Common Vulnerability in Computer Program
What is a vulnerability?
A flaw or weakness in a system.
Examples of vulnerabilities
Vulnerabilities can occur in hardware, software, communication equipment and facilities, and in combinations of these.
Malicious vs. nonmalicious flaws
Malicious: flaws that are intentionally inserted to attack systems.
Nonmalicious: flaws that are introduced unintentionally, such as the programming errors below.
Nonmalicious examples
- Buffer overflows
- TOCTTOU errors (race conditions)
- Incomplete mediation
Buffer overflow
A program that fails to check for buffer overflow may allow vital data to be overwritten.
[Figure: a user buffer filled with A's; the extra B is written past the end of the buffer (overflow).]
Example (both calls write past the end of buffer when the input is longer than LINELEN):
    #define LINELEN 1024
    char buffer[LINELEN];
    gets(buffer);              /* reads a whole line; no length limit at all */
    /* or */
    strcpy(buffer, argv[1]);   /* copies argv[1] until its NUL; no length limit */
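As an added example (not from the original slides), here are bounded replacements for the two calls above that return an error instead of overflowing; the function names read_line_bounded and copy_bounded and the error codes are my own choices. The line reader also drains an over-long line, because a plain fgets would otherwise hand the rest of that line to the next read.

```c
#define _POSIX_C_SOURCE 200809L   /* keep POSIX declarations (e.g. fmemopen) visible */
#include <stdio.h>
#include <string.h>

#define LINELEN 1024

/* Bounded replacement for gets(buffer): reads one line from fp into buf
 * (capacity len), strips the newline and returns the line length.
 * Returns -1 on EOF or error, and -2 if the line did not fit; in that
 * case the rest of the over-long line is drained so it is not misread
 * as the next input, and buf is left empty. */
int read_line_bounded(char *buf, size_t len, FILE *fp) {
    if (len == 0 || fgets(buf, (int)len, fp) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return (int)(n - 1);
    }
    /* No newline: the line filled the buffer, or the file ended. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return (int)n;                 /* fit exactly, or final line */
    while (c != '\n' && c != EOF)      /* drain the remainder */
        c = fgetc(fp);
    buf[0] = '\0';
    return -2;
}

/* Bounded replacement for strcpy(buffer, argv[1]): copies src into dst
 * (capacity len) only if it fits together with its terminator.
 * Returns 0 on success and -1 if it would overflow, leaving dst untouched. */
int copy_bounded(char *dst, size_t len, const char *src) {
    size_t n = 0;
    while (n < len && src[n] != '\0')  /* never scans beyond len bytes */
        n++;
    if (n >= len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(int argc, char **argv) {
    char buffer[LINELEN];
    if (argc > 1 && copy_bounded(buffer, sizeof buffer, argv[1]) < 0)
        fprintf(stderr, "argument too long (limit %d)\n", LINELEN - 1);
    int r = read_line_bounded(buffer, sizeof buffer, stdin);
    if (r == -2)
        fprintf(stderr, "input line too long, discarded\n");
    else if (r >= 0)
        printf("read %d bytes\n", r);
    return 0;
}
```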
TOCTTOU (time-of-check to time-of-use) example
A particular Unix terminal program is setuid (runs with superuser privileges) so that it can allocate terminals to users, a privileged operation. It supports a command to write the contents of the terminal to a log file. It first checks whether the user has permission to write to the requested file; if so, it opens the file for writing.
The attacker makes a symbolic link: logfile -> file_she_owns
Between the check and the open, she changes it: logfile -> /etc/passwd
Incomplete mediation
Inputs to programs are often specified by untrusted users. The web application needs to ensure that what the user has entered constitutes a meaningful request. This checking is called mediation.
Examples
Users sometimes mistype data in web forms, e.g.:
Phone number: 00717928286
Values such as 1800Feb30, 2048Min32