http://www.hackerschool.org/HS_Boards/zboard.php?id=HS_Translate&no=15
then you're going to detailed code analysis,
Now you have to analyze the code analysis in detail,
and for that you should definitely have a common *******, that you need to review.
For that, **** you need to know about the ******* that you need to review.
And everyone should be ****** the same *******.
And everyone should ****** the same *******.
We all are experts in different ****.
We all have to add with a different ****.
So you should try to compile it into a huge list, and understand that list.
That is, you have to compile it into a big list and then understand that list.
So that everyone is looking at the same *******.
So everyone is looking at the same *******.
Then **** on the line,
And then, only after you **** on the line,
are can ******** line depending on which were and someone else comes to review
*****************************************************************************
the same ***** there should be a method and there should be some documentation that he or she should be ***************.
*************** he or she should systematize the same ***** and document it.
OK, these others know this is what the application is doing,
OK, these people know what the application does,
this is what they review. Oh, there is a new type of exploit.
and what they are reviewing. Oh, there's a new type of exploit over there.
for a match string exploit, for example; of course, whether it is pretty or not.
Take a match string exploit, for example. Even if it isn't one.
But over here, that taking **********, let's go and look over there; they don't have to spend too much time trying to go through all the **** to look for some new *****.
But here, they don't have the time to get everything about ****. They go looking for new *****.
Threat Analysis. Let's get to trying it.
Threat analysis. Now let's look into it.
I'll be talking about what Threat Analysis is: when, why, who and how.
I'll tell you what threat analysis is, and when, why, by whom and how it is used.
according to C/C++ language ******.
I'll speak in terms of the C and C++ ****** languages.
This part *** will be like an interesting apply.
This part will be *** filled with interesting things.
And I have put in a lot of notes here, simply.
And I've put a lot of simple notes in here.
Because you can report on a lot of this **** after it is well.
Because after you have finished all these things well, you can present on these ****.
This is the very greatest.
These are very excellent.
**** my example, I'm gonna cover these examples very fast ***** very long day. (?)
*******************************************************************************
So, and that's why I think you can download most of this stuff from the Recon site and you can review it again.
That's exactly why you can download these many things from the Recon site and review them.
So, Threat Modeling.
Let's look at threat modeling.
What is Threat Modeling?
Threat modeling is,
It is nothing but an organized method of attacking an application.
******* but an organized system for attacking an application.
So, when you decide that you actually want to attack an application, whether you are the developer or the attacker,
That is, when you decide to attack a developer's or an attacker's application,
you just try to figure it out.
you just have to figure it out.
OK, what is the ***** application? You have a ***** diagram. You have the whole ********* of the application.
Now, you have to ***** diagram the ***** application, or ******** the application.
You should try to figure out the intel application's floor before you even try to look at the core.
Before you figure out the Intel application layer, you have to look at the core.
Before you go to the core level, think about that.
Before going to the core level, think about that once more.
OK, hmmm. It, a...
OK, hmm... uh... ah.
Threat analysis is definitely considered as a systematic method of finding different types, so wonderful.
Threat analysis is ****, regarded as a systematic method of finding different types. Very excellent.
And how do you figure out the different types of *****?
And how do you work out the different types of *****?
That's what we were going to detail, of what we should be looking at. How do we separate?
Now, we have to look at it in detail. How we separate them.
Then we do ****.
And we have to ****.
So, has threat modeling been around for a while? I think so. Ummm...
So, threat modeling is ********. In my opinion.
I mean, just **** security people have formalized **** threat modeling. But if you ******* attackers and hackers have actually been thinking from ****.
I mean, the secure **** people try to formalize **** as threat modeling, but if you ************************.
They think where the ********** input is, and they try to attack that specific area; they might be thinking from the big picture, going ***,
They think about the input *********. And they will think of attacking a peaceful spot. Starting from where the big **** goes.
But actually they have been focusing on the major areas already.
But in fact they are already focused on the important parts.
So it's not really a new *****.
So this is not a new *****.
So, can Threat Modeling really help, and who does it really help? Definitely it would help develop countermeasures.
So, threat modeling really helps those who really need help. Difficult as it is, it will also help with development countermeasures.
How does it help develop countermeasures? Once you know what the major area *****.
How does it help development countermeasures? First you need to know what ***** the important parts do.
Developers don't realize the different types of tricks that could access.
Because developers can't create the different types of tricks that could be accessed.
And that is one of the major problems: that actually in the ********, one ability is a *** in their applications.
And the important part has one problem. In the ********, that is. One ability is ***. In their applications, that is.
So you can educate the developer as well, ******** you can either fix it at the project architecture level itself.
Therefore, you can educate developers to do well. ******** whether or not you can fix the project's level structure yourself.
Or you can educate ************. Aaa, ****
Or you can educate ************. Ah, ****
You can also weigh each threat and figure out how much value to assign to them.
You can also weigh each threat and figure it out, as much value as you assign to them.
By weighing each threat you want to know: is it a local type of exploit, is it a remote exploit, is it ******, is it something that requires the ****** and an admin.
When you weigh a threat there is something you need to know: whether it's a local exploit, a remote exploit, a ******, or a requirement of **** or admin.
You *** assign value according to them, and then say,
You have to *** the assigned value, according to them. ********
OK, if there is a remote exploit, it's something that you want to fix ****,
OK, if there is a remote exploit that you can fix,
**** local exploit, it could probably delay, you know, for *****.
and **** local exploits too. Those have a delay problem.
*********
And the most important part is... to understand risks and threats to the applications.
And this is the most important part: understanding the risks and threats of the application.
There is a *** difference between risks and threats... There is a slight difference between these two.
A threat is basically something that could access in an application.
A threat is something that makes it possible to access the application.
Risk is trying to assign a value to those threats, and figuring that out.
Risk means assigning a value to what is threatened, and figuring them out.
We're going to actually define ********, also what the dictionary and other web sites say.
We will define ********. Also about ****** and other websites.
Whew... this is really hard...
There were many parts I didn't understand either, so I hope the experts can help.
Hit : 1671 Date : 2011/05/09 06:21