How are Security Attacks made?

Software exploits

The majority of security attacks involve finding and exploiting undesirable behaviour in existing software. A simple example of this would be a web browser which stored passwords to web sites in a plain text document on the user's computer. Clearly this is not a confidential way to treat this potentially sensitive data. A more complex example might involve exploiting weaknesses of the language the program was written in. For example, buffer overflows are a form of attack which exploits the lack of memory safety in C/C++ and can be used to devastating effect, perhaps to run malicious code on an important network server.

Timing attacks

Sometimes, although software is functionally secure, information about secret data can be deduced from the timing behaviour of a system. For example, a password-checking function written in a particular way might take a time corresponding to how close the guess was to the actual password. This is a security leak which may eventually be exploited.
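
The password-checking leak described above, as an added example that is not part of the original page. It counts byte comparisons instead of measuring wall-clock time so the result is repeatable; the function names and the sample secret are constructed for illustration.

```python
import hmac

def leaky_check(guess: bytes, secret: bytes):
    """Early-exit comparison. Returns (match, byte comparisons performed)."""
    steps = 0
    if len(guess) != len(secret):
        return False, steps
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            # Stops at the first wrong byte, so the amount of work
            # (and therefore the time taken) depends on the secret.
            return False, steps
    return True, steps

def fixed_work_check(guess: bytes, secret: bytes):
    """Visits every byte of the secret and folds differences into one value."""
    steps = 0
    diff = len(guess) ^ len(secret)
    for i in range(len(secret)):
        g = guess[i] if i < len(guess) else 0
        diff |= g ^ secret[i]
        steps += 1
    return diff == 0, steps

def production_check(guess: bytes, secret: bytes) -> bool:
    """Pure Python cannot promise constant time; the standard library
    provides hmac.compare_digest for exactly this purpose."""
    return hmac.compare_digest(guess, secret)

SECRET = b"hunter2!"  # constructed sample secret
GUESSES = [b"xxxxxxxx", b"huxxxxxx", b"huntexxx", b"hunter2!"]

def work_profile(check):
    """Work done by `check` for guesses sharing 0, 2, 5 and 8 leading bytes."""
    return [check(g, SECRET)[1] for g in GUESSES]

if __name__ == "__main__":
    print("leaky:     ", work_profile(leaky_check))       # grows with the matching prefix
    print("fixed work:", work_profile(fixed_work_check))  # identical for every guess
```

The first profile grows with the length of the correctly guessed prefix, which is the leak; the second is the same for every guess of the same length.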

Denial of Service (DoS) attacks

Some attacks have the specific aim of crashing a piece of software, or even a computer itself, and usually do this by starving it of resources. The general method involves finding some command or service which causes the victim computer to allocate extra memory to a task, and then repeating this process at enormous speed so that the target is overrun and eventually crashes.

Other attacks

These are just a few of the possibilities. It should be understood that there are many more methods for attacking secure systems.
