From: "Todd Heberlein" 
To: "Ricardo Anguiano" ,
        "Peter Mell" ,
        "Nikhil Ashok Joshi" ,
        "Matt Bishop" ,
        "L. Todd Heberlein" ,
        "David O'Brien" ,
        "Howard Liuh" ,
        "Steve Samorodin" 
Subject: Vulnerabilities minutes, 29 Oct 1997
Date: Tue, 4 Nov 1997 10:58:34 -0600


Minutes from the Vulnerabilities meeting on 29 Oct 1997 Attendees: Matt Bishop, Howard Liuh (sp?), David O'Brien, Peter Mell, Ricardo Anguiano, Nik Joshi, and Todd Heberlein.
The vulnerabilities meeting, initially held Wednesday afternoon, has been changed to Wednesday at 10am (except for the next meeting, 5 Nov 97, which is to be held at 9am). The change in meeting time was in part to accommodate Steve Samorodin which had a time conflict for today's (29 Oct) meeting. The next vulnerabilities meeting (5 Nov) is at 9am in the third-floor conference room. The earlier meeting time is to allow Matt Bishop to attend another meeting in the Bay Area. The Boeing meeting, which is normally held at 9am, will be held at 10am. Note, this schedule is a one time event. [NOTE: Since last week's meeting, Steven Samorodin told me that last week's conflict was a one time event, and his normal meeting with Raju is at 10am, which of course conflicts with the new vulnerabilities meeting schedule. We need to iron this out]
Matt would like to keep the database in the SGML format. SGML is a general structured document format language, and it is used to define the HTML language used in the WWW. There are several tools to convert documents kept in SGML format into other document formats including HTML, Word, and Framemaker. Thus, we can export the vulnerabilities information into a number of different document formats. Matt also wants to keep links from the vulnerabilities descriptions in SGML to the actual attacks. [MATT: Could you bring some examples of SGML documents, as well as conversions of those documents into Word?]
We would also like to put much of the analysis and data organization available on the Web. Ideally, the HTML pages for the web will simply be generated from the SGML pages from the database.. Actual attack tools and executable code, however, must be kept on the isolated network. Even if these attack tools are already available on the Internet (which they most probably will be), we do not want to be known as the one-stop-shopping locations for hackers. [NOTE: We have yet to identify a Web-master (mistress) for this project]
Initially we will try to focus on network-based attacks (i.e., attacks not launched once you have a login shell). Part of the reasoning is that attacks launched from a command line are easy to mask to avoid detection. We also want to focus on attacks against Solaris (DoD customer), HP-UX (they donated HP equipment and may become more involved with our activities), and Windows NT and 95 (Intel customer). Other customers for this work are the actual intrusion detection projects (e.g., Boeing and GrIDS). These projects need to be able to actually launch the attacks and observer the packets generated by the attack, so they can tune their particular detection mechanisms. They also need to be able to demonstrate to their customers that they can actually detect the attacks (e.g., by launching the attacks and having their system raise an alarm).
Because these attacks may involve only particular versions of the OS (e.g., Solaris 2.4), and because these attacks may corrupt the OS itself (e.g., some attacks against NT may require a reinstall of the OS), Matt is looking into a CD-ROM maker. The ideas is that we can make an image of a disk containing an OS on the CD-ROM, and then a reinstall of the OS would "simply" require us to copy the image of the OS from the CD back to the disk. I am not sure how simple this procedure is, but Lincoln Labs does this. We need to identify exact procedures for the various OSes. A CD-ROM burner is now in the "few hundred" dollars range, and writeable CDs are in the "few" dollars range. We have yet to identify a funding source for purchasing a CD-ROM burner, but the actual CDs can probably be absorbed in overhead.
David put together an extensive list of Web sites associated with attacks and vulnerabilities. We are now faced with several issues, including: (1) finding actual attacks that we can compile and run and (2) determining how we can "add value" to the vast amount of data already available. Since we are still trying to search for a direction on how to do this, we have decided that each of us should start by trying to find some attacks on our own and report back on our findings. Once we have a handle on what is really available to us, we can move forward from there. Matt is going to try to contact CERT to see if they can give us some attack tools along with any analysis they may have already have. Once we have a handle on what is out there and have a source of attacks, we will try to present/analyze 2-3 attacks and the vulnerabilities they exploit each week.
Another goal is to publish our work. Publishing helps focus our work, wins brownie points at the University, and it helps promote visibility (especially to potential sponsors). One potential conference is the "National" conference (National Information Systems Security Conference, NISSC), held October 5-9 in Crystal City, VA (Washington DC area). Submissions are due Feb 2, 1998. Since the meeting, I have received some mail announcing an IEEE Computer special issue on Network Security to be published August 1998. Submission deadline is Jan 15, 1998.
David O'Brien will update the vulnerabilities mailing list. The mail alias is vulner@cs.ucdavis.edu.
Todd