Inconsistent parameter validation—if a routine
allowing shared access to files accepts blanks in a
file name, but no other file manipulation routine
(such as a routine to revoke shared access) will
accept them;
Implicit sharing of privileged/confidential
data—sending information by modulating the load
average of the system;
Asynchronous validation/Inadequate serialization—checking
a file for access permission and opening it non-atomically,
thereby allowing another process to change the binding of the
name to the data between the check and the open;
Inadequate identification/authentication/authorization—
running a system program identified only by name, and having a
different program with the same name executed;
Violable prohibition/limit—being able to manipulate
data outside one's protection domain; and
Exploitable logic error—preventing a program
from opening a critical file, causing the program to execute
an error routine that gives the user unauthorized rights.
PA Model (Neumann's organization)
Goal: develop techniques to search for
vulnerabilites that less experienced people could use
Improper protection (initialization and
enforcement)
Improper choice of initial protection
domain—“incorrect initial assignment of security or
integrity level at system initialization or generation;
a security critical function manipulating critical data
directly accessible to the user”;
Improper isolation of implementation
detail—allowing users to bypass operating system controls
and write to absolute input/output addresses;
direct manipulation of a “hidden” data structure
such as a directory file being written to as if it were a
regular file; drawing inferences from paging activity
Improper change—the “time-of-check
to time-of-use” flaw; changing a parameter
unexpectedly;
Improper naming—allowing two different objects
to have the same name, resulting in confusion over
which is referenced;
Improper deallocation or deletion—leaving
old data in memory deallocated by one process and reallocated
to another process, enabling the second process to access
the information used by the first; failing to end a session
properly
Improper validation—not checking critical
conditions and parameters, so a process addresses memory not
in its memory space by referencing through an out-of-bounds
pointer value; allowing type clashes; overflows
Improper sequencing—allowing actions in an
incorrect order (e.g. reading during writing)
Improper choice of operand or operation—using
unfair scheduling algorithms that block certain processes or
users from running; using the wrong function or wrong
arguments.
NRL
Goal: Find out how vulnerabilities enter the
system, when they enter the system, and where they are
Axis 1: inadvertent (RISOS classes) vs.
intentional (malicious/nonmalicious)
Axis 2: time of introduction (development,
maintenance, operation)
Axis 3: location (hardware, software: OS, support
utilities, applications)
Aslam
Goal: Treat vulnerabilities as faults
Coding faults: introduced during software
development
Synchronization errors
Validation errors
Emergent faults: introduced by incorrect
initialization, use, or application
Configuration errors
Environment faults
Introduced decision procedure to classify
vulnerabilities in exactly one category