[39732] in bugtraq
Re: On classifying attacks
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Tue Jul 19 16:35:51 2005
Message-ID: <42DD033D.3080705@novell.com>
Date: Tue, 19 Jul 2005 06:42:21 -0700
From: Crispin Cowan <crispin@novell.com>
MIME-Version: 1.0
To: "Black, Michael" <black@EssexCorp.com>
Cc: James Longstreet <jlongs2@uic.edu>, Derek Martin <code@pizzashack.org>,
bugtraq@securityfocus.com
In-Reply-To: <599093BB9416BA4F93619FAE038A031A03D33565@exchange.essexcorp.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Black, Michael wrote:
>You might try re-using the rather large effort that went into the CERT
>taxonomy:
>http://www.cert.org/research/taxonomy_988667.pdf
>
>You'll note the complete lack of "local" and "remote" in the taxonomy.
>
That pretty much tells me everything I need to know about whether I want
to use that taxonomy :)

>Remote exploit of Bind (causing "rm -r /*" to be executed):
>Attack:
> Tool: User Command
> Vulnerability: Design
>
"Design"?!

>If you really want to stick with "remote" and "local" I think you can
>define them thusly:
>Remote -- control/access of resources occurs from outside the
>machine/network
>Local -- control/access of resources occurs on the local machine (i.e.
>no network connection required)
>
Ok, but I had no trouble with those definitions in the first place, and
so far you have not captured the distinction Derek was asking about.

>Using this definition the email example is local and both bind examples
>are remote.

.. and any definition that classifies the e-mail example as "local" is
just broken.

Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Director of Software Engineering, Novell http://novell.com