The Impact of Security Mechanisms on Software Vulnerabilities

Authors

Master of Computer Science, Imam Hossein Comprehensive University (AS)

Abstract

Today, vulnerabilities in operating systems and widely used programs form the foundation of intruders' attacks on information technology infrastructures, and attackers use them to take control of computer systems. Software researchers have made great efforts to build and deploy security mechanisms within the software life cycle to counter the ever-increasing growth of these vulnerabilities. This paper evaluates the performance and effectiveness of these security mechanisms by reviewing and statistically analyzing the reports in the global vulnerability database. The review showed that, despite the development of security mechanisms, some of these vulnerabilities have shown upward growth, while others are on the verge of being removed from the list of notable vulnerabilities. A significant point of this research is that it takes the usage rate of software into account. By applying this parameter to the extent of vulnerabilities, the damage impact of software has been estimated and compared.

Keywords


Article Title [English]

The Impact of Security Mechanisms on Software Vulnerabilities

Authors [English]

  • Mahdi Naqavi
  • Taqi Noushi Fard
  • Mahdi Gholami
Master of Computer Science, Imam Hossein University (AS)

Abstract [English]

Nowadays, vulnerabilities in operating systems and commonly used software provide a major opening for intruders to attack information technology infrastructures. In this way, attackers may take control of computer systems. Researchers in the software area have worked hard to develop and operate security mechanisms, applied in the software development lifecycle, to resist the increasing growth of vulnerabilities. This paper evaluates the impact and effectiveness of these security mechanisms by reviewing and statistically analyzing the existing reports in the global vulnerability database. According to our surveys, despite the growing development of security mechanisms, some vulnerabilities have increased and some are about to be removed from the list of notable vulnerabilities. The valuable point of this survey is the introduction of the usage rate of software as a parameter for estimating the amount of damage caused by software vulnerabilities.

Keywords [English]

  • Software
  • Security Mechanism
  • Vulnerability
  • Number Errors
  • Format String Errors
  • Buffer Overflow Error