跳至內容

英文维基 | 中文维基 | 日文维基 | 草榴社区

用戶:Ek3ru8m4/沙盒

本頁使用了標題或全文手工轉換
維基百科,自由的百科全書

Shellshock,又稱Bashdoor[1],是Bash shell的一系列安全漏洞[2]。最早在2014年9月24日公開。許多互聯網守護行程,如網頁伺服器,使用bash來處理某些命令,從而允許攻擊者在易受攻擊的Bash版本上執行任意代碼。這可使攻擊者在未授權的情況下訪問電腦系統[3]



A simple Shellshock logo, similar to the Heartbleed bug logo

Shellshock, also known as Bashdoor,[1] is a family of security bugs[2] in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.[3]

Stéphane Chazelas contacted Bash's maintainer, Chet Ramey, on 12 September 2014[1] telling Ramey about his discovery of the original bug, which he called "Bashdoor". Working together with security experts, he soon had a patch as well.[1] The bug was assigned the CVE identifier CVE-2014-6271.[4] It was announced to the public on 24 September 2014 when Bash updates with the fix were ready for distribution.[5]

The first bug causes Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables.[1][6] Within days of the publication of this, intense scrutiny of the underlying design flaws discovered a variety of related vulnerabilities (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187); which Ramey addressed with a series of further patches.[7][8]

Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.[9][10] Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.[11][12]

Shellshock could potentially compromise millions of unpatched servers and other systems. Accordingly, it has been compared to the Heartbleed bug in its severity.[3][13]

簡介

[編輯]

缺陷報告

[編輯]

參考

[編輯]
  1. ^ 1.0 1.1 1.2 1.3 1.4 Perlroth, Nicole. Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant. New York Times. 25 September 2014 [25 September 2014].  參照錯誤:帶有name屬性「NYT-20140925-NP」的<ref>標籤用不同內容定義了多次
  2. ^ 2.0 2.1 雖然一些訊息來源將Shellshock稱為「病毒」,但它其實是某些作業系統內建程式中的編寫錯誤。參見 => Staff. What does the "Shellshock" bug affect?. The Safe Mac. 25 September 2014 [27 September 2014].  參照錯誤:帶有name屬性「TSM-20140927」的<ref>標籤用不同內容定義了多次
  3. ^ 3.0 3.1 3.2 Seltzer, Larry. Shellshock makes Heartbleed look insignificant. ZD Net. 29 September 2014 [29 September 2014].  參照錯誤:帶有name屬性「ZDN-20140929」的<ref>標籤用不同內容定義了多次
  4. ^ Florian Weimer. oss-sec: Re: CVE-2014-6271: remote code execution through bash. Seclists.org. 24 September 2014 [1 November 2014]. 
  5. ^ Florian Weimer. oss-sec: Re: CVE-2014-6271: remote code execution through bash. Seclists.org. 24 September 2014 [1 November 2014]. 
  6. ^ Leyden, John. Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open. The Register. 24 September 2014 [25 September 2014]. 
  7. ^ 參照錯誤:沒有為名為ITN-20140929的參考文獻提供內容
  8. ^ 參照錯誤:沒有為名為zdnet-betterbash的參考文獻提供內容
  9. ^ 參照錯誤:沒有為名為Wired的參考文獻提供內容
  10. ^ 參照錯誤:沒有為名為IT-20140926-JS的參考文獻提供內容
  11. ^ 參照錯誤:沒有為名為NYT-20140926-NP的參考文獻提供內容
  12. ^ 參照錯誤:沒有為名為businessweek的參考文獻提供內容
  13. ^ Cerrudo, Cesar. Why the Shellshock Bug Is Worse than Heartbleed. MIT Technology Review. 30 September 2014 [1 October 2014]. 

概述

[編輯]
取得等角視角的旋轉步驟
等角格紙

各座標軸之間角度相等(120°)的視角,就是等角的觀點。以正方體為例,先從一個面看過去,然後以垂直方向為轉軸旋轉視角±45°,接着以水平方向為轉軸旋轉視角約±35.264° (準確來說是 arcsin 13)。值得注意的是,平面上正方體(右圖左上)的邊界恰好是一個正六角形:所有黑線的長度相同,而且正方體每一面的面積相同。等角格紙可以在不需要計算的情況下幫忙達到目標。

等角的觀點也可以想成是:從一個正方體空間的頂點,看向對面的頂點。x軸向右下延伸、y軸向左下延伸、z軸向上延伸。沿個軸的線彼此成120°。    

數學

[編輯]

有8種可能的視角符合等角,取決於觀察者的卦限。以第一掛限為例,三維上的點ax,y,z等角投影到二維上成點 bx,y,數學上可以寫成旋轉矩陣

其中 α = arcsin(13) ≈ 35.264° 且 β = 45°。

接着正投影xy平面:

另外7種符合等角的視角,可以藉由旋轉反方向或鏡像來達成。[1]

歷史與限制

[編輯]
研磨機 (1822), 等角投影
三國演義中的等角投影

等角的概念存在了數個世紀,最早由William Farish(1759–1837)在1822年形式化。[2][3] 十九世紀中期,等角投影成為工程師重要的工具。不久之後等角投影和軸測投影被加入歐美國家的建築學課程中。[4] 然而,軸測投影發源於中國。在它對中國藝術的功能,就如同透視投影之於西洋藝術。軸測投影和相關的繪圖法則對電腦圖學 有所幫助。[5]

難以辨識高度的情況,無法從局部看出兩球的高度差
潘洛斯階梯 畫着一座循環的階梯

如同各種平行投影的方法,等角投影所繪製的物體不會因為遠近而改變大小。雖然建築製圖等時候,需要直接測量長度,但卻會造成視覺上失真。不像透視投影呈現眼睛和照相機的結果。等角投影有時會造成高度難以辨識(如右左下圖)。這被用來創造不可能出現的圖形,如潘洛斯階梯

在電玩和像素畫的用途

[編輯]

等角投影提供有限的3D效果,在1980~90年代,因為當時的微電腦能夠負荷,而被用在早期的電玩中。

這種風格也被用在精靈像素畫,用來呈現復古遊戲的風格。

參見

[編輯]

註釋與參考

[編輯]
  1. ^ Ingrid Carlbom, Joseph Paciorek , Dan Lim. Planar Geometric Projections and Viewing Transformations. ACM Computing Surveys (ACM). December 1978, 10 (4): 465–502. doi:10.1145/356744.356750. 
  2. ^ Barclay G. Jones (1986). Protecting historic architecture and museum collections from natural disasters. University of Michigan. ISBN 0-409-90035-4. p.243.
  3. ^ Charles Edmund Moorhouse (1974). Visual messages: graphic communication for senior students.
  4. ^ J. Krikke (1996). "A Chinese perspective for cyberspace?". In: International Institute for Asian Studies Newsletter, 9, Summer 1996.
  5. ^ Jan Krikke (2000). "Axonometry: a matter of perspective". In: Computer Graphics and Applications, IEEE Jul/Aug 2000. Vol 20 (4), pp. 7–11.

外部連結

[編輯]