7.10. Fail Safe

A secure program should always “fail safe”, that is, it should be designed so that if the program does fail, the safest result should occur. For security-critical programs, that usually means that if some sort of misbehavior is detected (malformed input, reaching a “can’t get here” state, and so on), then the program should immediately deny service and stop processing that request. Don’t try to “figure out what the user wanted”: just deny the service. Sometimes this can decrease reliability or useability (from a user’s perspective), but it increases security. There are a few cases where this might not be desired (e.g., where denial of service is much worse than loss of confidentiality or integrity), but such cases are quite rare.

Note that I recommend “stop processing the request”, not “fail altogether”. In particular, most servers should not completely halt when given malformed input, because that creates a trivial opportunity for a denial of service attack (the attacker just sends garbage bits to prevent you from using the service). Sometimes taking the whole server down is necessary, in particular, reaching some “can’t get here” states may signal a problem so drastic that continuing is unwise.

Consider carefully what error message you send back when a failure is detected. if you send nothing back, it may be hard to diagnose problems, but sending back too much information may unintentionally aid an attacker. Usually the best approach is to reply with “access denied” or “miscellaneous error encountered” and then write more detailed information to an audit log (where you can have more control over who sees the information).