HOME

TheInfoList



Click Here for Items Related To - Hardening (computing)
OR:
Hardening (computing) on:   [Wikipedia]   [Google]   [Amazon]

In
computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
, hardening is usually the process of securing a system by reducing its
attack surface The attack surface of a software environment is the sum of the different points (for " attack vectors") where an unauthorized user (the "attacker") can try to enter data to, extract data, control a device or critical software in an environment. Ke ...
, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or
login In computer security, logging in (or logging on, signing in, or signing on) is the process by which an individual gains access to a computer system or program by identifying and authenticating themselves. Typically, user credential ...
s, and the disabling or removal of unnecessary services. Hardening measures can include setting up intrusion prevention systems, disabling accounts, reducing
file system permissions Typically, a file system maintains permission settings for each stored item commonly files and directories that either grant or deny the ability to manipulate file system items. Often the settings allow controlling access based on function s ...
and using encrypted network connections.


Binary hardening

Binary hardening is a security technique in which binary executables are analyzed and modified to protect against common exploits. Binary hardening is independent of compilers and involves the entire
toolchain A toolchain is a set of software development tools used to build and otherwise develop software. Often, the tools are executed sequentially and form a pipeline such that the output of one tool is the input for the next. Sometimes the term is us ...
. For example, one binary hardening technique is to detect potential buffer overflows and to substitute the existing code with safer code. The advantage of manipulating binaries is that vulnerabilities in legacy code can be fixed automatically without the need for source code, which may be unavailable or obfuscated. Secondly, the same techniques can be applied to binaries from multiple compilers, some of which may be less secure than others. Binary hardening often involves the non-deterministic modification of control flow and instruction addresses so as to prevent attackers from successfully reusing program code to perform exploits. Common hardening techniques are: * Buffer overflow protection * Stack overwriting protection * Position independent executables and
address space layout randomization Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably redirecting code execution to, for example, a pa ...
* Binary stirring (randomizing the address of basic blocks) * Pointer masking (protection against
code injection Code injection is a computer security exploit where a program fails to correctly process external data, such as user input, causing it to interpret the data as executable commands. An attacker using this method "injects" code into the program whi ...
) * Control flow randomization (to protect against control flow diversion)


See also

*
Computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
*
Network security policy A network security policy (NSP) is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. The docum ...
*
Security-focused operating system This is a list of operating systems specifically focused on computer security, security. Similar concepts include security-evaluated operating systems that have achieved certification from an code audit, auditing organization, and trusted operati ...
*
Security-Enhanced Linux Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space to ...


References


External links

* at globalsecurity.org * {{cite web, url= https://www.cisecurity.org/cis-benchmarks , title=CIS Benchmark List at globalsecurity.org Computer security procedures