Q: Socket Security

A new question for you guys – you have been great answering the previous one:
—-
Hi, I’m a bit new to Java and socket programming.
Anyway, I just wrote a client-server socket program and I have an open port listening on my Unix box.

I was told that this is vulnerable because now anyone could write a client side program to my open port and send in whatever command line they want.

I am not sure where to go about researching what security measures I need to put in place for socket programming.

From:
B.M
USA
—-

  • http://arik.baratz.org Arik

    Dear B.M.

    Indeed, whoever told you anyone can write a client side program and SEND whatever command line they want was absolutely right.

    Depending on what you do within your server program, it may or may not be executed in a way that will be vulnerable. Hint: I would avoid sending the command received on the socket to a java.lang.Runtime object… Especially through the exec() method.

    The mere fact that you are asking this question in this way suggests that, with all due respect, you are not knowledgeable enough to implement a server program, at least not on a publicly accessible machine.

    However, a good way to gain knowledge is by trial and error. I suggest that you start with running your server on a private network that cannot be accessed by untrusted people. If you don’t know how to set this up or if your network meets this criterion, have someone knowledgeable help you set it up. Then you can play with your server until you figure out how to write it in a way that you at least feel confident about it not being vulnerable.

    And while you’re at it, google “secure programming” and get yourself clued in on some good server coding practices.

    – Arik

  • Steve King

    I would recommend at the very least to place an authentication scheme on the communication port and not allow anything through until the user has been authenticated.

  • dave

    well, just because you bind a socket and accept input does not mean you will get rooted. a lot more has to come into play first.

    what language – you’ve chosen java which should help you against several classes of vulnerabilities – but obviously not all.

    how will you authenticate the connections to the port? will you use tcp wrappers? will you integrate your own authentication – passwords? will you use java secure sockets extension and certs?

    did you bind the socket to a port as root?

    did you bind to all interfaces? the external interface? internal interface? or just to loopback?

    is your computer directly on the internet? is there a firewall in place, etc..?

    what does your socket do? does it call other libraries or programs on the system? – the real meat of secure sockets programming is in writing good code that does what it is intended to do and handles unexpected input and outcomes appropriately – the code should complete as expected regardless of user modification.
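
The points raised in the replies above (bind to loopback on an unprivileged port, authenticate before anything else, never hand socket input to `Runtime.exec()`, handle unexpected input), combined in one server as an added example that is not part of the original thread. The class name, port 5000, the `SERVER_TOKEN` environment variable and the `TIME`/`PING` commands are assumptions made for illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.function.Supplier;

public class HardenedServer {  // hypothetical name
    // Assumption: shared secret supplied through the environment, never hard-coded.
    private static final byte[] TOKEN =
        System.getenv().getOrDefault("SERVER_TOKEN", "").getBytes(StandardCharsets.UTF_8);
    private static final int MAX_LINE = 256;
    // Fixed allowlist: client input only selects an entry, it is never executed.
    private static final Map<String, Supplier<String>> COMMANDS = Map.of(
        "TIME", () -> java.time.Instant.now().toString(),
        "PING", () -> "PONG");

    public static void main(String[] args) throws IOException {
        if (TOKEN.length == 0) throw new IllegalStateException("SERVER_TOKEN not set");
        // Loopback only, unprivileged port: no root needed, not reachable from other hosts.
        try (ServerSocket server = new ServerSocket(5000, 16, InetAddress.getLoopbackAddress())) {
            while (true) {
                try (Socket client = server.accept()) {
                    client.setSoTimeout(5000);  // drop clients that stall
                    handle(client);
                } catch (IOException e) {       // bad input ends one session, not the server
                    System.err.println("client error: " + e.getMessage());
                }
            }
        }
    }

    static void handle(Socket client) throws IOException {
        BufferedReader in = new BufferedReader(
            new InputStreamReader(client.getInputStream(), StandardCharsets.UTF_8));
        PrintWriter out = new PrintWriter(
            new OutputStreamWriter(client.getOutputStream(), StandardCharsets.UTF_8), true);
        String auth = readLine(in);
        // Nothing else is read or processed until the token check passes.
        if (auth == null || !MessageDigest.isEqual(auth.getBytes(StandardCharsets.UTF_8), TOKEN)) {
            out.println("ERR auth");
            return;
        }
        String cmd = readLine(in);
        Supplier<String> action = (cmd == null) ? null : COMMANDS.get(cmd);
        out.println(action == null ? "ERR unknown command" : "OK " + action.get());
    }

    // Reads one trimmed line; refuses input longer than MAX_LINE; null on empty line or EOF.
    static String readLine(BufferedReader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (int c; (c = in.read()) != -1 && c != '\n'; ) {
            if (sb.length() >= MAX_LINE) throw new IOException("line too long");
            sb.append((char) c);
        }
        String line = sb.toString().trim();
        return line.isEmpty() ? null : line;
    }
}
```

The token crosses the socket in clear text, which is why this form stays on loopback; for the certificate route dave mentions, JSSE's `SSLServerSocket` would take the place of the plain `ServerSocket`.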