Message-ID: <20040420175817.GA9236@bunuel.tii.matav.hu>
Date: Tue, 20 Apr 2004 17:58:17 +0000
From: Magosányi Árpád <mag@...uel.tii.matav.hu>
To: kincses zoli <kincses@...sar.elte.hu>
Cc: bugtraq@...urityfocus.com, balsa@...ssnet.hu
Subject: Re: Idea of CAW (Creation of Attack Wood)


My mail client believes that kincses zoli wrote the following:
> there is the attack tree concept of Bruce Schneier:
> http://www.schneier.com/paper-attacktrees-ddj-ft.html
> http://www.counterpane.com/attacktrees.pdf

[]
> i am working on attack tree of smartcards, and i have the
> idea of creating as many as possible attack trees for
> different systems and at the end they can build an Attack Wood
> of IT security...and of course this wood is like the real one,
> where new trees are born or old ones die, boughs are broken
> or outgrown etc.

It is a very good idea. Though one should always be aware
of the fact that there are two cake-slicing problems hidden here
(a cake can be sectioned any way you feel comfortable):
-Your definition of the goal is your definition. I might have
a goal which is very similar to yours, but have some different
aspects.
-Your categorisation of the ways of attacking the problem is your
categorisation. I might even have a widely different categorisation
of the solutions for the same problem.

This means that you might soon find that your wood has more
instances of the same species and variations of the species.

It is not a problem as such, because one can learn a lot by
studying the different attack trees.

I am wondering if there is a benefit of having a standard set
of attack trees, in the way that parts 2 and 3 of the Common
Criteria are standard sets of security functional and assurance
requirements.

> 
> maybe on HEX (http://www.hex2005.org/) we will have the 1.0
> version :-)

Does it mean that we can send you our attack trees for inclusion
in the wood? I have already sent one, and you can expect others.
Where will the webpage of the wood be located?


-- 
GNU GPL: only from a clean source

