written 7.9 years ago by
teamques10
★ 68k
|
•
modified 7.9 years ago
|
- Programmers are not ‘robots’ but human beings who occasionally commit mistakes unintentionally. Some of these mistakes do cause any damage to the program e.g. spelling mistakes. However there are certain mistakes if went un-noticed can cause serious negative implications on the program. Three such common non-malicious programming errors are:
Buffer Overflow:
- A buffer-overflow occurs when a memory reference which is beyond the declared boundary occurs. When an array/ string is declared, a finite memory is reserved for that variable. E.g. int arr[5] will reserve five memory slots.
- When a reference like ‘arr[5]=22;’ the subscript is out of bounds.
- Some compiler check for such errors while some don’t (e.g. C compiler).
- Now, for those which don’t check such errors, the question arises as to Where ‘22’ went since no “Buffer Overflow” error happens.
- The answer to that lies as to what is adjacent to arr[4] (the last element of array). The number ‘22’ will be written in adjacent block of arr[4]. If that location contained any user’ data- that data will be over-written.
- If at the same spot any program is located (system or user) , an attacker can create a fake overflow and place his own software at that location next to arr[4].
- In such manner, an attacker can gain privileges or full control of the OS.
Incomplete Mediation:
- Often secret or private data gets exposed
- Consider a the following URL generated by a user’s browser to access a server: https://www.things.com/order/final&custID=101&part=555A&qy=10&price=10&ship=boat&shipcost=5&total=105
- Instead the user can edit the line as https://www.things.com/order/final&custID=101&part=555A&qy=10&price=1&ship=boat&shipcost=5&total=15
- A forged URL was used to access the server.
Time-of-Check to Time-of-Use errors:
- Non-static Program data is bound to change as time passes.
- In OS/DBMS scenario, transaction values needs to synchronized. If they are not synced properly, improper values will enter the system.
- E.g. X=Rs 1000 $\rightarrow$ A adds Rs 500 ; X=1000+500 $\rightarrow$ B reads X=1000; B adds Rs.200 $\rightarrow$ A writes 1500$\rightarrow$ B writes 1200 (Actual value should have been Rs.1700)
- A attacker can manipulate the bank accounts and move lost money to his personal account.