Outline for June 6, 2000

  1. Greetings and felicitations!
  2. Implementation
    1. Object naming
    2. Process environment
    3. Process interaction
    4. Error and exception handling
  3. Object naming
    1. Trojan horses
    2. Race conditions (TOCTTOU)
  4. Process environment
    1. Privileges
    2. Environment variables
    3. System constraints (root directory, etc.)
  5. Process interaction
    1. IPC and pipes
    2. Use of the network
    3. Multithreading and synchronization (locking)
  6. Error and exception handling
    1. Assumptions
    2. Signals and race conditions
  7. Auditing
    1. Goals: reconstruction or deduction?
    2. Relationship to security policy
    3. Application logs
    4. System logs
  8. Example analysis technique
    1. GOAL methodology
    2. Do it on local file accesses
  9. Problems
    1. Log size
    2. Impact on system services
    3. Correlation of disparate logs
  10. Intrusion detection
    1. Anomaly detection
    2. Misuse detection
    3. Specification detection
  11. Anomaly detection
    1. Dorothy Denning's model and IDES
    2. Useful characteristics (examples)
    3. Cautions and problems
    4. Defeating it
  12. Misuse detection
    1. TIM (from DEC)
    2. Rule-based analysis and attack recognition
    3. Cautions and problems
    4. Defeating it
  13. Specification Detection
    1. Property-Based Testing (introduce specifications here)
    2. Example
    3. Cautions and problems
    4. Defeating it
  14. Toss in a network
    1. NSM
    2. DIDS
    3. GrIDS


Send email to bishop@cs.ucdavis.edu.

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 6/8/2000