Does not using OO encapsulation create security risks?

Question

This question may sound somewhat stupid, but I am curious to know: can exposing the fields of an object as public create a security risk or a hole in my application that can be exploited by other people?

public class AClass
{
    public int AProperty { get; set; }

    //Less Secure?
    public int APublicField;
}

Thanks

Solution

Access modifiers (public, private, protected) are simply a mechanism to allow different levels of encapsulation for those with source access. You should employ them with OOP best practices to make your logic easy to maintain. They have absolutely nothing to do with the security of your application.

In C# you can use RTTI to reflect on private data just as easily as public. Thanks to the CLR and binary compatibility guarantees of C#, you can even do this on external binaries from within your own. Even if you couldn't use reflection, an attacker can use a disassembler and inspect the code as intermediate language. You may want to read this post.

An astute attacker familiar with the platform could even look for clues on how to reverse engineer your application running kernel level debuggers such as softICE.

You could always try to use some form of security through obscurity by encapsulating your logic in an attempt to make the execution less obvious, but obviously if someone is persistent enough they will find a way.

The best bet for security is to do your research and look for well used libraries both commercial and open source. The more exposure there is in cryptography the better as library developers and white hats can collaborate to fix exploits as they are discovered.
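
The reflection point made in the answer above, shown as an added example that is not part of the original post. `AClass` follows the question; the private field `_aPrivateField` and the `ReadPrivate` helper are hypothetical additions used to show that the access modifier does not stop fully trusted in-process code from reading or writing a field.

```csharp
using System;
using System.Reflection;

// AClass follows the question; _aPrivateField and ReadPrivate are
// hypothetical additions for this example.
public class AClass
{
    public int AProperty { get; set; }
    public int APublicField;
    private int _aPrivateField = 42;

    public int ReadPrivate() => _aPrivateField;
}

public static class Program
{
    public static void Main()
    {
        var obj = new AClass { AProperty = 1, APublicField = 2 };

        // Ask for every instance field, whatever its access modifier.
        // The auto-property's compiler-generated backing field shows up too.
        const BindingFlags all =
            BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;

        foreach (FieldInfo f in typeof(AClass).GetFields(all))
        {
            string access = f.IsPublic ? "public" : f.IsPrivate ? "private" : "other";
            Console.WriteLine($"{access,-8} {f.Name} = {f.GetValue(obj)}");
        }

        // Writing works the same way: the modifier is checked by the compiler,
        // it is not a runtime security boundary for fully trusted code
        // running in the same process.
        FieldInfo hidden = typeof(AClass).GetField(
            "_aPrivateField", BindingFlags.Instance | BindingFlags.NonPublic);
        hidden.SetValue(obj, 7);
        Console.WriteLine($"after SetValue: {obj.ReadPrivate()}");
    }
}
```

The practical consequence for design is that secrets and integrity-critical state need a real boundary (a separate process, service or key store), not a `private` keyword.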
