Nataly_w [17]
3 years ago
13

Consider the following general code for allowing access to a resource:

Computers and Technology
1 answer:
Margaret [11]3 years ago
6 0

Answer:

a) The code allows access even when the IsAccessAllowed(...) method fails.

b) Either use if (dwRet == ACCESS_ALLOWED) or use if (dwRet == NO_ERROR) to avoid the flaw.

Explanation:

Let's first see what the code chunk does:

    DWORD dwRet = IsAccessAllowed(...);
    if (dwRet == ERROR_ACCESS_DENIED) {
        // Security check failed.
        // Inform user that access is denied.
    } else {
        // Security check OK.
    }

In the given code, DWORD is basically a data type for double word type integers and this is defined in windows.h.

So there is a DWORD type variable dwRet that is assigned a method call.

The method is IsAccessAllowed(), which checks if access is allowed to the user.

The if (dwRet == ERROR_ACCESS_DENIED) condition basically checks if the value of the DWORD type variable dwRet is equal to ERROR_ACCESS_DENIED.

If this condition evaluates to true then the security check fails and the user is informed via some message or action that the access is denied. But when the if condition evaluates to false then the else part executes, which allows access.

So basically this chunk of code checks if the error ERROR_ACCESS_DENIED is returned.

Now the flaw in this program is: what if the method IsAccessAllowed() fails for any reason? The reasons can be system failure or memory failure. In the memory failure case, for example, the system returns an out of memory error. So this means that the error is not ERROR_ACCESS_DENIED. Instead it is an out of memory error. So in such a case the user is allowed access, as the if condition evaluates to false and the else part executes. So if any other error is produced due to some reason like those mentioned above, then the user has unrestricted access.

This shows that the code should not check for the failure or rely on checking ERROR_ACCESS_DENIED to allow access but instead it should check for success. Code should only give access privilege if access is allowed successfully or no error is produced.

So to avoid this flaw the code is altered as:

    DWORD dwRet = IsAccessAllowed(...);
    if (dwRet == ACCESS_ALLOWED) {
        // Security check OK.
    } else {
        // Security check failed.
        // Inform user that access is denied.
    }

This will only allow access if ACCESS_ALLOWED evaluates to true, and success is checked instead of failure here.

You can also alter the if condition as:

    if (dwRet == NO_ERROR)

or

    if (dwRet == 0)

The above if conditions check if the access is allowed or if no error is produced. Only then will it allow access, otherwise not. So the access check is a success is checked first and failure (for any reason). The user is allowed access only if there is no error; otherwise the user is not allowed access.
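The difference between the two patterns discussed above, as an added example that is not part of the original question or answer. It assumes portable stand-ins for the windows.h names (DWORD and the error constants are defined locally with the Win32 values), and IsAccessAllowed() here is a hypothetical stub that returns whatever outcome the caller asks it to simulate.

```c
#include <stdint.h>
#include <stdio.h>

/* Portable stand-ins for the windows.h names used on the page (assumption:
   values mirror the Win32 error codes; windows.h itself is not included). */
typedef uint32_t DWORD;
#define NO_ERROR                 0u
#define ERROR_ACCESS_DENIED      5u
#define ERROR_NOT_ENOUGH_MEMORY  8u

/* Hypothetical check: the caller passes the outcome to simulate. */
static DWORD IsAccessAllowed(DWORD simulated_result) {
    return simulated_result;
}

/* Pattern from the question: deny only on one specific error (fails open). */
int grant_fail_open(DWORD simulated_result) {
    DWORD dwRet = IsAccessAllowed(simulated_result);
    if (dwRet == ERROR_ACCESS_DENIED) {
        return 0;   /* access denied */
    } else {
        return 1;   /* everything else, including other errors, is granted */
    }
}

/* Pattern from the answer: grant only on explicit success (fails closed). */
int grant_fail_closed(DWORD simulated_result) {
    DWORD dwRet = IsAccessAllowed(simulated_result);
    if (dwRet == NO_ERROR) {
        return 1;   /* access granted */
    } else {
        return 0;   /* denied, or the check itself failed */
    }
}

int main(void) {
    /* Constructed sample outcomes of the access check. */
    const DWORD cases[] = { NO_ERROR, ERROR_ACCESS_DENIED, ERROR_NOT_ENOUGH_MEMORY };
    const char *names[] = { "NO_ERROR", "ERROR_ACCESS_DENIED", "ERROR_NOT_ENOUGH_MEMORY" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-24s fail-open=%d fail-closed=%d\n", names[i],
               grant_fail_open(cases[i]), grant_fail_closed(cases[i]));
    }
    return 0;
}
```

The two functions agree on NO_ERROR and ERROR_ACCESS_DENIED and differ only on the out-of-memory outcome, which is the case the answer describes.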
