From: drh
Date: Sat, 13 Jul 2002 16:52:35 +0000 (+0000)
Subject: Added a document describing how to do a security audit. (CVS 673)
X-Git-Tag: version-3.6.10~5402
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=674d712126603cd6e34976f6a535b319ae12cd2b;p=thirdparty%2Fsqlite.git
Added a document describing how to do a security audit. (CVS 673)
FossilOrigin-Name: cff271837796d84471b09147c59cb7601d16b358
---
diff --git a/manifest b/manifest
index d87ef3af84..225fc91c4f 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sfor\sticket\s#54:\sExport\sadditional\sAPIs\sto\sthe\sWin32\sDLL.\s(CVS\s672)
-D 2002-07-13T14:41:50
+C Added\sa\sdocument\sdescribing\show\sto\sdo\sa\ssecurity\saudit.\s(CVS\s673)
+D 2002-07-13T16:52:35
F Makefile.in 6291a33b87d2a395aafd7646ee1ed562c6f2c28c
F Makefile.template 4e11752e0b5c7a043ca50af4296ec562857ba495
F README a4c0ba11354ef6ba0776b400d057c59da47a4cc0
@@ -124,6 +124,7 @@ F tool/speedtest2.tcl ee2149167303ba8e95af97873c575c3e0fab58ff
F www/arch.fig d5f9752a4dbf242e9cfffffd3f5762b6c63b3bcf
F www/arch.png 82ef36db1143828a7abc88b1e308a5f55d4336f4
F www/arch.tcl 72a0c80e9054cc7025a50928d28d9c75c02c2b8b
+F www/audit.tcl 90e09d580f79c7efec0c7d6f447b7ec5c2dce5c0
F www/c_interface.tcl 58cf4d128dcae08d91d0011c6d4d11de323f470f
F www/changes.tcl a6d732a78b451eab29a66a068dc07b359f32c5a8
F www/conflict.tcl 81dd21f9a679e60aae049e9dd8ab53d59570cda2
@@ -140,7 +141,7 @@ F www/speed.tcl da8afcc1d3ccc5696cfb388a68982bc3d9f7f00f
F www/sqlite.tcl ae3dcfb077e53833b59d4fcc94d8a12c50a44098
F www/tclsqlite.tcl 1db15abeb446aad0caf0b95b8b9579720e4ea331
F www/vdbe.tcl 2013852c27a02a091d39a766bc87cff329f21218
-P 0603eb74e6aca48f62bd95cb6c236b9e559af850
-R fec5cfcbc1c303b4f7beaf771235ce69
+P 072fd2ad588332b1f1f725515bedfbc0cf035315
+R 0c58a47e130f778dc9990a3b129c0313
U drh
-Z b3e582a584f7f5a3ef64bc137f861e98
+Z 87e130d886df3a6228f2f58c5ec9b87e
diff --git a/manifest.uuid b/manifest.uuid
index b72dd0cb74..447662e73e 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-072fd2ad588332b1f1f725515bedfbc0cf035315
\ No newline at end of file
+cff271837796d84471b09147c59cb7601d16b358
\ No newline at end of file
diff --git a/www/audit.tcl b/www/audit.tcl
new file mode 100644
index 0000000000..8b30373aed
--- /dev/null
+++ b/www/audit.tcl
@@ -0,0 +1,214 @@
+#
+# Run this Tcl script to generate the audit.html file.
+#
+set rcsid {$Id: audit.tcl,v 1.1 2002/07/13 16:52:35 drh Exp $}
+
+puts {
+
+ SQLite Security Audit Procedure
+
+
+
+SQLite Security Audit Procedure
+
}
+puts "
+(This page was last modified on [lrange $rcsid 3 4] UTC)
+
"
+
+puts {
+
+A security audit for SQLite consists of two components. First, there is
+a check for common errors that often lead to security problems. Second,
+an attempt is made to construct a proof that SQLite has certain desirable
+security properties.
+
+
+Part I: Things to check
+
+
+Scan all source code and check for the following common errors:
+
+
+
+
+Verify that the destination buffer is large enough to hold its result
+in every call to the following routines:
+
+- strcpy()
+- strncpy()
+- strcat()
+- memcpy()
+- memset()
+- memmove()
+- bcopy()
+- sprintf()
+- scanf()
+
+
+
+Verify that pointers returned by subroutines are not NULL before using
+the pointers. In particular, make sure the return values for the following
+routines are checked before they are used:
+
+- malloc()
+- realloc()
+- sqliteMalloc()
+- sqliteRealloc()
+- sqliteStrDup()
+- sqliteStrNDup()
+- sqliteExpr()
+- sqliteExprFunction()
+- sqliteExprListAppend()
+- sqliteResultSetOfSelect()
+- sqliteIdListAppend()
+- sqliteSrcListAppend()
+- sqliteSelectNew()
+- sqliteTableNameToTable()
+- sqliteTableTokenToSrcList()
+- sqliteWhereBegin()
+- sqliteFindTable()
+- sqliteFindIndex()
+- sqliteTableNameFromToken()
+- sqliteGetVdbe()
+- sqlite_mprintf()
+- sqliteExprDup()
+- sqliteExprListDup()
+- sqliteSrcListDup()
+- sqliteIdListDup()
+- sqliteSelectDup()
+- sqliteFindFunction()
+- sqliteTriggerSelectStep()
+- sqliteTriggerInsertStep()
+- sqliteTriggerUpdateStep()
+- sqliteTriggerDeleteStep()
+
+
+
+On all functions and procedures, verify that pointer parameters are not NULL
+before dereferencing those parameters.
+
+
+Check to make sure that temporary files are opened safely: that the process
+will not overwrite an existing file when opening the temp file and that
+another process is unable to substitute a file for the temp file being
+opened.
+
+
+
+
+
+Part II: Things to prove
+
+
+Prove that SQLite exhibits the characteristics outlined below:
+
+
+
+
+The following are preconditions:
+
+- Z is an arbitrary-length NUL-terminated string.
+- An existing SQLite database has been opened. The return value
+ from the call to sqlite_open() is stored in the variable
+ db.
+- The database contains at least one table of the form:
+
+CREATE TABLE t1(a CLOB);
+
+- There are no user-defined functions other than the standard
+ build-in functions.
+
+The following statement of C code is executed:
+
+sqlite_exec_printf(
+ db,
+ "INSERT INTO t1(a) VALUES('%q');",
+ 0, 0, 0, Z
+);
+
+Prove the following are true for all possible values of string Z:
+
+
+The call to sqlite_exec_printf() will
+return in a length of time that is a polynomial in strlen(Z).
+It might return an error code but it will not crash.
+
+
+At most one new row will be inserted into table t1.
+
+
+No preexisting rows of t1 will be deleted or modified.
+
+
+No tables other than t1 will be altered in any way.
+
+
+No preexisting files on the host computers filesystem, other than
+the database file itself, will be deleted or modified.
+
+
+For some constants K1 and K2,
+if at least K1*strlen(Z) + K2 bytes of contiguous memory are
+available to malloc(), then the call to sqlite_exec_printf()
+will not return SQLITE_NOMEM.
+
+
+
+
+
+
+The following are preconditions:
+
+- Z is an arbitrary-length NUL-terminated string.
+- An existing SQLite database has been opened. The return value
+ from the call to sqlite_open() is stored in the variable
+ db.
+- There exists a callback function cb() that appends all
+ information passed in through its parameters into a single
+ data buffer called Y.
+- There are no user-defined functions other than the standard
+ build-in functions.
+
+The following statement of C code is executed:
+
+sqlite_exec(db, Z, cb, 0, 0);
+
+Prove the following are true for all possible values of string Z:
+
+
+The call to sqlite_exec() will
+return in a length of time which is a polynomial in strlen(Z).
+It might return an error code but it will not crash.
+
+
+After sqlite_exec() returns, the buffer Y will not contain
+any content from any preexisting file on the host computers file system,
+except for the database file.
+
+
+After the call to sqlite_exec() returns, the database file will
+still be well-formed. It might not contain the same data, but it will
+still be a properly constructed SQLite database file.
+
+
+No preexisting files on the host computers filesystem, other than
+the database file itself, will be deleted or modified.
+
+
+For some constants K1 and K2,
+if at least K1*strlen(Z) + K2 bytes of contiguous memory are
+available to malloc(), then the call to sqlite_exec()
+will not return SQLITE_NOMEM.
+
+
+
+
+
+}
+puts {
+
+
+Back to the SQLite Home Page
+
+
+}
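Review bot: the Part I temp-file item (L147-L150 of the new file's text, "another process is unable to substitute a file for the temp file being opened") states the goal but not the check an auditor should apply; spell out the concrete criteria, e.g. that the temp file is created with O_CREAT|O_EXCL under an unpredictable name in a single open() call, rather than tested for existence and then opened in a second step, since the latter is exactly the window that allows substitution. Two spelling fixes in the same hunk: "standard build-in functions" appears in both Part II precondition lists and should read "built-in functions", and "host computers filesystem" / "host computers file system" (three occurrences) needs the possessive "host computer's filesystem". The duplicated title line "SQLite Security Audit Procedure" is fine here because the two copies are the page title and the body heading, but the generated HTML should be checked once to confirm that is what rendered.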