Notes for October 16, 1998

  1. Greetings and Felicitations!
    1. John has posted new office hours; see the class news group
    2. Puzzle of the Day: any more thoughts ...
  2. PA (following Neumann)
    1. Improper protection (initialization and enforcement)
    2. Improper validation
    3. Improper synchronization;
      1. improper indivisibility - interrupting atomic operations (e.g. locking); cache inconsistency
      2. improper sequencing - allowing actions in an incorrect order (e.g. reading during writing)
    4. Improper choice of operand or operation - using unfair scheduling algorithms that block certain processes or users from running; using the wrong function or wrong arguments.
  3. RISOS
    1. Incomplete parameter validation - failing to check that a parameter used as an array index is in the range of the array;
    2. Inconsistent parameter validation - if a routine allowing shared access to files accepts blanks in a file name, but no other file manipulation routine (such as a routine to revoke shared access) will accept them;
    3. Implicit sharing of privileged/confidential data - sending information by modulating the load average of the system;
    4. Asynchronous validation/Inadequate serialization - checking a file for access permission and opening it non-atomically, thereby allowing another process to change the binding of the name to the data between the check and the open;
    5. Inadequate identification/authentication/authorization - running a system program identified only by name, and having a different program with the same name executed;
    6. Violable prohibition/limit - being able to manipulate data outside one's protection domain; and
    7. Exploitable logic error - preventing a program from opening a critical file, causing the program to execute an error routine that gives the user unauthorized rights.
  4. Penetration Studies
    1. Why? Why not analysis?
    2. Effectiveness
    3. Interpretation
  5. Flaw Hypothesis Methodology
    1. System analysis
    2. Hypothesis generation
    3. Hypothesis testing
    4. Generalization
  6. System Analysis
    1. Learn everything you can about the system
    2. Learn everything you can about operational procedures
    3. Compare to models like PA, RISOS
  7. Hypothesis Generation
    1. Study the system, look for inconsistencies in interfaces
    2. Compare to previous systems
    3. Compare to models like PA, RISOS
  8. Hypothesis testing
    1. Look at system code, see if it would work (live experiment may be unneeded)
    2. If live experiment needed, observe usual protocols
  9. Generalization
    1. See if other programs, interfaces, or subjects/objects suffer from the same problem
    2. See if this suggests a more generic type of flaw
  10. Peeling the Onion
    1. You know very little (not even phone numbers or IP addresses)
    2. You know the phone number/IP address of system, but nothing else
    3. You have an unprivileged (guest) account on the system.
    4. You have an account with limited privileges.

You can also see this document in its native format, in Postscript, in PDF, or in ASCII text.
Send email to

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 10/21/98