Outline for October 31, 2022
Happy Halloween!

Reading: text, §24.1–24.4
Due: Homework 3, due November 11; Progress report, due Nov 11 (Note change in due date!)

---

1. Penetration Studies
   1. Goals
   2. Where to start
      1. Unknown system
      2. Known system, no authorized access
      3. Known system, authorized access

2. Flaw Hypothesis Methodology
   1. System analysis
   2. Hypothesis generation
   3. Hypothesis testing
   4. Generalization

3. System Analysis
   1. Learn everything you can about the system
   2. Learn everything you can about operational procedures
   3. Compare to other systems

4. Hypothesis Generation
   1. Study the system, look for inconsistencies in interfaces
   2. Compare to other systems’ flaws
   3. Compare to vulnerabilities models

5. Hypothesis testing
   1. Look at system code, see if it would work (live experiment may be unneeded)
   2. If live experiment needed, observe usual protocols

6. Generalization
   1. See if other programs, interfaces, or subjects/objects suffer from the same problem
   2. See if this suggests a more generic type of flaw

7. Elimination

8. Examples
   1. Michigan Terminal System

---

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 235A, Computer and Information Security Version of October 31, 2022 at 10:43PM

You can also obtain a PDF version of this.