Firewall Wizards mailing list archives

Re: Application-level Attacks


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 30 Jan 2005 21:58:26 +0530

On 29/01/05 11:02 -0800, Crispin Cowan wrote:
> Marcus J. Ranum wrote:
>
> > So, I guess what I am saying is that, in Marcus-land, almost all
> > attacks are application level. :)   They always have been.
>
> This assertion begs the question of "what is an application".
>
> I'm sympathetic to this argument. I have argued to my marketing dweebs
> :) that an "application" is everything that is not the kernel. That is
> the software person's perspective.
>
> At the opposite extreme, the business perspective is that an
> "application" is stuff that you purchased or wrote to stick on top of
> your Red Hat or SuSE installation, i.e. an "application" is something
> that does not normally come with a distro.
>
> Both of these views are extreme. I think that a sound case can be made
> that things like sshd, telnetd, and bind are really part of the OS and

Which OS? Unix? Windows?

> not "applications", even though they do not run in kernel space.
> Conversely, an argument can be made that things like Mozilla and
> OpenOffice are applications, even though they come with the distro.
>
> What makes it tough to decide is gray-area programs like Apache and
> MySQL. Some would call them "applications", while others would call them
> "infrastructure" on top of which you place applications.

Infrastructure is still applications :). Applications on top of other
applications. "Like any system, it depends on another".

> All of which, while interesting, is not the question I was trying to
> answer :) I'm looking for global epidemiological trends that would
> substantiate the conjecture that attacks are migrating from the OS end
> of the spectrum to the application end of the spectrum. This conjectured
> trend is independent of where you personally draw the line between "OS"
> and "application", unless you are MJR and they have all been
> applications since the dawn of time :)

What I am seeing is a highlighting of issues like SQL injection and
cross site scripting as opposed to the old buffer overflow stuff which
was prevalent two years ago.

This does not mean that the vulnerability spectrum has shifted, just
that a different class of attacks is showing up more in the public eye
because of a greater impact. Most of the vulnerabilities are in web
applications, which cause damage simply because they are the flavoured
application type of the month.

Buzzword Compliant Applications usually show this symptom, for
any value of buzzword. "We do all this complex stuff with XML, PHP,
XML-RPC and MySQL using a browser based user interface and SOAP on the
backend." is a recipe for being part of the highlighted application
spectrum.

It would also be interesting to find out how many vulnerabilities of the
same type are being found in similar types of applications and which of
those are being actively exploited. "Buffer overflow in IE" has a very
different impact from "cross site scripting hole in $random PHP
application" has a very different impact from "formmail.pl from MSA does
not do access control and allows for spam to be sent".

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards