Re: On classifying attacks
James Longstreet wrote:
> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>
> >> This kind of attack has a name already: it is a trojan horse.
> <snip>
> >> But is this a remote exploit?
>
> No, it's not an exploit at all. Systems are not vulnerable to it
> unless a local user runs an executable. The only thing it exploits
> is trust of email (or similar vector).
But it is a remote *attack*. There is no other word for it than "remote"
when the attacker is not local.
Which is not to say that the distinction Derek raised is invalid; there
certainly is a semantic difference between an attack delivered by an
e-mail, which does nothing until the user reads it or clicks on
something, and a traditional remote attack where the attacker exploits a
flaw in a program that is listening. Such a program typically is a
server (BIND, Apache, Sendmail) but could also be a client (Gaim).
Pushing the boundaries, the program could be a web browser, where the
attack does happen immediately, does not involve a Trojan, but does
still require the user to do something like click a particular URL.
So what we have is a very complicated space full of adjectives:
* Attack: doing bad stuff to someone else's stuff.
* Vulnerability: an unfortunate software flaw or configuration that
enables an attack. It might be very specific, such as a buffer
overflow vulnerability in a particular program, or it might be
very general, such as "running Outlook with administrator privilege".
* Exploit: software that automates attacking a vulnerability.
o *Note:* by this definition, an e-mail virus that leverages
the common fact that many users run Outlook as administrator
is in fact an "exploit", even if it is a weak one.
* Remote: attacker is over there somewhere, usually across some kind
of network.
* Local: attacker and victim are connected to the same computer.
o *Note:* in common parlance, this usually means that the
attacker must compose a local vulnerability with some other
vulnerability that will get them a login shell on the
machine to be attacked, or must be granted legitimate access
to the machine.
These terms are all commonly used in Bugtraq discussions, and I believe
these definitions follow common usage. Using these terms precisely is
important.
Yet none of them capture the distinction Derek pointed out, and so
perhaps we need a new term. We could say that attacks against connected
programs like BIND and Gaim are "synchronous" and attacks that involve
sending now for impact later such as e-mailed malware are "asynchronous".
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Director of Software Engineering, Novell http://novell.com