Message-ID: <599093BB9416BA4F93619FAE038A031A03D33565@exchange.essexcorp.com>
Date: Tue, 19 Jul 2005 09:11:00 -0400
From: "Black, Michael" <black@...exCorp.com>
To: "Crispin Cowan" <crispin@...ell.com>,
"James Longstreet" <jlongs2@....edu>
Cc: "Derek Martin" <code@...zashack.org>, <bugtraq@...urityfocus.com>
Subject: RE: On classifying attacks
You might try re-using the rather large effort that went into the CERT
taxonomy:
http://www.cert.org/research/taxonomy_988667.pdf
You'll note the complete lack of "local" and "remote" in the taxonomy.
The email example of "rm -r /*" being executed would be:

  Attack:
    Tool: Information Exchange
    Vulnerability: Design
    Action: Delete
    Target: Data
    Unauthorized Result: Corruption of Information

Remote exploit of Bind (causing "rm -r /*" to be executed):

  Attack:
    Tool: User Command
    Vulnerability: Design
    Action: Delete
    Target: Data
    Unauthorized Result: Corruption of Information

Remote exploit of Bind (causing a shell to be opened):

  Attack:
    Tool: User Command
    Vulnerability: Design
    Action: Bypass
    Target: Account
    Unauthorized Result: Increased Access
If you really want to stick with "remote" and "local" I think you can
define them thusly:
  Remote -- control/access of resources occurs from outside the
  machine/network
  Local -- control/access of resources occurs on the local machine (i.e.
  no network connection required)
Using this definition the email example is local and both bind examples
are remote. The bind vulnerabilities are completely solved by
unplugging the machines from the network whereas the email machine may
still be vulnerable after being disconnected.
_______________________________
Michael D. Black, MSIA, CISSP, IAM
Information Systems Security Officer
Essex Corporation
black@...excorp.com
-----Original Message-----
From: Crispin Cowan [mailto:crispin@...ell.com]
Sent: Sunday, July 17, 2005 4:59 AM
To: James Longstreet
Cc: Derek Martin; bugtraq@...urityfocus.com
Subject: Re: On classifying attacks
James Longstreet wrote:
> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>
> >> This kind of attack has a name already: it is a trojan horse.
> <snip>
> >> But is this a remote exploit?
>
> No, it's not an exploit at all. Systems are not vulnerable to it
> unless a local user runs an executable. The only thing it exploits
> is trust of email (or similar vector).
But it is a remote *attack*. There is no other word for it than "remote"
when the attacker is not local.
Which is not to say that the distinction Derek raised is invalid; there
certainly is a semantic difference between an attack delivered by an
e-mail, which does nothing until the user reads it or clicks on
something, and a traditional remote attack where the attacker exploits a
flaw in a program that is listening. Such a program typically is a
server (BIND, Apache, Sendmail) but could also be a client (Gaim).
Pushing the boundaries, the program could be a web browser, where the
attack does happen immediately, does not involve a Trojan, but does
still require the user to do something like click a particular URL.
So what we have is a very complicated space full of adjectives:
  * Attack: doing bad stuff to someone else's stuff.
  * Vulnerability: an unfortunate software flaw or configuration that
    enables an attack. It might be very specific, such as a buffer
    overflow vulnerability in a particular program, or it might be
    very general, such as "running Outlook with administrator
    privilege".
  * Exploit: software that automates attacking a vulnerability.
      o *Note:* by this definition, an e-mail virus that leverages
        the common fact that many users run Outlook as administrator
        is in fact an "exploit", even if it is a weak one.
  * Remote: attacker is over there somewhere, usually across some kind
    of network.
  * Local: attacker and victim are connected to the same computer.
      o *Note:* in common parlance, this usually means that the
        attacker must compose a local vulnerability with some other
        vulnerability that will get them a login shell on the
        machine to be attacked, or must be granted legitimate access
        to the machine.
These terms are all commonly used in Bugtraq discussions, and I believe
these definitions follow common usage. Using these terms precisely is
important.
Yet none of them capture the distinction Derek pointed out, and so
perhaps we need a new term. We could say that attacks against connected
programs like BIND and Gaim are "synchronous" and attacks that involve
sending now for impact later such as e-mailed malware are
"asynchronous".
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Director of Software Engineering, Novell http://novell.com