The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

Index

[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] [Y] [Z]

DACL (discretionary access control list)

daemons, UNIX

Dangerous Data Type Use listing (7-41)

Dangerous Use of IsDBCSLeadByte( ) listing (8-30)

Dangerous Use of strncpy( ) listing (8-2)

data assumptions, ACC logs

data buffers, OpenSSH, vunerabilities

data flow diagrams (DFDs)

data flow, vunerabilities

data hiding

data integrity

     cryptographic signature

     hash functions

     originator validation

     salt values

data link layer, network segmentation

data ranges, lists 2nd

data storage, C programming language

data tier (Web applications)

Data Truncation Vulnerability 2 listing (8-12)

Data Truncation Vulnerability listing (8-11)

data types, application protocols, matching

data verification, application protocols

data-flow sensitivee code navigation

data_xfer( ) function

datagrams, IP datagrams

Date header field (HTTP)

DCE (Distirbuted Computing Environment) RPCs 2nd

DCE (Distributed Computing Environment) RPCs 2nd

DCOM (Distributed Component Object Model) 2nd 3rd

     access controls

     Active X security

     application audits

     application identity

     application registration

     ATL (Active Template Library)

     automation objects, fuzz testing

     DCOM Configuration utility

     impersonation

     interface audits

     MIDL (Microsoft Interface Definition Language)

     subsystem access permissions

DCOM Configuration utility

DDE (Dynamic Data Exchange)

     Windows messaging

DDE Management Library (DDEML) API

de Weger, Benne

deadlocks

     concurrent programming 2nd

     threading

debuggers, code auditing

DecodePointer( ) function

DecodeSystemPointer( ) function

Decoding Incorrect Byte Values listing (8-28)

decoding routines, RPCs (Remote Procedure Calls), UNIX

decoding, Unicode

decomposition, software design

default argument promotions 2nd

default settings, insecure defaults

default site installations, Web-based applications

Default Switch Case Omission Vulnerability listing (7-24)

default type conversions

defense in depth

definition files, RPCs (Remote Procedure Calls), UNIX

DELETE method

delete payloads, ISAKMP (Internet Security Association and Key Management Protocol)

delete_session( ) function

Delivering Signals for Fun and Profitî

demilitarized zones (DMZs)

denial-of-service (DoS) attacks [See DoS (denial-of-service) attacks.]

dependency alnalysis, code audits

DER (Distinguished Encoding Rules), ASN.1 (Abstract Syntax Notation)

Derived-From header field (HTTP)

descriptors, UNIX files

design

     SDLC (Systems Development Life Cycle)

     software

         abstraction

         accuracy

         algorithms

         clarity

         decomposition

         failure handling

         loose coupling

         strong cohesion

         strong coupling exploitation

         threat modeling

         transitive trust exploitation

         trust relationships

         vunerabilities

design conformity checks, DG (design generalization) strategy

desk checking, code audits

desktop object, IPC (interprocess communications)

Detect_attack Small Packet Algorithm in SSH listing (6-18)

Detect_attack Truncation Vulnerability in SSH listing (6-19)

developer documentation, reviewing

developers, interviewing

development protective measures, operational vulnerabilities

     ASLR (address space layout randomization)

     heap protection

     nonexecutable stacks

     registered function pointers

     stack protection

     VMs (virtual machines)

device files

     UNIX

     Windows NT

DeviceIoControl( ) function

DFDs (data flow diagrams)

DG (design generalization) strategies, code audits 2nd

     design conformity check

     hypothesis testing

     system models

Different Behavior of vsnprintf( ) on Windows and UNIX listing (8-1)

Digital Encryption Standard (DES) encryption

Digital Equipment Corporation (DEC) Virtual Memory System (VMS)

dilimiters

     embedded delimiters, metacharacters

     extraneous dilimiters

direct program invocation, UNIX

directionality, stateful firewalls

directories, UNIX 2nd

     creating

     entries

     Filesystem Hierarchy Standard

     mount points

     parent directories

     permissions

     public directories

     race conditions

     root directories

     safety

     working directories

directory cleaners, UNIX temporary files

directory indexing, Web servers

Directory Traversal Vulnerability listing (8-15)

discretionary access control list (DACL)

Distributed Component Object Model (DCOM) [See DCOM (Distributed Component Object Model).]

Division Vulnerability Example listing (6-27)

DllGetClassObject( ) function

DLLs (dynamic link libraries)

     loading

     redirection

dlopen( ) function

DMZs (demilitarized zones)

DNS (Domain Name System) 2nd

     headers

     length variables 2nd 3rd

     name servers

     names

     packets

     question structure

     request traffic

     resource records 2nd

         conventions

     spoofing

     zones

do_cleanup( ) function

do_ip( ) function

do_mremap( ) function

documentation

     application protocols, collecting

     threat modeling

documentation phase, code review 2nd

     findings summary

domain name caches

Domain Name System (DNS) [See DNS (Domain Name System).]

domain names

domain sockets, UNIX 2nd

domains

     error domains

DoS (denial-of-service) attacks

     name validation

DOS 8.3 filenames

Double-Free Vulnerability in OpenSSL listing (7-46)

Double-Free Vulnerability listing (7-45)

double-frees, auditing

doubly linked lists

Dowd, Mark 2nd

Dragomirescu, Razvan

DREAD risk ratings

Dubee, Nicholas

duplicate elements, lists

dynamic content

Dynamic Data Exchange (DDE) [See DDE (Dynamic Data Exchange).]

dynamic link libraries (DLLs) [See DLLs (dynamic link libraries).]