Re: On classifying attacks
Black, Michael wrote:
>You might try re-using the rather large effort that went into the CERT
>taxonomy:
>http://www.cert.org/research/taxonomy_988667.pdf
>
>You'll note the complete lack of "local" and "remote" in the taxonomy.
>
That pretty much tells me everything I need to know about whether I want
to use that taxonomy :)
>Remote exploit of Bind (causing "rm -r /*" to be executed):
>Attack:
> Tool: User Command
> Vulnerability: Design
>
"Design"?!
>If you really want to stick with "remote" and "local" I think you can
>define them thusly:
>Remote -- control/access of resources occurs from outside the
>machine/network
>Local -- control/access of resources occurs on the local machine (i.e.
>no network connection required)
>
Ok, but I had no trouble with those definitions in the first place, and
so far you have not captured the distinction Derek was asking about.
>Using this definition the email example is local and both bind examples
>are remote.
.. and any definition that classifies the e-mail example as "local" is
just broken.
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Director of Software Engineering, Novell http://novell.com