Improper protection (initialization and enforcement)
improper choice of initial protection domain - "incorrect initial assignment of security or integrity level at system initialization or generation; a security critical function manipulating critical data directly accessible to the user";
improper isolation of implementation detail - allowing users to bypass operating system controls and write to absolute input/output addresses; direct manipulation of a "hidden" data structure such as a directory file being written to as if it were a regular file; drawing inferences from paging activity
improper change - the "time-of-check to time-of-use" flaw; changing a parameter unexpectedly;
improper naming - allowing two different objects to have the same name, resulting in confusion over which is referenced;
improper deallocation or deletion - leaving old data in memory deallocated by one process and reallocated to another process, enabling the second process to access the information used by the first; failing to end a session properly
Improper validation - not checking critical conditions and parameters, leading to a process' addressing memory not in its memory space by referencing through an out-of-bounds pointer value; allowing type clashes; overflows
improper sequencing - allowing actions in an incorrect order (e.g. reading during writing)
Improper choice of operand or operation - using unfair scheduling algorithms that block certain processes or users from running; using the wrong function or wrong arguments.
RISOS
Incomplete parameter validation - failing to check that a parameter used as an array index is in the range of the array;
Inconsistent parameter validation - if a routine allowing shared access to files accepts blanks in a file name, but no other file manipulation routine (such as a routine to revoke shared access) will accept them;
Implicit sharing of privileged/confidential data - sending information by modulating the load average of the system;
Asynchronous validation/Inadequate serialization - checking a file for access permission and opening it non-atomically, thereby allowing another process to change the binding of the name to the data between the check and the open;
Inadequate identification/authentication/authorization - running a system program identified only by name, and having a different program with the same name executed;
Violable prohibition/limit - being able to manipulate data outside one's protection domain; and
Exploitable logic error - preventing a program from opening a critical file, causing the program to execute an error routine that gives the user unauthorized rights.
Penetration Studies
Why? Why not analysis?
Effectiveness
Interpretation
Flaw Hypothesis Methodology
System analysis
Hypothesis generation
Hypothesis testing
Generalization
System Analysis
Learn everything you can about the system
Learn everything you can about operational procedures
Compare to models like PA, RISOS
Hypothesis Generation
Study the system, look for inconsistencies in interfaces
Compare to previous systems
Compare to models like PA, RISOS
Hypothesis testing
Look at system code, see if it would work (live experiment may be unneeded)
If live experiment needed, observe usual protocols
Generalization
See if other programs, interfaces, or subjects/objects suffer from the same problem
See if this suggests a more generic type of flaw
Peeling the Onion
You know very little (not even phone numbers or IP addresses)
You know the phone number/IP address of system, but nothing else
You have an unprivileged (guest) account on the system.
