The principle of fail-safe defaults. If you've ever watched any of the old Cold War movies where the bombers are getting ready to attack, the bombers fly to a certain point and then they stop, and they cannot proceed beyond that point unless they are given a direct instruction to proceed. They call those points the fail-safe points, because that way, if communication breaks down, the bombers will stay where they are and not attack. That's an example of fail-safe defaults. Fail-safe defaults in the computer world cover two things. The first one is: by default, deny access. Deny, deny, deny. Explicitly give permissions. That way, someone who's reading a program understands exactly what permissions are being given. Furthermore, if you grant permission by default and then turn it off, well, you may forget to turn it off. We see this a lot when people leave companies: often companies will leave accounts active for quite a while even though the worker is no longer there. Now, that one pretty much everyone knows. Or I should say, that's the obvious statement of the principle.

A much less obvious one is: what happens when failure occurs? The system should always fail safe, in the sense that when failure occurs, the system is just as secure as when the process that failed began. So in other words, in failing, you don't give away any information or privileges. Now, here's a very good example of this. Your program is going to pass input to a second program that's going to act based on the input, and you have metacharacters: single quote, double quote, dollar sign, exclamation point, question mark, and so forth. For example, the second program treats the vertical bar as a command separator, a pipe. And letters, digits, and hyphens will not cause these special actions, and you know that. But those other characters are the ones that, as of now, cause special actions.
The question is, when you get a command right from the command line, how do you sanitize it, or make it safe, before you pass it on to the second program? And the answer is to apply the principle of fail-safe defaults. Basically, what you do, instead of accepting characters and then checking to see whether or not any of them are in that list of metacharacters, is check to see if the only characters you have in the input stream are letters, digits, and hyphen. The advantage to this is, if somebody adds a new metacharacter, say for example ampersand, you won't have to worry about it, because you're not checking for ampersands, you're checking for letters, digits, and hyphens. This in fact did happen on a system at one point. When a new metacharacter was added, the server didn't check for it because it didn't know that it had been added, and as a result, you could get into the system quite easily until the problem got fixed.
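As an added illustration (not code from the lecture), here is the letters-digits-hyphen check the passage describes, side by side with the metacharacter denylist it replaces, in Python. The program name `lookup-user`, the sample inputs, and the choice of `&` as the "newly added" metacharacter are assumptions for the example.

```python
import re
from typing import Callable, List, Optional

# Denylist: the metacharacters the lecture names for the second program
# (quote, double quote, dollar, bang, question mark, pipe). It is only as
# complete as our knowledge of that program's parser on the day we wrote it.
DENYLIST = set("'\"$!?|")

# Allowlist (fail-safe default): enumerate only what is known to be inert.
# fullmatch is used without ^/$ because '$' can match before a trailing
# newline, which would let "abc\n" slip through an anchored regex.
ALLOWED = re.compile(r"[A-Za-z0-9-]+")


def denylist_check(arg: str) -> bool:
    """Reject only characters we know are special; anything unknown passes."""
    return not any(ch in DENYLIST for ch in arg)


def allowlist_check(arg: str) -> bool:
    """Accept only letters, digits and hyphen; everything else is denied."""
    return ALLOWED.fullmatch(arg) is not None


def build_command(arg: str,
                  validator: Callable[[str], bool] = allowlist_check
                  ) -> Optional[List[str]]:
    """Return argv for the second program, or None (deny) if validation fails.

    Two fail-safe points: the default validator denies anything not on the
    allowlist, and any error raised *inside* validation also results in a
    denial rather than passing the input along.  The argv list form means
    no shell re-parses the argument even when the check passes.
    """
    try:
        ok = validator(arg)
    except Exception:
        ok = False  # failure in the check must not grant anything
    if not ok:
        return None
    return ["lookup-user", arg]  # hypothetical second program


if __name__ == "__main__":
    # Constructed inputs: a benign name, a pipe, and the "new" metacharacter.
    for sample in ["alice-01", "a|b", "a&b", "abc\n"]:
        print(repr(sample),
              "denylist ->", build_command(sample, denylist_check),
              "allowlist ->", build_command(sample))
```

With the denylist, `a&b` and `abc\n` are handed to the second program untouched; with the allowlist they are refused, and so is a non-string argument that makes the check itself raise.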