DOCSLIB.ORG

The CLASP Application Security Process

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

The CLASP Application Security Process Secure Software, Inc. Copyright (c) 2005, Secure Software, Inc. The CLASP Application Security Process The CLASP Application Security Process TABLE OF CONTENTS CHAPTER 1 Introduction 1 CLASP Status 4 An Activity-Centric Approach 4 The CLASP Implementation Guide 5 The Root-Cause Database 6 Supporting Material 7 CHAPTER 2 Implementation Guide 9 The CLASP Activities 11 Institute security awareness program 11 Monitor security metrics 12 Specify operational environment 13 Identify global security policy 14 Identify resources and trust boundaries 15 Identify user roles and resource capabilities 16 Document security-relevant requirements 17 Detail misuse cases 18 Identify attack surface 19 Apply security principles to design 20 Research and assess security posture of technology solutions 21 Annotate class designs with security properties 22 Specify database security configuration 23 Perform security analysis of system requirements and design (threat modeling) 24 Integrate security analysis into source management process 25 Implement interface contracts 26 Implement and elaborate resource policies and security technologies 27 Address reported security issues 28 Perform source-level security review 29 Identify, implement and perform security tests 30 The CLASP Application Security Process i Verify security attributes of resources 31 Perform code signing 32 Build operational security guide 33 Manage security issue disclosure process 34 Developing a Process Engineering Plan 35 Business objectives 35 Process milestones 35 Process evaluation criteria 35 Form the Process Engineering Team 36 Sample Roadmaps 38 “Green Field” Roadmap 39 Legacy Roadmap 40 CHAPTER 3 Role-based Overviews 41 Project Manager 41 Requirements Specifier 42 Architect 43 Designer 43 Implementor 44 Test Analyst 45 Security Auditor 45 CHAPTER 4 Activities 47 Institute security awareness program 47 Provide security training to all team members 47 Promote awareness of the local security setting 48 Institute accountability for security issues 48 Appoint a project security officer 49 Institute rewards for handling of security issues 50 Monitor security metrics 50 Identify metrics to collect 50 Identify how metrics will be used 53 Institute data collection and reporting strategy 54 Periodically collect and evaluate metrics 55 Specify operational environment 55 ii The CLASP Application Security Process Identify requirements and assumptions related to individual hosts 56 Identify requirements and assumptions related to network architecture 57 Identify global security policy 57 Build a global project security policy, if necessary 57 Determine suitability of global requirements to project 58 Identify resources and trust boundaries 59 Identify network-level design 59 Identify data resources 60 Identify user roles and resource capabilities 61 Identify distinct capabilities 61 Map system roles to capabilities 61 Identify the attacker profile (attacker roles and resources) 62 Document security-relevant requirements 63 Document explicit business requirements 64 Develop functional security requirements 64 Explicitly label requirements that denote dependencies 66 Determine risk mitigations (compensating controls) for each resource 67 Resolve deficiencies and conflicts between requirement sets 68 Detail misuse cases 69 Identify misuse cases 69 Describe misuse cases 70 Identify defense mechanisms for misuse cases 70 Evaluate results with stakeholders 70 Identify attack surface 71 Identify system entry points 71 Map roles to entry points 72 Map resources to entry points 72 Apply security principles to design 72 Refine existing application security profile 72 Determine implementation strategy for security services 73 Build hardened protocol specifications 74 Design hardened interfaces 75 Research and assess security posture of technology solutions 75 Get structured technology assessment from vendor 75 Perform security risk assessment 76 The CLASP Application Security Process iii Receive permission to perform security testing of software 76 Perform security testing 77 Annotate class designs with security properties 77 Map data elements to resources and capabilities 77 Annotate fields with policy information 78 Annotate methods with policy data 78 Specify database security configuration 79 Identify candidate configuration 79 Validate configuration 79 Perform security analysis of system requirements and design (threat modeling) 80 Develop an understanding of the system 80 Determine and validate security-relevant assumptions 80 Identify threats on assets/capabilities 82 Determine level of risk 83 Identify compensating controls 85 Evaluate findings 85 Integrate security analysis into source management process 86 Select analysis technology or technologies 86 Determine analysis integration point 86 Integrate analysis technology 87 Implement interface contracts 88 Implement validation and error handling on function or method inputs 88 Implement validation on function or method outputs 89 Implement and elaborate resource policies and security technologies 89 Review specified behavior 89 Implement specification 89 Address reported security issues 90 Assign issue to investigator 90 Assess likely exposure and impact 90 Determine and execute remediation strategies 91 Validation of remediation 91 Perform source-level security review 92 Scope the engagement 92 Run automated analysis tools 93 Evaluate tool results 93 iv The CLASP Application Security Process Identify additional risks 93 Identify, implement and perform security tests 94 Identify security tests for individual requirements 94 Identify resource-driven security tests 95 Identify other relevant security tests 95 Implement test plan 95 Execute security tests 95 Verify security attributes of resources 96 Check permissions on all static resources 96 Profile resource usage in the operational context 96 Perform code signing 97 Obtain code signing credentials 97 Identify signing targets 97 Sign identified targets 97 Build operational security guide 98 Document pre-install configuration requirements 98 Document application activity 98 Document the security architecture 98 Document security configuration mechanisms 98 Document significant risks and known compensating controls 99 Manage security issue disclosure process 99 Provide means of communication for security issues 99 Acknowledge receipt of vulnerability disclosures 100 Address the issue internally 101 Communicate relevant information to the researcher 101 Provide a security advisory and customer access to remediation 102 CHAPTER 5 Vulnerability Root-Causes 103 Preliminaries 105 Problem types 105 Consequences 106 Exposure period 106 Other recorded information 107 Range and type errors 108 Buffer overflow 108 “Write-what-where” condition 110 Stack overflow 113 The CLASP Application Security Process v Heap overflow 115 Buffer underwrite 117 Wrap-around error 118 Integer overflow 120 Integer coercion error 122 Truncation error 124 Sign extension error 126 Signed to unsigned conversion error 127 Unsigned to signed conversion error 130 Unchecked array indexing 132 Miscalculated null termination 133 Improper string length checking 135 Covert storage channel 138 Failure to account for default case in switch 139 Null-pointer dereference 141 Using freed memory 143 Doubly freeing memory 145 Invoking untrusted mobile code 147 Cross-site scripting 148 Format string problem 149 Injection problem (‘data’ used as something else) 151 Command injection 153 SQL injection 155 Deserialization of untrusted data 158 Environmental problems 160 Reliance on data layout 160 Relative path library search 161 Relying on package-level scope 163 Insufficient entropy in PRNG 164 Failure of TRNG 165 Publicizing of private data when using inner classes 167 Trust of system event data 168 Resource exhaustion (file descriptor, disk space, sockets, ...) 169 Information leak through class cloning 172 Information leak through serialization 174 Overflow of static internal buffer 175 Synchronization and timing errors 176 State synchronization error 176 Covert timing channel 178 Symbolic name not mapping to correct object 180 Time of check, time of use race condition 181 vi The CLASP Application Security Process Comparing classes by name 183 Race condition in switch 184 Race condition in signal handler 186 Unsafe function call from a signal handler 188 Failure to drop privileges when reasonable 190 Race condition in checking for certificate revocation 192 Mutable objects passed by reference 193 Passing mutable objects to an untrusted method 195 Accidental leaking of sensitive information through error messages 196 Accidental leaking of sensitive information through sent data 198 Accidental leaking of sensitive information through data queries 199 Race condition within a thread 200 Reflection attack in an auth protocol 202 Capture-replay 204 Protocol errors 206 Failure to follow chain of trust in certificate validation 206 Key exchange without entity authentication 208 Failure to validate host-specific certificate data 209 Failure to validate certificate expiration 211 Failure to check for certificate revocation 212 Failure to encrypt data 213 Failure to add integrity check value 215 Failure to check integrity check value 217 Use of hard-coded password 219 Use of hard-coded cryptographic key 221 Storing passwords in a recoverable format 223 Trusting self-reported IP address 225 Trusting self-reported DNS name 226 Using referrer field for authentication 228 Using a broken or risky cryptographic
Recommended publications
  • 16-Channel DAS with 16-Bit, Bipolar Input, Dual Simultaneous Sampling

    16-Channel DAS with 16-Bit, Bipolar Input, Dual Simultaneous Sampling

    16-Channel DAS with 16-Bit, Bipolar Input, Dual Simultaneous Sampling ADC Data Sheet AD7616 FEATURES APPLICATIONS 16-channel, dual, simultaneously sampled inputs Power line monitoring Independently selectable channel input ranges Protective relays True bipolar: ±10 V, ±5 V, ±2.5 V Multiphase motor control Single 5 V analog supply and 2.3 V to 3.6 V VDRIVE supply Instrumentation and control systems Fully integrated data acquisition solution Data acquisition systems (DASs) Analog input clamp protection GENERAL DESCRIPTION Input buffer with 1 MΩ analog input impedance First-order antialiasing analog filter The AD7616 is a 16-bit, DAS that supports dual simultaneous On-chip accurate reference and reference buffer sampling of 16 channels. The AD7616 operates from a single 5 V Dual 16-bit successive approximation register (SAR) ADC supply and can accommodate ±10 V, ±5 V, and ±2.5 V true bipolar Throughput rate: 2 × 1 MSPS input signals while sampling at throughput rates up to 1 MSPS Oversampling capability with digital filter per channel pair with 90.5 dB SNR. Higher SNR performance can Flexible sequencer with burst mode be achieved with the on-chip oversampling mode (92 dB for an Flexible parallel/serial interface oversampling ratio (OSR) of 2). SPI/QSPI/MICROWIRE/DSP compatible The input clamp protection circuitry can tolerate voltages up to Optional cyclic redundancy check (CRC) error checking ±21 V. T h e AD7616 has 1 MΩ analog input impedance, regardless Hardware/software configuration of sampling frequency. The single-supply operation, on-chip Performance filtering, and high input impedance eliminate the need for 92 dB SNR at 500 kSPS (2× oversampling) driver op amps and external bipolar supplies.
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
  • How to Analyze the Cyber Threat from Drones

    How to Analyze the Cyber Threat from Drones

    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
  • IS 13737 (1993): Isoinformation Technology

    IS 13737 (1993): Isoinformation Technology

    इंटरनेट मानक Disclosure to Promote the Right To Information Whereas the Parliament of India has set out to provide a practical regime of right to information for citizens to secure access to information under the control of public authorities, in order to promote transparency and accountability in the working of every public authority, and whereas the attached publication of the Bureau of Indian Standards is of particular interest to the public, particularly disadvantaged communities and those engaged in the pursuit of education and knowledge, the attached public safety standard is made available to promote the timely dissemination of this information in an accurate manner to the public. “जान का अधकार, जी का अधकार” “परा को छोड न 5 तरफ” Mazdoor Kisan Shakti Sangathan Jawaharlal Nehru “The Right to Information, The Right to Live” “Step Out From the Old to the New” IS 13737 (1993): ISOInformation Technology - 130 mm Rewritable optical disk cartridges for information interchange [LITD 16: Computer Hardware, Peripherals and Identification Cards] “ान $ एक न भारत का नमण” Satyanarayan Gangaram Pitroda “Invent a New India Using Knowledge” “ान एक ऐसा खजाना > जो कभी चराया नह जा सकताह ै”ै Bhartṛhari—Nītiśatakam “Knowledge is such a treasure which cannot be stolen” IS 13737 : 1993 ISO/IEC 10089 : 1991 CONTENTS Page NationalForeword..........,..........................................‘.““““’ . (vii) 1 Scope 1 2 Conformance 1 3 Normative references 1 4 Conventions and notations 1 5 List of acronyms 2 6 Definitions 2 2 6. I case 2 6.2 Clamping Zone 6.3
  • Cybersecurity Guide: Hackers and Defenders Harness Design and Machine Learning

    Cybersecurity Guide: Hackers and Defenders Harness Design and Machine Learning

    Cybersecurity Guide: HACKERS AND DEFENDERS HARNESS DESIGN AND MACHINE LEARNING CYBERSECURITY GUIDE: HACKERS AND DEFENDERS HARNESS DESIGN AND MACHINE LEARNING TABLE OF CONTENTS 3 INTRODUCTION 4 SECTION 1 THE SITUATION REPORT 9 SECTION 2 THINK LIKE DA VINCI: MORE ART IS NEEDED IN THE SCIENCE OF CYBERSECURITY 16 SECTION 3 THROUGH THE LOOKING GLASS: MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE 21 ENDNOTES PAGE 2 CYBERSECURITY GUIDE: HACKERS AND DEFENDERS HARNESS DESIGN AND MACHINE LEARNING Across the globe, lives and livelihoods are increasingly For information-security professionals, successfully moving online, physical and digital worlds are beginning to defending against the fire hose of now-nonstop online overlap, and digital currencies with no real-world equivalent attacks are both the stuff of nightmares and the reason to can buy real-world goods and services. Artificial intelligence get out of bed in the morning. Who’s winning — the is powering autonomous vehicle decision-making,1 finding attackers or the defenders? new drug candidates2 daily and personalizing lessons3 to help students learn. At the same time, doctors are Given the daily drumbeat of successful intrusions that often performing life-saving surgeries on the other side of the cripple companies’ operations and erase millions of dollars in globe via the internet4 and robot proxies while networked stock value,5 it’s hard to tell. sensors shake up industries from power generation to public transit. Every year, the list of industries being disrupted by To bring the current and future landscape of cybersecurity sensors, smart machines, and microprocessors expand. into focus, HP conferred with leading experts in the field to create this comprehensive, up-to-date guide.
  • 1. Background This Paper Is About a Method for Recovering Data from Floppy Disks That Are Failing Due to “Weak Bits”

    1. Background This Paper Is About a Method for Recovering Data from Floppy Disks That Are Failing Due to “Weak Bits”

    A Method for Recovering Data From Failing Floppy Disks with a Practical Example Dr. Frederick B. Cohen, Ph.D. and Charles M. Preston Fred Cohen & Associates and California Sciences Institute Abstract: As floppy disks and other similar media age, they have a tendency to lose data because of the reduction in retention of electromagnetic fields over time associated with various environmental degradation factors. In attempting to read these disks, the coding techniques used to write them can be exploited along with the proposed fault mechanisms to demonstrate that repetitions of read attempts under proper conditions yield valid data subject to specific error modes. In many cases those errors can be partially or completely reversed by analysis of read results. A practical example involving a case of substantial legal value is used as an example of the application of these methods. Keywords: weak bits, floppy disks, digital forensics, coding, field density loss, the birthday problem, error inversion 1. Background This paper is about a method for recovering data from floppy disks that are failing due to “weak bits”. It describes a repetitive read technique that has successfully recovered data from failing floppy disks in forensic cases and describes analysis of the results of such repetitive reads in terms of yielding forensically sound data values. These techniques are not new or particularly unique; however, they are not widely published and analysis necessary to support their use in legal matters has not been found elsewhere. The particular matter used as an example in this analysis involved a floppy disk that was more than 15 years old and that contained the only copy of a binary assembled version of a software program that was subject to intellectual property claims of sufficient value to warrant recovery beyond the means normally used by commercial recovery firms.
  • Threats and Vulnerabilities in Federation Protocols and Products

    Threats and Vulnerabilities in Federation Protocols and Products

    Threats and Vulnerabilities in Federation Protocols and Products Teemu Kääriäinen, CSSLP / Nixu Corporation OWASP Helsinki Chapter Meeting #30 October 11, 2016 Contents • Federation Protocols: OpenID Connect and SAML 2.0 – Basic flows, comparison between the protocols • OAuth 2.0 and OpenID Connect Vulnerabilities and Best Practices – Background for OAuth 2.0 security criticism, vulnerabilities related discussion and publicly disclosed vulnerabilities, best practices, JWT, authorization bypass vulnerabilities, mobile application integration. • SAML 2.0 Vulnerabilities and Best Practices – Best practices, publicly disclosed vulnerabilities • OWASP Top Ten in Access management solutions – Focus on Java deserialization vulnerabilites in different commercial and open source access management products • Forgerock OpenAM, Gluu, CAS, PingFederate 7.3.0 Admin UI, Oracle ADF (Oracle Identity Manager) Federation Protocols: OpenID Connect and SAML 2.0 • OpenID Connect is an emerging technology built on OAuth 2.0 that enables relying parties to verify the identity of an end-user in an interoperable and REST-like manner. • OpenID Connect is not just about authentication. It is also about authorization, delegation and API access management. • Reasons for services to start using OpenID Connect: – Ease of integration. – Ability to integrate client applications running on different platforms: single-page app, web, backend, mobile, IoT. – Allowing 3rd party integrations in a secure, interoperable and scalable manner. • OpenID Connect is proven to be secure and mature technology: – Solves many of the security issues that have been an issue with OAuth 2.0. • OpenID Connect and OAuth 2.0 are used frequently in social login scenarios: – E.g. Google and Microsoft Account are OpenID Connect Identity Providers. Facebook is an OAuth 2.0 authorization server.
  • Fuzzing with Code Fragments

    Fuzzing with Code Fragments

    Fuzzing with Code Fragments Christian Holler Kim Herzig Andreas Zeller Mozilla Corporation∗ Saarland University Saarland University [email protected] [email protected] [email protected] Abstract JavaScript interpreter must follow the syntactic rules of JavaScript. Otherwise, the JavaScript interpreter will re- Fuzz testing is an automated technique providing random ject the input as invalid, and effectively restrict the test- data as input to a software system in the hope to expose ing to its lexical and syntactic analysis, never reaching a vulnerability. In order to be effective, the fuzzed input areas like code transformation, in-time compilation, or must be common enough to pass elementary consistency actual execution. To address this issue, fuzzing frame- checks; a JavaScript interpreter, for instance, would only works include strategies to model the structure of the de- accept a semantically valid program. On the other hand, sired input data; for fuzz testing a JavaScript interpreter, the fuzzed input must be uncommon enough to trigger this would require a built-in JavaScript grammar. exceptional behavior, such as a crash of the interpreter. Surprisingly, the number of fuzzing frameworks that The LangFuzz approach resolves this conflict by using generate test inputs on grammar basis is very limited [7, a grammar to randomly generate valid programs; the 17, 22]. For JavaScript, jsfunfuzz [17] is amongst the code fragments, however, partially stem from programs most popular fuzzing tools, having discovered more that known to have caused invalid behavior before. LangFuzz 1,000 defects in the Mozilla JavaScript engine. jsfunfuzz is an effective tool for security testing: Applied on the is effective because it is hardcoded to target a specific Mozilla JavaScript interpreter, it discovered a total of interpreter making use of specific knowledge about past 105 new severe vulnerabilities within three months of and common vulnerabilities.
  • Secure by Design, Secure by Default: Requirements and Guidance

    Secure by Design, Secure by Default: Requirements and Guidance

    Biometrics and Surveillance Camera Commissioner Secure by Design, Secure by Default Video Surveillance Products Introduction This guidance is for any organisation manufacturing Video Surveillance Systems (VSS), or manufacturing or assembling components intended to be utilised as part of a VSS. It is intended to layout the Biometrics and Surveillance Camera Commissioners (BSCC) minimum requirements to ensure such systems are designed and manufactured in a manner that assures they are Secure by Design. It also contains certain component requirements that will ensure a configuration that is Secure by Default when the component is shipped, thereby making it more likely that the system will be installed and left in a secure state. This guidance forms part of a wider suite of documentation being developed as part of the SCC Strategy, in support of the SCC Code of Practice. Background and Context The nature of the Internet means that connected devices can be subjected to a cyber attack from anywhere in the world. Widespread attacks on connected products is a current and real threat, and a number of highly publicised attacks have already occurred. The Mirai malware targeted devices such as internet-enabled cameras (IP cameras). Mirai was successful because it exploited the use of common default credentials (such as a username and password being set by the manufacturer as ‘admin’) and poor security configuration of devices. Ultimately, this facilitated attacks on a range of commercial and social media services and included an outage of streaming services such as Netflix. An evolution of Mirai, called Reaper, has also been discovered. Reaper used publicly and easily available exploits that remained unfixed (patched) and highlighted the problem around non patching of known security vulnerabilities, allowing attackers to utilise them to cause harm.
  • A Home User's Security Checklist for Windows

    A Home User's Security Checklist for Windows

    A Home User’s Security Checklist for Windows Andreas Lindqvist Stefan Pettersson Linköpings universitet, Sweden Email: {andli299, stepe955}@student.liu.se Checklists like this are quite powerful because of the Abstract ability to decide which items to include, the level of The user and her desktop are widely held to be one of knowledge required and which knowledge is provided the weaker links in the security chain. By letting the user via the text and links, all depending on the audience. secure their own workstation by following a set of steps The updated version of the checklist [2] was then used put forth in a checklist it could be possible to cover both to evaluate the security settings of at least ten Internet problems at the same time. An already existing checklist users (family and friends). This can be found in was revised to become more concise. Twelve users took Appendix B. this checklist concerning the security posture of them and 2.1 The revised checklist their workstations. It turned out that the majority of users largely used the default settings provided by the operating One impression we got from reading the old checklist system. This is also an obvious trend at Microsoft, to make was that it was too big and hence the first goal became to the default settings secure. It is reasonable to believe that shrink it without losing relevance. With the vision of a this will be even truer in Windows Vista. Checklists are more user-friendly list the number of items was especially good as inspiration for interested users seeking decreased from the original checklist’s 40 items and to increase their knowledge on the subject.
  • Floppy Disc Controller Instruction Manual

    Floppy Disc Controller Instruction Manual

    Part Number 2120-0067 OQ419 FLOPPY DISC CONTROLLER INSTRUCTION MANUAL March 1985 DISTRIBUTED LOGIC CORPORATION 1555 S. Sinclair Street P.O. Box 6270 ~R Anaheim, California 92806 I nmmI Telephone: (714) 937·5700 Telex: 6836051 Contents SECTION 1 - GENERAL INFORMATION 1.1 INTRODUCTION 1 1.2 GENERAL DESCRIPTION 2 1.3 COMPATIBILITY 2 1.4 LOGICAL TRACK FORMAT 3 1.4.1 Sector Header Field 3 1.4.2 Data Field 5 1.4.3 CRC - Cyclic Redundancy Check 5 1.5 RECORDING SCHEME 6 1.6 SPECIFICATIONS 6 SECTION 2 - INSTALLATION 2.1 CONTROLLER JUMPER CONFIGURATIONS 7 2.1.1 Device and Vector Address Selection 8 2.1.2 Device Interrupt Priority 9 2.1.3 Bootstrap 10 2.1.4 Wri te Precompensati on 10 2.1.5 Write Current Control 11 2.1.6 Drive Step Rate 11 2.2 DRIVE CONFIGURATIONS 11 2.3 CABLING 19 2.4 CONTROLLER INSTALLATION 21 2.5 INITIAL CHECKOUT 21 SECTION 3 - OPERATION 3.1 GENERAL INFORHATION 23 3.2 BOOTSTRAPPING 23 3.3 FORMATTING 24 3.4 FILL/WRITE OPERATION 25 3.5 READ/EMPTY OPERATION 27 3.6 OPERATION USING RT-ll 27 SECTION 4 - PROGRAMMING 4.1 GENERAL INFORMATION 29 4.2 COMMAND AND STATUS REGISTER - RXVCS (177170) 30 4.3 DATA BUFFER (177172) 31 4.3.1 Data Buffer Register (RXVDB) 32 4.3.2 Trace Address Register (RXVTA) 32 4.3.3 Sector Address Register (RXVSA) 32 4.3.4 Word Count Register (RXVWC) 32 4.3.5 Bus Address Register (RXVBA) 33 4.3.6 Error and Status Register (RXVES) 33 4.3.7 Bus Address Extension Register (RXVBAE) 35 i i ; 4.4 EXTENDED STATUS REGISTERS 35 4.5 COMMAND PROTOCOL 36 4.5.1 Fill Buffer (000) 36 4.5.2 Empty Buffer (001) 37 4.5.3 Write Buffer
  • High Performance Table-Based Algorithm for Pipelined CRC Calculation

    High Performance Table-Based Algorithm for Pipelined CRC Calculation

    High Performance Table-Based Algorithm for Pipelined CRC Calculation Yan Sun and Min Sik Kim School of Electrical Engineering and Computer Science Washington State University Pullman, Washington 99164-2752, U.S.A. Email: fysun,[email protected] Abstract—In this paper, we present a fast cyclic redun- for message length detection of variable-length message dancy check (CRC) algorithm that performs CRC compu- communications [4], [5]. tation for an arbitrary length of message in parallel. For a Communication networks use protocols with ever in- given message with any length, the algorithm first chunks the message into blocks, each of which has a fixed size equal creasing demands on speed. The increasing performance to the degree of the generator polynomial. Then it computes needs can be fulfilled by using ASICs (Application Spe- CRC for the chunked blocks in parallel using lookup tables, cific Integrated Circuits) and this will probably also be and the results are combined together with XOR operations. the case in the future. Meeting the speed requirement In the traditional implementation, it is the feedback that is crucial because packets will be dropped if processing makes pipelining problematic. In the proposed algorithm, we solve this problem by taking advantage of CRC’s properties is not completed at wire speed. Recently, protocols for and pipelining the feedback loop. The short pipeline latency high throughput have emerged, such as IEEE 802.11n of our algorithm enables a faster clock frequency than WLAN and UWB (Ultra Wide Band), and new protocols previous approaches, and it also allows easy scaling of the with even higher throughput requirement are on the way.