• 微软的STRIDE模型


    微软的STRIDE模型:

    https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

    • Spoofing identity. An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password.——认证(密码、SSL、TLS、SSH...)
    • Tampering with data. Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet.——完整性(Hash、数字签名、ACL...)
    • Repudiation. Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Nonrepudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package.——防抵赖(认证、审计日志...)
    • Information disclosure. Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.——机密性(加密、ACL...)
    • Denial of service. Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability.——可用性(负载平衡、过滤、缓存...)
    • Elevation of privilege. In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.——授权(权限最小化、沙箱...)
      S T R I D E
    外部交互方 Y   Y      
    处理过程 Y Y Y Y Y Y
    数据存储   Y Y Y Y  
    数据流   Y   Y Y  

    数据存储中有日志时,有R抵赖威胁。

  • 相关阅读:
    php中rsa加密及解密和签名及验签
    php中ssl开发的若干问题
    手机web下拉加载
    SVN:One or more files are in a conflicted state
    phpstorm安装laravel-ide-helper实现自动完成、代码提示和跟踪
    Jquery AJAX POST与GET之间的区别
    $.ajax() ,$.post(),$.get() 的用法
    PHP XML和数组互相转换
    [2017-10-25]Abp系列——集成消息队列功能(基于Rebus.Rabbitmq)
    [2017-10-26]Abp系列——DTO入参验证使用方法及经验分享
  • 原文地址:https://www.cnblogs.com/cqufengchao/p/6426040.html
Copyright © 2020-2023  润新知