SST Design principles
12 Feb. 2013
Saltzer/Schroeder 8+2 design principles
Combine it with Star-Wars, can it get any better?
(See Applied Information Security - lecture 1)
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design: But there might be things hard to change. Apply other measures like firewalls?
- Separation of privileges
- Least privilege
- Least common mechanism
- Psychological acceptability
- Work factor: The problem is that once a vulnerability has been found, deploying an exploit for it is orders of magnitude cheaper than finding it in the first place
- Compromise recording: But it's difficult to separate good from bad usage
Java 7u10 vulnerability
See this presentation:
Race conditions
Two examples: one with insecure use of a file in the temporary folder and one with a secure version.
Insecure version (check with access(), then open by path):
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    static void die(const char *msg) { perror(msg); exit(EXIT_FAILURE); }
    int open_userfile(void)
    {
        int res = access("/tmp/userfile", R_OK); /* check: done against the real UID */
        if (res != 0)
            die("access");
        /* Ok, we can read from /tmp/userfile */
        /* What can happen between access() and open()? */
        int fd = open("/tmp/userfile", O_RDONLY); /* use: the path is resolved again here */
        /* And what would be the effect? */
        return fd;
    }
Secure version (inspect with lstat(), open, then confirm with fstat() that the descriptor refers to the inode that was inspected):
    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/stat.h>
    #include <unistd.h>
    #define FMODE (S_IRUSR | S_IWUSR) /* owner read/write only */
    static void raise_error(void) { perror("open_safely"); exit(EXIT_FAILURE); }
    int open_safely(const char *fname)
    {
        struct stat stb1, stb2;
        int fd;
        if (lstat(fname, &stb1) >= 0) {
            /* Existing path: refuse symlinks, devices and hard-linked files */
            if (!S_ISREG(stb1.st_mode) || (stb1.st_nlink > 1)) {
                raise_error();
            }
            fd = open(fname, O_RDWR);
            if (fd < 0 || fstat(fd, &stb2) < 0) {
                raise_error();
            }
            /* The open descriptor must refer to the same inode we inspected */
            if (stb1.st_ino != stb2.st_ino || stb1.st_dev != stb2.st_dev || stb2.st_nlink > 1) {
                raise_error();
            }
        }
        else {
            /* Nothing there yet: create atomically, fail if someone raced us */
            fd = open(fname, O_RDWR | O_CREAT | O_EXCL, FMODE);
            if (fd < 0) {
                raise_error();
            }
        }
        return fd;
    }
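As an added example (not code from the lecture notes), the same defence without a path pre-check: open with O_NOFOLLOW so a symlink at the final component is refused, then validate the descriptor with fstat(). The function names and the /tmp demo paths are this example's own assumptions.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an existing regular file without a separate check-then-use step:
 * O_NOFOLLOW makes the kernel refuse a symlink at the last path component,
 * and fstat() on the descriptor (not stat() on the path) validates what we
 * actually got. Returns the fd, or -1 with errno set. (Hypothetical name.) */
int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                      /* ELOOP when path was a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink > 1) {
        close(fd);
        errno = EPERM;                  /* not a plain, single-link regular file */
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular temp file plus a symlink pointing at it.
 * Returns 1 when the regular file is accepted and the symlink is rejected. */
int demo_toctou_defence(void)
{
    char regular[] = "/tmp/sst_demo_XXXXXX";
    int fd = mkstemp(regular);
    if (fd < 0)
        return 0;
    close(fd);
    char link[sizeof regular + 5];
    snprintf(link, sizeof link, "%s.lnk", regular);
    unlink(link);
    if (symlink(regular, link) < 0) { unlink(regular); return 0; }
    int ok = 1;
    int a = open_regular_nofollow(regular);   /* expected: accepted */
    int b = open_regular_nofollow(link);      /* expected: rejected with ELOOP */
    if (a < 0) ok = 0; else close(a);
    if (b >= 0) { ok = 0; close(b); }
    unlink(link);
    unlink(regular);
    return ok;
}
```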