From: williams@va.arca.com (Jeff Williams)
To: vznuri@netcom.com
Message Hash: a0ff2a1d853c56d17c58fde6f0b6b2a479ee96691eba79e4011adaba5964f307
Message ID: <2648899582.57910054@va.arca.com>
Reply To: N/A
UTC Datetime: 1995-10-16 18:58:16 UTC
Raw Date: Mon, 16 Oct 95 11:58:16 PDT
From: williams@va.arca.com (Jeff Williams)
Date: Mon, 16 Oct 95 11:58:16 PDT
To: vznuri@netcom.com
Subject: Re: proposal: "security spectrum scale" (SSS)
Message-ID: <2648899582.57910054@va.arca.com>
MIME-Version: 1.0
Content-Type: text/plain
Vlad Nuri writes:
> it seems to me what is lacking in all this is a *security spectrum*.
> unfortunately security experts sometimes have a tendency to equate
> *any* security weakness with a catastrophic one. while this is a good
> approach in general, i.e. to be as conservative as possible, in
> practice there can be no doubt that some security weaknesses are far
> less severe than others.
Unfortunately, severity is a question of perspective. In some
environments, an operating system crash could be considered catastrophic.
In others, it just means reboot and continue. I'm not a policy wonk,
but security is relative to what you care about.
> to aid this serious problem, I propose the creation of a
> UNIFIED SECURITY SPECTRUM RANKING.
There already was a USSR, but I think it ultimately failed :-}
For some starters, you should check out:
A Taxonomy of Computer Program Security Flaws
Landwehr, C.E., Bull, A.R., McDermott, J.P., and Choi, W.S.
ACM Computing Surveys, Volume 26 Number 3, September 1994
Which organizes flaws according to how they enter a system, when
during the lifecycle they enter, and where in the system they
manifest themselves. Some additional papers are available at the
NRL web site.
> this would be a list of all the different types of security weaknesses
> a system can have, and their LEVEL OF SEVERITY. it would attempt to
> rank every type of security breach possible. then, when a new
> security weakness is discovered, it could be ranked A1 or B5 or C6
> or whatever. this would be a sort of technological "richter scale"
> that would allow the novice to immediately understand that a given
> bug that was recently discovered (say, the recent netscape bugs)
> was, say, not really as potentially severe as the Morris worm.
To whom?
The only way to unify security rankings is to constrain the problem by
assuming an environment and intended uses for the system. It sounds
like you are assuming a low assurance workstation with an internet
connection which is used for non-critical home or business purposes.
Ironically, the digraphs you propose look sort of like Orange Book
ratings. Evaluation results, however, tell you something (not everything
by a long shot) about how trustworthy a product is. Your rating seems
to indicate the exact opposite. How about a B2 product with a G3 flaw?
I believe that that flaw rating is *exactly* the same problem as product
security rating. But that's a different discussion.
> however, if we do this, I hope that a good scale that is pretty general
> and doesn't need extensions can be done from the start, before its
widespread
> usage, so that later changes do not confuse users. there is already
> confusion in the media about two slightly different richter scales, this
> is a pity.
Any flaw rating system needs to consider how it will deal with advancing
protection technology. For example, susceptability to viruses is much less
critical than it would be if there were no anti-virus software available.
Similarly, having a microkernel operating system makes me less susceptable to
crashes. Should a flaw rating decrease as technology adapts to deal with it?
Also, how do you rate situations where flaws are combined to mount an attack?
For example, I crack a weak password to get a guest account. Then I snag an
unprotected password file and crack it to get root. Then I leave an
undetected
trapdoor to get back in later.
--Jeff Williams <mailto:williams@arca.com>
Return to October 1995
Return to “williams@va.arca.com (Jeff Williams)”