Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's
>The following is from Matt Bishop.
> DOVES probably uses a "same attack" approach, given your terminology.
>My focus is on the nature of the vulnerability: what preconditions
>must exist for the vulnerability to exist (and therefore, in my lexicon,
>for the attack to work). Hence my opinion that it's a "same attack"
> I've been silent for a while, though, because I question whether
>either an attack or a codebase approach is correct.
> Let's take the example being bandied about: program version 1 has
>a vulnerability that lets you crash the computer. In version 2, that
>same program, when sent the same attack, gives you supervisor privileges.
>Both a crash and a supervisor privilege put the system into an
>unauthorized state. They began when the system was in a vulnerable state,
>and executed the same commands to reach the unauthorized state. Hence
>the attacks were the same. But the state transitions are different; otherwise,
>the resultant (unauthorized) states would be the same. Hence I
>view this as two different vulnerabilities.
I like this, and it matches the "same results" modification I previously
mentioned -- if you think of the results as state transitions.
From Steve's original email:
"Same attack, same software flaw = same vulnerability."
"Same attack, same results of the attack = same record".
So, I'm afraid there are really three choices.