Saturday, November 17, 2007

"Some thoughts on security after ten years of qmail 1.0"

There's a paper "Some thoughts on security after ten years of qmail 1.0" written by qmail's author, Daniel J. Bernstein. (I found it though Bruce Schneier's weblog). The paper is well worth reading because Daniel is extremely security-conscious. As he says:

In March 1997, I took the unusual step of publicly offering $500 to the first person to publish a verifiable security hole in the latest version of qmail: for example, a way for a user to exploit qmail to take over another account. My offer still stands. Nobody has found any security holes in qmail. I hereby increase the offer to $1000.
He actually gives lots of practical advice on how to make your code more secure: security holes are bugs, so you should strive to eliminate bugs in general. Also, you should strive to eliminate code (as number of bugs is usually proportional to number of bugs). Finally, you should minimize the amount of trusted code and have all untrusted code run in a sandbox (using his words, a "prison").

Now, to reflect a bit on sandboxing myself from a Java point of view, Java is fortunately quite well suited for minimizing trusted code. When you run a Java program under a security manager, code gains privileges based on where it came from, and the privileges of the current stack frame are the intersection of privileges of its code and all of its callers down the call stack.
There's a facility for privileged execution, SecurityController.doPrivileged(), where the code within the privileged block will run with full set of its own privileges, and not get narrowed down further with security restrictions placed on its callers. It can be a dangerous feature, and must be used judiciously lest you create an exploit vector through it. I.e. if your code accepts a file path from its callers, reads the file in a privileged block, and returns the file content to the caller, then a caller can potentially exploit this to gain access to contents of files it would otherwise not be able to see.
I'm actually quite conscious to enable easy integration with Java security manager in software I write - you will find a PolicySecurityController class in Rhino, as well as a SecureTemplateLoader in FreeMarker, both allowing running JavaScript code or FreeMarker templates, respectively, with their own set of privileges defined in the effective JVM-wide security policy based on where they're loaded from or whether they're digitally signed (same aspects are used to assign privileges to Java code). FreeMarker also uses SecurityController.doPrivileged() in few places judiciously.

Anyway, back to Daneil's paper: there's a wealth of food-for-thought for any practicing software developer: how we often sacrifice security for speed, how hidden data flow (global variables and singletons, people!) leads to security issues, and how this can be fixed by further decoupling of components with explicit narrow communication (i.e. message passing across processes), and so on.
A section entitled "Avoiding parsing" also speaks very closely to my heart.
So, recommended reading.

No comments: