On Thu, 2003-10-23 at 11:42 -0600, Eric Knight wrote:

> Remote Authenticated
> Remote Unauthenticated
> Local Authenticated
> Local Unauthenticated.
>
> This is the beginning of the taxonomy matrix.

Greetings!

I'm currently catching up with emails and came across this (slightly aged) thread.

The matrix above categorizes on the "locality" of the attack executor (being remote, exploiting a buffer overflow through the network, or local, exploiting a suid vulnerability). It also categorizes on the "condition of the executor" itself (anonymous/unauthenticated or credentialed/authenticated).

However, I think there is another factor to consider when classifying vulnerabilities -- that of the "timeliness" of the attack. I believe the matrix should be enhanced to include:

Immediate: An attack performed will have an immediate impact on the target. An example is the remote buffer overflow.

Delayed: An attack is initiated now, but executed later. Examples include most email-borne viruses, trojans, malware, etc.

Including the timeliness of the attack is important, especially when considering the adverse effects on surrounding infrastructure. An email virus doesn't spread quite as fast as a worm like SQL Slammer.

Given these three criteria, we could classify as follows:

                                     Timeliness / User Level    / Locality
  Daemon buffer overflow:            Immediate    anonymous       remote
  Setuid exploitation:               Immediate    anonymous       local
  Emailing a setuid exploit[1]:      Delayed      anonymous       local
  Emailing a rm -rf / script[1]:     Delayed      authenticated   local
  Backdoor script on web page:       Delayed      authenticated   local
  Emailing overflow to virus gateway: Delayed     anonymous       remote

[1] The emailed setuid exploit script will elevate privileges by itself, while the rm -rf / requires privileges in order to be effective. This point is probably debatable :)

I apologize for bringing this topic up again, but I think it is important that we find consensus on these classifications.

So I respectfully submit: Immediate/delayed

Regards,
Frank