These flashcards cover key terms and concepts related to software security from the lecture notes.
Buffer Overflow
A flaw that occurs when more data is written to a fixed-size buffer than it can hold, so the excess spills into adjacent memory (neighbouring variables, saved return addresses, heap metadata); an attacker who controls the data can corrupt program state or redirect control flow.
Stack Memory
The memory region that holds function call frames (return addresses, saved registers, local variables) in Last-In, First-Out (LIFO) order; frames are pushed on function entry and popped on return automatically by compiler-generated code, so the programmer never frees them explicitly.
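The Buffer Overflow and Stack Memory cards above describe the mechanism in words. The following C program is an added example, not from the lecture notes: a struct stands in for a stack frame so that an 8-byte buffer is guaranteed to sit right before a privilege flag (the real order of locals in a frame is chosen by the compiler, which is why a struct is used). The function and struct names, and the inputs in main, are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for one stack frame: an 8-byte name buffer directly followed
   by a privilege flag. The struct makes the adjacency deterministic; in a
   real frame the compiler decides the layout, but the mechanism is the same. */
struct frame {
    char name[8];
    int  is_admin;
};

/* Vulnerable: copies until the terminating NUL with no bound, exactly like
   strcpy(). Once the 8 bytes of name are full, the next bytes land in
   is_admin, which the function then trusts. Returns the (possibly
   corrupted) flag. */
int check_user_vulnerable(const char *input)
{
    struct frame f;
    char *dst = f.name;

    f.is_admin = 0;
    while ((*dst++ = *input++) != '\0')
        ;
    return f.is_admin;
}

/* Hardened: measure first, refuse input that does not fit (instead of
   silently truncating it), then copy a bounded number of bytes.
   Returns the flag, or -1 if the input was rejected. */
int check_user_safe(const char *input)
{
    struct frame f;
    size_t len = strlen(input);

    f.is_admin = 0;
    if (len >= sizeof f.name)
        return -1;                     /* rejected: would overflow */
    memcpy(f.name, input, len + 1);    /* len + 1 <= sizeof f.name */
    return f.is_admin;
}

int main(void)
{
    /* Constructed inputs: a normal name, and an over-long one whose ninth
       byte (0x01) is the byte that ends up inside is_admin. */
    const char *normal   = "alice";
    const char *overflow = "AAAAAAAA\x01";

    printf("vulnerable(normal)   -> is_admin=%d\n", check_user_vulnerable(normal));
    printf("vulnerable(overflow) -> is_admin=%d\n", check_user_vulnerable(overflow));
    printf("safe(normal)         -> %d\n", check_user_safe(normal));
    printf("safe(overflow)       -> %d (rejected)\n", check_user_safe(overflow));
    return 0;
}
```

With the over-long input the vulnerable function reports a non-zero is_admin even though it never set it, because the copy ran past name[7]. In a real stack frame the bytes beyond the buffer would reach the saved frame pointer and return address, which is how an overflow turns into control over execution; the bounded copy refuses the input before any byte is written.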
Heap Memory
Memory used for dynamic allocation at run time (malloc/free, new/delete), where blocks can be requested and released in any order; their lifetime is managed explicitly by the programmer, so mistakes show up as leaks, double frees and use-after-free.
Incomplete Mediation
A weakness where the program does not fully check the data or access requests it receives, for example validating a form field only in the browser, or checking a value once and then trusting it everywhere it is reused; an attacker bypasses the control by supplying input the program never actually inspects.
Race Condition
A flaw where the outcome depends on the relative timing of two or more threads or processes using a shared resource, so an attacker who can influence that timing produces behaviour the programmer did not intend.
Authentication
The process of verifying the identity of a user or system prior to granting access to resources.
Access Control
Mechanisms that restrict access to resources based on user permissions or roles.
Cryptographic Practices
Methods used to secure communications and data, often involving encryption and secure key management.
Least Privilege Principle
A security concept where users are granted the minimum levels of access necessary to perform their functions.
Time-Of-Check to Time-Of-Use (TOCTOU)
A race condition in which a program checks a property of a resource (for example, file permissions looked up by path name) and later acts on it, but the resource is changed between the check and the use, so the result of the check no longer holds when it is relied on.
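The classic TOCTOU on a file system is checking a path with access() and then opening the same path. The following C program is an added example, not from the lecture notes; it contrasts that pattern with the fix of opening first and checking the descriptor. The function names, the scratch directory under /tmp and the files it creates are constructed for the demo.

```c
#define _GNU_SOURCE          /* glibc: exposes O_NOFOLLOW, O_CLOEXEC, mkdtemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: the check (access on a path) and the use (open on the same
   path) are two separate system calls. An attacker who can write to the
   directory can replace the checked file with a symlink between them, and
   open() follows the link to a file the check never saw.
   Returns a descriptor, or -1. */
int open_if_readable_vulnerable(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    /* ---- race window: `path` may now resolve to a different object ---- */
    return open(path, O_RDONLY);
}

/* Hardened: open first, then check the object that was actually opened.
   O_NOFOLLOW makes open() fail if the final component is a symlink, and
   fstat() inspects the inode behind the descriptor, which cannot be swapped
   out from under us. The regular-file, single-link and ownership checks
   reject other substitution tricks (devices, FIFOs, hard links, files
   planted by another user). Returns a descriptor, or -1. */
int open_if_readable_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demo: build a scratch directory (constructed layout) with a regular file
   and a symlink to it, then show that the vulnerable version opens through
   the symlink while the hardened one refuses it. */
int main(void)
{
    char dir[] = "/tmp/toctou_demo_XXXXXX";
    char target[128], link[128];
    int fd;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(target, sizeof target, "%s/secret.txt", dir);
    snprintf(link, sizeof link, "%s/checked.txt", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "top secret\n", 11) != 11)
        return 1;
    close(fd);
    symlink(target, link);          /* what an attacker drops in the window */

    fd = open_if_readable_vulnerable(link);
    printf("vulnerable via symlink: %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);

    fd = open_if_readable_safe(link);
    printf("hardened   via symlink: %s\n", fd >= 0 ? "opened" : "refused");
    if (fd >= 0) close(fd);

    unlink(link); unlink(target); rmdir(dir);
    return 0;
}
```

The demo plants the symlink before the call rather than racing a second thread, because the point is the shape of the fix: there is no way to make a path-based check atomic with a later path-based use, so the hardened version never checks the path at all, only the descriptor it holds. In privileged code the same idea extends to openat() with a directory descriptor and to dropping privileges before the open.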
Input Validation
The process of checking that input conforms to the expected type, length, format and range (syntactic validity) and makes sense in the context it is used (semantic validity) before the program acts on it, preferably by allowlisting acceptable values rather than trying to block known-bad ones.
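The Input Validation card above, and the Incomplete Mediation card earlier, both come down to checking input completely on the server side before trusting it. The following C program is an added example, not from the lecture notes, showing the two styles of check side by side: an allowlist validator for a text field, and a strict numeric parser that closes the gaps strtol() leaves open. The field rules (username 3 to 16 characters, port 1 to 65535) and the function names are assumptions made for the demo.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USER_MIN 3
#define USER_MAX 16

/* Syntactic check with an allowlist: a username is 3..16 characters,
   starts with a lowercase letter and otherwise contains only [a-z0-9_].
   Anything else (quotes, slashes, spaces, non-ASCII) is rejected outright
   rather than escaped. Returns 1 if valid, 0 otherwise. */
int valid_username(const char *s)
{
    size_t len = strlen(s);

    if (len < USER_MIN || len > USER_MAX)
        return 0;
    if (!islower((unsigned char)s[0]))
        return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_'))
            return 0;
    }
    return 1;
}

/* Numeric field: parse a TCP port strictly. strtol() alone is not a
   validator: it skips leading whitespace, accepts a sign, stops at the
   first non-digit and saturates on overflow. Each of those is closed off
   so that only a plain canonical decimal in 1..65535 passes (the range
   check is the semantic part). Returns 1 and stores the value on success,
   0 otherwise. */
int parse_port(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return 0;                     /* empty, leading space or sign */
    if (s[0] == '0' && s[1] != '\0')
        return 0;                     /* non-canonical: "080", "00" */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;                     /* overflow, or trailing junk ("80abc") */
    if (v < 1 || v > 65535)
        return 0;                     /* semantic range check */
    *out = (int)v;
    return 1;
}

int main(void)
{
    /* Constructed inputs covering the normal case and the usual bypasses. */
    const char *users[] = { "alice_01", "al", "Alice", "bob; drop table", "a/../etc" };
    const char *ports[] = { "8080", " 80", "-1", "80abc", "70000", "080", "" };
    int p;

    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("username %-16s -> %s\n", users[i], valid_username(users[i]) ? "ok" : "rejected");
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port     %-16s -> %s\n", ports[i], parse_port(ports[i], &p) ? "ok" : "rejected");
    return 0;
}
```

Both functions run wherever the value is consumed, not just at the user interface: a check that lives only in the browser, or that is done once and then skipped for a cached copy, is exactly the incomplete mediation the earlier card describes.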
Error Handling and Logging
Practices for handling failures safely (failing closed, giving the user a generic message while the detail goes to the log) and for recording security-relevant events so that faults and attacks can be diagnosed afterwards.
Memory Management
The process of efficiently managing a computer's memory resources, including allocation and deallocation of memory.
DNS Cache Poisoning
An attack in which forged DNS responses cause a resolver to cache incorrect address records, so that clients querying that resolver are sent to attacker-controlled hosts for as long as the bogus record lives.
General Purpose Registers
Registers in a CPU that hold data or addresses for arithmetic, comparisons and memory access, such as eax, ebx, ecx and edx on 32-bit x86 (rax, rbx, rcx, rdx and r8 to r15 on x86-64).
Static Data
Global and static variables whose storage exists for the whole run of the program at a fixed address (initialised values in the .data segment, zero-initialised ones in .bss); unlike true constants in .rodata, these values can change at run time.
Error Message
Information a system returns when an operation cannot be completed, often containing hints for troubleshooting; to untrusted users it should stay generic, since stack traces, file paths and query text in an error message give an attacker a map of the system.
Modular Code
Code designed in small, single-purpose modules that promote reusability and ease of maintenance.
Dynamic Memory Allocation
The process of obtaining memory at run time (malloc, new) rather than at compile time, typically from the heap, with the programmer responsible for releasing it again.
Code Testing
The process of verifying that software functions as intended through various types of testing like unit and integration testing.
SQL Injection
A code injection technique against data-driven applications in which malicious SQL is placed in an entry field and, because the application concatenates that input into its query text instead of passing it as a bound parameter, the database executes it as part of the statement.
Cross-Site Scripting (XSS)
A web application vulnerability in which untrusted input is placed into a page without proper output encoding, enabling attackers to inject client-side scripts that run in the browsers of other users who view the page.
Privilege Escalation
Exploiting a bug, design flaw or misconfiguration in an operating system or application to gain access rights beyond those originally granted, whether as a higher-privileged account (vertical) or as another user at the same level (horizontal).
Defense in Depth
A security strategy that uses a series of defensive mechanisms to protect valuable data and information from unauthorized access via multiple layers.