Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 23: Vulnerability Analysis Dr. Wayne Summers Department of Computer Science Columbus State University

Published byTheresa Wood Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 23: Vulnerability Analysis Dr. Wayne Summers Department of Computer Science Columbus State University"— Presentation transcript:

1 Chapter 23: Vulnerability Analysis Dr. Wayne Summers Department of Computer Science Columbus State University Summers_wayne@colstate.edu http://csc.colstate.edu/summers

2 2 Penetration Studies  Test for evaluating strengths of all security controls on the computer system (tiger team attack, red team attack)  Authorized attempt to violate constraints stated in security policy  Layering of Tests –External attacker with no knowledge of system –External attacker with access to the system –Internal attacker with access to the system

3 3 Penetration Studies  Flaw Hypothesis Methodology –Information Gathering –Flaw Hypothesis –Flaw Testing –Flaw Generalization –Flaw Elimination

4 4 Vulnerability Classification  Goal of vulnerability analysis is to develop methodologies that provide –Ability to specify, design, and implement a computer system without vulnerabilities –Ability to analyze a computer system to detect vulnerabilities –Ability to address any vulnerabilities introduced during the operation of the computer system –Ability to detect attempted exploitations of vulnerabilities

5 5 Frameworks  Research Into Secure Operating Systems (RISOS) – classified flaws –Incomplete parameter validation (buffer overflow) –Inconsistent parameter validation –Implicit sharing of privileged/confidential data –Asynchronous validation/inadequate serialization (race conditions/time-of-check to time-of-use) –Inadequate identification/authentication/authorization –Violable prohibition/limit (bound conditions) –Exploitable logic error

6 6 Frameworks  Protection Analysis Model ( pattern-directed protection evaluation) –Improper protection domain initialization and enforcement Improper choice of initial protection domain Improper isolation of implementation detail Improper change Improper naming Improper deallocation or deletion –Improper validation –Improper sychronization Improper indivisibility Improper sequencing –Improper choice of operand / operation

7 7 Frameworks  NRL Taxonomy –Flaws by genesis Intentional –Malicious Trojan horse Trapdoor Logic/time bomb –Nonmalicious Covert channel Other Unintentional (RISOS taxonomy)

8 8 Frameworks  NRL Taxonomy –Flaws by time of introduction Development –Requirement/specification/design –Source code –Object code Maintenance Operation

9 9 Frameworks  NRL Taxonomy –Flaws by location Software –Operating System System initialization Memory management Process management/scheduling Device management File management Identification/authentication Other/unknown –Support Privileged utilities Unprivileged utilities –Application Hardware

Download ppt "Chapter 23: Vulnerability Analysis Dr. Wayne Summers Department of Computer Science Columbus State University"

Similar presentations

Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,

A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,
Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.

Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.
Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 1 Dr. Stephania Loizidou Himona ACSC 345.
1 Vulnerability Analysis CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 26, 2004.

1 Vulnerability Analysis CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 26, 2004.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,

Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Vulnerability Analysis

Vulnerability Analysis
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.

14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.
Chapter 13 Processing Controls. Operating System Integrity Operating system -- the set of programs implemented in software/hardware that permits sharing.

Chapter 13 Processing Controls. Operating System Integrity Operating system -- the set of programs implemented in software/hardware that permits sharing.
CSCE 201 Attacks on Desktop Computers: Malicious Code Hardware attacks.

CSCE 201 Attacks on Desktop Computers: Malicious Code Hardware attacks.
CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.

CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.
Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.

Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
CSCE 522 Lecture 12 Program Security Malicious Code.

CSCE 522 Lecture 12 Program Security Malicious Code.
Operating system Security By Murtaza K. Madraswala.

Operating system Security By Murtaza K. Madraswala.
Program Security Week-2. Programming Fault: When a human makes a mistake, called an error, in performing some software activity, the error may lead to.

Program Security Week-2. Programming Fault: When a human makes a mistake, called an error, in performing some software activity, the error may lead to.

Similar presentations

Ads by Google