[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability

Stuart Staniford-Chen wrote:

> <SNIP>
> That said, it seems to me that a "same attack" approach to the problem is
> subject to the same ontological slipperiness.  When are two "attacks" the
> same?  Clearly not just because the object code, or the source code, of an
> implementation of an attack is identical.  These details can change and yet
> allow the attack to proceed correctly against a given hole.  (Though there
> are folks creating databases of these attack tools at that level).  Even the
> sequence of system calls (and their arguments), or packets, required to
> implement an attack against a given vulnerability is not uniquely defined.

I'd agree we still have the same type of slipperiness, and we may develop some
fuzzy rules or something for abstracting attacks a bit, or perhaps learn just
what components of an attack are essential to it's success.  Even though we would
still have some problems like this, at least with the "same attack" approach we
would be basing our decisions on observable characteristics.  With "same
codebase", we have as you note some similar problems, plus too often we will not
have access to the actual code and therefore will have to base feed our fuzzy (or
whatever) decision process with guesses, thus compounding our problem.

org:The MITRE Corporation
adr:;;1820 Dolley Madison Blvd;McLean;VA;22102;
title:INFOSEC Engineer
fn:Bill Hill

Page Last Updated or Reviewed: May 22, 2007