攻击程序使用的最常见方式之一就是利用这些程序向其他程序发出请求的方式。
And one of the most common ways to attack programs is to exploit how they make requests to other programs.
本实例是一个系统攻击程序。仅供读者学习和测试之用,否则后果自负。
This example is to attack a system process. Readers for learning and testing, or else at your peril.
如果您的程序是数据的浏览器或者编辑器——比如文字处理器或者图像显示器——那么那些数据有可能来自攻击者,所以那是不可信的输入。
If your program is a viewer or editor of data—such as a word processor or an image displayer—that data might be from an attacker, so it's an untrusted input.
然后,收集到的信息可以用来分配资源和识别那些可能易受恶意的用户和程序攻击的机器。
The information harvested can then be used to allocate resources and identify machines that may be vulnerable to attack by rogue users and programs.
使用这种模式,可以在一个已知的网络攻击或者病毒程序沿着网络传播期间,暂时地锁定电脑。
Use this mode to temporarily lock down computers during a known network attack or when a malicious program is spreading.
由于这个事实,将所有可执行代码转移到包含0的地址就会使得攻击该程序困难多了。
Since that's the case, moving all executable code to addresses with a 0 in it makes attacking the program far more difficult.
一个异常的系统调用序列就是一个程序有漏洞或受到攻击的确凿证据。
An aberrant system call sequence would be a dead giveaway that the program has a bug or is being attacked.
在SQL注入攻击中,程序会创建一个SQL命令,并将其发送给SQL解释器。
In an SQL injection attack, a program creates an SQL command and sends it to an SQL interpreter.
如果您能不让恶意的数据进入您的程序,或者至少不在程序中处理它,您的程序在面对攻击时将更加健壮。
If you can keep malicious data from entering your program, or at least keep it from being processed, your program becomes much harder to attack.
这个程序允许攻击者包括可以修改SQL命令意义的字符。
The program allows an attacker to include characters that change the meaning of that SQL command.
在当天工作时间快要结束的时候,一个公司里的用户打开了一个垃圾邮箱里的邮件,他打开了它,然后程序的攻击开始了。
At the end of the day, a user within that company opened an email. It went into his spam box, he opened it, and that launched the attack.
如果受攻击的程序是由系统管理员启动的,那么恶意代码将作为原始程序的一部分进行执行,给黑客系统中的管理员特权。
If the attacked program was initiated by a system administrator, the malicious code will then run as a part of the original program, giving the attacker administrator privileges on the system.
网站的访问量收到了绊倒安全机制,让人觉得这个搜索引擎在受到一个垃圾邮件程序的攻击。
The volume of searches the site received tripped safety mechanisms and made the search engine think it was under attack from a spambot.
问题是,如果攻击者可以控制程序用到的底层库,那么攻击者就可以控制整个程序。
The problem is that if an attacker can control the underlying libraries used by a program, the attacker can completely control the program.
在缓冲区溢出攻击的实例中,程序的内部值溢出,从而改变程序的运行方式。
In the instance of a buffer overflow attack, an internal value in a program is overflowed to alter how the program runs.
在缓冲溢出攻击中,黑客利用了程序执行期间存储分配中的特定计算机程序漏洞。
In a buffer overflow attack, the hacker takes advantage of specific type of computer program bug that involves the allocation of storage during program execution.
在模糊测试中,用随机坏数据(也称做fuzz)攻击一个程序,然后等着观察哪里遭到了破坏。
In fuzz testing, you attack a program with random bad data (aka fuzz), then wait to see what breaks.
而根据veracode的Wysopal所说,搜索“gets ”函数——一个臭名昭著的不安全字符串操作——可以揭示很可能易受内存溢出攻击的程序。
And, searching for the function "gets" — a notoriously insecure string operation — can reveal programs that are likely vulnerable to a memory overflow, said Veracode's Wysopal.
同样,并非所有黑客都是攻击者-许多黑客编写保护您的程序!
Also, not all hackers are attackers — many hackers write the programs that defend you!
最近爆发的几起重大数据失窃事件,就是电子邮件和数据系统等网络应用程序遭受黑客攻击的结果。
Yet, most of the major data breaches in recent news have been the result of attacks on Web apps like email and data systems.
从根本上讲,所有这些方法都能减轻从程序接管攻击到拒绝服务攻击的缓冲区溢出攻击所带来的破坏。
Fundamentally, all these approaches reduce the damage of a buffer overflow attack from a program-takeover attack into a denial-of-service attack.
或者,FLOSS是否会更不安全,因为攻击者获得了更多的信息-这会使得进行对程序的攻击更容易吗?
Or, will FLOSS be less secure because attackers have more information — making it easier to create attacks against the program?
动态分析工作的方法与黑客在攻击一个应用程序时所使用的方法十分相似。
Dynamic analysis works in a way very similar to the one a hacker would employ when attacking an application.
这不如永久地去除特权好,因为如果攻击者可以控制您的程序,攻击者就可以重新启用特权并利用它。
This isn't as good as permanently dropping the privilege, since if an attacker can take control of your program, the attacker can re-enable the privilege and exploit it.
这样做可使SQL更加易于维护,且可使您的应用程序免受SQL注入攻击。
Doing so makes the SQL easier to maintain and secures your application from SQL injection attacks.
请记住,内部应用程序总是可以利用外部攻击方法进行攻击。
Keep in mind that internal applications can always take advantage of external methods of attack as well.
测试额外的安全性和可攻击性问题;例如,所部署应用程序上会间接伤害数据中心中其他应用程序的恶意攻击。
Testing for additional security and vulnerability issues; for example, malicious attacks on a deployed application that can indirectly harm other applications in the data center.
然而,研究人员往往可以研究语言和恶意软件程序的特点,获悉攻击者的国籍线索。
However, researchers can often learn clues about the attackers' country of origin by studying the language and other signs in the malicious software's programming.
黑客的目的就是利用自动攻击来寻找应用程序中的漏洞,进而破解应用程序,将数据直接转移到自己手中。
The goal for hackers is to break applications with automated attacks searching for vulnerabilities until the apps crack and spill data straight into the hands of the hackers.
黑客的目的就是利用自动攻击来寻找应用程序中的漏洞,进而破解应用程序,将数据直接转移到自己手中。
The goal for hackers is to break applications with automated attacks searching for vulnerabilities until the apps crack and spill data straight into the hands of the hackers.
应用推荐