Comments on: Do Kings Play Chess on Folding Glass Stools? http://emergentchaos.com/archives/2006/10/do-kings-play-chess-on-folding-glass-stools.html The Emergent Chaos Jazz Combo Tue, 27 Jul 2010 23:33:25 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: SteveChristey http://emergentchaos.com/archives/2006/10/do-kings-play-chess-on-folding-glass-stools.html/comment-page-1#comment-2743 SteveChristey Thu, 12 Oct 2006 19:45:02 +0000 http://emergentchaos.com/?p=2005#comment-2743 Having thought quite a bit about taxonomies as part of the CWE project and general CVE-ness, I think one of the biggest challenges for vulnerability classification is that most vulns are not 'atomic'. Think of symlink issues, which combine randomness, race conditions (sometimes), permissions, and non-atomic actions (making a temp file in 2 steps instead of one), not to mention API/design limitations that make symlink issues possible in the first place. Or directory traversal which, if you get beyond just "..", brings in elements of canonicalization or order-of-operations. You could also argue that what I'm talking about are attacks instead of vulns. For many issues, there can be several sequences of actions and conditions that, when combined, form a vuln. In some ways integer overflows are related to buffer overflows, but only if they occur in parts of the code that deal with copying data; there's no reason why an integer overflow can't be part of a numeric comparison that decides whether someone should get special privileges. And then think about the fact that if an integer overflow occurs, *a mistake was already made* somewhere earlier. And, XSS and exploitable buffer overflows both share the property of mixing data and code. Now maybe we just haven't identified the correct properties to form the ideal taxonomy for uniquely identifying vulns, and I have some emerging thoughts on that, but I think we still have a good way to go. Having thought quite a bit about taxonomies as part of the CWE project and general CVE-ness, I think one of the biggest challenges for vulnerability classification is that most vulns are not ‘atomic’. Think of symlink issues, which combine randomness, race conditions (sometimes), permissions, and non-atomic actions (making a temp file in 2 steps instead of one), not to mention API/design limitations that make symlink issues possible in the first place. Or directory traversal which, if you get beyond just “..”, brings in elements of canonicalization or order-of-operations. You could also argue that what I’m talking about are attacks instead of vulns. For many issues, there can be several sequences of actions and conditions that, when combined, form a vuln. In some ways integer overflows are related to buffer overflows, but only if they occur in parts of the code that deal with copying data; there’s no reason why an integer overflow can’t be part of a numeric comparison that decides whether someone should get special privileges. And then think about the fact that if an integer overflow occurs, *a mistake was already made* somewhere earlier. And, XSS and exploitable buffer overflows both share the property of mixing data and code. Now maybe we just haven’t identified the correct properties to form the ideal taxonomy for uniquely identifying vulns, and I have some emerging thoughts on that, but I think we still have a good way to go.

]]> By: Iang http://emergentchaos.com/archives/2006/10/do-kings-play-chess-on-folding-glass-stools.html/comment-page-1#comment-2742 Iang Thu, 12 Oct 2006 15:24:39 +0000 http://emergentchaos.com/?p=2005#comment-2742 for some reason ... I am reminded of today's post from 'Cubicle: <blockquote><i>Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven’t previously considered and accounted for.</i></blockquote> <a href="http://thurston.halfcat.org/blog/2006/10/11/the-last-security-analogy-youll-ever-need" rel="nofollow">Not Bad for a Cubicle :-)</a> for some reason … I am reminded of today’s post from ‘Cubicle:

Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven’t previously considered and accounted for.

Not Bad for a Cubicle :-)

]]>