2 cissp ® Official Study Guide Eighth Edition

934
Chapter 21 
■
Malicious Code and Application Attacks
vulnerability because many programmers feel parameter checking is an unnecessary burden 
that slows down the development process. As a security practitioner, it’s your responsibility 
to ensure that developers in your organization are aware of the risks posed by buffer over-
flow vulnerabilities and that they take appropriate measures to protect their code against 
this type of attack.
Anytime a program variable allows user input, the programmer should take steps to 
ensure that each of the following conditions is met:
■
The user can’t enter a value longer than the size of any buffer that will hold it (for 
example, a 10-letter word into a 5-letter string variable).
■
The user can’t enter an invalid value for the variable types that will hold it (for example, 
a letter into a numeric variable).
■
The user can’t enter a value that will cause the program to operate outside its specified 
parameters (for example, answer a “yes” or “no” question with “maybe”).
Failure to perform simple checks to make sure these conditions are met can result in a 
buffer overflow vulnerability that may cause the system to crash or even allow the user to 
execute shell commands and gain access to the system. Buffer overflow vulnerabilities are 
especially prevalent in code developed rapidly for the web using Common Gateway Interface 
(CGI) or other languages that allow unskilled programmers to quickly create interactive 
web pages. Most buffer overflow vulnerabilities are mitigated with patches provided by 
software and operating system vendors, magnifying the importance of keeping systems and 
software up to date.

Download 19,3 Mb.

Do'stlaringiz bilan baham: