Re: "Local" and "Remote" considered insufficient

To: Eric Knight <eric@xxxxxxxxxxxxx>
Subject: Re: "Local" and "Remote" considered insufficient
From: Frank Knobbe <frank@xxxxxxxxx>
Date: Sun, 23 Jan 2005 11:47:52 -0600
Cc: "Steven M. Christey" <coley@xxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, vuln-dev@xxxxxxxxxxxxxxxxx
In-reply-to: <003301c3998c$fab0fc80$78e3a443@datendrao2d5z7>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200310222039.h9MKdtD3026312@xxxxxxxxxxxxxxx> <003301c3998c$fab0fc80$78e3a443@datendrao2d5z7>

On Thu, 2003-10-23 at 11:42 -0600, Eric Knight wrote:
> Remote Authenticated
> Remote Unauthenticated
> Local Authenticated
> Local Unauthenticated.
> 
> This is the beginning of the taxnomy matrix.  

Greetings!

I'm currently catching up with emails and came across this (slightly
aged) thread. The matrix above categorizes on the "locality" of the
attack executor (being remote, exploiting a buffer overflow through the
network, or local, exploiting a suid vulnerability). It also categorizes
on the "condition of the executor" itself (anonymous/unauthenticated or
credentialed/authenticated).

However, I think there is another factor to consider when classifying
vulnerabilities -- that of the "timeliness" of the attack. I believe the
matrix should be enhanced to include:

Immediate: An attack performed will have an immediate impact on the
target. An example is the remote buffer overflow.

Delayed: An attack is initiated now, but executed later. Examples
include most email-borne viruses, trojans, malware, etc.

Including the timeliness of the attack is important, especially when
considering the adverse effects on surrounding infrastructure. An email
virus doesn't spread quite as fast as a worm like SQL slammer.

Given these three criteria, we could classify as follows:

                                     Timeliness / User Level / Locality

Daemon buffer overflow:              Immediate anonymous remote
Setuid exploitation:                 Immediate anonymous local
Emailing a setuid exploit[1]:        Delayed anonymous local
Emailing a rm -rf / script[1]:       Delayed authenticated local
Backdoor script on web page:         Delayed authenticated local
Emailing overflow to virus gateway:  Delayed anonymous remote

[1] The emailed setuid exploit script will elevate privileges by itself
while the rm -rf / requires privileges in order to be effective. This
point is probably debatable :) 

I apologies for bringing this topic up again, but I think it is
important that we find consensus on these classifications.
So I respectfully submit: Immediate/delayed

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

References:
- "Local" and "Remote" considered insufficient
  - From: Steven M. Christey
- Re: "Local" and "Remote" considered insufficient
  - From: Eric Knight

Prev by Date: Re: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow
Next by Date: [USN-70-1] Perl DBI module vulnerability
Previous by thread: Re: "Local" and "Remote" considered insufficient
Next by thread: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation
Index(es):
- Date
- Thread