计算机专业毕业设计论文说明书外文翻译中英对照Word格式文档下载.docx
《计算机专业毕业设计论文说明书外文翻译中英对照Word格式文档下载.docx》由会员分享,可在线阅读,更多相关《计算机专业毕业设计论文说明书外文翻译中英对照Word格式文档下载.docx(9页珍藏版)》请在冰豆网上搜索。
cannotdo,andaresafety-relateddeficiencies.Thisshortingcanbeamatterofdesign,coderealizationoftheproblem.
Differentperspectiveofsecurityloopholes
Intheclassificationofaspecificprocedureissafefromthemanyloopholesinclassification.
1.Classificationfromtheusergroups:
●Publicloopholesinthesoftwarecategory.IftheloopholesinWindows,IEloophole,andsoon.
●specializedsoftwareloophole.IfOracleloopholes,Apache,etc.loopholes.
2.Datafromtheperspectiveinclude:
●couldnotreasonablybereadandreaddata,includingthememoryofthedata,documentsthedata,Usersinputdata,thedatainthedatabase,network,datatransmissionandsoon.
●designatedcanbewrittenintothedesignatedplaces(includingthelocalpaper,memory,databases,etc.)
●Inputdatacanbeimplemented(includingnativeimplementation,accordingtoShellcodeexecution,bySQLcodeexecution,etc.)
3.Fromthepointofviewofthescopeoftheroleare:
●Remoteloopholes,anattackercouldusethenetworkanddirectlythroughtheloopholesintheattack.Suchloopholesgreatharm,anattackercancreatealoopholethroughotherpeople'
sputersoperate.SuchloopholesandcaneasilyleadtowormattacksonWindows.
●Localloopholes,theattackermusthavethemachinepremiseaccesspermissionscanbelaunchedtoattacktheloopholes.Typicalofthelocalauthoritytoupgradeloopholes,loopholesintheUnixsystemarewidespread,allowordinaryuserstoaccessthehighestadministratorprivileges.
4.Triggerconditionsfromthepointofviewcanbedividedinto:
●Initiativetriggerloopholes,anattackercantaketheinitiativetousetheloopholesintheattack,Ifdirectaccesstoputers.
●Passivetriggerloopholesmustbeputeroperatorscanbecarriedoutattackswiththeuseoftheloophole.Forexample,theattackermadetoamailadministrator,withaspecialjpgimagefiles,iftheadministratortoopenimagefileswillleadtoapictureofthesoftwareloopholewastriggered,therebysystemattacks,butifmanagersdonotlookatthepictureswillnotbeaffectedbyattacks.
5.Onanoperationalperspectivecanbedividedinto:
●Fileoperationtype,mainlyfortheoperationofthetargetfilepathcanbecontrolled(e.g.,parameters,configurationfiles,environmentvariables,thesymboliclinkHEC),thismayleadtothefollowingtwoquestions:
◇Contentcanbewrittenintocontrol,thecontentsofthedocumentscanbeforged.Upgradingorauthoritytodirectlyaltertheimportantdata(suchasrevisingthedepositandlendingdata),thishasmanyloopholes.IfhistoryOracleTNSLOGdocumentcanbedesignatedloopholes,couldleadtoanypersonmaycontroltheoperationoftheOracleputerservices;
◇informationcontentcanbeoutputPrintcontenthasbeencontainedtoascreentorecordreadablelogfilescanbegeneratedbythecoreusersreadingpapers,SuchloopholesinthehistoryoftheUnixsystemcrontabsubsystemseenmanytimes,ordinaryuserscanreadtheshadowofprotecteddocuments;
●Memorycoverage,mainlyformemorymodulescanbespecified,writecontentmaydesignatesuchpersonswillbeabletoattacktoenforcethecode(bufferoverflow,formatstringloopholes,PTraceloopholes,Windows2000historyofthehardwaredebuggingregistersuserscanwriteloopholes),ordirectlyalterthememoryofsecretsdata.
●logicerrors,suchwidegapsexist,butveryfewchanges,soitisdifficulttodiscern,canbebrokendownasfollows:
◇loopholespetitiveconditions(usuallyforthedesign,typicalofPtraceloopholes,Theexistenceofwidespreaddocumenttimingofpetition)◇wrongtactic,usuallyindesign.IfthehistoryoftheFreeBSDSmartIOloopholes.◇Algorithm(usuallycodeordesigntoachieve),IfthehistoryofMicrosoftWindows95/98sharingpasswordcaneasilyaccessloopholes.◇Imperfectionsofthedesign,suchasTCP/IPprotocolofthethree-stephandshakeSYNFLOODledtoadenialofserviceattack.◇realizethemistakes(usuallynoproblemforthedesign,butthepresenceofcodinglogicwrong,Ifhistorybettingsystempseudo-randomalgorithm)
●Externalorders,Typicalofexternalmandscanbecontrolled(viathePATHvariable,SHELLimportationofspecialcharacters,etc.)andSQLinjectionissues.
6.Fromtimeseriescanbedividedinto:
●haslongfoundloopholes:
manufacturersalreadyissuedapatchorrepairmethodsmanypeopleknowalready.Suchloopholesareusuallyalotofpeoplehavehadtorepairmacroperspectiveharmrathersmall.
●recentlydiscoveredloophole:
manufacturersjustmadepatchorrepairmethods,thepeoplestilldonotknowmore.paredtogreaterdangerloopholes,ifthewormappearedfoolortheuseofprocedures,sowillresultinalargenumberofsystemshavebeenattacked.
●0day:
notopentheloopholeintheprivatetransactions.Usuallysuchloopholestothepublicwillnothaveanyimpact,butitwillallowanattackertothetargetbyaimingprecisionattacks,harmisverygreat.
Differentperspectiveontheuseoftheloopholes
Ifadefectshouldnotbeusedtostemthe"
original"
cannotdowhatthe(safety-related),onewouldnotbecalledsecurityvulnerability,securityloopholesandgapsinevitablycloselylinkedtouse.
Perspectiveuseoftheloopholesis:
●DataPerspective:
visithadnotvisitedthedata,includingreadingandwriting.Thisisusuallyanattacker'
scorepurpose,butcancauseveryseriousdisaster(suchasbankingdatacanbewritten).
●petencePerspective:
MajorPowerstobypassorpermissions.Permissionsareusuallyinordertoobtainthedesireddatamanipulationcapabilities.
●Usabilityperspective:
accesstocertainservicesonthesystemofcontrolauthority,thismayleadtosomeimportantservicestostopattacksandleadtoadenialofserviceattack.
●Authenticationbypass:
usuallyusecertificationsystemandtheloopholeswillnotauthorizetoaccess.Authenticationisusuallybypassedforpermissionsordirectdataaccessservices.
●Codeexecutionperspective:
mainlyproceduresfortheimportationofthecontentsastoimplementthecode,obtainremotesystemaccesspermissionsorlocalsystemofhigherauthority.ThisangleisSQLinjection,memorytypegamespointerloopholes(bufferoverflow,formatstring,Plasticoverflowetc.),themaindriving.Thisangleisusuallybypassingtheauthenticationsystem,permissions,anddatapreparationforthereading.
Loopholesexploremethodsmust
FirstremovesecurityvulnerabilitiesinsoftwareBUGinasubset,allsoftwaretestingtoolshavesecurityloopholestoexplorepractical.Nowthatthe"
hackers"
usedtoexplorethevariousloopholesthattherearemeansavailabletothemodelare:
●fuzztesting(blackboxtesting),byconstructingproceduresmayleadtoproblemsofstructuralinputdataforautomatictesting.
●FOSSaudit(WhiteBox),nowhaveaseriesoftoolsthatcanassistinthedetectionofthesafetyproceduresBUG.ThemostsimpleisyourhandsthelatestversionoftheClanguagepiler.
●IDAanti-pilationoftheaudit(grayboxtesting),andabovethesourceauditareverysimilar.Theonlydifferenceisthatmanytimesyoucanobtainsoftware,butyoucannotgettothesourcecodeaudit,ButIDAisaverypowerfulanti-Seriesplatform,letyoubasedonthecode(thesourcecodeisinfactequivalent)conductedasafetyaudit.
●dynamictracking,istherecordofproceedingsunderdifferentconditionsandtheimplementationofallsecurityissuesrelatedtotheoperation(suchasfileoperations),thensequenceanalysisoftheseoperationsifthereareproblems,itispetitivecategoryloopholesfoundoneofthemajorways.Othertrackingtaintedspreadalsobelongstothiscategory.
●patch,thesoftwaremanufacturersoutofthequestionusuallyaddressedinthepatch.Byparingthepatchbeforeandafterthesourcedocument(ortheanti-coding)tobeawareofthespecificdetailsofloopholes.
Moretoolswithwhichbothrelatetoacrucialpoint:
Artificialneedtofindaprehensiveanalysisoftheflowpathcoverage.Analysismethodsvariedanalysisanddesigndocuments,sourcecodeanalysis,analysisoftheanti-codepilation,dynamicdebuggingprocedures.
Gradingloopholes
loopholesintheinspectionharmshouldclosetheloopholesandtheuseofthehazardsrelatedOftenpeoplearenotawareofalltheBufferOverflowVulnerabilityloopholesarehigh-risk.Along-distanceloopholeexampleandbetterdelineation:
●RemoteaccesscanbeanOS,applicationprocedures,versioninformation.
●openunnecessaryordangerousintheservice,remoteaccesstosensitiveinformationsystems.
●Remotecanberestrictedforthedocuments,datareading.
●remotelyimportantorrestricteddocuments,datareading.
●maybelimitedforlong-rangedocument,datarevisions.
●Remotecanberestrictedforimportantdocuments,datachanges.
●Remotecanbeconductedwithoutlimitationintheimportantdocuments,datachanges,or