Catálogo de publicaciones - libros

The two main objectives in the first three chapters of this book are to establish the key goals of computer security and to provide an overview of the core principles of secure systems design.

This chapter examines how to architect and design systems that accomplish the security goals covered in Chapter 1. We first spend some time discussing prototypical threats to software, and then discuss how to design security into applications from the beginning. We focus on a number of high-level approaches and trade-offs, and discuss how security is sometimes perceived to be at odds with factors such as convenience and usability. We also discuss the concept of “security by obscurity” and why it is usually not sufficient. We look at security as a game of economics and risk management. Some of the approaches and design principles we cover in this chapter and the next were for the first time described in Jerome Saltzer and Michael Schroeder’s paper, “The Protection of Information in Computer Systems”—we bring them to life and illustrate them with many real-world examples.

While the previous chapter was concerned with high-level approaches and trade-offs in security, this chapter will focus on security design principles. When building a house, there are certain very specific things that a builder will do: roofing shingles are laid so that the higher shingles overlap the lower ones. Flashing is placed over the top of newly installed windows. These specific practices protect the house from water damage, and they flow from a single, general principle: that water needs to run off of a house in waterfall fashion. Similarly, while there are many specific security practices, they flow from a small set of well-accepted principles. Understanding the fundamental principles puts you in the best position to implement specific practices where needed in your own projects.

In this book, we advocate a hands-on approach to learning about security. In addition to reading the chapters in this book, we strongly encourage you to do the exercises that appear at the end of each part. Some of the exercises ask concept-based questions that test your understanding of what you have read, while others are hands-on programming exercises that involve constructing attacks and writing code that defends against them.

This chapter provides a detailed look and some history as to how vulnerable software can impact the entire Internet. Malicious hackers write software that takes advantage of software vulnerabilities to spread worms and infiltrate many machines on the Internet, since much deployed software is vulnerable to attack. If you create software to be fundamentally less vulnerable to attack, then you can minimize the ease with which worms spread. In addition to describing how some worms have worked in detail, we describe other types of malware—such as rootkits, botnets, and keyloggers—and how these have posed threats to the security of the Internet and electronic commerce. The primary purpose of this chapter is to give you a sense of how badly things can go wrong, and give you an idea of what you are up against when you write code.

In this chapter, along with the next few, you’ll learn how to protect code against various threats to ensure an application’s security from the beginning of construction. These chapters are example driven. Knowledge of the C programming language, background with using databases, and/or experience with web and HTML programming will be useful. In the case that you’re not familiar with all of these technologies, we provide an explanation of the code examples so that you can benefit regardless of the technologies you’re most familiar with.

This chapter describes an additional type of attack that can occur due to unvalidated input: client-state manipulation.

In this chapter, you will see that exploiting buffer overflow vulnerabilities in C programs is not the only way for an attacker to take control of a running system. Rather, an attacker might exploit a different class of vulnerabilities that can arise when untrusted data is evaluated in the context of a command or query language. Here, you’ll study SQL injection vulnerabilities as an example of this class of security issues. SQL injection vulnerabilities can affect applications that use untrusted input in an SQL query made to a database back end without taking precautions to sanitize the data.

Many web sites, operating systems, and other types of software have been built to use passwords to authenticate users. Although the security community has been working over the years to move toward systems that use more sophisticated authentication mechanisms, it is likely that password systems will be in use for some time. Hence, it is important to understand the strengths and weaknesses of passwords systems, and how to make them less vulnerable to attacks.

This chapter explores in detail security issues that arise from interactions between multiple web sites or web-based applications that a user is visiting with the same browser. Since such security concerns usually involve web-based resources or applications in two or more different domains,^1 such issues are called cross-domain security issues. The purpose of this chapter is twofold: First, it serves to demonstrate that in security, the “devil is often in the details,” and that an aspect of application security that at first seems fairly straightforward actually turns out to be rather complex. As such, this chapter assumes a deeper knowledge of HTML and web technologies to understand all the detail. You are encouraged to re-read Chapter 7 to freshen up on the basics before attacking this chapter, and also to consult the HTML specification when necessary as you read through this chapter. Second, we believe that to date no comprehensive treatment of cross-domain security is available, and we fill that gap.