Re: On classifying attacks

To: James Longstreet <jlongs2@xxxxxxx>
Subject: Re: On classifying attacks
From: Adam Shostack <adam@xxxxxxxxxxxx>
Date: Mon, 18 Jul 2005 21:20:37 -0400
Cc: Derek Martin <code@xxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.A41.4.58.0507181005020.191290@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20050715023930.GE23576@xxxxxxxxxx> <DFE4F2E1-38F5-475A-A9E1-B151C1556C84@xxxxxxx> <20050716164029.GA26195@xxxxxxxxxx> <Pine.A41.4.58.0507181005020.191290@xxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.4.2i

On Mon, Jul 18, 2005 at 10:49:00AM -0500, James Longstreet wrote:
| > We disagree here.  The vulnerability is neither truly remote nor
| > local, in the normal senses as we have defined them here.  It is a
| > different kind of vulnerability altogether.  The vulnerability is one
| > to automatically triggering trojan horses....  Just as in the case of
| > the fabled Trojan Horse, there is no vulnerability at all until the
| > local users make a decision to trust something (data in this case,
| > rather than a hollowed out horse-shaped monument) from an outside
| > source.  In this case, the trust is given implicitly rather than
| > explicitly.  This is no different than if I handed you a disk, told
| > you to run the program on the disk, and you did so -- resulting in the
| > destruction of your hard drive.  Would you call this a remote
| > vulnerability?  Of course not.  But the mechanism is exactly the
| > same... except that some of the minor details are different.
| 
| It's completely different.  If you gave me a program on a disk, I wouldn't
| run it, because I know that programs that I run can do whatever they want
| on my system.  That's not because of a bug, it's because that's what a
| computer does -- run programs.

Just as an aside, no.

Operating systems run programs and control access to resources.  The
idea that any program can do anything to your system is a strange
one.  Systems like Goldberg and Wagner's Janus, or Cowan and co.'s
Subdomain, or heck, even the Java security manager, impose limits on
what a program that you run can do.

That most commercial operating systems lack these sorts of controls is
unfortunate.  I would really like to be able to limit what files and
directories my mail client or web browser can touch.

| If you gave me a program on disk and I ran it, I am giving you permission
| to run arbitrary code on my system.  Therefore, there is no bug.  The
| blame lies solely on me, not on my operating system, computer, or the
| program itself.

Again, the blame lies on your operating system for not letting you do
what you want in a common situation.

That's neither here nor there with regards to the local/remote or
credentialed/anonymous discussion.  But I think that on a security
list, we should not udnerestimate the value of OS features.

Adam

References:
- On classifying attacks
  - From: Derek Martin
- Re: On classifying attacks
  - From: James Longstreet
- Re: On classifying attacks
  - From: Derek Martin
- Re: On classifying attacks
  - From: James Longstreet

Prev by Date: HPSBUX01164 SSRT4884 rev.4 - HP-UX TCP/IP Remote Denial of Service (DoS)
Next by Date: Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
Previous by thread: Re: On classifying attacks
Next by thread: Re: On classifying attacks
Index(es):
- Date
- Thread