Secure Programmer: Keep an Eye on Inputs

An anonymous reader writes "This article discusses various ways data gets into your program, emphasizing how to deal appropriately with them; you might not even know about them all! It first discusses how to design your program to limit the ways data can get into your program, and how your design influences what is an input. It then discusses various input channels and what to do about them, including environment variables, files, file descriptors, the command line, the graphical user interface (GUI), network data, and miscellaneous inputs."

If you input ever displays as HTML

You'd be wise to add Cross Site Scripting attacks to your list of things to protect against.

Re:If you input ever displays as HTML

[borkus]

A big issue for many web programmers is failure to realize that forms and web interfaces that you provide the user aren't the only way to interact with your application. A lot of them pay attention to JavaScript validation and maxlength attributes rather than check the data on the server.

New developers working on applications open to the internet often aren't used to developing in an evironment where programmers that don't work for their employer can access their app. All it takes for one dishonet person who knows slightly more than you to hack your app.

And code reviews, code reviews, code reviews

[Brahmastra]

I believe code reviews with a large enough group of people to be extremely useful. Yeah, it takes time and you get some irritating comments from a few people about how there is a space between something or comma between something, but when multiple eyes look at it, someone always catches something you didn't. A few hours of extra pain on the side of programmers can prevent pain for millions in the form of blaster viruses, etc.

The more things change....

[billstewart]

One of the first lessons we learned in CS100 was to always validate the input, assuming that it might be bogus or actively malicious. I've been appalled over the last 25 years at the number of products, developers, and companies that don't understand that. Most of the internet security problems we've seen have been from inadequate handling of input data, typically the buffer overruns that are so easy to program in C if you're not paying attention.

The article's worth reading, and really does justify it's "Level: Intermediate" label. Unlike when I was learning to program, there are lots of sources of input beyond your deck of punch cards (:-), and the author does a good job of explaining many of them, such as evil things that environment variables and file descriptors can be used for.

Re:The more things change....

[agslashdot]

While I agree with you from a theoretical standpoint, I'm sure you are aware why things like this get overlooked in day-to-day corporate IT programming tasks.
eg. Manager says, write a UI that accepts username & account, and then spits out user transactions . During design phase, you invariably make the code hack-able so its easy to test. ie. I could put in "*" for account and it would spit out transactions of ALL users, regardless of the username. This is a useful backdoor, especially in development time when your UI has to interact with somebody else's data repository in some compplicated fashion.
Ofcourse, its a given that the input validation logic must be modified and backdoor must be taken out when the UI is actually deployed. But corporate practices being what they are, someone else takes ownership of the code at that stage, and either doesn't understand the "star-feature" ( *) , or thinks its cool to have this in case of emergency debugging, so leaves it there. Soon, this stupid program that should have been running standalone on someone's box, gets a facelift and is shoved on the internet. Some cracker comes along and puts in a star for account & gets all the transactions, & pretty soon, register.co.uk gets wind of this and reports it on front page. by then, original programmer has moved on to some other task, requiring a new back-door :)

Re:The more things change....

[fermion]

And the second thing I learned was to do things once and do it right. This means that input should happen in one place, the function should make sure the input will fit in the allocated space and contain only the proper data, and may even take an argument for the maximum size the calling fuction expects.

What amazes me is that people try to optimize thier code by carefully minimizes thier input fuction. It is input. Input is slow. Go somewhere else to optimize. Create a good input fuction and leave it alone.

The third thing I learned was to write a good validitating layer for memory allocation in C. Used as debug tool, it discover all most of the little memory problems that inevitable creep into C, as well as some buffer overflows. I know people bitch about how screwed up C is, but with the proper debug tools I had few problems.

Re:Windows & Belkin

[AuMatar]

There are no controls on Windows inputs. Any process can send any message to any other process. Talk about insecure.

You could probably majorly screw up a progoram by sending it random message numbers. It'd react as if you were sending random menu and other commands. Hmm, that sounds like a fun prank to play...

Murphy's Law strikes again.

[Dr.+Bent]

It is a widely accepted engineering maxim that systems should be designed so that it is difficult to use them improperly. This is why (for example) a 110 volt plug will not fit in a 220 volt outlet. Developers who are concerned about the quality of the software they make would do well to follow this rule, and not just for security reasons. You should verify input data as early and as rigorously as possible wherever you can. Take advantage of things like XML validation and text box constraints to make it hard for users to enter bad data. And always follow the Fail-Fast principle...if something goes wrong: Complain! Loudly!. Don't let the user continue working if something has gone wrong. It's better to crash than to produce an erronous result.

Just a little advice from a developer who's made enough mistakes to know better.

Re:Murphy's Law strikes again.

[Tim+C]

Take advantage of things like... ext box constraints to make it hard for users to enter bad data

That's good and necessary advice, but it's not sufficient, depending on your environment. If you're programming for the web, then you absolutely cannot rely on such things. Of course you should always set such constraints in the HTML where possible, but you *still* have to validate the inputs fully in your code.

In case the reason why isn't obvious, it's because URLs are very easy to hand craft. There's no way you can stop me from sending 500 chars of data as the value of a field that you thought you'd constrained to be 10 chars. Even if you treat POST and GET differently, I can just whip up a little app to do POSTs for me if I'm so inclined.

Front-end constraints and sanity checking (eg javascript that checks to make sure that all required fields have a value before submitting the form) are an invaluable part of the user experience, but they're no substitute for securely written code. The two things serve entirely different purposes.

More generally speaking, you should santiy-check all input data, at all stages in the code.

Re:Murphy's Law strikes again.

[Rich0]

Keep in mind that the 110 and 220 plugs are designed to defeat accidental mixups. Computer input validation is generally designed to do the same. Hardening software against an attack is more analagous to giving your engineer the task of designing a plug and outlet such that it is physically impossible to plug anything but that one particular plug into the outlet, with the understanding that somebody with a good knowledge of engineering will try to defeat the design.

Software is required to do a lot more than any physical security measure in existance. Your webserver could come under attack by any electronic measures that you could conceive of by a host of trained software engineers in another country. Chances are that the most a bank vault is designed to handle is a dozen guys with small arms, rudimentary safe-cracking gear, and some small explosives. If the US Army showed up with an M1 tank and 1000 tons of C4, the safe wouldn't last long. However, such a large-scale intrusion is unlikely to escape the watch of the police for long. On the other hand, a remote attack against a webserver can run for months without much being done to the attackers if they're in a rogue nation.

hardly surprised that we have to go through this..

[hotrodman]

And why should anyone be surprised? In this age of "I read a book on VB last week and now I'm a software engineer!" type environment?
I am not surprised that simple things like this are rehashed over and over. This is more suited to the programmer group of people who will sort data based on string comparisons, instead of learning how to use a real algorithm to do it, or keep writing static forms, instead of learning how to use a loop with a db backend - because they don't understand true programming concepts. In other words, about 80% of the current crop of overpaid, undereducated programmers that built corporate apps.

- Eric

What seems obvious to some...

[Slick_Snake]

Is news to others. Many "Programmers" out there write code that does not do any error checking or catching and the result is all the crapware that we see today. We were all warned in our programming classes about memory leaks and buffer overflows, but they are still very prevalent in today's software. Perhaps we should all look harder at our code before selling off one it as a final product.

Very good writer!

Another excellent article by David... oddly enough, I was reading his Program Library HOWTO (http://www.dwheeler.com/program-library/) just the other day to learn about dynamic loading libraries in Linux.

This was well documented in the 1970's

[pcause]

The Kernighan & Plauger book "Elements of Programming Style" dated 1979 talked extensively about the need to validate all inputs to subroutines and from the user. This is *not* new, it is just that few programmers have the discipline to follow the rules.

The issue is making *no* assumptions about anything. The programmer *thinks* the file will be written be another piece of code that a team member is writing. But that program has a bug. or three years from now, other programs are creating the file and don't know abut some verbal discussion about field data. It takes great dligence and paranoia and management that allows you the time in the schedule to do this.

What about BIOS? Do you have to trust something?

[G4from128k]

Somewhere along the line every application must trust something. At the very least, BIOS settings and environment variables that are owned by deeper layers of the OS must be trusted because they are inaccessible or indecipherable at the application layer. Reaching too far would break encapsulation and create brittle dependencies. An application can only check the variables and direct inputs that it has access to.

I don't argue against validating inputs. Certainly all of the direct inputs to an application should be assumed to be untrustworthy unless a secure checksum validates that the inputs are indentical to some previously validated inputs. Checking inputs (or environmental variables) of immediately adjacent processes is probably also warranted (as a redundant "brother's keeper" policy).

The real problem comes if the OS has a faulty validation methods. (And I won't get into the neccessity of trusting the hardware or bugs such as those that plagued the early Intel 586.00001 processors) If I check the validity of a user, filename, or geographically localized data format (e.g., a date), then my application is dependent on the quality of the OS's validator (and a lack of intervening malware).

Re:Keep an eye on buffer overruns

[jilles]

No buffer overflows come from using flawed 1970's technology. Modern computer languages are immune to the worlds largest security problem: (i.e. buffer overflows) because they do something automatically that C programmers are supposed to do manually.

Eliminate the buffer overflow and malicious input becomes invalid data which can be dealt with in a controlled fashion rather than executable gibberish.

Re:No inputs = useless?

[sir99]

Your examples don't take user input, but most of them do take input of a different sort. The point of the article was that input can come from unexpected sources like environment variables, and that an attacker can sometimes subvert these inputs. The cpu meter, bg, fg, ps, top, logout, and clock programs all take input, in the form of system and library calls. Some of them also read input from configuration files.

OK, what do you do when you validate it?

[Latent+Heat]

Yes, I am a believer in defensive programming, but I am not sure that defensive programming is the golden hammer. Verity Stob made a remark about taking a sick program and filling it with try-catch blocks to try to recover from every possible error condition -- I believe she called it "nailing a corpse on a tree" or some such thing. And her other remark was "the only place we seem to get exceptions is in destructors, so what's the point?" That had me on the ground in tears of laughter because destructors (freeing up resource in the right order) is one of the hardest things to get right.

Ok, every last subroutine validates every last input. Then what do you do? Suppose an input is invalid -- do you halt? Throw and exception? Patch the input and keep going? Keep going but make an entry in a log file?

It is excellent policy to be ultra paranoid about user input and to put "firewalls" between major program modules. But for every last subroutine to have its own error checks -- what if you have a top level subroutine that performs error checks and than passes validated results to helper subroutines? Do the helper subroutines need to repeat the checks?

I think there has to be some analysis of the data flows and designation of raw and filtered data flows, who does the filtering, and what assumptions or assertions can be made about filtered flows, and assignment of responsibility to do the checking.

In summary 1) defensive programming is not a substitute for good overall design, 2) there is a place for delegating responsibility for error checking and not chronically worrying about checked data.

Re:Windows & Belkin

There are no controls on Windows inputs. Any process can send any message to any other process.

Well, not quite. There are ways of isolating programs, but it's very rarely useful. (In fact, I've never done it, but I know it's possible.)

But why bother with all that when you can just install a system-wide hook? It's quite easy to actually inject code into another process. Once you've got that you can muck with data or intercept system calls to your heart's delight.

What it comes down to is that if you don't want a user to be able to screw up a machine, don't let them install applications and don't give them write access to critical bits of the machine. Untrusted programs should be quarantined.

You could probably majorly screw up a progoram by sending it random message numbers. It'd react as if you were sending random menu and other commands.

If you can mess up a program doing that then you've got bigger problems. If the user can crash it then what difference does it make than an external program can as well? It can be crashed, deliberately if given the opportunity.

Re:Problem: Hacker Languages

[BattleTroll]

"But almost nothing else should be written in C/C++"

What world are you living in? Blaming poor technique on the tool used is moronic. There are ample examples of poorly written, poorly secured Java code the invalidate all of the premises in this rant. I've seen hard coded passwords baked into java source that were visible through a 'strings' call. Someone forgets to obfuscate his or her classes, and the entire structure of the program is available through a reverse compiler. Sure, the JVM protects one from buffer overruns and the like but don't for one minute think that programming in Java prevents stupid errors from exposing you to vulnerabilities.

Not to mention there are areas where java is not the silver-bullet you describe. If you need precise control over your memory allocation, java is not the tool to use. If your application requires precise timing, java is not the tool to use. Need to control over the placement of allocated memory? Writing your own transport layer? Need hooks into the kernel?

The prime directive still holds true - use the correct tool for the job at hand. Follow the lemmings of "this tool is the only one you need" at your peril.

Re:Have a no-front-end-checking mode

[sjames]

That's a good point. I have seen developers mistake javascript for sufficient input validation. The proper use of validation in javascript is to simply give a legitimate user a proper error message quickly without actually needint to perform a transaction with the server that will fail. The server must still re-validate the input.

Re:Problem: Hacker Languages

But almost nothing else should be written in C/C++.

Write a kernel in Java. Write drivers in Java. Write init in Java. Then you can say that.