[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVEPRI] Editorial Board Meeting Summary - March 15-16, 2001
Following is the summary for the CVE Editorial Board meeting. I apologize for taking so long to write this up, but as you will see, there were good reasons for the delay. Thanks to everyone who made this one of the liveliest Board meetings yet. It was also one of the most critical. Many important topics were discussed at the meeting. The most important and timely issues will be moved to the mailing list over the next month or so. Those issues are: the numbering scheme for legacy candidates, the verification/voting requirements for CVE entries, and the definition of Board roles, tasks, and expectations. - Steve **************************************************************** CVE Editorial Board Meeting Summary - March 15-16, 2001 **************************************************************** Members of the CVE Editorial Board met at Cisco in Austin, Texas, USA on March 15 and 16, 2001. The attendees of the face-to-face meeting were: Andy Balinsky (Cisco) Troy Bollinger (IBM) Tim Collins (NFR) John Flowers (Hiverworld) Andre Frech (ISS) Scott Lawler (DOD-CERT) Jim Magdych (NAI) Pascal Meunier (Purdue CERIAS) Ron Nguyen (Ernst & Young) Mike Prosser (Symantec) John Rhodes (DOE-CIAC) Kevin Ziese (Cisco) Sean McAllister (DOD-CERT; not a Board member) Ryan Walters (Symantec; not a Board member) Participating by teleconference were: Larry Oliver (IBM) Craig Ozancin (Symantec) MITRE participants were: David Baker Steve Christey Bob Martin Bill Hill (via teleconference) Margie Zuk (via teleconference) CVE Content Update ------------------ The Board was presented with a progress report on assigning candidate numbers to legacy issues. (See http://cve.mitre.org/board/archives/2000-07/msg00024.html for an explanation of terms). Due to some errors, previous statistics had not been accurate. The number of legacy submissions that need to be processed is 7794. As of the meeting, 7696 of those submissions had been matched against each other. In January, only 1500 had been matched. All matching is expected to be completed by April 2, which will be more than 2 months ahead of the target date of June 15. (A set of submissions from Cisco had been improperly imported, and thus were not matched properly; Cisco provided an updated list of submissions, which will be matched by April 2). Some optimizations were made in the matching process in order to significantly reduce the amount of time spent matching. However, the new approach increases the risk of producing duplicate candidates. Where possible, MITRE will try to mitigate the risk of duplication with the resulting legacy candidates. If a duplicate still arises, it could be caught in the Editorial Board review process. Currently, the matched submissions have produced approximately 4200 submission groups (small groups of submissions from multiple sources, all of which describe the same vulnerability, or closely related vulnerabilities.) Approximately 3500 of those groups have no matching CVE entry or candidate. This means that approximately 3500 more legacy candidates could be created from those groups. The actual number is difficult to predict due to idiosyncracies in the matching process and differences in the level of abstraction of submissions in comparison with CVE content decisions. There is also progress in MITRE's processing of new security issues as they are publicly announced. Over 100 candidates have been reserved for use in the initial public announcement of vulnerabilities. Approximately 80 of those reserved candidates have already been publicized. Some affected software vendors, e.g. Microsoft, are becoming more involved in reserving candidates for vulnerabilities in their own products; other vendors will also be contacted and asked to participate. Approximately 1200 "new" submissions - i.e. submissions for vulnerabilities that were discovered after November 1999 - still need to be processed. However, many of those submissions are for the most recently discovered vulnerabilities. The Board was presented with the individual tasks being undertaken by the CVE content team. Barbara Pease and Jeff Taylor are refining the legacy submissions. Christine Walzer is performing submission matching on new, incoming submissions. Ramsay Key is matching and refining new submissions. Jean-Paul Otin is working on creating candidates for Windows NT-based configuration problems. Numbering Scheme For Legacy Candidates -------------------------------------- Since members of the CVE content team are now performing submission refinement, MITRE will begin to produce legacy legacy candidates on a regular basis. There are several numbering schemes for candidates that could be adopted. The Board discussed several options. However, since each proposed solution had strengths and weaknesses, no decision was made. The current approach for numbering candidates is CAN-YYYY-NNNN, where YYYY is the year in which the candidate number is assigned - *not* the year in which the vulnerability is publicized. (The same applies to CVE entry names, in which the CAN- prefix is converted to CVE-, but the rest of the identifier remains the same). If applied to legacy candidates, the current approach would produce many vulnerabilities that have CAN-2001-NNNN names, but were publicized in 1999 and earlier. Many people may have the perception that the "year" slot in the CVE name is actually related to the year in which the vulnerability is publicized. In addition, there may be an "aesthetic" desire to have the candidate name reflect the year of publication, as a high-level means of managing vulnerability information based on how old it is. Regardless of the public's misconception of the meaning of the year in the CVE name, many of the candidates/entries with 1999-NNNN names were actually announced earlier than 1999. For the most part, CVE items with 2000-NNNN names were publicized in 2000, but some 2000-NNNN names are for older issues. Similarly, some problems discovered in November and December 2000 have 2001-NNNN names. So, many of the current CVE/CAN names are already inconsistent with respect to the year of publication for the associated vulnerabilities. However, depending on the number of new vulnerabilities discovered this year, and the number of legacy candidates that MITRE produces, it is possible that more than 10,000 candidate names will need to be assigned this year. The name space only supports up to 9999 different names per yer. (This is being referred to as "the CAN-10K problem"). There are ways of extending the name space if necessary; for example, by moving to a hexadecimal numbering scheme instead of decimal, 65536 different vulnerabilities could be assigned per year without changing the number of characters in the name. However, it is not known whether such a change would adversely impact how some CVE-compatible products may store the CVE names. There are several factors that need to be considered when selecting a naming scheme for legacy candidates: 1) It was suggested that to help users manage CVE based on date of publication, that a separate field could be added which lists such a date. However, this information is currently in other databases, and thus increases the risk of CVE's competition with those databases. In addition, the date of publication would rarely help someone in mapping a specific vulnerability to a CVE name, although it is occasionally useful in discriminating between extremely similar vulnerabilities in the same product. The references and description, on the other hand, are essential for looking up the CVE name for a problem. 2) If a naming scheme is adopted which encodes the year of publication in the name, then all the entries or candidates that currently exist should *NOT* be renamed just to make things consistent, since there is such a large number of CAN/CVE-1999-NNNN items that were not discovered in 1999. The maintenance costs would be high for CVE users and compatible vendors. Thus, even if the Board adopts a "publication-based" encoding, it will not apply to all CVE items. 3) If a publication-based encoding is not used, then users will need to be able to distinguish between new candidates and legacy candidates. This information could be provided in reports that are accessible on the CVE web site. Following are the different approaches that were discussed by the Board. 1) Assignment-based encoding: continue to use the current approach, i.e. assign CAN-2001-NNNN (or CVE-2001-NNNN) to the issue, since 2001 is the year in which the candidate is assigned. Pro: emphasizes that the encoding of the year in the CVE name is not related to the year of announcement. Simplest to implement. Con: increases the possibility of misuse by consumers. For example, consumers might focus on the last 200 CAN-2001-NNNN candidates, mistakenly believing that they are the most recent issues that have been discovered. Con: susceptible to the CAN-10K problem. 2) Publication-based encoding: assign YYYY-NNNN, where YYYY is the year in which the issue was first publicized. Pro: more likely to address common public misconceptions. Pro: least susceptible to the CAN-10K problem. Pro: will be accurate for all issues that are publicized in 2002 and later. Con: 1999-NNNN, and portions of 2000-NNNN and 2001-NNNN, will not be consistent with the approach. Con: some complications if a vulnerability is publicized one year, a candidate is created, and then it becomes clear that the problem was actually publicized in earlier years. 3) Hybrid encoding. If the problem was published in 1999 or earlier, use 1999-NNNN; otherwise, use the year of publication. Pro: emphasizes that the encoding of the year in the CVE name is not related to the year of publication, for any issues that were publicized in 1999 or earlier. Pro: For 2002 and later years - and all but the first 150 candidates of 2001 - the year of publication will be encoded in the CVE name. Con: For 2000 and 2001, some candidate names will not include the year of publication. Con: most susceptible to the CAN-10K problem, because there may be more than 10,000 vulnerabilities from 1999 and earlier that ultimately require names. To help end users better manage or discriminate between new and legacy issues, and highlight the differences for purposes of user education, it was suggested that legacy candidates be assigned names with the highest sequence numbers available. For example, one could start at CAN-2001-9999, CAN-2001-9998, etc. for legacy candidates that are created in 2001. An alternate scheme was proposed in which legacy issues could be assigned CAN-2001-5000 and advanced upward. However, it is possible that these significant gaps could cause confusion. In addition, some people may be using the highest-numbered candidate for other purposes, which could have unexpected consequences. For example, it was noted that some people mirror individual CVE entries and candidates on the CVE web site by requesting information up to 100 "sequence numbers" above the most recent candidate; such mirrors might immediately attempt to download 10,000 candidates for 2001, instead of the current number of about 250. Regardless of which approach is adopted, users will need to be educated about it. It is likely that additional information will be needed on the CVE site; in addition, CVE-compatible vendors will need to address user misconceptions. Also, MITRE will not be able to start proposing legacy candidates until the numbering scheme is finalized. MITRE's CVE Content Goals ------------------------- MITRE's CVE content goals were presented. The last CVE version was released in January, but there are sufficient votes to promote at least 100 more candidates to official CVE entries. A new CVE version will be released within a month. Some CVE entries will be deprecated due to duplication. Other entries will be modified, e.g. to add new references. Some candidates - mostly duplicates - will be rejected. To address the needs of people who would like candidates to come out more rapidly for new issues, MITRE has set a goal to create and propose candidates for new security issues every 2 weeks. Candidates for legacy issues will be created and proposed on a regular basis. Other longer-term goals remain. By July 1, all submissions for issues discovered in 1999 should be refined into candidates. By December 2001, all legacy submissions should be refined into legacy candidates. Threatened Lawsuit Regarding CVE Content ---------------------------------------- A software vendor has threatened to sue MITRE based on some CVE content. A CVE candidate describes a reported vulnerability (denial of service) in the vendor's product. The vendor says that the reported problem is not in the product, but rather in the improper use of the product by system administrators, who do not use OS-provided resource limitations to reduce the effects of a DoS attack. The vendor says that many products who rely on OS-provided resource limitations are also affected. There are technical arguments on both sides regarding whether the reported vulnerability is in the software or in the operating system; this disagreement is reflected in the long discussions on the vendor's mailing list regarding the reported problem. There also was disagreement by participating Board members during the meeting. The software vendor appears to be considering lawsuits against owners of other databases that list the reported problem in the vendor's product. In addition, it appears that several security tools list the reported problem in their products; thus, the software vendor's lawsuit might extend to other organizations. MITRE's lawyers are preparing a response. Specific details (i.e. the vendor and claimed vulnerability) were provided to the Board members who participated in the meeting. Other members may obtain details from Steve Christey. Ultimately, other affected software vendors may attempt similar lawsuits. There was some discussion of the potential chill that such lawsuits might pose for vulnerability research and reporting. Verification Requirements for CVE Candidates -------------------------------------------- In the past 9 months, the Board has had several discussions regarding how much verification of a candidate must be performed before the candidate can be promoted to an official CVE entry. (See http://cve.mitre.org/board/archives/2000-06/msg00054.html as well as the "Editorial Board Voting Status and Issues" section in http://cve.mitre.org/board/archives/2001-01/msg00010.html for some details.) Ultimately, the guidelines for voting can not be completed until the verification criteria for official CVE entries is determined. According to one point of view held by some Board members, the official CVE list should act solely as a "dictionary," i.e. a set of agreed-upon names that are used to describe reported security problems, independent of whether those problems are real or not. External databases or vendors could clarify whether the reported issues are real. In some cases, it would be useful to have a CVE name for an issue, even if it turns out to be false; for example, an issue might be publicized in one forum, but refuted in another. If the issue does not have a CVE name, but it has been deleted from various databases, then some consumers might still think that the problem is real. It was noted that CVE candidates could be used to record all reported vulnerabilities, and the voting record could include a refutation if the initial report is discovered to be wrong. Other Board members believe that official CVE list should be well-reviewed, and there should be some level of verification that ensures that the issues being identified are real. They argued that while many databases or products may have a mixture of "real," "potential," and "incorrect" issues in them, CVE should strive to be more correct. It was also argued that the candidates, by their nature, already imply a level of uncertainty, and there would be little difference between entries and candidates otherwise (with the exception of duplication and level of abstraction problems). Also, there is already a public perception that because of the review process, CVE entries have been sufficiently validated. That is not necessarily the case currently; in addition, the small number of votes increases the risk that an incorrectly reported issue will become an official CVE entry. A more stringent requirement for verification of CVE entries could result in a large number of "permanent candidates" that are never refuted or rejected, but never gain enough ACCEPT votes. There are already some candidates like this. The original idea of candidates was that they would be temporary numbers that formed the "to-do" list for Editorial Board members to review. Permanent candidates, if they arose, would need to be managed differently. It was proposed that if less stringent requirements are adopted, then the Board could publicize the fact that there is still a community-wide need for strong verification of vulnerabilities, but CVE will not be able to fill that need. Current Voting Activities ------------------------- In the January teleconference, MITRE had noted that the number of voters, and the total number of votes taking place, had dropped sharply in recent months. Some of the decline was related to the more stringent guidance in Fall 2000 with respect to the level of verification that is necessary before Board members should vote to accept a candidate. There has not been a noticeable increase in voting since January. The Board has almost 40 members, and it is difficult to get 2 or 3 votes on a timely basis. This delay is noticeable to the public. Only 4 members vote regularly; another 15 members vote on a periodic basis, usually once every 4 to 6 months. This is insufficient for current needs, and will become even worse when legacy candidates are added. Since voting is the most critical task for Board members, the lack of voting needs to be addressed. Unless current Board members can contribute more often, MITRE will need to keep adding Board members - or increase minimum expectations for existing members - to ensure that there is sufficient review of candidates in the future. Board members did not object to the idea of expanding the Board further; in earlier meetings, some members had expressed concerns that the Board could get too big. It was proposed that voting records could be better publicized, so that CVE end users could know which Board members are voting actively. Voting activity can be inferred from current public information, but it is not easily accessible. There were no objections to this proposal. MITRE will consider how (and when) to most effectively publicize this information, once the other significant voting issues are resolved. Since voting is affected by the verification requirements for CVE entries, voting activities will be revisited once that issue has been addressed. Proposed Voting Guidelines -------------------------- The following guidelines for voting was proposed and discussed. A voter could only ACCEPT or MODIFY a candidate if: (1) The vendor has acknowledged the problem. (2) The voter, or the voter's organization, has been able to replicate the problem. (3) Someone that the voter trusts has verified the problem. This could include the original researcher, if the researcher is trusted by the Board member. (4) There is independent confirmation of the issue, i.e. 2 different sources claim to have reproduced the problem (such as an initial Bugtraq post and multiple follow-ups). Participating Board members agreed that the first two requirements were acceptable. It was noted that "vendor acknowledgement" needed to be clear; for example, it might not be sufficient acknowledgement if a researcher says that there's a patch, unless that patch is tested, or the vendor says that the patch fixes the problem being reviewed. Some concerns were raised with respect to the trusted verification issue. For example, if the voting Board members all trusted the same person or organization, then there would be a greater likelihood of an incorrectly reported candidate being promoted to an official entry. Some members said that this would not be a problem, because only researchers who have established a strong reputation would be trusted by many members. An incorrect report could also reduce the overall trust in future reports by the researcher. There may be other cases in which a Board member trusts "too many" people. Also, only the trust of the members who vote will be taken into account; thus the ultimate contents of CVE could vary, depending on who is voting. Previously, it had been proposed that Board members could publicize who they trusted. This could address some of the concerns outlined above; however, members might not be willing or able to provide such information. In general, however, the Board agreed that "third party trust" should be sufficient reason to accept a candidate. This approach utilizes the resources of others in the security community who are not on the Editorial Board. Due to time limitations, the Board did not discuss whether independent confirmation should be included in the guidelines, or how it might be measured. Until the voting question is resolved, MITRE will only accept candidates that satisfy the first 3 voting guidelines as described above, i.e. vendor acknowledgement, verification by a Board member, or verification by a party that the Board member trusts. The voting guidelines, once finalized, will be publicized in order to clear up any misconceptions that CVE users may have. Other Voting Issues ------------------- There was a concern that by voting to accept a candidate, a Board member might be held liable if their vote is interpreted as stating that they believe the problem is real. This issue could be exacerbated by situations like the potential lawsuit related to CVE content, as described in a previous section of this summary. Limitations of the current set of votes (Accept, Modify, No Opinion, Reject, Recast, Reviewing) were also discussed. It was proposed that an additional "UNCERTAIN" vote could be used to state that a voter believes that the candidate description and references accurately reflect all available information, but the voter does not have sufficient knowledge about whether the reported problem is real. Board members disagreed with this proposal, since it implied a level of confidence, and it was already decided that confidence levels should not be included in CVE. A different situation arose in which a candidate described a vulnerability that was refuted by the vendor; however, in the past, the researcher had discovered other vulnerabilities that had been fixed by vendors. The voter did not trust the researcher and believed that since the vendor disagreed with the issue, there should be more confidence before accepting the candidate. However, none of the possible votes adequately described the voter's intent. Formalizing Editorial Board Tasks and Roles ------------------------------------------- For various reasons to be described below, MITRE is formalizing the roles, tasks, and expectations for current and future Board members. The Board discussed several related issues. Over time, the Editorial Board has evolved. The Board started out as an informal organization. An interview and review process was put in place in late 1999. Starting in late 2000, the expectations for new members were more clearly defined and publicized. Most recruitment activities for Board members were performed by MITRE. In rare cases, a prospective member was nominated by an existing Board member, or the prospective member established initial contact. However, the number and type of participants in the Editorial Board has changed over the years. In addition, outsider requests for Board membership has increased significantly. More of the initial inquiries come from marketing personnel instead of technical workers. More prospective members are not known to MITRE, or they are not qualified to participate. Editorial Board membership is sometimes mentioned in marketing materials or personal biographies. While these conditions reflect a growing acceptance and prominence of CVE, they also indicate a need to ensure that membership on the Editorial Board is not used inappropriately. Without a clear description of the tasks that are performed by the Board, and without a more formal review mechanism, it is becoming more difficult for MITRE to manage the incoming requests, to clearly identify expectations of prospective members, and to fairly assess the prospective member. It also makes it difficult to assess the level of participation of current membets. Some current members have not been able to contribute at the level which was agreed to when they first joined the Board. Other members who have been on the Board since fall 1999 did not join through the current process; as such, there was never a formal discussion or recruitment period which would describe the tasks and expectations, which evolved as CVE has changed. In an attempt to clearly identify how current Board members participate in CVE activities, MITRE has developed a spreadsheet which outlines the level of contribution which each Board member has made, in a number of different tasks. The purpose of the spreadsheet is to clarify how each Board member contributes, and how often; to be used as a basis of one-on-one discussion with each member on their own expectations for how they participate in Board activities; and to clarify what minimum expectations could be. In the next few weeks, each Board member will be contacted, and their roles and tasks will be discussed. In turn, this will help all Board members to collectively decide on future expectations for Board members, and to formalize such expectations. Ultimately, each member's tasks, roles, and expectations will be publicized to the rest of the Board, and possibly the public as a whole. Board Member Roles ------------------ The following roles were discussed by the Editorial Board. It is believed that most members would have a single, primary role on the Board. By identifying the role of each member, the associated tasks and expectations could be clarified. Some MITRE-specific roles were identified. The CVE Editor is responsible for CVE content. The Chair is responsible for Editorial Board structure, recruitment, and activities. Both roles are currently performed by Steve Christey. Technical contributors include task leaders (i.e. Margie Zuk, Pete Tasker, Bob Martin, Bill Hill, and Dave Baker), members of the content team (Barbara Pease, Ramsay Key, Chris Walzer, Jean-Paul Otin, Dave Goldberg, and Jeff Taylor), and other supporting personnel. Four roles for Editorial Board members were identified. Technical members participate in the design, review, and maintenance of CVE and/or its usage. Expectations include consistent participation in one or more technical tasks, such as voting, ad hoc consultation, or definition of CVE processes. Liaisons represent a significant constituency, related to or affected by CVE, in an area which does not necessarily have technical representation on the Board. This role may include software vendors. Liaisons would need to be visible and active in their own community. They bring a diverse perspective, a broader awareness, and community-specific needs for CVE to the Editorial Board. The primary expectation for liaisons would be consistent participation in Board activities that directly affect the liaison's community. Advocates actively support or promote CVE in a highly visible fashion. This role would be reserved for respected leaders in the security community. They help bring credibility to the CVE Initiative, and they may give CVE a "wider reach" outside of the community. They might participate in strategic planning for CVE, but they wouldn't necessarily participate at a technical level. A current Board member was proposed as an example Advocate. It was suggested that the term "Ambassador" could also be used to describe this role. Editorial Board members agreed that the Advocate role is important for the CVE Initiative, and it is appropriate to include advocates on the Board. There was some discussion regarding how a member might be assigned an advocate role, as it may be difficult to outline specific requirements. Advocates could be appointed with a vote by a significant percentage of Board members, but this approach was not discussed in detail. The fourth role is Emeritus, which is an individual who was formerly active and influential in the CVE Initiative, and maintains an "honorary" position as a result. The expectations for the member are minimal. One concern was raised that the Board should only include active members, and as such, it might not be appropriate to include an Emeritus. However, in some cases, an Emeritus may continue to participate on an ad hoc basis. While this role was not discussed extensively, Board members agreed that it might be appropriate for MITRE to choose which members can retain Emeritus status. Editorial Board Member Tasks ---------------------------- The following tasks were discussed by the Editorial Board. Members agreed that their CVE-related activities were covered by one or more of these tasks. 1) Voting on candidates. Some members vote regularly; others vote on an ad hoc basis, e.g. when there is an effort to reach a specific content goal. 2) Meetings. Some members participate actively in face-to-face meetings and teleconferences. 3) Ad hoc/offline consultation. Sometimes, members are consulted "behind the scenes." Their contributions, while valuable, may not be visible to the public or even to other Board members. 4) CVE process definition. Activities may include discussions related to content decisions, the review and voting process, Board structure, etc. 5) Content provider. Several Board members have provided their vulnerability databases for conversion into candidates, which ensures that CVE content is complete. Note that this task is also performed by some organizations that are not on the Editorial Board. 6) IDS/CIEL. In some cases, CVE does not identify events that are captured by intrusion detection systems. Some Board members will be participating in the review and development of the Common Intrusion Event List (CIEL), which is currently being drafted by MITRE. 7) Candidate Reservation. Some members use candidates in their security advisories, or they are prospective Candidate Numbering Authorities (CNA's). Note that this task is also performed by some organizations that are not on the Editorial Board. 8) CVE compatibility. Some members participate in the definition of requirements or the evaluation process for CVE compatible products. Note that this task is also performed by some organizations that are not on the Editorial Board. 9) Non-CVE activities. Occasionally, an activity that is not directly related to CVE is undertaken by the Editorial Board. The most prominent example is the CyberCrime Treaty Statement, which was drafted in May and June 2000. 10) Liaison. It is expected that the tasks for a liaison will be ad hoc. 11) CVE promotion. Some members are active, visible promoters of CVE. 12) Education about CVE. Since the amount of participation by each Board member varies, as well as the specific tasks that the member performs, it is difficult to determine what the minimum level of participation should be for each member. There was little discussion on this topic during the meeting. However, it will be revisited in the near future as Board members evaluate their own roles, tasks, and expectations. Organizations with Multiple Members ----------------------------------- Some organizations have 2 members on the Editorial Board. In some cases, one member is active, but the other is not. It was proposed that organizations with multiple members should have a level of activity which exceeds the minimum expectations for one member. However, meeting participants advocated that the requirement should be made more stringent, and each Board member should meet the minimum requirements for participation. This requirement was accepted by all participating members who were in multi-member organizations. It was agreed that there should be allowances for extenuating circumstances; for example, one Board member was recently injured in an accident. New Member Recruitment Process ------------------------------ The Board discussed the process by which prospective members could be recruited, evaluated, and added to the Editorial Board. MITRE's current process was described as follows. A prospect is first identified in one of three ways. Some prospects ask MITRE about membership. Other prospects are actively recruited by MITRE, often to fill a gap in Board representation. Other prospects are nominated by current Editorial Board members. Once identified, the prospect is given a short description of Editorial Board tasks and the expected amount of time that needs to be committed. An interview then takes place between MITRE and the prospect. The interview allows MITRE to determine if the prospect has the appropriate technical knowledge to contribute to CVE, and to identify the specific roles and tasks that the prospect will undertake. The prospect can obtain more information about Board activities and expectations. During any of these phases, MITRE or the prospect may decide that membership is not appropriate. If MITRE decides to add the prospect, the prospect provides a short professional biography. The prospect is then announced to the Editorial Board as a new member. The announcement describes how the new member will be able to contribute to CVE, lists the member's bio, and identifies the specific tasks that the member is expected to perform. The prospect is then sent an introductory documentation package that describes recent news, voting, technical rationales for CVE, etc. While Board members were satisfied with the types of people that MITRE has added to the Board, there was some concern that Editorial Board members are not included in the evaluation process. As more and more people request membership, there is an increased risk that a MITRE-only recruitment process might add a Board member who is inappropriate. Some members advocated an approach in which MITRE "screens" prospective members, then consults the Board for feedback on those prospects who pass the screening. During the screening, MITRE should ensure that prospects have a clear understanding of expectations; while MITRE currently does this, it will be easier to describe when the roles and tasks are well-defined. The Editorial Board could provide feedback via a discussion period and a formal vote. It was proposed that a minimum 50% of members could be required to accept a prospect, but given the size of the Board, and the lack of consistent participation by most members, this number is probably too high. A minimum 5 votes might be more reasonable, and it still represents a little more than 10% of all members. There would need to be a minimum review period to give members enough time to review the prospect, perhaps a month. It was agreed that a private mailing list would be needed for discussion and voting on prospective members, if such an approach is adopted. It was proposed that prospects should be visible or known to the Editorial Board. However, some current Board members were not well-known to other members. In addition, some members act as liaisons for other groups, but may not be well-known if they are not directly involved in the security industry. Some lesser-known Board members have made significant contributions. Many members agreed that the prospect could be required to submit a "resume" that outlines specific qualifications for Board membership, in light of the tasks that the prospect is expected to perform. This would allow all Board members to evaluate the prospect, even if they do not know the person. Guidelines for a minimum amount of experience were discussed. There was general agreement that between 3 and 5 years' minimum experience in information security should be required, unless the individual has made a recognizable contribution to the information security community. Some concern was raised that a more formal voting process could make the Editorial Board a more exclusionary organization. However, MITRE's current recruitment and screening process could reduce this risk. There was also some side discussion regarding the diversity of the individual members of Board, especially with respect to the lack of women; the small percentage of women in information security may be a factor. There is currently one woman on the Board, but she is expected to leave soon. MITRE's management, content, and support teams include women, but they are not on the Board. Some potential members were identified, and they will be evaluated and recruited through the established process. Once the tasks, roles, and expectations have been more clearly defined, the Board will be able decide on the new approach to recruitment and evaluation of new Board members. Trial Membership ---------------- MITRE proposed the possibility of establishing a "trial membership," or review period, for new members. This could be used to ensure that new Board members would be able to participate as actively as expected. In some cases, new members would join the Board, but they would not be able contribute at the level that was expected. Trial membership might be useful to ensure that the new member is active, at least during the review period; however, it does not necessarily guarantee the level of activity after the trial period. Trial membership could also limit the number of prospective members who join the Board solely for marketing or promotional purposes. Board members disagreed with this proposal. Instead, they suggested that the vetting process should be improved to minimize the risk of "under-performing" new members. As the roles, tasks, and expectations are formalized, it will also be easier to request that some Board members resign if they are not able to participate at the expected level. Other Board Business -------------------- At several points during the meeting, it was noted that a non-public mailing list could be useful for Board members to discuss certain issues that would be inappropriate for the normal Editorial Board mailing list, which is publicly archived. While the Board has committed to making its deliberations public, there has always been a consideration that there might be a need to support private discussions. Members will need to be careful that the private list is not used for any discussions which should be publicly archived. The frequency of Board teleconferences was also discussed. Currently, teleconferences are held every 2 to 3 months. Some members suggested creating a single time slot for weekly discussions. If members had a planned time slot, it could allow them to participate more regularly, and receive more timely updates. A staggered schedule was also proposed, since a single time slot could prevent some members from participating at all, if they had other regular meetings that occurred at the same time. However, members believed that a single time would be more easily manageable. The topics for the meeting could be ad hoc, and there would not need to be a formal agenda or report afterward. If the tasks and roles for Board membership begin to require more involvement, more frequent teleconferences could help ensure that everyone is up-to-date. Since the face-to-face meetings are consistently more productive than the teleconferences (probably due to the personal dynamics involved in face-to-face interactions), MITRE is considering increasing the frequency of face-to-face meetings to every 4 months, instead of every 6 months. There was no discussion of the date and location for the next face-to-face meeting. Future CVE Activities --------------------- Because the level of verification required for voting on candidates has not been decided yet, it was difficult to set specific CVE content goals. The two main goals that were scheduled for discussion were to reach 1600 entries by June 1, and to reach 2000 entries by December 1. Many CVE goals in the past have been quantitative, focused on the number of entries and/or candidates. The Board identified some qualitative goals, including: - making significant progress in the CIEL effort - making CVE content more "real time" by creating candidates more quickly and updating CVE versions more often - increasing international reach by translating CVE into other languages and adding more international Board members - establishing working relationships with the various Information Sharing and Analysis Centers (ISAC's) - adding other types of members to the Board, such as end users, auditing organizations, and security services. Other future efforts were discussed. Some upcoming conference presentations were described; most of them will be for a different audience than previous presentations. Also, MITRE plans to collect case studies in which CVE users discuss how they have integrated CVE into their work. Board members were asked to contribute case studies. Senior Advisory Council Update ------------------------------ The Board was updated on the CVE Senior Advisory Council, which is composed of senior executives in U.S. government agencies, many of which provide funding for CVE. MITRE has been developing the Advisory Council for almost a year. A list of current council members was presented to attendees during the Editorial Board meeting. The Council held its first meeting on January 25, 2001, in Washington, DC. Since then, the charter has been finalized and sent to the Editorial Board mailing list. The Council will hold face-to-face meetings on a quarterly basis. Some meetings might include presentations from Editorial Board members. A web page on the Advisory Council will be added to the CVE web site. There were some questions about the lack of commercial involvement in the Council. MITRE had attempted to find commercial supporters in the early stages. However, it was unable to find the appropriate executives who might be interested in participating. Editorial Board members also suggested involving the ISAC's in the Advisory Council. The Council has decided to limit membership to government, but it recognizes that commercial involvement is important. However, there may be cases in which a commercial organization's membership on the Editorial Board is not appropriate to the specific tasks. MITRE may create a separate organization with an industry focus on CVE. The Editorial Board was also briefed on CVE's funding status. With respect to CVE itself, one of the Council's main roles will be in providing strategic guidance for the direction of CVE. For example, the Council has encouraged MITRE to involve the ISAC's more closely in CVE, conduct outreach to large organizations outside of the security industry, define qualitative goals, and concentrate more on CIEL. Board members expressed an interest in receiving regular updates regarding the status of the Advisory Council. Issues With CVE Content Decisions --------------------------------- MITRE presented its rationales for modifying some of the most common and complex content decisions (CD's) in CVE. (Content decisions are criteria that determine which items should be included in the CVE list, and the appropriate level of abstraction to use.) Some CD's are difficult to describe and formalize. In some cases, CD's can not be applied consistently due to the lack of available information, source code, and/or individual expertise. Some members have suggested taking an ad hoc approach to each candidate. However, now that additional members of MITRE's content team are producing candidates, and more people are reserving candidates for use in initial public announcements, there is a growing need to make CD's easy to describe, while defining them in a way that allows them to be applied consistently to each CVE candidate. For example, CD:SF-LOC ("software flaws/different lines of code") suggests how many candidates should be created when there may be multiple failure points (bugs) in a single product version. When applying the SF-LOC content decision, an analyst might encounter cases in which it is difficult to identify how many failure points exist. For example, the vulnerable product might not have source code which could tell the analyst if several different attack vectors ultimately reach the same failure point. As a result, the CD would be inconsistently applied to different vulnerabilities, depending on the amount of information available. In addition, later discoveries could force a change in the level of abstraction, which would require renumbering candidates or entries, increasing maintenance costs. In previous discussions, the Editorial Board had suggested taking a simple "split-by-default" approach in cases of uncertainty: i.e., if there is insufficient information to be sure that 2 issues are the same, then create separate candidates. Since MITRE adopted this approach, it produced a larger number of candidates than before, moved CVE to a lower level of abstraction than that used by most databases and tools, and made the effects of incomplete information even more severe. A more detailed description of these issues was posted to the Editorial Board mailing list on March 13. It is archived at http://cve.mitre.org/board/archives/2001-03/threads.html with the subject: [CD] Reconsidering "split-by-default" in content decisions To address the problems described above, MITRE has since adopted a middle-of-the road approach which is less dependent on the amount of information that is available at the time of analysis. The approach is: (a) separate reported issues by the type of the vulnerability; (b) if there appear to be multiple failure points of the same type - e.g. buffer overflow - then they should be combined into the same candidate; (c) write the CVE description, and use CVE's "dot notation," to indicate the possibility of multiple vulnerabilities of the same type; (d) if one vulnerability appears in a different product version than another, then they should be separated. Participants agreed that this approach, while not perfect, was satisfactory. Some members were concerned that the level of abstraction as specified by CVE content decisions is too high for some uses, e.g. academic study. In turn, this reduces CVE's utility to such users. Some people wanted CVE to be more precise (i.e. use a lower level of abstraction), as there are no other data sources that use that level. It is believed that CVE's "dot notation" could satisfy the needs of those users while maintaining the higher level of abstraction. However, there may be several ways in which a CVE item could be broken down into smaller parts, e.g. by individual failure points, or by the different scripts that are available for exploiting the vulnerability. Dot notation was originally accepted by the Editorial Board under the assumption that only one type of abstraction would be needed below CVE. The concept might be extended to support multiple types of abstraction. However, it will be important to ensure that each abstraction type has only one official notation. There are other cases in which the level of abstraction used by CVE is too low. For example, a single patch could fix multiple vulnerabilities. Many system administrators might prefer that only one CVE entry be used to cover all the possible issues. This problem is not being addressed at this time. For each candidate, MITRE records the content decisions that affect that candidate. This information is accessible to Board members, but it is not easily obtained by the public (although it is included in candidate voting ballots, which are recorded in the mailing list archives). MITRE intends to make this information more easily accessible to those people who wish to understand which candidates were affected by such approaches to content decisions. The data will probably be provided as a separate extension, like reference maps. CVE Compatibility ----------------- MITRE provided the Board with an update on its evolving process for establishing CVE compatibility and providing the appropriate branding, and recent issues that have come to light. Bob Martin of MITRE is the task leader for CVE compatibility. Some vendors have unquired about CVE compatibility for products whose first versions were still in beta or alpha development. To reduce the risk of including CVE compatibility declarations for "vaporware," MITRE has decided to only post declarations for products that have had at least one full public release. (There is no such restriction for products in beta development for which previous versions have already been released.) It was suggested that vendors with other CVE-compatible products could be exempt from this restriction when they are ready to release a new product line. An additional requirement will be added in which the vendor's product documentation must include a description of how the product uses CVE names. CVE-related documentation will be useful for MITRE to perform its evaluation. It will also help end users, because each product will implement CVE compatibility in a different manner. Board members did not object to this additional requirement. A new category of CVE-compatible "product" is also emerging - security services. Such services often use tools from multiple vendors, and they provide reports to their customers. The high-level requirements (searchibility, output, and mapping accuracy) still apply to services. However, the implementation of "searchability" is not necessarily clear for services. The current thinking is that a service is CVE-searchable if either (a) it can provide the customer with a list of CVE names for vulnerabilities that are identified by the service, or (b) if a user provides a list of CVE names to the service vendor, the vendor can list which of those CVE names are identified by the service. As the number of categories has grown - tools, databases, web sites, and now services - the current requirements document is getting larger and less easy to manage. The requirements document will be modified accordingly, possibly by creating separate implementation documents for each type of product. There was a question regarding whether compatibility applied to a specific product and CVE version. MITRE's evaluation of a specific product will occur relative to a particular version, but as long as the vendor follows the appropriate requirements for remaining up-to-date and accurate with the product's mappings to CVE, then the product remains compatible. Thus, compatibility reflects the functional implementation and the process of maintaining accuracy, instead of being associated with a specific version. However, there are still some issues with respect to how CVE versions should be properly handled and advertised within the product itself. In cases of abuse, the requirements allow MITRE to revoke CVE compatibility. It was suggested that MITRE could provide an external "complaint" mechanism for handling user's problems related to a product's CVE compatibility; however, most problems should be handled by the vendor's technical support capability. MITRE is also considering performing a periodic renewal of compatibility for a product, possibly at the vendor's request. Process for CVE compatibility evaluation and branding ----------------------------------------------------- MITRE's current approach for establishing compatibility involves two stages. Stage 1 includes: - the vendor's declaration of intent for compatibility - an endorsement quote from the vendor (if desired) - review of the declaration by a knowledgeable CVE team member - publication of the declaration on the CVE web site Stage 1 is currently implemented for all products. However, it does not result in an official evaluation by MITRE that a product is CVE-compatible. The second stage, which MITRE is now developing, identifies this process. Stage 2 includes: - MITRE provides the vendor with a questionnaire in which the vendor provides details on how the requirements have been implemented in the product. - The vendor provides MITRE with a written statement of compatibility, i.e. the completed questionnaire. - The vendor provides MITRE with the CVE-related user documentation for the product. - The vendor provides MITRE with the mapping from product-specific vulnerability items to CVE names. - MITRE verifies the accuracy of the mapping, possibly by analyzing a random sample. - MITRE evaluates the vendor's statement of compatibility to ensure that it addresses the requirements by examining user documentation or screen shots, and/or running the tool itself - If the mapping is accurate, and the statement of compatibility and other materials satisfy the requirements, then MITRE establishes a concurrence with the statement. - MITRE provides the vendor with access to a CVE-compatible logo and other CVE promotional materials, possibly through a restricted web site. - The vendor's statement, and MITRE's concurrence, is posted on the public CVE web site. If the vendor wishes, MITRE will be able to sign a non-disclosure agreement during the second stage, until the final statement is published. The process is designed to minimize the expense for vendors and MITRE in evaluating compatibility. MITRE wants to avoid an expensive evaluation process that makes it too expensive for freeware or smaller software vendors to obtain compatibility. The questionnaire and statement of compatibility are designed so that the vendor properly understands and implements the requirements. The publication of the vendor's statement on the CVE web site allows end users to compare how different products satisfy the requirements; the market could then decide which specific implementations are best. There were no objections to publicizing the statements of compatibility. The Editorial Board agreed with this high-level approach. MITRE will continue to implement the details of the process. Candidate Reservation and Candidate Numbering Authorities (CNA's) ----------------------------------------------------------------- MITRE discussed the current process for candidate reservation, i.e. the means by which vulnerability researchers, vendors, or third parties can obtain CVE candidate numbers for inclusion in public announcements of vulnerabilities. Candidate reservation begins with a requester, i.e. the researcher, vendor, or third party. The requester, if new, will typically inquire about the process; MITRE provides a description and rationale for the process. MITRE also asks for details of the vulnerability, in order to apply content decisions to determine how many candidate numbers must be assigned. MITRE does not require such details, however; there may be reasons why the requester is unwilling or unable to provide such details, e.g. because of an NDA with the affected vendor. If the requester does not provide any details, MITRE still provides a candidate (this is referred to as blind candidate reservation). Blind reservation has some benefits because the public has immediate access to the candidate number when the issue is first publicized. Also, there is a reduced risk of accidental disclosure, since MITRE does not have the information. However, there is an increased risk that the requester will use an incorrect number of candidates, or use a candidate for a rediscovered issue that already has a CVE name. Once all available details are provided, MITRE checks to see if the problem is new, applies the CVE content decisions, and determines the number of candidates necessary. This may require further consultation with the requester. MITRE then sends the candidates to the requester, along with descriptive text that could be included in the resulting advisory. Related communications, along with details of the vulnerability, are then either encrypted or destroyed in order to reduce the risk of accidental information exposure. MITRE then publishes the candidates on the CVE web site. The description indicates that the candidate was reserved, but it does not contain any details about the problem (since the issue hasn't been published yet). Sometime later, the requester publicizes the vulnerability (e.g. in a security advisory or in a mailing list post). The requester includes the candidate number in the publication and notifies MITRE. MITRE then updates the CVE web site with the specific vulnerability details. Since there is a delay between the publication of the vulnerability and the update of the CVE web site, there is an increased reliance on the requester to notify MITRE of publication; however, this does not always happen in practice. If the candidate was reserved blindly, it may take longer to update it, since the vulnerability analysis must be performed after publication. The candidate is eventually proposed to the Editorial Board for review and commentary, along with other candidates that are created through the submission stage as described earlier in this document. If the candidate becomes an official entry, then MITRE notifies the requester, who updates the advisory with the new CVE number, if possible. (This is not feasible in the case of mailing list archives). Blind Candidate Reservation Discussions --------------------------------------- The Editorial Board provided some feedback on the current process, especially the role of blind candidate reservation. Some members expressed concerns that blind candidate reservation could cause too many problems and weaken the credibility of CVE, especially if the candidates are at the wrong level of abstraction relative to CVE. While statistics are not available, of the 100 candidates that were reserved, approximately 20 to 25 of those reservations were blind. There has already been a case in which blind reservation produced an inappropriate number of candidates relative to CVE's content decisions. There was also a separate case in which a candidate was obtained for an issue that already had another candidate number (though it did not take place through blind reservation). CVE diligence levels could partially address such concerns, since a requester who uses candidates inappropriately could get a lower diligence level, and eventually may not be allowed to reserve candidates again. However, some members said that diligence levels would not help, because the candidates would already be public and CVE's credibility would be affected even if the requester is not allowed to obtain more candidates. In addition, some of these errors have been made by major researchers. There could also be a credibility problem if researchers obtain candidates for vulnerability reports that turn out to be false, but Board members did not discuss this problem in detail. It was suggested that MITRE should not perform blind candidate reservation unless the requester can show that they understand CVE content decisions well enough that they can request the appropriate number of candidates. Board members agreed that this was a good approach, and that the risks of blind candidate reservation outweighed the benefits. It was also suggested that if blind reservation occurs, then the candidate should be clearly identified as such, so that educated CVE users can understand that the level of abstraction may be inappropriate. There was some discussion regarding why some organizations do not use blind candidate reservation, even if they have established that they use candidates reliably. Some requesters believe that providing MITRE with such non-public information is an acceptable risk. The additional review by an outsider increases the chances of detecting a duplicate issue that was already publicized. MITRE also becomes a "test subject" for the advisory that is being drafted, and as such can identify potentially confusing descriptions. Since there are some subtleties with respect to content decisions in which the guidelines are not necessarily clear, there is greater assurance of consistency with MITRE's involvement. Other Candidate Reservation Issues ---------------------------------- There was some discussion of situations in which multiple requesters ask for candidates for the same issue. This problem had been addressed before. Since newly discovered and unpublicized vulnerabilities are competitive information, MITRE cannot make the requesters aware that they have discovered the same problem. MITRE also cannot provide the same candidate to both requesters, because the later requester may be able to tell that the candidate had already been reserved. A specific example was provided, in which ISS and NAI both discovered buffer overflows in Network Monitor, and 2 candidates were provided (CAN-2000-0817, CAN-2000-0885). Including the affected product vendor in the candidate reservation process would minimize this risk of duplication, since the vendor would know about the duplicate, and could provide the same candidate number to both parties. Since the publicized information uses candidate numbers, educated CVE users would understand the risk of duplication; in addition, the candidate voting process would be able to publicly document and address the duplication. Some members expressed concerns that candidates were being assigned to issues too early. There was some discussion regarding the role of Bugtraq ID's and CVE candidates with respect to early vulnerability information, as well as the process by which Bugtraq ID's are assigned, but the members at the meeting did not know enough details to have a substanive discussion. It was also observed that the reservation process document that is sent to the researcher, which advocates using the SecurityFocus VulnHelp service to provide a Bugtraq ID (BID), might cause a problem because SecurityFocus is a commercial organization. The document currently recommends obtaining the BID for several reasons: (a) it is one of the most commonly used references, which ultimately helps end users when mapping to CVE names; (b) it is expected that as the number of people reserving candidates increases, more and more people will not follow the normal process of resonsible disclosure; thus the VulnHelp recommendation may increase the chance for responsible disclosure; and (c) there are no other commercial organizations at this time that provide such a service and offer a commonly used identifier. However, CERT/CC is not recommended as an option in the current documentation. The documentation will be reviewed and modified to address such concerns. The Board also discussed the distinction between Bugtraq ID's and CVE candidates. The difference is difficult to describe easily, and reflects the partial overlap between how the two are used, especially in the early stages of vulnerability information. Much of the discussion was hampered because critical members were not able to participate in the meeting. However, the distinction may become more clearly defined as time goes on. Candidate Numbering Authorities ------------------------------- MITRE discussed some of its plans for creating additional Candidate Numbering Authorities (CNA's). Certain organizations could be given the ability to reserve a collection of candidate numbers (a "pool") which they could assign and use in the initial disclosure of vulnerabilities. CNA's could increase the number of candidates that are used in initial vulnerability announcements, without involving MITRE as an additional party and increasing the risk of accidental disclosure. CNA's could increase the speed with which candidates are assigned to new problems and publicized. This is presently difficult for MITRE because it needs to process the large backlog of legacy submissions before it can concentrate solely on new vulnerabilities. Finally, if CNA's are the same organizations who are currently involved in vulnerability disclosure, then they might be able to integrate candidates into their own processes more easily than if MITRE were directly involved. Software vendors and certain third parties could be CNA's. In recent months, Microsoft has been obtaining pools of candidate numbers for its own security bulletins, and as such is effectively a CNA already. MITRE has begun exploring this option with other potential vendor CNA's, primarily major operating system vendors. Third parties who act as an interface between the researcher and the vendor - e.g. CERT/CC and SecurityFocus - could also be CNA's. While it is expected that third party CNA's should be well-known and trusted, there are special issues with third party CNA's that need to be addressed. There are several issues related to general CNA operations that need to be resolved. Proper coordination across all involved parties is necessary, to ensure that the same candidate number is used by all parties. This could be difficult for cases in which multiple vendors, researchers, or CNA's are involved. There is also an increased risk of duplicate candidates as more organizations become involved. If diligence levels are formally adopted, then all CNA's will need to be able to have access to that information, and possibly help maintain it. (Diligence levels, as currently written, need to be simplified.) It may be difficult to publicize which CNA's, vendors, and researchers use candidates, or to properly educate those who don't. In addition, the exchange of CVE names may not fit well with the current practice in which vulnerability information is shared before publication. CNA's will also need to follow CVE content decisions, which are not well documented or finalized yet. (An approach was developed with Microsoft which ensured consistency with CVE content decisions.) There are also potential risks of abuse by CNA's that are also commercial organizations, whether they are vendor or third party CNA's. There may be complications if a vendor CNA disagrees with a researcher's assessment of a vulnerability; in that case, the researcher could contact MITRE or another CNA if necessary. The discussion of CNA's was cut short due to time restrictions and the lack of appropriate Board members who could best discuss the topic. The idea will be developed in future discussions. CVE Maintenance Issues ---------------------- The process for modifying and deprecating existing CVE entries, and rejecting candidates, was briefly reviewed. More details are in the January teleconference summary at http://cve.mitre.org/board/archives/2001-01/msg00010.html. Since CVE currently has some duplicate entries, those entries will be proposed for deprecation before the next version. Similarly, a number of entries will be modified, and several candidates will be rejected (mostly because they are duplicates). Rethinking the CVE naming scheme -------------------------------- There was also some discussion regarding the current CVE naming scheme. There are two basic problems: (a) CVE names are normally not considered atomic, and as such are not easily found by most search mechanisms; and (b) the differing candidate and CVE numbering schemes cause maintenance and search problems. The current naming scheme for CVE entries is CVE-YYYY-NNNN; for candidates, it is CAN-YYYY-NNNN. However, many search engines separate the name into 3 different terms (CAN, YYYY, NNNN) because the hyphen is considered a word separator. This makes it difficult to easily find CVE information via search engines. In other cases, special quoting may be necessary. For example, a database query for a CVE name might need to quote the hyphen; otherwise, the query might return items that do *not* match the YYYY or NNNN portions of the name. Finally, the encoding of the year in the name may cause some problems with misuse, as indicated in a previous section on determining a numbering scheme for legacy candidates. Dot notation, depending on how it is implemented, could cause additional problems for searchability. Problems also arise because the candidate naming scheme (CAN-YYYY-NNNN) is slightly different than the CVE naming scheme (CVE-YYYY-NNNN). While the name visually tells a user about the status of a CVE item (candidate or entry), it can also cause some problems. For example, when a candidate becomes an official entry, all CVE-compatible vendors would need to update their databases to convert the candidate number to a CVE number. This could be labor intensive. In addition, users might still search for the candidate number instead of the CVE number; most CVE-compatible products will not find the associated CVE entry if the user uses the candidate number in the search. To avoid this problem, each CVE-compatible product would need to implement a specialized function. Some products omit the CAN- and CVE- prefixes outright, but this prevents the user from knowing whether the item is a candidate or an entry. The CVE web site handles these discrepancies flexibly, but it requires some special code. Many CVE-compatible tools are not as flexible, and such a capability is not required because CVE compatibility does not require use of candidates. A solution is to construct the CVE names in a way that minimizes these types of implementation problems. Using just a number would not be appropriate, because numbers are so commonly used in so many databases and search engines. A scheme like the one used by the arachNIDS IDS signature database, e.g. IDS297, might be better. If such a scheme is adopted, then the status of a CVE item - whether candidate or entry - could be noted as a separate field in CVE. There were no objections to this proposal. No decisions were made with respect to changing the CVE numbering scheme. It is uncertain how many products or web pages currently use the existing names, and how the names are actually implemented. There will be high maintenance costs in some cases, along with additional education of the public. However, in the long term, it may be appropriate to use a different numbering scheme. These problems could be reduced if candidates are promoted to CVE entries faster. However, that would require more active participation by the Editorial Board in voting. Also, if stringent verification requirements are adopted for CVE entries, there may be permanent candidates. Common Intrusion Event List (CIEL) ---------------------------------- A dynamic discussion was held regarding the progress of the Common Intrusion Event List (CIEL), which is being developed by Bill Hill and Steve Christey at MITRE, with additional support from other MITRE personnel. CIEL is sometimes informally described as "a CVE for intrusion detection." It is intended to provide a naming scheme for events - whether on a network or on a host - that may be useful in detecting intruder activities, but are not directly associated with CVE items. For example, port mapping, ping mapping, legally structured network requests, or failed binary integrity checks do not easily map to CVE entries. In addition, the process that is being used for assigning CVE names might not be appropriate for IDS events. MITRE has produced a draft CIEL which contains 37 entries, most of them at a high level of abstraction, with additional fields that support lower levels of detail. MITRE has begun mapping various IDS signatures to CIEL names and using those mappings for analysis. In one experiment, MITRE was able to reduce the number of reported events by 15 percent, by converting the logged events to CIEL names and removing duplicates. MITRE has been observing the development of the data models of the IETF Intrusion Detection Working Group (IDWG) to identify possible conflicts with CIEL. The IDWG efforts are more comprehensive in scope. A common attack name is a small but important part of the data models, which specifically mention CVE and the Bugtraq ID as potential naming schemes. CIEL Assumptions and Rationales ------------------------------- MITRE presented the assumptions and rationales for its approach in developing the draft CIEL. Since intrusion detection is event-focused instead of vulnerability-focused, MITRE decided to develop it independently of CVE. Various "CVE lessons learned" were used to guide the creation of the draft CIEL, but the expected use of CIEL drove its development. MITRE's own research and operational efforts in intrusion detection provided additional guidance. The initial focus was on network-based events; however, CIEL is expected to include host-based events as well. Several assumptions were made during development of the draft CIEL: - there is a wider variety of IDS events than vulnerabilities - there is more variety across IDS's in the level of abstraction (or level of detail) than there is in vulnerability scanners and databases. - there is not much well-defined and commonly accepted terminology in IDS CIEL Discoveries ---------------- It was often difficult to understand how an IDS examined and identified an event, as details were rarely provided. This was often critical in deciding how to name the event. It was recognized that the actual method of detection might be competitive information. Since those details may not be publicly available, users should be able to assign a CIEL name without them. Thus it was decided to create CIEL entries for each event as it is reported, independent of how the IDS identifies the event. However, the lack of information could make it difficult for non-vendors to create CIEL mappings, which would limit the end user's ability to make an IDS "CIEL-compatible." This problem is not so serious in vulnerability scanners and databases. MITRE examined the construction of CIEL for satisfying two main purposes: normalizing data in order to facilitate quantitative analysis (e.g. for comparing tools by counting how many CIEL entries they have), and supporting the exchange of information across tools. Often an approach would be useful for one purpose but not the other. With the varying levels of abstraction used by tools, CIEL's use as a data normalizer could be limited. The focus for creating CIEL was therefore on supporting information exchange, and the approach addressed several important issues that were encountered in the draft CIEL's creation. However, this approach may have an impact on CIEL's use in metrics. CIEL "Content Decisions" ------------------------ Part of CVE's success is due to its simplicity. MITRE decided that this should be a requirement for CIEL as well. While the CIEL name has multiple components and is different than a CVE name, it is still basic enough that it can be represented with a simple syntax. Since IDSes operate at more widely varying levels of abstraction, it was decided that CIEL would need to support multiple levels of abstraction. Thus, most CIEL entries are hierarchical in nature. However, there were cases in which a type of event was unique to a type of attack, application, or protocol. It was decided that such unique characteristics, if reported by IDSes, would need to be captured by a CIEL entry, even if the entry was at a lower level of abstraction. For example, the FTP bounce attack is specific to the FTP protocol, and could not be easily described by CIEL entries that were at a higher level of abstraction. Some difficulties in creating the first CIEL entries involved the types of events that are reported by today's IDS technology, in comparison with events that might only be detectable by future IDSes. It was decided that the focus should remain on the types of events that can be detected by current IDS technology. CIEL Entry Data --------------- The following information is included with each entry in the draft CIEL. 1) Name - the CIEL name, of the form CIELn, where n is a unique number. 2) Description - a short description of the entry. 3) Context fields - additional fields that provide additional information that may help distinguish events at a lower level of abstraction. Up to 3 different context fields can be used for each CIEL entry. The types and values of each field are dependent on the specific CIEL entry. Context fields could allow IDSes that operate at different levels of abstraction to share information at a high level, via the same base identifier (the CIEL name). In some cases, context fields were used to handle cases in which it was infeasible to use separate CIEL names for each "instance" of an event type. For example, there is a single draft CIEL entry that is related to Trojan horse activity, with a context field whose value indicates the specific Trojan horse being used. Many context fields in the draft CIEL would require normalized values. CIEL will need to include such "value mappings" to ensure consistency across IDSes. (For example, one IDS might report "Tribe Flood Network," whereas another one reports "TFN"; such information, which may be recorded in a context field, needs to be normalized.) 4) Notes - background information on the rationale behind the CIEL entry, or a description of which context fields would need normalized values. A short symbolic name was also provided for ease of use in mappings, and may be included in later CIEL versions. Most items in the draft CIEL did not have good references that would describe the type of attack in more detail; thus, references were not included. Review of Draft CIEL Entries ---------------------------- MITRE presented several draft CIEL entries for discussion. The examples were posted to the Editorial Board mailing list, and are archived at http://cve.mitre.org/board/archives/2001-03/threads.html with the subject "[CIEL] Extracts from the Draft CIEL" 1) CIEL1, which is used to describe all types of ICMP events (ping, netmask request, etc.). The context fields are used to identify the type and code, as defined in the ICMP RFC. 2) CIEL2, which describes TCP related activities. The context field captures the source and destination number. One problem with respect to this entry is that some IDSes may detect and report services on nonstandard ports. 3) CIEL22, which identifies attacks on specific vulnerabilities in the targeted systems. The context fields include the name source (e.g. CVE), and the actual name (e.g. CVE-1999-0067). The allowance for multiple naming schemes is currently being used in IETF Intrusion Detection Working Group (IDWG) standardization efforts, so it made sense to support it here. 4) CIEL23, which describes Trojan Horse activity. The context fields include the name of the Trojan, the specific action being taken, and any arguments that may be extracted or identified. 5) Some lower-level entries. Board members believed that these entries might be captured by other higher-level CIEL entries in the draft CIEL; or, additional high-level entries could be constructed. Some Board members questioned the use of a single CIEL entry, CIEL22, to describe all possible attacks on specific vulnerabilities. This reflects MITRE's decision to design CIEL for interoperability instead of metrics. Some IDS'es may detect hundreds of vulnerability exploits, but they would only be covered by one high-level CIEL entry. However, interoperability is still possible by using the context fields that identify the name of the vulnerability being exploited. It was posited that all items covered in an IDS could be described by some vulnerability or exposure, and as such would always have some CVE name associated with it. Future efforts in CIEL (and CVE) will show whether or not this is the case. Some Board members said that the draft CIEL as presented makes it difficult to determine the CIEL name for events that fall under the higher-level CIEL entries, i.e. events that can only be described using context fields. Strong networking knowledge or research is often needed. For example, to determine the CIEL name for an ICMP echo request (ping), the CIEL user would need to know that the type is 0 and the code is 8. This significantly reduces the usability of the draft CIEL as currently written. A reference document could be created that matches well-known events (such as ping) with their CIEL names to increase usability. It was also proposed that a naming system similar to the Dewey decimal system could be adopted; the CIEL name, in conjunction with its context fields, may be similar. Many participating Board members, especially the IDS vendors, found that the high-level draft CIEL entries did not seem to describe same categories that they might have used. In some cases, the problem may have been due to MITRE's lack of information on the precise way in which some signatures were detected. As such, the draft CIEL may represent more of an end-user perspective than a vendor's perspective. Board members also discussed some CIEL entries that were at a much lower level of abstraction than others. Members believed that they could create a higher-level entry which would include the lower-level items. Overall, the Board agreed with the hierarchical nature of the draft CIEL. CIEL Future Work ---------------- MITRE will create a CIEL working group and mailing list that is part of the CVE Editorial Board. MITRE plans to add other members to the Board for the purposes of the working group. The group may be expanded to include other individuals or organizations who are not part of the Editorial Board. MITRE will provide the working group with the full draft CIEL as a starting point for further discussions. Board members discussed adapting the draft CIEL to reflect a more natural classification of IDS-reported events. Each member could provide a representative list of approximately 20 signatures from their products, and a proposal for high-level CIEL entries that would cover those signatures. The end result could be a draft CIEL that is better suited to interoperability of IDS products. MITRE will continue to use its draft CIEL to create mappings, perform some analytical tasks, and share lessons learned with the working group.