Chapter 15: Socket Security

Part III

Even More Secure Coding Techniques

Chapter 15

Socket Security

Sockets are at the heart of any application that communicates using the TCP/IP protocol. The IP protocol and associated transports, such as TCP and UDP, were not designed to meet the threat environments we currently face. However, as we move to IPv6 Internet Protocol version 6, described in the IPv6 Is Coming! section later in this chapter some of these problems will be mitigated. Some of the issues I'll cover in this chapter include binding your server so that it cannot be hijacked by local users, writing a server that can listen on the network interfaces the user chooses, and managing how you accept connections. I'll also discuss general rules for writing firewall-friendly applications, spoofing, and host-based and port-based trust.

This chapter assumes familiarity with the fundamentals of sockets programming. If you are new to sockets programming, a book I found helpful is Windows Sockets Network Programming (Addison-Wesley Publishing Co., 1995), by Bob Quinn and David Shute. The example programs are written in C, with a touch of C++ thrown in. I like to use the .cpp extension to get stricter compiler warnings, but the applications should be accessible to anyone who can read C. Some of the specific socket options and interface management functions are Microsoft-specific, but the general ideas should be useful to people writing code for any platform.

If you're interested in using built-in Windows functionality to authenticate your clients and servers and to establish privacy and integrity (including SSL/TLS), look at the documentation for the SSPI (Security Support Provider Interface) API. Although it has lots of useful functionality, be warned that this bunch of APIs is not for the faint of heart. As mentioned in Chapter 4, Threat Modeling, a good explanation of SSPI is in Programming Server-Side Applications for Microsoft Windows 2000 (Microsoft Press, 2000), by Jeffrey Richter and Jason Clark.



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2001
Pages: 286

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net