rlogin(1): The Untold Story
November 1998 • Technical Report
Members of the CERT/CC have analyzed coding defects with the goalof understanding each well enough to communicate the details to those responsible for fixing them and those responsible for installing their fixes (systems administrators). This report describes everything that members of the CERT/CC have learned and subsequentlysynthesized from analyzing the rlogin defect.
Software Engineering Institute
CMU/SEI Report Number
Coding defects account for a significant portion of the reports received by the CERT Coordination Center (CERT/CC). Through in-depth analysis of these reports and generalizing our findings from those analyses, we have begun to create guidelines for mitigation strategies for existing defects and avoidance strategies when coding new software. In this document, we report the results of our analysis of the well-known defect in the rlogin program. We discuss the coding defect in detail, three mitigation strategies devised to remedy the defect, and two avoidance strategies offered as a guide to reducing the instances of similar coding defects in new programs. We end with three design notes aimed at eliminating these defects at the hardware and protocol design level.