Re: [SC-L] Insider threats and software

2007-08-16 Thread silky
On 8/17/07, Gary McGraw [EMAIL PROTECTED] wrote:
 Hi,

 The point here is NOT to pull a person-in-the-middle attack against the 
 protocol, but rather to subvert the client completely and have the subverted 
 client do all of your talking for you.  The most advanced (game)bot 
 techniques that we describe in EOG work by shimming (in an almost invisible 
 way) the game client, then setting up a communication channel with another 
 processor after a hardware interrupt in the main game thread is thrown.  For 
 those of you with the book, see pages 228-230.

 A less hairy approach is to attach to the game client as a debugger and just 
 call methods like there's no tomorrow.  The only problem with that approach 
 is it is like stomping around in the mud puddle and you are likely to be 
 detected.

 Effectively then, you ARE the client.  That's why I think it's more of an 
 insider attack
 than your standard BO sploit.

how is this different than sending malformed packets to an rpc
interface? the rpc would normally take its protocol from some app;
but what you, as the smart attacker, have done is to review the app,
exploit its weaknesses in client-side protocol assumptions (client
will always send correctly formed packets) and profit. seems like the
classic remote exploit development strategy.

you are also 'mixing in' a bot as an exploit. it's not an exploit
of the game in terms of compromising it; what you're actually
compromising is the in-game protocols (not
out-of-game-and-operating-system protocols).

for example, there is a korean game for which you can buy a physical
device that you attach to your mouse that plays the game for you. what
sort of attack is this? it isn't any sort of classical attack. it's an
automation of the game. which is a problem, granted, but not an
'insider attack'.

why blur the line on what insider attack means? it will only make life
worse/easier for CTOs to fob it off as too hard.

if you specifically define it, it can be acted on and solved. expanding
the definition will only complicate matters, imho.




 gem

 p.s. I added a little bit of data on the justice league blog about this:
 http://www.cigital.com/justiceleague/2007/08/16/software-the-new-insider-threat/



 -Original Message-
 From: silky [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 14, 2007 7:44 PM
 To: Gary McGraw
 Cc: SC-L@securecoding.org
 Subject: Re: [SC-L] Insider threats and software

 i really don't see how this is at all an 'insider' attack; given that
 it is the common attack vector for almost every single remote exploit
 strategy; look into the inner protocol of the specific app and form
 your own messages to exploit it.



 On 8/15/07, Gary McGraw [EMAIL PROTECTED] wrote:
  Hi sc-l,
 
  My darkreading column this month is devoted to insiders, but with a twist.  
  In this article, I argue that software components which run on untrusted 
  clients (AJAX anyone?  WoW clients?) are an interesting new flavor of 
  insider attack.
 
  Check it out:
  http://www.darkreading.com/document.asp?doc_id=131477WT.svl=column1_1
 
  What do you think?  Is this a logical stretch or something obvious?
 
  gem
 
  company www.cigital.com
  podcast www.cigital.com/silverbullet
  blog www.cigital.com/justiceleague
  book www.swsec.com
 
  ___
  Secure Coding mailing list (SC-L) SC-L@securecoding.org
  List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
  List charter available at - http://www.securecoding.org/list/charter.php
  SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
  as a free, non-commercial service to the software security community.
  ___
 


 --
 mike
 http://lets.coozi.com.au/




-- 
mike
http://lets.coozi.com.au/
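The thread's technical disagreement turns on one design assumption: whether the server may trust that the client "will always send correctly formed packets". The following is an added example, not code from the thread, from EOG or from any game: a minimal server-authoritative handler for a constructed JSON "move" message that treats the client as fully compromised and re-derives state instead of trusting it. Message format, field names and the MAX_SPEED and WORLD_BOUND limits are assumptions.

```python
"""Server-side validation of untrusted game-client messages (added example)."""
import json
import math
from dataclasses import dataclass

MAX_SPEED = 5.0       # world units per tick the server allows (assumed value)
WORLD_BOUND = 1000.0  # map is the square [-WORLD_BOUND, WORLD_BOUND] (assumed)


@dataclass
class Player:
    x: float
    y: float
    tick: int  # last server tick at which a move was accepted


class RejectedMessage(Exception):
    """Raised for any message the server refuses to act on."""


def handle_move(player: Player, raw: bytes, now_tick: int) -> Player:
    """Validate one raw client message and apply it only if plausible.

    The server never copies client-supplied state; it checks syntax, then
    bounds, then whether the move is physically possible given its own
    record of where the player was and when.
    """
    try:
        msg = json.loads(raw)
    except ValueError as exc:
        raise RejectedMessage("malformed JSON") from exc
    if not isinstance(msg, dict) or msg.get("type") != "move":
        raise RejectedMessage("unexpected message type")
    try:
        nx, ny = float(msg["x"]), float(msg["y"])
    except (KeyError, TypeError, ValueError) as exc:
        raise RejectedMessage("missing or non-numeric coordinates") from exc
    if not (math.isfinite(nx) and math.isfinite(ny)):
        raise RejectedMessage("non-finite coordinates")   # e.g. "NaN", "inf"
    if abs(nx) > WORLD_BOUND or abs(ny) > WORLD_BOUND:
        raise RejectedMessage("out of world bounds")
    elapsed = now_tick - player.tick
    if elapsed <= 0:
        raise RejectedMessage("too many moves for this tick")  # bot flooding
    if math.hypot(nx - player.x, ny - player.y) > MAX_SPEED * elapsed:
        raise RejectedMessage("implausible speed")            # teleport / speedhack
    return Player(nx, ny, now_tick)  # extra client fields (hp, gold, ...) are ignored


def accepts(player: Player, raw: bytes, now_tick: int) -> bool:
    """True if the server would apply the move, False if it rejects it."""
    try:
        handle_move(player, raw, now_tick)
        return True
    except RejectedMessage:
        return False
```

Rejections are a detection signal as well as a control: a client that repeatedly fails the plausibility checks is either broken or driven by something other than the shipped client, which is the kind of telemetry a game operator wants regardless of whether the label "insider" fits.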


Re: [SC-L] Insider threats and software

2007-08-15 Thread silky
i really don't see how this is at all an 'insider' attack; given that
it is the common attack vector for almost every single remote exploit
strategy; look into the inner protocol of the specific app and form
your own messages to exploit it.



On 8/15/07, Gary McGraw [EMAIL PROTECTED] wrote:
 Hi sc-l,

 My darkreading column this month is devoted to insiders, but with a twist.  
 In this article, I argue that software components which run on untrusted 
 clients (AJAX anyone?  WoW clients?) are an interesting new flavor of insider 
 attack.

 Check it out:
 http://www.darkreading.com/document.asp?doc_id=131477WT.svl=column1_1

 What do you think?  Is this a logical stretch or something obvious?

 gem

 company www.cigital.com
 podcast www.cigital.com/silverbullet
 blog www.cigital.com/justiceleague
 book www.swsec.com




-- 
mike
http://lets.coozi.com.au/