Intrusion Detection Systems
mailing list archives
Re: The CVE (WAS: RE: RE: Ramping up for another review)
From: bakerd () mitre org (David Baker)
Date: Mon, 17 Jul 2000 08:28:33 -0400
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Dug Song wrote:
honestly, do you really think that Cisco and ISS are going to screw
up, say, an attack on wu-ftpd and confuse it with something else?
no, i'm saying that we don't have a common way to describe attacks now,
which is a major hindrance to any REAL interoperability. the problem with
simply enumerating attacks, as the CVE does, is that not everyone counts
them the same way - what one IDS calls "overlapping IP fragments" another
may call "teardrop", and yet another "newtear". how useful are these names
by themselves?
Not to pick points too much, but CVE is NOT an enumeration of attacks or
attack signatures. CVE is an enumeration of vulnerabilities. While
attacks exploit vulnerabilities, it is incorrect to label the attack as
the vulnerability. You may also attack a vulnerability in more than one
way, with differing results. The CVE approach is vulnerability focused
and continues to be so. While the CVE editorial board has been asked
to extend to IDS signatures (and people have assumed it would include
signatures) for even "non vulnerability" attacks like ping mapping, the
decision has been made to remain concentrated on vulnerabilities. At
the March 2000 Board meeting, participating members (including IDS
vendors) agreed that at the moment, it is most effective to concentrate
on vulnerabilities and exposures. There was some fear that taking this
additional work on, at the moment, could become too distracting from the
vulnerability effort. Additionally, there will be questions as to the
best way to implement such a thing. (E.g. should they have "CVE" names
or something else, and if they have CVE names, will CVE extend CVE to
allow people to separate between vulnerabilities and signatures, etc.)
What I was looking at a year ago was typical of academia land: debate
the 10,000ft view and theoretical proofs of something until you are
blue in the face and never implement anything worthwhile.
the UC Davis Seclab Vulnerabilities project, Krsul's thesis at Purdue,
Ulf Lindquist's taxonomy in IDLE, etc. all provided open frameworks for
describing and classifying vulnerabilities and attacks; it's a shame
nothing more became of them, but then the CVE really didn't have to start
from scratch...
http://www.commoncriteria.org/
I'm not qualified to comment on this one. :)
the CC is at least as lame as any other certification program
(technically, perhaps even worse), but at least it pretends to be based on
some kind of sound engineering and testing principles, if that's really
what you're looking to the CVE to provide.
Firstly, the common criteria doesn't really address enumerating
vulnerabilities or attack signatures, but only provides a
capability/evaluation criteria for systems. Second, CVE is not a
certification program and I don't think it was ever meant to be one.
As to enumerating/naming vulnerabilities, all of the vulnerability
taxonomy efforts were considered, but none were actually adopted across
the field. The primary purpose for CVE was to benefit the end user.
One reason CVE started from scratch was the difficulty in obtaining any
kind of consensus across the information security community in giving a
vulnerability a name. By dispensing with a real name (and using an
identifier), experts from a variety of disciplines (or communities of
interest) in the information security field could actually agree that a
particular vulnerability does exist, that it is different from another
vulnerability and that it was at the right (or best) level of
abstraction (or granularity), and that it should be included in the
list. The primary goal of CVE is to enable correlation of vulnerability
related data between different sources of that information, to include
vulnerability scanners, vulnerability databases, and yes (where
possible) IDS. While not yet fully mature, CVE already lists 815
vulnerabilities with 705 active candidates pending. A total of 9924
vulnerability submissions have been made.
i'm just concerned that we've given up on real testing and evaluation
methodology in favor of simple marketing feature checklists; i suppose
this is a problem with the software industry in general, but i hate to see
computer security follow the trend.
CVE is not a testing or evaluation methodology, nor was it meant to
be, but it will probably be used by someone conducting tests/evaluations
as one item in an evaluation. It was not meant to be a marketing
checklist either, although I am sure it will be used that way.
CVE was intended to help out the end user of security products and
data sources. The participation in CVE by people active in this
community, including (in no particular order) Eugene Spafford
(Purdue/CERIAS), Matt Bishop (UC Davis), Elias Levy (Bugtraq), Russ
Cooper (NT Bugtraq), Marcus Ranum, Ken Williams, David LeBlanc, CERT,
nearly every major IDS and scanner vendor, Cisco, Sun, Microsoft, and
many others from the user arena, attests to the need and the seriousness
of the CVE effort. CVE is not meant to be the answer for everything,
but it is an enabler.
--
------------------------------------------------------------
David W. Baker
Senior INFOSEC Engineer bakerd () mitre org
G023 - Secure Information Technology
The MITRE Corporation
1820 Dolley Madison Blvd, Mailstop W435 McLean, VA, 22102
------------------------------------------------------------
"Cyberspace. A consensual hallucination experienced daily by
billions of legitimate operators, in every nation, by
children being taught mathematical concepts... A graphic
representation of data abstracted from the banks of every
computer in the human system. Unthinkable complexity. Lines
of light ranged in the nonspace of the mind, clusters and
constellations of data. Like city lights, receding..."
- William Gibson, "Neuromancer"
"640K ought to be enough for anybody." - Bill Gates, 1981
-------------------------------------------------------------
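The correlation point made above (one IDS says "overlapping IP fragments", another "teardrop", a third "newtear", and the same finding from a scanner carries yet another name) is easiest to see in code. The following is an added illustration, not code from the original message or from the CVE project: it takes findings from three constructed sources, first tries to correlate them by each tool's own name, then by a shared identifier that each source maps its names onto. The source names, alert names, hosts and the CVE-style identifiers are all constructed placeholders, not real CVE entries. A finding whose name has no mapping (the "ping sweep" entry stands in for the "non vulnerability" attacks the message says CVE does not cover) is reported separately rather than silently dropped.

```python
"""Correlating vulnerability findings from several sources by a shared identifier.

Added example; not part of the original message or of CVE itself. Every source
name, alert name, host and identifier below is a constructed placeholder.
"""
from collections import defaultdict

# Constructed per-source mappings from each tool's own alert name to a shared
# identifier. The identifiers are placeholders, not real CVE entries.
SOURCE_NAME_TO_ID = {
    "ids_a": {
        "overlapping IP fragments": "CVE-PLACEHOLDER-0001",
        "wu-ftpd SITE EXEC overflow": "CVE-PLACEHOLDER-0002",
    },
    "ids_b": {
        "teardrop": "CVE-PLACEHOLDER-0001",
        "newtear": "CVE-PLACEHOLDER-0001",
    },
    "scanner_c": {
        "WU-FTPD remote overflow": "CVE-PLACEHOLDER-0002",
    },
}

# Constructed findings: (source, tool-specific name, affected host).
FINDINGS = [
    ("ids_a", "overlapping IP fragments", "10.0.0.5"),
    ("ids_b", "teardrop", "10.0.0.5"),
    ("ids_b", "newtear", "10.0.0.5"),
    ("ids_b", "ping sweep", "10.0.0.5"),          # no vulnerability behind it; unmapped
    ("ids_a", "wu-ftpd SITE EXEC overflow", "10.0.0.9"),
    ("scanner_c", "WU-FTPD remote overflow", "10.0.0.9"),
]


def correlate_by_name(findings):
    """Naive correlation keyed on (host, tool's own name).

    Returns {(host, name): [sources]}. Because every tool uses its own
    vocabulary, no key ever collects more than one source.
    """
    groups = defaultdict(set)
    for source, name, host in findings:
        groups[(host, name)].add(source)
    return {key: sorted(sources) for key, sources in groups.items()}


def correlate_by_id(findings, mapping=SOURCE_NAME_TO_ID):
    """Correlation keyed on (host, shared identifier).

    Returns ({(host, identifier): [sources]}, [unmapped findings]). Findings
    whose name has no mapping for their source are listed, not discarded, so
    gaps in the mapping stay visible to whoever maintains it.
    """
    groups = defaultdict(set)
    unmapped = []
    for source, name, host in findings:
        identifier = mapping.get(source, {}).get(name)
        if identifier is None:
            unmapped.append((source, name, host))
            continue
        groups[(host, identifier)].add(source)
    return {key: sorted(sources) for key, sources in groups.items()}, unmapped


def multi_source_keys(groups):
    """Keys that were reported by more than one source, i.e. actual correlations."""
    return sorted(key for key, sources in groups.items() if len(sources) > 1)


if __name__ == "__main__":
    print("by name, multi-source:", multi_source_keys(correlate_by_name(FINDINGS)))
    by_id, unmapped = correlate_by_id(FINDINGS)
    print("by id, multi-source:  ", multi_source_keys(by_id))
    print("unmapped:             ", unmapped)
```

Run as-is it shows that name-based correlation finds nothing in common across the three sources, while identifier-based correlation pairs the fragment-overlap alerts from both IDSs and the wu-ftpd finding from the IDS and the scanner on the same host. The per-source mapping table is the part that, in practice, a vendor maintains for its own product; the shared identifier list is the part a consensus effort like CVE provides.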