Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
> Like the Russian dolls game, casting the enumeration
> of vulnerabilities problems in terms of "same codebase"
> seems to reveal a similar sub-problem. Namely, how does
> one enumerate all codebases? Or putting it another way,
> when are 2 codebases different? Or the same? Is a dll
> a part of (one of) the application(s) it supports or is
> it a seperate codebase? Bishop's question concerning
> changes in the OS affecting a vulnerability in an application
> begs the question of drawing the line between an OS
Forgive me if I'm out of the loop here - I have not been able to keep up with
my email of late, and so I haven't read all of, still less thought carefully
about all of, the email on this list. (I regret that since the discussion
seems to be fascinating).
That said, it seems to me that a "same attack" approach to the problem is
subject to the same ontological slipperiness. When are two "attacks" the
same? Clearly not just because the object code, or the source code, of an
implementation of an attack is identical. These details can change and yet
allow the attack to proceed correctly against a given hole. (Though there
are folks creating databases of these attack tools at that level). Even the
sequence of system calls (and their arguments), or packets, required to
implement an attack against a given vulnerability is not uniquely defined.
Stuart Staniford-Chen --- President --- Silicon Defense
(707) 822-4588 (707) 826-7571 (FAX)