Vlad Nuri writes:
it seems to me what is lacking in all this is a *security spectrum*. unfortunately security experts sometimes have a tendency to equate *any* security weakness with a catastrophic one. while this is a good approach in general, i.e. to be as conservative as possible, in practice there can be no doubt that some security weaknesses are far less severe than others.
Unfortunately, severity is a question of perspective. In some environments, an operating system crash could be considered catastrophic. In others, it just means reboot and continue. I'm not a policy wonk, but security is relative to what you care about.
to aid this serious problem, I propose the creation of a UNIFIED SECURITY SPECTRUM RANKING.
There already was a USSR, but I think it ultimately failed :-} For some starters, you should check out: A Taxonomy of Computer Program Security Flaws Landwehr, C.E., Bull, A.R., McDermott, J.P., and Choi, W.S. ACM Computing Surveys, Volume 26 Number 3, September 1994 Which organizes flaws according to how they enter a system, when during the lifecycle they enter, and where in the system they manifest themselves. Some additional papers are available at the NRL web site.
this would be a list of all the different types of security weaknesses a system can have, and their LEVEL OF SEVERITY. it would attempt to rank every type of security breach possible. then, when a new security weakness is discovered, it could be ranked A1 or B5 or C6 or whatever. this would be a sort of technological "richter scale" that would allow the novice to immediately understand that a given bug that was recently discovered (say, the recent netscape bugs) was, say, not really as potentially severe as the Morris worm.
To whom? The only way to unify security rankings is to constrain the problem by assuming an environment and intended uses for the system. It sounds like you are assuming a low assurance workstation with an internet connection which is used for non-critical home or business purposes. Ironically, the digraphs you propose look sort of like Orange Book ratings. Evaluation results, however, tell you something (not everything by a long shot) about how trustworthy a product is. Your rating seems to indicate the exact opposite. How about a B2 product with a G3 flaw? I believe that that flaw rating is *exactly* the same problem as product security rating. But that's a different discussion.
however, if we do this, I hope that a good scale that is pretty general and doesn't need extensions can be done from the start, before its widespread usage, so that later changes do not confuse users. there is already confusion in the media about two slightly different richter scales, this is a pity.
Any flaw rating system needs to consider how it will deal with advancing protection technology. For example, susceptability to viruses is much less critical than it would be if there were no anti-virus software available. Similarly, having a microkernel operating system makes me less susceptable to crashes. Should a flaw rating decrease as technology adapts to deal with it? Also, how do you rate situations where flaws are combined to mount an attack? For example, I crack a weak password to get a guest account. Then I snag an unprotected password file and crack it to get root. Then I leave an undetected trapdoor to get back in later. --Jeff Williams <mailto:williams@arca.com>