Page 1482 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

variable).

The user can’t enter an invalid value for the variable types that will hold it (for example, a letter into a numeric variable).

The user can’t enter a value that will cause the program to operate outside its specified parameters (for example, answer a “yes” or “no” question with “maybe”).

Failure to perform simple checks to make sure these conditions are met can result in a buffer overflow vulnerability that may cause the system to crash or even allow the user to execute shell commands and gain access to the system. Buffer overflow vulnerabilities are especially prevalent in code developed rapidly for the web using Common Gateway Interface (CGI) or other languages that allow unskilled programmers to quickly create interactive web pages. Most buffer overflow vulnerabilities are mitigated with patches provided by software and operating system vendors, magnifying the importance of keeping systems and software up to date.
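The three input checks listed above, as an added example that is not code from the study guide: a fixed-size field with a bounded copy beside the unchecked copy the text warns about, a type-and-range check for a numeric field, and an allowed-value check that rejects “maybe” for a yes/no question. The FIELD_MAX size, the form record and its fields (name, age, consent) and the age range 0–150 are assumptions made up for the demo.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fixed-size field for the demo; real limits come from the data model. */
#define FIELD_MAX 16

/* The pattern the text warns about: nothing checks that src fits in dst, so an
 * overlong value writes past the end of the buffer. Kept only as the "before". */
void copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Length check: reject (rather than silently truncate) anything that would not
 * fit, including its terminating NUL. Returns 1 on success, 0 if rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Type check: the field must be a well-formed decimal integer, and a range
 * check keeps it inside the program's stated bounds [lo, hi]. */
int parse_int_in_range(const char *s, long lo, long hi, long *out) {
    char *end;
    long v;
    if (s == NULL || *s == '\0') return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE) return 0;   /* does not fit in a long */
    if (*end != '\0') return 0;      /* trailing junk ("12abc") or no digits at all ("abc") */
    if (v < lo || v > hi) return 0;  /* well-formed but outside the allowed range */
    *out = v;
    return 1;
}

/* Allowed-value check: only "yes" or "no" (any case) is accepted; "maybe" is rejected. */
int parse_yes_no(const char *s, int *out) {
    char buf[8];
    size_t i, n = strlen(s);
    if (n >= sizeof buf) return 0;   /* cannot be "yes" or "no"; also keeps buf in bounds */
    for (i = 0; i <= n; i++) buf[i] = (char)tolower((unsigned char)s[i]);
    if (strcmp(buf, "yes") == 0) { *out = 1; return 1; }
    if (strcmp(buf, "no") == 0)  { *out = 0; return 1; }
    return 0;
}

/* Constructed form record: all three checks run before anything is stored.
 * Any failure leaves the caller's record untouched and returns 0. */
struct form { char name[FIELD_MAX]; long age; int consent; };

int validate_form(const char *name, const char *age, const char *consent, struct form *out) {
    struct form tmp;
    if (!copy_bounded(tmp.name, sizeof tmp.name, name)) return 0;
    if (!parse_int_in_range(age, 0, 150, &tmp.age)) return 0;
    if (!parse_yes_no(consent, &tmp.consent)) return 0;
    *out = tmp;
    return 1;
}
```

Rejecting an overlong value outright, instead of truncating it, is a deliberate choice: a silently shortened name or path can itself change what the program does later, so the safer default is to refuse and report.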



Time of Check to Time of Use

The time of check to time of use (TOCTOU or TOC/TOU) issue is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. For example, if an operating system builds a comprehensive list of access permissions for a user upon logon and then consults that list throughout the logon session, a TOCTOU vulnerability exists. If the system administrator revokes a particular permission, that restriction would not be applied to the user until the next time they log on. If the user is logged on when the access revocation takes place, they will have access to the resource indefinitely. The user simply needs to leave the session open for days, and the new restrictions will never be applied.
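The logon-time permission list described above, as an added example that is not code from the study guide: one session model snapshots the access list at logon and consults the snapshot for every request (the TOCTOU design), the other keeps only the identity and re-checks the live list at each request. The permission bits, the two-entry access list and the user names are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed permission bits and a two-user access list for the demo. */
enum { PERM_READ = 1, PERM_WRITE = 2 };

struct acl_entry { const char *user; unsigned perms; };

static struct acl_entry acl[] = {
    { "alice", PERM_READ | PERM_WRITE },
    { "bob",   PERM_READ },
};
#define ACL_LEN (sizeof acl / sizeof acl[0])

/* The authoritative answer as of right now. */
unsigned lookup_live(const char *user) {
    for (size_t i = 0; i < ACL_LEN; i++)
        if (strcmp(acl[i].user, user) == 0) return acl[i].perms;
    return 0;
}

/* The administrator removes a permission; the access list changes immediately. */
void admin_revoke(const char *user, unsigned perm) {
    for (size_t i = 0; i < ACL_LEN; i++)
        if (strcmp(acl[i].user, user) == 0) acl[i].perms &= ~perm;
}

/* Model 1 (the TOCTOU design the text describes): permissions are resolved
 * once at logon and the session carries that snapshot for its whole life. */
struct cached_session { const char *user; unsigned perms_at_logon; };

struct cached_session logon_cached(const char *user) {
    struct cached_session s;
    s.user = user;
    s.perms_at_logon = lookup_live(user);    /* time of check */
    return s;
}

bool cached_allows(const struct cached_session *s, unsigned perm) {
    return (s->perms_at_logon & perm) != 0;  /* time of use: reads the stale snapshot */
}

/* Model 2 (the fix): the session holds only the identity, and each request
 * consults the live list, so a revocation is enforced on the very next request. */
struct live_session { const char *user; };

bool live_allows(const struct live_session *s, unsigned perm) {
    return (lookup_live(s->user) & perm) != 0;
}
```

The gap between the two models is exactly the window the text describes: after admin_revoke, the cached session keeps granting the revoked permission until it is re-created by a fresh logon, while the live session denies it immediately. Re-checking on every request costs a lookup per access, which is why real systems often cache but bound the cache lifetime rather than keep it for the whole session.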


Back Doors

Back doors are undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions. They are often used during the development and debugging process to speed up the workflow and avoid forcing