Writing Secure Privileged Programs 795
Even where a system call succeeds, it may be necessary to check its result. For
example, where it matters, a privileged program should check that a successful
open() has not returned one of the three standard file descriptors: 0, 1, or 2.
Finally, if a privileged program encounters an unexpected situation, then the
appropriate behavior is usually either to terminate or, in the case of a server, to
drop the client request. Attempting to fix unexpected problems typically requires
making assumptions that may not be justified in all circumstances and may lead to
the creation of security loopholes. In such situations, it is safer to have the program
terminate, or to have the server log a message and discard the client’s request.
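As an added example (not code from the book), here is one way to apply the two points above in C: make sure descriptors 0, 1, and 2 are open before doing anything else, check each open() result rather than trusting a non-negative return, and terminate instead of improvising when something unexpected happens. The function names ensure_std_fds() and safe_open() are assumed names for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Ensure descriptors 0, 1, and 2 are open. If the caller closed one of them
   before exec(), the program's next open() would be handed that number, and a
   later write to "stdout" or "stderr" would land in the newly opened file.
   Any closed standard descriptor is pointed at /dev/null instead.
   Returns 0 on success, -1 on error (errno set). */
int ensure_std_fds(void)
{
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                   /* already open */
        if (errno != EBADF)
            return -1;                  /* unexpected error: do not guess */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {                /* open() did not give us the slot we expected */
            close(nfd);
            errno = EBADF;
            return -1;
        }
    }
    return 0;
}

/* open() wrapper that also checks the result: refuse a "successful" open that
   returned 0, 1, or 2, since that means a standard descriptor was closed. */
int safe_open(const char *path, int flags, mode_t mode)
{
    int fd = open(path, flags, mode);
    if (fd == -1)
        return -1;
    if (fd <= 2) {
        close(fd);
        errno = EBADF;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Unexpected situation: terminate rather than attempt a repair. */
    if (ensure_std_fds() == -1) { perror("ensure_std_fds"); exit(EXIT_FAILURE); }
    int fd = safe_open("/dev/null", O_RDONLY, 0);
    if (fd == -1) { perror("safe_open"); exit(EXIT_FAILURE); }
    printf("got descriptor %d (greater than 2, as required)\n", fd);
    close(fd);
    return 0;
}
```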
38.12 Summary
Privileged programs have access to system resources that are not available to ordinary
users. If such programs can be subverted, then the security of the system can be
compromised. In this chapter, we presented a set of guidelines for writing privileged
programs. The aim of these guidelines is twofold: to minimize the chances of
a privileged program being subverted, and to minimize the damage that can be
done in the event that a privileged program is subverted.
Further information
[Viega & McGraw, 2002] covers a broad range of topics relating to the design and
implementation of secure software. General information about security on UNIX
systems, as well as a chapter on secure-programming techniques, can be found in
[Garfinkel et al., 2003]. Computer security is covered at some length in
[Bishop, 2005], and at even greater length by the same author in [Bishop, 2003].
[Peikari & Chuvakin, 2004] describes computer security with a focus on the various
means by which systems may be attacked. [Erickson, 2008] and [Anley, 2007] both
provide a thorough discussion of various security exploits, providing enough detail
for wise programmers to avoid these exploits. [Chen et al., 2002] is a paper
describing and analyzing the UNIX set-user-ID model. [Tsafrir et al., 2008] revises
and enhances the discussion of various points in [Chen et al., 2002]. [Drepper, 2009]
provides a wealth of tips on secure and defensive programming on Linux.
Several sources of information about writing secure programs are available
online, including the following:
- Matt Bishop has written a range of security-related papers, which are available
online at http://nob.cs.ucdavis.edu/~bishop/secprog. The most interesting of these is
“How to Write a Setuid Program” (originally published in ;login: 12(1), Jan/Feb
1986). Although somewhat dated, this paper contains a wealth of useful tips.
- The Secure Programming for Linux and Unix HOWTO, written by David Wheeler,
is available at http://www.dwheeler.com/secure-programs/.
- A useful checklist for writing set-user-ID programs is available online at
http://www.homeport.org/~adam/setuid.7.html.