Why is a precise statement of security requirements critical to the determination of whether a given system is secure?

System vendors often add security features to strengthen the security of their systems. These additions are not designed into the system, but rather are added after the system has been shipped. Discuss whether adding security features to a large, complex operating system not designed with security in mind (such as the UNIX operating system or Windows 95) violates any of Saltzer and Schroeder's design principles.

Please describe how vulnerability models are used during the Flaw Hypothesis Methodology. Be explicit: which phase of the methodology uses them, and how?

Into which category or categories of the Protection Analysis classification do the following fall? Please justify your answer.

- A buffer overflow causing a return into the stack
- Allowing an ordinary user to alter the password file
- Simultaneous writes to a shared database
- Reading a UNIX file by directly accessing the raw device and reading first the superblock, then the file's inode, and finally the file's data blocks