Re: Universal vs. Environmental Policy, and the "vulnerability" term
> If we can agree that it makes sense to distinguish between Universal
> Policy Violations (UPV) and Environmental Policy Violations (EPV),
> then is an EPV a "vulnerability"?

No, but see below.

A policy violation may result from misplaced trust (sabotage, incompetence, negligence, etc.) as well as an attack on a vulnerability. Therefore EPVs are a superset of what can be done with vulnerabilities, and other things too. To be a vulnerability, a fault must be exploitable to result in a policy violation, but a policy violation does not necessarily map back to a single specific low-level vulnerability.

There is some confusion in this debate between detecting policy violations (e.g., service x is running), suggesting low-level policies (e.g., service x should not be running because its design is unsecure), low-level vulnerabilities, and macro-system-level vulnerabilities -- let's call those "macrovulnerabilities". Let me define macrovulnerabilities as vulnerabilities that arise from the assembly of services, hardware and software in a specific environment, while each of those individually does what it is supposed to do and nothing else.

Let me go back to the fundamental rule of security: security through obscurity is not security. Therefore, services that enable the gathering of information are not real vulnerabilities or macrovulnerabilities. If having them running makes such a difference to your perceived security, then maybe your systems are not secure. I am against including those in the CVE. If we make the CVE a list of Bad Ideas, it will grow to infinity.

Are services unsecure because they contain vulnerabilities, or because they are ill-designed services for which no implementation can ever be secure? In the first case, there should be a CVE entry for those vulnerabilities but not the service. If having the latter kind running allows someone to circumvent other common policies, then the service is a macrovulnerability. I think that services falling in this category deserve a CVE entry. In such a case I believe that there can be a one-to-one mapping between a macrovulnerability and low-level policy.

Does this make sense?

Pascal

--
Microsoft Windows is also a way of thinking - or not thinking, to be more exact.
-- RA Downes, Radsoft Laboratories