Revision as of 15:43, 8 April 2019 edit Nehirdemir (talk \| contribs) 6 edits →Format-string attack prevention ← Previous edit		Revision as of 15:43, 8 April 2019 edit undo Samf4u (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 70,126 edits m Reverted edits by Nehirdemir (talk): disruptive edits (HG) (3.3.5) Tags: Huggle Rollback Next edit →
Line 8: '''Secure coding''' is the practice of developing computer [[software]] in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.<ref name="bss2001">{{Cite book\| last = Viega \| first = John \|author2=Gary McGraw \| title = Building Secure Software: How to Avoid Security Problems the Right Way \| year = 2001 \| publisher = MAddison-Wesley Professional \| pages = 528 \| isbn = 978-0201721522 \| page = }}</ref> Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment. == ~~Ara Bellek~~Buffer-~~taşması~~overflow ~~önlemi~~prevention == [[Buffer overflow]]s, a common software security vulnerability, happen when a process tries to store data beyond a fixed-length buffer. For example, if there are 8 slots to store items in, there will be a problem if there is an attempt to store 9 items. In computer memory the overflowed data may overwrite data in the next ___location which can result in a security vulnerability (stack smashing) or program termination (segmentation fault).<ref name="bss2001"/> [[Ara Bellek Taşması]],İşlemci belirlenen ara bellek uzunluğunu aştığında ortaya çıkan genel yazılım güvenlik açığıdır. Örneğin veri ögelerini saklamak için 8 bölüt varsa,9 veri ögesi saklanmak istenildiğinde problem ortaya çıkar.Bilgisayar belleği taşan veri sorunuyla karşılaştığında verinin bir sonraki yerine üstüne yazma işlemi gerçekleştirir,bu da güvenlik zafiyetine(yığın aşılması) veya programın bitirilmesine(bölümlendirme hatası) sebebiyet verebilir.<ref name="bss2001"/> ~~ara~~An ~~bellek~~example ~~taşmasına~~of ~~eğilimi olan bir C~~a [[C (~~programlama~~programming ~~dili~~language)\|C]] ~~programı~~program prone to a ~~aşağıda~~buffer ~~verilmiştir.~~overflow is<syntaxhighlight lang="c++"> int vulnerable_function(char * large_user_input) { char dst[SMALL]; strcpy(dst, large_user_input); } </syntaxhighlight>~~Eğer~~If ~~kullanıcı~~the ~~hedef~~user ~~bellekten~~input ~~daha~~is ~~büyük~~larger ~~bir~~than ~~girdi~~the ~~verirse~~destination buffer,~~ara~~ ~~bellek~~a buffer ~~taşması~~overflow ~~meydana~~will ~~gelebilir~~occur. BuTo ~~tehlikeli~~fix ~~programı~~this ~~düzeltmek~~unsafe ~~için~~program, ~~strncpy~~use ~~metodu~~strncpy ~~olası~~to ~~ara~~prevent ~~bellek~~a ~~taşması~~possible ~~problemini~~buffer ~~önleyebilir~~overflow.<syntaxhighlight lang="c++"> int secure_function(char * user_input) { char dst[BUF_SIZE]; Line 24: strncpy(dst, user_input,BUF_SIZE); } </syntaxhighlight>~~Diğer~~Another ~~güvenli~~secure ~~seçenek~~alternative ~~ise~~is ~~hafızayı~~to ~~dinamik~~dynamically ~~olarak~~allocate ~~yığın~~memory ~~yapısıyla~~on the heap using ~~ayırmaktır.~~[[malloc]].<syntaxhighlight lang="c++"> char * secure_copy(char * src) { int len = strlen(src); Line 35: return dst; } </syntaxhighlight>~~Yukarıdaki~~In ~~kod~~the ~~parçasında~~above code snippet, the program attempts to copy the contents of '''''src''''' into '''''dst,''''' ~~içeriklerini~~while ~~kopyalar,bunu~~also ~~yaparken~~checking dethe return value of malloc~~'tan~~ ~~gelen~~to ensure that enough ~~dönüş~~memory ~~tipini~~was ~~kontrol~~able ~~eder~~to kibe ~~hedef~~allocated ~~belleğin~~for ~~yeterli~~the ~~hafızası~~destination ~~olsun~~buffer. == ~~Biçim~~Format-~~Dizgi~~string ~~Saldırısı~~attack ~~Önlemleri~~prevention == A [[Format string attacks\|Format String Attack]] is when a malicious user supplies specific inputs that will eventually be entered as an argument to a function that performs formatting, such as [[printf()]]. The attack involves the adversary reading from or writing to the [[Call stack\|stack]]. [[Biçim Dizgi Saldırısı\|Format String Attack]] kötü amaçlı kullanıcının fonksiyon içine argüman olarak spesifik girdiler vererek biçimlendirmeye çalışmasıdır,örneğin [[printf()]] bir biçim-dizgi saldırısıdır.Düşman kişi okuma ve yazma yaparak saldırıyı gerçekleştirebilir. [[Çağrı yığıtı\|stack]]. The C printf function writes output to stdout. If the parameter of the printf function is not properly formatted, several security bugs can be introduced. Below is a program that is vulnerable to a format string attack.<syntaxhighlight lang="c++"> C fonksiyonu çıktıyı stdout a yazar.Eğer parametreler biçimsel olarak uygun değilse,çeşitli güvenlik hatalarıyla karşılaşılabilir.Aşağıda biçim dizgi hatasına sebebiyet verebilecek örnek bir program verilmiştir.<syntaxhighlight lang="c++"> int vulnerable_print(char * malicious_input) { printf(malicious_input); } </syntaxhighlight>~~Programın~~A ~~uygunsuz~~malicious ~~hafıza~~argument ~~okumasından~~passed ~~dolayı~~to ~~sona~~the ~~erdirebilecek~~program ~~hatalı~~could ~~olarak verilebilecek argüman~~be “%s%s%s%s%s%s%s”, ~~parametre~~which can crash the program from improper ~~olarak~~memory ~~verilmiştir~~reads. == Integer-overflow prevention ==

Secure coding: Difference between revisions