Bugtraq mailing list archives
Re: On classifying attacks
From: Crispin Cowan <crispin () novell com>
Date: Thu, 28 Jul 2005 01:33:46 -0700
Black, Michael wrote:
Perhaps the current popularity of remote/local terms comes from the Lincoln Labs studies done in 1998: http://www.usenix.org/events/sec99/full_papers/ghosh/ghosh_html/ Attacks were divided into four categories: denial of service probing/surveillance remote to local user to root attacks
I participated in that Lincoln Labs study, and my recollection is that the remote/local distinction was already popular on bugtraq at the time. The LL study was an attempt to simulate a natural threat.
In the email examples given so far (note that nothing of similarity was in the LL study) they would all be "remote to local".
Well, no. There is also direct "remote to root", which is a significant classification that is distinct from "remote to local" and "local to root". It is what you get if you have an exploit against root privileged daemons (BIND, ntpd, etc.) and what you get if you have an exploit against Microsoft Outlook being run as Administrator.
There's no need for trying to define a compound attack -- it serves no purpose.
How is that? Classification schemes work best when you break things down to their component atoms so that you can build up letters into words and words into sentences. Those pesky attackers insist on using blended attacks, and if we want to discuss what attackers do, we will either need to define compound attacks, or else come up with a *very* large lexicon :) Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com
Current thread:
- Re: On classifying attacks, (continued)
- Re: On classifying attacks Mihai Amarandei-Stavila (Jul 18)
- Re: On classifying attacks Crispin Cowan (Jul 18)
- Re: On classifying attacks Indigo Haze (Jul 16)
- Re: On classifying attacks Steven M. Christey (Jul 18)
- Re: On classifying attacks Dustin D. Trammell (Jul 19)
- RE: On classifying attacks Black, Michael (Jul 19)
- Re: On classifying attacks Crispin Cowan (Jul 19)
- Re: On classifying attacks Technica Forensis (Jul 20)
- Re: On classifying attacks Crispin Cowan (Jul 27)
- Re: On classifying attacks Crispin Cowan (Jul 19)
- RE: On classifying attacks Black, Michael (Jul 27)
- Re: On classifying attacks Crispin Cowan (Jul 28)