Outline for January 16, 2002

  1. Greetings and Felicitations!
    1. Homework turn-in directory had a problem; if submitted before 8PM on Sunday, please resubmit
  2. Puzzle of the day
  3. Common Implementation Vulnerabilities
    1. Unknown interaction with other system components (DNS entry with bad names, assuming finger port is finger and not chargen)
    2. Overflow (year 2000, lpr overwriting flaw, sendmail large integer flaw, su buffer overflow)
    3. Race conditions (xterm flaw, ps flaw)
    4. Environment variables (vi one-upsmanship, loadmodule)
    5. Not resetting privileges (Purdue Games incident)
  4. Vulnerability Models
    1. PA model
    2. RISOS
    3. NSA
  5. PA Model (Neumann's organization)
    1. Improper protection (initialization and enforcement)
      1. improper choice of initial protection domain
      2. improper isolation of implementation detail
      3. improper change
      4. improper naming
      5. improper deallocation or deletion
    2. Improper validation
    3. Improper synchronization;
      1. improper indivisibility
      2. improper sequencing
    4. Improper choice of operand or operation
  6. RISOS
    1. Incomplete parameter validation
    2. Inconsistent parameter validation
    3. Implicit sharing of privileged/confidential data
    4. Asynchronous validation/Inadequate serialization
    5. Inadequate identification/authentication/authorization
    6. Violable prohibition/limit
    7. Exploitable logic error
  7. Comparison and Problems
    1. Levels of abstraction
    2. Point of view

ECS 153, Introduction to Computer Security
Winter Quarter 2002
Email: cs153@cs.ucdavis.edu