Re: On classifying attacks

From: Crispin Cowan (crispin_at_novell.com)
Date: 07/17/05

    Date: Sun, 17 Jul 2005 01:58:40 -0700
    To: James Longstreet <jlongs2@uic.edu>
    
    

    James Longstreet wrote:
    > On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
    >
    > >> This kind of attack has a name already: it is a trojan horse.
    > <snip>
    > >> But is this a remote exploit?
    >
    > No, it's not an exploit at all. Systems are not vulnerable to it
    > unless a local user runs an executable. The only thing it exploits
    > is trust of email (or similar vector).
    But it is a remote *attack*. There is no other word for it than "remote"
    when the attacker is not local.

    Which is not to say that the distinction Derek raised is invalid; there
    certainly is a semantic difference between an attack delivered by an
    e-mail, which does nothing until the user reads it or clicks on
    something, and a traditional remote attack where the attacker exploits a
    flaw in a program that is listening. Such a program typically is a
    server (BIND, Apache, Sendmail) but could also be a client (Gaim).
    Pushing the boundaries, the program could be a web browser, where the
    attack does happen immediately, does not involve a Trojan, but does
    still require the user to do something like click a particular URL.

    So what we have is a very complicated space full of adjectives:

        * Attack: doing bad stuff to someone else's stuff.
        * Vulnerability: an unfortunate software flaw or configuration that
          enables an attack. It might be very specific, such as a buffer
          overflow vulnerability in a particular program, or it might be
          very general, such as "running Outlook with administrator privilege".
        * Exploit: software that automates attacking a vulnerability.
              o *Note:* by this definition, an e-mail virus that leverages
                the common fact that many users run Outlook as administrator
                is in fact an "exploit", even if it is a weak one.
        * Remote: attacker is over there somewhere, usually across some kind
          of network.
        * Local: attacker and victim are connected to the same computer.
              o *Note:* in common parlance, this usually means that the
                attacker must compose a local vulnerability with some other
                vulnerability that will get them a login shell on the
                machine to be attacked, or must be granted legitimate access
                to the machine.

    These terms are all commonly used in Bugtraq discussions, and I believe
    these definitions follow common usage. Using these terms precisely is
    important.

    Yet none of them capture the distinction Derek pointed out, and so
    perhaps we need a new term. We could say that attacks against connected
    programs like BIND and Gaim are "synchronous" and attacks that involve
    sending now for impact later such as e-mailed malware are "asynchronous".

    Crispin

    -- 
    Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
    Director of Software Engineering, Novell  http://novell.com
    
