[EXT] Queries on some attacks

[EXT] Queries on some attacks

CODERE Carl-Eric

Greetings,

I am a newcomer to this list. I have some questions and doubts on some of the attacks; I hope I am posting on the right list.

 

I would like to discuss a bit on some of the attacks that exist on mobile/desktop, and to ask if they should be included in this list.

 

In CAPEC-167: White Box Reverse Engineering, there seem to be some missing elements, no?

 

1. Read sensitive numeric values within an executable: This can be used to discover the location of cryptographic constants in the executable. Does it make sense to add this?

2. Reverse Engineer an Executable to understand its security mechanisms:  Sometimes the first step of an attack is to understand the security mechanisms of the application, if it has any. Should this be a separate entry? Or is this not relevant?

 

Some other points that seem unclear or do not seem to have their descriptions applied to mobile systems:

 

CAPEC-546: Probe Application Memory: Should the definition be extended to apply to mobile and desktop applications and any system, not only servers? Should we have an entry to probe application memory for cryptographic constants or key material? The case that is important for us is the dumping of application memory to retrieve information such as keys or sensitive data.

 

CAPEC-572: Artificially Inflate File Sizes - (572): Should the description be updated to indicate that this could also be used for a DoS attack, no? It can be the case on devices that have limited storage space, or is this unrelated?

 

CAPEC CATEGORY: Collect and Analyze Information:

Not sure where these should be, but these seem to be missing?

1. Dump and analysis of application data files / local storage system. Not sure where this should be, but dumping the data files associated with an application or sandbox could be used to retrieve some sensitive information, especially if it is not encrypted. This could be done by accessing the device directly or through malware.

2. Shoulder surfing to retrieve the user credentials should probably be somewhere, no?

 

CAPEC-165: File Manipulation

1. Removal of a file: Here if the file is required for operation, it could lead to a DoS attack, but I cannot seem to see this kind of attack anywhere.

 

Other inquiries: where is function hooking or function interception? Is it in Code Inclusion - (175) - Inclusion of Code in Existing Process - (640)? Or is it a separate attack?

 

Finally, I cannot find the following types of "attacks"; not sure if they apply, though.

CAPEC CATEGORY: Collect and Analyze Information

1. Accessing the technical documentation / security mechanism documentation of the Product?

2. Accessing the source code of Product Software?

 

Thanks in advance,

 

Carl Eric Codere

Thales Digital Identity and Security

Mobile Security Product Manager / Mobile Security Officer

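As an added illustration of the "read sensitive constants within an executable" point raised above (this is example code written for this page, not code from the CAPEC corpus, the list, or either poster), the Python scan below flags well-known cryptographic tables inside a binary image; it is the kind of build-time check a defender can run to see what an analyst would locate immediately and then review whatever key material sits beside those routines. The sample image and the choice of 16-byte / 4-word signature prefixes are constructed assumptions.

```python
"""Scan a binary image for well-known cryptographic constants.

Example for the CAPEC-191 / CAPEC-167 discussion; constructed here, not
taken from any CAPEC entry or vendor tool. A hit means the routine using
the table can be found by pattern matching alone.
"""
import struct

# First 16 bytes of the AES forward S-box (FIPS-197, Figure 7).
AES_SBOX_PREFIX = bytes([
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
])
# First four SHA-256 round constants K[0..3] (FIPS 180-4, section 4.2.2).
SHA256_K_PREFIX = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5]


def known_signatures():
    """Byte patterns to search for; word tables are emitted in both byte orders."""
    sigs = {"AES S-box": AES_SBOX_PREFIX}
    for name, fmt in (("SHA-256 K (little-endian)", "<4I"),
                      ("SHA-256 K (big-endian)", ">4I")):
        sigs[name] = struct.pack(fmt, *SHA256_K_PREFIX)
    return sigs


def find_crypto_constants(image: bytes):
    """Return (name, offset) pairs for every signature occurrence, sorted by offset."""
    hits = []
    for name, pattern in known_signatures().items():
        start = 0
        while True:
            idx = image.find(pattern, start)
            if idx < 0:
                break
            hits.append((name, idx))
            start = idx + 1  # keep scanning for further copies of the table
    return sorted(hits, key=lambda h: h[1])


# Constructed sample "binary": padding, an AES S-box prefix at offset 64,
# then a little-endian SHA-256 K table at offset 128.
SAMPLE_IMAGE = (b"\x00" * 64 + AES_SBOX_PREFIX + b"\x90" * 48
                + struct.pack("<4I", *SHA256_K_PREFIX) + b"\xcc" * 32)

if __name__ == "__main__":
    for name, off in find_crypto_constants(SAMPLE_IMAGE):
        print(f"{name} at offset 0x{off:x}")
```

Run it against a real release artifact by reading the file in binary mode and passing the bytes to find_crypto_constants; extend known_signatures with the tables your product actually ships.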

Re: [EXT] Queries on some attacks

rpiazza
Administrator

Hi Carl-Eric,

 

You have indeed sent your questions to the “right list”!

 

First, thanks for your interest in CAPEC. 

 

Some general comments about the CAPEC corpus:

 

  • Many of the entries are not “complete”.  We prefer to add an entry even if we only have partial information about it, and then improve it over time.
  • Most CAPEC entries are associated with a software weakness (a CWE).  Needing to associate a CAPEC with a CWE is not an absolute requirement, but highly desirable for CAPECs in the Software domain of attack.  CAPEC has been expanded to include other types of attack patterns, which do not have this requirement – see the Domains of Attack view. 

 

Please see specific comments below.  We will take them into consideration for the next release.

 

                Rich

-- 

Rich Piazza

The MITRE Corporation

781-271-3760

 


 

 

From: CODERE Carl-Eric <[hidden email]>
Date: Friday, October 11, 2019 at 9:06 AM
To: CAPEC Researcher Discussion <[hidden email]>
Subject: [EXT] Queries on some attacks

 

Greetings,

I am a newcomer to this list. I have some questions and doubts on some of the attacks; I hope I am posting on the right list.

 

I would like to discuss a bit on some of the attacks that exist on mobile/desktop, and to ask if they should be included in this list.

 

In CAPEC-167: White Box Reverse Engineering, there seem to be some missing elements, no?

 

1. Read sensitive numeric values within an executable: This can be used to discover the location of cryptographic constants in the executable. Does it make sense to add this?

 

                CAPEC-191 - Read Sensitive Strings Within an Executable is similar. Perhaps we can change this to something like Read Sensitive Constants Within an Executable.

 

2. Reverse Engineer an Executable to understand its security mechanisms:  Sometimes the first step of an attack is to understand the security mechanisms of the application, if it has any. Should this be a separate entry? Or is this not relevant?

 

                I’m not sure this needs to be specifically called out. CAPEC-37: Retrieve Embedded Sensitive Data addresses this in part.

 

Some other points that seem unclear or do not seem to have their descriptions applied to mobile systems:

 

CAPEC-546: Probe Application Memory: Should the definition be extended to apply to mobile and desktop applications and any system, not only servers? Should we have an entry to probe application memory for cryptographic constants or key material? The case that is important for us is the dumping of application memory to retrieve information such as keys or sensitive data.

 

                Does CAPEC-37: Retrieve Embedded Sensitive Data not cover this sufficiently?

 

CAPEC-572: Artificially Inflate File Sizes - (572): Should the description be updated to indicate that this could also be used for a DoS attack, no? It can be the case on devices that have limited storage space, or is this unrelated?

 

                This entry is focusing on altering the malicious file so it is not discovered. Many different attacks (in addition to a DoS attack) could “follow” this pattern. Adding “consequences” to this entry would make it more complete.

 

I like the concept of making a file too large for a device with limited storage – which 572 doesn’t address directly.  It is possible this could be a detailed child of 572.

 

CAPEC CATEGORY: Collect and Analyze Information:

Not sure where these should be, but these seem to be missing?

 

1. Dump and analysis of application data files / local storage system. Not sure where this should be, but dumping the data files associated with an application or sandbox could be used to retrieve some sensitive information, especially if it is not encrypted. This could be done by accessing the device directly or through malware.

 

                Does CAPEC-37: Retrieve Embedded Sensitive Data not cover this sufficiently?

 

2. Shoulder surfing to retrieve the user credentials should probably be somewhere, no?

 

                Perhaps this could be included in the Physical Security domain of attack.

 

CAPEC-165: File Manipulation

1. Removal of a file: Here if the file is required for operation, it could lead to a DoS attack, but I cannot seem to see this kind of attack anywhere.

 

                This is something to consider – perhaps as a child of 165.

 

Other inquiries: where is function hooking or function interception? Is it in Code Inclusion - (175) - Inclusion of Code in Existing Process - (640)? Or is it a separate attack?

 

                I think those (among others) cover hooking – but the term hooking should probably be included in the descriptions to make them more complete (and searchable).

 

Finally, I cannot find the following types of "attacks"; not sure if they apply, though.

CAPEC CATEGORY: Collect and Analyze Information

1. Accessing the technical documentation / security mechanism documentation of the Product?

2. Accessing the source code of Product Software?

 

                This information would seem to be proprietary – so it would seem the attack pattern would be something related to CAPEC-115: Authentication Bypass. Accessing the files “follows” the use of some 115-related attack.

 

Thanks in advance,

 

Carl Eric Codere

Thales Digital Identity and Security

Mobile Security Product Manager / Mobile Security Officer


RE: [EXT] Queries on some attacks

CODERE Carl-Eric

Greetings,

Thanks for your comments, my additional comments below.

 

Carl Eric Codere

Thales Digital Identity and Security

Mobile Security Product Manager / Mobile Security Officer

 

 

From: Piazza, Rich [mailto:[hidden email]]
Sent: samedi 12 octobre 2019 00:37
To: CODERE Carl-Eric <[hidden email]>; CAPEC Researcher Discussion <[hidden email]>
Subject: Re: [EXT] Queries on some attacks

 

Hi Carl-Eric,

 

You have indeed sent your questions to the “right list”!

 

First, thanks for your interest in CAPEC. 

 

Some general comments about the CAPEC corpus:

 

  • Many of the entries are not “complete”.  We prefer to add an entry even if we only have partial information about it, and then improve it over time.
  • Most CAPEC entries are associated with a software weakness (a CWE).  Needing to associate a CAPEC with a CWE is not an absolute requirement, but highly desirable for CAPECs in the Software domain of attack.  CAPEC has been expanded to include other types of attack patterns, which do not have this requirement – see the Domains of Attack view. 

[CECO]: OK, so I guess I should try the CWE mapping for each point? And if no CWE is available, ask for it to be added, right?

Please see specific comments below.  We will take them into consideration for the next release.

 

                Rich

-- 

Rich Piazza

The MITRE Corporation

781-271-3760

 


 

 

From: CODERE Carl-Eric <[hidden email]>
Date: Friday, October 11, 2019 at 9:06 AM
To: CAPEC Researcher Discussion <[hidden email]>
Subject: [EXT] Queries on some attacks

 

Greetings,

I am a newcomer to this list. I have some questions and doubts on some of the attacks; I hope I am posting on the right list.

 

I would like to discuss a bit on some of the attacks that exist on mobile/desktop, and to ask if they should be included in this list.

 

In CAPEC-167: White Box Reverse Engineering, there seem to be some missing elements, no?

 

1. Read sensitive numeric values within an executable: This can be used to discover the location of cryptographic constants in the executable. Does it make sense to add this?

 

                CAPEC-191 - Read Sensitive Strings Within an Executable is similar. Perhaps we can change this to something like Read Sensitive Constants Within an Executable.

 

[CECO]: I don’t mind one or the other, but I think it is important that either the description of CAPEC-191 be changed to also describe this attack, or that a separate attack under White-Box Reverse Engineering be available.

 

2. Reverse Engineer an Executable to understand its security mechanisms:  Sometimes the first step of an attack is to understand the security mechanisms of the application, if it has any. Should this be a separate entry? Or is this not relevant?

 

                I’m not sure this needs to be specifically called out. CAPEC-37: Retrieve Embedded Sensitive Data addresses this in part.

 

[CECO]: So sensitive data could include security algorithms? Should the description be broadened to include this? We have seen different types of attacks when doing an analysis: trying to find sensitive data which directly helps to perform an attack, or analyzing the actual implementation code to see how the security mechanisms are implemented in order to circumvent them. A typical example is jailbreak detection, which is actually a security algorithm that might be, but is not always, sensitive data.

 

Some other points that seem unclear or do not seem to have their descriptions applied to mobile systems:

 

CAPEC-546: Probe Application Memory: Should the definition be extended to apply to mobile and desktop applications and any system, not only servers? Should we have an entry to probe application memory for cryptographic constants or key material? The case that is important for us is the dumping of application memory to retrieve information such as keys or sensitive data.

 

                Does CAPEC-37: Retrieve Embedded Sensitive Data not cover this sufficiently?

 

[CECO]: Good point. I re-read the description of this attack, and it makes sense. I thought, though, that CAPEC-37 was only related to static analysis; it seems that is not the case, but in that case should the description be broadened accordingly? The actual attack I was thinking about was a dump of the RAM using a debugger or other such tools.

 

CAPEC-572: Artificially Inflate File Sizes - (572): Should the description be updated to indicate that this could also be used for a DoS attack, no? It can be the case on devices that have limited storage space, or is this unrelated?

 

                This entry is focusing on altering the malicious file so it is not discovered. Many different attacks (in addition to a DoS attack) could “follow” this pattern. Adding “consequences” to this entry would make it more complete.

 

I like the concept of making a file too large for a device with limited storage – which 572 doesn’t address directly.  It is possible this could be a detailed child of 572.

 

[CECO]: OK, I will wait for your final decision on this one.

 

CAPEC CATEGORY: Collect and Analyze Information:

Not sure where these should be, but these seem to be missing?

 

1. Dump and analysis of application data files / local storage system. Not sure where this should be, but dumping the data files associated with an application or sandbox could be used to retrieve some sensitive information, especially if it is not encrypted. This could be done by accessing the device directly or through malware.

 

                Does CAPEC-37: Retrieve Embedded Sensitive Data not cover this sufficiently?

 

[CECO]: Yes, but maybe the description might need to be broadened to explicitly explain this, right? The general idea behind all our comments here is that when we do our security risk assessments on our side and define our attack paths, I would like to align myself to standardized terms and vocabularies (the CAPEC ones), but if the definition is too broad, it might be difficult to have a 1:1 mapping… but we could actually expand our attack description on our side on the basis of the CAPEC; for example, in this case the attack could be: Retrieve embedded sensitive data by analyzing the local files. Not sure if that is OK or not.

 

2. Shoulder surfing to retrieve the user credentials should probably be somewhere, no?

 

                Perhaps this could be included in the Physical Security domain of attack.

 

[CECO]: OK.

 

CAPEC-165: File Manipulation

1. Removal of a file: Here if the file is required for operation, it could lead to a DoS attack, but I cannot seem to see this kind of attack anywhere.

 

                This is something to consider – perhaps as a child of 165.

 

[CECO]: OK.

 

Other inquiries: where is function hooking or function interception? Is it in Code Inclusion - (175) - Inclusion of Code in Existing Process - (640)? Or is it a separate attack?

 

                I think those (among others) cover hooking – but the term hooking should probably be included in the descriptions to make them more complete (and searchable).

[CECO]: Thanks. Yes, the description should be broadened, as most mobile attacks today are done through hooking.

 

Finally, I cannot find the following types of "attacks"; not sure if they apply, though.

CAPEC CATEGORY: Collect and Analyze Information

1. Accessing the technical documentation / security mechanism documentation of the Product?

2. Accessing the source code of Product Software?

 

                This information would seem to be proprietary – so it would seem the attack pattern would be something related to CAPEC-115: Authentication Bypass. Accessing the files “follows” the use of some 115-related attack.

 

 

[CECO]: It might be difficult to understand this type of attack from the title, though… but I understand that, reading CAPEC-115, it seems similar…

 

Thanks in advance,

 

Carl Eric Codere

Thales Digital Identity and Security

Mobile Security Product Manager / Mobile Security Officer
