Modern CPUs and operating systems collaborate to enforce memory protection. Which of the following is an attack primarily against memory?
A. SQL injection
B. Cross-site scripting (XSS)
C. Object reuse
D. Session hijacking
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Object reuse.
According to the NIST glossary, object reuse refers to “reassignment and reuse of a storage medium containing one or more objects after ensuring no residual data remains on the storage medium.”
However, it’s not uncommon to refer to the “object” as “memory space.” Modern operating systems allocate memory to processes dynamically and reuse it once it is released. The risk of residual data arises if the operating system doesn’t initialize or clear the memory before allocating it to a process.
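To make the reuse risk concrete, here is an added example (written for this post, not from NIST or any real operating system) of a tiny pool allocator that reassigns freed blocks; the pool, its API and the secret value are hypothetical and constructed for illustration. It shows that the second tenant reads the first tenant’s leftover data unless the block is cleared on release.

```c
/* Added example: a fixed-block pool that models how an OS or runtime reuses
 * freed memory. Pool, API and secret are hypothetical, constructed for this post. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 32
#define BLOCK_COUNT 4

static unsigned char pool[BLOCK_COUNT][BLOCK_SIZE];
static bool in_use[BLOCK_COUNT];

/* Hand out the first free block exactly as its previous owner left it. */
static unsigned char *pool_alloc(void) {
    for (int i = 0; i < BLOCK_COUNT; i++) {
        if (!in_use[i]) { in_use[i] = true; return pool[i]; }
    }
    return NULL;
}

/* Insecure release: marks the block free but leaves its contents in place. */
static void pool_free_insecure(unsigned char *p) {
    in_use[(p - &pool[0][0]) / BLOCK_SIZE] = false;
}

/* Secure release: wipe before the block can be reassigned. For buffers the
 * compiler might treat as dead, prefer explicit_bzero() or memset_s(). */
static void pool_free_secure(unsigned char *p) {
    memset(p, 0, BLOCK_SIZE);
    pool_free_insecure(p);
}

/* Two tenants: A stores a secret and releases its block, then B is handed
 * the same block. Returns true if B can read A's secret (object reuse). */
static bool secret_leaks(bool secure_release) {
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
    const char secret[] = "constructed-secret-token"; /* sample value */
    unsigned char *a = pool_alloc();
    memcpy(a, secret, sizeof secret);
    if (secure_release) pool_free_secure(a); else pool_free_insecure(a);
    unsigned char *b = pool_alloc(); /* B receives A's old block */
    return memcmp(b, secret, sizeof secret) == 0;
}

int main(void) {
    printf("insecure release leaks secret: %s\n", secret_leaks(false) ? "yes" : "no");
    printf("secure release leaks secret:   %s\n", secret_leaks(true) ? "yes" : "no");
    return 0;
}
```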
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is “a vulnerability that allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between the website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable.”
Source: NIST SP 800-63-3
SQL injection refers to “attacks that look for web sites that pass insufficiently-processed user input to database back-ends.”
Source: NISTIR 7682
Session hijacking is “an attack in which the attacker is able to insert himself or herself between a claimant and a verifier subsequent to a successful authentication exchange between the latter two parties. The attacker is able to pose as a subscriber to the verifier or vice versa to control session data exchange. Sessions between the claimant and the RP can be similarly compromised.”
Source: NIST SP 800-63-3
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.