SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

In most computer systems in use today, the programs that run come from a variety of sources: the computer vendor, third-party vendors, open-source projects, consultants, and employees. In some cases source code is available, but more often it is not. These programs often implement services that are exposed to the general public, or listen on networks where not all participants are trusted. Program flaws such as buffer overflows, heap overflows, format-string bugs, and input validation bugs enable attacks on computing resources and subversion of control. It is difficult to see how data integrity or availability can be maintained in such an environment. To mitigate the risks associated with losing control of computer programs, system administrators can apply defenses intended to limit damage and alert staff to trouble as early as possible. This document examines several strategies for protecting programs from malicious input, so that in the worst case they abort processing rather than execute malicious code. Only host-based defenses are considered. Particular attention is paid to defenses appropriate to the Sun Solaris, Linux, and OpenBSD operating systems.