[2600] DoS threats: remove from the PPs?

Some of the implementers who have been reviewing P2600 are concerned about
the inclusion of denial-of-service threats and their associated objectives
and requirements in the P2600 PPs. I think that their concerns are valid.
In particular:

Identifying DoS threats is a problem, because it is often not possible to
distinguish between a deliberate attack and a valid (although perhaps
unusual) condition. How can the TOE distinguish between (1) a deliberate
attempt to overwhelm the HCD with job volume, and (2) someone printing 25
copies of IEEE Std. P2600? How can it distinguish between (1) jobs that
are deliberately crafted to cause the print engine to loop or crash, and
(2) errors in print language or bugs in the print engine software? How can
it distinguish between (1) a deliberate attack that causes the fax modem
to continuously retrain, and (2) a really noisy telephone connection?

Even if you can identify DoS attacks, mitigation remains a problem. Yes,
you can reduce the likelihood of some network DoS attacks by controlling
network flow and by having a well-managed network, but there's little else
you can do. For fax and print DoS attacks, there's literally nothing you
can do. That's why we came up with O.RESILIENT -- the TOE must grit its
teeth and wait for the attack to end.

Assuming that you can reduce some attacks and be resilient to others, how
do you test it? Our definition of DoS attacks is necessarily vague
(actually, I think it may be too specific as they are currently written),
because DoS attacks are quite varied and often exploit implementation
idiosyncrasies. One might be able to analyze the code to see how a TOE
will handle different kinds of DoS attacks, but at EAL2 or EAL3, source
code analysis doesn't really apply.

Yes, the mitigation techniques that we recommend in the P2600 clauses are
worthwhile and should be used. But can we really require them in the PPs?
It is not merely coincidence that we haven't found an SFR for O.RESILIENT.

I propose that we remove the T.DOS threats, O.RESILIENT, and any
references to DoS attacks from all PPs. I will also submit a shorter
version of this via the Comment Tool.

Regards,
--
Brian Smithson
Project Manager
PMP, SSCP, CISSP, CISA
Advanced Imaging and Network Technologies
Ricoh Corporation
(408)346-4435