Outline for May 26, 2005

Reading: §23.1-4

Discussion

A student discovers a flaw in the department's computer system. To ensure that the flaw really exists, she exploits it to gain extra privileges on the system. These privileges allow her to read any file on the system, whereas without the privileges, there are files that the student cannot read.

  1. Given that there were files she was not supposed to be able to read, did the student act ethically in exploiting the flaw?
  2. The computer system did not provide sufficient mechanisms to prevent the student from obtaining the additional privileges. Did she "break in" (that is, breach security) or was her action not a violation of security?
  3. The student reports the problem to the department chairperson, who promptly files charges against the student for breaking in. Assuming that what the student did was a violation of security, did the chairperson act ethically?

Outline

  1. Penetration Studies
    1. Why? Why not direct analysis?
    2. Effectiveness
    3. Interpretation
  2. Flaw Hypothesis Methodology
    1. System analysis
    2. Hypothesis generation
    3. Hypothesis testing
    4. Generalization
  3. System Analysis
    1. Learn everything you can about the system
    2. Learn everything you can about operational procedures
    3. Compare to other systems
  4. Hypothesis Generation
    1. Study the system, look for inconsistencies in interfaces
    2. Compare to other systems' flaws
    3. Compare to vulnerability models
  5. Hypothesis Testing
    1. Look at system code, see if it would work (live experiment may be unneeded)
    2. If live experiment needed, observe usual protocols
  6. Generalization
    1. See if other programs, interfaces, or subjects/objects suffer from the same problem
    2. See if this suggests a more generic type of flaw
  7. Peeling the Onion
    1. You know very little (not even phone numbers or IP addresses)
    2. You know the phone number/IP address of the system, but nothing else
    3. You have an unprivileged (guest) account on the system
    4. You have an account with limited privileges
  8. Example Penetration Studies
    1. Michigan Terminal System
    2. Burroughs System
    3. Attacking the Organization Directly

