cs-lecture7-programms and programming.docx

Full Transcript

**7.1 Program Flaws**

As programs have become more numerous and complex, users are more frequently unable to know what the program is really doing or how. More importantly, users seldom know whether the program they are using is producing correct results. If a program stops abruptly, text disappears from a document, or music suddenly skips passages, code may not be working properly. (Sometimes these interruptions are intentional, as when a CD player skips because the disk is damaged or a medical device program stops in order to prevent an injury.) These flaws, seen and unseen, can be cause for concern in several ways.

Program flaws can have two kinds of security implications:

- A program flaw can be a fault affecting the correctness of the program's result; that is, a fault can lead to a failure. Incorrect operation is an integrity failing. Integrity is one of the three fundamental security properties of the C-I-A triad. Integrity involves not only correctness but also accuracy, precision, and consistency. A faulty program can also inappropriately modify previously correct data, sometimes by overwriting or deleting the original data. Even though the flaw may not have been inserted maliciously, the outcomes of a flawed program can lead to serious harm.
- On the other hand, even a flaw from a benign cause can be exploited by someone malicious. If an attacker learns of a flaw and can use it to manipulate the program's behavior, a simple and non-malicious flaw can become part of a malicious attack.

**7.1.1 Nonmalicious Program Errors**

An unintentional program error can be one of the following:

- Buffer Overflows
- Incomplete Mediation
- Time-of-Check to Time-of-Use Errors

**7.1.1.1 Buffer Overflow**

- A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher: some water is going to spill out and make a mess.
- A buffer (or array or string) is a space in which data can be held. A buffer resides in memory. Because memory is finite, a buffer's capacity is finite. For this reason, in many programming languages the programmer must declare the buffer's maximum size so that the compiler can set aside that amount of space.
- Buffer overflows often come from innocent programmer oversights or failures to document and check for excessive data.

**Harm from an Overflow**

a. **Overwriting Memory**

**Suppose a C language program contains the declaration:**

**char sample[10];**

**for (i=0; i**
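
The overwriting harm described under "Harm from an Overflow", as an added example that is not part of the lecture text: a write one byte longer than a 10-byte `sample` buffer corrupts the data stored next to it, while a length check rejects the same request. The `record` struct, its `role` field and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: the 10-byte buffer is followed directly by other data. */
struct record {
    char sample[10];
    char role[6];
};
_Static_assert(offsetof(struct record, role) == 10, "role must follow sample");

static struct record fresh(void) {
    struct record r = { "", "user" };
    return r;
}

/* Unchecked: writes n bytes from the start of sample, trusting the caller.
   The struct is addressed as one byte array, so byte 10 is role[0]; this
   keeps the write inside one object and makes the damage observable. */
static void fill_unchecked(struct record *r, size_t n, char c) {
    unsigned char *bytes = (unsigned char *)r;
    for (size_t i = 0; i < n && i < sizeof *r; i++)
        bytes[i] = (unsigned char)c;
}

/* Checked: refuses any length that does not fit in sample. */
static int fill_checked(struct record *r, size_t n, char c) {
    if (n > sizeof r->sample)
        return -1;
    memset(r->sample, c, n);
    return 0;
}

/* 1 if role still holds "user", 0 if it was overwritten. */
static int role_intact(const struct record *r) {
    return memcmp(r->role, "user", 5) == 0;
}

int main(void) {
    struct record a = fresh(), b = fresh();
    fill_unchecked(&a, 11, 'A');            /* one byte more than sample holds */
    int rc = fill_checked(&b, 11, 'A');
    printf("unchecked: role=%.6s intact=%d\n", a.role, role_intact(&a));
    printf("checked:   rc=%d role=%.6s intact=%d\n", rc, b.role, role_intact(&b));
    return 0;
}
```

In a real program the bytes after a buffer are whatever the compiler placed there, so an unchecked write past the end is undefined behaviour rather than the tidy corruption this constructed layout shows.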
