Outline for November 1, 2023

Reading: text, §18.2, 24.3–24.6
Due: Homework 3, due November 6; Background Research, due November 3 (note extension)


  • Covert channels
    1. Storage channes
    2. Timing channels

  • Vulnerability models
    1. PA model
    2. RISOS
    3. NRL
    4. Aslam

  • Example flaws
    1. fingerd buffer overflow
    2. xterm race condition

  • RISOS
    1. Goal: Aid managers, others in understanding security issues in OSes, and work required to make them more secure
    2. Incomplete parameter validation — failing to check that a parameter used as an array index is in the range of the array;
    3. Inconsistent parameter validation — if a routine allowing shared access to files accepts blanks in a file name, but no other file manipulation routine (such as a routine to revoke shared access) will accept them;
    4. Implicit sharing of privileged/confidential data — sending information by modulating the load average of the system;
    5. Asynchronous validation/Inadequate serialization — checking a file for access permission and opening it non-atomically, thereby allowing another process to change the binding of the name to the data between the check and the open;
    6. Inadequate identification/authentication/authorization — running a system program identified only by name, and having a different program with the same name executed;
    7. Violable prohibition/limit — being able to manipulate data outside one’s protection domain; and
    8. Exploitable logic error — preventing a program from opening a critical file, causing the program to execute an error routine that gives the user unauthorized rights.

  • PA Model (Neumann’s organization)
    1. Goal: develop techniques to search for vulnerabilities that less experienced people could use
    2. Improper protection (initialization and enforcement)
      1. Improper choice of initial protection domain: incorrect initial assignment of security or integrity level at system initialization or generation; a security critical function manipulating critical data directly accessible to the user;
      2. Improper isolation of implementation detail: allowing users to bypass operating system controls and write to absolute input/output addresses; direct manipulation of a hidden data structure such as a directory file being written to as if it were a regular file; drawing inferences from paging activity
      3. Improper change: the time-of-check to time-of-use flaw; changing a parameter unexpectedly;
      4. Improper naming: allowing two different objects to have the same name, resulting in confusion over which is referenced;
      5. Improper deallocation or deletion: leaving old data in memory deallocated by one process and reallocated to another process, enabling the second process to access the information used by the first; failing to end a session properly
    3. Improper validation: not checking critical conditions and parameters, so a process addresses memory not in its memory space by referencing through an out-of-bounds pointer value; allowing type clashes; overflows
    4. Improper synchronization
      1. Improper indivisibility: interrupting atomic operations (e.g. locking); cache inconsistency
      2. Improper sequencing: allowing actions in an incorrect order (e.g. reading during writing)
    5. Improper choice of operand or operation: using unfair scheduling algorithms that block certain processes or users from running; using the wrong function or wrong arguments.

  • NRL
    1. Goal: Find out how vulnerabilities enter the system, when they enter the system, and where they are
    2. Axis 1: inadvertent (RISOS classes) vs. intentional (malicious/nonmalicious)
    3. Axis 2: time of introduction (development, maintenance, operation)
    4. Axis 3: location (hardware, software: OS, support utilities, applications)

  • Aslam
    1. Goal: Treat vulnerabilities as faults
    2. Coding faults: introduced during software development
      1. Synchronization errors
      2. Validation errors
    3. Emergent faults: introduced by incorrect initialization, use, or application
      1. Configuration errors
      2. Environment faults
    4. Introduced decision procedure to classify vulnerabilities in exactly one category

  • Standards
    1. CVE
    2. CWE

    UC Davis sigil
    Matt Bishop
    Office: 2209 Watershed Sciences
    Phone: +1 (530) 752-8060
    Email: mabishop@ucdavis.edu
    ECS 235A, Computer and Information Security
    Version of October 31, 2023 at 9:03PM

    You can also obtain a PDF version of this.

    Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh