|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: Survey: Use of Same Attack/Same Codebase content decision inVDB's
>The following is from Matt Bishop. >Steve, > DOVES probably uses a "same attack" approach, given your terminology. >My focus is on the nature of the vulnerability: what preconditions >must exist for the vulnerability to exist (and therefore, in my lexicon, >for the attack to work). Hence my opinion that it's a "same attack" >approach. > I've been silent for a while, though, because I question whether >either an attack or a codebase approach is correct. > Let's take the example being bandied about: program version 1 has >a vulnerbility that lets you crash the computer. In version 2, that >same program, when sent the same attack, gives you supervisor privileges. >Both a crash and a supervisor privilege put the system into an >unauthorized state. They began when the system was in a vulnerable state, >and executed the same commands to reach the unauthorized state. Hence >the attacks were the same. But the state transitions are different; other- >wise, the resultant (unauthorized) states would be the same. Hence I >view this as two different vulnerabilities. I like this, and it matches the "same results" modification I previously mentionned -- I you think of the results as state transitions. >From Steve's original email: "Same attack, same software flaw = same vulnerability." modification: "Same attack, same results of the attack = same record". So, I'm afraid there are really three choices. Pascal
|
||||
