[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Argh! Re: [CD] CD Proposal: SF-EXEC (Software flaws in multiple executables)
- To: cve-editorial-board-list@lists.mitre.org
- Subject: Argh! Re: [CD] CD Proposal: SF-EXEC (Software flaws in multiple executables)
- From: Pascal Meunier <pmeunier@purdue.edu>
- Date: Wed, 14 Jun 2000 16:55:46 -0500
- Delivery-Date: Wed Jun 14 18:04:17 2000
- In-Reply-To: <200006130415.AAA14269@basie.mitre.org>
- References: <200006130415.AAA14269@basie.mitre.org>
- Sender: owner-cve-editorial-board-list@lists.mitre.org
>The following content decision (CD) is related to cases in which the >same software flaw appears in multiple executables within the same >software package. > >CD Proposal Date: 6/12/2000 >Voting Period: 7/10/2000 >Final Decision: 7/24/2000 > > >************************************************************************ >CD:SF-EXEC (Software flaws in multiple executables) >************************************************************************ >Type: ABSTRACTION >Version: 1.0 >Proposed: 6/12/2000 >Final Decision: N/A > > > >Short Description >----------------- > >If the same software flaw appears in multiple executables in the same >package, then record it in a single entry. > > >Definitions >----------- > >All definitions are informal. > >A "software package" is loosely defined as a collection of software >that is normally bundled together, provides a single overall >capability, and is offered on the same platform by a single vendor, or >for multiple platforms by the same developer. I hate this CD; it feels like trying to grasp wet corn starch. You think that you have it defined and then it escapes. Lots of things can be bundled together -- e.g., MS Word and Powerpoint are bundled together in MS office. If you don't like this example because of the "single capability" qualifier, the MS Word installation contains "equation editor" and more executables that support MS Word. Where does this start and where does it stop? OS distributions? I see this as a continuum of possibilities with no clear boundaries in the middle. It would make more sense for me to specify that if you can't install something separately without losing its usefulness, then what it is a member of is a software package. A more fundamental problem with this CD is that you need to know all about the similar flaws in all of the executables before voting. The way things have been going, this could significantly delay the acceptance of candidates (information paralysis). Perhaps a solution would be to favor having a speedy CVE entry as the first (or first few) flaw is found, and having "append proposals" that would add to the initial CVE entry, as more information in the flaws of other executables is found. These "append proposals" could be useful in other situations as well, whenever a CVE entry needs updating (e.g., as new vulnerable versions are released). They should carry information that should not result in a new CVE entry. What if a vendor tries to fix all of them, but one of them escapes? You could find yourself in a situation where A says that they fixed CVE-xxxx-xxxx, B saying that it is still there, and scanning software C and D testing for the existence of this CVE vulnerability by different methods that yield opposite results. Another problem is the dependence on changing architectural and software engineering concepts that have to be reverse-engineered (read "guessed at") by us. It is also possible that in the future, these concepts will be obsolete. As an example (perhaps feeble), how would you characterize (classify?) code that is dynamically generated for you from outside your "PC" by a trusted source and then run on your machine, perhaps in a sandbox? Most likely, whether that (binary) code is from a "library", the same or a different "executable" will be transparent to you, and perhaps those concepts would be meaningless -- you subscribed to a "service". That code could be changed every day, perhaps even every time you change preferences. Would you then make a new CD? How do you deal with having to rebuild the CVE with a new CD, or having part of the database be defined by version 1 of a CD and another part defined by version 2? In conclusion, I feel that the less you need to know about a vulnerability to make a CVE entry, the better (aka the 'KISS' principle). This CD is mostly an attempt at optimization of the storage requirements of the CVE, that comes at too high a cost -- it comes close to a classification attempt. I think that this CD should not be adopted, and that we should avoid such complexity, delays and potential confusion as much as possible. Much of what I said here applies also to SF-LOC. "One entry per identifiable instance" Pascal "You cannot build a happy private life in a corrupt society anymore than you can build a house in a muddy ditch." Anonymous Czech woman, from the 2000 Commencement Address by Bill Moyers about the american political system
- References:
- [CD] CD Proposal: SF-EXEC (Software flaws in multiple executables)
- From: "Steven M. Christey" <coley@linus.mitre.org>
- [CD] CD Proposal: SF-EXEC (Software flaws in multiple executables)
- Prev by Date: Cybercrime treaty: contact points
- Next by Date: Re: Argh! Re: [CD] CD Proposal: SF-EXEC (Software flaws in multiple executables)
- Prev by thread: Re: [CD] CD Proposal: SF-EXEC (Software flaws in multiple executables)
- Next by thread: Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
- Index(es):
