Network Security Vuln-Dev
Re: On classifying attacks

Subject: Re: On classifying attacks
Date: Mon, 18 Jul 2005 21:20:37 -0400
On Mon, Jul 18, 2005 at 10:49:00AM -0500, James Longstreet wrote:
| > We disagree here.  The vulnerability is neither truly remote nor
| > local, in the normal senses as we have defined them here.  It is a
| > different kind of vulnerability altogether.  The vulnerability is one
| > to automatically triggering trojan horses....  Just as in the case of
| > the fabled Trojan Horse, there is no vulnerability at all until the
| > local users make a decision to trust something (data in this case,
| > rather than a hollowed out horse-shaped monument) from an outside
| > source.  In this case, the trust is given implicitly rather than
| > explicitly.  This is no different than if I handed you a disk, told
| > you to run the program on the disk, and you did so -- resulting in the
| > destruction of your hard drive.  Would you call this a remote
| > vulnerability?  Of course not.  But the mechanism is exactly the
| > same... except that some of the minor details are different.
| 
| It's completely different.  If you gave me a program on a disk, I wouldn't
| run it, because I know that programs that I run can do whatever they want
| on my system.  That's not because of a bug, it's because that's what a
| computer does -- run programs.

Just as an aside, no.

Operating systems run programs and control access to resources.  The
idea that any program can do anything to your system is a strange
one.  Systems like Goldberg and Wagner's Janus, or Cowan and co.'s
Subdomain, or heck, even the Java security manager, impose limits on
what a program that you run can do.

That most commercial operating systems lack these sorts of controls is
unfortunate.  I would really like to be able to limit what files and
directories my mail client or web browser can touch.

| If you gave me a program on disk and I ran it, I am giving you permission
| to run arbitrary code on my system.  Therefore, there is no bug.  The
| blame lies solely on me, not on my operating system, computer, or the
| program itself.

Again, the blame lies on your operating system for not letting you do
what you want in a common situation.

That's neither here nor there with regards to the local/remote or
credentialed/anonymous discussion.  But I think that on a security
list, we should not underestimate the value of OS features.

Adam
