Re: [sacm] [mile] iodef:SoftwareType
"Adam W. Montville" <adam.w.montville@gmail.com> Wed, 01 April 2015 16:38 UTC
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: sacm@ietfa.amsl.com
Delivered-To: sacm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF57F1A905E; Wed, 1 Apr 2015 09:38:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B81QKG65ysGO; Wed, 1 Apr 2015 09:38:05 -0700 (PDT)
Received: from mail-pa0-x236.google.com (mail-pa0-x236.google.com [IPv6:2607:f8b0:400e:c03::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E02B1A9131; Wed, 1 Apr 2015 09:38:05 -0700 (PDT)
Received: by pacgg7 with SMTP id gg7so57002862pac.0; Wed, 01 Apr 2015 09:38:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=jHvr81gVQDApjPEHHbz+0n2O/rquTB6hXfJ8VhxOoeY=; b=V6ctwRBL3j3yA4YsiP5ZgEEplWdwLzWdxZtapwkdo7mjSXtYKsIWrJZlRX9luNc43Q j7DvXJbOJa+3jUdPBQpa2LUyKOBXCQW1cG1Am4vtJb1TpIKqZyViV0nDqG07FSDdoK5H jNuIX9Bv20y7PfZOOnIUAcEn2kxSf2vPhk++jtA3kT6sDYgIQYzogR8ZkoUllRvG2ySu g2MfKjCYvc5lleZ6lFAd/Hhy84oTiHP4oPNViCyPCyFI+QRV9Y7NKZdONm+2jDRyJPK6 SuQt4B3wgzacbTkF7RKvco9OamZGYtPwGvrfRLFyff4NBKD5CCSWxEt5xAa5/XA+XJHI rgvw==
X-Received: by 10.68.182.132 with SMTP id ee4mr47535052pbc.24.1427906284565; Wed, 01 Apr 2015 09:38:04 -0700 (PDT)
Received: from ?IPv6:2602:306:3406:4f00:2d74:e5c1:6b77:ba0e? ([2602:306:3406:4f00:2d74:e5c1:6b77:ba0e]) by mx.google.com with ESMTPSA id d4sm2623669pdm.50.2015.04.01.09.38.01 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 01 Apr 2015 09:38:03 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_8C100F87-1054-4020-9400-56526B7B7052"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: "Adam W. Montville" <adam.w.montville@gmail.com>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFCD93D88B0@marathon>
Date: Wed, 01 Apr 2015 11:37:59 -0500
Message-Id: <D5A13F25-14BC-4F3A-ADC5-EDF6A6C143F7@gmail.com>
References: <B551AB38-A9E5-48C0-8049-F44122AF24AE@gmail.com> <551308DD.4040908@ThreatGuard.com> <9F61CC8E6ED7BC4DBA90C13F25D29C002DA5752B@umechpanz.easf.csd.disa.mil> <CAA=AuEdcmXdCe+iUfgLN3wnp98MZnNw5ULMmKnk+5wdrOA=Zmg@mail.gmail.com> <9F61CC8E6ED7BC4DBA90C13F25D29C002DA57678@umechpanz.easf.csd.disa.mil> <, > <CAA=AuEcBh3s6Hbkj_4G-OQCyGHHF0QkbusRXGbSWoatwgCtt=Q@mail.gmail.com> <359EC4B99E040048A7131E0F4E113AFCD93D88B0@marathon>
To: "Roman D. Danyliw" <rdd@cert.org>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/sacm/g-0Sig5hzMpwsO_EZlOr01z16Fo>
Cc: MILE IETF <mile@ietf.org>, "sacm@ietf.org" <sacm@ietf.org>
Subject: Re: [sacm] [mile] iodef:SoftwareType
X-BeenThere: sacm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SACM WG mail list <sacm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sacm>, <mailto:sacm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sacm/>
List-Post: <mailto:sacm@ietf.org>
List-Help: <mailto:sacm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sacm>, <mailto:sacm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 16:38:10 -0000
All: It’s come to my attention that there is such a thing as the “ENUM Registry” (I honestly didn’t know it existed), which has caused some confusion outside of our working groups [1]. Because we now have a named registry, it may be better to call it by that name or some variant thereof (Security External Enumeration Registry - SEER). Regards, Adam [1] https://en.wikipedia.org/wiki/Telephone_number_mapping <https://en.wikipedia.org/wiki/Telephone_number_mapping> > On Mar 26, 2015, at 11:20 AM, Roman D. Danyliw <rdd@cert.org> wrote: > > (Reposting to SACM already on MILE) > Hello! > > The original thread on the MILE list [1] about iodef:SoftwareType, this thread, and an illuminating offline explanation by Adam Montville and Dave Waltermire, highlighted an important distinction as we consider how to reuse the existing information models. There is a difference between (a) an identifier into an enumeration; and (b) a blob which is the entirety of the information. In both (a) and (b), a reference to the underlying specification is necessary. > > The ENUM [2] draft provides support for (a). The current iodef:SoftwareType of RFC5070bis [3] supports neither. Section 4.4 of IODEF-SCI [4] supports both (a) and (b). The caveats for using IODEF-SCI for (b) is that the blob has to be XML. Likewise, the approach for (a) uses the @ContentID attribute and/or the now replaced iodefv1:Reference class (It was replaced by ENUM and Takeshi Takahashi, the editor, has noted this needs to be updated after 5070bis is complete in an earlier posting to this thread). > > Support for multiple approaches to identifying software was voiced several times. The two most actively discussed options were CPE and swid. CPE is an instance of (a) and swid is an instance for (b). > > Thinking through the needs, the representation for software should: > (1) support (a) and (b) > (2) support public extensions (with an IANA registry) and private approaches > (3) blobs in formats other than XML? > (4) support the ability to convey the configuration of the software? > (5) ability to reason about software at different levels of versioning (x.x.x vs. x.x.* vs. x.*.*)? > others? > > To the notion of public extensions in (2), which IANA registry should be used? IODEF-SCI uses a single registry for a collection of classes that are semantically different. Should a dedicated registry(ies) be used to track standards/formats that describe software? If a dedicated registry is not used, how should implementers know which of the entries in the registry are valid software description standards/formats? > > Roman > > [1] http://www.ietf.org/mail-archive/web/mile/current/msg01660.html > [2] draft-ietf-mile-enum-reference-format-14 > [3] draft-ietf-mile-rfc5070-bis-11 > [4] RFC 7203 > > > ________________________________________ > From: mile [mile-bounces@ietf.org] on behalf of Jerome Athias [athiasjerome@gmail.com] > Sent: Wednesday, March 25, 2015 5:16 PM > To: Wolfkiel, Joseph L CIV DISA ID (US) > Cc: Gunnar Engelbach; MILE IETF; sacm@ietf.org > Subject: Re: [mile] [sacm] iodef:SoftwareType > > so that would be better covered by OVAL (with CPE embedded), and/or > some kind of MITRE MAEC (YARA included)/CybOX capabilities (mutex and > in memory opcodes needed?) > > 2015-03-25 22:00 GMT+01:00 Wolfkiel, Joseph L CIV DISA ID (US) > <joseph.l.wolfkiel.civ@mail.mil>: >> I expect the MILE use case would also need to be able to deal with software for which the only available data is the name of a file and an execution path (e.g. "c:/program files/baddexec.jar"). This is out of the CPE case altogether, but would be critical to assist in either forensic analysis or malware detection. >> >> Joseph L. Wolfkiel >> SCM Engineering Lead >> DISA ID52 >> (301) 225-8820 >> Joseph.L.Wolfkiel.civ@mail.mil >> >> >> >> -----Original Message----- >> From: Jerome Athias [mailto:athiasjerome@gmail.com] >> Sent: Wednesday, March 25, 2015 4:28 PM >> To: Wolfkiel, Joseph L CIV DISA ID (US) >> Cc: Gunnar Engelbach; Adam W. Montville; MILE IETF; sacm@ietf.org >> Subject: Re: [sacm] iodef:SoftwareType >> >> Hi, >> >> using CPEs, for example, in this case would be ok since using the >> first part of it (application 'name', before the version - or with >> '*') could cover the use case. (for SWID, I don't know) >> Then, that's right that if we want, for MILE, to cover use cases like >> Policy P1 (e.g. CIS X Level 1) for Application A1 on Asset A1, and >> Policy P2 (e.g. CIS X Level 2) for Application A1 (the same) on Asset >> A2, etc. >> it's a different story (ID, UID, GUID, context...) >> Same for use cases where Software S1 + Software S2 is an issue, but >> not when S1 used without S2, etc. >> (context/groups) >> >> A model for Software/Application/Components (e.g. libraries) and >> combinations of/relationships between them would have to provide the >> granularity wanted/needed. >> But this could be covered step by step. >> >> >> >> >> >> 2015-03-25 20:50 GMT+01:00 Wolfkiel, Joseph L CIV DISA ID (US) >> <joseph.l.wolfkiel.civ@mail.mil>: >>> We write most of our policies to the individual application level, but generally don't go to version. If the MILE requirement includes the ability to specify to a given software instance on a particular device and you think the softwareType element needs to be able to deal with both constructs, then you'll definitely need the ability to handle different levels of granularity and be able to specify which type of identification you're making. >>> >>> Joseph L. Wolfkiel >>> SCM Engineering Lead >>> DISA ID52 >>> (301) 225-8820 >>> Joseph.L.Wolfkiel.civ@mail.mil >>> >>> >>> >>> -----Original Message----- >>> From: sacm [mailto:sacm-bounces@ietf.org] On Behalf Of Gunnar Engelbach >>> Sent: Wednesday, March 25, 2015 3:14 PM >>> To: Adam W. Montville; MILE IETF >>> Cc: sacm@ietf.org >>> Subject: Re: [sacm] iodef:SoftwareType >>> >>> >>> As you say, it depends on the usage for the software identifier. >>> >>> For SACM that usage isn't likely to go beyond determining applicability >>> because when it comes time to do the security checks then the policy >>> implementation is likely to specify the particular endpoint attributes >>> to be collected and not rely on any data associated with the software >>> identification. >>> >>> It seems obvious to me that, with the goal of being able to support >>> multiple software identification systems, that SACM would embed the raw >>> identifier information below a tag that indicates which identifier type >>> it is. >>> >>> As far as applicability checking goes, I can see two primary principles: >>> >>> 1) Avoiding false negatives >>> 2) Efficiency >>> >>> Presumably a check system that has the ability to collect endpoint >>> attributes and calculate security results from that also has the ability >>> to self-determine its own applicability. With that as a fallback, then >>> the worst case is that every policy is attempted to be applied to every >>> endpoint and execution halted for each found to self-determine >>> non-applicability. >>> >>> Following from all that, if the decision point where policy assessment >>> assignment is occurring is capable of parsing a particular software >>> identifier well enough to positively remove a particular policy from the >>> list of potentials, that should suffice. >>> >>> >>> At first glance, this is not a very interoperable approach. But from a >>> practical usage standpoint the goal isn't to be perfect, it's to reduce >>> resource utilization for security assessments below the threshold where >>> it affects business operations. I think it likely that the number of >>> formats necessary to achieve that will be fairly small. And adding >>> support for new ones relatively simple. >>> >>> >>> --gun >>> >>> >>> >>> On 3/25/2015 2:42 PM, Adam W. Montville wrote: >>>> I’m cross-posting to SACM because this is a relevant discussion to that WG also. >>>> >>>> During today’s MILE session we discussed some options with respect to iodef:SoftwareType. The room seemed to favor looking for a way to allow referencing software using more than one software identification mechanism. It was also acknowledged that SACM might find use in being able to use different mechanisms of software identification. >>>> >>>> It could be easy enough to submit a given specification/data feed for expert review to the ENUM registry. But, is this sufficient for our software identification needs? >>>> >>>> The potential issue is how the software identification will be relied upon downstream. If we want to take the software identification component at face value, then using the ENUM registry would likely be sufficient. If, however, we need to specifically interpret or specifically apply portions of the software identification component, we need more information about (or a priori knowledge of) how to handle that type of software identification component. >>>> >>>> Perhaps it’s sufficient to rely on encapsulating the software identification element in another construct, which could potentially make this a non-issue. For example, if we needed installation information for applicability, we could bundle the SoftwareType within a larger class which would have any corresponding information (e.g. exact location of the software on an endpoint) required for the particular case. >>>> >>>> Still, for cases (if they exist) where a fully specified software identification component is intended to be used to identify a broader software class, we may run into underspecification issues. The same is true where a software identification component intended to classify software is needed for instance-level identification. >>>> >>>> It seems that some cases of software identification would require specification over and above that which would be obtained by simply using the ENUM registry. >>>> >>>> Thoughts? >>>> >>>> Adam >>>> _______________________________________________ >>>> sacm mailing list >>>> sacm@ietf.org >>>> https://www.ietf.org/mailman/listinfo/sacm >>> >>> _______________________________________________ >>> sacm mailing list >>> sacm@ietf.org >>> https://www.ietf.org/mailman/listinfo/sacm >>> >>> _______________________________________________ >>> sacm mailing list >>> sacm@ietf.org >>> https://www.ietf.org/mailman/listinfo/sacm >>> > > _______________________________________________ > mile mailing list > mile@ietf.org > https://www.ietf.org/mailman/listinfo/mile > _______________________________________________ > sacm mailing list > sacm@ietf.org > https://www.ietf.org/mailman/listinfo/sacm
- [sacm] iodef:SoftwareType Adam W. Montville
- Re: [sacm] iodef:SoftwareType Gunnar Engelbach
- Re: [sacm] iodef:SoftwareType Wolfkiel, Joseph L CIV DISA ID (US)
- Re: [sacm] iodef:SoftwareType Jerome Athias
- Re: [sacm] iodef:SoftwareType Wolfkiel, Joseph L CIV DISA ID (US)
- Re: [sacm] iodef:SoftwareType Jerome Athias
- Re: [sacm] [mile] iodef:SoftwareType Roman D. Danyliw
- Re: [sacm] [mile] iodef:SoftwareType Gunnar Engelbach
- Re: [sacm] [mile] iodef:SoftwareType Adam W. Montville