Notes for February 13, 1998
[ ended here ]
- Greetings and felicitations!
- Reading: Pfleeger, pp. 176-198, 277-280; Garfinkel & Spaddord,
- Writing to files that are symbolic links
- Ideal: program to detect malicious logic
- Can be shown: not possible to be precise in most general case
- Can detect all such programs if willing to accept false positives
- Can constrain case enough to locate specific malicious logic
- Can use: writing, structural detection (patterns in code), common code
analyzers, coding style analyzers, instruction analysis (duplicting OS),
dynamic analysis (run it in controlled environment and watch)
- Best approach: data, instruction typing
- On creation, it's type "data"
- Trusted certifier must move it to type "executable"
- Duff's idea: executable bit is "certified as executable" and must be set by
- Practise: blocking writing to communicate information or do damage
- Limit writing (use of MAC if available; show how to arrange system
- Practise: Trust
- Untrusted software: what is it, example (USENET)
- Check source, programs (what to look for); C examples
- Limit who has access to what
- Your environment (how do you know what you're executing); UNIX examples
- Least privilege; above with root
- Practise: detecting writing
- Integrity check files a la binaudit, tripwire; go through signature block
- LOCUS approach: encipher program, decipher as you execute.
- Co-processors: checksum each sequence of instructions, compute checksum as
you go; on difference, complain
You can also see this document
in its native format,
in ASCII text.
Send email to
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 2/14/98