Bugtraq mailing list archives

RE: On classifying attacks

From: "Black, Michael" <black () EssexCorp com>
Date: Tue, 19 Jul 2005 09:11:00 -0400

You might try re-using the rather large effort that went into the CERT
taxonomy:
http://www.cert.org/research/taxonomy_988667.pdf

You'll note the complete lack of "local" and "remote" in the taxonomy.

The email example of "rm -r /*" being executed would be:
Attack:
        Tool: Information Exchange
        Vulnerability: Design
        Action: Delete
        Target: Data
        Unauthorized Result: Corruption of Information

Remote exploit of Bind (causing "rm -r /*" to be executed):
Attack:
        Tool: User Command
        Vulnerability: Design
        Action: Delete
        Target: Data
        Unauthorized Result: Corruption of Information  

Remote exploit of Bind (causing a shell to be opened):
Attack:
        Tool: User Command
        Vulnerability: Design
        Action: Bypass
        Target: Account
        Unauthorized Result: Increased Access


If you really want to stick with "remote" and "local" I think you can
define them thusly:
Remote -- control/access of resources occurs from outside the
machine/network
Local -- control/access of resources occurs on the local machine (i.e.
no network connection required)

Using this definition the email example is local and both bind examples
are remote.  The bind vulnerabilities are completely solved by
unplugging the machines from the network whereas the email machine may
still be vulnerable after being disconnected.

        
_______________________________
Michael D. Black, MSIA, CISSP, IAM
Information Systems Security Officer
Essex Corporation
black () essexcorp com
-----Original Message-----
From: Crispin Cowan [mailto:crispin () novell com] 
Sent: Sunday, July 17, 2005 4:59 AM
To: James Longstreet
Cc: Derek Martin; bugtraq () securityfocus com
Subject: Re: On classifying attacks

James Longstreet wrote:

On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:

This kind of attack has a name already: it is a trojan horse.

<snip>

But is this a remote exploit?


No, it's not an exploit at all.  Systems are not vulnerable to it 
unless a local user runs an executable.  The only thing it exploits 
is trust of email (or similar vector).

But it is a remote *attack*. There is no other word for it than "remote"
when the attacker is not local.

Which is not to say that the distinction Derek raised is invalid; there
certainly is a semantic difference between an attack delivered by an
e-mail, which does nothing until the user reads it or clicks on
something, and a traditional remote attack where the attacker exploits a
flaw in a program that is listening. Such a program typically is a
server (BIND, Apache, Sendmail) but could also be a client (Gaim).
Pushing the boundaries, the program could be a web browser, where the
attack does happen immediately, does not involve a Trojan, but does
still require the user to do something like click a particular URL.

So what we have is a very complicated space full of adjectives:

    * Attack: doing bad stuff to someone else's stuff.
    * Vulnerability: an unfortunate software flaw or configuration that
      enables an attack. It might be very specific, such as a buffer
      overflow vulnerability in a particular program, or it might be
      very general, such as "running Outlook with administrator
privilege".
    * Exploit: software that automates attacking a vulnerability.
          o *Note:* by this definition, an e-mail virus that leverages
            the common fact that many users run Outlook as administrator
            is in fact an "exploit", even if it is a weak one.
    * Remote: attacker is over there somewhere, usually across some kind
      of network.
    * Local: attacker and victim are connected to the same computer.
          o *Note:* in common parlance, this usually means that the
            attacker must compose a local vulnerability with some other
            vulnerability that will get them a login shell on the
            machine to be attacked, or must be granted legitimate access
            to the machine.

These terms are all commonly used in Bugtraq discussions, and I believe
these definitions follow common usage. Using these terms precisely is
important.

Yet none of them capture the distinction Derek pointed out, and so
perhaps we need a new term. We could say that attacks against connected
programs like BIND and Gaim are "synchronous" and attacks that involve
sending now for impact later such as e-mailed malware are
"asynchronous".

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

Current thread:

Re: On classifying attacks, (continued)
- Re: On classifying attacks James Longstreet (Jul 16)
  - Re: On classifying attacks Derek Martin (Jul 16)
    - Re: On classifying attacks Godwin Stewart (Jul 18)
    - Re: On classifying attacks James Longstreet (Jul 18)
    - Re: On classifying attacks Adam Shostack (Jul 19)
    - Re: On classifying attacks Mihai Amarandei-Stavila (Jul 18)
  - Re: On classifying attacks Crispin Cowan (Jul 18)
- Re: On classifying attacks Indigo Haze (Jul 16)
- Re: On classifying attacks Steven M. Christey (Jul 18)
- Re: On classifying attacks Dustin D. Trammell (Jul 19)
- RE: On classifying attacks Black, Michael (Jul 19)
  - Re: On classifying attacks Crispin Cowan (Jul 19)
    - Re: On classifying attacks Technica Forensis (Jul 20)
    - Re: On classifying attacks Crispin Cowan (Jul 27)
- RE: On classifying attacks Black, Michael (Jul 27)
  - Re: On classifying attacks Crispin Cowan (Jul 28)