Friday, December 4, 2009

Appendix A: Example EFT/ECT Document

Hypertext Transfer Protocol Server EFT/ECT

Prepared by Eric Knight

1.0 Description

This document covers the introduction of new faults and their prospective consequences in the implementation of a simple Hypertext Transfer Protocol (HTTP) server. It covers only the effects of the server itself, not the influences that other components have upon it.

2.0 Environment Fault Taxonomy

This section of the document outlines the possible faults that implementing this system will introduce into the host environment. The presented taxonomy of problems affects only this system and does not document the environment it will be deployed in.

2.1 Coding Faults

This section describes the new faults that need to be documented, based on the coded security changes that exist in the new system.

2.1.1 Failure to Change Root

Should the change root function fail for any reason, the system that the software is implemented in will lose integrity.

2.1.2 Failure To Log Activity

If the system fails to log activities, the system that the software is implemented in will lose integrity.

2.2 Eminent Faults

This section describes new faults that need to be documented, based on long-term usage of the new system.

2.2.1 Performance Failure

If the software cannot perform according to the accepted workload, the system the software is implemented in will lose integrity.

2.2.2 Preventive Maintenance

The log files of the software must be routinely examined if the security measures implemented are to be of any use.

3.0 Environment Consequence Taxonomy

This section of the document outlines three possible security consequences of implementing this system: reading of a specific restricted file, one time execution of code, and bypassing of logs. These consequences detail the potential hazards of using this software on any environment.

3.1 Reading of a specific restricted file

The potential exists for files to be read that are not expected to be accessed, known, or discovered by specific individuals. The system does not provide access controls, so everyone on the system is vulnerable to being attacked in this way. A control was implemented that prevents this consequence from being labeled as "reading of any file", based on two security measures: the software does not run with root privilege, and the "change root" function was implemented to prevent access outside of the web software's execution space.
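As an added illustration, not part of this document or of the server it describes, the following C routine carries out the two controls named above (no root privilege and "change root") with every step checked, so that a failed change root (fault 2.1.1) stops the server instead of leaving it outside its jail. The function name enter_jail and the uid/gid values in the comments are assumptions.

```c
/* Added example: privilege drop and change root with full error checking. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the jail rooted at `root` and become the unprivileged `uid`/`gid`.
 * Returns 0 on success and -1 on any failure; on -1 the caller must exit
 * rather than start serving requests (fault 2.1.1 must not be silent). */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {             /* section 3.1: never serve as root */
        fprintf(stderr, "refusing to run as root\n");
        return -1;
    }
    if (chdir(root) != 0) {                 /* chdir first so "." is inside the jail */
        fprintf(stderr, "chdir(%s): %s\n", root, strerror(errno));
        return -1;
    }
    if (chroot(root) != 0) {                /* fault 2.1.1: the change root failed */
        fprintf(stderr, "chroot(%s): %s\n", root, strerror(errno));
        return -1;
    }
    /* Drop supplementary groups and the gid before the uid; once the uid is
     * unprivileged, setgroups() and setgid() would be refused. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) {
        fprintf(stderr, "privilege drop: %s\n", strerror(errno));
        return -1;
    }
    /* Post-conditions: the ids took effect and root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    if (setuid(0) == 0) {                   /* must fail; success means the drop did not stick */
        fprintf(stderr, "privilege drop did not stick\n");
        return -1;
    }
    return 0;
}
```

A server that calls enter_jail() and continues on -1 has exactly the fault described in 2.1.1; the return value must abort startup.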

3.2 One Time Execution of Code

The CGI interface in the server allows a program to execute a single time. If the logic in the CGI interface breaks, it is possible to run an arbitrary command on the host. Process ownership and the change root directory function limit the effect of this command.

3.3 Bypassing of Logs

Due to the nature of the "change root" implementation, the logs may be tampered with if the program logic were interrupted. Also, it is possible that the logging mechanisms may be bypassed by poorly written code.
