There's a lot of Perl code out there and more being written all the time. Ian Kluft presented current advice on secure coding in Perl, including language-specific guidelines from the Perl documentation, the SEI CERT Perl Coding Standard from the CMU Software Engineering Institute, the Common Weakness Enumeration (CWE), and general advice from the OWASP Top 10.
Secure Coding in Perl
Silicon Valley Perl
March 4, 2021 monthly meeting
presented by Ian Kluft
San Jose, California
Why secure coding matters
● Any software or hardware can be under attack today
● True for any and all coding - this presentation applies to Perl
● Vulnerabilities in code often result from carelessness
● We can prevent vulnerabilities by making ourselves aware of
  ● what to avoid in new code
  ● what to look for in existing code
● There is a lot of Perl code on servers all over the Internet
● This presentation overviews available Perl security resources
PERLSEC in the Perl Documentation
● every Perl installation comes with the “perlsec” doc page
  ● you can read it with the command “perldoc perlsec”
  ● on Unix/Linux/BSD systems, “man perlsec” reads it as a manual page
  ● on CPAN: https://metacpan.org/pod/distribution/perl/pod/perlsec.pod
● It’s a good place to start but not the only resource you’ll need
● If you haven’t read it before (or lately), it’s worth a review
● Upcoming slides have an overview of PERLSEC
PERLSEC: Vulnerability Reporting
● What if you find a security vulnerability in Perl?
  ● reporting contact address: mailto:perl-security@perl.org
  ● perlsecpolicy doc page says what is considered a security issue
    https://metacpan.org/pod/distribution/perl/pod/perlsecpolicy.pod
● The Perl security team’s scope covers
  ● Perl interpreter
  ● Perl modules shipped with the interpreter and from the core repository
  ● CLI tools shipped with the interpreter and from the core repository
PERLSECPOLICY: Not a Perl core security issue
● Feeding untrusted code to the interpreter
● Stack overflows due to excessive recursion
● Out of memory errors
● Escape from a Safe compartment
● Use of the p and P pack templates
● Stack not reference-counted issues
● Thawing attacker-supplied data with Storable
● Using attacker supplied SDBM_File databases
● Badly encoded UTF-8 flagged scalars
● Issues that exist only in blead, or in a release candidate
● CPAN modules or other Perl project resources
● Emulated POSIX behaviors on Windows systems
Contact appropriate authors for non-core modules or other software!
PERLSECPOLICY: Special cases
● Special cases are described in perlsecpolicy doc page for...
  ● Regular expressions
  ● DB_File, ODBM_File, or GDBM_File databases
  ● Algorithmic complexity attacks
PERLSECPOLICY: Vulnerability remediation
When reporting a vulnerability, see perlsecpolicy to review details on the process.
● Initial contact
● Initial triage
● Issue ID assignment
● Development of patches
● CVE ID assignment
● Pre-release notifications
● Pre-release testing
● Release of fixes and announcements
● Zero-day security issues (vulnerabilities under active attack)
● Credits in vulnerability announcements
PERLSEC: Security mechanisms and concerns
taint mode
  ● detecting tainted data
  ● switches on #! line
  ● in taint mode, @INC ignores environment variables
securing $PATH
  ● also remove IFS CDPATH ENV BASH_ENV
protecting programs with licensing terms (serves only as a foundation)
Unicode issues - from perlunicode doc page "Security Implications of Unicode"
  ● malformed UTF-8
  ● regex surprises with Unicode
  ● "Unicode Security Considerations" https://www.unicode.org/reports/tr36
  ● "Unicode Security FAQ" http://www.unicode.org/faq/security.html
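Example code added here (not from the slides) that puts the taint-mode points above into one script: the -T switch on the #! line, the $PATH and IFS/CDPATH/ENV/BASH_ENV cleanup, and untainting by regex capture. The file-name policy in untaint_filename and the call to /bin/ls are assumptions chosen for the demo.

```perl
#!/usr/bin/perl -T
# Added example, not from the slides. Run as "perl -T taint_demo.pl <file-name>":
# when -T is on the #! line, it must also be given on the command line.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec: before running any external command under -T, set $PATH
# explicitly and remove the variables that could influence a shell.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# @ARGV, %ENV, file reads and socket reads are all tainted sources.
my $arg = shift @ARGV;
defined $arg or die "usage: $0 <file-name>\n";
print 'argument tainted: ', (tainted($arg) ? 'yes' : 'no'), "\n";

# The only way to untaint is a regex capture, so the pattern *is* the
# validation policy. Assumed policy here: a plain file name of ASCII word
# characters, dots and dashes that starts with a word character (so no
# "..", no dotfiles, no "-x" that looks like an option). /a keeps \w ASCII.
sub untaint_filename {
    my ($raw) = @_;
    if ($raw =~ /\A(\w[\w.-]*)\z/a) {
        return $1;    # $1 is clean: it came from our own pattern
    }
    die "refusing unsafe file name '$raw'\n";
}

my $name = untaint_filename($arg);
print 'after untainting: ', (tainted($name) ? 'still tainted' : 'clean'), "\n";

# Under -T, system() with a tainted argument dies with "Insecure dependency".
# The list form also keeps the shell out of it entirely.
system('/bin/ls', '-l', '--', $name) == 0
    or warn "ls exited with status ", $? >> 8, "\n";
```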
PERLSEC: Algorithmic complexity attacks
● Hash algorithm
  ● Perl 5.18 (2013) and above are considered hardened for hash collision attacks
  ● Perl does not guarantee any ordering of hash keys
  ● hash key ordering changes sometimes between releases
● Regular expressions
  ● Regex engine is not resistant to denial of service (DoS) attacks
  ● don’t feed unsanitized strings to the regex compiler
● Sorting
  ● Perl 5.8 (2002) switched from quicksort to mergesort to prevent DoS attacks
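Example code added here (not from the slides) for the regex and hash points above: a user-supplied search string interpolated as regex syntax versus matched as literal text with \Q...\E, and hash output sorted so it never depends on key order. The log lines and the query are constructed sample data.

```perl
# Added example, not from the slides; @lines and $query are constructed.
use strict;
use warnings;

my @lines = (
    '2021-03-04 login ok user=alice',
    '2021-03-04 login failed user=bob',
    '2021-03-04 login ok user=carol',
);

# Risky: the string is interpolated as regex syntax, so it reaches the regex
# compiler unsanitized. Besides matching more than intended, a pathological
# pattern can keep the backtracking engine busy for a very long time, which
# is the regex DoS this slide warns about.
sub count_matches_unsafe {
    my ($pattern) = @_;
    return scalar grep { /$pattern/ } @lines;
}

# Hardened: \Q...\E (quotemeta) escapes every metacharacter, so the input can
# only match itself literally and cannot change the pattern's structure.
sub count_matches_safe {
    my ($text) = @_;
    return scalar grep { /\Q$text\E/ } @lines;
}

# Tally outcomes. keys %count comes back in an order Perl does not guarantee,
# which differs between releases (and, since 5.18, between runs), so sort
# before producing output that anything else will compare or parse.
sub tally_outcomes {
    my %count;
    for my $line (@lines) {
        my ($outcome) = $line =~ /\blogin (\w+)\b/ or next;
        $count{$outcome}++;
    }
    return join ', ', map { "$_=$count{$_}" } sort keys %count;
}

my $query = 'user=.*';    # looks like text to a user, is a regex to Perl
print 'as regex:   ', count_matches_unsafe($query), " lines\n";
print 'as literal: ', count_matches_safe($query), " lines\n";
print tally_outcomes(), "\n";
```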
PERLSEC: Pros and cons of using sudo
Any setting of user or group ID is a place to direct extra security attention!
Benefits of sudo
● sanitizes execution environment
● avoids shebang race condition
● more convenient than set-id scripts
Drawbacks of sudo
● sudo sets real uid/gid
  ● Perl can’t detect it was run by sudo
  ● won’t automatically turn on taint
  ● use -T option to control taint in scripts launched by sudo
Static analysis tools for Perl
● Perl::Critic https://metacpan.org/pod/Perl::Critic
● PerlTidy https://metacpan.org/pod/perltidy
● Padre IDE http://padre.perlide.org/
Do you have others to suggest?
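A .perlcriticrc added here as an example (not from the slides) of pointing Perl::Critic at the secure-coding rules covered later in this deck. Policy names are those shipped in the Perl::Critic core distribution; the SEI rule IDs in the comments are my own mapping, not an official one, and the severities are choices for this demo.

```ini
# Added example .perlcriticrc, not from the slides.
# Global threshold: run policies of severity 3 ("harsh") and above.
severity = 3
# Restrict to the security theme plus policies tagged with CERT rules/recs.
theme = security || certrule || certrec
verbose = %f:%l:%c: [%p] %m\n

# Raise the policies behind rules in this deck to severity 5 so they are
# reported even under "perlcritic --gentle".
# IDS31-PL: two-argument open
[InputOutput::ProhibitTwoArgOpen]
severity = 5
# IDS35-PL: eval with a string argument
[BuiltinFunctions::ProhibitStringyEval]
severity = 5
# EXP31-PL: unexamined eval blocks
[ErrorHandling::RequireCheckingReturnValueOfEval]
severity = 5
# EXP32-PL: ignored return values of open/close
[InputOutput::RequireCheckedOpen]
severity = 5
[InputOutput::RequireCheckedClose]
severity = 5
# MSC02-PL: strict and warnings
[TestingAndDebugging::RequireUseStrict]
severity = 5
[TestingAndDebugging::RequireUseWarnings]
severity = 5
# OOP32-PL: indirect object syntax
[Objects::ProhibitIndirectSyntax]
severity = 5
# FIO00-PL: bareword file handles
[InputOutput::ProhibitBarewordFileHandles]
severity = 5
# EXP00-PL, DCL00-PL, INT00-PL: recommendations, kept at severity 4
[Subroutines::ProhibitExplicitReturnUndef]
severity = 4
[Subroutines::ProhibitSubroutinePrototypes]
severity = 4
[ValuesAndExpressions::ProhibitLeadingZeros]
severity = 4
```

Run "perlcritic --list" on your installation to confirm the policy names are present before relying on the profile.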
SEI CERT Perl Coding Standard
● A project of Carnegie Mellon University (CMU) Software Engineering Institute (SEI)
● SEI hosts Secure Coding standards for C, C++, Perl, Oracle and Android
● Each standard is a community-based group effort
● The Perl standard was last updated in 2018
  ● The Perl community should take this as a hint it needs more volunteers
https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard
SEI CERT Perl Coding Standard (cont’d)
● The standard is organized into rules (mandatory) and recommendations
● 8 subject areas
  ● Input Validation and Data Sanitization (IDS)
  ● Declarations and Initialization (DCL)
  ● Expressions (EXP)
  ● Integers (INT)
  ● Strings (STR)
  ● Object-Oriented Programming (OOP)
  ● File Input and Output (FIO)
  ● Miscellaneous (MSC)
Input Validation and Data Sanitization (IDS)
Rules
● IDS30-PL. Exclude user input from format strings
● IDS31-PL. Do not use the two-argument form of open()
● IDS32-PL. Validate any integer that is used as an array index
● IDS33-PL. Sanitize untrusted data passed across a trust boundary
● IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
● IDS35-PL. Do not invoke the eval form with a string argument
Recommendations
● IDS00-PL. Canonicalize path names before validating them
● IDS01-PL. Use taint mode while being aware of its limitations
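Example code added here (not from the slides or the SEI standard) showing the IDS rules above as risky/hardened pairs: the risky form is in the comment, the hardened form is the code. The untrusted value passed to each function stands in for a query parameter, command-line argument or line read from a socket; the use of wc and the base directory are assumptions for the demo.

```perl
# Added example, not from the slides or the SEI standard.
use strict;
use warnings;
use Cwd qw(realpath);

# IDS31-PL: read a file named by the input.
# Risky:  open(my $fh, $name)  -- 2-arg open lets the data pick the mode
#         (a name ending in '|' would be run as a command).
sub read_named_file {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "cannot open '$name': $!\n";  # mode fixed
    local $/;                                  # slurp the whole file
    my $content = <$fh>;
    close($fh) or die "close failed: $!\n";
    return $content;
}

# IDS34-PL: run an external tool on the input.
# Risky:  `wc -l $name`  -- one string means /bin/sh parses it.
sub count_lines_external {
    my ($name) = @_;
    # '-|' with a list runs wc directly; no shell ever sees $name
    open(my $ph, '-|', 'wc', '-l', '--', $name) or die "cannot run wc: $!\n";
    my $out = <$ph>;
    close($ph) or die "wc exited with status ", $? >> 8, "\n";
    my ($count) = $out =~ /\A\s*(\d+)/ or die "unexpected wc output\n";
    return $count;
}

# IDS30-PL: report the input.
# Risky:  printf($input)  -- any '%' in the data becomes a format directive.
sub describe { return sprintf('received %d bytes: %s', length($_[0]), $_[0]) }

# IDS35-PL: accept a number from the input.
# Risky:  my $n = eval $input  -- compiles and runs the data as Perl.
sub parse_integer {
    my ($text) = @_;
    my ($n) = $text =~ /\A\s*([+-]?\d{1,9})\s*\z/
        or die "not a plain integer: '$text'\n";
    return $n + 0;
}

# IDS00-PL: canonicalize before validating a path against its base directory.
sub path_within {
    my ($path, $base) = @_;
    my ($real, $root) = map { realpath($_) } ($path, $base);   # resolves '..' and symlinks
    return 0 unless defined $real && defined $root;
    return $real eq $root || index($real, "$root/") == 0;
}
```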
Declarations and Initialization (DCL)
Rules
● DCL30-PL. Do not import deprecated modules
● DCL31-PL. Do not overload reserved keywords or subroutines
● DCL33-PL. Declare identifiers before using them
Recommendations
● DCL00-PL. Do not use subroutine prototypes
● DCL01-PL. Do not reuse variable names in subscopes
● DCL02-PL. Any modified punctuation variable should be declared local
● DCL03-PL. Do not read a foreach iterator variable after the loop has completed
● DCL04-PL. Always initialize local variables
● DCL05-PL. Prohibit Perl4 package names
Expressions (EXP) Rules
● EXP30-PL. Do not use deprecated or obsolete functions or modules
● EXP31-PL. Do not suppress or ignore exceptions
● EXP32-PL. Do not ignore function return values
● EXP33-PL. Do not invoke a function in a context for which it is not defined
● EXP34-PL. Do not modify $_ in list or sorting functions
● EXP35-PL. Use the correct operator type for comparing values
● EXP37-PL. Do not use the one-argument form of select()
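Example code added here (not from the slides or the SEI standard) for EXP31-PL and EXP32-PL: an eval block whose outcome is actually checked, and I/O calls whose return values are not ignored. The temp file and the record text are constructed for the demo.

```perl
# Added example, not from the slides or the SEI standard.
use strict;
use warnings;
use File::Temp qw(tempfile);

# EXP31-PL. Risky:  eval { risky() };  with nothing looking at the outcome.
# Testing $@ afterwards is fragile too (a DESTROY method or a nested eval
# can clear it); the "eval { ...; 1 } or ..." idiom tests success directly.
sub run_guarded {
    my ($code) = @_;
    my $ok = eval { $code->(); 1 };
    return 'ok' if $ok;
    my $err = $@ || 'unknown error';
    chomp $err;
    return "failed: $err";
}

# EXP32-PL. open, print and close each report failure through their return
# value (and $!); ignoring them turns a full disk into silently lost data.
# Write errors buffered during print often only surface at close.
# (use autodie is the alternative: it makes these calls die on failure.)
sub append_record {
    my ($path, $record) = @_;
    open(my $fh, '>>', $path) or return "open failed: $!";
    print {$fh} "$record\n"   or return "print failed: $!";
    close($fh)                or return "close failed: $!";
    return 'written';
}

print run_guarded(sub { die "disk full\n" }), "\n";
print run_guarded(sub { 1 }), "\n";

my (undef, $tmp) = tempfile(UNLINK => 1);           # constructed target file
print append_record($tmp, 'audit: login ok user=alice'), "\n";
print append_record('/nonexistent-dir/audit.log', 'x'), "\n";
```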
Expressions (EXP) Recommendations
● EXP00-PL. Do not return undef
● EXP01-PL. Do not depend on the return value of functions that lack a return statement
● EXP03-PL. Do not diminish the benefits of constants by assuming their values in expressions
● EXP04-PL. Do not mix the early-precedence logical operators with late-precedence logical operators
● EXP06-PL. Do not use an array in an implicit scalar context
Integers (INT)
Rules:
● none
Recommendations:
● INT00-PL. Do not prepend leading zeroes to integer literals
● INT01-PL. Use small integers when precise computation is required
Strings (STR)
Rules:
● STR30-PL. Capture variables should be read only immediately after a successful regex match
● STR31-PL. Do not pass string literals to functions expecting regexes
Recommendations
● none
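Example code added here (not from the slides or the SEI standard) for the two STR rules above: a capture variable read after a failed match, and a string literal handed to split() where a regex is expected. The input strings are constructed.

```perl
# Added example, not from the slides or the SEI standard.
use strict;
use warnings;

# STR30-PL. A failed match does NOT reset $1: it keeps the value from the
# last successful match in the enclosing scope, so the second push below
# records a stale id instead of noticing that nothing matched.
sub last_id_stale {
    my @ids;
    'id=42'   =~ /id=(\d+)/;
    push @ids, $1;
    'garbage' =~ /id=(\d+)/;     # fails, and $1 is still the previous 42
    push @ids, $1;
    return \@ids;
}

# Read captures only in the success branch of the match.
sub last_id_checked {
    my @ids;
    for my $line ('id=42', 'garbage') {
        if (my ($id) = $line =~ /id=(\d+)/) { push @ids, $id }
        else                                { push @ids, 'none' }
    }
    return \@ids;
}

# STR31-PL. split() compiles a string first argument as a regex: '|' is an
# empty alternation that matches between every character, and '.' would
# match any character, so neither splits on the literal symbol.
sub fields_literal { return [ split '|',   $_[0] ] }
sub fields_regex   { return [ split /\|/, $_[0] ] }

print "stale:   @{ last_id_stale() }\n";
print "checked: @{ last_id_checked() }\n";
print "split '|':  @{ fields_literal('a|b|c') }\n";
print "split /\\|/: @{ fields_regex('a|b|c') }\n";
```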
Object-Oriented Programming (OOP)
Rules:
● OOP31-PL. Do not access private variables or subroutines in other packages
● OOP32-PL. Prohibit indirect object call syntax
Recommendations:
● OOP00-PL. Do not signify inheritance at runtime
File Input and Output (FIO)
Rules:
● FIO30-PL. Use compatible character encodings when performing network or file I/O
Recommendations:
● FIO00-PL. Do not use bareword file handles
● FIO01-PL. Do not operate on files that can be modified by untrusted users
Miscellaneous (MSC)
Rules:
● MSC30-PL. Do not use comma to separate statements
● MSC31-PL. Do not embed global statements
● MSC32-PL. Do not provide a module's version value from outside the module
Recommendations:
● MSC00-PL. Detect and remove dead code
● MSC01-PL. Detect and remove unused variables
● MSC02-PL. Run programs with full warnings and strict checking
Common Weakness Enumeration (CWE)
● Community-maintained database of known causes of vulnerabilities
● Think of it as a lessons-learned knowledge base
● It’s huge
● It covers many languages including Perl
https://cwe.mitre.org/
Common Weakness Enumeration (CWE) links
● Top 25 Most Dangerous Software Weaknesses
  https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
● Weaknesses Addressed by the SEI CERT Perl Coding Standard
  https://cwe.mitre.org/data/definitions/1178.html
● and many others – have a look around
OWASP Top 10 Web Application Security Risks
● Maintained by OWASP (Open Web Application Security Project)
● list updated occasionally on a multiple-year cycle
  ● 2017 edition is current as of March 2021
● Not specific to any programming language
● Specific to web applications
  ● often applicable to networking beyond just web applications
https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-top-ten/2017/
OWASP Top 10
● A1:2017-Injection
● A2:2017-Broken Authentication
● A3:2017-Sensitive Data Exposure
● A4:2017-XML External Entities (XXE)
● A5:2017-Broken Access Control
● A6:2017-Security Misconfiguration
● A7:2017-Cross-Site Scripting (XSS)
● A8:2017-Insecure Deserialization
● A9:2017-Using Components with Known Vulnerabilities
● A10:2017-Insufficient Logging & Monitoring
Conclusion
● These were some useful resources for
  ● writing new code
  ● maintaining existing code
  ● code reviews
● There are many more resources out there
● Remember: implementing security costs less the earlier you bring it into the development process
  ● It can be very difficult or impossible to add it if it was not considered early enough in a project