[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Level of Abstraction Issue: Similar Applications, "Same"Vulnerability

Pascal Meunier wrote:
> The "Same attack, same software flaw = same vulnerability" is an empirical
> approach based on observable phenotypes, and as was shown in Biology, is
> sometimes wrong.  I want to impress that the question, "are they the same
> or not" can't be answered without a classification scheme, and a
> specification of the abstraction level within that classification ("are
> they of the same *what*;  family, species, genus?") -- that is, it can't be
> answered without a nomenclature.  

1) Nomenclature may be an overloaded term.  I consider the CVE as
establishing a name space for vulnerabilities. I call that a nomenclature
(and I could be using the term incorrectly).  The word I use for what
I think you are describing is a taxonomy. Taxonomies have multiple
classifications (levels of abstraction) and within each classification,
an enumerated set of taxa (names, if you will).

2) I think a more accurate way of describing the relationship between
classification schemes and the question "are they the same or not" is
to say that the answer to the question is always relative to your
classification scheme.  That is to say, the empirical approach 
of biological classification based on phenotypes is not wrong if 
you have no knowledge of genotypes!!

> It seems to me that the real question is, "do we need separate entries to
> list these two vulnerabilities", instead of "are they the same
> vulnerability".  One approach grounded in the observables is to use "Same
> attack, same results of the attack, for all attacks = same record".  This
> is because the results of an attack may be different, although the attack
> "works" on both (i.e., both systems are vulnerable to the same attack in a
> different way).  My recommendation would be that if you don't have any
> observables with which to differentiate the vulnerabilities, then use the
> same record, be flexible when new data becomes available, and don't assume
> that there is always an absolute equivalence between vulnerabilities and
> records.  It's a "best effort" system mixed with the principle of Occam's
> razor.

I may be reading what you are saying with hopeful (and tired) eyes.
If you are saying what I think you are saying, I am agreement with 
this. Let me clarify (or muddle the waters further)

It seems to me (and I think I have a Chomsky quote kicking around
to support this) that you can only get a well defined taxonomy if
the object of study has within it, some sort of structure. For example,
in zoology, we have the process of natural selection and the genisis
of new species.  Observable phenotypes were a good close approximation.
But ultimately, it is genotype that decides (for the most part)
zoological classification. And note, the zoological classifications
are reflective of the history of the genisis of species.  In the
world of chemistry, the periodic table of elements reflects the
atomic structure of the elements.  The point here is that these
objects of study have inherent structure which admits a cannonical
classification scheme.

I think the open question here is whether or not vulnerabilities
have this sort of built in structure?  

If I can be so bold, I would suggest that a better model for
thinking about categorization issues may lie with things like
the Library of Congress approach for categorizing published books.
This is not to suggest tossing in the towel in terms of reaching
for some set of decision rules. Quite the contrary. I only suggest
caution about expecting too much from the rule set. We may have
to live with a rule set that admits conflicting levels of abstraction
in places and ambiguous categorizations.

> level of abstraction, *and* have a nomenclature.  My thesis is that if you
> have a nomenclature, then you have different levels of abstractions, and
> therefore your database should have different types of objects -- at least
> one type per level of abstraction, and links between the different levels

I think the history of taxonomies and classifications is that 
flat, 1-dimensional enumerations precede good categorizations.
The first enumerations (generally abandoned) serve as a vehicle
for discussion. We are pushing the issue here pretty hard. 
But perhaps our attempt at nailing down a "vulnerability"
enumeration is forcing us to admit that we really need to
deal with security information at (at least) 2 different
levels of abstraction.  If this is the case, then we had
better come up with names for the different levels of
abstraction (like genus, family, specie) and avoid words
like vulnerability (similar to animal) that are ambiguous
with respect the level of abstraction being referenced. Either
that, or we need to fix vulnerability at one level of abstraction
an come up with a different name for the other level.

Of course, I just badly contradicted what I said earlier.
I'm not sure we know enough yet to do this.  We may just
need to settle for a vulnerability enumeration and admit
to ourselves that it contains all of the ambiguities with
respect to levels of abstraction as an animal enumeration
might contain. 



David Mann                     ||  phone: (781) 271 - 2252
INFOSEC Engineer/Scientist, Sr || 
Enterprise Security Solutions  ||    fax: (781) 271 - 3957
The MITRE Corporation          ||
Bedford, Mass 01730            || e-mail: damann@mitre.org

Page Last Updated or Reviewed: May 22, 2007