VULNERABILITIES MEETING
May 17, 1999
4:00 5:00pm
3085 ENG II

In attendance:
Matt Bishop (MB), Tuomas Aura (TA), Keith Herold (KH), Ricardo Gomez (RG)

TOPICS

    News Items
    State of Vulnerabilities Database
  1. News Items
    1. Symbolic Link - work is still in progress
    2. Planning to submit Vulnerabilities Analysis paper to RAID conference. Would like the paper to be reviewed and get feedback of this draft version.
      1. Vulnerability classification has in the past had a top-down or tree structure. This paper states that this does not capture the full richness of the vulnerabilities
      2. Includes a review of earlier vulnerabilities classifications
      3. Includes text from Dave Bailey
      4. Discusses the relationship of vulnerabilities to specifications (section 3) - this area needs to be strengthened
    3. David Ladd from Microsoft, director of corporate work in security, said he would donate 3 workstations.
    4. Break in to Dick Walter's machines that totally wiped out his machines. Every Solaris box running 2.7 or higher. Also took out Physics computers - found because they tried to implement a second copy of InetD with a back door in it for using shell.
      1. Matt saw some unusual connections on his machine from Norway and Poland.
  2. State of Vulnerabilities Database
    1. The template is set up - Keith is rewriting the template in Java.
    2. There are 80 vulnerabilities in the database, 15 are currently public.
    3. Dave Edwards is working on an independent project with attack tools. He is looking over an attack tool template.
    4. FBI gave Matt a call regarding the vulnerabilities database and the signatures of attacks
    5. Interest from Ausser in Austrailia
      1. Mitre is building a classification of vulnerabilities - exclusively a numbering scheme. If they compete with other vulnerability databases, there will be infighting.
        1. Vulnerabilities are listed by different names
        2. We need to add a Mitre ID number to our database
        3. Mitre will ultimately give decentralized temporary names while it determines if the vulnerabilities are already in its database.
        4. Mitre is having problems distributing information to vendors - viewed as proprietary information.
    6. The signatures of vulnerabilities and attack tools are open. The language currently has no data.
    7. Signatures - when a machine is broken in to, traces from the attack are left on the system. From these traces, we'd like to determine which attack tools caused them, so we set up a database of signatures to point back to the attack tools.
      1. Is this feasible?
      2. How can it be done? How can they be captured?
      3. Can we create a language to map traces on a computer back to the attack tools?
      4. TA: If an attack tool was created for a particular machine, there shouldn't be any traces. It will clean up any evidence.
        1. MB: In practice, you still see traces in the system.
      5. TA: The names of hidden files are not very reliable
        1. MB: That section of the database would be very unreliable, and probably one signature would point to many attack tools. But it's a good point for starting. I'd like to write some of this up to help out others.
    8. KH: We have resolved the try/catch thing. Tuomas looked through the specifications on-line and Keith looked it up in a book.
      1. TA: Several catches - Java executes the first match and doesn't look at any of the others. C and C++ don't jump.