Bugtraq mailing list archives
Re: On classifying attacks
From: Adam Shostack <adam () homeport org>
Date: Mon, 18 Jul 2005 21:20:37 -0400
On Mon, Jul 18, 2005 at 10:49:00AM -0500, James Longstreet wrote:
| > We disagree here. The vulnerability is neither truly remote nor
| > local, in the normal senses as we have defined them here. It is a
| > different kind of vulnerability altogether. The vulnerability is one
| > to automatically triggering trojan horses.... Just as in the case of
| > the fabled Trojan Horse, there is no vulnerability at all until the
| > local users make a decision to trust something (data in this case,
| > rather than a hollowed out horse-shaped monument) from an outside
| > source. In this case, the trust is given implicitly rather than
| > explicitly. This is no different than if I handed you a disk, told
| > you to run the program on the disk, and you did so -- resulting in the
| > destruction of your hard drive. Would you call this a remote
| > vulnerability? Of course not. But the mechanism is exactly the
| > same... except that some of the minor details are different.
|
| It's completely different. If you gave me a program on a disk, I wouldn't
| run it, because I know that programs that I run can do whatever they want
| on my system. That's not because of a bug, it's because that's what a
| computer does -- run programs.

Just as an aside, no. Operating systems run programs and control access to resources. The idea that any program can do anything to your system is a strange one. Systems like Goldberg and Wagner's Janus, or Cowan and co.'s SubDomain, or heck, even the Java security manager, impose limits on what a program that you run can do. That most commercial operating systems lack these sorts of controls is unfortunate. I would really like to be able to limit what files and directories my mail client or web browser can touch.

| If you gave me a program on disk and I ran it, I am giving you permission
| to run arbitrary code on my system. Therefore, there is no bug. The
| blame lies solely on me, not on my operating system, computer, or the
| program itself.
Again, the blame lies on your operating system for not letting you do what you want in a common situation. That's neither here nor there with regards to the local/remote or credentialed/anonymous discussion. But I think that on a security list, we should not underestimate the value of OS features.

Adam
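The kind of OS control Adam asks for, as an added example that is not part of this thread: a process restricts itself (or a forked child) to read-only access beneath one directory using Linux Landlock, the modern descendant of the SubDomain/Janus idea. It assumes a Linux kernel of 5.13 or later with Landlock enabled, and uses /usr and /etc only as constructed probe paths; on a kernel or sandbox without Landlock it reports that instead of failing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock ABI v1, inlined so this builds without <linux/landlock.h>;
 * syscall numbers 444-446 are the same on every Linux architecture. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LL_FS_ALL_V1 ((1ULL << 13) - 1)                        /* all 13 v1 access rights */
#define LL_FS_READ   ((1ULL << 0) | (1ULL << 2) | (1ULL << 3)) /* EXECUTE|READ_FILE|READ_DIR */

/* Restrict the calling process to read-only access beneath `dir`.
 * 0 = enforced, 1 = this kernel/sandbox has no Landlock, -1 = setup error. */
int confine_fs_readonly(const char *dir) {
    struct landlock_ruleset_attr rs = { .handled_access_fs = LL_FS_ALL_V1 };
    int ruleset = (int)syscall(444, &rs, sizeof rs, 0); /* landlock_create_ruleset */
    if (ruleset < 0)
        return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
    struct landlock_path_beneath_attr pb = { LL_FS_READ, open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC) };
    if (pb.parent_fd < 0 || syscall(445, ruleset, 1, &pb, 0)) /* landlock_add_rule, rule type PATH_BENEATH */
        return -1;
    /* The kernel insists on no_new_privs, so the limit cannot be shed through a setuid binary. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(446, ruleset, 0)) /* landlock_restrict_self */
        return -1;
    close(pb.parent_fd); close(ruleset);
    return 0;
}

/* Open a directory read-only: 0 on success, else the errno that open() set. */
int probe_open(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    return fd < 0 ? errno : (close(fd), 0);
}
/* Confine a forked child to `dir` and have it probe `path`, so the caller stays
 * unrestricted. Returns the child's errno (0 = opened), -2 if Landlock is unavailable, -1 on error. */
int probe_confined(const char *dir, const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int rc = confine_fs_readonly(dir);
        _exit(rc == 1 ? 254 : rc < 0 ? 255 : probe_open(path));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 254 ? -2 : code == 255 ? -1 : code;
}
```

With Landlock active, probe_confined("/usr", "/etc") returns EACCES while probe_confined("/usr", "/usr") returns 0; the same open() calls succeed unconfined, which is exactly the difference between "a computer runs programs" and "an OS controls what they may touch".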
Current thread:
- On classifying attacks Derek Martin (Jul 15)
- RE: On classifying attacks Bryan McAninch (Jul 15)
- Re: On classifying attacks James Longstreet (Jul 16)
- Re: On classifying attacks Derek Martin (Jul 16)
- Re: On classifying attacks Godwin Stewart (Jul 18)
- Re: On classifying attacks James Longstreet (Jul 18)
- Re: On classifying attacks Adam Shostack (Jul 19)
- Re: On classifying attacks Mihai Amarandei-Stavila (Jul 18)
- Re: On classifying attacks Derek Martin (Jul 16)
- Re: On classifying attacks Crispin Cowan (Jul 18)
- Re: On classifying attacks Indigo Haze (Jul 16)
- <Possible follow-ups>
- Re: On classifying attacks Steven M. Christey (Jul 18)
- Re: On classifying attacks Dustin D. Trammell (Jul 19)
- RE: On classifying attacks Black, Michael (Jul 19)
- Re: On classifying attacks Crispin Cowan (Jul 19)
- Re: On classifying attacks Technica Forensis (Jul 20)
- Re: On classifying attacks Crispin Cowan (Jul 27)
- Re: On classifying attacks Crispin Cowan (Jul 19)