Our model enables us to categorize attacks according to which model components get attacked, thus creating a checklist for devs and testers to use to validate the security of their programs.

Attack color code: black = channel; red = isolation; green = security administration (policy).

The host and other things relied upon (e.g. hardware, crypto) work correctly.

- The red arrows show possible attack points on the isolation mechanism that can lead to isolation failures.
- The black arrows show possible attack points that can lead to program failures.

The program knows about all allowed input channels.

It's up to the program to handle all inputs correctly.

Attacks

Both a crypto protocol stack and the guard filter traffic, ruling out some attacks.

The remaining attack points are shown here:

- Packet handling code exposed to all sources
- Crypto stack exposed to most sources
- Packet handling code exposed to crypto-authorized sources
- Guard code exposed to crypto-authorized sources
- Internal app code exposed to sources passed by the guard
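The exposure list above can be derived mechanically from the filtering pipeline: each component is reachable by exactly the sources that survive every filter in front of it. The following is an added example (not part of the original slides); the source attributes, the cumulative predicates and the sample sources are this example's own assumptions.

```python
"""Derive per-component exposure and a review checklist from a filter pipeline.
Added example: component names follow the slide, but the source attributes and
the predicates are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    well_formed: bool         # survives basic packet parsing
    crypto_authorized: bool   # accepted by the crypto protocol stack
    policy_allowed: bool      # accepted by the guard's policy check


# Components in traffic order, each paired with the cumulative condition a
# source must satisfy to deliver input to it (assumed filter semantics).
PIPELINE = [
    ("packet handling code (outer)", lambda s: True),
    ("crypto stack", lambda s: s.well_formed),
    ("packet handling code (inner)", lambda s: s.well_formed and s.crypto_authorized),
    ("guard code", lambda s: s.well_formed and s.crypto_authorized),
    ("internal app code", lambda s: s.well_formed and s.crypto_authorized and s.policy_allowed),
]


def exposure(sources):
    """Map each component to the set of source names that can reach it."""
    return {comp: {s.name for s in sources if reaches(s)} for comp, reaches in PIPELINE}


def attack_surface(source):
    """Dual view: every component a single source can deliver input to."""
    return [comp for comp, reaches in PIPELINE if reaches(source)]


def checklist(sources):
    """One review item per component, stating whose input it must tolerate."""
    return [f"{comp}: must correctly handle input from {sorted(names) or ['nobody']}"
            for comp, names in exposure(sources).items()]


# Constructed sample population of traffic sources (not from the slides).
SAMPLE_SOURCES = [
    Source("internet_stranger", True, False, False),
    Source("garbage_sender", False, False, False),   # sends only malformed packets
    Source("partner_site", True, True, False),       # authenticated, outside policy
    Source("trusted_peer", True, True, True),
]

if __name__ == "__main__":
    print("\n".join(checklist(SAMPLE_SOURCES)))
```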