[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Survey: Use of Same Attack/Same Codebase content decision inVDB's

>The following is from Matt Bishop.
>   DOVES probably uses a "same attack" approach, given your terminology.
>My focus is on the nature of the vulnerability: what preconditions
>must exist for the vulnerability to exist (and therefore, in my lexicon,
>for the attack to work). Hence my opinion that it's a "same attack"
>   I've been silent for a while, though, because I question whether
>either an attack or a codebase approach is correct.
>   Let's take the example being bandied about: program version 1 has
>a vulnerbility that lets you crash the computer. In version 2, that
>same program, when sent the same attack, gives you supervisor privileges.
>Both a crash and a supervisor privilege put the system into an
>unauthorized state. They began when the system was in a vulnerable state,
>and executed the same commands to reach the unauthorized state. Hence
>the attacks were the same. But the state transitions are different; other-
>wise, the resultant (unauthorized) states would be the same. Hence I
>view this as two different vulnerabilities.

I like this, and it matches the "same results" modification I previously
mentionned -- I you think of the results as state transitions.

>From Steve's original email:
"Same attack, same software flaw = same vulnerability."

"Same attack, same results of the attack = same record".

So, I'm afraid there are really three choices.

Page Last Updated or Reviewed: May 22, 2007