Lecture 3 Outline

1. Greetings and felicitations!
2. Puzzle of the Day
3. Capabilities
   1. Revocation: use of a global descriptor table
4. MULTICS ring mechanism
   1. Rings, gates, ring-crossing faults
   2. Used for both data and procedures; rights are REWA
      (b₁, b₂) access bracket—can access freely; (b₃, b₄) call bracket—can call segment through gate; so if a’s access bracket is (32, 35) and its call bracket is (36, 39), then assuming permission mode (REWA) allows access, a procedure in:
      rings 0–31: can access a, but ring-crossing fault occurs
      rings 32–35: can access a, no ring-crossing fault
      rings 36–39: can access a, provided a valid gate is used as an entry point
      rings 40–63: cannot access a
   3. If the procedure is accessing a data segment d, no call bracket allowed; given the above, assuming permission mode (REWA) allows access, a procedure in:
      rings 0–32: can access d
      rings 33–35: can access d, but cannot write to it (W or A)
      rings 36–63: cannot access d
5. Some common vulnerabilities
   1. Catalogues: CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration)
   2. 2011 MITRE/SANS Top 25 Most Dangerous Software Errors
   3. OWASP Top 10 – 2013 rc1 The Ten Most Critical Web Application Security Risks
6. MITRE/SANS list
   1. Insecure interactions among components
      1. SQL injection
      2. OS command injection
      3. Cross-site scripting
      4. Unrestricted upload of file with dangerous type
      5. Cross-site request forgery
      6. URL redirect to untrusted site
   2. Risky resource management
      1. Buffer copy without checking size of input
      2. Improper limitation of a pathname to a restricted directory
      3. Download of code without integrity check
      4. Inclusion of functionality from untrusted control sphere
      5. Use of potentially dangerous function
      6. Incorrect calculation of buffer size
      7. Uncontrolled format string
      8. Integer overflow or wraparound
   3. Porous defenses
      1. Missing authentication for critical function
      2. Missing authorization
      3. Use of hard-coded credentials
      4. Missing encryption of sensitive data
      5. Reliance on untrusted inputs in a security decision
      6. Execution with unnecessary privileges
      7. Incorrect authorization
      8. Incorrect permission assignment for critical resource
      9. Use of a broken or risky cryptographic algorithm
      10. Improper restriction of excessive authentication attempts
      11. Use of a one-way hash without a salt
7. OWASP list
   1. Injection
   2. Broken authentication and session management
   3. Cross-site scripting
   4. Insecure direct object references
   5. Security misconfiguration
   6. Sensitive data exposure
   7. Missing function level access control
   8. Cross-site request forgery
   9. Using known vulnerable components
   10. Unvalidated redirects and forwards
8. Comparison
   1. Everything on the OWASP list is also on the MITRE/SANS list
   2. Injection is #1 on both lists
   3. The MITRE/SANS list covers vulnerabilities generally; OWASP covers only web vulnerabilities

1. Suppose an exploitation of the vulnerability could be prevented by proper system configuration. Which of the above courses of action would you take, and why?
2. If an exploitation of the vulnerability could be detected (but not prevented) by system administrators, how would this change your answer to the first question?
3. Now suppose no exploitation of the vulnerability can be detected or prevented. Would this change your answer, and if so, how?