Firewall Wizards mailing list archives
Re: Application-level Attacks
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sun, 30 Jan 2005 21:58:26 +0530
On 29/01/05 11:02 -0800, Crispin Cowan wrote:
> Marcus J. Ranum wrote:
>> So, I guess what I am saying is that, in Marcus-land, almost all attacks are application level. :) They always have been.
>
> This assertion begs the question of "what is an application". I'm sympathetic to this argument. I have argued to my marketing dweebs :) that an "application" is everything that is not the kernel. That is the software person's perspective. At the opposite extreme, the business perspective is that an "application" is stuff that you purchased or wrote to stick on top of your Red Hat or SuSE installation, i.e. an "application" is something that does not normally come with a distro. Both of these views are extreme. I think that a sound case can be made that things like sshd, telnetd, and bind are really part of the OS and
Which OS? Unix? Windows?
> not "applications", even though they do not run in kernel space. Conversely, an argument can be made that things like Mozilla and OpenOffice are applications, even though they come with the distro. What makes it tough to decide is gray-area programs like Apache and MySQL. Some would call them "applications", while others would call them "infrastructure" on top of which you place applications.
Infrastructure is still applications :). Applications on top of other applications. "Like any system, it depends on another".
> All of which, while interesting, is not the question I was trying to answer :) I'm looking for global epidemiological trends that would substantiate the conjecture that attacks are migrating from the OS end of the spectrum to the application end of the spectrum. This conjectured trend is independent of where you personally draw the line between "OS" and "application", unless you are MJR and they have all been applications since the dawn of time :)
What I am seeing is a highlighting of issues like SQL injection and cross site scripting as opposed to the old buffer overflow stuff which was prevalent two years ago. This does not mean that the vulnerability spectrum has shifted, just that a different class of attacks is showing up more in the public eye because of a greater impact. Most of the vulnerabilities are in web applications, which cause damage simply because they are the flavoured application type of the month. Buzzword Compliant Applications usually show this symptom, for any value of buzzword. "We do all this complex stuff with XML, PHP, XML-RPC and MySQL using a browser based user interface and SOAP on the backend." is a recipe for being part of the highlighted application spectrum.

It would also be interesting to find out how many vulnerabilities of the same type are being found in similar types of applications and which of those are being actively exploited. "Buffer overflow in IE" has a very different impact from "cross site scripting hole in $random PHP application" has a very different impact from "formmail.pl from MSA does not do access control and allows for spam to be sent".

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards