From: Guillermo Marro (gmmarroyahoo.com)
Date: Fri Apr 05 2002 - 17:26:09 CST

    From an academic perspective, it's worth mentioning
    that UCDavis is currently offering (this spring
    quarter) a very interesting grad class about this
    topic taught by Matt Bishop.

    Some pointers you might find of interest:

    Protection Analysis (PA) model
    RISOS (Research Into Secure Operating Systems) model
    Aslam's model
    NRL Taxonomy

    Additionally Gupta & Gligor have made important
    research contributions in this area.

    If you prefer the information logically organized and
    condensed, you might want to wait for Bishop's book
    "Art & Science of Computer Security" to be published
    soon. (you'll find a whole chapter devoted to this
    subject).

    G.

    Oliver Petruzel wrote:

    I am sincerely glad someone brought this up. My
    concern lies in a total
    lack of education or training in this area. Hacking
    101 courses are all
    over the place now; teaching MCSE-kiddies and
    non-technical managers how
    to run scripts and nmap (swell..$2-4k to learn this
    stuff in 3 days?
    Ach, ask a single grad of those programs what nmap is
    ACTUALLY sending
    and receiving..lol "duhh, errr, but it says it's BeOS
    with port 80 open,
    I'll just use securityfocus like they showed me to
    find a script to
    shoot at it..")...

    (I digress...) There are not many courses that I know
    of that actually
    explain the methodology in searching for *new*
    vulnerabilities... As in
    "Tearing apart that new .dll, .asp, or cgi from a
    security perspective
    101"

    Some folks claim it's just trial and error and dumb
    luck. Others say
    that folks troll the "most downloaded" new pieces of
    software at
    shareware sites and then pound away semi-blindly with
    input variables
    and switches that have worked against previously
    announced holes in
    other software until they find something that will get
    their name on
    bugtraq...

    Problem is, in our growing field of infosec, beyond
    post-grad or
    doctorate level CS, there aren't very many educational
    tracks to show
    your average programmer/engineer how to start finding
    new holes... The
    only thing I can think of is to send someone through:
    a secure
    programming program AND a webapp dev course AND a
    windows API course AND
    AND AND..etc...we're talking tens of thousands of
    bucks there, not to
    mention the hours involved..ouch.

    My goal: I want to take 4 of my Jr Security Engineers
    and send them
    somewhere for a week or two, or perhaps several weeks
    at night, and have
    them come back to tear apart software like it's
    nothing... <foundstone,
    hint hint, E&Y, hint hint.. Anyone? Bueller?
    Bueller?...> Of course,
    pre-req's would be a solid knowledge of scripting languages, C/C++,
    network architectures and protocols, and all
    publicly known scripts
    and code... (but I require that of my jr's anyways so
    I just want
    someone else to show them the next level! I have no
    time, and hell, if
    the course is good enough, I would even go so that I
    can stop using
    semi-educated dumbluck and trial and error! lol)

    I am VERY interested to see someone post a resource...
    Maybe this is
    just a pipe-dream.

    ./oliver

    Ps: on a side note, there are several interesting
    projects currently in
    dev everywhere to automate all of this.. So don't
    worry, soon those
    afraid of anything they can't click on will also be
    able to point and
    click their way through code to find new vulns...swell
    eh? There are
    even dev projects going to automate vulnerability
    discovery in ALREADY
    COMPILED software! Woohoo...

    "Excellent Smithers! Now activate the artificial
    lightning and blue
    screens of death!"

    -----Original Message-----
    From: kaipower [mailto:kaipowersubdimension.com]
    Sent: Thursday, April 04, 2002 8:05 PM
    To: security-basicssecurityfocus.com;
    vuln-devsecurity-focus.com;
    vuln-devsecurityfocus.com
    Subject: Techniques for Vulneability discovery

    Hi,

    After reading the mailing list for quite a while,
    there is a burning
    question which I kept asking myself:

    How do experts discover vulnerabilities in a
    system/software?

    Some categories of vulnerabilities that I am aware of:
    1) Buffer overflow (Stack or Heap)
    2) Mal access control and
