iOS Secure Coding Guide -- 02 Types of Security Vulnerabilities (Part 2)


Interprocess Communication

    Separate (|ˈsepərət| adj., distinct, apart) processes, either within a single program or in two different programs, sometimes have to share information. Common methods include using shared memory or using some messaging protocol, such as sockets, provided by the operating system. These messaging protocols used for interprocess communication are often vulnerable to attack; thus, when writing an application, you must always assume that the process at the other end of your communication channel could be hostile (|ˈhɒstaɪl, American ˈhɒstl| adj., unfriendly, opposed).

    For more information on how to perform secure interprocess communication, read Validating Input and Interprocess Communication.



Insecure File Operations

    In addition to time-of-check–time-of-use problems, many other file operations are insecure. Programmers often make assumptions about the ownership, location, or attributes of a file that might not be true. For example, you might assume that you can always write to a file created by your program. However, if an attacker can change the permissions or flags on that file after you create it, and if you fail to check the result code after a write operation, you will not detect the fact that the file has been tampered with.

          assumption |əˈsʌmpʃn| noun: a supposition, something taken for granted

          ownership |ˈəʊnəʃɪp| noun: the right of possession

          permission |pəˈmɪʃn| noun: consent, authorization

          detect |dɪˈtekt| verb: to find out, to discover

          tamper |ˈtæmpə(r)| verb: to fiddle with; to alter improperly


    Examples of insecure file operations include:

  •      writing to or reading from a file in a location writable by another user
  •      failing to make the right checks for file type, device ID, links, and other settings before using a file
  •      failing to check the result code after a file operation
  •      assuming that if a file has a local pathname, it has to be a local file
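The checks in that list, as an added C example that is not code from the Secure Coding Guide: the file is opened without following symlinks, the open descriptor (not the path) is inspected before use, and every write result is checked. The policy enforced (regular file, owned by the effective user, one hard link, not group- or world-writable) and the function names are assumptions of the example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing file for writing only after confirming it is what we
 * expect. O_NOFOLLOW refuses a symlink at the final path component; the
 * remaining checks run on the opened descriptor (fstat), not on the path,
 * so nothing can be swapped in between the check and the use.
 * Policy assumed by this example: regular file, owned by the effective
 * user, exactly one hard link, not group- or world-writable.
 * Returns a descriptor, or -1 with errno set. */
int open_trusted_file(const char *path) {
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                  /* ELOOP if path is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1 ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Write the whole buffer, checking every write() result: a short write or
 * an error is reported rather than silently ignored. 0 on success, -1 on error. */
int write_all(int fd, const void *buf, size_t len) {
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    int fd = open_trusted_file(argv[1]);
    if (fd < 0 || write_all(fd, "trusted write\n", 14) < 0 || close(fd) < 0) {
        perror(argv[1]); return 1;
    }
    return 0;
}
```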


    These and other insecure file operations are discussed in more detail in Securing File Operations.



Access Control Problems

    Access control is the process of controlling who is allowed to do what. This ranges from controlling physical access to a computer—keeping your servers in a locked room, for example—to specifying who has access to a resource (a file, for example) and what they are allowed to do with that resource (such as read only). Some access control mechanisms are enforced by the operating system, some by the individual application or server, some by a service (such as a networking protocol) in use. Many security vulnerabilities are created by the careless or improper use of access controls, or by the failure to use them at all.

          mechanism |ˈmekənɪzəm| noun: a mechanical device

          enforce |ɪnˈfɔːs| transitive verb: to compel compliance with

          individual |ˌɪndɪˈvɪdʒʊəl| adjective: single, separate; personal

          improper |ɪmˈprɒpə(r)| adjective: inappropriate; unseemly; illegitimate


    Much of the discussion of security vulnerabilities in the software security literature is in terms of privileges, and many exploits involve an attacker somehow gaining more privileges than they should have. Privileges, also called permissions (|pəˈmɪʃn|), are access rights granted by the operating system, controlling who is allowed to read and write files, directories, and attributes of files and directories (such as the permissions for a file), who can execute a program, and who can perform other restricted operations such as accessing hardware devices and making changes to the network configuration. File permissions and access control in OS X are discussed in File System Programming Guide.

          restrict |rɪˈstrɪkt| transitive verb: to limit

          grant |grɑːnt, American grænt| transitive verb: to give, to permit

          involve |ɪnˈvɒlv| transitive verb: to require; to affect

          exploit noun: a heroic deed; an adventure; transitive verb: to develop, to make use of, to take unfair advantage of, to abuse

          literature |ˈlɪtrətʃə(r), American -tʃʊər| noun (uncountable): written works; printed material such as leaflets

    Of particular interest to attackers is the gaining of root privileges, which refers to having the unrestricted permission to perform any operation on the system. An application running with root privileges can access everything and change anything. Many security vulnerabilities involve programming errors that allow an attacker to obtain root privileges. Some such exploits involve taking advantage of buffer overflows or race conditions, which in some special circumstances allow an attacker to escalate their privileges. Others involve having access to system files that should be restricted or finding a weakness in a program—such as an application installer—that is already running with root privileges. For this reason, it’s important to always run programs with as few privileges as possible. Similarly, when it is necessary to run a program with elevated privileges, you should do so for as short a time as possible.

          elevate |ˈelɪveɪt| transitive verb: to raise, to lift up; elevate one's mind: to improve oneself; to uplift, to promote

          escalate |ˈeskəleɪt| transitive verb: to raise, to intensify, to worsen, to increase

          circumstance |ˈsɜːkəmstəns| noun: condition, situation

          advantage |ədˈvɑːntɪdʒ, American -ˈvæn-| noun: a favourable condition, a benefit

          involve |ɪnˈvɒlv| transitive verb: to require, to affect, to engage, to implicate, to include

          particular |pəˈtɪkjʊlə(r)| adjective: specific
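The least-privilege advice above (run with as few privileges as possible, and hold elevated privileges for as short a time as possible), as an added C example that is not from the guide: a helper that permanently drops to a given uid/gid in the required order, checks every result code, and verifies that the drop actually took effect. The function name and the placeholder privileged step in main are the example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the given uid/gid. Order matters: supplementary
 * groups first, then the gid, then the uid, because once the uid is no
 * longer root the gid can no longer be changed. Every result code is
 * checked and the drop is verified afterwards: a drop that silently fails
 * leaves the program running with more privilege than it believes it has.
 * Returns 0 on success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may do this */
        return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify that the real and effective ids both moved to the target. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we left root, regaining it must now be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Pattern from the guide: do the privileged work first, then drop for the
 * rest of the run. The privileged step here is only a placeholder. */
int main(void) {
    /* ... privileged work (e.g. binding a low port or opening a device) ... */
    uid_t target_uid = getuid();   /* the invoking user, e.g. for a setuid binary */
    gid_t target_gid = getgid();
    if (drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;   /* never continue with privileges you meant to give up */
    }
    printf("running as uid=%u euid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid());
    return 0;
}
```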

    Much access control is enforced by applications, which can require a user to authenticate before granting authorization to perform an operation. Authentication can involve requesting a user name and password, the use of a smart card, a biometric scan, or some other method. If an application calls the OS X Authorization Services application interface to authenticate a user, it can automatically take advantage of whichever authentication method is available on the user’s system. Writing your own authentication code is a less secure alternative, as it might afford an attacker the opportunity to take advantage of bugs in your code to bypass your authentication mechanism, or it might offer a less secure authentication method than the standard one used on the system. Authorization and authentication are described further in Security Overview.

          mechanism |ˈmekənɪzəm| noun: a mechanical device, a component, a mechanism

          bypass |ˈbaɪpɑːs| noun: a side route; transitive verb: to route around, to go past

          opportunity |ˌɒpəˈtjuːnəti, American -ˈtuːn-| noun: a chance; to miss an opportunity; a chance (of employment, promotion)

          alternative |ɔːlˈtɜːnətɪv| adjective: substitute, unconventional; noun: a choice, a possible option

          available |əˈveɪləbl| adjective: obtainable

          scan |skæn| transitive verb (present participle etc. -nn-): to examine closely; to sweep across

          biometrics |ˌbaɪəʊˈmetrɪks| noun (plural with singular verb): the statistical study of biological data

          grant |grɑːnt, American grænt| transitive verb: to give, to permit

          authenticate |ɔːˈθentɪkeɪt| transitive verb: to prove genuine

          enforce |ɪnˈfɔːs| transitive verb: to compel compliance with; to strengthen

    Digital certificates are commonly used—especially over the Internet and with email—to authenticate users and servers, to encrypt communications, and to digitally sign data to ensure that it has not been corrupted and was truly created by the entity that the user believes to have created it. Incorrect or careless use of digital certificates can lead to security vulnerabilities. For example, a server administration program shipped with a standard self-signed certificate, with the intention that the system administrator would replace it with a unique certificate. However, many system administrators failed to take this step, with the result that an attacker could decrypt communication with the server. [CVE-2004-0927]

          decrypt |diːˈkrɪpt| transitive verb: to decode

          unique |juːˈniːk| adjective: the only one; one of a kind

          ship |ʃɪp| noun: a vessel

          administration |ədˌmɪnɪˈstreɪʃn| noun: management; judicial supervision; execution

          entity |ˈentəti| noun: something that exists as a distinct unit

          certificate |səˈtɪfɪkət| noun: a diploma; a certificate of qualification


    It’s worth noting that nearly all access controls can be overcome by an attacker who has physical access to a machine and plenty of time. For example, no matter what you set a file’s permissions to, the operating system cannot prevent someone from bypassing the operating system and reading the data directly off the disk. Only restricting access to the machine itself and the use of robust encryption techniques can protect data from being read or corrupted under all circumstances.

          robust |rəʊˈbʌst| adjective: strong, sturdy, vigorous, thriving

          circumstance |ˈsɜːkəmstəns| noun: condition, situation

    The use of access controls in your program is discussed in more detail in Elevating Privileges Safely.



Secure Storage and Encryption

          encryption |enˈkrɪpʃən| noun 

    Encryption can be used to protect a user’s secrets from others, either during data transmission or when the data is stored. (The problem of how to protect a vendor’s data from being copied or used without permission is not addressed here.) iOS provides a variety of encryption-based security options, such as

          vendor |ˈvendə(r)| noun: a hawker, a stallholder; a seller

          variety |vəˈraɪəti| noun: diversity

  •      passcode to prevent unauthorized use of the device
  •      data encryption
  •      the ability to add a digital signature to a block of data
  •      keychain
  •      SSL/TLS secure network communication

          unauthorized |ʌnˈɔːθəraɪzd| adjective: without authorization

    Each service has appropriate uses, and each has limitations. 


    It is a serious mistake to try to create your own encryption method or to implement a published encryption algorithm yourself unless you are already an expert in the field. It is extremely (|ɪkˈstriːmli|) difficult to write secure, robust encryption code that generates unbreakable ciphertext, and it is almost always a security vulnerability to try. For OS X, if you need cryptographic services beyond those provided by the OS X user interface and high-level programming interfaces, you can use the open-source CSSM Cryptographic Services Manager. See the documentation provided with the Open Source security code, which you can download at http://developer.apple.com/darwin/projects/security/. For iOS, the development APIs should provide all the services you need.

          cryptographic ['krɪptəʊ'græfɪk] [ˌkrɪptə'græfɪk] adj.: relating to ciphers; written in code

          ciphertext ['saɪfətekst] ['saɪfəˌtekst] n.: encrypted text; a cipher; coded writing

          generate |ˈdʒenəreɪt| transitive verb: to produce

          robust |rəʊˈbʌst| adjective: strong

    For more information about OS X and iOS security features, read Authentication, Authorization, and Permissions Guide.



Social Engineering

    Often the weakest link in the chain of security features protecting a user’s data and software is the user himself. As developers eliminate buffer overflows, race conditions, and other security vulnerabilities, attackers increasingly concentrate on fooling users into executing malicious code or handing over passwords, credit-card numbers, and other private information. Tricking a user into giving up secrets or into giving access to a computer to an attacker is known as social engineering.

          feature |ˈfiːtʃə(r)| noun: a characteristic; an aspect

          eliminate |ɪˈlɪmɪneɪt| transitive verb: to rule out; to remove

          concentrate |ˈkɒnsntreɪt| intransitive verb: to focus one's attention; to gather; to focus

          trick |trɪk| noun: a ruse, a ploy


    For example, in February of 2005, a large firm that maintains credit information, Social Security numbers, and other personal information on virtually all U.S. citizens revealed that they had divulged information on at least 150,000 people to scam artists who had posed as legitimate businessmen. According to Gartner (www.gartner.com), phishing attacks cost U.S. banks and credit card companies about $1.2 billion in 2003, and this number is increasing. They estimate that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing.

          approximately |əˈprɒksɪmətli| adverb: roughly

          estimate |ˈestɪmət| noun: an approximate judgement

          phishing |ˈfɪʃɪŋ| noun (uncountable): online fraud that lures victims into revealing private information

          legitimate adjective: lawful

          artist |ˈɑːtɪst| noun: an artist, a painter; an expert (as in "scam artist")

          scam |skæm| noun: a swindle, a fraud

          divulge |daɪˈvʌldʒ| transitive verb: to disclose

          firm 1 |fɜːm| noun: a business, a company

          maintain |meɪnˈteɪn| transitive verb: to keep up; to support

          virtually |ˈvɜːtʃʊəlɪ| adverb: in effect, almost ("there is virtually no public transport"); in a virtual (computer-simulated) sense

          citizen |ˈsɪtɪzn| noun: a national of a state

          reveal |rɪˈviːl| transitive verb: to disclose


    Software developers can counter such attacks in two ways: through educating their users, and through clear and well-designed user interfaces that give users the information they need to make informed decisions.

          inform |ɪnˈfɔːm| transitive verb: to notify

          informed |ɪnˈfɔːmd| adjective: knowledgeable; based on facts

          counter 1 |ˈkaʊntə(r)| noun: a shop counter; a section; a chip or token; a counting device

          counter 2 adverb: in the opposite direction; transitive verb: to rebut, to strike back; intransitive verb: to respond in opposition



    For more advice on how to design a user interface that enhances security, see Designing Secure User Interfaces.
