Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 23: Vulnerability Analysis

Published byYenny Atmadjaja Modified over 5 years ago

Similar presentations

Presentation on theme: "Chapter 23: Vulnerability Analysis"— Presentation transcript:

1 Chapter 23: Vulnerability Analysis
Dr. Wayne Summers Department of Computer Science Columbus State University

2 Penetration Studies Test for evaluating strengths of all security controls on the computer system (tiger team attack, red team attack) Authorized attempt to violate constraints stated in security policy Layering of Tests External attacker with no knowledge of system External attacker with access to the system Internal attacker with access to the system

3 Penetration Studies Flaw Hypothesis Methodology Information Gathering
Flaw Testing Flaw Generalization Flaw Elimination

4 Vulnerability Classification
Goal of vulnerability analysis is to develop methodologies that provide Ability to specify, design, and implement a computer system without vulnerabilities Ability to analyze a computer system to detect vulnerabilities Ability to address any vulnerabilities introduced during the operation of the computer system Ability to detect attempted exploitations of vulnerabilities

5 Frameworks Research Into Secure Operating Systems (RISOS) – classified flaws Incomplete parameter validation (buffer overflow) Inconsistent parameter validation Implicit sharing of privileged/confidential data Asynchronous validation/inadequate serialization (race conditions/time-of-check to time-of-use) Inadequate identification/authentication/authorization Violable prohibition/limit (bound conditions) Exploitable logic error

6 Frameworks Protection Analysis Model (pattern-directed protection evaluation) Improper protection domain initialization and enforcement Improper choice of initial protection domain Improper isolation of implementation detail Improper change Improper naming Improper deallocation or deletion Improper validation Improper sychronization Improper indivisibility Improper sequencing Improper choice of operand / operation

7 Frameworks NRL Taxonomy Flaws by genesis Intentional
Malicious Trojan horse Trapdoor Logic/time bomb Nonmalicious Covert channel Other Unintentional (RISOS taxonomy)

8 Frameworks NRL Taxonomy Flaws by time of introduction Development
Requirement/specification/design Source code Object code Maintenance Operation

9 Frameworks NRL Taxonomy Flaws by location Software Hardware
Operating System System initialization Memory management Process management/scheduling Device management File management Identification/authentication Other/unknown Support Privileged utilities Unprivileged utilities Application Hardware

Download ppt "Chapter 23: Vulnerability Analysis"

Similar presentations

Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,

A Taxonomy of Computer Program Security Flaws C. E. Landwehr, A. R. Bull, J. P. McDermott and W.S. Choi -- Presented by: Feng Hui Luo ACM Computing Surveys,
Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.

Lecture 14 Program Flaws CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Csilla Farkas and Brandon Phillips.
1 Vulnerability Analysis CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 26, 2004.

1 Vulnerability Analysis CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 26, 2004.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,

Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Vulnerability Analysis

Vulnerability Analysis
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.
Chapter 13 Processing Controls. Operating System Integrity Operating system -- the set of programs implemented in software/hardware that permits sharing.

Chapter 13 Processing Controls. Operating System Integrity Operating system -- the set of programs implemented in software/hardware that permits sharing.
CSCE 201 Attacks on Desktop Computers: Malicious Code Hardware attacks.

CSCE 201 Attacks on Desktop Computers: Malicious Code Hardware attacks.
CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.

CS 325: Software Engineering April 14, 2015 Software Security Security Requirements Software Security in the Life Cycle.
Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.

Analyzing and Detecting Network Security Vulnerability Weekly report 1Fan-Cheng Wu.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
CSCE 522 Lecture 12 Program Security Malicious Code.

CSCE 522 Lecture 12 Program Security Malicious Code.
Operating system Security By Murtaza K. Madraswala.

Operating system Security By Murtaza K. Madraswala.
Program Security Week-2. Programming Fault: When a human makes a mistake, called an error, in performing some software activity, the error may lead to.

Program Security Week-2. Programming Fault: When a human makes a mistake, called an error, in performing some software activity, the error may lead to.
Software Security and Security Engineering (Part 2)

Software Security and Security Engineering (Part 2)
Chapter 1 Ethical Hacking Overview. Objectives After reading this chapter and completing the exercises, you will be able to: Describe the role of an ethical.

Chapter 1 Ethical Hacking Overview. Objectives After reading this chapter and completing the exercises, you will be able to: Describe the role of an ethical.

Similar presentations

Ads by Google