From: "Vladimir Z. Nuri" <vznuri@netcom.com>
Date: Mon, 16 Oct 95 14:33:53 PDT
To: williams@va.arca.com
Subject: Re: proposal: "security spectrum scale" (SSS)
In-Reply-To: <2648899582.57910054@va.arca.com>
Message-ID: <199510162132.OAA25544@netcom5.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



>> it seems to me what is lacking in all this is a *security spectrum*.
>> unfortunately security experts sometimes have a tendency to equate
>> *any* security weakness with a catastrophic one. while this is a good
>> approach in general, i.e. to be as conservative as possible, in 
>> practice there can be no doubt that some security weaknesses are far
>> less severe than others.
>
>Unfortunately, severity is a question of perspective.  In some
>environments, an operating system crash could be considered catastrophic.
>In others, it just means reboot and continue.  I'm not a policy wonk,
>but security is relative to what you care about.

I gave some examples in the initial message. the rating would not
be overly sophisticated, but would cover situations where it is 
pretty obvious which is more insecure than something else. for example
submitting arbitrary code is far worse than merely crashing a server.
or, messing up a client is generally less severe than
crashing a server (which potentially affects a lot more people).
being able to do something *undetected* is
much worse than being detected (during or after the fact). 
viruses are pretty much worse than stuff that can't repropagate
itself, etc.

an example of this is that one article compared netscape
buffer overflows to the Morris internet worm. this was pretty
obviously way out of line IMHO.

>The only way to unify security rankings is to constrain the problem by
>assuming an environment and intended uses for the system.  It sounds
>like you are assuming a low assurance workstation with an internet
>connection which is used for non-critical home or business purposes.

well, this would be a ranking for the general public to help them
understand security problems, so yes, I think it would generally
apply to commercial or internet type environments.

the orange book rating is a reasonable start as you mention. also,
thanks for the paper reference. actually what I am hoping is that
someone from, say, CERT picks up the idea and uses it in their
security bulletins. this would be a good place to bootstrap it
into security consciousness.

>Any flaw rating system needs to consider how it will deal with advancing
>protection technology.  For example, susceptability to viruses is much less
>critical than it would be if there were no anti-virus software available.

I disagree. this rating would apply to potential problems. a virus is
a very serious matter regardless of anti-virus protection software.
but you raise a good point in that the same bug could have different
seriousness in different environments (say one where the virus checking
is good). that's more complexity than the rating would try to address,
I would imagine.

>Similarly, having a microkernel operating system makes me less susceptable to
>crashes.  Should a flaw rating decrease as technology adapts to deal with it?

my example would be the recent netscape bug. an article might say
the bug was rated G2 on some systems, and say it could be potentially
as bad as A6 on some operating systems. "for comparison, the internet
worm was ranked A2".

>Also, how do you rate situations where flaws are combined to mount an attack?
>For example, I crack a weak password to get a guest account.  Then I snag an
>unprotected password file and crack it to get root.  Then I leave an
>undetected
>trapdoor to get back in later.

the rating would only apply to flaws. if you have more than one flaw,
a different rating would apply to each flaw. what you are showing is
that again, system configuration could make the same flaw much worse
on one system than another. I don't deny, this is a very tricky
rating scheme. it is only meant to be general however and give the
public an idea of how bad a weakness is. 

the security rating would not be particularly useful to security experts,
other than giving a rough idea of the potential severity of the problem.

again I still believe that
major security categories are being conflated to the point that it
might sound, to Joe Sixpack, that the latest netscape bug could bring
down the entire internet. this gross misperception is easily rectified.

I find this kind of alarmism very counterproductive to improving 
the internet. the internet will not gain widespread acceptance if
there is a *perception* that it is unsafe (regardless of how 
solid it really is). this rating would be an attempt to help the
public understand security issues beyond a very rocky level of
granularity. if something is not done to help convey accurate information,
a void occurs and potentially "urban myths" 
such as "the internet steals your credit cards" would tend to 
arise.