Classifying Vulnerabilities for Risk Assessment

From: Solar Designer (solar@private)
Date: Sun Jun 23 2002 - 04:14:17 PDT


Hi,

As some of you might have noticed, I've been trying to provide a
vulnerability Severity rating in Owl change logs whenever there's a
security fix applied to Owl.  So far, I used the following syntax,
as illustrated with a recent example:

2002/05/09	Package: vixie-cron
SECURITY FIX	Severity: none to low, local, active
Ensure all files are closed in crontab(1) when the editor is run.
This fixes the problem pointed out by Paul Starzetz on Bugtraq where
crontab(1) could leak read-only access to /etc/cron.{allow,deny} even
if those files are made readable to just group crontab.

For more examples please refer to the Owl-current change logs under
Owl/doc/CHANGES in the native tree or online:

	http://www.openwall.com/Owl/CHANGES.shtml

Security fixes are always marked specially.  The script producing the
HTML version even uses different colors based on the Severity tag.

Basically, there're three fields: Risk Impact (either worst case or a
range of possibilities, always for default settings and worst case),
physical/local/remote classification of the level of access required
in order to exploit the vulnerability, and passive/active classification
depending on whether an attacker has to wait for an opportunity to use
the vulnerability or may perform an active attack whenever they want.

However, I feel that such a convention for specifying vulnerability
severities is still not as good as we can make it with little effort.
It doesn't let one specify the Risk Type (that goes into the change
description and, with the above scheme, may also affect the declared
Risk Impact) and Risk Probability (which, while typically very
subjective and often environment-specific, is still a useful measure).

What I am thinking to use from now on is a more verbose syntax:

Type: integrity/confidentiality/availability (more than one allowed)
Class: (physical/local to) physical/local/remote, (passive to) passive/active
Impact: (none/low/medium to) low/medium/high
Probability: (none/low/medium to) low/medium/high
Confidence (Uncertainty?): low/medium/high

I'd like some feedback on whether others think this is worth it and,
if yes, advice on the following:

Should Risk Type continue to affect the declared Risk Impact, despite
also being specified separately?  Right now, I wouldn't set Risk Impact
to high if I know a vulnerability is just a local DoS.  But once that
is specified separately (with "Type: availability" and "Class: local"),
it could make sense to set "Impact: high" for a complete DoS of the
entire OS and "Impact: low" for something limiting the ability to use
just the affected service.  Opinions?

Would it be better to use "sensitivity" instead of "confidentiality"?
I've seen both used in the same book and with the same meaning.

The Confidence I meant to indicate the degree of confidence in the
above four elements.  For example, the Probability estimate, while
always subjective, could be based on detailed analysis of vulnerable
code and attempts at exploiting the vulnerability (high confidence),
or could be based on attacks happening so far (medium), or could be
just a guess (low).

Would Uncertainty be better than Confidence?  Again, both terms are
used (to mean exactly the opposite).

There still exist vulnerabilities which don't fit the above syntax
well.  A real example:

2002/03/05	Package: openssh
SECURITY FIX	Severity: high, local/remote, active/passive
Patched an off by one channel id check bug discovered by Joost Pol.
The bug could be exploited by either a user able to login into a
vulnerable OpenSSH server or a malicious SSH server attacking a
vulnerable OpenSSH client.  If successful, this could let one execute
arbitrary code in the context of the remote server or client process.

That is, there exist attacks which are local and active, and there
exist attacks which are remote, but passive.  If I specified remote
and active (worst case for each kind of classification), that would
make the vulnerability appear much worse than it really is.

I don't know of a perfect way to deal with that kind of thing.  Is my
use of slashes in the example above clear enough without further
explanation?  With the new syntax it would be:

Type: integrity, confidentiality, availability
Class: local/remote, active/passive
Impact: high
Probability: high/low
Confidence: high

Is that clear?  Also that the "high" Probability refers to "local"
attacks only?  Would it be better to use two Severity tags (making the
change log entry _much_ longer, 10 lines where there used to be 1)?

Should I maybe use a brief form similar to the old syntax, all on one
line, and explain the order of fields in a separate document (there
needs to be one to explain their exact meaning anyway)?

Should some Risk Types imply others, less significant ones?  There
could be a vulnerability which allows for write-only access to data
that does not include something the modification of which allows for
further attacks, which means "integrity" and "availability", but not
"confidentiality".

Ideally, I would like to define a classification scheme that would be
usable by more than just Owl and more than just OS distributions, but
also by various vulnerability databases (CVE, SecurityFocus', others).

-- 
/sd



This archive was generated by hypermail 2.1.3 : Sun Jan 15 2006 - 13:43:16 PST