The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Protection Errors in Operating Systems: Validation of Critical Conditions

Jim Carlstedt

This report describes a class of operating system protection errors known as “insufficient validation of critical conditions,” or simply “validation errors,” and outlines a scheme for finding them. This class of errors is recognized as a very broad one, lying outside the scope of the basic protection mechanisms of existing systems; the extent of the problem is illustrated by a set of validation errors taken from current systems. Considerations for validity conditions and their attachment to variables and to various types of control points in procedures are explored, and categories of validation methods noted. The notion of criticality itself is analyzed, and criteria suggested for determining which variables and control points are most critical in the protection sense. Because a search for validation errors can involve substantial information processing, the report references existing or developing tools and techniques applicable to this task.

Added 2002-07-26

On the Use of Software Artifacts to Evaluate the Effectiveness of Mutation Analysis for Detecting Errors in Production Software

Richard A. DeMillo, Aditya P. Mathur

We show how mutation testing can be used to detect simple and complex errors that are often found in production software. We present a classification of the errors of TEX reported by Knuth. Using this classification we show that the simple errors that mutation models do indeed form a significant percentage of the errors found in production software. We introduce the notion of an ‘error revealing’ mutant and show how such mutants, created by simple alterations of the program under test, can expose complex errors. We use the data provided by Knuth to obtain the types of complex errors used in our examples.

Added 2002-07-26

A Survey of Software Fault Surveys

Brian Marick

A number of people have published studies of faults found in software systems. This report summarizes the results of many of those studies.

Added 2002-07-26

Protection Errors in Operating Systems: Allocation/Deallocation Residuals

Dennis Hollingworth, Richard Bisbey

A common security problem is the residual—data or access capability left after the completion of a process and not intended for use outside the context of that process. If the residual becomes accessible to another process, a security error may result. A major source of such residuals is improper or incomplete allocation/deallocation processing. The various types of allocation/deallocation residuals are discussed in terms of their characteristics and the manner in which they occur, and a semiautomatable search strategy for detecting sources of these residuals is presented.

Added 2002-07-26
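The residual described in the abstract above, as an added example (not code from the report or from any real allocator): a tiny fixed-block pool in which a released block is handed to the next caller with its previous contents intact, beside the same pool with deallocation completed by scrubbing. The pool, the "secret", and the two-process story are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK   32
#define NBLOCKS 4

/* Hypothetical fixed-block pool. scrub_on_free selects whether deallocation
   clears the block (1) or merely marks it free, leaving a residual (0). */
struct pool {
    unsigned char mem[NBLOCKS][BLOCK];
    int in_use[NBLOCKS];
    int scrub_on_free;
};

void pool_init(struct pool *p, int scrub_on_free)
{
    memset(p, 0, sizeof *p);
    p->scrub_on_free = scrub_on_free;
}

/* First-fit allocation. Nothing is done to the block's previous contents,
   which is what makes the incomplete deallocation below observable. */
unsigned char *pool_alloc(struct pool *p)
{
    for (int i = 0; i < NBLOCKS; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            return p->mem[i];
        }
    }
    return NULL;
}

void pool_free(struct pool *p, unsigned char *blk)
{
    for (int i = 0; i < NBLOCKS; i++) {
        if (p->mem[i] == blk) {
            if (p->scrub_on_free)
                memset(blk, 0, BLOCK);   /* deallocation ends the data's lifetime too */
            p->in_use[i] = 0;
            return;
        }
    }
}

/* Process A stores a secret, releases its block; process B then receives the
   same block. Returns 1 if B can read A's secret, i.e. a residual exists. */
int residual_visible(int scrub_on_free)
{
    static const char secret[] = "session-key-0123456789";  /* constructed sample */
    struct pool p;
    pool_init(&p, scrub_on_free);

    unsigned char *a = pool_alloc(&p);
    memcpy(a, secret, sizeof secret);
    pool_free(&p, a);

    unsigned char *b = pool_alloc(&p);       /* first-fit returns A's old block */
    return memcmp(b, secret, sizeof secret) == 0;
}

int main(void)
{
    printf("without scrub on free: residual visible = %d\n", residual_visible(0));
    printf("with scrub on free:    residual visible = %d\n", residual_visible(1));
    return 0;
}
```

The same pattern applies to any resource whose deallocation path only updates bookkeeping: the check a reviewer wants is that every release path clears or revokes what the allocation path handed out.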

Protection Errors in Operating Systems: Serialization

Jim Carlstedt

This document describes a class of protection errors found in current computer operating systems. It is intended (1) for persons responsible for improving the security aspects of existing operating system software and (2) for designers and students of operating systems. The purpose is to help protection evaluators find such errors in current systems and to help designers and implementers avoid them in future systems, through analysis and a methodical approach.

This report deals with a class of errors, initially identified empirically, that formed itself around a group of protection errors (within a larger collection) having the common characteristic of involving operations or accesses occurring in the wrong order or at the wrong times; hence the name “serialization”. In its broadest sense, it includes a large proportion of all programming errors which involve improper order or scheduling, and, in a narrower sense, includes only those errors resulting from improper ordering of accesses to objects accessible by potentially concurrent operations.

This study is neither a full analysis of the subject of the ordering of operations nor only a discussion of process synchronization, but rather an attempt to give perspective to several closely-related subclasses of problems in this area.

Added 2002-07-26

Kerberos: An Authentication Service for Open Network Systems

Jennifer G. Steiner, Clifford Neuman, Jeffrey I. Schiller

In an open network computing environment, a workstation cannot be trusted to identify its users correctly to network services. Kerberos provides an alternative approach whereby a trusted third-party authentication service is used to verify users’ identities. This paper gives an overview of the Kerberos authentication model as implemented for MIT’s Project Athena. It describes the protocols used by clients, servers, and Kerberos to achieve authentication. It also describes the management and replication of the database required. The views of Kerberos as seen by the user, programmer, and administrator are described. We describe the addition of Kerberos authentication to the Sun Network File System as a case study for integrating Kerberos with an existing application.

Added 2002-07-26

A Penetration Analysis of the Michigan Terminal System

B. Hebbard, P. Grosso, T. Baldridge, C. Chan, D. Fishman, P. Goshgarian, T. Hilton, J. Hoshen, K. Hoult, G. Huntley, M. Stolarchuk, L. Warner

The successful penetration testing of a major time-sharing operating system is described. The educational value of such a project is stressed, and principles of methodology and team organization are discussed as well as the technical conclusions from the study.

Added 2002-07-26

Security Analysis and Enhancements of Computer Operating Systems

R. P. Abbott, J. S. Chin, J. E. Donnelley, W. L. Konigsford, S. Tokubo, D. A. Webb

The protection of computer resources, data of value, and individual privacy has motivated a concern for security of EDP installations, especially of the operating systems. In this report, three commercial operating systems are analyzed and security enhancements suggested. Because of the similarity of operating systems and their security problems, specific security flaws are formally classified according to a taxonomy developed here. This classification leads to a clearer understanding of security flaws and aids in analyzing new systems. The discussions of security flaws and the security enhancements offer a starting reference for planning a security investigation of an EDP installation’s operating system.

Added 2002-07-26


Protection Errors in Operating Systems: Inconsistency of a Single Data Value Over Time

Richard Bisbey II, Gerald Popek, Jim Carlstedt

This report describes a pattern-based approach for finding a general class of computer operating system errors characterized by the inconsistency of a data value between pairs of references. A formal description of the error class is given, both as a protection policy being enforced and as a violation of that policy, i.e., an error statement. A particular subclass of the general error class is then examined, i.e., those errors in which the data type is a parameter. A formal specification of a procedure for finding instances of the subclass is given with examples of errors found using the procedure.

Added 2002-07-26
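The error class in the abstract above (a data value that differs between two references) and the narrower serialization errors of the Carlstedt report earlier on this page (accesses to a shared object in the wrong order relative to a concurrent operation) meet in one familiar shape: a caller-controlled length that is validated at its first reference and re-read at its second. The following is an added example, not code from either report; the request structure, the hook standing in for the concurrent writer, and the 16-byte limit are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LEN 64

/* Hypothetical request living in memory the caller can still write to
   while the callee is processing it (e.g. a user-space buffer). */
struct request {
    size_t len;                      /* length claimed by the caller */
    unsigned char data[MAX_LEN];
};

/* Stand-in for the concurrent operation that runs between the two references. */
typedef void (*race_hook_t)(struct request *);

/* Vulnerable: req->len is referenced twice, validated only at the first.
   Returns the number of bytes copied, or -1 if the check rejected the request. */
long copy_request_vulnerable(struct request *req, unsigned char *out,
                             size_t out_cap, race_hook_t hook)
{
    if (req->len > out_cap)          /* reference 1: the check */
        return -1;
    if (hook)
        hook(req);                   /* window in which another operation rewrites len */
    memcpy(out, req->data, req->len);/* reference 2: re-read, no longer bounded by the check */
    return (long)req->len;
}

/* Hardened: the value is fetched once and every later use refers to that copy,
   so the two references can no longer disagree. */
long copy_request_fixed(struct request *req, unsigned char *out,
                        size_t out_cap, race_hook_t hook)
{
    size_t len = req->len;           /* single reference */
    if (len > out_cap)
        return -1;
    if (hook)
        hook(req);                   /* the race still happens, but is now harmless */
    memcpy(out, req->data, len);
    return (long)len;
}

/* Constructed concurrent writer: grows the claimed length after the check. */
static void grow_len(struct request *req)
{
    req->len = MAX_LEN;
}

/* Runs both versions against a request claiming 8 bytes under a 16-byte limit.
   Returns the vulnerable path's byte count; the fixed path's count goes to *fixed_n.
   out is sized MAX_LEN so the demonstration itself stays memory-safe even though
   the vulnerable path copies past the declared 16-byte limit. */
long demo(long *fixed_n)
{
    struct request req;
    unsigned char out[MAX_LEN];
    memset(&req, 0, sizeof req);
    memset(req.data, 'A', MAX_LEN);

    req.len = 8;
    long vulnerable_n = copy_request_vulnerable(&req, out, 16, grow_len);

    req.len = 8;
    *fixed_n = copy_request_fixed(&req, out, 16, grow_len);
    return vulnerable_n;
}

/* A length that is already too large at the check is rejected by both versions;
   the defect is only the inconsistency between the two references. */
int demo_oversize_rejected(void)
{
    struct request req;
    unsigned char out[MAX_LEN];
    memset(&req, 0, sizeof req);
    req.len = MAX_LEN;
    return copy_request_vulnerable(&req, out, 16, NULL) == -1 &&
           copy_request_fixed(&req, out, 16, NULL) == -1;
}

int main(void)
{
    long fixed_n = 0;
    long vulnerable_n = demo(&fixed_n);
    printf("vulnerable copied %ld bytes against a limit of 16\n", vulnerable_n);
    printf("fixed copied %ld bytes\n", fixed_n);
    return 0;
}
```

The pattern-based search the abstract describes amounts to finding pairs of references to the same caller-writable value with no intervening copy; the fix is the one shown, a single snapshot on which both the check and the use operate.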

Security Problems with the UNIX Operating System

Matt Bishop

As the UNIX operating system becomes more widely used, considerations of operating system security and data integrity become more important. Unfortunately, UNIX has deficiencies in this regard. This note describes several ways of violating the protection mechanisms provided by UNIX, and where appropriate suggests solutions.

Added 2002-07-26


Femtosecond Direct Space-to-Time Pulse Shaping

CERIAS TR 2001-24
D. E. Leaird and A. M. Weiner
Added 2002-07-26

Generation of High-Repetition-Rate WDM Pulse Trains from an Arrayed-Waveguide Grating

CERIAS TR 2001-29
D. E. Leaird, S. Shen, A. M. Weiner, A. Sugita, S. Kamei, M. Ishii, K. Okamoto
Added 2002-07-26