[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Universal vs. Environmental Policy, and the "vulnerability" term

>If we can agree that it makes sense to distinguish between Universal
>Policy Violations (UPV) and Environmental Policy Violations (EPV),
>then is an EPV a "vulnerability"?

No, but see below.  A policy violation may result from misplaced trust
(sabotage, incompetence, negligence, etc...) as well as an attack on a
vulnerability.  Therefore EPVs are a superset of what can be done with
vulnerabilities, and other things too.  To be a vulnerability, a fault must
be exploitable to result in a policy violation, but a policy violation does
not necessarily map back to a single specific low-level vulnerability.

There is some confusion in this debate between detecting policy violations
(e.g., service x is running), suggesting low-level policies (e.g., service
x should not be running because its design is unsecure), low-level
vulnerabilities, and macro-system-level vulnerabilities -- let's call those
"macrovulnerabilities".  Let me define macrovulnerabilities as
vulnerabilities that arise from the assembly of services, hardware and
software in a specific environment, while each of those individually does
what it is supposed to do and nothing else.

Let me go back to the fundamental rule of security:  security through
obscurity is not security.  Therefore, services that enable the gathering
of information are not real vulnerabilities or macrovulnerabilities.  If
having them running makes such a difference to your perceived security,
then maybe your systems are not secure.  I am against including those in
the CVE.  If we make the CVE a list of Bad Ideas, it will grow to infinity.

Are services unsecure because they contain vulnerabilities, or because they
are ill-designed services for which no implementation can ever be secure?
In the first case, there should be a CVE entry for those vulnerabilities
but not the service.  If having the latter kind running allows someone to
circumvent other common policies, then the service is a macrovulnerability.
I think that services falling in this category deserve a CVE entry.  In
such a case I believe that there can be a one-to-one mapping between a
macrovulnerability and low-level policy.

Does this make sense?

Microsoft Windows is also a way of thinking - or not thinking, to be more
-- RA Downes  Radsoft Laboratories

Page Last Updated: May 22, 2007