Insider threats and software {EOG}

[gem at cigital.com (Gary McGraw)]

Hi Michael,

I think thinking about firewalls and protocol analysis is missing the point almost entirely.  Remember, the subverted 
client is behaving itself from the perspective of the server.  It's just doing normal game client things...only in the 
case of a bot it is being driven by outside logic written by the no-longer-present gamer who wants to create virtual 
wealth while sleeping.

How would a host-based firewall help?  The GAMER controls the host!  Why on earth would the gamer/attacker allow a 
firewall to get in the way of game client subversion?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Michael S Hines
Sent: Thursday, August 16, 2007 11:04 AM
To: SC-L at securecoding.org
Subject: Re: [SC-L] Insider threats and software

Doesn't an execution sandbox serve similar funtions to a firewall, but at
the host level?  Can't even more control be added to a sandbox than can be
set on a firewall?

Second, doesn't a host based firewall (even on desktops) provide the
security you are talking about (providing they work propery - which is
another topic).

Am I missing the point?

Or are you thinking of something that checks message queues for proper
semantics and syntax (since some OS's are message based and work from
message queues)?

M.
-----------------------------
Michael S Hines
mshines at purdue.edu

-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of Pierre Parrend
Sent: Thursday, August 16, 2007 4:20 AM
To: silky
Cc: SC-L at securecoding.org
Subject: Re: [SC-L] Insider threats and software


Hello all,

 I do not agree with Mike's point of view. Of course the unique way to cheat
a system is to understand how it is working, and to abuse it. But the main
difference is that you can hardly talk about protocol in the case of
applications: if you have a given protocol, you 'just' need to build a
firewall that checks that the protocol is properly working. In the case of
software level insider attack, you would therefore need a dedicated firewall
for every application you provide, which seem difficult both in term of
development and performance cost.

The differences I see between the two cases are the following:

- attacks are now performed at the applicative level. And no simple
interface between the user and the application can be identified, since a
heavy client is involved (the interface is no longer a single protocol, but
a whole application).

- the matter becomes even worse if the systems are dynamic (such as with
MIDP, or OSGi, or any plug-in mechanism), which does not yet occurs with
online games, but soon could.

last case make a shift in the potential attacks quite likely: it is
sufficient to make malicious components freely available to perform attacks,
even without illegally modifying existing code. The problem of client-based
attack is bound with the one of integration of off-the-shelf components: how
is it possible to control the execution process for every self-developed of
third party, local or remote, piece of code ? Both involve application level
'protocols' to perform insider attacks, which are not so easy to tackle,

I.e what Gary is describing is (to my view) not the ultimate insider, but a
step toward a worsening of the security state of systems.

regards,

Pierre P.


Quoting silky <michaelslists at gmail.com>:

> i really don't see how this is at all an 'insider' attack; given that
> it is the common attack vector for almost every single remote exploit
> strategy; look into the inner protocol of the specific app and form
> your own messages to exploit it.
>
>
>
> On 8/15/07, Gary McGraw <gem at cigital.com> wrote:
> > Hi sc-l,
> >
> > My darkreading column this month is devoted to insiders, but with a
twist.
> In this article, I argue that software components which run on
> untrusted clients (AJAX anyone?  WoW clients?) are an interesting new
> flavor of insider attack.
> > Check it out:
> > http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1
> > _1
> >
> > What do you think?  Is this a logical stretch or something obvious?
> >
> > gem
> >
> > company www.cigital.com
> > podcast www.cigital.com/silverbullet blog
> > www.cigital.com/justiceleague book www.swsec.com
> >
> > _______________________________________________
>
>
> --



--
Pierre Parrend
Ph.D. Student, Teaching Assistant
INRIA-INSA Lyon, France
pierre.parrend at insa-lyon
web : http://www.rzo.free.fr
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________


_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________