Skip to content

Computer Security 计算机安全

Information Technology Services Center & School of Computer Science, Nanjing University

Regarding computer security, there exists a fundamental doctrine: security is not a product, but a process. We have examined the classic CIA triad—Confidentiality, Integrity, and Availability—and explored how every security mechanism ultimately serves one or more of these objectives. This framework provides an indispensable analytical foundation for analyzing threats within any system.

Cryptography constitutes a critical cornerstone of security. We investigated symmetric encryption algorithms (such as AES and DES) and asymmetric cryptographic schemes (such as RSA and ECC). Understanding key generation, distribution, and management proved essential; without secure key exchange, even the most robust cryptographic algorithm remains ineffectual. Hash functions, digital signatures, and Certificate Authorities collectively form the trust infrastructure upon which modern secure communications rely.

Network security occupies a pivotal role in contemporary computer security. We recognize that while the TCP/IP protocol suite was revolutionary in design, it was not originally architected with security as a primary concern. Attacks such as ARP spoofing can redirect traffic within local area networks, while IP spoofing and ICMP flooding exploit vulnerabilities at the network layer; furthermore, TCP hijacking turns the three-way handshake mechanism against itself. We subsequently studied countermeasures to these weaknesses: IPsec secures communications at the network layer; TLS/SSL encrypts web traffic via meticulously designed handshake protocols and certificate chains; and DNSSEC prevents cache poisoning by authenticating DNS responses. We also explored wireless security, tracing the evolution from the compromised WEP protocol to the AES-CCMP standard in WPA2, and examined how 802.1X provides enterprise-level access control. On the defensive side, we analyzed how firewalls, Intrusion Detection and Prevention Systems (IDPS), network segmentation, and VPNs operate synergistically to establish layered defenses. This illustrates that Defense in Depth is not merely a slogan, but a tangible necessity. The escalating prevalence of DDoS attacks and the inherent fragility of BGP routing further reveal that Internet infrastructure remains largely predicated on trust assumptions readily exploitable by adversaries.

Furthermore, we delved into software and system security. We analyzed buffer overflows, format string vulnerabilities, and Return-Oriented Programming (ROP)—techniques capable of weaponizing a program’s own memory space. Operating system security mechanisms, including Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and sandboxing, were studied as specific countermeasures. We dissected web-based vulnerabilities such as Cross-Site Scripting (XSS), SQL injection, and Cross-Site Request Forgery (CSRF), and practiced exploitation and mitigation techniques within controlled laboratory environments.

From a pragmatic perspective, we addressed access control models, authentication protocols, security policy design, and incident response. The evolving threat landscape—ranging from Advanced Persistent Threats (APTs) to zero-day exploits—serves as a stark reminder: computer security demands continuous vigilance rather than a one-time remediation.

Before Computer Security

Two roads diverged in a wood, and I--

I took the one less traveled by,

And that has made all the difference.

一片森林里分出两条路

而我却选择了人迹更少的一条

从此决定了我一生的道路