ECS 253 Spring 2000
Outline for May 30, 2000
Last modified at 11:35 am on Tuesday, May 30, 2000

1. Greetings and felicitations!

2. Vulnerability Models
   a. RISOS (1975), to let managers, etc. know about integrity problems
   b. PA (1976-78), automated checking of programs
   c. NSA, contents unknown but similar to PA and RISOS
   d. Aslam, fault-based; for C programs
   e. Landwehr, classify according to attack purpose as well as type; based on RISOS
   f. Bishop, still being developed

3. RISOS (Research Into Secure Operating Systems); Abbott et al.
   a. Improper parameter validation
   b. Inconsistent parameter validation
   c. Implicit sharing of privileged data
   d. Asynchronous validation/incorrect serialization (e.g., TOCTTOU)
   e. Inadequate identification/authorization/authentication
   f. Violable prohibition/limit
   g. Exploitable logic error

4. PA (Protection Analysis); Bisbey et al.
   a. Improper protection domain; 5 subclasses
      - Improper initial protection domain
      - Improper isolation of implementation details
      - Improper change (TOCTTOU flaws)
      - Improper naming
      - Improper deletion/deallocation
   b. Improper validation
   c. Improper synchronization; 2 subclasses
      - Improper divisibility
      - Improper sequencing
   d. Improper choice of operand and operation

5. Note: PA classes map into RISOS classes and vice versa

6. Flaw Hypothesis Methodology
   a. Information gathering -- emphasize use of sources such as manuals, protocol specs, design documentation, social engineering, source code, knowledge of other systems, etc.
   b. Flaw hypothesis -- old rule: if forbidden, try it; if required, don't do it; knowledge of other systems' flaws and analysis of interfaces are particularly fruitful; go for assumptions and trusts
   c. Flaw testing -- see if the hypothesized flaw holds; preferable not to try it out, but to look at the system closely enough to see if it will work, design the attack, and be able to show why it works; but sometimes an actual test is necessary -- do not use a live production system, and be sure it's backed up!
   d. Flaw generalization -- given a flaw, look at its causes and try to generalize. Example: UNIX environment variables.
   e. (sometimes) Flaw elimination -- fix it; may require redesign so that penetrators cannot do it

7. Example penetrations
   a. MTS
   b. Burroughs

8. Principles of Secure Design
   a. Refer to both designing secure systems and securing existing systems
   b. Speak to limiting damage

9. Principle of Least Privilege
   a. Give a process only those privileges it needs
   b. Discuss use of roles; examples of systems which violate this (vanilla UNIX) and which maintain this (Secure Xenix)
   c. Examples in programming (making things setuid to root unnecessarily, limiting the protection domain; modularity, robust programming)
   d. Example attacks (misuse of privileges, etc.)

10. Principle of Fail-Safe Defaults
   a. Default is to deny
   b. Example of violation: su program

11. Principle of Economy of Mechanism
   a. KISS principle
   b. Enables quick, easy verification
   c. Example of complexity: sendmail

12. Principle of Complete Mediation
   a. All accesses must be checked
   b. Forces a system-wide view of controls
   c. Sources of requests must be identified correctly
   d. Source of problems: caching (because it may not reflect the state of the system correctly); examples are race conditions, DNS poisoning

13. Principle of Open Design
   a. Designs are open so everyone can examine them and know the limits of the security provided
   b. Does not apply to cryptographic keys
   c. Acceptance of reality: they can get this information anyway

14. Principle of Separation of Privilege
   a. Require multiple conditions to be satisfied before granting permission/access/etc.
   b. Advantage: 2 accidents/errors/etc. must happen together to trigger failure

15. Principle of Least Common Mechanism
   a. Minimize sharing
   b. New service: in the kernel or as a library routine? The latter is better, as each user gets their own copy

16. Principle of Psychological Acceptability
   a. Willingness to use the mechanisms
   b. Understanding the model
   c. Matching the user's goal
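The TOCTTOU flaw class named under RISOS ("asynchronous validation/incorrect serialization") and PA ("improper change"), and the caching and race-condition problem noted under Complete Mediation, shown in working code. This is an added example, not part of the original outline: a check-then-use file reader beside a hardened open-then-verify reader, run over a constructed temporary file and a symlink to it. The function names, the temporary files and the "regular file owned by the caller" policy are the example's own assumptions, and it assumes a Linux-style system where open() honours O_NOFOLLOW.

```python
import os
import stat
import tempfile


def read_check_then_use(path):
    """Vulnerable pattern: RISOS "asynchronous validation / incorrect serialization",
    PA "improper change" (TOCTTOU).

    The access check and the open are two separate lookups of the *name*. Whatever
    the name refers to can change (for example be replaced by a symlink) between
    the two calls, so the check says nothing reliable about the object opened.
    """
    if not os.access(path, os.R_OK):
        return None
    with open(path, "rb") as f:  # second, independent resolution of the name
        return f.read()


def read_verified(path):
    """Hardened pattern: open first, then validate the descriptor you actually hold.

    O_NOFOLLOW makes open() fail instead of following a symlink at the last path
    component, and fstat() inspects the very inode that will be read, so the
    check and the use refer to the same object with no window between them.
    (O_NOFOLLOW is a POSIX flag; this example assumes a Linux-style system.)
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError:          # includes ELOOP when the path is a symlink
        return None
    try:
        st = os.fstat(fd)
        # Validate the object in hand: a regular file owned by the caller
        # (an assumed policy for this example; a real service would apply its own).
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            return None
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a regular file and a symlink to it in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "notes.txt")
        with open(regular, "wb") as f:
            f.write(b"hello")
        link = os.path.join(d, "notes.link")
        os.symlink(regular, link)
        return {
            "unsafe_regular": read_check_then_use(regular),
            "unsafe_link": read_check_then_use(link),   # follows the link silently
            "safe_regular": read_verified(regular),
            "safe_link": read_verified(link),           # refused: not the object checked
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point of the hardened version is the one the outline makes under Complete Mediation: a decision cached from an earlier lookup (here, the result of os.access on a name) may not reflect the state of the system at the moment of use, so the check has to be made on the object actually being accessed, the open descriptor, rather than on a name that can be re-bound in between.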