lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 17 Jul 2005 01:58:40 -0700
From: Crispin Cowan <crispin@...ell.com>
To: James Longstreet <jlongs2@....edu>
Cc: Derek Martin <code@...zashack.org>, bugtraq@...urityfocus.com
Subject: Re: On classifying attacks


James Longstreet wrote:
> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>
> >> This kind of attack has a name already: it is a trojan horse.
> <snip>
> >> But is this a remote exploit?
>
> No, it's not an exploit at all.  Systems are not vulnerable to it 
> unless a local user runs an executable.  The only thing it exploits 
> is trust of email (or similar vector).
But it is a remote *attack*. There is no other word for it than "remote"
when the attacker is not local.

Which is not to say that the distinction Derek raised is invalid; there
certainly is a semantic difference between an attack delivered by an
e-mail, which does nothing until the user reads it or clicks on
something, and a traditional remote attack where the attacker exploits a
flaw in a program that is listening. Such a program typically is a
server (BIND, Apache, Sendmail) but could also be a client (Gaim).
Pushing the boundaries, the program could be a web browser, where the
attack does happen immediately, does not involve a Trojan, but does
still require the user to do something like click a particular URL.

So what we have is a very complicated space full of adjectives:

    * Attack: doing bad stuff to someone else's stuff.
    * Vulnerability: an unfortunate software flaw or configuration that
      enables an attack. It might be very specific, such as a buffer
      overflow vulnerability in a particular program, or it might be
      very general, such as "running Outlook with administrator privilege".
    * Exploit: software that automates attacking a vulnerability.
          o *Note:* by this definition, an e-mail virus that leverages
            the common fact that many users run Outlook as administrator
            is in fact an "exploit", even if it is a weak one.
    * Remote: attacker is over there somewhere, usually across some kind
      of network.
    * Local: attacker and victim are connected to the same computer.
          o *Note:* in common parlance, this usually means that the
            attacker must compose a local vulnerability with some other
            vulnerability that will get them a login shell on the
            machine to be attacked, or must be granted legitimate access
            to the machine.

These terms are all commonly used in Bugtraq discussions, and I believe
these definitions follow common usage. Using these terms precisely is
important.

Yet none of them capture the distinction Derek pointed out, and so
perhaps we need a new term. We could say that attacks against connected
programs like BIND and Gaim are "synchronous" and attacks that involve
sending now for impact later such as e-mailed malware are "asynchronous".

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ