Results 1 - 10 of 33
Checking for Race Conditions in File Accesses
- COMPUTING SYSTEMS, 1996
Cited by 119 (3 self)
Flaws due to race conditions in which the binding of a name to an object changes between repeated references occur in many programs. We examine one type of this flaw in the UNIX operating system, and describe a semantic method for detecting possible instances of this problem. We present the results of one such analysis in which a previously undiscovered race condition flaw was found.
A Taxonomy of Computer Program Security Flaws, with Examples
- 1993
Cited by 119 (3 self)
This paper provides a taxonomy for computer program security flaws together with an appendix that carefully documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they can arise. Because these flaws were not randomly selected from a valid statistical sample of such flaws, we make no strong claims concerning the likely distribution of actual security flaws within the taxonomy. However, this method of organizing security flaw data can help those who have custody of more representative samples to organize them and to focus their efforts to remove and, eventually, to prevent the introduction of security flaws.
Categories and Subject Descriptors: D.4.6 [Operating Systems]: Security and Protection - access
Use of A Taxonomy of Security Faults
- 1996
Cited by 66 (3 self)
Security in computer systems is important so as to ensure reliable operation and to protect the integrity of stored information. Faults in the implementation of critical components can be exploited to breach security and penetrate a system. These faults must be identified, detected, and corrected to ensure reliability and safeguard against denial of service, unauthorized modification of data, or disclosure of information. We define a classification of security faults in the Unix operating system. We state the criteria used to categorize the faults and present examples of the different fault types. We present the design and implementation details of a prototype database to store vulnerability information collected from different sources. The data is organized according to our fault categories. The information in the database can be applied in static audit analysis of systems, intrusion detection, and fault detection. We also identify and describe software testing methods that should be effective in detecting different faults in our classification scheme.
Automated Audit Trail Analysis and Intrusion Detection: A Survey
- In Proceedings of the 11th National Computer Security Conference, 1988
Cited by 60 (2 self)
Today's computer systems are vulnerable to both abuse by insiders and penetration by outsiders, as evidenced by the growing number of incidents reported in the press. Because closing all security loopholes from today's systems is infeasible, and since no combination of technologies can prevent legitimate users from abusing their authority in a system, auditing is viewed as the last line of defense. What is needed are automated tools to analyze the vast amount of audit data for suspicious user behavior. This paper presents a survey of the automated audit trail analysis techniques and intrusion-detection systems that have emerged in the past several years.
1 Introduction
The last few years have seen a sudden and growing interest in automated security analysis of computer system audit trails and in systems for real-time intrusion detection. There is a growing number of research activities devoted to the subject, and some operational systems and even a few commercial products have ...
Detecting Intruders in Computer Systems
- In Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993
Cited by 49 (0 self)
Although a computer system's primary defense is its access controls, computer system access controls cannot be relied upon in most cases to safeguard against a penetration or insider attack. Even the most secure systems are vulnerable to abuse by insiders who misuse their privileges, and audit trails may be the only means of detecting authorized but abusive user activity. While many computer systems collect audit data, most do not have any capability for automated analysis of that data. Moreover, many systems collect large volumes of data that are not necessarily security relevant. To address the need for automated security analysis of audit trails, SRI is developing a real-time intrusion-detection expert system (NIDES). NIDES is an independent system that runs on its own workstation and processes audit data characterizing user activity received from a target system. NIDES provides a system-independent mechanism for real-time detection of security violations, whether they are initiated...
A Taxonomy of Security Faults in the Unix Operating System
- 1995
Cited by 31 (1 self)
0.1 An Overview of Software Testing Methods
0.2 Provable Security and Formal Methods
0.3 Security Testing
0.4 Applications of Fault Categories
0.5 Organization of the Thesis
1. RELATED WORK
1.1 Protection Analysis Project
1.2 RISOS Project
1.3 Flaw Hypothesis Methodology
1.4 Case Study: Penetration Analysis of the Michigan Terminal System
1.5 Software Fault Studies
1.5.1 Fault Categories
1.6 Errors of TeX
1.7 A Taxonomy of Computer Program Security Flaws
1.8 Comparison of Security Fault Classification Schemes
2. A TAXONOMY OF SECURITY FAULTS IN THE UNIX OPERATING SYSTEM
2.1 A Taxonomy of Security Faults
2.2 Configuration Errors
2.2.1 Examples
2.3 Synchronization Errors
2.3.1 Example
...
A Taxonomy Of Computer Attacks With Applications To Wireless Networks
- 2001
Cited by 28 (0 self)
The majority of attacks made upon modern computers have been successful due to the exploitation of the same errors and weaknesses that have plagued computer systems for the last thirty years. Because the industry has not learned from these mistakes, new protocols and systems are not designed with the aspect of security in mind; and security that is present is typically added as an afterthought. What makes these systems so vulnerable is that the security design process is based upon assumptions that have been made in the past; assumptions which now have become obsolete or irrelevant. In addition, fundamental errors in the design and implementation of systems repeatedly occur, which lead to failures. This
A Taxonomy of UNIX System and Network Vulnerabilities
- 1995
Cited by 27 (2 self)
Ambrose Bierce defined "history" as "a record of mistakes made in the past, so we shall know when we make them again." Although sardonic, his definition describes the state of affairs of computer system vulnerabilities.

