Firewall Wizards mailing list archives

RE: The Common Vulnerabilities and Exposures taxonomy


From: "Anton J Aylward" <anton () the-wire com>
Date: Thu, 21 Oct 1999 12:33:34 -0400

On Thursday, October 21, 1999 10:37 AM Adam Shostack said:

> Russ and Scott have commented on the taxonomy issue, so I'll add that
> the CVE is also not a database.  The closest analogy is either a
> multi-lingual dictionary or the latin name for a species (although
> this is a bad analogy when you dig deep.)

The multi-lingual database makes sense.
The latin name for a species is a result of a taxonomy.
It's not the same thing.

> Similarly, what CERT calls CA-98.11.tooltalk maps onto what ISS calls
> tooltalk and aix-ttdbserver.  Both map into CVE-1999-0003.

That's good and useful, but it's not a taxonomy.

OK, so what I'm complaining about here is the inappropriate use of the term
"Taxonomy".  Unless you can make categorical statements such as "All plants
have cellulose cell walls", you don't have a system of classification.
This is important, because there are classes of animals that don't have
the enzymes to digest cellulose and so can't live on plants.

Can we make the same kind of classification of vulnerabilities?
I suspect so.  Buffer over-run implies input buffers, such as 
command lines.  Does the OS support this or not?  Does the OS
support different levels of protection?  Does it have the ability
to spawn processes or not?   

What I'm doing here is looking at things from the point of view
of an architecture, and hence a hierarchy.  It goes beyond the
OS or even the hardware.  

Perhaps some groupings are inappropriate and useless, such as "the class
of all creatures that have four limbs, one in each corner" vs. "the
class that has four limbs but not one in each corner".  But if you're
going to call this a taxonomy and not an enumerated listing, you need
classes and criteria to determine if a specific item belongs to a class
or not.  And conditions for creating new classes.

Of course you could just stop calling it a "taxonomy" and I'll stop
berating you for it.

> The latin name analogy is that for certain common organisms (e. coli),
> the name is standardized, and you can lookup things about e. coli.
> You can also look things up about h. sapiens, but there are other
> names for homo sapiens that might help the average joe at the
> library.  This analogy fails because the latin names are actually the
> last two components (genus and species) of the organisms' taxonomic
> classification.  With CVE, there is no accepted taxa of
> vulnerabilities, and thus, no analogy for the genus and species.

Right.
Which means it isn't a taxonomy.
To my mind the issue is simple.  Should it be or not?
Personally I think research into the possible lines of categorisation
would be useful.  See, for example, Fred Cohen's Security database
at www.All.net.  You may disagree with how he's categorised things,
but he has categorised them.

> I am very enthusiastic about the CVE not only because it will allow
> tools to talk to each other, but has the potential to allow databases
> to be cross referenced based on a common key.

Yes, that would be a massive advantage.
But I wonder how many entries would not have a reference.

> That is a critical part of
> starting to share information about vulnerabilities in a structured
> way.  Such sharing of information -- being able to agree on what
> you're talking about -- is a critical precursor to doing a scientific
> analysis of the problems that exist.  (You can do science without it,
> but it's hard.)

Damn right.
Taxonomy, as many writers on the history of science have pointed out,
is the basis of a science.   However, there are many pseudo-sciences
(e.g. close encounters of the Nth kind) that also employ taxonomy
and statistics to bolster their credibility.  Having a taxonometric system
doesn't make you a science, lacking one doesn't mean you're not a science.
Some sciences, for example psychiatry, which overused the category "schizophrenia",
have been crippled by inappropriate classification schemes.

--------------------------------------------------------------------
Anton J Aylward, CISSP          | The Internet is not the greatest 
System Integrity                        | threat to information security; 
InfoSec Auditing & Consulting   | stupidity is the greatest threat 
Voice: (416) 421-8182           | to information security. 
aja () si on ca                         |   Will Spencer <will.spencer () gte net>
