Defending classes with 'magic numbers'
A few months ago I read a book on security practices, and it suggested the following method for protecting our classes from overwriting with e.g. overflows etc.:
At least this is as I remember it. I'm coding a file encryptor for learning purposes, and I'm trying to make this code exception safe.
So, in which scenarios is it useful, and when should I use this method, or is this something totally useless to count on? Does it depend on the compiler or OS?
PS: I forgot the name of the book mentioned in this post, so I cannot check it again. If any of you know which one it was, please tell me.
What you're describing sounds like a Canary, but within your program, as opposed to the compiler. This is usually on by default when using gcc or g++ (plus a few other buffer overflow countermeasures).
If you're doing mutable operations on your class and you want to make sure you don't have side effects, I don't know if having a magic number is very useful. Why rely on a homebrew validity check when there are methods out there that are more likely to be successful?
Checksums: I think it'd be more useful for you to hash the unencrypted text and add that to the end of the encrypted file. When decrypting, remove the hash and compare the hash(decrypted text) with what it should be.
I think most, if not all, widely used encryptors/decryptors store some sort of checksum in order to verify that the data has not changed.
This type of a canary will partially protect you against a very specific type of overflow attack. You can make it a little more robust by randomizing the canary value every time you run the program.
If you're worried about buffer overflow attacks (and you should be if you are ever parsing user input), then go ahead and do this. It probably doesn't cost too much in speed to check your canaries every time. There will always be other ways to attack your program, and there might even be careful buffer overflow attacks that get around your canary, but it's a cheap measure to take so it might be worth adding to your classes.
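The per-run randomized canary discussed in the answers above, as an added C++ example that is not part of the original posts. `GuardedRecord` and its helpers are hypothetical names, and `std::random_device` is assumed to be an adequate source for the guard value.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <random>

// Guard value drawn once per process, so it differs between runs.
inline std::uint64_t guard_value() {
    static const std::uint64_t v = [] {
        std::random_device rd;
        return (std::uint64_t{rd()} << 32) | rd();
    }();
    return v;
}

// Standard-layout record (hypothetical): the buffer sits between two guards.
struct GuardedRecord {
    std::uint64_t head;
    char name[16];
    std::uint64_t tail;
};

inline void init(GuardedRecord& r) {
    r.head = r.tail = guard_value();
    std::memset(r.name, 0, sizeof r.name);
}

// True while both guards still hold this run's value.
inline bool intact(const GuardedRecord& r) {
    return r.head == guard_value() && r.tail == guard_value();
}

// Models an unchecked copy by writing into the object's own bytes from `name`
// onward; n is clamped to the object so the demonstration stays well-defined.
inline void unchecked_copy(GuardedRecord& r, const char* src, std::size_t n) {
    const std::size_t off = offsetof(GuardedRecord, name);
    if (n > sizeof r - off) n = sizeof r - off;
    std::memcpy(reinterpret_cast<unsigned char*>(&r) + off, src, n);
}

int main() {
    GuardedRecord r;
    init(r);
    char junk[24];
    std::memset(junk, 'A', sizeof junk);
    unchecked_copy(r, junk, sizeof junk);  // runs past name[] into tail
    return intact(r) ? 1 : 0;              // 0: the overwrite was detected
}
```

A write that stays inside `name` leaves both guards untouched, so `intact` reports nothing for that kind of corruption.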