Outline for April 6, 2004
Reading: Chapters 13, 23.1-23.2
A university class requires that each student do his or her own
program. The university also has a rule that forbids people from
looking in other people's directories, and reading other people's
files, without permission. A student submits a program electronically.
During grading, the TA notices that several files are missing. She
emails the student, who responds, "Oh, sorry--get the files
out of my home directory, which is unprotected." The TA goes
to the student's home directory, and while copying the files out,
notices they are dated after the due date. But some earlier versions
of those files are dated before the due date. She checks the earlier
version, to be sure the student has made no changes. The student
has: he deleted the name of the original author of the files, and
inserted his own.
The TA reports the matter to her professor, who files charges against
the student for cheating. The student files charges against the TA
for snooping through the directory without authorization; he contends
she should only have looked at the latest versions of the file, not
the earlier ones. You are on the Committee for Cheating and Computer
- Do you rule that the student's cheating was discovered properly,
and can therefore be used against him?
- Do you rule that the TA violated the student's privacy by looking
at the earlier versions of the files?
Outline for the Day
- Principles of Secure Design
  - Principle of Least Privilege
  - Principle of Fail-Safe Defaults
  - Principle of Economy of Mechanism
  - Principle of Complete Mediation
  - Principle of Open Design
  - Principle of Separation of Privilege
  - Principle of Least Common Mechanism
  - Principle of Psychological Acceptability
- Penetration Studies
  - Why? Why not direct analysis?
  - Flaw Hypothesis Methodology
    - System analysis
    - Hypothesis generation
    - Hypothesis testing
  - System Analysis
    - Learn everything you can about the system
    - Learn everything you can about operational procedures
    - Compare to other systems
  - Hypothesis Generation
    - Study the system, look for inconsistencies in interfaces
    - Compare to other systems' flaws
    - Compare to vulnerabilities models
  - Hypothesis Testing
    - Look at system code, see if it would work (live experiment may
    - If live experiment needed, observe usual protocols
    - See if other programs, interfaces, or subjects/objects suffer
      from the same problem
    - See if this suggests a more generic type of flaw
  - Peeling the Onion
    - You know very little (not even phone numbers or IP addresses)
    - You know the phone number/IP address of system, but nothing else
    - You have an unprivileged (guest) account on the system.
    - You have an account with limited privileges.
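The following is an added illustration of four of the Principles of Secure Design listed above (least privilege, fail-safe defaults, complete mediation, separation of privilege); it is not part of the lecture notes. It is a toy reference monitor in Python; the class names, the sample access-control list and the file paths are all constructed for this example and stand for no real system.

```python
"""Added example (not from the lecture notes): a small reference monitor that
makes four secure-design principles visible in code.  Policy, ReferenceMonitor
and the sample ACL below are constructed for illustration only."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Explicit grants only: (subject, object) -> set of permitted operations.
    acl: dict = field(default_factory=dict)
    # object -> operations that require a second, independent approver
    # (separation of privilege).
    two_person: dict = field(default_factory=dict)

    def allows(self, subject, obj, op):
        # Fail-safe default: anything not explicitly granted is denied,
        # including subjects and objects the policy has never heard of.
        return op in self.acl.get((subject, obj), set())

    def needs_second_approver(self, obj, op):
        return op in self.two_person.get(obj, set())


class ReferenceMonitor:
    def __init__(self, policy):
        self.policy = policy
        self.log = []  # audit trail of every decision

    def access(self, subject, obj, op, approvals=()):
        """Complete mediation: every access passes through this one check, and
        the decision is recomputed on each call rather than cached."""
        if self.policy.needs_second_approver(obj, op):
            # Separation of privilege: the requester may not approve itself,
            # and every co-approver must independently hold the right.
            others = {a for a in approvals if a != subject}
            if not others or not all(self.policy.allows(a, obj, op) for a in others):
                self.log.append(("deny", subject, obj, op, "needs second approver"))
                return False
        if not self.policy.allows(subject, obj, op):
            self.log.append(("deny", subject, obj, op, "not granted"))
            return False
        self.log.append(("allow", subject, obj, op, ""))
        return True


def build_sample_policy():
    """Least privilege: the grader may read a submission but not change it;
    the student may change only their own file; the grade database needs two
    people to write.  All paths and subjects are constructed sample values."""
    p = Policy()
    p.acl[("ta", "/home/student/prog.c")] = {"read"}
    p.acl[("student", "/home/student/prog.c")] = {"read", "write"}
    p.acl[("ta", "/grades/db")] = {"read", "write"}
    p.acl[("prof", "/grades/db")] = {"read", "write"}
    p.two_person["/grades/db"] = {"write"}
    return p


def demo():
    """Run a fixed sequence of requests and return the list of decisions."""
    m = ReferenceMonitor(build_sample_policy())
    return [
        m.access("ta", "/home/student/prog.c", "read"),               # allowed
        m.access("ta", "/home/student/prog.c", "write"),              # not granted
        m.access("student", "/home/student/prog.c", "write"),         # allowed
        m.access("ta", "/grades/db", "write"),                        # no co-approver
        m.access("ta", "/grades/db", "write", approvals=("prof",)),   # allowed
        m.access("ta", "/grades/db", "write", approvals=("ta",)),     # self-approval rejected
        m.access("guest", "/grades/db", "read"),                      # unknown subject: default deny
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point to notice is that nothing in `ReferenceMonitor.access` has an "allow" branch that can be reached without a positive match in the policy: absence of a rule, an unknown subject, or a missing co-approver all fall through to denial, which is what fail-safe defaults mean in practice.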