Defensive programming is a form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software. The idea can be viewed as reducing or eliminating the prospect of Murphy's Law having effect. Defensive programming techniques come into their own when a piece of software could be misused, mischievously or inadvertently, to catastrophic effect.
Defensive programming is an approach to improve software and source code, in terms of:
- General quality - reducing the number of software bugs and problems.
- Making the source code comprehensible - the source code should be readable and understandable so it is approved in a code audit.
- Making the software behave in a predictable manner.
Secure Programming
Defensive programming is sometimes referred to as secure programming, because many software bugs can potentially be used by a cracker for code injection, a denial-of-service attack or another attack.
A difference between Defensive programming and normal practice is that nothing is assumed. All error states are accounted for and handled. In short, the programmer never assumes that a particular function call or library will work as advertised, and so handles failure in the code. An example follows:

    #include <string.h>

    int low_quality_programming(char *input)
    {
        char str[256];
        strcpy(str, input);   /* copy input: no check that it fits in 256 bytes */
        /* ... */
        return 0;
    }

The function will crash on very long input. Many mainstream programmers may not feel that this is a problem, because "no one would enter that long input!". A programmer practicing Defensive programming would not allow the bug, because if the application contains a known bug, Murphy's Law dictates that the bug will occur in use. In fact, this particular bug demonstrates a vulnerability which enables buffer overflow security exploits.
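As an added example, not from the original article, here is the same function rewritten so that the size of the buffer is checked before the copy; the names defensive_copy, defensive_programming and demo_length are invented here, and the inputs in main are constructed:

```c
/* Added example, not part of the original article. The helper names are
 * invented for illustration. */
#include <stdio.h>
#include <string.h>

#define STR_SIZE 256

/* Copies the NUL-terminated string `input` into `out` (capacity out_size)
 * only if it fits, terminator included. Never reads or writes beyond the
 * stated sizes. Returns 0 on success, -1 on NULL arguments or oversized
 * input. */
int defensive_copy(const char *input, char *out, size_t out_size)
{
    if (input == NULL || out == NULL || out_size == 0)
        return -1;
    /* Look for the terminator within the first out_size bytes only */
    const char *nul = memchr(input, '\0', out_size);
    if (nul == NULL)
        return -1;               /* does not fit: refuse rather than overflow */
    size_t len = (size_t)(nul - input);
    memcpy(out, input, len + 1); /* includes the terminating NUL */
    return 0;
}

/* The article's function with the precondition checked instead of assumed.
 * Returns the length of the accepted input, or -1 if it was rejected. */
int defensive_programming(const char *input)
{
    char str[STR_SIZE];
    if (defensive_copy(input, str, sizeof str) != 0)
        return -1;
    /* ... safe to work on str here ... */
    return (int)strlen(str);
}

/* Feeds a constructed n-byte run of 'A' (n < 1024) to defensive_programming,
 * to show the boundary at STR_SIZE - 1 characters. */
int demo_length(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return defensive_programming(buf);
}

int main(void)
{
    printf("255 chars -> %d\n", demo_length(255));   /* accepted: 255 */
    printf("256 chars -> %d\n", demo_length(256));   /* rejected: -1 */
    printf("300 chars -> %d\n", demo_length(300));   /* rejected: -1 */
    printf("NULL      -> %d\n", defensive_programming(NULL));
    return 0;
}
```

The point of the rewrite is that an input which would not fit is rejected with an error code the caller must handle, instead of being silently truncated or written past the end of the stack buffer; memchr is bounded by the buffer size, so even a non-terminated input cannot make the function scan indefinitely.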
Some Defensive programming techniques
Here are some hints on defensive programming techniques to avoid creating security problems and software bugs. Many of these techniques also improve the general quality of code.
Note that the techniques below are not sufficient to ensure security: see the articles computer insecurity and secure computing for more information.
Reduce source code complexity
Never make code more complex than necessary. Complexity breeds bugs, including security problems.
Source code reviews
Either leave the code available to everyone on the Net (see Free software or Open Source Definition), hire someone to perform a code audit, or conduct an inexpensive do-it-yourself security audit.
Software testing
Software testing should cover both whether the software works as intended and what is supposed to happen when deliberately bad input is supplied.
Testing tools can capture the keystrokes associated with normal operations; the captured keystroke strings can then be copied and edited to try out all permutations of combinations, and extended for later tests after any modifications. (Make sure that the people whose keystrokes are being captured are aware of this, and of its purpose, to avoid accusations of privacy violation.)
Intelligent source code re-use
If possible, reuse code instead of writing from scratch. The idea is to capture the benefits of well-written and well-tested source code instead of creating unnecessary bugs. However, re-using code is not always the best way forward.
The legacy problems
Before reusing old source code, libraries, APIs, configurations etc., consider whether the old work is valid for re-use or whether it is likely to be prone to the legacy problems.
Legacy problems are problems inherent when old designs are expected to work with today's requirements, especially when the old designs were not developed or tested with those requirements in mind. Many software products have experienced problems with old legacy source code, for example:
- Legacy code may not have been designed under a Defensive programming initiative, and might therefore be of much lower quality than newly designed source code.
- Legacy code may have been written and tested under conditions which no longer apply. The old quality assurance tests may have no validity any more. Example 1: legacy code may have been designed for ASCII input but now the input is UTF-8. Example 2: legacy code may have been compiled and tested on 32-bit architectures, but when compiled on 64-bit architectures new arithmetic problems may occur (e.g. invalid signedness tests, invalid type casts, etc.). Example 3: legacy code may have been targeted for offline machines, but becomes vulnerable once network connectivity is added.
- Legacy code is not written with new problems in mind. For example, source code written about 1990 is likely to be prone to many Code injection vulnerabilities, because most such problems were not widely understood at that time.
Notable examples of the legacy problem:
- BIND 9, presented by Paul Vixie and David Conrad as "BINDv9 is a complete rewrite", "Security was a key consideration in design" [1], naming security, robustness, scalability and new protocols as key concerns for rewriting old legacy code.
- Microsoft Windows suffered from "the" Windows Metafile vulnerability and other exploits related to the WMF format. The Microsoft Security Response Center describes the WMF features as "Around 1990, WMF support was added... This was a different time in the security landscape... were all completely trusted" *, meaning that the code was not developed under the security initiatives Microsoft later adopted.
- Oracle is combating legacy problems, such as old source code written without addressing SQL injection and privilege escalation, which have resulted in many security vulnerabilities that have taken time to fix and have sometimes received incomplete fixes. This has drawn heavy criticism from security experts such as David Litchfield, Alexander Kornbrust and Cesar Cerrudo (1,2,3). An additional criticism is that default installations (largely a legacy of old versions) are not aligned with Oracle's own security recommendations, such as the Oracle Database Security Checklist; this is hard to amend, as many applications require the less secure legacy settings to function correctly.
Secure Input / Output Handling
Managing input is a hard problem, which is detailed in Secure input and output handling.
Canonicalization
Crackers are likely to invent new kinds of representations of incorrect data. For example, if you check that a requested file is not "/etc/passwd", a cracker might pass another variant of this file name, like "/etc/./passwd".
To avoid bugs due to non-canonical input, employ canonicalization APIs.
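As an added example, not from the original article, the following C code shows why the literal comparison above is bypassed and how a canonicalisation step closes the gap. The functions canonicalize_path, naive_is_protected and is_protected_file are invented here; the canonicaliser is purely lexical, so it goes beyond the single "/etc/./passwd" case in the text by also handling repeated separators and ".." components, but it does not resolve symbolic links (on POSIX systems realpath(3) does that):

```c
/* Added example, not part of the original article; function names are
 * invented. A lexical canonicaliser makes a deny-list check robust against
 * path variants such as "/etc/./passwd". */
#include <stdio.h>
#include <string.h>

/* Rewrites an absolute POSIX path into canonical form: collapses repeated
 * separators, drops "." components, resolves ".." against the previous
 * component (never above "/"), and strips a trailing separator.
 * Purely lexical: symbolic links are not resolved (realpath(3) does that).
 * Returns 0 on success, -1 if the path is not absolute or `out` is too small. */
int canonicalize_path(const char *in, char *out, size_t out_size)
{
    if (in == NULL || out == NULL || out_size < 2 || in[0] != '/')
        return -1;
    size_t o = 0;
    out[o++] = '/';
    const char *p = in;
    while (*p != '\0') {
        while (*p == '/')
            p++;                                   /* skip one or more separators */
        if (*p == '\0')
            break;
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);
        if (seglen == 1 && seg[0] == '.')
            continue;                              /* "." is a no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (o > 1) {                           /* pop the previous component */
                o--;
                while (o > 1 && out[o - 1] != '/')
                    o--;
                if (o > 1)
                    o--;                           /* drop its separator, keep root */
            }
            continue;
        }
        if (out[o - 1] != '/') {                   /* separator before a new component */
            if (o + 1 >= out_size)
                return -1;
            out[o++] = '/';
        }
        if (o + seglen + 1 > out_size)             /* room for segment and NUL */
            return -1;
        memcpy(out + o, seg, seglen);
        o += seglen;
    }
    out[o] = '\0';
    return 0;
}

/* The check the article warns about: a literal comparison that variants slip past. */
int naive_is_protected(const char *requested)
{
    return strcmp(requested, "/etc/passwd") == 0;
}

/* Canonicalise first, then compare. Returns 1 if the request names the
 * protected file, 0 if not, and -1 if it could not be canonicalised; a
 * caller should treat -1 as a rejection (fail closed). */
int is_protected_file(const char *requested)
{
    char canon[256];
    if (canonicalize_path(requested, canon, sizeof canon) != 0)
        return -1;
    return strcmp(canon, "/etc/passwd") == 0;
}

int main(void)
{
    /* Constructed inputs: the article's variant plus two more */
    const char *samples[] = { "/etc/passwd", "/etc/./passwd", "/etc//passwd",
                              "/etc/foo/../passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s naive=%d canonical=%d\n", samples[i],
               naive_is_protected(samples[i]), is_protected_file(samples[i]));
    return 0;
}
```

The design choice worth noting is that a path which cannot be canonicalised is reported as an error rather than passed through, so the caller fails closed; a check that only recognises the exact spelling it was written against is the kind of "verify it is incorrect" test the techniques below advise against.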
Principle of least privilege
Employ the Principle of least privilege. Avoid having software run in a privileged mode if possible:
- Never make UNIX programs setuid unless you're really sure they are secure.
- Never make Windows programs run as Local System service unless you're really sure they are secure.
- Don't grant more permissions than necessary to large user groups or public/everyone.
- Don't grant more permissions than necessary to small user groups or specific users.
- Prefer granting permissions to small user groups or specific users, rather than granting permissions to large user groups or public/everyone. It is better if a few users have high permissions, rather than many users having high permissions.
Low tolerance against "potential" bugs
Assume that code constructs that appear to be problem-prone (similar to known vulnerabilities, etc.) are bad bugs and probably a security flaw. The basic rule is: "I never know of all types of security exploits. I must protect against those I do not know of as well, and then I must be proactive!"
Other techniques
- One of the most common problems is the unchecked use of constant-size structures and functions for dynamic-size data (the buffer overflow problem). This is especially common for string data in C. C library functions like gets should never be used, since the maximum size of the input buffer is not passed as an argument. C library functions like scanf can be used safely, but require the programmer to take care in selecting safe format strings (for example, by giving each conversion a width that bounds it to the receiving buffer).
- Encrypt/authenticate all important data transmitted over networks. Do not attempt to implement your own encryption scheme, but use a proven one instead.
- All data is important until proven otherwise.
- All code is insecure until proven otherwise.
- If data are checked for correctness, verify that they are correct, not that they are incorrect.
Preconditions, postconditions and invariants validation are also part of defensive programming. This may involve checking arguments to a function or method for validity before execution of the body of the function. After the body of a function, checking the object state (in object-oriented programming languages) or other held data and the return value before each exit (break/return/throw/error code) is also wise.
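As an added example, not from the original article, the following C code ties together two of the points above: the scanf item (a conversion width bound to the receiving buffer) and the precondition/postcondition paragraph (arguments checked before the body, results verified before return). The "name:age" record format, the limits, and the names parse_person, parse_result_of and age_of are invented here; the sample lines in main are constructed:

```c
/* Added example, not part of the original article. The "name:age" record
 * format, the limits and the function names are invented for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 31               /* characters stored, excluding the NUL */
#define STR_(x) #x
#define STR(x) STR_(x)            /* NAME_LEN -> "31" inside the format string */

struct person {
    char name[NAME_LEN + 1];
    int  age;
};

enum parse_result {
    PARSE_OK         =  0,
    PARSE_BAD_ARG    = -1,        /* precondition violated: NULL argument */
    PARSE_BAD_FORMAT = -2,        /* line does not match "name:age" */
    PARSE_BAD_VALUE  = -3         /* matched, but a value fails validation */
};

/* Parses one "name:age" line. The conversion width is tied to the buffer
 * size by the macro, so an over-long name makes the match fail instead of
 * writing past `name`. Values are verified to be correct (letters only,
 * age within range) rather than merely "not obviously wrong". */
int parse_person(const char *line, struct person *out)
{
    if (line == NULL || out == NULL)            /* precondition */
        return PARSE_BAD_ARG;
    memset(out, 0, sizeof *out);
    char trailing = '\0';
    int n = sscanf(line, "%" STR(NAME_LEN) "[^:]:%d%c",
                   out->name, &out->age, &trailing);
    if (n < 2)
        return PARSE_BAD_FORMAT;
    if (n == 3 && trailing != '\n')             /* junk after the age */
        return PARSE_BAD_FORMAT;
    for (const char *c = out->name; *c != '\0'; c++)
        if (!isalpha((unsigned char)*c))
            return PARSE_BAD_VALUE;
    if (out->age < 0 || out->age > 150)
        return PARSE_BAD_VALUE;
    /* postcondition: the record is fully populated and bounded */
    if (out->name[0] == '\0' || strlen(out->name) > NAME_LEN)
        return PARSE_BAD_VALUE;
    return PARSE_OK;
}

/* Small wrappers so the outcome of a parse can be inspected by value. */
int parse_result_of(const char *line)
{
    struct person p;
    return parse_person(line, &p);
}

int age_of(const char *line)
{
    struct person p;
    int r = parse_person(line, &p);
    return r == PARSE_OK ? p.age : r;
}

int main(void)
{
    /* constructed sample records, including malformed and hostile ones */
    const char *lines[] = { "Alice:30", "Bob:30\n", "Carol:30x", "Dave:999",
                            "Al1ce:30", "noage",
                            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:30" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-45s -> %d\n", lines[i], parse_result_of(lines[i]));
    return 0;
}
```

Because "%31[^:]" stops after 31 characters, a 40-character name leaves the literal ':' unmatched and the line is rejected as malformed; the width and the array size are expressed once, through NAME_LEN, so they cannot drift apart when the buffer is later resized.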
Within functions, you may want to check that you are not referencing something invalid (i.e., null) and that array lengths are valid before referencing elements, especially on all temporary/local instantiations. A good heuristic is not to trust the libraries you did not write either: any time you call them, check what you get back. It often helps to create a small library of "asserting" and "checking" functions to do this, along with a logger, so you can trace your path and reduce the need for extensive debugging cycles in the first place. With the advent of logging libraries and Aspect Oriented Programming, many of the tedious aspects of defensive programming are mitigated.
Generally speaking, then, it is preferable to throw intelligible exception messages that enforce part of your API contract and guide the client programmer, rather than returning values a client programmer is likely to be unprepared for. This minimizes their complaints and increases the robustness and security of your software.
See also
Computer security