above
Above this paragraph estimate many friends have seen, programmers have been hacked countless times, in the eyes of others, as if we need to write a Trojan horse, turned over the wall, repair the computer, find resources, but all touch the edge of the computer, we have to be able to go.
Content of this article:
Information security can be roughly divided into three major branches:
-
Network security
-
System security
-
cryptography
The following Xuanyuan Jun on these three fields respectively listed some commonly used hacker technology, part of the technology exists in the field of crossover, it will be classified into the main category.
Network security
SQL injection
The first of the three Web security axes is SQL injection.
The core of SQL injection attack is to make the Web server execute the SQL statement expected by the attacker, so as to obtain the data of interest in the database or to read, modify, delete, insert and other operations to achieve its evil purpose.
How do you get a Web server to execute an attacker’s SQL statement? The usual routine of SQL injection is to place SQL statements in Form or request parameters and submit them to the back-end server. If the back-end server does not perform input security verification and directly takes out variables for database query, it is easy to be fooled.
Examples are as follows:
For an interface that gets user information based on the user ID, the SQL statement on the back end typically looks like this:
Where $id is the user ID submitted by the front end, if the front end request looks like this:
If the request parameter id is escaped, it is 1 or 1=1. If the backend does not do security filtering, it is directly submitted to the database query, and the SQL statement becomes:
The result is to find out all the data in the user table, to achieve the purpose of hackers to leak data.
The above is a very simple example. Parameter construction and SQL statements are much more complex in a real SQL injection attack, but the principles are the same.
Defense: Checks the input and blocks the input with SQL statement features
Focus on: front-end engineers, Web back-end engineers
XSS attacks
The second of the three Web security axes, called Cross Site Scripting, has been changed to another acronym XSS to distinguish it from overlapping style sheet CSS.
reflective
2. After the user clicks, the JS is sent to the back end of the Web server as a request parameter
3, the back-end server does not check filtering, simple processing into the web page body back to the browser
4, browser parsing returned web page, trick!
Storage type
1. The attacker’s webpage reply contains JS script
2. After the reply is submitted to the server, it is stored in the database
3, other users view the post, background query the post’s reply content, build a complete web page, return to the browser
4, the user browser rendering back to the web page, trick!
Defense: Perform content detection on both the front and back ends to filter out intrusion from executable scripts
Focus on: front-end engineers, Web back-end engineers
CSRF attacks
The attack diagram is as follows:
The core idea is that in the case of opening website A, another Tab page is opened to open malicious website B. At this time, under the “instigation” of page B, the browser initiates an HTTP request to website A. This process is harmful in two ways:
1, this HTTP request is not the user’s active intention, but B “instigated”, if it is a more harmful request operation (send an email? Delete the data? Etc.) That’s a problem
2. Since the website OF A has been opened before, the browser has cookies or other information for identity authentication issued by A. This “instigated” request will automatically carry these information, and the backend of the website of A is not clear whether this is the real intention of the user
Focus on: front-end engineers, Web back-end engineers
DDoS attack
DDoS Full name Distributed Denial of Service: Distributed Denial of Service attack. It’s an upgraded version of a denial of service attack. Denial-attack service makes the service unavailable as the name suggests. Often used to attack servers that provide external services, such as:
-
The Web service
-
The mail service
-
DNS service
-
Instant Messaging service
-
.
-
In the early Internet technology is not so developed, DoS attack is a very easy thing: a high-performance computer, write a program multithreading continuously to the request to the server, the server overwhelmed, ultimately unable to process request normal, for other normal customers, look website seems to be unable to access, denial of service is so mean.
Later with the development of technology, now the server is not a server so simple, you visit a www.baidu.com domain name, behind is countless CDN nodes, countless Web servers.
In this case, trying to load a network service with a single computer is like trying to get down before the other computer gets down.
Denial-of-service attacks are actually a kind of technology, which can be further subdivided according to different implementation methods:
-
SYN Flood
-
ICMP Flood
-
UDP Flood
-
.
Defense means: Even now, there is no 100% guarantee against DDoS, only some mitigation technologies to reduce the power of the attack to a certain level. These technologies include: traffic cleaning, SYN cookies, and so on.
Focus on: Operation and maintenance engineers, safety engineers
DNS hijacking
Today, HTTP/HTTPS Web services account for most of the Traffic on the Internet. The development of Web services is in full swing, which is inseparable from an unknown major contributor is the domain name resolution system:
It is also because of its importance, people with ulterior motives will not let it go, DNS hijacking technology was invented.
DNS provides a service to convert domain names into IP addresses. However, security was not considered much in the design of early protocols.
-
Is it really a DNS server THAT I’m asking for? Is it someone else’s fake?
-
Have the results of the query been tampered with? Does this IP really belong to this site?
There is no mechanism in the DNS protocol to guarantee the answer to these questions, so DNS hijacking is rampant. From the moment a user enters a domain name into the address bar, there are many dangers along the way:
-
Modify the hosts file on the local computer
-
A Trojan in the local computer modifies replies in DNS packets
-
Nodes in the network, such as routers, modify replies in DNS packets
-
Nodes in the network, such as carriers, modify replies in DNS packets
-
.
Later, in order to verify the received DNS reply on the client side, DNSSEC technology appeared, which can solve part of the above problems to a certain extent. However, due to some reasons, the technology is not widely used, especially in China, where it is rarely deployed.
Later, to Ali, Tencent and other head Internet manufacturers began to launch the httpDNS service, to a move from the bottom to the bottom, although the name of this technology there are DNS three letters, but the implementation and the original but DNS has been very different, through this technology to make DNS into an application service on the HTTP protocol.
Focus on: security engineers, back-end engineers, operation and maintenance engineers
TCP hijacked
TCP is an important member of the TCP/IP protocol family and is located at the transport layer. The protocol itself does not authenticate TCP packets, so knowing the SEQ and ACK elements of a TCP connection makes it easy to fake the packets, pretending that either party is communicating with the other. This process is called TCP Session Hijacking (= temporarily taking control of something)
TCP hijacking is a very old technology and has been favored by hackers since it was proposed in 1995. However, in recent years, with the enhancement of the security mechanism at the operating system level and the improvement of the detection ability of firewall software, this basic attack mode is more and more easy to be discovered, and gradually faded out of people’s view.
Focus on: safety engineers, operation and maintenance engineers
Port scanning technology
Port scanning is a technique frequently used by hackers as an early stage of a network attack to detect which services a target has enabled for subsequent attacks.
Remember just learning network security, we always have nothing to take out tools to sweep, although there is no below after the sweep, also always happy, in front of people who do not understand a show their “hacker” ability.
-
21: FTP file transfer service
-
25: SMTP mail service
-
53: DNS service
-
80: HTTP Hypertext Transfer protocol service
-
135: RPC Remote Procedure call service
-
443: HTTPS -
3389: MSRDP Microsoft Remote Desktop Connection Service
-
.
Port scanning works. For UDP-based services, the SVN sends the corresponding service request packet to check whether there is an answer. For tcp-based services, a three-way handshake is used to send TCP SYN packets and check whether there is a response.
If the remote server responds, it indicates that the corresponding service is running on the peer server. Next, it further discovers the operating system used by the peer server, the type and version of the server program running, and then launches network attacks against the corresponding vulnerability program.
Therefore, for the sake of security, we should expose as little information as possible on the Internet and close the service ports that are not needed.
Defense: Use security products such as firewalls to detect and block illegal scanning and detection behaviors in a timely manner.
Focus on: Operation and maintenance engineers, safety engineers
System security
The techniques in the system security section generally mean that the attack occurs on the terminal and is closely related to the operating system.
Stack overflow attack
Stack overflow attack has a long history and is the most basic attack on the system side.
One of the biggest problems with the von Neumann system on which modern computers are based is that data and instructions are stored in memory.
In the computer’s memory, it contains both all code instructions for the program to run, and all kinds of data such as input and output of the program to run, and there is no mandatory mechanism to distinguish instructions from data. Because they are all the same binary zeros and ones to a computer, most of the time it is up to the program to interpret the zeros and ones in memory according to a set of “rules.” And when these “rules” are misunderstood, things go wrong.
Specifically, our modern CPU and OS, no matter x86 / X64 processor or ARM processor, all adopt the design of register + stack, and this stack not only contains the variable data and other information in each function stack frame of the program running, but also saves the return address generated by the function call.
The so-called stack overflow attack is to enter the buffer in the stack by some means, break through the original limit of the buffer, and overwrite the location of the stored return address as a value, so that it points to the location of malicious code arranged by the attacker in advance, and hijack the execution process of the program.
Defense: Modern operating systems have very mature solutions to Stack overflow attacks, such as Stack Canary on Linux, GS on Windows, etc. Programmers need to take full advantage of these mechanisms.
Focus: C/C++ engineers
Integer overflow attack
Like stack overflow attacks, integer overflow attacks also belong to overflow attacks. The difference is that the target of overflow is not the buffer in the stack, but an integer.
We know that computer values are represented and stored in the form of complement. When representing a signed number, the highest bit is used to indicate whether it is a positive (0) or a negative (1). For example, for a 16-bit short variable, +1 and -1 are represented as follows:
A 16-bit short variable represents a range from -32768 to 32767. Now consider the problem that a short variable is now 32767:
If +1 is now applied to it, it becomes:
And that’s the complement of -32768!
Imagine if the variable was called length as a strcpy parameter, or index as an array subscript. An overflow of integers would have terrible consequences, ranging from process crashes and service outages to remote code execution and loss of control.
Focus: all programmers
Null pointer attack
A null pointer typically occurs when the pointer is not initialized, or when object creation/memory allocation using new fails and a careless programmer does not check to see if the pointer is null and accesses it.
In most cases, this will cause memory access exceptions and the program will crash and exit, causing denial of service
Use attack after release
To Use After Free means to access a memory block that has been freed. More often in attacks on the browser’s JavaScript engine.
Normally, a freed object cannot be accessed again, but if the programmer is careless enough to delete the object without setting the pointer to NULL and then continue to use the pointer to access the object later (such as calling a virtual function from the object’s virtual table pointer), memory access exceptions will occur.
In the above scenario, if an attacker immediately creates a new object of the same memory size after deleting an object, the heap memory management algorithms of modern operating systems will have a high probability of placing the new object at the same location as the newly deleted object. This time also through the original object of the pointer to visit, will appear hatoyama occupy the magpie nest, there are terrible consequences.
Make it a good programming practice to empty the pointer immediately after an object is deleted.
Focus: C/C++ engineers
HOOK
The word HOOK is used in computer programming to change the flow of a program.
In an era when the Internet was rife with rogue software, a keylogger Trojan was popular to record users’ keystrokes and steal passwords, of which QQ was the hardest hit.
The technology to achieve this function is to use HOOK technology, HOOK to the event message of the keyboard.
In addition to message hooks, hooks at the process level of program execution are more commonly used. After the malicious code is injected into the target program, jump instruction is added at the function entrance, causing the thread executed here to execute the attacker’s code instead, realizing the purpose of modifying parameters and filtering parameters.
HOOK technology is not only used by hackers, but also by security software. Security software needs to guard the security line of the whole system. Through HOOK technology, checks are set up at various sensitive APIS to resist illegal calls and attacks.
In addition, HOOK technology is often used in software patching technology. After software manufacturers discover the vulnerability of the original program, they modify the execution logic of the existing program through HOOK, so as to achieve the purpose of repairing the vulnerability.
Focus: C/C++ engineers
Elevated privileges
Modern operating systems provide permission management for processes and threads running in them, because security attacks are inevitable, and permission restrictions serve as an effective barrier to minimize the impact of program attacks.
In other words, even if our program was attacked to execute malicious code for vulnerability reasons, there is a limit to what malicious code can do because of the operating system’s permission controls.
Just like a coin always has two sides, there are limits on authority, naturally there will be permission to improve. If an attacker wants to do more, he or she has to go beyond the limits of the operating system and gain more privileges.
On Windows, it is often called to get administrator privileges.
On Linux, it is often called “get Root”, which is the same for mobile phones.
On iOS, it’s often called jailbreak.
Permissions can be promoted in a variety of ways. Generally speaking, when a program executes, the owning process/thread has a security token that identifies its security level and is audited by the operating system kernel when accessing resources and performing actions.
The goal of permission promotion is to change this security token to a high-level token, so that the token can pass the security audit of the system when the user accesses sensitive resources and performs sensitive actions.
Focus: Safety engineers
Trusted computing
Security attacks are everywhere, not only the application environment is unreliable, but even the operating system kernel environment is full of risk.
What if a procedure, such as a payment, has to be performed in an extremely secret environment?
Trusted computing“Has been proposed by security researchers, according to the encyclopedia:
Trusted Computing (TC) is a technology driven and developed by the Trusted Computing Group (Trusted Computing Cluster, formerly known as TCPA). Trusted computing is a trusted computing platform supported by hardware security modules that is widely used in computing and communication systems to improve the overall security of the system [1]. The endorsement key is a 2048-bit RSA public and private key pair that is randomly generated at the chip factory and cannot be changed. This private key is always on the chip, and the public key is used to authenticate and encrypt sensitive data sent to the chip.
One of the most important concepts in Trusted computing is the Trusted Execution Environment (TEE), which simply means building a secret base inside the world of the existing computer to run extremely secret programs. The secret base is easily inaccessible even to the operating system, let alone the applications that run on top of it.
In the mobile terminal, ARM chips occupy the mainstream market. ARM chips provide a technology named TrustZone technology, which adds a trusted computing environment at the hardware level, including a trusted OS and some trusted apps. It is isolated from the common environment at the hardware level, and the processor communicates internally to complete the interaction between the two worlds.
Focus: Terminal system engineer
cryptography
Due to the risk of information leakage, tampering and forgery in the process of data transmission, encryption technology arises at the historic moment.
Symmetric encryption & asymmetric encryption
Encryption involves decryption. According to whether the key used in encryption is the same as that used in decryption, encryption algorithms are divided into two categories: symmetric encryption and asymmetric encryption.
Symmetric encryption was the first encryption technique to appear
-
Symmetric encryption: The encryption key is the same as the decryption key, and the encryption speed and efficiency are high. Commonly used symmetric encryption algorithms are:
-
DES
-
AES
-
RC4
A key problem in this encryption method is that the decryptor needs to get the key to decrypt, and the key key transmission through the network will face the risk of insecurity, which becomes a chicken-and-egg problem.
So an epoch-making technology in communication technology was invented, which is asymmetric encryption!
-
Asymmetric encryption: The encryption key is inconsistent with the decryption key. It is characterized by a complex algorithm but high security. Asymmetric encryption keys are classified into public keys and private keys. The public key is public and the private key is confidential. It is used for digital authentication, such as server authentication in the handshake phase in HTTPS. Commonly used asymmetric encryption algorithms are:
-
RSA
-
DH
-
ECC (Elliptic Curve Encryption)
It is no exaggeration to say that without asymmetric encryption, the Internet would never have developed to the heights it has today.
Key exchange technology
In Internet communication, there is encryption, there is decryption, decryption naturally need a key, then how to tell the key to the other party? Key exchange algorithm is to solve this problem: how to safely transfer the key to each other?
-
The server is responsible for generating a pair of public and private keys. The public key tells the client and the private key keeps itself
-
After obtaining the public key, the client uses it to encrypt and transfer the symmetric encryption algorithm key for subsequent communication
-
The server uses the private key to decrypt and retrieve the key
-
In the future, the two parties can transmit and communicate through symmetric encryption
The above example is not just an example; in earlier versions of HTTPS, this is how key exchanges were performed. In later versions, another key exchange algorithm called DH and its variants became more and more popular.
The full name of DH is Diffie-Hellman, which is formed by two mathematicians. The core of this algorithm is the exchange of keys based on mathematical operations.
Information summarization algorithm
In fact, the information summarization algorithm is not a encryption algorithm, the premise of encryption is that it can be restored through decryption, and the purpose of the information summarization algorithm is not to protect the data, nor can it be decrypted and restored.
In some contexts, we hear less about information summaries and more about the noun hash
One of the purposes of the information summarization algorithm is to verify the correctness of the data, the algorithm is open, the data through the algorithm to obtain a summary value, after receiving the data through the algorithm to calculate the summary, before and after comparison to know whether there is tampering.
Commonly used information summarization algorithms are:
-
MD5
-
SHA1
-
SHA256
Data coding technique
Strictly speaking, data encoding is not an encryption algorithm, because the purpose is not to encrypt either, but to encode data for transmission.
The most common encoding algorithm is Base64, which is mostly used for encoding binary data. After encoding invisible characters, it converts them into text composed of 64 common characters, which is easy to print, display, transfer and store. Such as mail EML format, the attachment file through base64 encoding.
In addition to Base64, there is Base58, which is commonly used to encode bitcoin wallet addresses. Base family also base85, base92, base128 and many other algorithms. They differ not only in the character sets involved in the encoding, but also in the algorithm execution.
Multi-factor authentication technology
When it comes to authentication, the most common scenarios are login, payment and so on. The traditional authentication technology is cryptographic technology, but with the increasingly rampant network attacks and Internet penetration into every aspect of people’s life, the security of the traditional cryptographic technology is not enough to meet the development of the Internet.
Multi-factor authentication refers to the use of two or more authentication methods to complement the traditional password authentication. With the development of ARTIFICIAL intelligence technology, biometric authentication technology advances by leaps and bounds:
-
Fingerprint authentication
-
The iris certification
-
Face recognition
-
.
At present, there are three mainstream multi-factor authentication platforms at home and abroad:
-
FIDO is an international standard. In China, Yipay, Baidu Wallet, JINGdong Wallet, Webank and so on have been applied
-
IFAA, Ali department, with the advantages of Ali in the field of e-commerce, also attracted many followers.
TUSITencent is
conclusion
This paper lists some common information security technology, mainly divided into network security, system security and cryptography three fields.
Information security technology is not just a matter of security engineers, as a programmer, understanding these technologies will help us better
Build The World!
Knowledge is shared! Welcome to the previous article ~
Private letter xiaobian can enter the source code base! Love you, remember three ha!