lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <42E8986A.3010608@novell.com>
Date: Thu, 28 Jul 2005 01:33:46 -0700
From: Crispin Cowan <crispin@...ell.com>
To: "Black, Michael" <black@...exCorp.com>
Cc: Technica Forensis <forensis.technica@...il.com>,
	James Longstreet <jlongs2@....edu>,
	Derek Martin <code@...zashack.org>, bugtraq@...urityfocus.com
Subject: Re: On classifying attacks


Black, Michael wrote:
> Perhaps the current popularity of remote/local terms comes from the
> Lincoln Labs studies done in 1998:
> http://www.usenix.org/events/sec99/full_papers/ghosh/ghosh_html/
>
> Attacks were divided into four categories:
> 	denial of service
> 	probing/surveillance
> 	remote to local
> 	user to root attacks
>   
I participated in that Lincoln Labs study, and my recollection is that
the remote/local distinction was already popular on bugtraq at the time.
The LL study was an attempt to simulate a natural threat.

> In the email examples given so far (note that nothing of similarity was
> in the LL study) they would all be "remote to local".
>   
Well, no. There is also direct "remote to root", which is a significant
classification that is distinct from "remote to local" and "local to
root". It is what you get if you have an exploit against root privileged
daemons (BIND, ntpd, etc.) and what you get if you have an exploit
against Microsoft Outlook being run as Administrator.

> There's no need for trying to define a compound attack -- it serves no
> purpose.
How is that? Classification schemes work best when you break things down
to their component atoms so that you can build up letters into words and
words into sentences. Those pesky attackers insist on using blended
attacks, and if we want to discuss what attackers do, we will either
need to define compound attacks, or else come up with a *very* large
lexicon :)

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ