Hi Michael, I think thinking about firewalls and protocol analysis is missing the point almost entirely. Remember, the subverted client is behaving itself from the perspective of the server. It's just doing normal game client things...only in the case of a bot it is being driven by outside logic written by the no-longer-present gamer who wants to create virtual wealth while sleeping.
How would a host-based firewall help? The GAMER controls the host! Why on earth would the gamer/attacker allow a firewall to get in the way of game client subversion? gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael S Hines Sent: Thursday, August 16, 2007 11:04 AM To: SC-L@securecoding.org Subject: Re: [SC-L] Insider threats and software Doesn't an execution sandbox serve similar funtions to a firewall, but at the host level? Can't even more control be added to a sandbox than can be set on a firewall? Second, doesn't a host based firewall (even on desktops) provide the security you are talking about (providing they work propery - which is another topic). Am I missing the point? Or are you thinking of something that checks message queues for proper semantics and syntax (since some OS's are message based and work from message queues)? M. ----------------------------- Michael S Hines [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pierre Parrend Sent: Thursday, August 16, 2007 4:20 AM To: silky Cc: SC-L@securecoding.org Subject: Re: [SC-L] Insider threats and software Hello all, I do not agree with Mike's point of view. Of course the unique way to cheat a system is to understand how it is working, and to abuse it. But the main difference is that you can hardly talk about protocol in the case of applications: if you have a given protocol, you 'just' need to build a firewall that checks that the protocol is properly working. In the case of software level insider attack, you would therefore need a dedicated firewall for every application you provide, which seem difficult both in term of development and performance cost. The differences I see between the two cases are the following: - attacks are now performed at the applicative level. And no simple interface between the user and the application can be identified, since a heavy client is involved (the interface is no longer a single protocol, but a whole application). - the matter becomes even worse if the systems are dynamic (such as with MIDP, or OSGi, or any plug-in mechanism), which does not yet occurs with online games, but soon could. last case make a shift in the potential attacks quite likely: it is sufficient to make malicious components freely available to perform attacks, even without illegally modifying existing code. The problem of client-based attack is bound with the one of integration of off-the-shelf components: how is it possible to control the execution process for every self-developed of third party, local or remote, piece of code ? Both involve application level 'protocols' to perform insider attacks, which are not so easy to tackle, I.e what Gary is describing is (to my view) not the ultimate insider, but a step toward a worsening of the security state of systems. regards, Pierre P. Quoting silky <[EMAIL PROTECTED]>: > i really don't see how this is at all an 'insider' attack; given that > it is the common attack vector for almost every single remote exploit > strategy; look into the inner protocol of the specific app and form > your own messages to exploit it. > > > > On 8/15/07, Gary McGraw <[EMAIL PROTECTED]> wrote: > > Hi sc-l, > > > > My darkreading column this month is devoted to insiders, but with a twist. > In this article, I argue that software components which run on > untrusted clients (AJAX anyone? WoW clients?) are an interesting new > flavor of insider attack. > > > > Check it out: > > http://www.darkreading.com/document.asp?doc_id=131477&WT.svl=column1 > > _1 > > > > What do you think? Is this a logical stretch or something obvious? > > > > gem > > > > company www.cigital.com > > podcast www.cigital.com/silverbullet blog > > www.cigital.com/justiceleague book www.swsec.com > > > > _______________________________________________ > > > -- -- Pierre Parrend Ph.D. Student, Teaching Assistant INRIA-INSA Lyon, France [EMAIL PROTECTED] web : http://www.rzo.free.fr _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________