Outline for May 24, 2005

Reading: §22.4-22.5, §22.7, §23.1-4


A recurring question in computer security is how the discoverer of a vulnerability in a program or computer system should report it to the responsible party (in this context, the vendor of the program or system). The SANS Organization has proposed the following, which they are calling the Fisher Plan. This description is from SANS NewsBites, Vol. 4, Num. 50 (Dec. 12, 2002):

What are the good points about this plan? What are its drawbacks?


  1. Malicious logic
    1. Logic Bombs, Worms (Schoch and Hupp)
  2. Ideal: program to detect malicious logic
    1. Can be shown: not possible to be precise in most general case
    2. Can detect all such programs if willing to accept false positives
    3. Can constrain case enough to locate specific malicious logic
    4. Can use:
      1. Type chcking (data vs. instructions)
      2. Limiting rights (sandboxing)
      3. Limiting sharing
      4. Preventing or detecting changes to files
      5. Prevent code from acting beyond specification (proof carrying code)
      6. Check statistical characteristics of programs (more authors than known, constructs in object files not corresponding to anything in the source)

Here is a PDF version of this document.