Computer Security Ch 11 - Exam III

a form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software

one of the most common failings in software security

two key areas of concern for any input into a system

a wide variety of program flaws related to invalid handling of input data - occurs when program input data can accidentally or deliberately influence the flow of execution of the program

three types of injection attacks

an attack where input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server

an attack where the user-supplied input is used to construct a SQL request to retrieve information from a database

an attack where the input includes code that is then executed by the attacked system

input provided to a program by one user that is subsequently output to another user - most commonly in scripted Web applications

a vulnerability where the attacker includes the malicious script content in data supplied to a site

a pattern composed of a sequence of characters that describe allowable input variants

the process in which input data is transformed into a single, standard, minimal representation - involves replacing alternate, equivalent encodings by one common values

a software testing technique that uses randomly generated data as inputs to a program with the intent to determine whether the program or function correctly handles abnormal inputs or crashes or fails

a steady reduction in memory available on the heap to the point where it is completely exhausted - resulting in a program crash

multiple processes and threads compete to gain uncontrolled access to some resource

various processes or threads wait on a resource held by the other due to an incorrect sequence of synchronization

key issues from a software security perspective