Secure Coding mailing list archives

Insider threats and software


From: mshines at purdue.edu (Michael S Hines)
Date: Thu, 16 Aug 2007 11:03:59 -0400

Doesn't an execution sandbox serve similar functions to a firewall, but at
the host level?  Can't even more control be added to a sandbox than can be
set on a firewall?

Second, doesn't a host based firewall (even on desktops) provide the
security you are talking about (providing they work properly - which is
another topic)?

Am I missing the point?

Or are you thinking of something that checks message queues for proper
semantics and syntax (since some OS's are message based and work from
message queues)?

M.
-----------------------------
Michael S Hines
mshines at purdue.edu

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of Pierre Parrend
Sent: Thursday, August 16, 2007 4:20 AM
To: silky
Cc: SC-L at securecoding.org
Subject: Re: [SC-L] Insider threats and software


Hello all,

I do not agree with Mike's point of view. Of course the unique way to cheat
a system is to understand how it is working, and to abuse it. But the main
difference is that you can hardly talk about protocol in the case of
applications: if you have a given protocol, you 'just' need to build a
firewall that checks that the protocol is properly working. In the case of
software level insider attack, you would therefore need a dedicated firewall
for every application you provide, which seems difficult both in terms of
development and performance cost.

The differences I see between the two cases are the following:

- attacks are now performed at the applicative level. And no simple
interface between the user and the application can be identified, since a
heavy client is involved (the interface is no longer a single protocol, but
a whole application).

- the matter becomes even worse if the systems are dynamic (such as with
MIDP, or OSGi, or any plug-in mechanism), which does not yet occur with
online games, but soon could.

The last case makes a shift in the potential attacks quite likely: it is
sufficient to make malicious components freely available to perform attacks,
even without illegally modifying existing code. The problem of client-based
attack is bound with the one of integration of off-the-shelf components: how
is it possible to control the execution process for every self-developed or
third-party, local or remote, piece of code? Both involve application level
'protocols' to perform insider attacks, which are not so easy to tackle.

I.e. what Gary is describing is (to my view) not the ultimate insider, but a
step toward a worsening of the security state of systems.

regards,

Pierre P.


Quoting silky <michaelslists at gmail.com>:

i really don't see how this is at all an 'insider' attack; given that
it is the common attack vector for almost every single remote exploit
strategy; look into the inner protocol of the specific app and form
your own messages to exploit it.



On 8/15/07, Gary McGraw <gem at cigital.com> wrote:
Hi sc-l,

My darkreading column this month is devoted to insiders, but with a
twist.
In this article, I argue that software components which run on
untrusted clients (AJAX anyone?  WoW clients?) are an interesting new
flavor of insider attack.

Check it out:
http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1_1

What do you think?  Is this a logical stretch or something obvious?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

--
Pierre Parrend
Ph.D. Student, Teaching Assistant
INRIA-INSA Lyon, France
pierre.parrend at insa-lyon
web : http://www.rzo.free.fr
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
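The thread's practical question is what a server can do when the "protocol" is a whole client application that an attacker can replace or script: the only defensible position is that the server keeps its own state and checks every incoming message for both syntax and semantics before acting on it, which is also what Michael's "checks message queues for proper semantics and syntax" amounts to. The following is an added example written for this archive page, not code from any of the posters or from the projects they mention; it assumes a hypothetical tiny turn-based game protocol (JSON move messages, a tic-tac-toe board) that I constructed for illustration, and the sample queue of client messages is likewise constructed.

```python
"""Server-side validation of moves from an untrusted game client.

Hypothetical protocol (constructed for this example): each client message
is a JSON object {"type": "move", "row": int, "col": int}.  The server is
the only authority on whose turn it is, who holds which mark and what the
board looks like; nothing a client claims about those facts is believed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

BOARD_SIZE = 3
MAX_MESSAGE_BYTES = 1024
MOVE_FIELDS = {"type", "row", "col"}


class ProtocolError(ValueError):
    """Raised when a client message fails a syntax or semantics check."""


@dataclass
class Game:
    # Server-held state; the client never gets to describe it.
    board: list = field(default_factory=lambda: [[None] * BOARD_SIZE for _ in range(BOARD_SIZE)])
    turn: str = "X"
    players: dict = field(default_factory=dict)  # session id -> mark ("X" or "O")
    winner: Optional[str] = None


def parse_message(raw: bytes) -> dict:
    """Syntax check: bounded size, well-formed JSON, exactly the move fields."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ProtocolError("oversized message")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise ProtocolError("malformed message")
    if not isinstance(msg, dict) or msg.get("type") != "move":
        raise ProtocolError("unknown message type")
    # A modified client that adds fields such as "mark" or "turn" is rejected:
    # those facts are the server's to decide, so the protocol has no slot for them.
    if set(msg) != MOVE_FIELDS:
        raise ProtocolError("unexpected fields")
    for key in ("row", "col"):
        # bool is a subclass of int in Python, so it is excluded explicitly.
        if not isinstance(msg[key], int) or isinstance(msg[key], bool):
            raise ProtocolError(f"{key} must be an integer")
    return msg


def validate_move(game: Game, session_id: str, msg: dict) -> tuple:
    """Semantics check: is this move legal given the state the server holds?"""
    if game.winner is not None:
        raise ProtocolError("game is over")
    mark = game.players.get(session_id)  # identity comes from the session, not the message
    if mark is None:
        raise ProtocolError("session is not a player in this game")
    if mark != game.turn:
        raise ProtocolError("not your turn")
    row, col = msg["row"], msg["col"]
    if not (0 <= row < BOARD_SIZE and 0 <= col < BOARD_SIZE):
        raise ProtocolError("cell out of range")
    if game.board[row][col] is not None:
        raise ProtocolError("cell already taken")
    return row, col


def winner_after(board, mark) -> bool:
    """True if `mark` now holds a full row, column or diagonal."""
    lines = [board[i] for i in range(BOARD_SIZE)]
    lines += [[board[r][c] for r in range(BOARD_SIZE)] for c in range(BOARD_SIZE)]
    lines.append([board[i][i] for i in range(BOARD_SIZE)])
    lines.append([board[i][BOARD_SIZE - 1 - i] for i in range(BOARD_SIZE)])
    return any(all(cell == mark for cell in line) for line in lines)


def apply_move(game: Game, session_id: str, raw: bytes) -> str:
    """Handle one message end to end: parse, validate, and only then mutate state."""
    msg = parse_message(raw)
    row, col = validate_move(game, session_id, msg)
    mark = game.players[session_id]
    game.board[row][col] = mark
    if winner_after(game.board, mark):
        game.winner = mark
    game.turn = "O" if mark == "X" else "X"
    return "ok"


def process_queue(game: Game, queue) -> list:
    """Drain a queue of (session_id, raw_bytes); rejected messages never touch state."""
    results = []
    for session_id, raw in queue:
        try:
            results.append(apply_move(game, session_id, raw))
        except ProtocolError as err:
            results.append(f"rejected: {err}")
    return results


def demo_queue():
    """Constructed sample traffic: one honest client and one tampered client."""
    game = Game(players={"alice": "X", "mallory": "O"})
    queue = [
        ("alice", b'{"type": "move", "row": 0, "col": 0}'),
        # tampered client moves out of turn and adds a field the protocol never had
        ("alice", b'{"type": "move", "row": 1, "col": 1, "turn": "X"}'),
        ("mallory", b'{"type": "move", "row": 0, "col": 0}'),     # cell already taken
        ("mallory", b'{"type": "move", "row": 5, "col": -1}'),    # out of range
        ("mallory", b'{"type": "move", "row": true, "col": 1}'),  # wrong type
        ("mallory", b'{"type": "move", "row": 1, "col": 1}'),
        ("eve", b'{"type": "move", "row": 2, "col": 2}'),         # not a player
        ("alice", b'not json at all'),
        ("alice", b'{"type": "move", "row": 0, "col": 1}'),
    ]
    return process_queue(game, queue), game


if __name__ == "__main__":
    for outcome in demo_queue()[0]:
        print(outcome)
```

The split into `parse_message` (shape of the bytes) and `validate_move` (meaning against server state) is the point: a network firewall can do the first job for a fixed wire protocol, but only the application that owns the state can do the second, which is why the "heavy client" case cannot be delegated to a generic box in front of the server.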