Computer Science Graduation Thesis: Foreign-Language Translation (Word format).docx
Uploaded: 2023-01-02
cannot do, and are security-related defects. Such a defect can be a matter of design or of code implementation.
Different perspectives on security vulnerabilities
The security vulnerabilities of a specific program can be classified from many perspectives.
1. Classification by user group:
● Vulnerabilities in general-purpose software, such as vulnerabilities in Windows, in IE, and so on.
● Vulnerabilities in specialized software, such as Oracle vulnerabilities, Apache vulnerabilities, etc.
2. From the data perspective:
● Data that should not be readable can be read, including data in memory, file data, user input data, data in databases, data transmitted over the network, and so on.
● Specified content can be written to specified locations (including local files, memory, databases, etc.).
● Input data can be executed (including native code execution, execution as shellcode, execution as SQL code, etc.).
3. From the perspective of scope:
● Remote vulnerabilities: an attacker can exploit the vulnerability directly over the network. Such vulnerabilities are very harmful, because through them an attacker can gain control of other people's computers; on Windows they also easily lead to worm attacks.
● Local vulnerabilities: the attacker must already have access to the machine before the vulnerability can be attacked. Typical are local privilege-escalation vulnerabilities, which are widespread on Unix systems and allow ordinary users to obtain the highest administrator privileges.
4. From the perspective of trigger conditions:
● Actively triggered vulnerabilities: the attacker can use the vulnerability on their own initiative, for example by accessing the computer directly.
● Passively triggered vulnerabilities: an attack can only be carried out with the participation of the computer's operator. For example, the attacker sends the administrator a mail containing a specially crafted jpg image file; if the administrator opens the image file, a vulnerability in the image-viewing software is triggered and the system is attacked, but if the administrator does not look at the picture, the attack has no effect.
5. From the operational perspective:
● File-operation type: mainly when the path of the file being operated on can be controlled (through parameters, configuration files, environment variables, symbolic links, etc.), which may lead to the following two problems:
◇ The written content can be controlled, so file contents can be forged. This can escalate privileges or directly alter important data (such as modifying deposit and loan records); there are many such vulnerabilities, for example the historical Oracle vulnerability in which the TNS LOG file could be specified, which could let anyone take control of the computer running the Oracle service;
◇ Information content can be output: content is printed to the screen, recorded in a readable log file, or dumped into a core file that users can read. Such vulnerabilities have been seen many times in the history of the Unix crontab subsystem, letting ordinary users read the protected shadow file;
● Memory overwrite: mainly when the memory location and the content written can be specified, which lets an attacker execute code (buffer overflows, format string vulnerabilities, PTrace vulnerabilities, the historical Windows 2000 vulnerability in which users could write the hardware debug registers), or directly alter secret data in memory.
● Logic errors: such vulnerabilities are widespread, but there are few common patterns, so they are hard to discern; they can be broken down as follows:
◇ Race-condition vulnerabilities (usually in the design; typical are the Ptrace vulnerabilities and the widespread file-timing races).
◇ Wrong policy, usually in the design, such as the historical FreeBSD SmartIO vulnerabilities.
◇ Algorithm problems (usually in the code or design), such as the historical Microsoft Windows 95/98 vulnerability that let share passwords be obtained easily.
◇ Design imperfections, such as the SYN FLOOD denial-of-service attack against the TCP/IP three-way handshake.
◇ Implementation errors (usually no problem in the design, but the coding logic is wrong, such as the historical pseudo-random algorithm of a betting system).
● External commands: typically, external commands can be controlled (through the PATH variable, special characters passed into the SHELL, etc.), and SQL injection issues.
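As an added illustration of the file-operation type described above (example code written for this page, not taken from the original text), a log writer whose target path is taken from an environment variable, beside a hardened version that confines the path to one directory and refuses symbolic links. The APP_LOG variable, LOG_DIR, the function names and a POSIX system are assumptions.

```python
import os
import tempfile

# Constructed scenario: an application log directory and a writer whose target path
# can be controlled from the environment (the "file path can be controlled" case).
LOG_DIR = tempfile.mkdtemp(prefix="applog_")  # assumed log directory

def write_log_unsafe(message: str) -> str:
    """Vulnerable: APP_LOG fully controls the path, so a forged line can be appended anywhere."""
    path = os.environ.get("APP_LOG", os.path.join(LOG_DIR, "app.log"))
    with open(path, "a") as fh:
        fh.write(message + "\n")
    return path

def resolve_log_path(name: str, base: str = LOG_DIR) -> str:
    """Hardened check: bare file name only, and the resolved path must stay directly inside base."""
    if not name or os.sep in name or name in (".", ".."):
        raise ValueError("log name must be a bare file name")
    real_base = os.path.realpath(base)
    path = os.path.realpath(os.path.join(real_base, name))  # follows symlinks
    if os.path.dirname(path) != real_base:
        raise ValueError("log path escapes the log directory")
    return path

def is_allowed_log_name(name: str) -> bool:
    try:
        return bool(resolve_log_path(name))
    except ValueError:
        return False

def write_log_safe(message: str, name: str = "app.log") -> str:
    """Hardened writer: validated path plus O_NOFOLLOW, so a symlink planted
    between the check and the open cannot redirect the write (file-timing race)."""
    path = resolve_log_path(name)
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(message + "\n")
    return path

def demo_controlled_path() -> bool:
    """Point APP_LOG outside LOG_DIR; True if the unsafe writer followed it there."""
    outside = os.path.join(tempfile.mkdtemp(prefix="elsewhere_"), "victim.txt")
    os.environ["APP_LOG"] = outside
    written = write_log_unsafe("forged entry")
    del os.environ["APP_LOG"]
    return not written.startswith(LOG_DIR + os.sep)

def demo_symlink_refused() -> bool:
    """Plant a symlink in LOG_DIR pointing outside; the hardened check must refuse it."""
    target = os.path.join(tempfile.mkdtemp(prefix="elsewhere_"), "secret.txt")
    os.symlink(target, os.path.join(LOG_DIR, "link.log"))
    return not is_allowed_log_name("link.log")
```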
6. From the perspective of time:
● Long-known vulnerabilities: the vendor has already issued a patch or repair method, and many people already know about them. Such vulnerabilities have usually been repaired by most people, so from a macro perspective the harm is rather small.
● Recently discovered vulnerabilities: the vendor has only just released a patch or repair method, and most people do not yet know about them. These are more dangerous; if a worm or an easy-to-use exploit program appears, a large number of systems will be attacked.
● 0day: undisclosed vulnerabilities traded privately. Usually such vulnerabilities have no impact on the public at large, but they allow an attacker to carry out precisely aimed attacks on a chosen target, so the harm is very great.
Different perspectives on the exploitation of vulnerabilities
If a defect cannot be used to do what one "originally" could not do (in a security-related sense), it would not be called a security vulnerability; security vulnerabilities are inevitably closely linked to their exploitation.
The perspectives on exploitation are:
● Data perspective: accessing data that could not be accessed before, including reading and writing. This is usually an attacker's core purpose, and it can cause very serious disasters (for example, bank data becoming writable).
● Privilege perspective: mainly bypassing or escalating permissions. Permissions are usually obtained in order to gain the desired ability to manipulate data.
● Availability perspective: obtaining control over certain services on the system, which may allow important services to be stopped and lead to a denial-of-service attack.
● Authentication bypass: usually exploiting vulnerabilities in the authentication system to access what one is not authorized to access. Authentication is usually bypassed in order to obtain permissions or direct access to data or services.
● Code execution perspective: mainly getting the program to execute its input as code, in order to obtain access to a remote system or higher privileges on a local system. This angle is the main driver behind SQL injection and memory pointer vulnerabilities (buffer overflows, format strings, integer overflows, etc.). It is usually the preparation for bypassing authentication, gaining permissions and reading data.
Vulnerability discovery methods
First, security vulnerabilities are a subset of software bugs, so all software testing tools are practical for vulnerability discovery. The means that "hackers" currently use to discover various vulnerabilities can be modelled as:
● Fuzz testing (black-box testing): automated testing by constructing structured input data that may cause the program problems.
● Source code audit (white box): there is now a series of tools that can assist in detecting security bugs in programs. The simplest is the latest version of the C compiler in your hands.
● IDA disassembly audit (gray-box testing): very similar to the source code audit above. The only difference is that often you can obtain the software but cannot get the source code to audit; IDA, however, is a very powerful disassembly platform that lets you conduct a security audit based on the disassembled code (which is in fact equivalent to the source code).
● Dynamic tracing: recording all security-relevant operations (such as file operations) that the program performs under different conditions, then analysing the sequence of these operations for problems; this is one of the main ways race-condition vulnerabilities are found. Taint-propagation tracking also belongs to this category.
● Patch comparison: software vendors usually fix problems in patches. By comparing the source code (or disassembly) before and after the patch, one can learn the specific details of the vulnerability.
Whichever tools are used, all of them involve one crucial point: manual analysis is needed to achieve comprehensive coverage of the program's execution paths. The analysis methods vary: analysis of design documents, source code analysis, analysis of disassembled code, and dynamic debugging of the program.
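As an added example of the dynamic-tracing method listed above (code written for this page, not taken from the original text or from any tracing tool), a small analyser that scans a constructed, strace-style trace of file operations for check-then-use sequences on the same path name, the file-timing race pattern the text refers to. The trace lines, the sets of check and use operations, and the function names are assumptions.

```python
import re

# Constructed sample trace in an strace-like 'op("path", ...) = result' style; it is
# not real program output. Each line is one recorded security-relevant operation.
SAMPLE_TRACE = """\
access("/tmp/report.txt", W_OK) = 0
open("/etc/app.conf", O_RDONLY) = 3
open("/tmp/report.txt", O_WRONLY|O_CREAT) = 4
stat("/var/run/app.pid", {st_mode=S_IFREG|0644}) = 0
write(4, "data", 4) = 4
unlink("/var/run/app.pid") = 0
lstat("/home/u/upload.png", {st_mode=S_IFREG|0644}) = 0
open("/home/u/upload.png", O_RDONLY) = 5
"""

# Operations that only inspect a path (checks) and operations that act on it (uses).
CHECK_OPS = {"access", "stat", "lstat", "readlink"}
USE_OPS = {"open", "unlink", "rename", "chmod", "chown", "truncate"}
LINE_RE = re.compile(r'^(\w+)\("([^"]+)"')

def parse_trace(text):
    """Yield (line_no, op, path) for every trace line whose first argument is a path."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m:
            yield line_no, m.group(1), m.group(2)

def find_toctou(text, max_gap=5):
    """Report check-then-use pairs on the same path within max_gap trace lines.
    A check (access/stat/...) followed by a use (open/unlink/...) on the same path
    name, rather than on a handle obtained by the check, leaves a window in which
    the path can be swapped (e.g. for a symlink): the classic file-timing race."""
    last_check = {}
    findings = []
    for line_no, op, path in parse_trace(text):
        if op in CHECK_OPS:
            last_check[path] = (line_no, op)
        elif op in USE_OPS and path in last_check:
            check_line, check_op = last_check.pop(path)
            if line_no - check_line <= max_gap:
                findings.append((path, check_op, op, check_line, line_no))
    return findings

if __name__ == "__main__":
    for path, chk, use, a, b in find_toctou(SAMPLE_TRACE):
        print(f"possible race on {path}: {chk} at line {a}, then {use} at line {b}")
```

Real traces would come from a tool such as strace or a debugger hook; the pairing rule is the same, and lowering max_gap narrows the report to the tightest windows.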
Grading vulnerabilities
Assessing the harm of a vulnerability should be closely tied to the harm its exploitation can cause. People are often unaware that not all buffer overflow vulnerabilities are high-risk. Taking remote vulnerabilities as an example, a better delineation is:
● The OS, application and version information can be obtained remotely.
● Unnecessary or dangerous services are open; sensitive system information can be accessed remotely.
● Restricted reading of files and data is possible remotely.
● Important or restricted files and data can be read remotely.
● Restricted modification of files and data is possible remotely.
● Restricted modification of important files and data is possible remotely.
● Remote can be conducted without limitation