CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson. CISSP Official Study Guide, Sybex (2018)

Programming

We have already mentioned the biggest flaw in programming: the buffer overflow, which can occur if the programmer fails to check or sanitize the format and/or the size of input data. There are other potential flaws with programs. Any program that does not handle any exception gracefully is in danger of exiting in an unstable state. It is possible to cleverly crash a program after it has increased its security level to carry out a normal task. If an attacker is successful in crashing the program at the right time, they can attain the higher security level and cause damage to the confidentiality, integrity, and availability of your system.

All programs that are executed directly or indirectly must be fully tested to comply with your security model. Make sure you have the latest version of any software installed, and be aware of any known security vulnerabilities. Because each security model, and each security policy, is different, you must ensure that the software you execute does not exceed the authority you allow. Writing secure code is difficult, but it's certainly possible. Make sure all programs you use are designed to address security concerns. Please see Chapter 15 for more information on code review and testing.


Timing, State Changes, and Communication Disconnects

Computer systems perform tasks with rigid precision. Computers excel at repeatable tasks. Attackers can develop attacks based on the predictability of task execution. The common sequence of events for an algorithm is to check that a resource is available and then access it if you are permitted. The time of check (TOC) is the time at which the subject checks on the status of the object. There may be several decisions to make before returning to the object to access it. When the decision is made to access the object, the procedure accesses it at the time of use (TOU). The difference between the TOC and the TOU is sometimes large enough for an attacker to replace the original object with another object that suits their own needs. Time of check to time of use (TOCTOU) attacks are often called race conditions because the attacker is racing with the legitimate process to replace the object before it is used.

A classic example of a TOCTOU attack is replacing a data file after its identity has been verified but before data is read. By replacing one authentic data file with another file of the attacker's choosing and design, an attacker can potentially direct the actions of a program in many ways. Of course, the attacker would have to have in-depth knowledge of the program and system under attack.

Likewise, attackers can attempt to take action between two known states when the state of a resource or the entire system changes. Communication disconnects also provide small windows that an attacker might seek to exploit. Anytime a status check of a resource precedes action on the resource, a window of opportunity exists for a potential attack in the brief interval between check and action. These attacks must be addressed in your security policy and in your security model. TOCTOU attacks, race condition exploits, and communication disconnects are known as state attacks because they attack timing, data flow control, and the transition from one system state to another.
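The file-replacement race described above, written out as an added example (not code from the study guide): a check-then-use file open on a POSIX system beside its hardened form, with a constructed symlink standing in for the object an attacker swaps in during the TOC/TOU window. The function names and the /tmp demo directory are assumptions.

```c
#define _GNU_SOURCE          /* mkdtemp, symlink, O_NOFOLLOW, O_CLOEXEC */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable check-then-use: stat() on the path is the time of check, open() on
   the same path is the time of use. The path is resolved twice, so whatever it
   is bound to in between (e.g. a symlink to another file) is what gets opened. */
int open_checked_racy(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1; /* TOC */
    return open(path, O_RDONLY);                                  /* TOU */
}

/* Hardened form: open first, then check the descriptor with fstat(). Check and
   use now refer to the same kernel object, so there is no interval to race.
   O_NOFOLLOW refuses a symlink as the final path component (directory
   components would still need openat() on an already-open directory fd). */
int open_checked_safe(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Demonstration (constructed): bind the checked path to a symlink, which is
   the state an attacker aims to create inside the TOC/TOU window. Returns 1
   when the racy version opens through the link while the hardened version
   refuses it, 0 otherwise, -1 if the temporary files cannot be set up. */
int demo_symlink_swap(void) {
    char dir[] = "/tmp/toctou_demo_XXXXXX";   /* assumed writable scratch dir */
    char target[300], link[300];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0 || symlink(target, link) != 0) return -1;
    close(t);
    int racy = open_checked_racy(link);   /* stat and open both follow the link */
    int safe = open_checked_safe(link);   /* O_NOFOLLOW rejects it with ELOOP */
    int swapped = (racy >= 0 && safe < 0);
    if (racy >= 0) close(racy);
    unlink(link); unlink(target); rmdir(dir);
    return swapped;
}
```

The demo collapses the race into a single swap so the two behaviours can be compared deterministically; in a real race the attacker must win the timing, which is exactly why the fix is to remove the window rather than to shrink it.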
