VULNERABILITIES MEETING
May 17, 1999
4:00 – 5:00pm
3085 ENG II
In attendance:
Matt Bishop (MB), Tuomas Aura (TA), Keith Herold (KH), Ricardo Gomez (RG)
TOPICS
News Items
State of Vulnerabilities Database
News Items
- Symbolic Link - work is still in progress.
- Planning to submit the Vulnerabilities Analysis paper to the RAID conference. Would like the paper to be reviewed and to get feedback on this draft version.
  - Vulnerability classification has in the past had a top-down or tree structure. This paper states that this does not capture the full richness of the vulnerabilities.
  - Includes a review of earlier vulnerability classifications.
  - Includes text from Dave Bailey.
  - Discusses the relationship of vulnerabilities to specifications (section 3) - this area needs to be strengthened.
- David Ladd from Microsoft, director of corporate work in security, said he would donate 3 workstations.
- Break-in to Dick Walter's machines that totally wiped out his machines. Every Solaris box running 2.7 or higher. Also took out Physics computers - found because they tried to implement a second copy of inetd with a back door in it for using shell.
- Matt saw some unusual connections on his machine from Norway and Poland.
State of Vulnerabilities Database
- The template is set up - Keith is rewriting the template in Java.
- There are 80 vulnerabilities in the database, 15 of which are currently public.
- Dave Edwards is working on an independent project with attack tools. He is looking over an attack tool template.
- The FBI gave Matt a call regarding the vulnerabilities database and the signatures of attacks.
- Interest from Ausser in Australia.
- Mitre is building a classification of vulnerabilities - exclusively a numbering scheme. If they compete with other vulnerability databases, there will be infighting.
  - Vulnerabilities are listed by different names.
  - We need to add a Mitre ID number to our database.
  - Mitre will ultimately give decentralized temporary names while it determines if the vulnerabilities are already in its database.
  - Mitre is having problems distributing information to vendors - viewed as proprietary information.
- The signatures of vulnerabilities and attack tools are open. The language currently has no data.
- Signatures - when a machine is broken into, traces from the attack are left on the system. From these traces, we'd like to determine which attack tools caused them, so we set up a database of signatures to point back to the attack tools.
  - Is this feasible?
  - How can it be done? How can they be captured?
  - Can we create a language to map traces on a computer back to the attack tools?
  - TA: If an attack tool was created for a particular machine, there shouldn't be any traces. It will clean up any evidence.
  - MB: In practice, you still see traces in the system.
  - TA: The names of hidden files are not very reliable.
  - MB: That section of the database would be very unreliable, and probably one signature would point to many attack tools. But it's a good point for starting. I'd like to write some of this up to help out others.
- KH: We have resolved the try/catch thing. Tuomas looked through the specifications on-line and Keith looked it up in a book.
- TA: Several catches - Java executes the first match and doesn't look at any of the others. C and C++ don't jump.