Subject: Interesting papers about vulnerability classification and a possible proposal to move forward


As I am still trying to get my head around this classification problem we
are working through, I started searching the web for abstracts about
other projects for experience of how others have dealt with it. There are
some wise thoughts from Matt Bishop in the following two papers:

http://downloads.securityfocus.com/library/1996-nissc-vn.pdf

http://seclab.cs.ucdavis.edu/secsem2/09-01-99-Matt/matt.ppt

I am leaning (tonight) towards thinking that the approach suggested in both,
of essentially decomposing vulnerabilities into characteristics and organizing
them into a thesaurus that can be used for classifying issues, seems to
resonate with what we are trying to do and would work the best. Essentially
we would group vulnerabilities with "like" characteristics. The
characteristics could be used to create classification schemes.

Essentially this is not a million miles from the original OWASP ASAC.

Characteristics, maybe:

Techniques
    Modify Existing Requests
    New Requests

Attack Surface
    System Boundary
    Component Boundary
    Source Code

Target
    Application Component
    Infrastructure Component
    User

Consequences
    Denial of Service
    Elevated Privileges
    Transfer of Trust
    Spoofed Identity
    Revelation of Additional Data
    Security Requirements Fail

The groups, maybe:

Logic Conditions

Boundary Validation
    Canonicalization
    Modified Existing Requests
        SQL Injection
        LDAP Injection
        OS Command Injection
        Script Injection
            HTML Injection
                XSS to call JS
            JavaScript
                XSS
            ASP Scripts
            PHP Scripts
    Addition to Existing Requests
        Directory Traversal
    New Requests

Infrastructure Configuration Management
    Insecure Default Configurations
    Security Patches
    Exposed Administration Interfaces

User Privacy

Session Management
    Session Timeout
    Session Hijacking

Access Control
    Authentication
    Authorization

Data Protection
    Cryptography
    Transport Security

Buffer Overflows
    Heap Overflow
    Stack Overflow
    Format String

Race Conditions


What do people think of this idea ?
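To make the faceted-thesaurus idea concrete, here is an added Python sketch (not from the post, OASIS or Bishop's papers): the four characteristics above become a controlled vocabulary, each vulnerability is tagged with terms validated against it, and a classification scheme is derived by grouping on any one characteristic. The facet assignments for the sample entries are constructed assumptions; the post names these groups but does not tag them.

```python
from collections import defaultdict

# Characteristics and their allowed terms, taken from the proposal in the post.
THESAURUS = {
    "technique": {"Modify Existing Requests", "New Requests"},
    "attack_surface": {"System Boundary", "Component Boundary", "Source Code"},
    "target": {"Application Component", "Infrastructure Component", "User"},
    "consequences": {"Denial of Service", "Elevated Privileges", "Transfer of Trust",
                     "Spoofed Identity", "Revelation of Additional Data",
                     "Security Requirements Fail"},
}

def classify(name, **facets):
    """Tag a vulnerability with characteristics validated against the thesaurus.
    Unknown characteristics or terms raise ValueError, keeping the vocabulary controlled."""
    entry = {"name": name}
    for facet, terms in facets.items():
        if facet not in THESAURUS:
            raise ValueError(f"unknown characteristic: {facet}")
        terms = {terms} if isinstance(terms, str) else set(terms)
        unknown = terms - THESAURUS[facet]
        if unknown:
            raise ValueError(f"{facet}: terms not in thesaurus: {sorted(unknown)}")
        entry[facet] = terms
    return entry

def group_by(entries, facet):
    """Derive one classification scheme: group entries sharing a term of one facet."""
    groups = defaultdict(set)
    for entry in entries:
        for term in entry.get(facet, ()):
            groups[term].add(entry["name"])
    return dict(groups)

# Constructed sample tagging (assumption): the post names these groups but does not tag them.
SAMPLE = [
    classify("SQL Injection", technique="Modify Existing Requests",
             attack_surface="Component Boundary", target="Application Component",
             consequences={"Revelation of Additional Data", "Elevated Privileges"}),
    classify("XSS", technique="Modify Existing Requests", attack_surface="System Boundary",
             target="User", consequences={"Transfer of Trust", "Spoofed Identity"}),
    classify("Heap Overflow", technique="Modify Existing Requests",
             attack_surface="Component Boundary", target="Infrastructure Component",
             consequences={"Denial of Service", "Elevated Privileges"}),
    classify("Exposed Administration Interfaces", technique="New Requests",
             attack_surface="System Boundary", target="Infrastructure Component",
             consequences="Elevated Privileges"),
]
```

Calling `group_by(SAMPLE, "consequences")` gives the "Elevated Privileges" group spanning injection, overflow and configuration issues, which is the cross-cutting grouping a single hierarchical tree cannot express.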