RE: On classifying attacks

To: "Crispin Cowan" <crispin@xxxxxxxxxx>, "James Longstreet" <jlongs2@xxxxxxx>
Subject: RE: On classifying attacks
From: "Black, Michael" <black@xxxxxxxxxxxxx>
Date: Tue, 19 Jul 2005 09:11:00 -0400
Cc: "Derek Martin" <code@xxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcWMD9FXz5ruFpW7TJ+O7WxQKVUElAAT0iLw
Thread-topic: On classifying attacks

You might try re-using the rather large effort that went into the CERT
taxonomy:
http://www.cert.org/research/taxonomy_988667.pdf

You'll note the complete lack of "local" and "remote" in the taxonomy.

The email example of "rm -r /*" being executed would be:
Attack:
        Tool: Information Exchange
        Vulnerability: Design
        Action: Delete
        Target: Data
        Unauthorized Result: Corruption of Information

Remote exploit of Bind (causing "rm -r /*" to be executed):
Attack:
        Tool: User Command
        Vulnerability: Design
        Action: Delete
        Target: Data
        Unauthorized Result: Corruption of Information  

Remote exploit of Bind (causing a shell to be opened):
Attack:
        Tool: User Command
        Vulnerability: Design
        Action: Bypass
        Target: Account
        Unauthorized Result: Increased Access

If you really want to stick with "remote" and "local" I think you can
define them thusly:
Remote -- control/access of resources occurs from outside the
machine/network
Local -- control/access of resources occurs on the local machine (i.e.
no network connection required)

Using this definition the email example is local and both bind examples
are remote.  The bind vulnerabilities are completely solved by
unplugging the machines from the network whereas the email machine may
still be vulnerable after being disconnected.

_______________________________
Michael D. Black, MSIA, CISSP, IAM
Information Systems Security Officer
Essex Corporation
black@xxxxxxxxxxxxx
-----Original Message-----
From: Crispin Cowan [mailto:crispin@xxxxxxxxxx] 
Sent: Sunday, July 17, 2005 4:59 AM
To: James Longstreet
Cc: Derek Martin; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: On classifying attacks

James Longstreet wrote:
> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>
> >> This kind of attack has a name already: it is a trojan horse.
> <snip>
> >> But is this a remote exploit?
>
> No, it's not an exploit at all.  Systems are not vulnerable to it 
> unless a local user runs an executable.  The only thing it exploits 
> is trust of email (or similar vector).
But it is a remote *attack*. There is no other word for it than "remote"
when the attacker is not local.

Which is not to say that the distinction Derek raised is invalid; there
certainly is a semantic difference between an attack delivered by an
e-mail, which does nothing until the user reads it or clicks on
something, and a traditional remote attack where the attacker exploits a
flaw in a program that is listening. Such a program typically is a
server (BIND, Apache, Sendmail) but could also be a client (Gaim).
Pushing the boundaries, the program could be a web browser, where the
attack does happen immediately, does not involve a Trojan, but does
still require the user to do something like click a particular URL.

So what we have is a very complicated space full of adjectives:

    * Attack: doing bad stuff to someone else's stuff.
    * Vulnerability: an unfortunate software flaw or configuration that
      enables an attack. It might be very specific, such as a buffer
      overflow vulnerability in a particular program, or it might be
      very general, such as "running Outlook with administrator
privilege".
    * Exploit: software that automates attacking a vulnerability.
          o *Note:* by this definition, an e-mail virus that leverages
            the common fact that many users run Outlook as administrator
            is in fact an "exploit", even if it is a weak one.
    * Remote: attacker is over there somewhere, usually across some kind
      of network.
    * Local: attacker and victim are connected to the same computer.
          o *Note:* in common parlance, this usually means that the
            attacker must compose a local vulnerability with some other
            vulnerability that will get them a login shell on the
            machine to be attacked, or must be granted legitimate access
            to the machine.

These terms are all commonly used in Bugtraq discussions, and I believe
these definitions follow common usage. Using these terms precisely is
important.

Yet none of them capture the distinction Derek pointed out, and so
perhaps we need a new term. We could say that attacks against connected
programs like BIND and Gaim are "synchronous" and attacks that involve
sending now for impact later such as e-mailed malware are
"asynchronous".

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

Follow-Ups:
- Re: On classifying attacks
  - From: Crispin Cowan

Prev by Date: [ISR] - Novell Groupwise WebAccess Cross-Site Scripting
Next by Date: Oracle Security Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Reports
Previous by thread: Re: On classifying attacks
Next by thread: Re: On classifying attacks
Index(es):
- Date
- Thread