
Universal vs. Environmental Policy, and the "vulnerability" term



Universal and Environmental Policy Violations (aka "Vulnerability" Revisited)
-----------------------------------------------------------------------------

I agree with Elias that we need some terminology to describe the
differences of opinion that we are having.  However, I think "risk" is
inappropriate because it could be regarded as a superset of
"vulnerability," so what name do we give to things that are risks but
not vulnerabilities?

What someone calls a "vulnerability" is definitely an interpretation
of the specific situation in which the vulnerability is being
described.  I believe that the CVE vulnerability definition can be
cleanly separated into two portions: that which everyone appears to
agree to, and the remainder which has been controversial.

I believe that the Editorial Board fundamentally agrees that each of
the following CVE vulnerability definition bullets would be called a
"vulnerability:"

  - (1) allows an entity to bypass the system's normal authentication
    and verification processes to execute arbitrary commands as
    another entity
  - (2) allows an entity to read or modify data belonging to another
    entity, when it is contrary to the specified access restrictions
    for that data
  - (3) allows an entity to pose as another entity without formal or
    informal authorization
  - (4) allows an entity to affect the computing system in a way which
    disrupts the activities of other entities

These deal with states in the system where an attacker can circumvent
the boundaries that have been explicitly defined by the system.  An
attacker can definitely do some sort of damage if they know that this
state exists.  Whether or not an organization can conceivably prevent
all these problems from occurring, this appears to be a common goal in
most computing environments.

I adapt the above definition and define a "Universal Policy" as
follows:

  "A computing system or network may not have a state that is *KNOWN*
to:
    - (1) allow an entity to bypass the system's normal authentication
      and verification processes to execute arbitrary commands as
      another entity
    - (2) allow an entity to read or modify data belonging to another
      entity, when it is contrary to the specified access restrictions
      for that data
    - (3) allow an entity to pose as another entity without formal or
      informal authorization
    - (4) allow an entity to affect the computing system in a way which
      disrupts the activities of other entities"

If a system is in a state which satisfies one of the above bullets,
then it is in violation of the Universal Policy, i.e. the state is a
"Universal Policy Violation." (UPV).  UPVs would cover many software
flaws, significant configuration problems, and denials of service,
e.g. buffer overflows that allow stack smashing, world-writable
password files, IP fragmentation attacks.  In the real world, an
organization may not be able to *enforce* such a policy, but I believe
that most organizations would like to if they could.


Now let's look at the remainder of the vulnerability definition, where
we've been having all these debates:

  - (5) allows an entity to prevent or limit the tracking of
    activities which attempt to exploit another vulnerability
  - (6) allows an entity to obtain information that increases the
    likelihood for exploiting other vulnerabilities
  - (7) is a primary point of entry that an entity may attempt to use
    to gain access to the system or data

As recent discussion has shown, some Board members have disagreed with
each of these bullets.  These problems aren't of concern to everyone,
but they can be serious concerns in some environments.

To recognize this fact, I adapt bullets 5-7, wave my magic wand, and
define an Environmental Policy as follows:

  "Within a given environment, one or more of the following states may
be forbidden to a computing system or network:
  - (1) be running a service or application that is not specifically
    authorized
  - (2) allow an entity to prevent or limit the tracking of
    activities which attempt to exploit another vulnerability
  - (3) inadequately track activities of entities on that system
  - (4) allow an entity to obtain information that increases the
    likelihood for exploiting other vulnerabilities
  - (5) contain a point of entry that an entity may attempt to use
    to gain access to the system or data"

If a system has a state that is prohibited by the Environmental
Policy, then it has an Environmental Policy Violation.

Different Environmental Policies may impose different forbidden
states, depending on the environment being covered by the policy.  A
university or ISP may allow finger, but require extensive logging of
user activities.  A prominent web site may forbid running anything but
a small number of authorized services.  An organization may prohibit
the use of a particular brand of software due to a history of past
security flaws.


Are these definitions appropriate for clarifying the types of problems
we're talking about?  Is the terminology agreeable?  Do they need to
be formalized more than they are?

If we can agree that it makes sense to distinguish between Universal
Policy Violations (UPV) and Environmental Policy Violations (EPV),
then is an EPV a "vulnerability"?

- Steve

Page Last Updated or Reviewed: May 22, 2007