Talking about security loopholesRichard S. Kraus reference to the core network security business objective is to protect the sustainability of the system and data security, This two of the main threats come from the worm outbreaks, hacking attacks, denial of service attacks, Trojan horse. Worms, hacker attacks problems and loopholes closely linked to, if there is major security loopholes have emerged, the entire Internet will be faced with a major challenge. While traditional Trojan and little security loopholes, but recently many Trojan are clever use of the IE loophole let you browse the website at unknowingly were on the move.Security loopholes in the definition of a lot, I have here is a popular saying: can be used to stem the "thought" can not do, and are safety-related deficiencies. This shortcoming can be a matter of design, code realization of the problem.Different perspective of security loo phole sIn the classification of a specific procedure is safe from the many loopholes in classification.1. Classification from the user groups:● Public loopholes in the software category. If the loopholes inWindows, IE loophole, and so on.● specialized software loophole. If Oracle loopholes, Apach e,etc. loopholes.2. Data from the perspective include :● could not reasonably be read and read data, including thememory of the data, documents the data, Users input data, the data in the database, network, data transmission and so on.● designa ted can be written into the designated places(including the local paper, memory, databases, etc.)● Input data can be implemented (including nativeimplementation, according to Shell code execution, by SQL code execution, etc.)3. From the point of view of the scope of the role are :● Remote loopholes, an attacker could use the network anddirectly through the loopholes in the attack. Such loopholes great harm, an attacker can create a loophole through other people's computers operate. Such loopholes and can easily lead to worm attacks on Windows.● Local loopholes, the attacker must have the machinepremise access permissions can be launched to attack the loopholes. Typical of the local authority to upgrade loopholes, loopholes in the Unix system are widespread, allow ordinary users to access the highest administrator privileges.4. Trigger conditions from the point of view can be divided into:● Initiative trigger loopholes, an attacker can take the initiative to use the loopholes in the attack, If direct access to computers.● Passive trigger loopholes must be computer operators can be carried out attacks with the use of the loophole. For example, the attacker made to a mail administrator, with a special jpg image files, if the administrator to open image files will lead to a picture of the software loophole was triggered, thereby system attacks, but if managers do not look at the pictures will not be affected by attacks.5. On an operational perspective can be divided into:● File opera tion type, mainly for the operation of the target file path can be controlled (e.g., parameters, configuration files, environment variables, the symbolic link HEC), this may lead to the following two questions:◇Content can be written into control, the contents of the documents can be forged. Upgrading or authority to directly alter the important data (such as revising the deposit and lending data), this has many loopholes. If history Oracle TNS LOG document can be designated loopholes, could lead to any person may control the operation of the Oracle computer services;◇information content can be output Print content has beencontained to a screen to record readable log files can be generated by the core users reading papers, Such loopholes in the history of the Unix system crontab subsystem seen many times, ordinary users can read the shadow of protected documents;● Memory coverage, mainly for memory modules can be specified, write content may designate such persons will be able to attack to enforce the code (buffer overflow, format string loopholes, PTrace loopholes, Windows 2000 history of the hardware debugging registers users can write loopholes), or directly alter the memory of secrets data.● logic errors, such wide gaps exist, but very few changes, so it is difficult to discern, can be broken down as follows : ◇loopholes competitive conditions (usually for the design, typical of Ptrace loopholes, The existence of widespread document timing of competition) ◇wrong tactic, usually in design. If the history of the FreeBSD Smart IO loopholes. ◇Algorithm (usually code or design to achieve), If the history of Microsoft Windows 95/98 sharing password can easily access loopholes. ◇Imperfections of the design, such as TCP / IP protocol of the three-step handshake SYN FLOOD led to a denial of service attack. ◇realize the mistakes (usually no problem for the design, but the presence of codinglogic wrong, If history betting system pseudo-random algorithm)● External orders, Typical of external commands can becontrolled (via the PATH variable, SHELL importation of special characters, etc.) and SQL injection issues.6. From time series can be divided into:● has long found loopholes: manufacturers already issued apatch or repair methods many people know already. Such loopholes are usually a lot of people have had to repair macro perspective harm rather small.● recently discovered loophole: manufacturers just made patchor repair methods, the people still do not know more. Compared to greater danger loopholes, if the worm appeared fool or the use of procedures, so will result in a large number of systems have been attacked.● 0day: not open the loophole in the private transactions. Usuallysuch loopholes to the public will not have any impact, but it will allow an attacker to the target by aiming precision attacks, harm is very great.Different perspective on the use of the loopholesIf a defect should not be used to stem the "original" can not do what the (safety-related), one would not be called security vulnerability, security loopholes and gaps inevitably closely linked to use.Perspective use of the loopholes is:● Data Perspective: visit had not visited the data, includingreading and writing. This is usually an attacker's core purpose, but can cause very serious disaster (such as banking data can be written).● Competence Perspective: Major Powers to bypass or p ermissions.Permissions are usually in order to obtain the desired data manipulation capabilities.● Usability perspective: access to certain services on the system ofcontrol authority, this may lead to some important services to stop attacks and lead to a denial of service attack.● Authentication bypass: usually use certification system and theloopholes will not authorize to access. Authentication is usually bypassed for permissions or direct data access services.● Code execution perspective: mainly procedures for theimportation of the contents as to implement the code, obtain remote system access permissions or local system of higher authority. This angle is SQL injection, memory type games pointer loopholes (buffer overflow, format string, Plastic overflow etc.), the main driving. This angle is usually bypassing the authentication system, permissions, and data preparation for the reading. Loopholes explore methods mustFirst remove security vulnerabilities in software BUG in a subset, all software testing tools have security loopholes to explore practical. Now that the "hackers" used to explore the various loopholes that there are means available to the model are:● fuzz testing (black box testing), by constructing procedures maylead to problems of structural input data for automatic testing.● FOSS audit (White Box), now have a series of tools that can assistin the detection of the safety procedures BUG. The most simple is your hands the latest version of the C language compiler.● IDA anti-compilation of the audit (gray box testing), and abovethe source audit are very similar. The only difference is that many times you can obtain software, but you can not get to the source code audit, But IDA is a very powerful anti-Series platform, let you based on the code (the source code is in fact equivalent) conducted a safety audit.● dynamic tracking, is the record of proceedings under differentconditions and the implementation of all security issues related to the operation (such as file operations), then sequence analysis of these operations if there are problems, it is competitive category loopholes found one of the major ways. Other tracking tainted spread also belongs to this category.● patch, the software manufacturers out of the question usuallyaddressed in the patch. By comparing the patch before and after the source document (or the anti-coding) to be aware of the specific details of loopholes.More tools with which both relate to a crucial point: Artificial need to find a comprehensive analysis of the flow path coverage. Analysis methods varied analysis and design documents, source code analysis, analysis of the anti-code compilation, dynamic debugging procedures. Grading loopholesloopholes in the inspection harm should close the loopholes and the use of the hazards related Often people are not aware of all the Buffer Overflow Vulnerability loopholes are high-risk. A long-distance loophole example and better delineation:●R emote access can be an OS, application procedures, versioninformation.●open unnecessary or dangerous in the service, remote access tosensitive information systems.● Remote can be restricted for the documents, data reading.●remotely important or res tricted documents, data reading.● may be limited for long-range document, data revisions.● Remote can be restricted for important documents, data changes.● Remote can be conducted without limitation in the importantdocuments, data changes, or for general service denial of service attacks.● Remotely as a normal user or executing orders for system andnetwork-level denial of service attacks.● may be remote management of user identities to theenforcement of the order (limited, it is not easy to use).● can be remote management of user identities to theenforcement of the order (not restricted, accessible).Almost all local loopholes lead to code execution, classified above the 10 points system for:●initiative remote trigger code execution (such a s IE loophole).● passive trigger remote code execution (such as Word gaps /charting software loopholes).DEMOa firewall segregation (peacekeeping operation only allows the Department of visits) networks were operating a Unix server; operating systems only root users and users may oracle landing operating system running Apache (nobody authority), Oracle (oracle user rights) services. An attacker's purpose is to amend the Oracle database table billing data. Its possible attacks steps:● 1. Access pea cekeeping operation of the network. Access to apeacekeeping operation of the IP address in order to visit throughthe firewall to protect the UNIX server.● 2. Apache services using a Remote Buffer Overflow Vulnerabilitydirect access to a nobody's competence hell visit.● 3. Using a certain operating system suid procedure of theloophole to upgrade their competence to root privileges.● 4. Oracle sysdba landing into the database (local landingwithout a password).● 5. Revised target table data.Over five down for process analysis:●Step 1: Authentication bypass●Step 2: Remote loopholes code execution (native),Authentication bypassing● Step 3: permissions, authentication bypass● Step 4: Authentication bypass● Step 5: write data安全漏洞杂谈Richard S. Kraus 网络安全的核心目标是保障业务系统的可持续性和数据的安全性，而这两点的主要威胁来自于蠕虫的暴发、黑客的攻击、拒绝服务攻击、木马。