, 20

APIs (application program interfaces), 52, 101-102, 106

auditing and, 127

in cryptography libraries, 274-280

firewalls and, 433

race conditions and, 214

random number generation and, 260

Applet(s). See also Java

attacks, types of, 91

enforcing protection when running, 53

untrusted, 52

Application proxies, 428

Applied Cryptography (Schneier), 256, 267, 439

Arbaugh, Bill, 16

argc() function, 167, 169

argv() function, 144, 169, 312

Arrays, 318

Art of Computer Programming, The (Knuth), 234

ASCII (American Standard Code for Information Interchange), 147, 171, 182-183, 293-294, 302

database security and, 388

digital signatures and, 464

text, encrypting, 388

ASF Software, 238, 241

"Asleep at the Wheel" (Lake), 3-4

ATH variable, 320

ATMs (automatic teller machines), 66

Attackers, use of the term, 25-27. See also Malicious hackers

Attack trees, 120-125

Attributes, modifying, 190-193

Audio players, 110

Auditing. See also Analysis; Monitoring

architectural security analysis and, 117, 118-126

attack trees and, 120-125

basic description of, 19-20, 115-133

implementation security analysis and, 126-133

logs, 20

open-source software and, 84-85

reports, 125-126

security scanners and, 132-133

security engineers and, 38

as a security goal, 19

tools, source-level, 128-130

using RATS for, 130-132

Authentication

biometric, 64-66

call-level, 57

connect, 57

CORBA and, 55

credit card, 97-98

cryptographic, 66

DCOM and, 56-58

default, 57

defense in depth and, 66-67

design for security and, 37

failure modes and, 97-98

host-based, 61-63

IP spoofing and, 62

levels, 56-58

packet integrity-level, 57

packet-level, 57-58

packet privacy-level, 58

password, 335-380

proxy-level, 432

remote execution and, 414-415

security goals and, 22-23, 440-441

technologies, 61-67

trust management and, 308

of untrusted clients, 415

using physical tokens, 63-65

AutoDesk, 421

AVG() function, 392, 393, 394

Axis Powers, 71. See also World War II

Backdoors, 105, 309-310

Back Orifice 2000, 178

Bacon, Francis, 187

base32 encoding, 402, 408-409

base64 encoding, 226, 349, 387, 401

Base pointers, 163, 169, 172

Battle plans, creating, 121

bcopy() function, 149, 153

Beizer, Boris, 15

Bellovin, Steven M., 1, 86, 427

Berra, Yogi, 267

Best-match policy, 189

Binaries, 192, 206

buffer overflow and, 140, 178-179

client-side security and, 401, 408, 425

extracting secrets from, 109-110

setting suid bits on, 140

trust management and, 307, 309

bind() function, 333

Biometric authentication, 64-66

Birthday attacks, 461

Bishop, Matt, 320

Bit(s), 295, 296-297

Blaze, Matt, 253, 297, 462

Blowfish, 272, 274

ciphers, 283

client-side security and, 408-409

using, in CBC mode, 282

Blumb-Blumb-Shub PRNG, 236-237, 241, 244

Boneh, Dan, 269

Boolean flags, 139

Bounds checking, 141, 148

Brainstorming sessions, 125

Brazil, 381

Brewer, Eric, 136

Browser(s)

attacks, 254-255

CAs and, 299

as consumer-ware, 17

cookies and, 21, 324

firewalls and, 433

license files and, 411

operating systems and, fuzzy boundaries between, 11-13

surfing data collected through, 21

untrusted applets and, 52

Brute-force attacks, 338, 461

BSAFE library, 277-278

BSS (block storage segment), 151

Buffer(s). See also Buffer overflows

attack code and, 177-185

input, 148-149

internal, 147-148

tamperproofing and, 420

UNIX and, 178-185

use of the term, 138

Windows and, 185

Buffer overflow(s), 24, 25, 87-88. See also Buffers

auditing and, 128, 131

basic description of, 135-186

defending against, 141-142

entropy handling and, 256-257

gotchas related to, 141-147

open-source software and, 79-81

securing the weakest link and, 93-94

selecting technologies and, 51, 52

smashing stacks and, 151-155

stack overflows and, 159-177

testing and, 39

tools which address, 150-151

trust management and, 309

Bugs. See also Debugging; Errors

announcing, 88-89

responding to misuse with, 419-420

Bugtraq mailing list, 6, 7

C (high-level language), 8, 50-51, 53, 274, 303

access control and, 201-202

auditing and, 129, 130

buffer overflows and, 94, 138-139, 141, 148-151, 154-156, 159-161, 164-165, 171-174, 177-179, 181

client-side security and, 421

firewalls and, 433

format string attacks and, 329-330

input validation and, 329

libraries, 141

open-source software and, 73-74, 84, 88

passwords authentication and, 339-350

popularity of, 84

race conditions and, 216, 222-223

random number generation and, 261-262

risks of using, 88

trust management and, 317-319

C++ (high-level language), 10, 50, 54

auditing and, 129

buffer overflow and, 137, 148, 154

cryptography libraries and, 275-276

risks of using, 88

Cache poisoning attacks, 63

Caches, 63, 417-418

Caesar, Julius, 231

Callbacks, 412

Cameras, 96, 244

Canada, 44, 46

Canadian Trusted Computer Products Evaluation Criteria, 44

Capabilities, 207-208

Capture/replay attacks, 26, 459

Carnegie Mellon University, 8

Carnivore system (FBI), 21

CAs (certificate authorities), 297-301, 455

Case-sensitivity, 363

CAST ciphers, 283

CBC (cipher block chaining) mode, 270, 282-284, 408, 446, 447

CDs (compact discs), 305, 398, 400-415

CERT/CC (CERT Coordination Center) advisories, 2, 8

regarding buffer overflows, 87, 135, 136-137

regarding character sets, 324

CFB (cipher feedback), 270, 283-284, 447

CGI (Common Gateway Interface), 320-325, 327-329, 333-334

CGI.pm module, 334

Challenge/response systems, 413-315

Character(s)

client-side security and, 402

length of passwords, 358

sets, 324-325, 402

trust management and, 321-322

chdir() function, 222, 224, 225, 333

CHECK option, 386-387

Checksums, 57, 418-420

basic description of, 457

hash functions and, 441, 457, 458

symmetric algorithms and, 447

Cheswick, William, 1, 427

Chipsets, 244-245

chmod() function, 190, 191-192, 195, 333

Choke points, 105

Chosen ciphertext attacks, 443

Chosen plaintext attacks, 443, 454

chown() function, 190, 193-196, 200, 333

chroot() function, 200, 204-207, 333

Cigital, 238, 239-240

Cipher(s), 236, 391

3DES, 283, 284

available, list of, 283-284

basic description of, 440

block, 270, 445-446, 448, 449

key length settings for, 284-285

PRNGs and, 233

reusing, 269-270

stream, 233, 269-270, 445-446

symmetric, 444-451

text attacks, 442-443

Civilized Engineer, The (Florman), 115

Class(es)

loading, 12, 91-92

nested, 53

Classifications, of information, 21

Client(s). See also Client/server models

passwords authentication and, 374

proxies, 430-432

-side security, 325-327, 397-426

untrusted, authenticating, 415

Client/server models, 22, 74. See also Clients; Servers

EJB and, 58-59

failure modes and, 99-100

firewalls and, 430

selecting technologies and, 54, 58-59

Clocks, 243, 411

Code

attack, 177-185

atomic, 212

auditing, 127-128

coverage, using, as a metric, 39

good-enough, 127

mobile, 10, 18, 91-92, 102, 107

obfuscation, 74-75, 399, 421-426

reuse of, disadvantages of, 12

reverse engineering, 73-74

untrusted, 127

user-level (user space), 59

Cold Fusion server, 86

Cold War, 397

"Command/response" protocols, 429

Comments

database security and, 388

for stack inspection code, 171-172

Common Criteria, 35, 43-46

Common Evaluation Methodology, 44-46

Community resources, 92, 112-113

Compartmentalization, principle of, 92, 102-104, 204-207

Compiling, 53, 150, 425

comp.lang.java.security newsgroup, 18

ComScire, 243, 257

concat_arguments function, 164-168, 172-176

concat.c, 166, 171, 174, 175-177

concat.s, 174-175

Confidentiality, as a security goal, 20, 440

Congress (United States), 463

connect() function, 333

Constants, 195

Consumer-ware, 17

Containers, 54

Cookies, 18, 62, 293-294, 324

Copy protection schemes, 400-415

CORBA (Common Object Request Broker Architecture), 54-56, 59

Corporate Espionage (Winkler), 25

Counter mode, 446-447

Counterpane Labs, 362

COUNT() function, 392, 393, 394

Crack (program), 356, 363, 367

Cracker, use of the term, 4

Crash(es)

dialog boxes, 72

file locking and, 227

as a sign of an exploitable vulnerability, 72

CREATE VIEW command, 386

Credit card(s)

failure modes and, 97-98

fraud, 40, 97-98

information, storage of, 392-395

password-based schemes and, 66

as physical tokens, 63-64

promoting privacy and, 107-108

Critical section, 213

CRLs (Certificate Revocation Lists), 299

CrypGenRandom() function, 260

Cryptanalysis, 441

crypt() function, 337-338, 343, 349, 351

Cryptix library, 278-279

Cryptlib library, 272-275, 279-280

Crypto++ library, 275-276

Cryptography. See also Public key cryptography

applying, 267-305

attacks on, 442-444

basic description of, 439-464

deriving requirements and, 34

during World War II, 71, 303-304

eavesdropping and, 25

export laws, 271

goals of, 440-442

libraries, 272-279

programming with, 279-295

random number generation and, 232-265

securing the weakest link and, 93-96

Spafford on, 2

types of, 444

writing your own, refraining from, 268-270

Cryptography Research, 444

C Traps and Pitfalls (Koenig), 78

ctx variable, 281

"Current time" technique, 235

Customer support, passwords procured through, 22-23, 94, 111, 355

Cut-and-paste attacks, 270

Daemen, John, 449

Dante, 434

Database(s)

access control for, 381-396

auditing and, 119, 125, 129-132

connection pooling, 54

field protection in, 387-391

password, adding users to, 339-350

promoting privacy and, 107-108

statistical attacks and, 391-395

trust management and, 308, 325-327

Database Security (Castano), 381

Data integrity, 87, 270

DCOM and, 56, 57-58

as a security goal, 21, 441

Data segment, of memory, 152

DCOM (Distributed Component Object Model), 54, 56-58

Debugging, 74, 416-419, 425. See also Bugs; Errors

antidebugger measures and, 416-418

buffer overflows and, 167, 171, 176, 179-180

tamperproofing and, 416-418

Decompilers, 73-74

Decoys, 421

Decryption, 280-286, 440, 451

Defense in depth, principle of, 92, 96-97

Delphi, 239, 272

Demographic data, 20, 392

Denial-of-service attacks, 10, 14-15, 50, 356

Department of Commerce (United States), 449

Department of Defense (United States), 43-44

Department of Defense Trusted Computer System Evaluation Criteria ("Orange Book"), 43-44

Dependability, overall importance of, 13

Depth, defense in, principle of, 92, 96-97

DES (Data Encryption Standard), 71, 74, 282-283, 448-450

passwords authentication and, 337-338

public keys and, 451

Design. See also Development

auditing and, 115, 120

implementation and, complex interrelation of, 18

for security, notion of, 13-14, 37-38

Design of Everyday Things, The (Norman), 106

DESX ciphers, 283

Determinism, 231-265

Development. See also Design

cryptography export laws and, 271

first-to-market pressures and, 17, 24, 29

penetrate-and-patch approach and, 15-16

spiral model of, 30-32

teams, rapid, 41

waterfall model of, 31-32

which goes astray, 41

Device drivers

basic description of, 60

calls to, 60-61

compartmentalization and, 103

Dialog boxes, effectiveness of, 106, 107

Dice rolling technique, for selecting passwords, 358-362, 363

Diceware, 363

Dictionary attacks, 338

DIEHARD, 257

Differential power analysis (DPA), 24, 443

Diffie-Hellman algorithm

cryptography libraries and, 273, 274, 276, 277

used with DSA, 454

Digital cameras. See Cameras

Digital signatures, 410, 413, 459

basic description of, 462-464

DSA (Digital Signature Algorithm) for, 269, 273, 274, 276, 410, 454

PKI and, 463

Directories

backward traversal of, 328

file locking and, 226-227

Disassemblers, 73

Disclosure, full, principle of, 5, 7, 81-82

Disgruntled employees, 110

Disraeli, Benjamin, 397

Distributed object platforms, choosing, 54-59

DLLs (Dynamically Linked Libraries), 185, 317

dlopen() function, 317

DMAC, 276

DNA, 66

DNS (Domain Name Service) names, 61-63

Doctor Faustus (Marlowe), 49

Documentation

auditing and, 120

cryptography libraries and, 273, 275, 276, 277, 278

failure to read, on the part of users, 106

Domain names, 61-63

Dongles, 414

DOS (Disk Operating System), 60

DoubleClick, 20

Double encryption, 449

DPA (differential power analysis), 21, 443

DSA (Digital Signature Algorithm), 269, 273, 274, 276, 410, 454. See also Digital signatures

DVD (digital video disc) viewers, 110

Dynamic allocation, 140

Eavesdropping

basic description of, 25

deriving requirements and, 34

key secrecy and, 109

ECB (electronic code book) mode, 270, 283-284, 447

ECC (elliptic curve cryptography), 273, 277, 279, 454

Echelon, 21

eEye, 72

Efficiency

C programming and, 148-149

cryptography libraries and, 273, 275, 276, 278

entropy handling and, 256

as the justification for a language choice, 50

as a key goal, 27, 29

EGADS (Entropy-Gathering and Distribution System), 225, 226, 256, 259-260, 264

EGID (effective GID), 188, 198

race conditions and, 220

trust management and, 317

EJB (Enterprise Java Beans), 54, 58-59

El Gamal algorithm, 273, 276, 454, 464

Electronic Privacy Information Center, 20

E-mail

announcing security bugs via, 88-89

distribution lists, 88-89

passwords, 70-72, 74

trust management and, 311-314

Employees. See also Personnel, security

disgruntled, 110

trust in, 110

Emulex Corporation, 21

Encryption. See also Cryptography; Keys

AES, 272, 274, 276-277, 301, 375, 382, 449-450

auditing and, 119

code obfuscation and, 74-75, 399, 421-426

DES (Data Encryption Standard) and, 71, 74, 282-283, 337-338, 448-451

disabling, 106

double, 449

of program parts, 423-426

security by obscurity and, 45, 69-75, 268, 336

Spafford on, 2

End-of-file (EOF) character, 141

Engineering

methods, 18

reverse, 73-74

Engineering of Software, The (Hamlet), 15

Engineers, security

role of, 32-39

use of the term hacker by, 3-5

Enigma machine, 71

Entropy

EGADS (Entropy-Gathering and Distribution System) and, 225, 226, 256, 259-260, 264

estimating, 241-255

gateways, 259-260

gathering, 225-226, 232, 235, 238, 241-255, 259-260, 264

handling, 255-258

secret Netscape messages and, 254-255

Environment variables, 316-318

Ethernet, 412

EUID (effective UID), 188, 190, 196-201

race conditions and, 215-216, 220

trust management and, 311, 317

Europe, 18, 44-46

eval() function, 333

EVP_bc_cfb() function, 283

EVP_bf_cbc() function, 282, 283

EVP_bf_ecb() function, 283

EVP_bf_ofb() function, 283

EVP_cast_cbc() function, 283

EVP_cast_cfb() function, 283

EVP_cast_ecb() function, 283

EVP_cast_ofb() function, 283

EVP_CIPHER_CTX_ctrl() function, 284-285

EVP_CIPHER_CTX_set_ key_length() function, 284

EVP_DecryptFinal() function, 292

EVP_DecryptInit() function, 286

EVP_DecryptUpdate() function, 286

EVP_des_cbc() function, 283

EVP_des_cfb() function, 283

EVP_des_ecb() function, 283

EVP_des_ede_cbc() function, 284

EVP_des_ede_cfb() function, 284

EVP_des_ede() function, 283

EVP_des_ede_ofb() function, 284

EVP_des_ofb() function, 283

EVP_desx_cbc() function, 283

EVP_DigestFinal() function, 287

EVP_DigestUpdate() function, 287

EVP_enc_null() function, 283

EVP_EncryptFinal() function, 285-286, 291

EVP_EncryptInit() function, 282

EVP_EncryptUpdate() function, 285-286, 291

EVP_idea_cbc() function, 284

EVP_idea_cfb() function, 284

EVP_idea_ecb() function, 284

EVP_idea_ofb() function, 284

EVP interface, 279-280

performing hashing with, 286-287

public key encryption with, 287-292

EVP_rc2_40_cbc() function, 284

EVP_rc2_64_cbc() function, 284

EVP_rc2_cbc() function, 284

EVP_rc2_cfb() function, 284

EVP_rc2_ecb() function, 284

EVP_rc2_ofb() function, 284

EVP_rc4_40() function, 284

EVP_rc4() function, 284

EVP_rc5_32_12_16_cbc() function, 284

EVP_rc5_32_12_16_cfb() function, 284

Exception handling, 50. See also Errors

Exclusive OR (XOR), 71, 181, 418, 424-425

applying cryptography and, 268, 270, 283, 302

data integrity and, 270

DES and, 283

one-time pads and, 302

random number generation and, 233, 255, 256

exec() function, 328-329, 332

execl() function, 145, 180-181

execve() function, 201, 312, 314

execv() function, 159, 321

Expiration dates, for licenses, 413

Export laws, 271

Extensible systems, 9, 10, 12-13

Facial features. See Biometric authentication

Factorization, 401-302

Failure

Florman on, 115

modes, 97-100, 196

planning for, 97-100

to read documentation, on the part of users, 106

Fallback schemes, 98-99

Fault trees, 121

FBI (Federal Bureau of Investigation), 18, 110

fchmod() function, 195, 196

fchown() function, 196

fcntl() function, 333

Federal Criteria (United States), 44

Feedback, soliciting, 120

Felten, Ed, 107

fgetc() function, 148, 152

fgets() function, 141-142, 149, 153

Field(s)

hidden input, 322-325

protection, 387-391

File(s). See also Filenames

attributes, modifying, 190-193

deleting, 140, 224-225

descriptors, 315

locking, 226-227

temporary, 225-226

Filename(s)

buffer overflows and, 144

patterns, input validation and, 332

prefixes, 226

restrictions on, 144

timestamps and, 197

FILE object, 220

Fine-grained privileges, 207-208

fingerd, 135

Fingerprints

biometric authentication and, 64-66

cryptographic, 457

FIPS standards, 241, 247, 260

Firewall(s), 2, 4, 56

auditing and, 119, 125

basic description of, 427-437

Common Criteria and, 44-45

defense in depth and, 97

open-source software and, 85

packet-filtering, 428-430, 434

peer-to-peer connectivity and, 435-437

promoting privacy and, 108-109

proxies and, 428-433, 436-437

securing the weakest link and, 94

SOCKS and, 433-435

strategies for, 427-430

toolkits, 85

Firewalls and Internet Security (Cheswick and Bellovin), 1, 427

FIST, 79

Fithen, Bill, 16

Flawfinder, 129

FlexLM, 413

foo, 192

foobar, 330

fopen() function, 226

fork() function, 201

Format string attacks, 329-330

FORTRAN, 50

Foster, Jeffrey, 136

France, 46. See also Europe

FrontPage (Microsoft), 105

Frost, Robert, 427

fscanf() function, 142, 146, 152

fstat() function, 220

FTP (File Transfer Protocol), 430, 458, 460

FUD (fear, uncertainty, and doubt), 62-63, 88, 112

Full disclosure, principle of, 5, 7, 81-82

Functionality

auditing and, 115-116, 117

CORBA and, 55

of cryptography libraries, 273

database security and, 387

as a key goal, 26, 29

mobile code and, 11

of Trojan horses, 39

passwords authentication and, 375-376

PRNGs and, 235

Functions

access() function, 215

argc() function, 168-169

argv() function, 144, 169, 312

AVG() function, 392, 393, 394

bcopy() function, 149, 153

bind() function, 333

chdir() function, 222, 224, 225, 333

chmod() function, 190, 191-192, 195, 333

chown() function, 190, 193-196, 200, 333

chroot() function, 200, 204-207, 333

concat_arguments function, 164-168, 172-177

connect() function, 333

COUNT() function, 392, 393, 394

CrypGenRandom() function, 260

crypt() function, 337-338, 343, 349, 351

dlopen() function, 317

eval() function, 333

EVP_bc_cfb() function, 283

EVP_bf_cbc() function, 282, 283

EVP_bf_ecb() function, 283

EVP_bf_ofb() function, 283

EVP_cast_cbc() function, 283

EVP_cast_cfb() function, 283

EVP_cast_ecb() function, 283

EVP_cast_ofb() function, 283

EVP_CIPHER_CTX_ ctrl() function, 284-285

EVP_CIPHER_CTX_ set_key_length() function, 284

EVP_DecryptFinal() function, 292

EVP_DecryptInit() function, 286

EVP_DecryptUpdate() function, 286

EVP_des_cbc() function, 283

EVP_des_cfb() function, 283

EVP_des_ecb() function, 283

EVP_des_ede_cbc() function, 284

EVP_des_ede_cfb() function, 284

EVP_des_ede() function, 283

EVP_des_ede_ofb() function, 284

EVP_des_ofb() function, 283

EVP_desx_cbc() function, 283

EVP_DigestFinal() function, 287

EVP_DigestUpdate() function, 287

EVP_enc_null() function, 283

EVP_EncryptFinal() function, 285-286, 291

EVP_EncryptInit() function, 282

EVP_EncryptUpdate() function, 285-286, 291

EVP_idea_cbc() function, 284

EVP_idea_cfb() function, 284

EVP_idea_ecb() function, 284

EVP_idea_ofb() function, 284

EVP_rc2_40_cbc() function, 284

EVP_rc2_64_cbc() function, 284

EVP_rc2_cbc() function, 284

EVP_rc2_cfb() function, 284

EVP_rc2_ecb() function, 284

EVP_rc2_ofb() function, 284

EVP_rc4_40() function, 284

EVP_rc4() function, 284

EVP_rc5_32_12_16_ cbc() function, 284

EVP_rc5_32_12_16_ cfb() function, 284

exec() function, 328-329, 332

execl() function, 144, 180-181

execve() function, 201, 312, 314

execv() function, 159, 321

fchmod() function, 195, 196

fchown() function, 196

fcntl() function, 333

fgetc() function, 148, 153

fgets() function, 142, 149, 153

fopen() function, 226

fork() function, 201

fscanf() function, 143, 144, 152

fstat() function, 220

generate_raw_response() function, 375

getc() function, 148, 153

getchar() function, 148, 153

getenv() function, 132, 149, 319

geteuid() function, 198, 223

getopt() function, 148, 153

getopt_long() function, 153

getpass() function, 148, 153

getrlimit() function, 316

gets() function, 136, 142, 148, 152

getuid() function, 198

glob() function, 332

ioctl() function, 333

kill() function, 206, 333

ksg() function, 391

link() function, 222, 333

lstat() function, 220

main() function, 152, 159-160, 162-163, 172, 176

malloc() function, 138, 140, 147, 154, 369, 375, 402

MAX() function, 392

memcpy() function, 149, 153

MIN() function, 392

mkdir() function, 222, 333

mknod() function, 222

munlock() function, 344

open() function, 220, 226-227, 327, 329, 328, 332, 333

popen() function, 206, 300, 318-319

printf() function, 157, 177, 330

print() function, 328

println() function, 211, 213

putenv() function, 319

Raccept() function, 434

rand() function, 234, 241, 303, 363

random() function, 231, 234-235

randomize() function, 239, 240

Rbind() function, 434

rc5_32_12_16_ofb() function, 284

Rconnect() function, 434

read() function, 148, 153

realpath() function, 148, 152

Rgetpeername() function, 434

Rgetsockname() function, 434

rmdir() function, 222, 333

Rread() function, 434

Rrecvfrom() function, 434

Rrecv () function, 434

Rsend() function, 434

Rsendmsg() function, 434

Rsendto() function, 434

Rwrite() function, 434

scanf() function, 136, 142, 146, 152

setpriority() function, 206, 333

setrlimit() function, 316

snprintf() function, 81, 145, 149, 153

socket() function, 333

socketpair() function, 333

sprintf() function, 81, 129, 136, 142, 144-145, 152

sscanf() function, 142, 146, 152

stat() function, 220

stderr function, 315

stdin function, 315

stdio function, 132

stdout function, 315

strcadd() function, 149, 153

strcat() function, 132, 137, 142, 144, 152

strccpy() function, 149, 153

strcpy() function, 77, 80, 128, 136, 141-143, 149, 152, 166, 168

streadd() function, 143, 146, 152

strecpy() function, 142-144, 146, 152

strlen() function, 143

strncat() function, 144

strncpy() function, 81, 143, 148, 153, 184

strtrns() function, 143, 147, 152

SUM() function, 392

symlink() function, 222, 333

syscall() function, 333

syslog() function, 148, 152

sysopen() function, 334

system() function, 206, 319-321, 332

test() function, 160, 161, 163

truncate() function, 333

unlink() function, 222, 224-226, 333

unmask() function, 333

unmount() function, 222

unsetenv() function, 319

utime() function, 197, 222

vfscanf() function, 143, 146, 152

vscanf() function, 143, 152

vsprintf() function, 142, 144, 152

vsscanf() function, 143, 152

FUZZ (program), 50

Gambling programs, 238-241

Game software, 397-398, 413-315

Garbage

collection, 253

input validation and, 330

trust management and, 314

Geiger counters, electronic, 243

generate_raw_response() function, 375

Genetics, 66

Germany, 46, 71. See also Europe

getc() function, 148, 153

getchar() function, 148, 153

getenv() function, 132, 149, 319

geteuid() function, 198, 223

getopt() function, 148, 153

getopt_long() function, 153

getpass() function, 147, 153

getrlimit() function, 316

gets() function, 136, 141-142, 148, 152

getuid() function, 198

GIDs (group IDs), 187-190, 196, 198

input validation and, 333

race conditions and, 222, 224

trust management and, 311, 317

Gilliam, Terry, 381

Global Identifier, 21

glob() function, 332

GNU

debuggers, 179

Mailman, 84-85

GNU C compilers, 150

Goals

project, 25-27, 40-41

security, 18-24, 40-41

Goldberg, Ian, 254

Government(s). See also Legislation

export laws, 271

intelligence secrets, 21

security clearance systems, 100-101

tracking systems, which degrade privacy, 20

U.S. Congress, 463

U.S. Department of Commerce, 449

U.S. Department of Defense, 43-44

U.S. Federal Bureau of Investigation, 18, 110

U.S. National Security Agency, 43, 448, 449

U.S. Securities and Exchange Commission, 19

GRANT command, 383-385

GUIs (graphical user interfaces), 55, 127, 240

Gutmann, Peter, 225, 246, 272, 400, 414

Hacker(s). See also Malicious hackers

open-source software and, 81-82

and the principle of full disclosure, 7, 27, 81-82

use of the term, 3-5

Hamlet, Dick, 15

Handsard (Disraeli), 397

Hanssen, Richard P., 110-111

Hardware

client-side security and, 414

solutions for entropy gathering, 242-245

Hash(es). See also Hashing algorithms

additional uses for, 295-297

basic description of, 441

cryptography libraries and, 272, 276, 278

database security and, 387-391

functions, 256-258, 457-462

passwords authentication and, 336-337, 350, 367

Hashing algorithms. See also Hashes; specific algorithms

basic description of, 286-287, 457-462

recommended types of, 461-462

Header files, 279-280

Heap(s)

allocation, 154

overflows, 139-140, 150, 155-159

Herd, following the, 111-112

Hiding secrets, difficulties involved with, 109-111

Hijacking attacks, 57, 63

basic description of, 26

passwords authentication and, 366

promoting privacy as a defense against, 107

HMAC (Hash Message Authentication Code), 270, 273, 274, 277, 278, 294-295. See also Hashes; Hashing algorithms

Hollebeek, Tim, 71

hostname command, 412

HP/UX, 217

HTML (HyperText Markup Language),

Errata

Click below for Errata related to this title.