Chapter 3.
Program Security
In this chapter
· Programming errors with security implications:
buffer overflows, incomplete access control
· Malicious code: viruses, worms, Trojan horses
· Program development controls against malicious
code and vulnerabilities: software engineering principles and practices
· Controls to protect against program flaws in
execution: operating system support and administrative controls
In the first two chapters, we learned about the
need for computer security and we studied encryption, a fundamental tool in
implementing many kinds of security controls. In this chapter, we begin to
study how to apply security in computing. We start with why we need security at
the program level and how we can achieve it.
In one form or another, protecting programs is
at the heart of computer security because programs constitute so much of a
computing system (the operating system, device drivers, the network
infrastructure, database management systems and other applications, even executable
commands on web pages). For now, we call all these pieces of code "programs." So we need to ask two
important questions:
oHow do we keep programs free from flaws?
oHow do we protect computing resources against
programs that contain flaws?
In later chapters, we examine particular types
of programsincluding operating systems, database management systems, and
network implementationsand the specific kinds of security issues that are
raised by the nature of their design and functionality. In this chapter, we
address more general themes, most of which carry forward to these
special-purpose systems. Thus, this chapter not only lays the groundwork for
future chapters but also is significant on its own.
This chapter deals with the writing of programs. It defers to a
later chapter what may be a much larger issue in program security: trust. The
trust problem can be framed as follows: Presented with a finished program, for
example, a commercial software package, how can you tell how secure it is or
how to use it in its most secure way? In part the answer to these questions is
independent, third -party evaluations, presented for operating systems (but
applicable to other programs, as well) in Chapter 5.
The reporting and fixing of discovered flaws is discussed in Chapter 11, as are liability and software
warranties. For now, however, the unfortunate state of commercial software
development is largely a case of trust your source, and buyer beware.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.