Secure Coding mailing list archives
Insider threats and software {EOG}
From: gem at cigital.com (Gary McGraw)
Date: Thu, 16 Aug 2007 15:59:50 -0400
Hi Michael,

I think thinking about firewalls and protocol analysis is missing the point almost entirely. Remember, the subverted client is behaving itself from the perspective of the server. It's just doing normal game client things...only in the case of a bot it is being driven by outside logic written by the no-longer-present gamer who wants to create virtual wealth while sleeping.

How would a host-based firewall help? The GAMER controls the host! Why on earth would the gamer/attacker allow a firewall to get in the way of game client subversion?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Michael S Hines
Sent: Thursday, August 16, 2007 11:04 AM
To: SC-L at securecoding.org
Subject: Re: [SC-L] Insider threats and software

Doesn't an execution sandbox serve similar functions to a firewall, but at the host level? Can't even more control be added to a sandbox than can be set on a firewall?

Second, doesn't a host based firewall (even on desktops) provide the security you are talking about (providing they work properly - which is another topic)?

Am I missing the point? Or are you thinking of something that checks message queues for proper semantics and syntax (since some OS's are message based and work from message queues)?

M.

-----------------------------
Michael S Hines
mshines at purdue.edu

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Pierre Parrend
Sent: Thursday, August 16, 2007 4:20 AM
To: silky
Cc: SC-L at securecoding.org
Subject: Re: [SC-L] Insider threats and software

Hello all,

I do not agree with Mike's point of view. Of course the unique way to cheat a system is to understand how it is working, and to abuse it.
But the main difference is that you can hardly talk about protocol in the case of applications: if you have a given protocol, you 'just' need to build a firewall that checks that the protocol is properly working. In the case of software level insider attack, you would therefore need a dedicated firewall for every application you provide, which seems difficult both in terms of development and performance cost.

The differences I see between the two cases are the following:

- attacks are now performed at the applicative level. And no simple interface between the user and the application can be identified, since a heavy client is involved (the interface is no longer a single protocol, but a whole application).

- the matter becomes even worse if the systems are dynamic (such as with MIDP, or OSGi, or any plug-in mechanism), which does not yet occur with online games, but soon could.

The last case makes a shift in the potential attacks quite likely: it is sufficient to make malicious components freely available to perform attacks, even without illegally modifying existing code.

The problem of client-based attack is bound with the one of integration of off-the-shelf components: how is it possible to control the execution process for every self-developed or third party, local or remote, piece of code?

Both involve application level 'protocols' to perform insider attacks, which are not so easy to tackle, i.e. what Gary is describing is (to my view) not the ultimate insider, but a step toward a worsening of the security state of systems.

regards,
Pierre P.

Quoting silky <michaelslists at gmail.com>:
i really don't see how this is at all an 'insider' attack; given that it is the common attack vector for almost every single remote exploit strategy; look into the inner protocol of the specific app and form your own messages to exploit it.

On 8/15/07, Gary McGraw <gem at cigital.com> wrote:

Hi sc-l,

My darkreading column this month is devoted to insiders, but with a twist.

In this article, I argue that software components which run on untrusted clients (AJAX anyone? WoW clients?) are an interesting new flavor of insider attack.

Check it out: http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1

What do you think? Is this a logical stretch or something obvious?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________

--
Pierre Parrend
Ph.D. Student, Teaching Assistant
INRIA-INSA Lyon, France
pierre.parrend at insa-lyon
web : http://www.rzo.free.fr

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
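Gary's point above (a bot-driven game client sends nothing a protocol check would reject, so the server can only look at how the session behaves) as an added, constructed illustration that is not part of the thread; the message format, the action names and the timing thresholds are hypothetical:

```python
"""Constructed example: why a protocol check cannot tell a bot-driven game
client from a human one, and what a server can look at instead.
Message format, actions and thresholds are hypothetical."""
from statistics import mean, pstdev

# Hypothetical client->server message: (timestamp in seconds, action, target)
VALID_ACTIONS = {"move", "gather", "sell"}

def protocol_valid(msg):
    """What a protocol firewall sees: is the message well-formed and allowed?"""
    ts, action, target = msg
    return isinstance(ts, (int, float)) and action in VALID_ACTIONS and isinstance(target, str)

def session_protocol_valid(session):
    return all(protocol_valid(m) for m in session)

def behavioural_score(session, max_cv=0.15, min_hours=4.0):
    """Server-side heuristic that needs no client cooperation: flag a session
    whose inter-action timing is machine-regular (low coefficient of
    variation) AND runs longer than a person plausibly would."""
    if len(session) < 2:               # no intervals to measure
        return {"cv": None, "hours": 0.0, "flagged": False}
    stamps = [m[0] for m in session]
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else 0.0
    hours = (stamps[-1] - stamps[0]) / 3600
    return {"cv": cv, "hours": hours, "flagged": cv < max_cv and hours >= min_hours}

def make_session(gaps, actions):
    """Build a session from inter-action gaps, cycling through actions."""
    session, t = [], 0.0
    for i, gap in enumerate([0.0] + list(gaps)):
        t += gap
        session.append((t, actions[i % len(actions)], "node-%d" % (i % 7)))
    return session

# Constructed human session: a few minutes of irregular play.
HUMAN = make_session([1.2, 3.5, 0.8, 7.0, 2.1, 0.5, 4.4, 1.9, 9.3, 2.6],
                     ["move", "gather", "sell"])
# Constructed bot session: the same client driven by a script for ~8 hours,
# every message protocol-valid, 2s gaps with tiny cyclic jitter.
BOT = make_session([2.0 + 0.05 * ((i % 3) - 1) for i in range(14399)],
                   ["move", "gather", "sell"])

if __name__ == "__main__":
    for name, s in (("human", HUMAN), ("bot", BOT)):
        print(name, "protocol ok:", session_protocol_valid(s), behavioural_score(s))
```

Both sessions pass the protocol check; only the timing heuristic separates them, and a more careful script can of course randomise its gaps, which is why such server-side signals are a detection aid rather than a fix.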
Current thread:
- Insider threats and software Gary McGraw (Aug 14)
- Insider threats and software silky (Aug 14)
- Insider threats and software Gary McGraw (Aug 16)
- Insider threats and software silky (Aug 16)
- Insider threats and software Paco Hope (Aug 17)
- Insider threats and software Crispin Cowan (Aug 28)
- Insider threats and software Gary McGraw (Aug 16)
- Insider threats and software silky (Aug 14)
- <Possible follow-ups>
- Insider threats and software Pierre Parrend (Aug 16)
- Insider threats and software Michael S Hines (Aug 16)
- Insider threats and software {EOG} Gary McGraw (Aug 16)
- Insider threats and software Michael S Hines (Aug 16)