Security References: Difference between revisions
Jump to navigation
Jump to search
Line 3: | Line 3: | ||
* [http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf Reflections on Trusting Trust] How does writing the C compiler in C bear on security issues? Well, it does (Ken Thompson, Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763) |
* [http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf Reflections on Trusting Trust] How does writing the C compiler in C bear on security issues? Well, it does (Ken Thompson, Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763) |
||
** The idea is to hide a trojan code in the C compiler so that to inject a trojan code in eg. the <tt>login</tt> command code, and another trojan code so that to automatically re-inject itself when the C code is compiled with the infected compiler. |
** The idea is to hide a trojan code in the C compiler so that to inject a trojan code in eg. the <tt>login</tt> command code, and another trojan code so that to automatically re-inject itself when the C code is compiled with the infected compiler. |
||
* [http://cwe.mitre.org/index.html Common Weakness Enumeration] |
|||
* [http://cwe.mitre.org/data/lists/2000.html CWE-2000: Comprehensive CWE Dictionary] |
|||
** [http://cwe.mitre.org/data/definitions/287.html Improper Authentication] |
|||
== PKI == |
== PKI == |
Revision as of 11:10, 16 January 2014
Development
- CWE/SANS TOP 25 Most Dangerous Programming Errors
- Reflections on Trusting Trust How does writing the C compiler in C bear on security issues? Well, it does (Ken Thompson, Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763)
- The idea is to hide a trojan code in the C compiler so that to inject a trojan code in eg. the login command code, and another trojan code so that to automatically re-inject itself when the C code is compiled with the infected compiler.
- Common Weakness Enumeration
- CWE-2000: Comprehensive CWE Dictionary
PKI
On trust model flaw in browser CAs:
- "it will CLEARLY not solve the browser security problem.", "the certifications made by even the best of those CAs are effectively MEANINGLESS" "the users are well trained to ignore EVERY browser warning they EVER get" "the ENTIRE question of OCSP is somewhat irrelevant." "spritzing the SKUNK with eau de cologne." "hanging garlands from the corpses ears."' (Cfr mail A mighty fortress is our PKI, Part II (ventzi nikov, 2010 Jul 29 09:06)
Authentication
- Handbook of Applied Cryptography, chap. 9 and 10.
Definition, objectives, properties...
Definitions
- Secure Boot
- Secure Boot [1] is a security property of a bootstrap architecture ensuring that only configurations of a certain property can be loaded. If a modification is detected, the bootstrap process is interrupted.
- Authenticated Boot
- Authenticated Boot [1] is a security property of a bootstrap architecture ensuring that remote parties can verify properties of the booted configuration.
- Trusted storage
- Trusted storage [1] is storage where confidentiality, integrity, and freshness (i.e., protection against replay attacks) of stored data is provided, and where the integrity of the TOE accessing the data is ensured (in order to prevent other software, such as alternative or modified operating systems, from accessing the data).
- Trusted Channel
- A trusted channel [1] is a channel between two entities that provides integrity, confidentiality, and authenticity of the transmitted data, and ensures integrity and authenticity of the end points.
- Nonce
- A nonce [2] is a value used no more than once for the same purpose. It typically serves to prevent (undetectable) replay
Software
References
- ↑ 1.0 1.1 1.2 1.3 Löhr, H., Sadeghi, A., Stüble, C., Weber, M., Winandy, M.: Modeling Trusted Computing Support in a Protection Profile for High Assurance Security Kernels. In TRUST(2009) 45-62
- ↑ Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography, 1997
- ↑ Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, and Armando Solar-Lezama: Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior. In SOSP(2013)