Bugtraq mailing list archives
Re: On classifying attacks
From: Crispin Cowan <crispin () novell com>
Date: Sun, 17 Jul 2005 01:58:40 -0700
James Longstreet wrote:
> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>> This kind of attack has a name already: it is a trojan horse.
>> <snip>
>> But is this a remote exploit?
>
> No, it's not an exploit at all. Systems are not vulnerable to it unless a local user runs an executable. The only thing it exploits is trust of email (or similar vector).
But it is a remote *attack*. There is no other word for it than "remote" when the attacker is not local.

Which is not to say that the distinction Derek raised is invalid; there certainly is a semantic difference between an attack delivered by an e-mail, which does nothing until the user reads it or clicks on something, and a traditional remote attack where the attacker exploits a flaw in a program that is listening. Such a program typically is a server (BIND, Apache, Sendmail) but could also be a client (Gaim). Pushing the boundaries, the program could be a web browser, where the attack does happen immediately, does not involve a Trojan, but does still require the user to do something like click a particular URL.

So what we have is a very complicated space full of adjectives:

* Attack: doing bad stuff to someone else's stuff.
* Vulnerability: an unfortunate software flaw or configuration that enables an attack. It might be very specific, such as a buffer overflow vulnerability in a particular program, or it might be very general, such as "running Outlook with administrator privilege".
* Exploit: software that automates attacking a vulnerability.
  o *Note:* by this definition, an e-mail virus that leverages the common fact that many users run Outlook as administrator is in fact an "exploit", even if it is a weak one.
* Remote: attacker is over there somewhere, usually across some kind of network.
* Local: attacker and victim are connected to the same computer.
  o *Note:* in common parlance, this usually means that the attacker must compose a local vulnerability with some other vulnerability that will get them a login shell on the machine to be attacked, or must be granted legitimate access to the machine.

These terms are all commonly used in Bugtraq discussions, and I believe these definitions follow common usage. Using these terms precisely is important. Yet none of them capture the distinction Derek pointed out, and so perhaps we need a new term.

We could say that attacks against connected programs like BIND and Gaim are "synchronous" and attacks that involve sending now for impact later such as e-mailed malware are "asynchronous".

Crispin

-- 
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Director of Software Engineering, Novell http://novell.com