Details:
Note: I did not find any security holes, so take this article lightly. I welcome with open arms any better suggestions on organization and grammar for this article. Reports of any errors are urgently needed.
If a flawed program only misbehaves in extreme circumstances, then normally it is just a minor problem. Usually you only need to avoid that extreme case and the bug is not a problem. If you want to, you can reproduce the effect caused by the bug by programming it yourself.
But sometimes programs sit on a security boundary. They read input from parties that do not have the same privileges. Some examples: your mail reader reads input from whoever sent you mail, with privileges that are normally yours alone and not open to others. The TCP/IP stack of any computer connected to the Internet reads input from everyone on the net, and most of those people have no right to do anything on that machine.
Programs that do this must be designed carefully. Any flaw in them potentially allows someone else (an unauthorized user) to do things outside their privileges. A bug with this property is called a "hole", or more formally, a "vulnerability".
Here are some common categories of holes.
Structural:
When you write software, your goal is to make something possible when the user operates it correctly. When you write security-sensitive software, you must also make certain things impossible, no matter what an untrusted user does. This means that some parts of your program must behave correctly across a very wide range of circumstances.
Holes from change:
A large number of holes come from programs being run in different environments. What starts as a small problem, or even a convenience, eventually turns into a hole.
For example: suppose you have a script interpreter, originally designed to let you preview documents before printing. That is not a security-sensitive hole. The script interpreter has no powers that you yourself do not have. But if you use it to view documents from people you do not know, or even do not trust, the script interpreter suddenly becomes a threat. Someone can send you something that destroys your documents, or copies your files to a place where they can get at them.
This is the root of the problem in the TCP/IP stacks of most UNIX systems. They were developed on a network where people trusted one another, but now they are used by people on the net who should not be trusted.
This is also SENDMAIL's problem. Before it was audited, it was one continuous hole.
At a subtler level: as long as functions do not cross a trust boundary they are perfectly safe, but the moment one strays across, disaster begins. The function GETS() is an excellent example. You use GETS() to read input, simply providing a buffer a little larger than you expect to need. If you occasionally supply an overly large input, the pattern simply stops working, or the buffer may overflow.
But when the data comes from an untrusted source, GETS() can overflow the buffer and cause the program to do anything at all. A crash is the most common result, but you can usually craft the data carefully so that the program runs it as executable code.
This brings us to buffer overflow holes.
A buffer overflow happens when you write a string into an array and keep writing past the end of the array, overwriting whatever follows it.
Buffer overflow security problems can occur in the following situations:
* when reading directly into a buffer
* when copying from a large buffer into a smaller one
* when putting input from another process into a string buffer
Remember, when the input is trusted this is not a security hole, only a potential threat.
In most UNIX environments this is very messy: if the array is a local variable of a function, the return address may lie right after it on the stack. This seems to be a widely exploited hole; in the past few years thousands of holes of this nature have been found. Sometimes an overflow of a buffer elsewhere can also lead to a security hole, especially when it sits near function pointers or trusted data.
Examples are as follows:
* Dangerous functions with no bounds checking at all: strcpy, strlen, strcat, sprintf, gets;
* Dangerous functions with bounds checking: strncpy, snprintf. Some of these omit writing the zero byte at the end of the string. This lets other data be copied in later, and that data is often sensitive or crashes the program. strncat does not have this problem; I am not sure whether snprintf does, but strncpy certainly does.
* Misuse of strcat, which can write a zero byte past the end of the array.
* Crashes in security-sensitive programs. Every crash comes from a pointer bug, and pointer bugs in production code mostly come from buffer overflows.
* Try feeding security-sensitive programs large inputs: in environment variables (if they are untrusted), in command-line arguments (if they are untrusted), in untrusted files they read, over untrusted network connections.
Watch for crashes; if you can see the crash address, check whether it looks like your input.
* Incorrect bounds checking. If bounds checks are scattered over hundreds of lines of code rather than concentrated in two or three places, the chance of a mistake is enormous. One safe solution is to compile all security-sensitive programs with bounds checking.
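The strncpy termination problem from the list above, as an added example that is not part of the original article: the first function shows that strncpy() leaves no terminator when the source fills the destination, and copy_bounded() is a small bounded copy that always terminates and reports truncation instead of hiding it. All inputs are constructed.

```c
/* Added example, not from the original article: strncpy() leaves no
 * terminator when the source fills the destination, and a small bounded
 * copy that always terminates and reports truncation. Inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define BUF 8

/* Copy the way many callers do and report whether a NUL ended up inside
 * dst. Returns 1 if dst[0..BUF-1] contains a terminator, 0 if not. */
int strncpy_is_terminated(const char *src)
{
    char dst[BUF];
    memset(dst, 'X', sizeof dst);        /* make a missing NUL visible */
    strncpy(dst, src, sizeof dst);       /* writes exactly BUF bytes; no NUL if strlen(src) >= BUF */
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Bounded copy that always leaves a terminated string in dst.
 * Returns 0 on a full copy, 1 if src was truncated, -1 if dstsize is 0. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t srclen;
    if (dstsize == 0)
        return -1;
    srclen = strlen(src);
    if (srclen >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;                        /* truncated: the caller decides what to do */
    }
    memcpy(dst, src, srclen + 1);        /* includes the terminator */
    return 0;
}

/* Run copy_bounded into a BUF-byte buffer; return its result code if the
 * copied string equals expected, or -99 if it does not. */
int copy_bounded_demo(const char *src, const char *expected)
{
    char dst[BUF];
    int rc = copy_bounded(dst, sizeof dst, src);
    return strcmp(dst, expected) == 0 ? rc : -99;
}

int main(void)
{
    printf("strncpy, short source terminated: %d\n", strncpy_is_terminated("abc"));
    printf("strncpy, full source terminated:  %d\n", strncpy_is_terminated("12345678"));
    printf("copy_bounded of 8 chars into 8 bytes: rc=%d\n", copy_bounded_demo("12345678", "1234567"));
    return 0;
}
```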
The first bounds-checking work for GCC that I know of was done by Richard W. M. Jones and Paul Kelly, at:
http://www.doc.ic.ac.uk/~phjk/Bounds checking.html/
Greg McGary (gkm@eng.ascend.com) did other work, posted at http://www.cygnus.com/ml/egcs1998-MAY/0073.html.
Richard Jones and Herman ten Brugge did further work, posted at http://cygnus.com/ml/egcs/1998-May/1557.html. Greg compared the two approaches: http://www.cygnsu.com/ml/egcs/1998-May/0559.html
Confused deputies:
When you ask a program to open a file, the program asks the operating system to open it. Since the program runs with your privileges, if you have no right to open the file the operating system refuses the program's request. So far, so good.
But if you hand a filename to a security-sensitive program, a CGI script (Common Gateway Interface script), a set-user-id program, any network server, it cannot necessarily rely on the operating system's built-in automatic protection, because it can do things you have no right to do. For example, for a WEB server the things it can do that you cannot may be few, but it can probably at least read some files containing private information.
Most programs do some kind of check on the data they receive, and often fall into certain traps:
* They check it at a moment when you can interfere. A program should first stat() or lstat() the file before opening it, open it in a non-destructive mode, then fstat() the opened FD and compare, to see whether it actually got the file it stat()ed.
* They parse the filename to check it, but in a way different from the operating system's. This is a problem for many Microsoft WEB servers: the operating system parses the filename precisely to find which file it actually refers to, while the WEB server looks at the filename to decide what rights you have to it. If the default permissions let you read a file, then changing the filename so that the WEB server thinks it is a different file, while the operating system resolves it to the same file, also gives you read access. This is a double-parsing problem, which we will discuss later. It also stems from failing open.
* Because the original author misunderstood the program, they check the file in a buggy and complicated way.
* They do not check it at all; this is very common.
* They check it in a flawed way. For example, many old UNIX servers let you download any file in someone's public directory (unless the operating system stops them). But if you make a symbolic link or hard link to someone's private file, you can download it, provided the WEB server has the right to read it.
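The "lstat, open non-destructively, fstat, compare" check from the first trap above, written out as an added example that is not code from the original article. It assumes a POSIX system with a writable /tmp; open_checked() refuses symlinks and non-regular files and rejects any file whose identity (device and inode) changed between the check and the open, and demo_open_checked() builds a regular file plus a symlink alias to it in a private temp directory to show that only the direct path is accepted.

```c
/* Added example, not from the original article: the check/open/fstat/
 * compare pattern for a caller-supplied path. Assumes POSIX and a writable /tmp. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns an open read-only fd, or -1 (errno set) if the path is a symlink
 * or other non-regular object, or changed identity between lstat and open. */
int open_checked(const char *path)
{
    struct stat before, after;
    int fd;

    if (lstat(path, &before) != 0)
        return -1;
    if (!S_ISREG(before.st_mode)) {      /* symlink, fifo, device: refuse */
        errno = EPERM;
        return -1;
    }
    /* O_NOFOLLOW: do not follow a link swapped in after the lstat;
     * O_NONBLOCK: never hang if a fifo was swapped in instead. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode) ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);                       /* we got a different object than we checked */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular file and a symlink alias to it in a
 * private temp dir. Returns 1 when the direct path opens and the alias
 * is refused, 0 otherwise (including when the setup itself fails). */
int demo_open_checked(void)
{
    char dir[] = "/tmp/openchk-XXXXXX";
    char file[64], alias[64];
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, alias) == 0) {
            int direct = open_checked(file);
            int via_link = open_checked(alias);   /* the alias must be refused */
            ok = (direct >= 0) && (via_link < 0);
            if (direct >= 0)
                close(direct);
            unlink(alias);
        }
        unlink(file);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("open_checked accepts the file and refuses the alias: %d\n", demo_open_checked());
    return 0;
}
```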
Another problem: the standard library opens files named by environment variables without dropping privileges. So we are forced to parse the filename to see whether it is reasonable.
Also, if you can make a SETUID program crash, you can overwrite any file the program's owner can overwrite. (A core dump with the user's privileges often lets the user read data from the core file that he could not normally read.)
Failing open:
Most security systems cannot do the right thing under some circumstances. They behave in one of two ways:
They allow things that should not be allowed; this is called failing open. Or they refuse things that should not be refused; this is called failing closed.
For example, when the power goes out, an electrically controlled door lock that needs power to hold closed cannot stay closed, so the door opens easily. A spring-loaded bolt lock fails closed: when the solenoid has no power, the bolt cannot be retracted.
CGI scripts usually run other programs, passing data from the user to them on the command line. To stop the shell from interpreting that data as commands for other programs or files, CGI scripts strip special characters such as "<" and "|". You can do this the fail-open way, with a list of bad characters to strip; if you forget one, it becomes a hole. Or you can do it the fail-closed way, with a list of "good" characters to keep. As shown above, there may still be a forgotten trap. A perl example: http://www.geekgirl.com/bugtraq/1997/0013.html.
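The two CGI argument filters contrasted above, as an added example that is not code from the original article: strip_bad() is the fail-open denylist, written with the kind of incomplete list the text warns about (backtick and "$" are missing from it), and keep_good() is the fail-closed allowlist. The hostile-looking input is constructed for the demonstration.

```c
/* Added example, not from the original article: fail-open denylist versus
 * fail-closed allowlist for a CGI argument. Inputs are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fail-open: remove characters someone remembered as shell metacharacters.
 * The list is deliberately incomplete (no backtick, no '$'), so anything
 * forgotten passes straight through. Returns the number of characters dropped. */
int strip_bad(const char *in, char *out, size_t outsize)
{
    const char *bad = "<>|;&";
    size_t n = 0;
    int dropped = 0;
    for (; *in && n + 1 < outsize; in++) {
        if (strchr(bad, *in)) { dropped++; continue; }
        out[n++] = *in;
    }
    out[n] = '\0';
    return dropped;
}

/* Fail-closed: keep only characters from a short explicit alphabet and drop
 * everything else, so a character nobody thought about is dropped rather
 * than passed on. Returns the number of characters dropped. */
int keep_good(const char *in, char *out, size_t outsize)
{
    size_t n = 0;
    int dropped = 0;
    for (; *in && n + 1 < outsize; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@')
            out[n++] = *in;
        else
            dropped++;
    }
    out[n] = '\0';
    return dropped;
}

/* 1 if the string still contains a character a shell treats specially. */
int still_has_shell_chars(const char *s)
{
    return strpbrk(s, "<>|;&`$()\\\"'") != NULL;
}

/* Run a filter into a scratch buffer and report whether shell-special
 * characters survived: 1 = the filter failed open on this input, 0 = clean. */
int filter_leaks(int (*filter)(const char *, char *, size_t), const char *in)
{
    char out[128];
    filter(in, out, sizeof out);
    return still_has_shell_chars(out);
}

/* Number of characters a filter drops from in. */
int dropped_by(int (*filter)(const char *, char *, size_t), const char *in)
{
    char out[128];
    return filter(in, out, sizeof out);
}

int main(void)
{
    const char *arg = "alice@example.org;`date`$HOME";   /* constructed hostile value */
    char a[128], b[128];
    strip_bad(arg, a, sizeof a);
    keep_good(arg, b, sizeof b);
    printf("denylist : %s (shell chars left: %d)\n", a, still_has_shell_chars(a));
    printf("allowlist: %s (shell chars left: %d)\n", b, still_has_shell_chars(b));
    return 0;
}
```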
If it fails often, failing closed is more inconvenient than failing open. It is also more likely to be a safe refuge.
Usually, the fail-open cases I see are the desktops of the Mac and Microsoft operating systems: if you can exploit the program to any degree, you gain full control of the computer. By contrast, if you break the UNIX login program, you cannot use the computer.
Lack of resources:
Most program designs assume sufficient resources are available (see the structural problems above). Many programs do not even consider what happens when resources are insufficient, and sometimes they do things they should not.
Look at a few examples:
* When there is not enough memory and some allocation fails, malloc and new return zero.
* An untrusted user exhausts system resources (this may be a denial of service problem; even if the program does not allow an intrusion while handling it, for most software this problem is very serious).
* What happens if the program runs out of fds? The open() function returns -1.
* What happens if the program cannot fork(), or its child dies at startup because of resource starvation?
Trusting channels that should not be trusted:
If you send a password in the clear over an Ethernet that has untrusted users on it, if you create a world-writable file and later try to read data back from it, if you create a file under tmp with O_TRUNC but without O_EXCL, you have trusted an intermediary that should not be trusted to do what you want. If an attacker can subvert the untrusted channel, they may be able to deny you service by changing the channel's data, or change the data without your noticing (this leads to very bad things: if the attacker links that file under TMP to a trusted file, you will destroy the contents of that privileged file rather than merely creating a temporary file. GCC had some bugs of this kind, which let an attacker insert code into the files you compile.) Even if they cannot do these things, they can read data they should not read.
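What the O_TRUNC-without-O_EXCL warning above means in practice, as an added example that is not code from the original article. It assumes a POSIX system with a writable /tmp: demo_symlink_planting() places a symlink where the program expects to create its scratch file, then shows that the O_TRUNC open follows the link and empties the file it points at, while the O_CREAT|O_EXCL|O_NOFOLLOW open is refused with EEXIST; everything happens inside a private temp directory the demo creates and removes.

```c
/* Added example, not from the original article: O_TRUNC versus O_EXCL when
 * a link already sits at the temp file's name. Assumes POSIX and a writable /tmp. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe creation at a fixed name: fail if anything is already there and
 * never follow a symlink. Returns the fd, or -1 with errno set. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The unsafe form the text describes: truncate whatever the name resolves to. */
int create_truncating(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Constructed scenario: victim holds data, scratch -> victim is a symlink.
 * Returns a bitmask: 2 = the exclusive open was refused with EEXIST,
 *                    1 = the truncating open emptied victim through the link;
 * -1 if the private temp directory could not be created. */
int demo_symlink_planting(void)
{
    char dir[] = "/tmp/exclchk-XXXXXX";
    char victim[64], scratch[64];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        if (write(fd, "important", 9) != 9)
            result = -1;
        close(fd);
        if (result == 0 && symlink(victim, scratch) == 0) {
            errno = 0;
            if (create_exclusive(scratch) < 0 && errno == EEXIST)
                result |= 2;                 /* the safe open noticed the existing name */
            fd = create_truncating(scratch);
            if (fd >= 0) {
                close(fd);
                if (file_size(victim) == 0)
                    result |= 1;             /* the unsafe open wiped the target */
            }
            unlink(scratch);
        }
        unlink(victim);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("result mask: %d (3 = exclusive open refused, truncating open wiped the target)\n",
           demo_symlink_planting());
    return 0;
}
```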
Unreasonable defaults:
Obvious but insecure defaults, which people may overlook. For example, you unpack an RPM package and it creates some world-writable configuration files; unless you actively look for holes, you probably will not notice. This means most people who unpack it will leave a hole on their own systems.
Large interfaces:
A small security interface is safer than a large one. This is common sense: if my house has one door people can enter through, I should remember to lock it before going to bed; but if there are five doors all leading outside, I may well forget one of them.
So a network server is safer than a SETUID program. A SETUID program takes information from many untrusted sources: environment variables, file descriptors, virtual memory mappings, command-line arguments, file input, and so on. A network server takes input only from a network socket (and possibly from files).
QMAIL is an example of a small security interface. Only a small part of QMAIL (though, compared with what I mentioned earlier on the LINUX security audit mailing list, it is more than ten lines) runs as ROOT; the rest runs as special QMAIL users or as the mail recipient.
Inside QMAIL, buffer overflow checks are concentrated in two small functions, and every string-manipulating function goes through those checks. Another example of a small security interface: the chance of the checking going wrong is minimal.
The more network daemons you run, the larger the security interface between you and the Internet. If you have a firewall, the security interface between you and the Internet shrinks to a single machine.
One difference between browsing untrusted HTML pages and untrusted JAVASCRIPT pages is interface size: the ROUTINES in the latter's interpreter are larger and more complex than the ROUTINES in the former's RENDERER.
Frequently exploited programs:
Programs that have been exploited often in the past are likely to have holes in the future, and sometimes should be replaced. For this reason, /bin/mail in BSD was replaced by mail.local.
If you are auditing, a thorough audit of such programs is a very good idea, but sometimes it is better to rewrite them, or not to use them in the first place.
Poorly defined security components
A security system is divided into security components. For example, my LINUX system has many components called users, one called the kernel, and one called the network, which is divided into sub-components called network interfaces. Based on how the system is built and authorized, there are very well-defined trust relationships between these components. (For example, after I give a password, my user KRAGEN trusts my network interface.)
The trust relationships at the interfaces between security components must be enforced. If you are running a library terminal, you probably want that terminal to have read access to the database only. You do not want it to be able to operate a UNIX SHELL. I am not sure how to accomplish this, but I am sure you can see what I am getting at.
MIRABILIS ICQ trusts the whole network to send it the correct user identity. Obviously, that is secure.
At one point, TCP_WRAPPERS trusted the data it got from reverse DNS lookups and passed it to the SHELL. (Not any more.)
When SQUID is used as a proxy server, Netscape's browser sometimes inserts an FTP password typed by the user into the persistent resource list. JAVASCRIPT programs and other WEB servers can read that persistent resource list.
Overlooked cases:
Untrusted IF-ELSE and SWITCH-CASE logic is dangerous because it is hard to test. If you find a branch that has never been run, it may well be wrong. If you can find a combination of logical data flows, for example two routines that act independently where the output of the first is the input of the second, and that gives four untested combinations (COMBINATIONS), a hole may be lurking there.
Check the defaults in ELSE and SWITCH statements and make sure they fail closed. The command gcc -pg -a makes the program produce a bb.out file, which will help you determine how effective your testing is at exercising all the branches. I believe this is the root of the recent IP denial-of-service problems.
Just a small oversight:
Many people trust code that only a few people have read. If the code is software that only a few people have ever checked, it may leave a hole; if the code has strict security requirements, that may undermine its security. The recent 3COM incident is an excellent example: all of their COREBUILDER and SUPERSTACK II hubs were found to have secret backdoor passwords, which customers could see under an extreme circumstance. For the LINUX security audit, this should not be a major focus.
Problems with this document:
Several categories overlap heavily. It was written without any practical testing, so my emphasis on the different problems may be biased, and I may have left out something important. Also, some parts are not thought through deeply enough. Still, I believe this document is a useful tool for people without much LINUX security auditing experience.
Pointers for those interested in writing secure software:
Sun World Online (SUNWORLD ONLINE) has an article on designing secure software. Although Sun is not the world's best-known security company, the article is still well worth reading. BUGTRAQ reports UNIX security holes in detail every day, and geek-girl.com keeps archives going back to 1993. It is a very useful source for learning about new holes or looking up old ones. But it is not an indexed reference work on holes.
ADAM SHOSTACK posted some good code review guidelines (used by some companies to review code on their firewalls) at http://www.homeport.org/~adam/review.html.
COPS comes with a SETUID(7) manual page with guidance on finding and preventing insecurity in SETUID programs; it is published at http://www.homeport.org/~adam/setuid.7.html.
John Cochran of EDS pointed me to the AUSCERT programming checklist.
ftp://ftp.auscert.org.au/pub/auscert/paper/secureprogramming cheklist