Thursday, July 28, 2005

Classifying network attacks

Some of the Lincoln Lab work that I was involved in back around 1998 got brought up again on Bugtraq. I finally felt compelled to post there again. For brevity I made a much shorter post, but here's the full rambling text before I managed to edit it down a bit. Context: The discussion was how to categorize attacks. Historically the industry has used the words "local" to definte an attack that gets someone super-user privileges when they are a normal user on the system, and "remote" allows someone who merely has network access to the machine to gain actual permissions on it. Crispin Cowan wrote: > I participated in that Lincoln Labs study, and my recollection is > that the remote/local distinction was already popular on bugtraq at > the time. I was working on that project, and Dr. Cowan's recollection matches mine. Talks of "local" and "remote" were already in use somewhat on Bugtraq, although I don't think they had yet become universal. (I'd like to claim that the Lincoln studies helped push use of those terms along, but the concepts are so simple and elegant that their universal use was inevitable.) One of the mental models involved in those 1998 classifications of attacks was a "presence" of an attacker -- is the attacker outside your network, on your network, or on your machine as a non-privileged user? This model doesn't necessarily fit in well with some of today's most common attacks, as was mentioned when this thread started. It's not that trojan horses (whether you interpret that to mean just hostile applications, or hostile data run by vulnerable applications) weren't known about in 1998. It's that those attacks weren't considered all that important when compared to things that were more common at the time -- smurf attacks, pings of death, Sendmail buffer overflows, SYN queue starvation. I've seen a lot of classification schemes proposed on Bugtraq in the intervening years, some of them quite good. (Search the archives for "taxonomy" or "classification".) But unless they are -very- simple to use, they won't be taken up by the community. If you can come up with a single word that imputes the concept of "malicious data that I can easily get onto the victim's machine and in front of the victim's eyes but requires him to run it," that would be a great step forward. Simplicity is key. (Unlike this posting, which I did not have time to make shorter and simpler.) But a foolish consistency is the hobgoblin of taxonomies. How do phishing attacks fit in with that 1998 taxonomy? I could suppose it's called local-to-root, but a better response would be to a) come up with a better taxonomy, or b) accept that every possible "attack" in the world may not fit into a given taxonomy. It seems the CVE folks have just accepted that exact fits aren't going to happen and are living with a bit of imprecisenss. Trying to come up with a perfect taxonomy will drive you insane, especially as you are dealing with the classification of the actions of very creative humans. And on the subject of compound attacks, there was also some work coming out of Rome Labs at about the same time that was doing some formalizing the chaining of, say, remote-to-local with local-to-root attacks to make a remote-to-root attack.


Blogger Dan Weber said...

And now I get the flood of broken auto-responders, vacation reminders in a dozen different languages, and "mailbox full" messages.

Ah, Bugtraq. How I missed thee.

7:04 AM  

Post a Comment

<< Home