计算机安全漏洞中英文对照外文翻译文献.docx

计算机安全漏洞中英文对照外文翻译文献.docx

《计算机安全漏洞中英文对照外文翻译文献.docx》由会员分享，可在线阅读，更多相关《计算机安全漏洞中英文对照外文翻译文献.docx（13页珍藏版）》请在冰豆网上搜索。

计算机安全漏洞中英文对照外文翻译文献

计算机安全漏洞中英文对照外文翻译文献

（文档含英文原文和中文翻译）

Talkingaboutsecurityloopholes

referencetothecorenetworksecuritybusinessobjectiveistoprotectthesustainabilityofthesystemanddatasecurity,Thistwoofthemainthreatscomefromthewormoutbreaks,hackingattacks,denialofserviceattacks,Trojanhorse.Worms,hackerattacksproblemsandloopholescloselylinkedto,ifthereismajorsecurityloopholeshaveemerged,theentireInternetwillbefacedwithamajorchallenge.WhiletraditionalTrojanandlittlesecurityloopholes,butrecentlymanyTrojanarecleveruseoftheIEloopholeletyoubrowsethewebsiteatunknowinglywereonthemove.

Securityloopholesinthedefinitionofalot,Ihavehereisapopularsaying:

canbeusedtostemthe"thought"cannotdo,andaresafety-relateddeficiencies.Thisshortcomingcanbeamatterofdesign,coderealizationoftheproblem.

Differentperspectiveofsecurityloopholes

Intheclassificationofaspecificprocedureissafefromthemanyloopholesinclassification.

1.Classificationfromtheusergroups:

●Publicloopholesinthesoftwarecategory.IftheloopholesinWindows,IEloophole,andsoon.

●specializedsoftwareloophole.IfOracleloopholes,Apache,etc.loopholes.

2.Datafromtheperspectiveinclude:

●couldnotreasonablybereadandreaddata,includingthememoryofthedata,documentsthedata,Usersinputdata,thedatainthedatabase,network,datatransmissionandsoon.

●designatedcanbewrittenintothedesignatedplaces（includingthelocalpaper,memory,databases,etc.）

●Inputdatacanbeimplemented（includingnativeimplementation,accordingtoShellcodeexecution,bySQLcodeexecution,etc.）

3.Fromthepointofviewofthescopeoftheroleare:

●Remoteloopholes,anattackercouldusethenetworkanddirectlythroughtheloopholesintheattack.Suchloopholesgreatharm,anattackercancreatealoopholethroughotherpeople'scomputersoperate.SuchloopholesandcaneasilyleadtowormattacksonWindows.

●Localloopholes,theattackermusthavethemachinepremiseaccesspermissionscanbelaunchedtoattacktheloopholes.Typicalofthelocalauthoritytoupgradeloopholes,loopholesintheUnixsystemarewidespread,allowordinaryuserstoaccessthehighestadministratorprivileges.

4.Triggerconditionsfromthepointofviewcanbedividedinto:

●Initiativetriggerloopholes,anattackercantaketheinitiativetousetheloopholesintheattack,Ifdirectaccesstocomputers.

●Passivetriggerloopholesmustbecomputeroperatorscanbecarriedoutattackswiththeuseoftheloophole.Forexample,theattackermadetoamailadministrator,withaspecialjpgimagefiles,iftheadministratortoopenimagefileswillleadtoapictureofthesoftwareloopholewastriggered,therebysystemattacks,butifmanagersdonotlookatthepictureswillnotbeaffectedbyattacks.

5.Onanoperationalperspectivecanbedividedinto:

●Fileoperationtype,mainlyfortheoperationofthetargetfilepathcanbecontrolled（e.g.,parameters,configurationfiles,environmentvariables,thesymboliclinkHEC）,thismayleadtothefollowingtwoquestions:

◇Contentcanbewrittenintocontrol,thecontentsofthedocumentscanbeforged.Upgradingorauthoritytodirectlyaltertheimportantdata（suchasrevisingthedepositandlendingdata）,thishasmanyloopholes.IfhistoryOracleTNSLOGdocumentcanbedesignatedloopholes,couldleadtoanypersonmaycontroltheoperationoftheOraclecomputerservices;

◇informationcontentcanbeoutputPrintcontenthasbeencontainedtoascreentorecordreadablelogfilescanbegeneratedbythecoreusersreadingpapers,SuchloopholesinthehistoryoftheUnixsystemcrontabsubsystemseenmanytimes,ordinaryuserscanreadtheshadowofprotecteddocuments;

●Memorycoverage,mainlyformemorymodulescanbespecified,writecontentmaydesignatesuchpersonswillbeabletoattacktoenforcethecode（bufferoverflow,formatstringloopholes,PTraceloopholes,Windows2000historyofthehardwaredebuggingregistersuserscanwriteloopholes）,ordirectlyalterthememoryofsecretsdata.

●logicerrors,suchwidegapsexist,butveryfewchanges,soitisdifficulttodiscern,canbebrokendownasfollows:

◇loopholescompetitiveconditions（usuallyforthedesign,typicalofPtraceloopholes,Theexistenceofwidespreaddocumenttimingofcompetition）◇wrongtactic,usuallyindesign.IfthehistoryoftheFreeBSDSmartIOloopholes.◇Algorithm（usuallycodeordesigntoachieve）,IfthehistoryofMicrosoftWindows95/98sharingpasswordcaneasilyaccessloopholes.◇Imperfectionsofthedesign,suchasTCP/IPprotocolofthethree-stephandshakeSYNFLOODledtoadenialofserviceattack.◇realizethemistakes（usuallynoproblemforthedesign,butthepresenceofcodinglogicwrong,Ifhistorybettingsystempseudo-randomalgorithm）

●Externalorders,Typicalofexternalcommandscanbecontrolled（viathePATHvariable,SHELLimportationofspecialcharacters,etc.）andSQLinjectionissues.

6.Fromtimeseriescanbedividedinto:

●haslongfoundloopholes:

manufacturersalreadyissuedapatchorrepairmethodsmanypeopleknowalready.Suchloopholesareusuallyalotofpeoplehavehadtorepairmacroperspectiveharmrathersmall.

●recentlydiscoveredloophole:

manufacturersjustmadepatchorrepairmethods,thepeoplestilldonotknowmore.Comparedtogreaterdangerloopholes,ifthewormappearedfoolortheuseofprocedures,sowillresultinalargenumberofsystemshavebeenattacked.

●0day:

notopentheloopholeintheprivatetransactions.Usuallysuchloopholestothepublicwillnothaveanyimpact,butitwillallowanattackertothetargetbyaimingprecisionattacks,harmisverygreat.

Differentperspectiveontheuseoftheloopholes

Ifadefectshouldnotbeusedtostemthe"original"cannotdowhatthe（safety-related）,onewouldnotbecalledsecurityvulnerability,securityloopholesandgapsinevitablycloselylinkedtouse.

Perspectiveuseoftheloopholesis:

●DataPerspective:

visithadnotvisitedthedata,includingreadingandwriting.Thisisusuallyanattacker'scorepurpose,butcancauseveryseriousdisaster（suchasbankingdatacanbewritten）.

●CompetencePerspective:

MajorPowerstobypassorpermissions.Permissionsareusuallyinordertoobtainthedesireddatamanipulationcapabilities.

●Usabilityperspective:

accesstocertainservicesonthesystemofcontrolauthority,thismayleadtosomeimportantservicestostopattacksandleadtoadenialofserviceattack.

●Authenticationbypass:

usuallyusecertificationsystemandtheloopholeswillnotauthorizetoaccess.Authenticationisusuallybypassedforpermissionsordirectdataaccessservices.

●Codeexecutionperspective:

mainlyproceduresfortheimportationofthecontentsastoimplementthecode,obtainremotesystemaccesspermissionsorlocalsystemofhigherauthority.ThisangleisSQLinjection,memorytypegamespointerloopholes（bufferoverflow,formatstring,Plasticoverflowetc.）,themaindriving.Thisangleisusuallybypassingtheauthenticationsystem,permissions,anddatapreparationforthereading.

Loopholesexploremethodsmust

FirstremovesecurityvulnerabilitiesinsoftwareBUGinasubset,allsoftwaretestingtoolshavesecurityloopholestoexplorepractical.Nowthatthe"hackers"usedtoexplorethevariousloopholesthattherearemeansavailabletothemodelare:

●fuzztesting（blackboxtesting）,byconstructingproceduresmayleadtoproblemsofstructuralinputdataforautomatictesting.

●FOSSaudit（WhiteBox）,nowhaveaseriesoftoolsthatcanassistinthedetectionofthesafetyproceduresBUG.ThemostsimpleisyourhandsthelatestversionoftheClanguagecompiler.

●IDAanti-compilationoftheaudit（grayboxtesting）,andabovethesourceauditareverysimilar.Theonlydifferenceisthatmanytimesyoucanobtainsoftware,butyoucannotgettothesourcecodeaudit,ButIDAisaverypowerfulanti-Seriesplatform,letyoubasedonthecode（thesourcecodeisinfactequivalent）conductedasafetyaudit.

●dynamictracking,istherecordofproceedingsunderdifferentconditionsandtheimplementationofallsecurityissuesrelatedtotheoperation（suchasfileoperations）,thensequenceanalysisoftheseoperationsifthereareproblems,itiscompetitivecategoryloopholesfoundoneofthemajorways.Othertrackingtaintedspreadalsobelongstothiscategory.

●patch,thesoftwaremanufacturersoutofthequestionusuallyaddressedinthepatch.Bycomparingthepatchbeforeandafterthesourcedocument（ortheanti-coding）tobeawareofthespecificdetailsofloopholes.

Moretoolswithwhichbothrelatetoacrucialpoint:

Artificialneedtofindacomprehensiveanalysisoftheflowpathcoverage.Analysismethodsvariedanalysisanddesigndocuments,sourcecodeanalysis,analysisoftheanti-codecompilation,dynamicdebuggingprocedures.

Gradingloopholes

loopholesintheinspectionharmshouldclosetheloopholesandtheuseofthehazardsrelatedOftenpeoplearenotawareofalltheBufferOverflowVulnerabilityloopholesarehigh-risk.Along-distanceloopholeexampleandbetterdelineation:

●RemoteaccesscanbeanOS,applicationprocedures,versioninformation.

●openunnecessaryordangerousintheservice,remoteaccesstosensitiveinformationsystems.

●Remotecanberestrictedforthedocuments,datareading.

●remotelyimportantorrestricteddocuments,datareading.

●maybelimitedforlong-rangedocument,datarevisions.

●Remotecanberestrictedforimportantdocuments,datachanges.

●Remotecanb