03/04/2021 1
Secure Coding in Perl
Silicon Valley Perl
March 4, 2021 monthly meeting
presented by Ian Kluft
San Jose, California
03/04/2021 Secure Coding in Perl
by Ian Kluft
2
Why secure coding matters
● Any software or hardware can be under attack today
  ● True for any and all coding - this presentation applies to Perl
● Vulnerabilities in code often result from carelessness
● We can prevent vulnerabilities by making ourselves aware of
  ● what to avoid in new code
  ● what to look for in existing code
● There is a lot of Perl code on servers all over the Internet
● This presentation overviews available Perl security resources
PERLSEC in the Perl Documentation
● every Perl installation comes with the “perlsec” doc page
  ● you can read it with the command “perldoc perlsec”
  ● on Unix/Linux/BSD systems, “man perlsec” reads it as a manual page
  ● on CPAN: https://metacpan.org/pod/distribution/perl/pod/perlsec.pod
● It’s a good place to start but not the only resource you’ll need
● If you haven’t read it before (or lately), it’s worth a review
● Upcoming slides have an overview of PERLSEC
PERLSEC: Vulnerability Reporting
● What if you find a security vulnerability in Perl?
  ● reporting contact address: mailto:perl-security@perl.org
  ● perlsecpolicy doc page says what is considered a security issue
    https://metacpan.org/pod/distribution/perl/pod/perlsecpolicy.pod
● The Perl security team’s scope covers
  ● Perl interpreter
  ● Perl modules shipped with the interpreter and from the core repository
  ● CLI tools shipped with the interpreter and from the core repository
PERLSECPOLICY: Not a Perl core security issue
● Feeding untrusted code to the interpreter
● Stack overflows due to excessive recursion
● Out of memory errors
● Escape from a Safe compartment
● Use of the p and P pack templates
● Stack not reference-counted issues
● Thawing attacker-supplied data with Storable
● Using attacker supplied SDBM_File databases
● Badly encoded UTF-8 flagged scalars
● Issues that exist only in blead, or in a release candidate
● CPAN modules or other Perl project resources
● Emulated POSIX behaviors on Windows systems
Contact appropriate authors for non-core modules or other software!
PERLSECPOLICY: Special cases
● Special cases are described in perlsecpolicy doc page for...
  ● Regular expressions
  ● DB_File, ODBM_File, or GDBM_File databases
  ● Algorithmic complexity attacks
PERLSECPOLICY: Vulnerability remediation
When reporting a vulnerability, see perlsecpolicy to review details on the process.
● Initial contact
● Initial triage
● Issue ID assignment
● Development of patches
● CVE ID assignment
● Pre-release notifications
● Pre-release testing
● Release of fixes and announcements
● Zero-day security issues (vulnerabilities under active attack)
● Credits in vulnerability announcements
PERLSEC: Security mechanisms and concerns
taint mode
● detecting tainted data
● switches on #! line
● in taint mode, @INC ignores environment variables
securing $PATH
● also remove IFS CDPATH ENV BASH_ENV
protecting programs with licensing terms (serves only as a foundation)
Unicode issues - from perlunicode doc page "Security Implications of Unicode"
● malformed UTF-8
● regex surprises with Unicode
● "Unicode Security Considerations" https://www.unicode.org/reports/tr36
● "Unicode Security FAQ" http://www.unicode.org/faq/security.html
PERLSEC: Algorithmic complexity attacks
● Hash algorithm
  ● Perl 5.18 (2013) and above are considered hardened for hash collision attacks
  ● Perl does not guarantee any ordering of hash keys
  ● hash key ordering changes sometimes between releases
● Regular expressions
  ● Regex engine is not resistant to denial of service (DoS) attacks
  ● don’t feed unsanitized strings to the regex compiler
● Sorting
  ● Perl 5.8 (2002) switched from quicksort to mergesort to prevent DoS attacks
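Two coding habits that follow from this slide, as an added example written for this page rather than code from the talk: computing a MAC over a canonical (sorted) serialization so the result does not depend on Perl's hash key order, and quoting untrusted text before it reaches the regex compiler. The key, the record and the search strings are constructed sample values.

```perl
#!/usr/bin/perl
# Added example (not from the talk): two habits that follow from the
# "algorithmic complexity" slide.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# 1. Never let program behaviour depend on hash key order. Perl randomizes it
#    per process (5.18 and later) and changes it between releases, so a MAC or
#    checksum over a hash must be computed over a canonical serialization:
#    iterate over "sort keys", never over "keys".
sub canonical_mac {
    my ($key, %fields) = @_;
    my $serialized = join ';', map { "$_=$fields{$_}" } sort keys %fields;
    return hmac_sha256_hex($serialized, $key);   # Digest::SHA: (data, key)
}

# 2. Never hand an unsanitized string to the regex compiler. \Q...\E applies
#    quotemeta() after interpolation, so the untrusted text is matched
#    literally and cannot contribute quantifiers, groups or anchors.
sub contains_literal {
    my ($haystack, $needle) = @_;
    return $haystack =~ /\Q$needle\E/ ? 1 : 0;
}

# When plain substring search is all that is needed, index() sidesteps the
# regex engine entirely, which is the simplest way to avoid regex DoS.
sub contains_literal_noregex {
    my ($haystack, $needle) = @_;
    return index($haystack, $needle) >= 0 ? 1 : 0;
}

# Constructed demonstration values (not from the talk).
my $key    = 'example-key-not-a-real-secret';
my %record = (user => 'alice', role => 'admin', id => 42);
printf "mac over canonical form: %s\n", canonical_mac($key, %record);

# Metacharacters in the untrusted needle would change the meaning of the
# pattern if it were interpolated unquoted.
my $untrusted = 'price: $5 (approx.)';
printf "literal regex match: %d\n",
    contains_literal('list price: $5 (approx.) per unit', $untrusted);
printf "index() match:       %d\n",
    contains_literal_noregex('list price: $5 (approx.) per unit', $untrusted);
```

Run the script twice and the MAC is identical even though `keys %record` may come back in a different order each run; a version built with `keys` instead of `sort keys` would verify only by luck.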
PERLSEC: Pros and cons of using sudo
Any setting of user or group ID is a place to direct extra security attention!
Benefits of sudo
● sanitizes execution environment
● avoids shebang race condition
● more convenient than set-id scripts
Drawbacks of sudo
● sudo sets real uid/gid
  ● Perl can’t detect it was run by sudo
  ● won’t automatically turn on taint
  ● use -T option to control taint in scripts launched by sudo
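Taint mode as outlined on the perlsec slide (detecting tainted data, the -T switch on the #! line, securing $PATH and dropping IFS, CDPATH, ENV and BASH_ENV) combined with this slide's advice to turn it on explicitly for scripts run under sudo, as an added example that is not code from the talk. The directories placed in $PATH and the /bin/ls command are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the talk): a script written to run under taint mode,
# following the perlsec checklist on the slides above.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# 1. Secure the environment before any child process can inherit it.
#    Taint mode refuses to run external programs unless $PATH is clean, and
#    perlsec recommends removing the shell-influencing variables as well.
$ENV{PATH} = '/usr/bin:/bin';               # assumed safe directories for this host
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. Everything that comes from outside the program is tainted: @ARGV, %ENV,
#    standard input, file contents. Scalar::Util::tainted() lets us check.
my $user_arg = @ARGV ? $ARGV[0] : '';
printf "argument '%s' is %s\n", $user_arg, tainted($user_arg) ? 'tainted' : 'clean';

# 3. The only way to untaint is to extract a validated part through a capture.
#    The pattern is deliberately strict: one bare filename, no separators.
sub untaint_filename {
    my ($raw) = @_;
    my ($clean) = $raw =~ /\A([A-Za-z0-9_.-]+)\z/;   # captured text is never tainted
    return if !defined $clean;                      # reject; do not "repair" the input
    return if $clean eq '.' or $clean eq '..';      # matches the pattern but is unsafe
    return $clean;
}

my $name = untaint_filename($user_arg);
die "refusing unsafe filename\n" unless defined $name;
printf "validated name '%s' is %s\n", $name, tainted($name) ? 'tainted' : 'clean';

# 4. With a clean filename and a clean $PATH, the list form of system() passes
#    the taint check. Passing the tainted $user_arg instead would make perl die
#    with "Insecure dependency in system while running with -T switch".
system('/bin/ls', '-l', '--', $name) == 0
    or warn "ls exited with status $?\n";
```

Because sudo sets the real uid/gid, perl sees no difference between real and effective ids and does not enable taint on its own; the -T on the #! line turns it on unconditionally. Keep in mind perl's rule that when -T appears on the #! line it must also be present on the command line: run the script as `./script.pl NAME` or `perl -T script.pl NAME`, since `perl script.pl NAME` dies with `Too late for "-T" option`.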
Static analysis tools for Perl
● Perl::Critic https://metacpan.org/pod/Perl::Critic
● PerlTidy https://metacpan.org/pod/perltidy
● Padre IDE http://padre.perlide.org/
Do you have others to suggest?
SEI CERT Perl Coding Standard
● A project of Carnegie Mellon University (CMU) Software Engineering Institute (SEI)
● SEI hosts Secure Coding standards for C, C++, Perl, Oracle and Android
● Each standard is a community-based group effort
● The Perl standard was last updated in 2018
  ● The Perl community should take this as a hint it needs more volunteers
https://wiki.sei.cmu.edu/confluence/display/perl/SEI+CERT+Perl+Coding+Standard
SEI CERT Perl Coding Standard (cont’d)
● The standard is organized into rules (mandatory) and recommendations
● 8 subject areas
  ● Input Validation and Data Sanitization (IDS)
  ● Declarations and Initialization (DCL)
  ● Expressions (EXP)
  ● Integers (INT)
  ● Strings (STR)
  ● Object-Oriented Programming (OOP)
  ● File Input and Output (FIO)
  ● Miscellaneous (MSC)
Input Validation and Data Sanitization (IDS)
Rules
● IDS30-PL. Exclude user input from format strings
● IDS31-PL. Do not use the two-argument form of open()
● IDS32-PL. Validate any integer that is used as an array index
● IDS33-PL. Sanitize untrusted data passed across a trust boundary
● IDS34-PL. Do not pass untrusted, unsanitized data to a command interpreter
● IDS35-PL. Do not invoke the eval form with a string argument
Recommendations
● IDS00-PL. Canonicalize path names before validating them
● IDS01-PL. Use taint mode while being aware of its limitations
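The IDS rules above, each shown as the construct the rule forbids beside a compliant replacement. This is an added example written for this page, not code from the SEI CERT standard or the talk; the grep command, the action names and the sample inputs at the end are illustrative assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the SEI CERT standard): IDS rules, noncompliant form
# beside compliant form.
use strict;
use warnings;

# IDS30-PL: user input must never be the format string.
sub log_line_bad  { my ($msg) = @_; return sprintf($msg); }        # directives in $msg are interpreted
sub log_line_good { my ($msg) = @_; return sprintf('%s', $msg); }  # $msg is only an argument

# IDS31-PL: with two-argument open(), leading or trailing characters in the
# name choose the mode ("|cmd", ">file", "<&"). Three arguments fix the mode
# and treat the whole string as a filename. The return value is checked (EXP32-PL).
sub read_file_bad  { my ($name) = @_; open(my $fh, $name) or die "open: $!";            return $fh; }
sub read_file_good { my ($name) = @_; open(my $fh, '<', $name) or die "open $name: $!"; return $fh; }

# IDS32-PL: validate an integer before using it as an array index; a negative
# or non-numeric value would otherwise index from the end or become 0.
sub pick_good {
    my ($list, $i) = @_;
    die "index must be a non-negative integer\n" unless $i =~ /\A[0-9]+\z/;
    die "index out of range\n" if $i > $#{$list};
    return $list->[$i];
}

# IDS34-PL: never pass untrusted data through a shell. The list form of
# system() executes the program directly, so no shell parses the arguments.
sub grep_bad  { my ($pat, $file) = @_; return system("grep $pat $file"); }       # shell sees $pat
sub grep_good { my ($pat, $file) = @_; return system('grep', '--', $pat, $file); }

# IDS35-PL: string eval compiles untrusted text as Perl. A dispatch table of
# known actions replaces it (block eval remains fine for exception handling).
my %actions = (
    list => sub { return 'listing' },
    show => sub { return 'showing' },
);
sub dispatch_bad  { my ($name) = @_; return eval "do_$name()"; }   # $name becomes code
sub dispatch_good {
    my ($name) = @_;
    my $code = $actions{$name} or die "unknown action '$name'\n";
    return $code->();
}

# Constructed demonstration input (not from the standard or the talk).
print log_line_good('100% done'), "\n";
print pick_good([qw(alpha beta gamma)], 2), "\n";
print dispatch_good('list'), "\n";
```

Each of the compliant forms shares one idea: the untrusted value is passed as data to an API that cannot reinterpret it, rather than concatenated into something (a format, a filename-with-mode, a shell command, Perl source) that a parser will read.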
Declarations and Initialization (DCL)
Rules
● DCL30-PL. Do not import deprecated modules
● DCL31-PL. Do not overload reserved keywords or subroutines
● DCL33-PL. Declare identifiers before using them
Recommendations
● DCL00-PL. Do not use subroutine prototypes
● DCL01-PL. Do not reuse variable names in subscopes
● DCL02-PL. Any modified punctuation variable should be declared local
● DCL03-PL. Do not read a foreach iterator variable after the loop has completed
● DCL04-PL. Always initialize local variables
● DCL05-PL. Prohibit Perl4 package names
Expressions (EXP) Rules
● EXP30-PL. Do not use deprecated or obsolete functions or modules
● EXP31-PL. Do not suppress or ignore exceptions
● EXP32-PL. Do not ignore function return values
● EXP33-PL. Do not invoke a function in a context for which it is not defined
● EXP34-PL. Do not modify $_ in list or sorting functions
● EXP35-PL. Use the correct operator type for comparing values
● EXP37-PL. Do not use the one-argument form of select()
Expressions (EXP) Recommendations
● EXP00-PL. Do not return undef
● EXP01-PL. Do not depend on the return value of functions that lack a return statement
● EXP03-PL. Do not diminish the benefits of constants by assuming their values in expressions
● EXP04-PL. Do not mix the early-precedence logical operators with late-precedence logical operators
● EXP06-PL. Do not use an array in an implicit scalar context
Integers (INT)
Rules:
● none
Recommendations:
● INT00-PL. Do not prepend leading zeroes to integer literals
● INT01-PL. Use small integers when precise computation is required
Strings (STR)
Rules:
● STR30-PL. Capture variables should be read only immediately after a successful regex match
● STR31-PL. Do not pass string literals to functions expecting regexes
Recommendations
● none
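STR30-PL in action, as an added example that is not taken from the standard or the talk: two functions parse the same constructed inputs, one reading $1 without testing whether the match succeeded and one reading the capture only on success.

```perl
#!/usr/bin/perl
# Added example (not from the SEI CERT standard): why capture variables must be
# read only immediately after a successful match (STR30-PL).
use strict;
use warnings;

# Noncompliant: $1 is read without checking the match result. A failed match
# does not reset the capture variables, so $1 still holds the value from the
# previous successful match in this dynamic scope and a malformed input can
# be reported with a valid-looking id.
sub extract_ids_bad {
    my (@inputs) = @_;
    my @ids;
    for my $in (@inputs) {
        $in =~ /\Aid=([0-9]+)\z/;
        push @ids, $1;             # stale when the match above failed
    }
    return @ids;
}

# Compliant: the list assignment is false on a failed match, and the capture
# is copied into a lexical the moment the match succeeds.
sub extract_ids_good {
    my (@inputs) = @_;
    my @ids;
    for my $in (@inputs) {
        if (my ($id) = $in =~ /\Aid=([0-9]+)\z/) {
            push @ids, $id;
        } else {
            push @ids, undef;      # explicit rejection instead of a stale value
        }
    }
    return @ids;
}

# Constructed inputs (not from the talk); the second one is malformed.
my @inputs = ('id=42', 'id=42; extra', 'id=7');
print 'bad:  ', join(',', map { $_ // 'REJECTED' } extract_ids_bad(@inputs)),  "\n";
print 'good: ', join(',', map { $_ // 'REJECTED' } extract_ids_good(@inputs)), "\n";
```

The noncompliant version accepts the malformed second input with the id left over from the first; the compliant version rejects it. The same pattern matters when a regex is used to untaint data under -T, where a stale capture would silently pass a value that was never validated.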
Object-Oriented Programming (OOP)
Rules:
● OOP31-PL. Do not access private variables or subroutines in other packages
● OOP32-PL. Prohibit indirect object call syntax
Recommendations:
● OOP00-PL. Do not signify inheritance at runtime
File Input and Output (FIO)
Rules:
● FIO30-PL. Use compatible character encodings when performing network or file I/O
Recommendations:
● FIO00-PL. Do not use bareword file handles
● FIO01-PL. Do not operate on files that can be modified by untrusted users
Miscellaneous (MSC)
Rules:
● MSC30-PL. Do not use comma to separate statements
● MSC31-PL. Do not embed global statements
● MSC32-PL. Do not provide a module's version value from outside the module
Recommendations:
● MSC00-PL. Detect and remove dead code
● MSC01-PL. Detect and remove unused variables
● MSC02-PL. Run programs with full warnings and strict checking
Common Weakness Enumeration (CWE)
● Community-maintained database of known causes of vulnerabilities
● Think of it as a lessons learned knowledge base
● It’s huge
● It covers many languages including Perl
https://cwe.mitre.org/
Common Weakness Enumeration (CWE) links
● Top 25 Most Dangerous Software Weaknesses
  https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
● Weaknesses Addressed by the SEI CERT Perl Coding Standard
  https://cwe.mitre.org/data/definitions/1178.html
● and many others – have a look around
OWASP Top 10 Web Application Security Risks
● Maintained by OWASP Open Web Application Security Project
● list updated occasionally on multiple-year cycle
  ● 2017 edition is current as of March 2021
● Not specific to any programming language
● Specific to web applications
  ● often applicable to networking beyond just web applications
https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-top-ten/2017/
OWASP Top 10
● A1:2017-Injection
● A2:2017-Broken Authentication
● A3:2017-Sensitive Data Exposure
● A4:2017-XML External Entities (XXE)
● A5:2017-Broken Access Control
● A6:2017-Security Misconfiguration
● A7:2017-Cross-Site Scripting (XSS)
● A8:2017-Insecure Deserialization
● A9:2017-Using Components with Known Vulnerabilities
● A10:2017-Insufficient Logging & Monitoring
Conclusion
● These were some useful resources for
  ● writing new code
  ● maintaining existing code
  ● code reviews
● There are many more resources out there
● Remember: implementing security costs less the earlier you bring it into the development process
  ● It can be very difficult or impossible to add it if it was not considered early enough in a project
Q&A
Questions?
Recommendations?
Discussion?
