Notes for October 14, 1998
- Greetings and Felicitations!
- Remember, discussion section today covers important material.
- Puzzle of the Day: can argue this one many ways; thought problem ...
- Common Implementation Vulnerabilities
- Unknown interaction with other system components (DNS entry with bad names, assuming finger port is finger and not chargen)
- Overflow (year 2000, lpr overwriting flaw, sendmail large integer flaw, su buffer overflow)
- Race conditions (xterm flaw, ps flaw)
- Environment variables (vi one-upsmanship, loadmodule)
- Not resetting privileges (Purdue Games incident)
- Vulnerability Models
- PA model
- RISOS
- NSA
- PA Model (Neumann's organization)
- Improper protection (initialization and enforcement)
- improper choice of initial protection domain - "incorrect
initial assignment of security or integrity level at system
initialization or generation; a security critical function manipulating
critical data directly accessible to the user";
- improper isolation of implementation detail - allowing users to
bypass operating system controls and write to absolute input/output
addresses; direct manipulation of a "hidden" data structure
such as a directory file being written to as if it were a regular file;
drawing inferences from paging activity
- improper change - the "time-of-check to time-of-use"
flaw; changing a parameter unexpectedly;
- improper naming - allowing two different objects to have the same
name, resulting in confusion over which is referenced;
- improper deallocation or deletion - leaving old data in memory
deallocated by one process and reallocated to another process, enabling
the second process to access the information used by the first; failing
to end a session properly
- Improper validation - not checking critical conditions and
parameters, leading to a process' addressing memory not in its memory
space by referencing through an out-of-bounds pointer value; allowing
type clashes; overflows
- Improper synchronization
- improper indivisibility - interrupting atomic operations (e.g.
locking); cache inconsistency
- improper sequencing - allowing actions in an incorrect order (e.g.
reading during writing)
- Improper choice of operand or operation - using unfair scheduling
algorithms that block certain processes or users from running; using
the wrong function or wrong arguments.
- RISOS
- Incomplete parameter validation - failing to check that a parameter
used as an array index is in the range of the array;
- Inconsistent parameter validation - if a routine allowing shared access
to files accepts blanks in a file name, but no other file manipulation
routine (such as a routine to revoke shared access) will accept
them;
- Implicit sharing of privileged/confidential data - sending
information by modulating the load average of the system;
- Asynchronous validation/Inadequate serialization - checking a file
for access permission and opening it non-atomically, thereby allowing
another process to change the binding of the name to the data between
the check and the open;
- Inadequate identification/authentication/authorization - running a
system program identified only by name, and having a different program
with the same name executed;
- Violable prohibition/limit - being able to manipulate data outside
one's protection domain; and
- Exploitable logic error - preventing a program from opening a critical
file, causing the program to execute an error routine that gives the
user unauthorized rights.
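
The check-then-open race listed above under "Asynchronous validation/Inadequate serialization" (the PA model's "improper change"), shown beside its usual repair. This is an added C example, not part of the original notes. The file names, the world-readable policy in `allowed`, and `rebind`, which stands in for the second process, are constructed for illustration.

```c
#define _XOPEN_SOURCE 700                   /* POSIX.1-2008 declarations */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static char pub[64], secret[64];            /* constructed sample paths */
static int put(const char *path, const char *text, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int ok = fd >= 0 && write(fd, text, strlen(text)) >= 0 && fchmod(fd, mode) == 0;
    if (fd >= 0) close(fd);
    return ok;
}
/* Stands in for the other process: rebinds the checked name to other data. */
static void rebind(void) { if (unlink(pub) != 0 || symlink(secret, pub) != 0) perror("rebind"); }
/* Constructed policy: only world-readable regular files may be opened. */
static int allowed(const struct stat *st) {
    return S_ISREG(st->st_mode) && (st->st_mode & S_IROTH);
}
/* Flawed: the check and the open are two separate lookups of one name. */
int check_then_open(const char *path, void (*window)(void)) {
    struct stat st;
    if (lstat(path, &st) != 0 || !allowed(&st)) return -1;
    window();                               /* gap between check and use */
    return open(path, O_RDONLY);
}
/* Hardened: resolve the name once, then check the object actually opened. */
int open_then_check(const char *path, void (*window)(void)) {
    struct stat st;
    window();                               /* rebinding before the single lookup */
    int fd = open(path, O_RDONLY);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !allowed(&st))) { close(fd); fd = -1; }
    return fd;
}
/* 1 if the opener hands back the secret after the name is rebound, else 0. */
int leaks_secret(int (*opener)(const char *, void (*)(void))) {
    char dir[] = "/tmp/tocdemoXXXXXX", buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(pub, sizeof pub, "%s/pub", dir); snprintf(secret, sizeof secret, "%s/secret", dir);
    int fd = put(pub, "public", 0644) && put(secret, "SECRET", 0600) ? opener(pub, rebind) : -1;
    if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(fd); }
    unlink(pub); unlink(secret); rmdir(dir);
    return strcmp(buf, "SECRET") == 0;
}
int main(void) {
    printf("check_then_open leaks: %d\n", leaks_secret(check_then_open));
    printf("open_then_check leaks: %d\n", leaks_secret(open_then_check));
}
```

The hardened version passes because `fstat` examines the object the descriptor is bound to, so later changes to the name cannot separate the check from the data that is read.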
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 10/19/98