CSE/409/509
Notes for 1/30/09
Email: rob@cs.sunysb.edu for class questions
Reviews: rob+509r@cs.sunysb.edu for review hand-ins
Reading summary:
Thompson ("Reflections on Trusting Trust"): wrote a trojaned compiler that inserts a backdoor whenever it compiles the login program, and re-inserts both behaviours whenever it compiles the compiler itself. Neither the login source nor the compiler source shows anything, so inspecting source code alone cannot prove a system is clean.
Saltzer Schroeder 1975 Principles of Security:
1. Economy of Mechanism: Keep it simple stupid (K.I.S.S), short and simple makes it easier to not make mistakes.
For the trusted computing base the simpler mechanism wins, so for holding security-critical configuration prefer, in this order: hardcoded -> file -> database (each step adds more code and more ways to get it wrong).
An example of a system that had such a bug is Multics (the lecture's example; this page-fault password attack is usually told about TENEX).
Multics: stored users and passwords in a table in plaintext, not hashed, and compared a login attempt against the stored password character by character.
Sample Code (the lecture's login routine, cleaned up into valid C; lookup() returns the user's stored plaintext password):

    char *lookup(const char *user);   /* returns the stored plaintext password */

    int login(const char *user, const char *pwd)
    {
        const char *rpwd = lookup(user);
        /* walk both strings and stop at the first mismatch (or at the end) */
        while (*pwd == *rpwd && *pwd != '\0') {
            rpwd++;
            pwd++;
        }
        /* accept only if both strings ended at the same place */
        if (*rpwd == '\0' && *pwd == '\0')
            return 1;
        else
            return 0;
    }
The Bug: the comparison stops at the first wrong character, so how far the loop gets depends on how much of the guess is correct, and an attacker can observe that. In the lecture's version the guess is laid out in memory so that it straddles a page boundary: the first k characters sit on a resident page and the rest on a page that is not mapped in. If the first k characters are right, the loop steps onto the next page and takes a page fault; if any of them is wrong, it stops before reaching it and no fault occurs. The same leak shows up as timing: the right character makes the loop run one step further, so the call takes slightly longer to fail. Either way the attacker tries every character of the keyboard for one position, keeps the one that gets furthest, and moves on to the next position, recovering the whole password in about (alphabet size x password length) guesses instead of (alphabet size ^ password length).
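The attack described above, worked through in code. This is an added example, not code from the lecture: the password, the alphabet and the "work" counter (the number of characters compared before the check gives up, standing in for the page fault or the stopwatch) are all constructed here. It recovers the password from the early-exit check and shows that a check which always compares every byte leaks nothing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the stored plaintext password. The attack code below
   never reads it directly; it only calls the login oracle. */
static const char SECRET[] = "s3cret";

/* Oracle: 1 if the guess is accepted, 0 if not; *work receives the number of
   comparisons made before the check gave up. That count is what a page fault
   on the next page (or a stopwatch) lets the attacker observe. */
typedef int (*login_fn)(const char *guess, size_t *work);

/* Vulnerable check, same shape as the lecture's login(): stops at the first mismatch. */
static int login_early_exit(const char *guess, size_t *work)
{
    const char *rpwd = SECRET;
    size_t n = 0;
    while (*guess == *rpwd && *guess != '\0') {
        guess++; rpwd++; n++;
    }
    *work = n + 1;                     /* the final mismatching (or terminating) comparison */
    return *guess == '\0' && *rpwd == '\0';
}

/* Hardened check: always touches every byte of the stored password, so the work
   done does not depend on where the first wrong character is. (The guess length
   still shows; a real system compares fixed-length password hashes instead.) */
static int login_constant_time(const char *guess, size_t *work)
{
    size_t len = strlen(SECRET), glen = strlen(guess), i;
    unsigned char diff = (unsigned char)(glen != len);
    for (i = 0; i < len; i++) {
        unsigned char g = i < glen ? (unsigned char)guess[i] : 0;
        diff |= g ^ (unsigned char)SECRET[i];
    }
    *work = len + 1;
    return diff == 0;
}

/* Constructed alphabet; the sample password only uses these characters. */
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz0123456789";

/* The attack: for each position, try every alphabet character and keep the one
   that makes the check run furthest. Returns 1 with the password in out, or 0 if
   the oracle leaks nothing (no character gets further than the previous position). */
static int recover_password(login_fn check, char *out, size_t outsz)
{
    size_t pos = 0, prev_work = 0;
    out[0] = '\0';
    while (pos + 1 < outsz) {
        size_t best_work = 0, w;
        char best = 0;
        const char *c;
        for (c = ALPHABET; *c != '\0'; c++) {
            out[pos] = *c;
            out[pos + 1] = '\0';
            if (check(out, &w))
                return 1;              /* whole password accepted */
            if (w > best_work) { best_work = w; best = *c; }
        }
        if (best_work <= prev_work) {  /* no character extended the matched prefix */
            out[pos] = '\0';
            return 0;
        }
        out[pos] = best;
        out[++pos] = '\0';
        prev_work = best_work;
    }
    return 0;
}

int main(void)
{
    char buf[32];
    if (recover_password(login_early_exit, buf, sizeof buf))
        printf("early-exit check leaked the password: %s\n", buf);
    if (!recover_password(login_constant_time, buf, sizeof buf))
        printf("constant-time check leaked nothing\n");
    return 0;
}
```

Against the early-exit check the attacker needs at most 36 guesses per position; against the constant-time check every guess does the same amount of work, so the search never gets past the first position.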
2. Fail-safe Defaults: specify what people can and cannot do, and when nothing is specified, deny. Default-deny vs. default-allow:
| Default-deny | Default-allow |
| Everyone yells because nobody has access to anything | People get access to things they should not be able to reach |
| Loud failure (noticed and fixed) | Silent failure (may never be noticed) |
3. Separation of Privilege: don't give all the power to one person. Require two people, each with their own key, to be present to launch a nuclear missile (the two-person rule).
4. Least Privilege: give a person only the privileges their job requires. Give an admin the right to move users between groups, but not the right to delete accounts or grant privileges to other users unless that is needed. Give the janitor keys to the rooms but not the key to the safe-deposit box.
5. Least Common Mechanism (called Least Shared Mechanism, or shared state, in lecture): "don't put all your eggs in one basket." Do not let components with different levels of trust share a mechanism or state. For example, web site users and the system that runs the web site should not share a machine or state.
6. Complete Mediation: if you're protecting a resource, check every attempt to access it.
a. Check every access.
b. Unix checks permissions at open(), not at each read(): once a process has the file open it can keep reading for as long as the descriptor lives, so if an admin made a mistake and later revokes access, the process that already opened the file keeps reading anyway.
However, you can argue that a person could have done whatever they wanted during the time they legitimately had access anyway.
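The open()/read() gap in point 6b, demonstrated on a real Unix system. This is an added example, not code from the lecture: it creates a scratch file under /tmp with constructed content, opens it, revokes all permissions with chmod(0), and shows that the descriptor obtained before the revocation still reads the data while a fresh open() is mediated again (and normally fails, unless the process is root).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if a descriptor opened before the permission change can still read
   the file afterwards, 0 if it cannot, -1 on setup error. *reopen_ok is set to 1
   if a fresh open() after the revocation succeeds (root bypasses mode bits,
   so this is reported rather than asserted). */
int read_after_revoke(int *reopen_ok)
{
    static const char msg[] = "payroll data";   /* constructed sample content */
    char path[] = "/tmp/mediation.XXXXXX";      /* scratch file, removed on exit */
    char buf[32];
    int fd, rfd, nfd, ok;
    ssize_t n;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, msg, strlen(msg)) != (ssize_t)strlen(msg)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    rfd = open(path, O_RDONLY);          /* the permission check happens here */
    if (rfd < 0) {
        unlink(path);
        return -1;
    }

    chmod(path, 0);                      /* the admin revokes access: mode 000 */

    nfd = open(path, O_RDONLY);          /* a new open is mediated again */
    *reopen_ok = (nfd >= 0);
    if (nfd >= 0)
        close(nfd);

    n = read(rfd, buf, sizeof buf - 1);  /* no permission check on read() */
    ok = (n == (ssize_t)strlen(msg) && memcmp(buf, msg, (size_t)n) == 0);

    close(rfd);
    unlink(path);
    return ok;
}

int main(void)
{
    int reopen = 0;
    int still_readable = read_after_revoke(&reopen);
    printf("old descriptor still reads the file: %s\n", still_readable == 1 ? "yes" : "no");
    printf("fresh open() after chmod 000 succeeded: %s\n", reopen ? "yes (running as root?)" : "no");
    return 0;
}
```

The revocation only takes effect for accesses that go back through open(); to really cut a process off you have to kill it or revoke the descriptor itself, which classic Unix cannot do.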
7. Open Design (this one is in the original Saltzer and Schroeder list): don't depend on the design being secret; let people see the source so they can find what is wrong with it. Only the keys or passwords should need to be secret.
Fuzz-testing figures cited in lecture: open-source programs failed on 13% of inputs, closed-source programs on 25%.
The military and Google are examples of closed-source organizations that nevertheless do security well.
8. Psychological Acceptability: security has to be something people will actually use; if it is not, they will work around it, for example by using other people's wireless.
| Weak security | Stronger security |
| Secure use is easy | Insecure use is hard |
| Let the user type in any web page name | Only let the user pick from the specific pages you want them to visit |
Linux has a function copy_from_user(void *to, const void __user *from, unsigned long n) for reading data from a user-space pointer (it returns the number of bytes it could not copy, so 0 means success).
Using it was easy and secure, but insecure use was not hard: nothing stopped kernel code from dereferencing the user pointer directly, and the compiler would not complain.
The fix was a checker: Linux marks user pointers with the __user annotation and the sparse static checker flags any direct dereference of them.
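The copy_from_user point, as an added user-space example (not Linux kernel code): it models the user address space as a constructed buffer, gives user pointers an incomplete type so that dereferencing one directly is a compile error (the same effect the __user annotation plus sparse achieve for the real kernel), and implements copy_from_user with the Linux return convention and the bounds check that a direct dereference would skip. The names user_addr, user_space and kernel_secret are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the user address space. */
#define USER_SIZE 64
static unsigned char user_space[USER_SIZE] = "hello from userland";

/* Something that must never be reachable through a user pointer. */
static char kernel_secret[16] = "kernelonly";

/* A user pointer is an incomplete type: '*p' and 'p[i]' do not compile, so the
   only way to read through it is copy_from_user() below. This is the type-level
   version of the __user annotation that sparse checks in the real kernel. */
typedef struct user_mem *user_ptr;

/* Form a user pointer from an offset into the simulated user space. */
static user_ptr user_addr(size_t offset)
{
    return (user_ptr)(user_space + offset);
}

/* Mirrors the Linux convention: returns the number of bytes NOT copied, so 0
   means success. A range that is not entirely inside user space copies nothing. */
static unsigned long copy_from_user(void *to, user_ptr from, unsigned long n)
{
    uintptr_t s = (uintptr_t)from;
    uintptr_t lo = (uintptr_t)user_space, hi = lo + USER_SIZE;
    if (s < lo || s > hi || n > hi - s)
        return n;
    memcpy(to, (const void *)s, n);
    return 0;
}

/* A syscall-style handler: fetch a fixed-size record from user space.
   Returns 0 on success, -1 (what Linux reports as -EFAULT) on a bad pointer. */
static int sys_fetch_record(user_ptr urec, char rec[8])
{
    if (copy_from_user(rec, urec, 8) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char rec[8];
    /* user_ptr p = user_addr(0); printf("%c", *p);   <- does not compile */
    printf("in-range fetch: %d\n", sys_fetch_record(user_addr(0), rec));
    printf("fetch past end of user space: %d\n", sys_fetch_record(user_addr(60), rec));
    printf("fetch with a kernel address: %d\n", sys_fetch_record((user_ptr)kernel_secret, rec));
    return 0;
}
```

The easy path (copy_from_user) is also the secure one, and the insecure path (a raw dereference) fails to compile, which is exactly the "insecure use is hard" column of the table above.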