📄 audit.html
字号:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><title>SQLite Security Audit Procedure</title><style type="text/css">body { margin: auto; font-family: "Verdana" "sans-serif"; padding: 8px 1%;}a { color: #45735f }a:visited { color: #734559 }.logo { position:absolute; margin:3px; }.tagline { float:right; text-align:right; font-style:italic; width:240px; margin:12px; margin-top:58px;}.toolbar { font-variant: small-caps; text-align: center; line-height: 1.6em; margin: 0; padding:1px 8px;}.toolbar a { color: white; text-decoration: none; padding: 6px 12px; }.toolbar a:visited { color: white; }.toolbar a:hover { color: #80a796; background: white; }.content { margin: 5%; }.content dt { font-weight:bold; }.content dd { margin-bottom: 25px; margin-left:20%; }.content ul { padding:0px; padding-left: 15px; margin:0px; }/* rounded corners */.se { background: url(images/se.png) 100% 100% no-repeat #80a796}.sw { background: url(images/sw.png) 0% 100% no-repeat }.ne { background: url(images/ne.png) 100% 0% no-repeat }.nw { background: url(images/nw.png) 0% 0% no-repeat }</style><meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head><body><div><!-- container div to satisfy validator --><a href="index.html"><img class="logo" src="images/SQLite.gif" alt="SQLite Logo" border="0"></a><div><!-- IE hack to prevent disappearing logo--></div><div class="tagline">Small. Fast. Reliable.<br>Choose any three.</div><table width=100% style="clear:both"><tr><td> <div class="se"><div class="sw"><div class="ne"><div class="nw"> <div class="toolbar"> <a href="about.html">About</a> <a href="sitemap.html">Sitemap</a> <a href="docs.html">Documentation</a> <a href="download.html">Download</a> <a href="copyright.html">License</a> <a href="news.html">News</a> <a href="http://www.sqlite.org/cvstrac/index">Developers</a> <a href="support.html">Support</a> </div></div></div></div></div></td></tr></table> <p>A security audit for SQLite consists of two components. First, there isa check for common errors that often lead to security problems. Second,an attempt is made to construct a proof that SQLite has certain desirablesecurity properties.</p><h2>Part I: Things to check</h2><p>Scan all source code and check for the following common errors:</p><ol><li><p>Verify that the destination buffer is large enough to hold its resultin every call to the following routines:<ul><li> <b>strcpy()</b> </li><li> <b>strncpy()</b> </li><li> <b>strcat()</b> </li><li> <b>memcpy()</b> </li><li> <b>memset()</b> </li><li> <b>memmove()</b> </li><li> <b>bcopy()</b> </li><li> <b>sprintf()</b> </li><li> <b>scanf()</b> </li></ul></p></li><li><p>Verify that pointers returned by subroutines are not NULL before usingthe pointers. In particular, make sure the return values for the followingroutines are checked before they are used:<ul><li> <b>malloc()</b> </li><li> <b>realloc()</b> </li><li> <b>sqliteMalloc()</b> </li><li> <b>sqliteRealloc()</b> </li><li> <b>sqliteStrDup()</b> </li><li> <b>sqliteStrNDup()</b> </li><li> <b>sqliteExpr()</b> </li><li> <b>sqliteExprFunction()</b> </li><li> <b>sqliteExprListAppend()</b> </li><li> <b>sqliteResultSetOfSelect()</b> </li><li> <b>sqliteIdListAppend()</b> </li><li> <b>sqliteSrcListAppend()</b> </li><li> <b>sqliteSelectNew()</b> </li><li> <b>sqliteTableNameToTable()</b> </li><li> <b>sqliteTableTokenToSrcList()</b> </li><li> <b>sqliteWhereBegin()</b> </li><li> <b>sqliteFindTable()</b> </li><li> <b>sqliteFindIndex()</b> </li><li> <b>sqliteTableNameFromToken()</b> </li><li> <b>sqliteGetVdbe()</b> </li><li> <b>sqlite_mprintf()</b> </li><li> <b>sqliteExprDup()</b> </li><li> <b>sqliteExprListDup()</b> </li><li> <b>sqliteSrcListDup()</b> </li><li> <b>sqliteIdListDup()</b> </li><li> <b>sqliteSelectDup()</b> </li><li> <b>sqliteFindFunction()</b> </li><li> <b>sqliteTriggerSelectStep()</b> </li><li> <b>sqliteTriggerInsertStep()</b> </li><li> <b>sqliteTriggerUpdateStep()</b> </li><li> <b>sqliteTriggerDeleteStep()</b> </li></ul></p></li><li><p>On all functions and procedures, verify that pointer parameters are not NULLbefore dereferencing those parameters.</p></li><li><p>Check to make sure that temporary files are opened safely: that the processwill not overwrite an existing file when opening the temp file and thatanother process is unable to substitute a file for the temp file beingopened.</p></li></ol><h2>Part II: Things to prove</h2><p>Prove that SQLite exhibits the characteristics outlined below:</p><ol><li><p>The following are preconditions:</p><p><ul><li><b>Z</b> is an arbitrary-length NUL-terminated string.</li><li>An existing SQLite database has been opened. The return value from the call to <b>sqlite_open()</b> is stored in the variable <b>db</b>.</li><li>The database contains at least one table of the form:<blockquote><pre>CREATE TABLE t1(a CLOB);</pre></blockquote></li><li>There are no user-defined functions other than the standard build-in functions.</li></ul></p><p>The following statement of C code is executed:</p><blockquote><pre>sqlite_exec_printf( db, "INSERT INTO t1(a) VALUES('%q');", 0, 0, 0, Z);</pre></blockquote><p>Prove the following are true for all possible values of string <b>Z</b>:</p><ol type="a"><li><p>The call to <b>sqlite_exec_printf()</b> willreturn in a length of time that is a polynomial in <b>strlen(Z)</b>.It might return an error code but it will not crash.</p></li><li><p>At most one new row will be inserted into table t1.</p></li><li><p>No preexisting rows of t1 will be deleted or modified.</p></li><li><p>No tables other than t1 will be altered in any way.</p></li><li><p>No preexisting files on the host computers filesystem, other thanthe database file itself, will be deleted or modified.</p></li><li><p>For some constants <b>K1</b> and <b>K2</b>,if at least <b>K1*strlen(Z) + K2</b> bytes of contiguous memory areavailable to <b>malloc()</b>, then the call to <b>sqlite_exec_printf()</b>will not return SQLITE_NOMEM.</p></li></ol></p></li><li><p>The following are preconditions:<p><ul><li><b>Z</b> is an arbitrary-length NUL-terminated string.</li><li>An existing SQLite database has been opened. The return value from the call to <b>sqlite_open()</b> is stored in the variable <b>db</b>.</li><li>There exists a callback function <b>cb()</b> that appends all information passed in through its parameters into a single data buffer called <b>Y</b>.</li><li>There are no user-defined functions other than the standard build-in functions.</li></ul></p><p>The following statement of C code is executed:</p><blockquote><pre>sqlite_exec(db, Z, cb, 0, 0);</pre></blockquote><p>Prove the following are true for all possible values of string <b>Z</b>:</p><ol type="a"><li><p>The call to <b>sqlite_exec()</b> willreturn in a length of time which is a polynomial in <b>strlen(Z)</b>.It might return an error code but it will not crash.</p></li><li><p>After <b>sqlite_exec()</b> returns, the buffer <b>Y</b> will not containany content from any preexisting file on the host computers file system,except for the database file.</p></li><li><p>After the call to <b>sqlite_exec()</b> returns, the database file willstill be well-formed. It might not contain the same data, but it willstill be a properly constructed SQLite database file.</p></li><li><p>No preexisting files on the host computers filesystem, other thanthe database file itself, will be deleted or modified.</p></li><li><p>For some constants <b>K1</b> and <b>K2</b>,if at least <b>K1*strlen(Z) + K2</b> bytes of contiguous memory areavailable to <b>malloc()</b>, then the call to <b>sqlite_exec()</b>will not return SQLITE_NOMEM.</p></li></ol></p></li></ol><hr><small><i>This page last modified 2007/11/12 14:15:19 UTC</i></small></div></body></html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -