[sf-lug] Prince Ciao & Master Sun

Rick Moen rick at linuxmafia.com
Sun Jul 22 21:29:14 PDT 2007 

Quoting Alex Kleider (a_kleider at yahoo.com):

> Rick: I read the content of
> http://www.ranum.com/security/computer_security/editorials/master-tzu/
> per your recommendation. It's cleverly written and it does make the
> point that not exposing oneself is the best approach. I didn't find
> that there were any useful suggestions in the context of our
> discussions.

True.

There's a story about Ptolemy I, the ruler of Egypt in Hellenistic times,
having hired Euclid as his tutor.  Ptolemy tried ordering Euclid to find
some faster and easier way to teach him mathematics than using Euclid's
famous book _The Elements_ as a textbook.  Euclid replied: "There's no
royal road to geometry."

We have the advantage over Ptolemy of 2300 year of further experience. 
Further, books are a whole lot more convenient to read than scrolls.
As mentioned, you could do a whole lot worse than starting with Cheswick 
and Bellovin's book.  Ranum's Web page is just a little essay that he
wrote in response to encountering a bit too much computer-security
bullshit.  ;->  As I said, the point of Ranum's essay as a starting
point is to put you in the right frame of mind.

> "Don't use crappy software" certainly sounds like good advice but not
> being (yet?) able to write software of my own, I can only hope that
> something coming from Debian (substitute your favorite distro) is as
> safe as it can be.

Oh dear me, no.  As I just got through saying, I got bitten in early
2005 when my Web server was defaced because I credulously assumed that
Debian's AWstats package must be "as safe as it can be".  It's not --
even though a different configuration of AWstats, not used by the Debian
package, would have been.  As I believe I was just saying, and am quite
sure I said in my Lupper analysis (alluded to earlier), the problem is
lack of input validation.

Now, you might wonder, why does a Web-statistics package need input
validation?  Good question.  The default operating mode of AWstats,
which is a Perl script, is as a Web CGI process.  In that operating
mode, AWstats is obliged to parse the URL fed to it by the remote user 
who is seeking to view Web-site statistics via his/her Web browser.

If you're the author of a network-oriented software package, you need to
take great care to validate (or "sanitise") any data received from
public networks, to make sure it cannot call unplanned local processes,
or overflow buffers, or pass unplanned commands to SQL databases via
encoding tricks, and so on.  You cannot assume that a URL, for instance, 
will not be deliberately misshapen in order to cause havoc -- especially
not on the public Internet.

It happens that the Perl language has long included an excellent tool
for dealing with that problem, called taint mode ("-T" flag -- see
http://search.cpan.org/~nwclark/perl-5.8.8/pod/perlsec.pod).  When
running in taint mode, the Perl interpreter will treat any data
originating from outside the program as dangerous, and oblige you to 
"launder" it through vetting technique such as matching substrings in
the untrusted input against hash tables of known-OK possible values, and
using the matched values instead.

The author of AWstats takes no such precautions, and just blithely 
use public data (parsed from the URL, when running in CGI mode) directly
in the program without checking -- which means that the program will
remain a hopeless basket case (in that operating mode) permanently,
suffering an endless string of security compromises, unless and until
the author rewrites its fundamental code.  Which doesn't seem likely.

Now, Debian _could_ package the program differently, so that it runs as
a cronjob to generate static pages, which consequently would no longer
require CGI processing of the URL.  Back in '05, I did file a bug
against the package, making that suggestion -- but I don't think the
package maintainer did so.


So, no, you cannot safely assume that your distro will not offer unsafe
software.  Unfortunately, they often do -- though as my Lupper analysis
points out, they tend to omit most of the worst examples.

Like Ptolemy, you have little option but to try to learn some of the
fundamentals, so you can spot trouble on your own.  In your shoes,
that's what I'd do.  In fact, in your shoes, that's what I did.

> So again, thanks for your input (which I am slowly processing- there
> is a lot there to process!)

You're most welcome!

-- 
Cheers,                Re-elect Gore in '08.
Rick Moen              http://www.hyperorg.com/blogger/misc/gorespeech.html
rick at linuxmafia.com

More information about the sf-lug mailing list