You might try re-using the rather large effort that went into the CERT taxonomy:

http://www.cert.org/research/taxonomy_988667.pdf

You'll note the complete lack of "local" and "remote" in the taxonomy.

The email example of "rm -r /*" being executed would be:

Attack:
  Tool: Information Exchange
  Vulnerability: Design
  Action: Delete
  Target: Data
  Unauthorized Result: Corruption of Information

Remote exploit of Bind (causing "rm -r /*" to be executed):

Attack:
  Tool: User Command
  Vulnerability: Design
  Action: Delete
  Target: Data
  Unauthorized Result: Corruption of Information

Remote exploit of Bind (causing a shell to be opened):

Attack:
  Tool: User Command
  Vulnerability: Design
  Action: Bypass
  Target: Account
  Unauthorized Result: Increased Access

If you really want to stick with "remote" and "local" I think you can define them thusly:

Remote -- control/access of resources occurs from outside the machine/network
Local -- control/access of resources occurs on the local machine (i.e. no network connection required)

Using this definition the email example is local and both bind examples are remote. The bind vulnerabilities are completely solved by unplugging the machines from the network whereas the email machine may still be vulnerable after being disconnected.

_______________________________
Michael D. Black, MSIA, CISSP, IAM
Information Systems Security Officer
Essex Corporation
black@xxxxxxxxxxxxx

-----Original Message-----
From: Crispin Cowan [mailto:crispin@xxxxxxxxxx]
Sent: Sunday, July 17, 2005 4:59 AM
To: James Longstreet
Cc: Derek Martin; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: On classifying attacks

James Longstreet wrote:

> On Jul 14, 2005, at 9:39 PM, Derek Martin wrote:
>
>> This kind of attack has a name already: it is a trojan horse.
> <snip>
>> But is this a remote exploit?
>
> No, it's not an exploit at all. Systems are not vulnerable to it
> unless a local user runs an executable. The only thing it exploits
> is trust of email (or similar vector).
But it is a remote *attack*. There is no other word for it than "remote" when the attacker is not local.

Which is not to say that the distinction Derek raised is invalid; there certainly is a semantic difference between an attack delivered by an e-mail, which does nothing until the user reads it or clicks on something, and a traditional remote attack where the attacker exploits a flaw in a program that is listening. Such a program typically is a server (BIND, Apache, Sendmail) but could also be a client (Gaim). Pushing the boundaries, the program could be a web browser, where the attack does happen immediately, does not involve a Trojan, but does still require the user to do something like click a particular URL.

So what we have is a very complicated space full of adjectives:

* Attack: doing bad stuff to someone else's stuff.
* Vulnerability: an unfortunate software flaw or configuration that enables an attack. It might be very specific, such as a buffer overflow vulnerability in a particular program, or it might be very general, such as "running Outlook with administrator privilege".
* Exploit: software that automates attacking a vulnerability.
  o *Note:* by this definition, an e-mail virus that leverages the common fact that many users run Outlook as administrator is in fact an "exploit", even if it is a weak one.
* Remote: attacker is over there somewhere, usually across some kind of network.
* Local: attacker and victim are connected to the same computer.
  o *Note:* in common parlance, this usually means that the attacker must compose a local vulnerability with some other vulnerability that will get them a login shell on the machine to be attacked, or must be granted legitimate access to the machine.

These terms are all commonly used in Bugtraq discussions, and I believe these definitions follow common usage. Using these terms precisely is important. Yet none of them capture the distinction Derek pointed out, and so perhaps we need a new term.
We could say that attacks against connected programs like BIND and Gaim are "synchronous" and attacks that involve sending now for impact later such as e-mailed malware are "asynchronous".

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Director of Software Engineering, Novell http://novell.com