# Principles of secure programming

5062CEM: Programming and Algorithms 2 (Secure Development)

## Secure Programming

### Standards and Guides

- NCSC 8 principles of secure development: https://www.ncsc.gov.uk/collection/developers-collection
- Clean, maintainable code: https://www.ncsc.gov.uk/collection/developers-collection/principles/produce-clean-maintainable-code
- Security considerations when writing code "in the open": https://www.gov.uk/government/publications/open-source-guidance/security-considerations-when-coding-in-the-open
- NCSC/StSG "problem book": https://www.ncsc.gov.uk/files/Problem%20Book%20v4.0%20for%20Blog%20PDF.pdf
- SAFECode, Fundamental Practices for Secure Software Development: https://safecode.org/wp-content/uploads/2018/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
- ISO/IEC 27034 (application security): https://www.iso27001security.com/html/27034.html

### Technical measures

#### Static checkers

Static checkers read the source without running it and report known-bad patterns (shell commands built from strings, weak hashes, hard-coded secrets, and so on).

- Bandit for Python
- Semgrep for multiple languages
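As an added example (not code from the module page), here is the sort of thing Bandit reports when run over a Python file, beside the fixed form of each function. The function names, the PBKDF2 cost and the sample file content are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile

# ---- "before": two patterns Bandit reports (kept only to be flagged; not called below) ----

def grep_count_unsafe(pattern, path):
    # Bandit: subprocess call with shell=True. `pattern` is spliced into a
    # shell command line, so "x; rm -rf ~" would run as two commands.
    out = subprocess.run(f"grep -c -- {pattern} {path}", shell=True,
                         capture_output=True, text=True)
    return int(out.stdout.strip() or 0)

def hash_password_unsafe(password):
    # Bandit: weak hash. MD5 is fast and unsalted, so stored values are cheap to brute-force.
    return hashlib.md5(password.encode()).hexdigest()

# ---- "after": the same features without the findings ----

def grep_count(pattern, path):
    # Argument list and no shell: the pattern is one argv entry whatever it contains.
    # -F treats it as a fixed string and `--` stops a leading '-' being read as an option.
    out = subprocess.run(["grep", "-c", "-F", "--", pattern, path],
                         capture_output=True, text=True)
    return int(out.stdout.strip() or 0)   # grep exits 1 on no match; that is not an error here

PBKDF2_ITERATIONS = 600_000   # assumed cost; raise it as hardware allows

def hash_password(password, salt=None):
    # Salted, slow, standard-library KDF; the stored string is self-describing.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison; Bandit does not check for this, a code reviewer should.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def demo():
    # Constructed input: a log line that looks like a shell injection attempt.
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as handle:
        handle.write("x; echo PWNED\nordinary line\n")
        path = handle.name
    try:
        matches = grep_count("x; echo PWNED", path)   # 1 match, and nothing is executed
    finally:
        os.unlink(path)
    stored = hash_password("correct horse battery staple")
    return matches, verify_password("correct horse battery staple", stored), verify_password("wrong", stored)

if __name__ == "__main__":
    print(demo())
```

Save this as a file and run `bandit` on it: the two `*_unsafe` functions are reported and the fixed ones are not. The fixed versions show the general shape of the cure, which is to pass data as data (an argv entry, a KDF input) rather than as text the next layer will parse.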
#### Dynamic tools

- valgrind - dynamic analysis for memory and thread problems (such as leaks and use of uninitialised memory) in a running program
- efence (Electric Fence) - a debugging malloc that places an inaccessible guard page next to each allocation, so an overrun faults at the moment it happens (a kind of debugging canary)

#### ASLR, canaries and other compiler security measures

Some reading: https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf

### Practical Encrypted Communications in Python

First, a client that works... ish. It encrypts the connection but trusts whoever answers.

```python
import socket
import ssl

host = '127.0.0.1'
port = 9099

# Use `ncat -nvlp 9099 --ssl` to listen
# Or use the server below...
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # negotiates the best TLS version available
# Verification is deliberately switched OFF for this first attempt (the old
# bare `ssl.SSLContext()` did the same thing silently, and is now deprecated).
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE

with socket.create_connection((host, port)) as sock:
    # Create secure socket
    with context.wrap_socket(sock, server_hostname=host) as ssock:
        print(ssock.version())
        print(ssock.getpeercert())   # empty dict: nothing was verified
        ssock.sendall(b"HELLO ENCRYPTED WORLD!\n")
        ssock.shutdown(socket.SHUT_RDWR)   # Nicely close the encrypted channel
```

The data is encrypted, but we can't verify who we are connecting to. Here's a server that provides a certificate:

```python
import socket
import ssl

port = 9099
cert = "./cert.pem"
key = "./key.pem"

# Needs a self-signed certificate and key generated first, e.g.:
#   openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
#       -keyout key.pem -out cert.pem \
#       -subj "/CN=localhost" -addext "subjectAltName=IP:127.0.0.1"
# -nodes leaves the key unencrypted so load_cert_chain does not prompt for a
# passphrase; the subjectAltName lets a client that checks the hostname
# accept 127.0.0.1 (-addext needs OpenSSL 1.1.1 or newer).
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile=cert, keyfile=key)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
    sock.bind(('127.0.0.1', port))
    sock.listen(5)
    with context.wrap_socket(sock, server_side=True) as ssock:
        conn, addr = ssock.accept()
        print('Connected by', addr)
        with conn:
            while True:
                data = conn.recv(1024)
                if not data:
                    break
                print(f"Received: {data}")
```

Hmmm. But the client doesn't even notice: with verification switched off it accepts whatever certificate it is shown, and `getpeercert()` returns an empty dict. Now to make sure the client requires a certificate, and then to check it against a Certificate Authority (in this case, the certificate itself, since it is self-signed; more on this next year!).

```python
import socket
import ssl

host = '127.0.0.1'
port = 9099

# Use `ncat -nvlp 9099 --ssl` to listen
# Or use the server above...
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode=CERT_REQUIRED and check_hostname=True by default
context.verify_mode = ssl.CERT_REQUIRED           # stated explicitly: refuse any peer without a valid certificate
context.load_verify_locations('./cert.pem')       # trust only our own self-signed certificate

with socket.create_connection((host, port)) as sock:
    # Create secure socket; the handshake raises ssl.SSLCertVerificationError
    # if the peer's certificate is not the one we trust
    with context.wrap_socket(sock, server_hostname=host) as ssock:
        print(ssock.version())
        print(ssock.getpeercert())   # now the verified certificate, as a dict
        ssock.sendall(b"HELLO ENCRYPTED WORLD!\n")
        ssock.shutdown(socket.SHUT_RDWR)   # Nicely close the encrypted channel
```

`PROTOCOL_TLS_CLIENT` turns on both certificate verification and hostname checking, so the handshake only succeeds if the server presents exactly the certificate in `cert.pem` and that certificate names `127.0.0.1`. To verify, try using ncat as a "false" host: `ncat -nvlp 9099 --ssl` generates its own throwaway certificate, and the client should now refuse to talk to it.
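The "false host" check above, automated as an added example (this is not code from the module page). A real server and an impostor each present a different self-signed certificate; the verifying client trusts only the real one, so it must accept the first and refuse the second. Certificates are generated on the fly with the `openssl` binary, so the example assumes OpenSSL 1.1.1 or newer is on PATH; the certificate names, the message and the use of ephemeral loopback ports are assumptions for illustration.

```python
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

MESSAGE = b"HELLO ENCRYPTED WORLD!\n"


def openssl_available():
    """Probe for an openssl binary whose `req` understands -addext (1.1.1+)."""
    if shutil.which("openssl") is None:
        return False
    probe = subprocess.run(["openssl", "req", "-help"], capture_output=True, text=True)
    return "-addext" in probe.stdout + probe.stderr


def make_self_signed(directory, name):
    """Self-signed cert + unencrypted key, with 127.0.0.1 as a SAN so hostname checking can pass."""
    key = os.path.join(directory, f"{name}-key.pem")
    cert = os.path.join(directory, f"{name}-cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", f"/CN={name}",
         "-addext", "subjectAltName=IP:127.0.0.1"],
        check=True, capture_output=True)
    return cert, key


def serve_once(listener, cert, key):
    """Accept one connection, finish the TLS handshake and echo what arrives."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    context.load_cert_chain(certfile=cert, keyfile=key)
    with listener:
        conn, _ = listener.accept()
        try:
            with context.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(tls.recv(1024))
        except (ssl.SSLError, OSError):
            pass  # handshake aborted: the client refused our certificate


def start_server(cert, key):
    """Bind an ephemeral loopback port here so the port is known before the client connects."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    thread = threading.Thread(target=serve_once, args=(listener, cert, key), daemon=True)
    thread.start()
    return port, thread


def connect_verified(ca_file, port):
    """The hardened client from the practical: CERT_REQUIRED plus hostname checking, trusting only ca_file."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.load_verify_locations(ca_file)
    with socket.create_connection(("127.0.0.1", port)) as sock:
        with context.wrap_socket(sock, server_hostname="127.0.0.1") as tls:
            tls.sendall(MESSAGE)
            return tls.recv(1024)


def demo():
    """Returns {'real': echoed bytes, 'impostor': 'rejected: <OpenSSL reason>'}."""
    results = {}
    with tempfile.TemporaryDirectory() as directory:
        real_cert, real_key = make_self_signed(directory, "real-server")
        fake_cert, fake_key = make_self_signed(directory, "impostor")
        for label, cert, key in (("real", real_cert, real_key), ("impostor", fake_cert, fake_key)):
            port, thread = start_server(cert, key)
            try:
                # The client always trusts only the real certificate, whoever is listening.
                results[label] = connect_verified(real_cert, port)
            except ssl.SSLCertVerificationError as err:
                results[label] = "rejected: " + (err.reason or type(err).__name__)
            thread.join(5)
    return results


if __name__ == "__main__":
    print(demo())
```

The impostor's certificate is just as "valid" as the real one in every respect except that it is not the one the client was told to trust, which is the whole point: encryption without a trust decision only protects you from people who are not already in the middle.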