The underlying security model of the Unix operating system is brittle. The Unix security model—a privileged kernel, user processes, and the superuser who can perform any system management function—is certainly a workable framework. But it is a framework in which even minor bugs or implementation errors can be subverted by an attacker to provide him with system-wide control.

Most security flaws in Unix arise from bugs and design errors in programs that run as root or with other privileges, from SUID programs or network servers that are incorrectly configured, and from unanticipated interactions among such programs.

It is exceptionally important to use secure programming techniques when writing software that is used in a network server. By definition, servers receive connections and data from unknown and possibly hostile hosts on a network. Attackers are frequently able to use bugs in these programs as a point of entry into otherwise secure systems.

This chapter contains a collection of secure programming techniques that we have developed for use on Unix systems. Much of the emphasis is on writing secure servers using the C programming language. However, most of the concepts apply to any other language, including C++ and Java. If you are writing a web-based application, you may wish to review Chapter 16, Securing Web Applications, of our book Web Security, Privacy and Commerce (O’Reilly). That chapter discusses many additional issues that come ...