Notes for October 13, 1999
- Greetings and Felicitations!
- Puzzle of the Day
- Common Implementation Vulnerabilities
- Unknown interaction with other system components (DNS entry with bad
names, assuming finger port is finger and not chargen)
- Overflow (year 2000, lpr overwriting flaw, sendmail large integer
flaw, su buffer overflow)
- Race conditions (xterm flaw, ps flaw)
- Environment variables (vi one-upsmanship, loadmodule)
- Not resetting privileges (Purdue Games incident)
- Vulnerability Models
- PA model
- RISOS
- NSA
- PA Model (Neumann's organization)
- Improper protection (initialization and enforcement)
- improper choice of initial protection domain - "incorrect
initial assignment of security or integrity level at system
initialization or generation; a security critical function manipulating
critical data directly accessible to the user";
- improper isolation of implementation detail - allowing users to
bypass operating system controls and write to absolute input/output
addresses; direct manipulation of a "hidden" data structure
such as a directory file being written to as if it were a regular file;
drawing inferences from paging activity
- improper change - the "time-of-check to time-of-use" flaw;
changing a parameter unexpectedly;
- improper naming - allowing two different objects to have the same
name, resulting in confusion over which is referenced;
- improper deallocation or deletion - leaving old data in memory
deallocated by one process and reallocated to another process, enabling
the second process to access the information used by the first; failing
to end a session properly
- Improper validation - not checking critical conditions and
parameters, leading to a process' addressing memory not in its memory
space by referencing through an out-of-bounds pointer value; allowing
type clashes; overflows
- Improper synchronization;
- improper indivisibility - interrupting atomic operations (e.g.
locking); cache inconsistency
- improper sequencing - allowing actions in an incorrect order (e.g.
reading during writing)
- Improper choice of operand or operation - using unfair scheduling
algorithms that block certain processes or users from running; using the
wrong function or wrong arguments.
- RISOS
- Incomplete parameter validation - failing to check that a parameter
used as an array index is in the range of the array;
- Inconsistent parameter validation - if a routine allowing shared
access to files accepts blanks in a file name, but no other file
manipulation routine (such as a routine to revoke shared access) will
accept them;
- Implicit sharing of privileged/confidential data - sending
information by modulating the load average of the system;
- Asynchronous validation/Inadequate serialization - checking a file
for access permission and opening it non-atomically, thereby allowing
another process to change the binding of the name to the data between
the check and the open;
- Inadequate identification/authentication/authorization - running a
system program identified only by name, and having a different program
with the same name executed;
- Violable prohibition/limit - being able to manipulate data outside
one's protection domain; and
- Exploitable logic error - preventing a program from opening a
critical file, causing the program to execute an error routine that
gives the user unauthorized rights.
- Penetration Studies
- Why? Why not analysis?
- Effectiveness
- Interpretation
-
Flaw Hypothesis Methodology
- System analysis
- Hypothesis generation
- Hypothesis testing
- Generalization
- System Analysis
- Learn everything you can about the system
- Learn everything you can about operational procedures
- Compare to models like PA, RISOS
- Hypothesis Generation
- Study the system, look for inconsistencies in interfaces
- Compare to previous systems
- Compare to models like PA, RISOS
- Hypothesis testing
- Look at system code, see if it would work (live experiment may be
unneeded)
- If live experiment needed, observe usual protocols
- Generalization
- See if other programs, interfaces, or subjects/objects suffer from
the same problem
- See if this suggests a more generic type of flaw
- Peeling the Onion
- You know very little (not even phone numbers or IP addresses)
- You know the phone number/IP address of system, but nothing else
- You have an unprivileged (guest) account on the system.
- You have an account with limited privileges.
Send email to
[email protected].
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 10/14/99