OASIS Mailing List Archives

 




Subject: RE: [was] Blended threats


I think that we need to limit our focus to the "entry attack", as you put
it.

For example, what about an attack that allows for "shell command injection".
How would you describe or define what the attacker is able to do with access
to a shell? That is almost arbitrarily complex, I would think. 

Unless you are trying to come up with an "effects" *category*, rather than
detailed effect.

E.g. "arbitrary shell access", "arbitrary SQL command execution"

That could be combined with a "permission" attribute, to obtain:

E.g. "Arbitrary shell access as root", "arbitrary SQL command execution as
sa", 

which would give a pretty good indication of the extent of the problem. 

I don't think that it really makes sense to try to take this further than
the entry point, though.

Rogan

> -----Original Message-----
> From: Jeremy Poteet [mailto:jeremy@poteet.com] 
> Sent: 17 July 2003 09:50 PM
> To: was@lists.oasis-open.org
> Subject: Re: [was] Blended threats
> 
> 
> On 7/17/03 1:35 PM, "Nasseam Elkarra" <nelkarra@opensec.org> wrote:
> 
> > It is more than a buffer overflow as someone mentioned in the call and
> > can fit into more than one category. However, blended threats usually
> > have an entry point. In this case, the buffer overflow provided CodeRed
> > the necessary privileges to perform the latter attacks. In scenarios
> > like this, we can try to classify the threat in multiple categories or
> > simply focus on the entry attack.
> 
> I think this idea of whether we focus on only the entry attack or not is an
> important issue.  For example a SQL Injection attack can be used to launch
> all sorts of other attacks.
