Vulnerabilities
Vulnerabilities can emerge at every level of program design and implementation. The following systematization of vulnerabilities is taken from the book "Exploiting Software" by Greg Hoglund and McGraw. There are of course many other approaches, the one presented here is nevertheless preferred by the authors.
We distinguish:
- Bugs
- Flaws
- Configuration errors
Bugs are errors that are done at the implementation level. A well known example are buffer overflows.
A very good description of buffer overflows has been written by Aleph One "Smashing the Stack for fun and profit".
Bugs are usually relativly easy to find and fix (Codescanners do this very well).
Vulnerabilities that emerge at the design level are referenced as flaws. Flaws are usually very difficult to find as they appear in the "philosophy" of the program and merely in one line of code. Examples of design flaws are
- ethernet can be sniffed
- unencrypted communication protocols (smtp, telnet, pop3)
Design flaws can emerge at the reason of environment changes. The protocols smtp and pop3 are good examples for this. In the time they were designed, encryption was unnecessary, there were few hosts and only a small "community". Security concerns were therefore mostly irrelevant. But it can be considered a Configuration Error to use these protocols in the modern "aggressive" environment.
Configuration Errors are kind of "boring" because they are done by the "user", which is seldom profitable to blame.
They are nevertheless very common reasons for compromised systems and should be therefore regarded as a serious problem. Examples for these problems are:
- bad passwords
- default configurations are often optimized for functionality and not for security
- unneeded but running services, which disclose too much information
- wrong file permissions
- wrong firewall/gateway configurations