[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
2-tiered case Re: Expediency or Correctness WAS: Level ofAbstraction
- To: cve-review@linus.mitre.org
- Subject: 2-tiered case Re: Expediency or Correctness WAS: Level ofAbstraction
- From: Pascal Meunier <pascalm@cup.hp.com>
- Date: Sat, 10 Jul 1999 12:18:26 -0800
- In-Reply-To: <37849FCA.CE8ADCAD@mitre.org>
- References: <61143C10CC8AD211A2F10000F878E6830D51E1@ns.rc.on.ca>
>Russ wrote: >> If you want something that's simple, has fewer entries, and is less >> subject to criticism, I'll shut up. > >At the risk of incorrectly speaking for MITRE (Bill >and Steve and a host of others may disagree with me >on anything I say!), I think what MITRE wants is to >help facilitate whatever is best for the community. >That's not a platitude. It really is the driving >charter of MITRE. > >If the right thing for the community is for there >to be something that is more complex, has more >entries (and is more work for us all to produce) and >is subject to less criticism, then by all means, now >is the time to speak. Below is an example of a vulnerability that needs to be described at two different "levels of abstraction", IMHO. >================================= >Candidate: CAN-1999-0216 >Published: >Final-Decision: >Interim-Decision: >Modified: >Announced: 19990630 >Assigned: 19990607 >Category: SF > >Denial of service of inetd on Linux through SYN and RST packets. > >VOTE: RECAST The location of the vulnerability, whether in the Linux kernel or the application, is debatable. Any program making the same (reasonnable) assumption is vulnerable, i.e., implements the same vulnerability: "Assumption that TCP-three-way handshake is complete after calling Linux kernel function accept(), which returns socket after getting SYN. Result is process death by SIGPIPE" Moreover, whether it results in DOS (to third parties) depends on the process that made the assumption. Since I can't think of a way to represent this by a single entry, the present entry should be split, one entry for every application that implements the vulnerability (really describing threat instances, which is what other people think about when we talk about vulnerabilities), and one entry for the Linux kernel that allows the vulnerability to happen. So, one level of abstraction is the "threat instance" (my choice of words) -- each application that implements the flaw, and this is the "useful for sysadmins" level. The other describes the fundamental miscommunication in assumptions -- the kernel assumes it's the application's job to make sure the handshake is finished, whereas the applications think it's the kernel's job, and this is the vulnerability that will (should) be entered in research-oriented vulnerability databases. Pascal
- References:
- RE: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
- From: Russ <Russ.Cooper@rc.on.ca>
- Expediency or Correctness WAS: Level of Abstraction
- From: Dave Mann <damann@mitre.org>
- RE: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
- Prev by Date: Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
- Next by Date: Test, Ignore
- Prev by thread: Expediency or Correctness WAS: Level of Abstraction
- Next by thread: FINAL CONTENT DECISION: Use "Same Codebase" LOA for Software Flaws
- Index(es):
