Copyright © 2009 Open Geospatial Consortium, Inc. 101
As potentially many clients share the same MUC, it is required to ensure privacy, preventing the exploitation of other clients in the MUC.
9.8 Rate the attacks for the Baseline Services
A rating of the attacks that have been identified in the previous sections can be undertaken from different viewpoints:
- Which attacks have the highest likelihood of being exercised?
- Which of the attacks have the highest chance of completing successfully?
- Which of the attacks has the highest impact?
- Which of the attacks can be exercised without the attacker being unveiled?
- Which of the attacks are based on information that can be obtained easily?
- Which of the attacks require a network compromise or address fraud?
9.8.1 Likelihood to exercise an attack and likelihood of success
For the context of this ER, two different kinds of likelihood are important: the likelihood that an attack can be exercised at all, and the likelihood that an exercised attack is actually successful. In general, it is difficult to estimate the absolute likelihood, as it depends on many factors. One factor is how the service implementation works. Therefore, the absolute likelihood for the same attack exercised on different service implementations could be totally different. One good example here is how an SPS creates the task IDs. If a task ID is a strong random number, generated with very high entropy, guessing valid task IDs is much harder than if the task IDs are natural numbers in ascending order. Another factor is the correctness and currency of the information required to exercise the attack. This becomes particularly important if the attacker has gathered the information from different sources over a longer time window. For example, the attacker may be using task ID information from an eavesdropping attack that was running for quite some time. When re-using fetched task IDs, there is a likelihood that they are outdated by the time the attack is exercised.
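The effect of task-ID entropy described above, as an added illustration that is not part of this ER: the two ID schemes, the constructed scenario (1000 live tasks, a budget of 10,000 guesses, and a 20-bit space standing in for sequential numbering) and the helper functions are assumptions of this example, not behaviour taken from the SPS specification.

```python
import math
import secrets

# Constructed scenario (assumption of this example, not taken from the ER):
LIVE_TASKS = 1000      # valid task IDs currently held by the SPS
GUESS_BUDGET = 10_000  # requests an attacker is assumed able to send unnoticed


def sequential_task_id(counter: int) -> str:
    """Weak scheme: task IDs are natural numbers in ascending order.

    All valid IDs lie in a small, predictable range, so a single observed ID
    (for instance from a rejected response) reveals where the others are.
    """
    return str(counter)


def random_task_id(nbits: int = 128) -> str:
    """Stronger scheme: a CSPRNG token with `nbits` of entropy, hex-encoded."""
    return secrets.token_hex(nbits // 8)


def hit_probability(valid_ids: int, space_bits: int, guesses: int) -> float:
    """P(at least one of `guesses` uniform random guesses equals a valid ID)
    when `valid_ids` IDs are live in a space of 2**space_bits values.

    log1p/expm1 keep tiny probabilities from being rounded to 0.0.
    """
    ratio = valid_ids / float(2 ** space_bits)
    return -math.expm1(guesses * math.log1p(-ratio))


def expected_guesses_until_hit(valid_ids: int, space_bits: int) -> float:
    """Mean number of random guesses before the first valid ID is hit."""
    return 2 ** space_bits / valid_ids


def compare_schemes(valid_ids: int = LIVE_TASKS, guesses: int = GUESS_BUDGET) -> dict:
    """Relative likelihood of a successful task-ID guess for both schemes.

    The sequential scheme is modelled as a 20-bit space (about one million
    candidates even if no ID has been observed); the random scheme uses the
    full 128-bit space.
    """
    return {
        "sequential_20bit": hit_probability(valid_ids, 20, guesses),
        "random_128bit": hit_probability(valid_ids, 128, guesses),
        "sequential_expected_guesses": expected_guesses_until_hit(valid_ids, 20),
        "random_expected_guesses": expected_guesses_until_hit(valid_ids, 128),
    }


if __name__ == "__main__":
    print("sequential:", sequential_task_id(42), " random:", random_task_id())
    for name, value in compare_schemes().items():
        print(f"{name}: {value:.3g}")
```

Under the constructed scenario the sequential scheme is hit with near certainty within the guess budget, while the 128-bit scheme needs on the order of 10^35 guesses on average, which is why the relative ranking in the text treats the two implementations so differently.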
Even though it might be impossible to estimate absolute likelihoods for attacks, it seems reasonable to provide an estimate of the relative likelihood between attacks. This estimate can be used to create a ranking of the different attacks, which helps to determine which of the attacks need to be taken care of first, and with which priority and monetary resources.
In order to rank the attacks by estimating the relative likelihood among them, one important factor is whether the attacker has all information at hand simply by reading the service specification, or whether information gathering is required. For the latter, the likelihood drops the more service interactions are required to obtain all required information. The likelihood drops dramatically further if interactions with other services are required to gather the required information.
For example, for all SS (in fact for all OGC Web Services), the GetCapabilities request can be submitted after reading the OWS Common specification. The only information required is the service URL, which can often be obtained from a catalogue service or a Google search. But the cancellation of an assignment with the SPS requires knowing a valid task ID. In order to gather a valid task ID, the attacker has to eavesdrop on communication with the service with the goal of fetching task IDs. As the attacker cannot know whether the wire-tapping attack will unveil a task ID at all, an alternative approach might be tried: by submitting a number of Submit requests to the SPS with invalid parameters, each response will contain a task ID and "rejected". From those responses, the attacker might guess task IDs with good certainty and start exercising the actual attacks. Another factor is determined by the difficulty of gathering the required information. The easiest way is to read the specification, as it is publicly available and contains many examples. If those examples, e.g. for task IDs, are screenshots of input/output from prototype implementations, the attacker has an easy task. Where an attack depends on other attacks succeeding first, it is certainly easier to succeed with attacks that do not require compromising the network than with attacks that require specific tampering with the network configuration.
9.8.2 Impact Discussion