Take Up Code / 237: Filesystem: How To Avoid Security Vulnerabilities. Part 3.
- Avoid being predictable. This advice applies to almost everything you do as a programmer. This episode will focus on the filesystem and how being predictable can make it much easier for an attacker to gain control.
- Publishing date
- 2018-06-25 03:33
- Wahid Tanner author
Avoid being predictable. This advice applies to almost everything you do as a programmer. This episode will focus on the filesystem and how being predictable can make it much easier for an attacker to gain control.
We use files to store information and configuration. And we also use files to communicate. Especially between companies or departments within a company. Maybe you’re writing an application that needs to wait on some information that will be sent to you when it’s ready. It’s a lot of information so you agree with the other team that they can just write it all to a file and send it to you when it’s ready. Your application just needs to wait for the file to appear, open it, and start reading.
The only question is where should the file be placed and what should it be named. This is where the problem of predictability comes in.
Anybody who has access to write a file to that location and who knows the name of the file your application is waiting on can trick your application into reading fake data. You need to use some form of cryptography when coming up with the name of the files used for communication. Anything else is just too predictable.
Listen to the full episode for examples of how you can solve the predictability problem. You’ll learn why simple solutions are not enough and how you can use an HMAC or hashed message authentication code to help.