Part 1: Recap (2020/12/5)
Déjà vu
- Concurrency – Dining philosophers
- Complexity – Big O notation, O(n)
- Hash function – One-way hash
- SQL – Select * from …
- SDLC – Software Development Life Cycle
Part 2: Incidents
PChome News: http://news.pchome.com.tw/magazine/report/li/i.Thome/9848/137511360054226075005.htm
Incidents
- 2013.07.18 Apple Developer website
- 2013.08.19 Facebook
Nownews: http://www.nownews.com/2013/08/19/334-2976481.htm
Incidents
- 2013.07.18 Apple Developer website
- 2013.08.19 Facebook
- 2013.05.12 Ministry of Economic Affairs website
ETtoday: http://www.ettoday.net/news/20130512/206205.htm
Part 3: Reasoning
DB log
Liberty Times: http://www.libertytimes.com.tw/2007/new/jan/10/today-life10.htm
Case Study IV
- Concurrency control was not considered – as a result, more than one person held the same number at the same time
Part 4: Solutions
Solutions
- Case Study
- OWASP
- Vulnerability scanning and remediation: experience sharing
- Concurrency in system design
IIS 6: restricting execution in a directory
IIS 7: restricting execution in a directory
- Specified in that directory's web.config
Case Study II
- SQL Injection
  - Select * from tbl.A where id=
  - The value after id= is an external parameter
  - There is no check that it matches the format of an id
  - If it equals 1' Drop table tbl.A – what happens?
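An added illustration of Case Study II, not from the slides: in Python with an in-memory SQLite table standing in for tbl.A (table name tblA is assumed), the concatenated query lets the parameter rewrite the SQL text, while a format check plus a bound parameter keeps it as plain data.

```python
import re
import sqlite3

PAYLOAD = "1' Drop table tblA"  # the input discussed on the slide (table name assumed)


def make_db():
    # Constructed stand-in for the slide's tbl.A: a tiny in-memory table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblA (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO tblA VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def build_query_unsafe(user_id: str) -> str:
    # The vulnerable pattern: the external parameter is pasted into the SQL text,
    # so whatever it contains becomes part of the statement instead of a value.
    return "SELECT * FROM tblA WHERE id=" + user_id


ID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_id(user_id: str) -> bool:
    # First defence: reject anything that does not match the id format.
    return ID_RE.fullmatch(user_id) is not None


def lookup_bound(con, user_id):
    # Second defence: bind the value as a parameter. The driver never treats it
    # as SQL, so a crafted string simply matches no row and nothing is dropped.
    return con.execute("SELECT * FROM tblA WHERE id=?", (user_id,)).fetchall()


def lookup_safe(con, user_id: str):
    # Both together: validate the format, then bind the parameter.
    if not is_valid_id(user_id):
        raise ValueError("id does not match the expected format")
    return lookup_bound(con, int(user_id))


def table_exists(con, name: str) -> bool:
    # Used to confirm that the bound query left the table intact.
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None
```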
OWASP
- Open Web Application Security Project
- Web site: https://www.owasp.org/
- OWASP Top 10
OWASP Top 10
Application Security Risk (OWASP website)
OWASP Risk Rating Methodology (OWASP Top 10 - 2013)
A1. Injection (OWASP Top 10 - 2013)
A2. Broken Auth. & Session Management (OWASP Top 10 - 2013)
A3. Cross-Site Scripting (XSS) (OWASP Top 10 - 2013)
Top 10 Risk Factor Summary
Evolution of security vulnerabilities over the past 10 years

| OWASP Top Ten 2004                               | OWASP Top 10 – 2010                             | OWASP Top 10 – 2012                                      |
|--------------------------------------------------|-------------------------------------------------|----------------------------------------------------------|
| A1 - Unvalidated Input                           | A1 - Injection                                  | 2013 A1 - Injection                                      |
| A2 - Broken Access Control                       | A2 - Cross Site Scripting (XSS)                 | A2 - Cross Site Scripting / XSS (2013: A3)               |
| A3 - Broken Authentication and Session Management| A3 - Broken Authentication and Session Management| A3 - Broken Authentication / Session Management (2013: A2)|
| A4 - Cross Site Scripting (XSS) Flaws            | A4 - Insecure Direct Object References          | A4 - Insecure Direct Object References                   |
| A5 - Buffer Overflows                            | A5 - Cross Site Request Forgery (CSRF)          | A5 - Cross Site Request Forgery                          |
| A6 - Injection Flaws                             | A6 - Security Misconfiguration                  | A6 - Security Misconfiguration                           |
| A7 - Improper Error Handling                     | A7 - Insecure Cryptographic Storage             |                                                          |
| A8 - Insecure Storage                            | A8 - Failure to Restrict URL Access             |                                                          |
| A9 - Denial of Service                           | A9 - Insufficient Transport Layer Protection    |                                                          |
| A10 - Insecure Configuration Management          | A10 - Unvalidated Redirects and Forwards        |                                                          |
Is there a simple method?
- Related papers, domestic and international
  - "Applying Decision Tree Algorithms to Web Log Analysis" (應用決策樹演算法於網頁日誌分析), TANET 2011, 李仁鐘 et al.
  - "Blocking of SQL Injection Attacks by Comparing Static and Dynamic Queries", J. Computer Network and Information Security, 2013, Jaskanwal Minhas et al.
NTU's experience: setting up lines of defence for information security
- First line: build a firewall
  - L7 firewall, application layer protection
- Second line: introduce an information security management system
  - ISO, SOP
- Third line: introduce a code review & audit mechanism
  - Code review software
Using a code review tool
- 3 analyzers
  - Static Code Analyzer
  - Program Trace Analyzer
  - Real Time Analyzer
  - http://www.gss.com.tw/index.php/sca
Using a code review tool
Vulnerability scan example
Remediation examples
- SQL injection
- XSS script
- Hardcoded password
Example of a normal web page
XSS example
XSS after remediation
Remediation example 3 – Hardcoded Password: original code / remediated code
Differences between commonly used functions
- Encoding: Base64, HTML Encode
  - data → f(data) → output value
- Encrypt: AES
  - data → f(data, key) → output value
- Hash function: MD5, SHA1
  - data → f(data) → output value
Vulnerability remediation history
Dining philosophers
There should be one chopstick on each side, but how would foreigners come up with a chopstick example? Could this example have been thought up by Chinese people?
- 3 States
  - Think
  - Hungry
  - Eat
- Traps
  - Livelock
  - Deadlock
  - Starvation
(Source: Wikipedia)
ATM withdrawal example
ATM withdrawal example
ATM withdrawal example: if the balance is below 1000, the steps below do not need to run; rollback and end the transaction
Transaction management
- Database Transaction
  - Concurrency Control
  - Failure Recovery
  - Scheduling
  - …
  - Go and read a database textbook properly
- Slides: 91