VULNERABILITIES MEETING
April 12, 1999
4:00 - 4:30pm
3085 ENG II

In attendance:
Matt Bishop (MB), Tuomas Aura (TA) and Todd Heberlein (TH)

  1. Symbolic Links
    1. Indirect aliases - instead of pointing to an inode, it points to another name or inode.
    2. The goal is to formalize symbolic links to see whether eliminating or redefining symbolic links reduces race conditions.

  2. Issues
    1. LPR is written
    2. Symbolic Links vs. Hard Links
      1. If treated as a hard link, would the vulnerabilities be different?
      2. Cannot chain hard links
    3. Symbolic Link - restricting length of chain
      1. What happens if target doesn't exist?
    4. Macintosh model - can't point to a pointer
      1. Could introduce new symbolic link

  3. Comments
    1. TA: The link looks like any other name - is it a file or a name? Is there a way to evaluate attributes?
    2. MB: HPs and Iris symbolic links are different from DECs
    3. The semantics are not well settled; they are inconsistent between systems.
    4. Why would you change ownership of a symbolic link?
    5. TA: You should not be allowed to check permission of a pointer to an inode or the object itself
      1. You need to resolve the name issue
      2. Access to object, permissions, properties
        1. Bind(fd, name)
        2. Open (fd)
      3. Secure bind - not follow any links?
        1. Sbind (fd, name w/o links)
        2. New API
        3. 3-4 attacks involving finger - which systems have which semantics
      4. Are there similar problems in NT?
        1. Macro language
        2. Discuss Melissa virus at next Vulnerabilities meeting - it affected Windows 98, 95, NT and Macs.
        3. IT teaches classes in macro language
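
Added example, not part of the original minutes: one way to realize the "secure bind" idea from comment 5 (Sbind (fd, name w/o links)) on a POSIX system, binding the name to a descriptor once and evaluating attributes on the descriptor. The names sbind and sbind_owned_by are hypothetical; the code assumes openat() and O_NOFOLLOW are available.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical sbind(): bind a name to a descriptor without following a
 * symbolic link in ANY path component. Returns an fd, or -1 with errno set
 * (a symlink component fails; a missing target gives ENOENT). */
int sbind(const char *path, int flags)
{
    char buf[PATH_MAX];
    if (path[0] == '\0') { errno = ENOENT; return -1; }
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    /* Walk from "/" or the current directory, one component at a time. */
    int dirfd = open(buf[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char *save = NULL;
    char *comp = strtok_r(buf, "/", &save);
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        /* Intermediate components must be real directories; the last one
         * takes the caller's flags. O_NOFOLLOW rejects a symlink. */
        int f = next ? (O_RDONLY | O_DIRECTORY) : flags;
        int fd = openat(dirfd, comp, f | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;          /* close() must not clobber the error */
        close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        dirfd = fd;
        comp = next;
    }
    return dirfd;
}

/* Check ownership on the bound object, not on the name: fstat() on the
 * descriptor cannot be redirected by relinking the name afterwards. */
int sbind_owned_by(const char *path, uid_t uid)
{
    struct stat st;
    int fd = sbind(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != uid) { close(fd); errno = EACCES; return -1; }
    return fd;
}
```

The caller keeps using the returned descriptor for every later check and access, so the name is resolved exactly once.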