iOS Secure Coding Guide -- 02 Types of Security Vulnerabilities (Part 2)

Source: Internet  Published by: 毛妹伤害数据  Editor: 程序博客网  Time: 2024/06/05 04:30



Interprocess Communication

    Separate (|ˈsepərət| adj: distinct, apart) processes (i.e. operating-system processes)—either within a single program or in two different programs—sometimes have to share information. Common methods include using shared memory or using some messaging protocol, such as Sockets, provided by the operating system. These messaging protocols used for interprocess communication are often vulnerable to attack; thus, when writing an application, you must always assume that the process at the other end of your communication channel could be hostile (|ˈhɒstaɪl, American ˈhɒstl| adj: unfriendly, antagonistic).

    For more information on how to perform secure interprocess communication, read Validating Input and Interprocess Communication.



Insecure File Operations

    In addition to time-of-check–time-of-use problems, many other file operations are insecure. Programmers often make assumptions about the ownership, location, or attributes of a file that might not be true. For example, you might assume that you can always write to a file created by your program. However, if an attacker can change the permissions or flags on that file after you create it, and if you fail to check the result code after a write operation, you will not detect the fact that the file has been tampered with.

          assumption |əˈsʌmpʃn| noun: supposition, presumption

          ownership |ˈəʊnəʃɪp| noun: the state of being the owner

          permission |pəˈmɪʃn| noun: authorization, consent

          detect |dɪˈtekt| verb: to discover, to find out

          tamper |ˈtæmpə(r)| verb: to meddle with, to falsify


    Examples of insecure file operations include:

  •      writing to or reading from a file in a location writable by another user
  •      failing to make the right checks for file type, device ID, links, and other settings before using a file
  •      failing to check the result code after a file operation
  •      assuming that if a file has a local pathname, it has to be a local file


    These and other insecure file operations are discussed in more detail in Securing File Operations.
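The checks in the list above, as an added example that is not part of Apple's guide or of this post: a POSIX C routine that opens a file only after verifying its type, ownership and link count on the opened descriptor (not on the path, which would reintroduce a time-of-check–time-of-use window), plus a write helper that checks every result code. The function names and the temporary-file self-check are assumptions made here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open an existing file for writing only if it is a regular file owned by the
 * caller, not a symlink and with no extra hard links.  The checks use fstat on
 * the opened descriptor, so the file cannot be swapped between check and use. */
int open_owned_regular_for_write(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                  /* ELOOP: the path was a symlink */
    if (fstat(fd, &st) != 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Write the whole buffer, checking every result code: short writes are
 * continued and errors are reported instead of being silently ignored. */
int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Constructed self-check: a fresh temporary file is accepted and written,
 * while a symlink to that same file is refused.  Returns 1 if both hold. */
int self_check(void) {
    char path[] = "/tmp/scg_XXXXXX", link[64];
    int ok, fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    fd = open_owned_regular_for_write(path);
    ok = fd >= 0 && write_all(fd, "record\n", 7) == 0;
    if (fd >= 0) close(fd);
    snprintf(link, sizeof link, "%s.lnk", path);
    if (ok && symlink(path, link) == 0) {
        ok = open_owned_regular_for_write(link) == -1 && errno == ELOOP;
        unlink(link);
    } else ok = 0;
    unlink(path);
    return ok;
}
```

Call self_check() from a main() or a test harness; it returns 1 when the regular file is accepted and the symlink is rejected.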



Access Control Problems

    Access control is the process of controlling who is allowed to do what. This ranges from controlling physical access to a computer—keeping your servers in a locked room, for example—to specifying who has access to a resource (a file, for example) and what they are allowed to do with that resource (such as read only). Some access control mechanisms are enforced by the operating system, some by the individual application or server, some by a service (such as a networking protocol) in use. Many security vulnerabilities are created by the careless or improper use of access controls, or by the failure to use them at all.

          mechanism |ˈmekənɪzəm| noun: a mechanical device

          enforce |ɪnˈfɔːs| transitive verb: to impose compulsorily

          individual |ˌɪndɪˈvɪdʒʊəl| adjective: single, personal

          improper |ɪmˈprɒpə(r)| adjective: unsuitable, inappropriate, unlawful


    Much of the discussion of security vulnerabilities in the software security literature is in terms of privileges, and many exploits involve an attacker somehow gaining more privileges than they should have. Privileges, also called permissions (|pəˈmɪʃn|), are access rights granted by the operating system, controlling who is allowed to read and write files, directories, and attributes of files and directories (such as the permissions for a file), who can execute a program, and who can perform other restricted operations such as accessing hardware devices and making changes to the network configuration. File permissions and access control in OS X are discussed in File System Programming Guide.

          restrict |rɪˈstrɪkt| transitive verb: to limit

          grant |grɑːnt, American grænt| transitive verb: to allow, to permit

          involve |ɪnˈvɒlv| transitive verb: to require, to affect

          exploit noun: heroic deed, romantic escapade; transitive verb: to develop, to make use of, to take unfair advantage of, to abuse

          literature |ˈlɪtrətʃə(r), American -tʃʊər| noun (uncountable): literary works; promotional material

    Of particular interest to attackers is the gaining of root privileges, which refers to having the unrestricted permission to perform any operation on the system. An application running with root privileges can access everything and change anything. Many security vulnerabilities involve programming errors that allow an attacker to obtain root privileges. Some such exploits involve taking advantage of buffer overflows or race conditions, which in some special circumstances allow an attacker to escalate their privileges. Others involve having access to system files that should be restricted or finding a weakness in a program—such as an application installer—that is already running with root privileges. For this reason, it’s important to always run programs with as few privileges as possible. Similarly, when it is necessary to run a program with elevated privileges, you should do so for as short a time as possible.

          elevate |ˈelɪveɪt| transitive verb: to raise, to lift; "elevate one's mind": to improve one's mind, to uplift; to promote

          escalate |ˈeskəleɪt| transitive verb: to cause to rise, to intensify, to worsen, to increase

          circumstance |ˈsɜːkəmstəns| noun: condition, situation

          advantage |ədˈvɑːntɪdʒ, American -ˈvæn-| noun: a favourable condition

          involve |ɪnˈvɒlv| transitive verb: to require, to affect, to engage, to implicate, to include

          particular |pəˈtɪkjʊlə(r)| adjective: specific
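The least-privilege advice above, as an added example in POSIX C that is not from Apple's guide or this post: drop privileges in the right order, check every call, verify that the drop cannot be reversed, and hold the elevated state only long enough to open one protected resource. The function names are assumptions; the run in main() uses the caller's own identity, so it exercises every check without needing root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Permanently give up elevated privileges in favour of an unprivileged
 * identity.  Order matters: supplementary groups and the primary group are
 * dropped first, while the process still has the right to change them, and
 * setuid() comes last.  Every result code is checked, because a silently
 * failed drop leaves the program more privileged than it believes. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* real, effective and saved ids */
        return -1;
    /* Verify the drop is irreversible: regaining root has to fail. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid || getegid() != gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Pattern for "elevated for as short a time as possible": the one operation
 * that needs privilege (opening a protected resource) is done first, and the
 * privilege is dropped before anything else happens.  Returns the open
 * descriptor, or -1 if either step fails. */
int open_then_drop(const char *path, uid_t uid, gid_t gid) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        int saved = errno;
        close(fd);       /* never continue with elevated privileges */
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void) {
    /* Constructed run: as a non-root user this "drops" to the current identity,
     * which exercises every check without needing root. */
    int fd = open_then_drop("/dev/null", getuid(), getgid());
    printf("open_then_drop: %s (euid=%d)\n", fd >= 0 ? "ok" : "failed", (int)geteuid());
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```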

    Much access control is enforced by applications, which can require a user to authenticate before granting authorization to perform an operation. Authentication can involve requesting a user name and password, the use of a smart card, a biometric scan, or some other method. If an application calls the OS X Authorization Services application interface to authenticate a user, it can automatically take advantage of whichever authentication method is available on the user’s system. Writing your own authentication code is a less secure alternative, as it might afford an attacker the opportunity to take advantage of bugs in your code to bypass your authentication mechanism, or it might offer a less secure authentication method than the standard one used on the system. Authorization and authentication are described further in Security Overview.

          mechanism |ˈmekənɪzəm| noun: a mechanical device, a component, a mechanism (the way something works)

          bypass |ˈbaɪpɑːs| noun: a side route; transitive verb: to route around, to go past

          opportunity |ˌɒpəˈtjuːnəti, American -ˈtuːn-| noun: a chance; "to miss an opportunity"; a (job or promotion) opening

          alternative |ɔːlˈtɜːnətɪv| adjective: substitute, unconventional; noun: a choice, a possible option

          available |əˈveɪləbl| adjective: obtainable

          scan |skæn| transitive verb (present participle etc. -nn-): to examine closely, to sweep across

          biometrics |ˌbaɪəʊˈmetrɪks| noun (plural, with singular verb): the statistical study of biological data

          grant |grɑːnt, American grænt| transitive verb: to allow, to permit

          authenticate |ɔːˈθentɪkeɪt| transitive verb: to prove genuine

          enforce |ɪnˈfɔːs| transitive verb: to impose compulsorily, to strengthen

    Digital certificates are commonly used—especially over the Internet and with email—to authenticate users and servers, to encrypt communications, and to digitally sign data to ensure that it has not been corrupted and was truly created by the entity that the user believes to have created it. Incorrect or careless use of digital certificates can lead to security vulnerabilities. For example, a server administration program shipped with a standard self-signed certificate, with the intention that the system administrator would replace it with a unique certificate. However, many system administrators failed to take this step, with the result that an attacker could decrypt communication with the server. [CVE-2004-0927]

          decrypt |diːˈkrɪpt| transitive verb: to decode

          unique |juːˈniːk| adjective: sole, one of a kind

          ship |ʃɪp| noun: a large seagoing vessel

          administration |ədˌmɪnɪˈstreɪʃn| noun: management, judicial supervision, execution

          entity |ˈentəti| noun: a thing with distinct existence

          certificate |səˈtɪfɪkət| noun: a diploma, a certificate of qualification


    It’s worth noting that nearly all access controls can be overcome by an attacker who has physical access to a machine and plenty of time. For example, no matter what you set a file’s permissions to, the operating system cannot prevent someone from bypassing the operating system and reading the data directly off the disk. Only restricting access to the machine itself and the use of robust encryption techniques can protect data from being read or corrupted under all circumstances.

          robust |rəʊˈbʌst| adjective: strong, sturdy, powerful, vigorous, thriving

          circumstance |ˈsɜːkəmstəns| noun: condition, situation

    The use of access controls in your program is discussed in more detail in Elevating Privileges Safely.



Secure Storage and Encryption

          encryption |enˈkrɪpʃən| noun 

    Encryption can be used to protect a user’s secrets from others, either during data transmission or when the data is stored. (The problem of how to protect a vendor’s data from being copied or used without permission is not addressed here.) iOS provides a variety of encryption-based security options, such as

          vendor |ˈvendə(r)| noun: a pedlar, a stallholder, a seller

          variety |vəˈraɪəti| noun: diversity

     • passcode to prevent unauthorized use of the device
     • data encryption
     • the ability to add a digital signature to a block of data
     • keychain
     • SSL/TLS secure network communication

          unauthorized |ʌnˈɔːθəraɪzd| adjective: without official permission

    Each service has appropriate uses, and each has limitations. 


    It is a serious mistake to try to create your own encryption method or to implement a published encryption algorithm yourself unless you are already an expert in the field. It is extremely (|ɪkˈstriːmli|) difficult to write secure, robust encryption code that generates unbreakable ciphertext, and it is almost always a security vulnerability to try. For OS X, if you need cryptographic services beyond those provided by the OS X user interface and high-level programming interfaces, you can use the open-source CSSM Cryptographic Services Manager. See the documentation provided with the Open Source security code, which you can download at http://developer.apple.com/darwin/projects/security/. For iOS, the development APIs should provide all the services you need.

          cryptographic ['krɪptəʊ'græfɪk]  [ˌkrɪptə'græfɪk]  adj.: relating to ciphers, written in code

          ciphertext ['saɪfətekst]  ['saɪfəˌtekst] n.: encrypted text; a cipher, coded text

          generate |ˈdʒenəreɪt| transitive verb: to produce

          robust |rəʊˈbʌst| adjective: strong

    For more information about OS X and iOS security features, read Authentication, Authorization, and Permissions Guide.



Social Engineering

    Often the weakest link in the chain of security features protecting a user’s data and software is the user himself. As developers eliminate buffer overflows, race conditions, and other security vulnerabilities, attackers increasingly concentrate on fooling users into executing malicious code or handing over passwords, credit-card numbers, and other private information. Tricking a user into giving up secrets or into giving access to a computer to an attacker is known as social engineering.

          feature |ˈfiːtʃə(r)| noun: a characteristic, an aspect

          eliminate |ɪˈlɪmɪneɪt| transitive verb: to remove, to get rid of

          concentrate |ˈkɒnsntreɪt| intransitive verb: to focus one's attention, to gather, to focus

          trick |trɪk| noun: a ruse, a ploy


    For example, in February of 2005, a large firm that maintains credit information, Social Security numbers, and other personal information on virtually all U.S. citizens revealed that they had divulged information on at least 150,000 people to scam artists who had posed as legitimate businessmen. According to Gartner (www.gartner.com), phishing attacks cost U.S. banks and credit card companies about $1.2 billion in 2003, and this number is increasing. They estimate that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing.

          approximately |əˈprɒksɪmətli| adverb: roughly

          estimate |ˈestɪmət| noun: an approximate calculation

          phishing |ˈfɪʃɪŋ| noun (uncountable): online fraud by deception

          legitimate adjective: lawful

          artist |ˈɑːtɪst| noun: an artist, a painter, an expert

          scam |skæm| noun: a fraud, a swindle

          divulge |daɪˈvʌldʒ| transitive verb: to disclose

          firm 1 |fɜːm| noun: a business

          maintain |meɪnˈteɪn| transitive verb: to keep up, to support

          virtually |ˈvɜːtʃʊəlɪ| adverb: in effect, e.g. "there is virtually no public transport"; in a virtual manner

          citizen |ˈsɪtɪzn| noun: a citizen, a national

          reveal |rɪˈviːl| transitive verb: to disclose


    Software developers can counter such attacks in two ways: through educating their users, and through clear and well-designed user interfaces that give users the information they need to make informed decisions.

          inform |ɪnˈfɔːm| transitive verb: to notify

          informed |ɪnˈfɔːmd| adjective: knowledgeable, well-founded

          counter 1 |ˈkaʊntə(r)| noun: a shop counter, a sales desk, a gaming chip, a counting device

          counter 2 adverb: in the opposite direction; transitive verb: to rebut, to strike back; intransitive verb: to retort



    For more advice on how to design a user interface that enhances security, see Designing Secure User Interfaces.
