Re: A "straw man" vulnerability auditing checklist

From: Antonomasia (antat_private)
Date: Thu Dec 05 2002 - 16:03:49 PST


    From: "Steven M. Christey" <coleyat_private>
    
    > Dana Epp asked:
    > 
    > >Would anyone like to share the sort of materials that resulted from
    > >education in their workplace? Anyone interested in sharing generic
    > >security tests they may have developed? Guidelines for code audits and
    > >reviews (past Fagan-style type inspection)?
    
    > This list is quite incomplete, as reflected in the version number and
    
    It's quite handy but could do with an example in each section.  Some faults
    could be categorised in a number of ways and it's hard to be sure the
    same fault doesn't appear twice under a different title.  Also the list of
    titles may not help much - does
        "3e. Missing/repeated/extra separator or delimiter"
    mean things like a PGP 2 fingerprint having different interpretations
    depending on key size ?
    
    
    
    > 3. Syntax/grammar violation
    
    Inadequate recognition of side-effects.
    
     
    > Process/Command Execution
    > -------------------------
    > 
    > 11. Shell metacharacters
    > 
    > 12. Malicious search path execution (search path can be modified by
    >     untrusted user to point to malicious program, e.g. UNIX PATH
    >     environment variable)
    
    IFS, LD_*, MALLOC_CHECK_ ...
    
    odd resource limits, CWD - perhaps aimed at the large subject of
    Unchecked Return Codes
    
    resource-related failures like process slots/E2BIG  => execve() failed
    but program proceeds in incorrect state
    
    
    > 19. Information Leak
    
    unknown usernames being logged
    
    
    > 54. Insufficient Randomness
    
    entropy doses added to a pool are too small
    
    
    >   24a. Signal handler race condition
    
    TOCTOU - signal sent to wrong process because of termination and PID reuse.
    What I'd like to see is one of:
        1) PIDs lockable while you test (and perhaps signal) them
        2) PIDs not promptly reused
           (These ideas might involve per-user quotas on number or rate.)
    If either of these exists and I'm unaware of it clobber me with APUE or
    something.
    
    The best I know how to do now is:
        1) Try to get the parent to do the killing.
           (The parent can get to know about termination through SIGCHLD.)
           (Instead of getting the correct PID and root access the problem now
            mostly consists of communicating with the parent.)
        2) Be non-root - send the signal from the same UID as the target process.
           (You might have to vary this if the other process is hostile and might
            try to kill you.)
    
    Code for this is shown - what do people think ?
    
    
    #!/usr/bin/perl -w
    
    use IO::Handle;
    use Fcntl;
    
    # This is a wrapper to apply to services where termination
    # is to be delegated to other users.
    #
    # The service starts and writes a file to $startfile.  It
    # treats the presence of a file with the same name in the
    # $stop_signs directory as an indication it should stop.
    # Write permission to that directory can easily be given to
    # a number of user accounts without the need for setuid code
    # to run kill(2) or the opportunity to kill processes outside
    # this scheme.
    #
    # I envisage the filemodes like this.
    #  drwxr-xr-x   5 donut   donut   3072 Nov 12 08:48 /opt/donut
    #  drwxr-xr-x   2 donut   donut   3072 Nov 12 08:48 /opt/donut/are_go
    #  drwxrwxr-x   2 donut   donut   3072 Nov 12 08:48 /opt/donut/stop_signs
    # The donut account will clear out old files from these periodically
    # by other means such as cron.
    # 
    # This is vulnerable to disruptive behaviour by the users who have write
    # permission to the $stop_signs directory.  You might combine this with
    # logging via a setgid program that writes the entries to $stop_signs.
    
    # definitions of control directories
    #
    $appdir="/opt/donut";
    $are_go="$appdir/are_go";
    $stop_signs="$appdir/stop_signs";
    
    $tmpfile=sprintf("%d_%04d_%d", scalar time, rand(1000), $$);
    $startfile=sprintf("%s/%s", $are_go, $tmpfile);
    $stopfile=sprintf("%s/%s", $stop_signs, $tmpfile);
    
    # create a file to enroll the process in this scheme
    #
    sysopen (FH,"$startfile",O_RDWR|O_CREAT|O_EXCL,0644)
        or die("open $startfile $!");
    # $startfile has adequate uniqueness for a directory writable by only owner.
    
    $ppid=$$;
    if ($pid = fork) {
       # parent
       #  This parent will quit if the (only) child has quit.
       #  Might be expanded to start (and count) multiple child processes.
       local $SIG{CHLD}=sub{exit(0)};
       #
       if (0==kill(0,$pid)) {
          # child dead already ?
          exit(0);
       }
       $signum=15;
       for (;;) {
           if (-f "$stopfile") {
               kill($signum,$pid);
               $signum=9;  # in case we loop again
           }
           sleep(10);
       }
    } else {
       die("fork $!") if ($$ == $ppid);  # fork failed: still in the parent
       # Writing the PID to the file helps users who know the PID they want
       # to kill (perhaps from ps) and want to find the name of the right
       # control file.
       printf(FH "%d\n", $$);
       close(FH);
       # or whatever service you want to run ....
       exec("sar","5");
       die("exec $!");
    }
    
    -- 
    ##############################################################
    # Antonomasia   ant notatla.demon.co.uk                      #
    # See http://www.notatla.demon.co.uk/                        #
    ##############################################################
    
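The parent-does-the-killing approach from the post, as an added C example that is not the poster's code: a supervisor forks a stand-in child (it just waits for a signal instead of exec'ing a service), polls for a stop file whose path is supplied by the caller, and terminates the child it owns. The point it demonstrates is why this is race-free: the child's PID cannot be reused until the parent reaps it.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Fork a stand-in "service" (it only waits for a signal), then poll for the
 * stop file and terminate the child from the parent.  The parent is the
 * right process to do this: until it reaps the child with waitpid(), the
 * child's PID stays reserved (as a zombie at worst), so kill(pid, ...) cannot
 * hit an unrelated process that happened to get the recycled PID.
 * Returns the signal that ended the child, 0 on a normal exit, -1 on error. */
int supervise(const char *stopfile, int poll_ms)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        for (;;)            /* stand-in for exec() of the real service */
            pause();
    }

    int signum = SIGTERM;   /* escalate to SIGKILL if the child lingers */
    struct timespec delay = { poll_ms / 1000, (poll_ms % 1000) * 1000000L };
    for (;;) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)       /* child is gone and now reaped: PID free again */
            return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
        if (r < 0)
            return -1;
        struct stat st;
        if (stat(stopfile, &st) == 0) {     /* stop sign present */
            /* Safe even if the child died a moment ago: we have not reaped
             * it, so pid still names our child (a zombie accepts kill()). */
            if (kill(pid, signum) < 0)
                return -1;
            signum = SIGKILL;
        }
        nanosleep(&delay, NULL);
    }
}
```

On Linux 5.3 and later, pidfd_open(2) and pidfd_send_signal(2) give a descriptor bound to one specific process, which is the "lockable PID" the post asks for, and work even when the signaller is not the parent.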



    This archive was generated by hypermail 2b30 : Fri Dec 06 2002 - 10:17:04 PST