Great Circle Associates Firewalls
(November 1994)


Subject: Re: Secure Programming Techniques
From: patrick @ oes . amdahl . com (Patrick Horgan)
Date: Fri, 11 Nov 1994 09:50:37 +0800
To: jeromie @ mmp . com, matt @ uts . EDU . AU
Cc: firewalls @ greatcircle . com

> From: matt @ uts . EDU . AU (Jas (Matthew K))
> Subject: Re: Secure Programming Techniques
>
> Jeromie,
> 	C in and of itself is neither secure nor insecure. What makes "C
> programming" (in)secure is a combination of the OS you are running and the
> libraries you use to do things within that OS.

Matt, this certainly wasn't very helpful; if there weren't insecure C programming
techniques, how happy we would all be :)  What about avoiding the use of
system and popen in setuid applications (or at least making sure you push
an intelligent PATH and IFS into the environment first)?  If you have to
use system or popen and the string you use is derived from user input, how
about scanning for the first ';' and replacing it with '\0'?  What about making
sure that you guard against fixed size buffers being overwritten by user input?
I could go on and on.

I'd also be curious about whether anyone's collected all these wisdoms in
one place.  If you know of good C/C++ programming techniques for a secure
environment (which would also be the things to look for in evaluating
software to live on your firewall), please send them to me; I'll summarize,
and make sure that the information is available somewhere.  Perhaps the ftp site would be an appropriate place.


     These opinions are mine, and not Amdahl's (except by coincidence;).

    ~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~  
  /                        |                           | (\               \
 |  Patrick J. Horgan      |  Amdahl Corporation       |  \\    Have       |
 |  patrick @ oes . amdahl . com |  1250 East Arques Avenue  |   \\  _ Sword     |
 |  Phone : (408)992-2779  |  P.O. Box 3470 M/S 316    |    \\/    Will    |
 |  FAX   : (408)773-0833  |  Sunnyvale, CA 94088-3470 |   _/\\     Travel |
  \                        |  O16-2294                 |      \)          /
   ~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
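
Added example, not part of the original post: a popen-style helper for a privileged C program that touches each point raised above by running the command without a shell, handing it a fixed PATH and IFS, and capturing output into a caller-sized buffer. It goes one step further than filtering the string, since the user input travels as a single argv element. The names `run_capture` and `SAFE_ENV` are hypothetical, and `/bin/echo` in the usage comment is only an assumed test program.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };

/* Run prog (absolute path) with one untrusted argument and no shell.
 * Stores at most outlen-1 bytes of its stdout in out, always NUL-terminated.
 * Returns the child's exit status, or -1 on error.
 * Usage (assumed program): run_capture("/bin/echo", input, buf, sizeof buf) */
int run_capture(const char *prog, const char *user_arg, char *out, size_t outlen)
{
    int fds[2], status;
    char tmp[256];
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (prog == NULL || prog[0] != '/' || user_arg == NULL || outlen == 0)
        return -1;                    /* refuse PATH-relative program names */
    if (pipe(fds) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                   /* child: stdout goes to the pipe */
        char *const argv[] = { (char *)prog, (char *)user_arg, NULL };
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);
        execve(prog, argv, SAFE_ENV); /* user_arg is one argv slot, never parsed */
        _exit(127);
    }
    close(fds[1]);
    /* Bounded copy: store only what fits, but keep draining the pipe. */
    while ((n = read(fds[0], tmp, sizeof tmp)) > 0) {
        size_t room = outlen - 1 - used;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(out + used, tmp, take);
        used += take;
    }
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

An argument that begins with `-` can still be read as an option by the program being run, so validate it or place it after `--` where the program supports that.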
