Discussion point: CONSPEC - Context-specific Issues

> variety of use cases that counts. Size and scope can be effectively
> managed with views.
>
> That is my 1 cent for now (I don't currently have time to throw two
> pennies in the ring).
>
> Sean Barnum
> Cigital, Inc.
>
> -----Original Message-----
> From: owner-cwe-research-list@...
> [mailto:owner-cwe-research-list@...] On Behalf Of Steven

> Well, while I don't necessarily agree from a knowledge architecture perspective, we can definitely agree on the beer and the difficulty of discussing this kind of issue in depth through email. Verbal discussion of this kind of detailed issue can be much more effective.
> Anytime you want to call a CWE brew forum, I will be there. :-)
>
>
> sean
>
> -----Original Message-----
> From: Jarzombek, Joe [mailto:Joe.Jarzombek@...]
> Sent: Wednesday, November 14, 2007 12:44 PM
> To: Sean Barnum; Jarzombek, Joe; ldw
> Cc: cwe-research-list@...
> Subject: RE: some challenges for CWE -- "discernible" characteristics in descriptions
>
> More generality in the unique CWE ID with a description that still
> includes a "discernible" characteristic could still provide that
> requisite granularity in the decomposition/details within the CWE ID.
>
> For instance, if we specified the "discernible" characteristics for
> patterns associated with integer coercion and path traversal, then each
> characteristic could provide the basis for a unique CWE ID.  Of course,
> the level of granularity for each meaningfully "discernible"
> characteristic might be the basis for determining meaningful "views"
> that need to be reflected in the details.
>
> This is just thinking 'out loud' -- the subject would be better
> discussed in an open (but small) group -- perhaps with a beer in hand.
>
> v/r,
>
> Joe
>
> Joe Jarzombek, PMP
> Director for Software Assurance
> National Cyber Security Division
> Office of Assistant Secretary
>    for Cyber Security & Communications
> Department of Homeland Security
>
> e-mail:  Joe.Jarzombek@...
> Cell Phone:  703 627-4644
> Business Phone:  703 235-5126
> Fax:  703 235-5961
> http://www.us-cert.gov/swa/  "Build Security In"
> https://buildsecurityin.us-cert.gov
>
>
> -----Original Message-----
> From: Sean Barnum [mailto:sbarnum@...]
> Sent: Wednesday, November 14, 2007 12:19 PM
> To: Jarzombek, Joe; ldw
> Cc: cwe-research-list@...
> Subject: RE: Patr Traversal and some challenges for CWE
>
> Joe, I am not sure I understand what you are trying to say.
> Are you arguing for more granularity or more generality?
>
> sean
>
> -----Original Message-----
> From: Jarzombek, Joe [mailto:Joe.Jarzombek@...]
> Sent: Wednesday, November 14, 2007 12:04 PM
> To: Sean Barnum; ldw
> Cc: cwe-research-list@...
> Subject: RE: Patr Traversal and some challenges for CWE
>
> These nuances should cause us to more effectively address naming
> conventions with decomposition details that could offer the requisite
> granularity as part of the description/examples of each CWE ID.
>
> As such, I would rather see a smaller number of more generalized entries
> for CWE descriptions.  How many unique CWE IDs are truly useful for
> integer coercion and path traversal?  What would be wrong with the
> desired granularity being in the details that could be structured to
> enable unique "sub-IDs" within the CWE ID?
>
> It would seem that keeping the granularity contained within details,
> such that the descriptions reflected in further decomposition could me
> more useful to a broader stakeholder community.
>
> v/r,
>
> Joe
>
> Joe Jarzombek, PMP
> Director for Software Assurance
> National Cyber Security Division
> Office of Assistant Secretary
>    for Cyber Security & Communications
> Department of Homeland Security
>
>
> -----Original Message-----
> From: owner-cwe-research-list@...
> [mailto:owner-cwe-research-list@...] On Behalf Of Sean
> Barnum
> Sent: Wednesday, November 14, 2007 11:18 AM
> To: ldw; cwe-research-list@...
> Subject: RE: Patr Traversal and some challenges for CWE
>
> One example of why this granularity is important is for people assessing
> tools and developing tools.
>
> For people assessing tools, it is a matter of precision. If several
> variations of a weakness are generalized up into the description of a
> higher level weakness, then there is no way to assert, measure or track
> which of the variations the tool finds and how well. It becomes a binary
> condition and the assessor would need to decide if a 'yes' on whether
> that weakness was covered was determined by the fact that all variations
> were covered or that even a single one in the list was covered. There
> would be no in-between.
>
> For people developing tools, it is a matter of configuration management.
> Let's assume that at Time0, a given abstraction node lists 5 variations
> in its description and a tool vendor has ensured they cover all of those
> variations and thus can claim coverage of the CWE. If at Time1, 5 new
> variations are determined to be appropriate and the description field is
> simply modified to yield a list of 10, it becomes a more difficult thing
> for the tool vendor and all users of the CWE to manage the configuration
> issue than if each variation was a sub-node. Higher granularity of nodes
> does not fully solve the configuration problem but makes it a lot
> easier.
>
> By keeping the granularity in the CWE but using views to only display
> the desired granularity to each user, we serve the needs of the users
> who need the higher granularity without putting undue clutter on those
> who wish a more minimal set.
> As I stated before, I don't believe we have any responsibility to make
> sure that all possible variations are covered (the slippery slope) but
> only the common (as in CWE) ones that people report they look for (tool
> vendors and tool users).
>
> Sean
>
> ________________________________________
> From: owner-cwe-research-list@...
> [owner-cwe-research-list@...] On Behalf Of ldw
> [larry.wagoner@...]
> Sent: Wednesday, November 14, 2007 9:50 AM
> To: cwe-research-list@...
> Subject: RE: Patr Traversal and some challenges for CWE
>
> I would rather see a smaller number of more generalized entries.  The
> path
> traversal
> is a good example of why additional entries should not be.  Absolute
> path
> traversal
> and relative path traversal should be the limit to the granularity.
> Details
> can be part
> of the description/examples of each.  If we did the same with integer
> coercion as
> has been done with path traversal , where would the entries end?
>
> I'm not arguing against the granularity, but rather keeping the
> granularity
> contained
> within the descriptions.  I agree with Sean that the granularity could
> be
> useful.
> But I do not see a reason for a huge number of entries that will
> ultimately
> come
> down to a splitting of hairs in many instances.
>
>
> Sean Barnum wrote:
>> Sure. I will argue for inclusion rather than exclusion.
>> This does not mean that I would argue for a "complete" exposition or
>> capture of all combinatorics, but fully believe than more granularity
> and
>> precision is better where it is applicable and makes sense.
>> If specific variations/cases have been identified through practical
>> experience by researchers, security analysts, tool vendors, and
> others,
>> then it makes sense to capture all of these as CWEs with appropriate
>> abstraction relationships defined. To not keep this granularity where
> it
>> has already been identified is throwing away potentially useful
> knowledge.
>> I would argue that in many of these cases (but not necessarily all),
> this
>> more granular information is useful for tool vendors (or those
> assessing
>> tools) and for security analysts performing both automated and manual
>> analysis of software. The potential solutions to things like path
>> traversal can vary and while there are some solutions that should
> solve
>> the problem for most if not all variations, there are numerous
> solutions
>> that will only catch some of the variations and not others. Removing
> this
>> differential by abstracting them all up into one higher level node is
>> doing the community a disservice.
>>
>> The solution to the problem is using views. With appropriate views, if
> you
>> don't want to see that level of granularity, you don't have to. If you
> do,
>> then you can. The full set of underlying information should be left
>> unmolested unless absolutely necessary. The number of CWE IDs should
> not
>> be a concern. It is the utility and accessability of the information
> for a
>> variety of use cases that counts. Size and scope can be effectively
>> managed with views.
>>
>> That is my 1 cent for now (I don't currently have time to throw two
>> pennies in the ring).
>>
>> Sean Barnum
>> Cigital, Inc.
>>
>> -----Original Message-----
>> From: owner-cwe-research-list@...
>> [mailto:owner-cwe-research-list@...] On Behalf Of Steven
> M.
>> Christey
>> Sent: Monday, October 22, 2007 4:36 PM
>> To: Jarzombek, Joe
>> Cc: CWE-RESEARCH-LIST@...; Pascal Meunier
>> Subject: RE: Patr Traversal and some challenges for CWE
>>
>> On Thu, 18 Oct 2007, Jarzombek, Joe wrote:
>>
>>> I, too, like the idea of avoiding a large number of CWE IDs that vary
> on
>>> a single, simple detail that could be easily abstracted and stored.
>> Are there others on this list who either agree or disagree?  For those
> who
>> advocate a greater level of detail with more CWE IDs, what is the
> use-case
>> that makes this important for you?
>>
>>> Let's discuss the desired solution/selected implementation at our
>>> upcoming Software Assurance Working Group session on Technology,
> Tools
>>> and Product Evaluation, 4 Dec in Arlington, VA.  Since CWE provides
> the
>>> foundation for our SwA Ecosystem, we would also provide a short
>>> out-brief during the plenary session on 5 Dec.
>> We will ensure that we capture the different proposals and relevant
>> use-cases, and we will summarize the results of that meeting to this
> list.
>> My hope is that, with CWE's hierarchical layout and some
> well-constructed
>> views, we can come up with a representation that addresses everybody's
>> needs.  An 'ecosystem view' might only go to a certain depth of the
> tree,
>> hiding some nodes that are too low-level for that particular view.
>>
>> For us to ensure that CWE can meet the diverse needs of the community,
> we
>> need to be sure that everybody on this list speaks up, publicly or
>> privately, pro or con, even if it's a "me too" statement :)  I'm glad
> for
>> the responses we're getting, but even more would be better.
>>
>> Thanks all,
>> Steve
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Discussion-point%3A-CONSPEC---Context-specific-Iss
> ues-tf4470811.html#a13473503
> Sent from the CWE Research List mailing list archive at Nabble.com.

> One example of why this granularity is important is for people assessing tools and developing tools.
>
> For people assessing tools, it is a matter of precision. If several variations of a weakness are generalized up into the description of a higher level weakness, then there is no way to assert, measure or track which of the variations the tool finds and how well. It becomes a binary condition and the assessor would need to decide if a 'yes' on whether that weakness was covered was determined by the fact that all variations were covered or that even a single one in the list was covered. There would be no in-between.
>
> For people developing tools, it is a matter of configuration management. Let's assume that at Time0, a given abstraction node lists 5 variations in its description and a tool vendor has ensured they cover all of those variations and thus can claim coverage of the CWE. If at Time1, 5 new variations are determined to be appropriate and the description field is simply modified to yield a list of 10, it becomes a more difficult thing for the tool vendor and all users of the CWE to manage the configuration issue than if each variation was a sub-node. Higher granularity of nodes does not fully solve the configuration problem but makes it a lot easier.
>
> By keeping the granularity in the CWE but using views to only display the desired granularity to each user, we serve the needs of the users who need the higher granularity without putting undue clutter on those who wish a more minimal set.
> As I stated before, I don't believe we have any responsibility to make sure that all possible variations are covered (the slippery slope) but only the common (as in CWE) ones that people report they look for (tool vendors and tool users).
>
> Sean
>
> ________________________________________
> From: owner-cwe-research-list@... [owner-cwe-research-list@...] On Behalf Of ldw [larry.wagoner@...]
> Sent: Wednesday, November 14, 2007 9:50 AM
> To: cwe-research-list@...
> Subject: RE: Patr Traversal and some challenges for CWE
>
> I would rather see a smaller number of more generalized entries.  The path
> traversal
> is a good example of why additional entries should not be.  Absolute path
> traversal
> and relative path traversal should be the limit to the granularity.  Details
> can be part
> of the description/examples of each.  If we did the same with integer
> coercion as
> has been done with path traversal , where would the entries end?
>
> I'm not arguing against the granularity, but rather keeping the granularity
> contained
> within the descriptions.  I agree with Sean that the granularity could be
> useful.
> But I do not see a reason for a huge number of entries that will ultimately
> come
> down to a splitting of hairs in many instances.
>
>
> Sean Barnum wrote:
>> Sure. I will argue for inclusion rather than exclusion.
>> This does not mean that I would argue for a "complete" exposition or
>> capture of all combinatorics, but fully believe than more granularity and
>> precision is better where it is applicable and makes sense.
>> If specific variations/cases have been identified through practical
>> experience by researchers, security analysts, tool vendors, and others,
>> then it makes sense to capture all of these as CWEs with appropriate
>> abstraction relationships defined. To not keep this granularity where it
>> has already been identified is throwing away potentially useful knowledge.
>> I would argue that in many of these cases (but not necessarily all), this
>> more granular information is useful for tool vendors (or those assessing
>> tools) and for security analysts performing both automated and manual
>> analysis of software. The potential solutions to things like path
>> traversal can vary and while there are some solutions that should solve
>> the problem for most if not all variations, there are numerous solutions
>> that will only catch some of the variations and not others. Removing this
>> differential by abstracting them all up into one higher level node is
>> doing the community a disservice.
>>
>> The solution to the problem is using views. With appropriate views, if you
>> don't want to see that level of granularity, you don't have to. If you do,
>> then you can. The full set of underlying information should be left
>> unmolested unless absolutely necessary. The number of CWE IDs should not
>> be a concern. It is the utility and accessability of the information for a
>> variety of use cases that counts. Size and scope can be effectively
>> managed with views.
>>
>> That is my 1 cent for now (I don't currently have time to throw two
>> pennies in the ring).
>>
>> Sean Barnum
>> Cigital, Inc.
>>
>> -----Original Message-----
>> From: owner-cwe-research-list@...
>> [mailto:owner-cwe-research-list@...] On Behalf Of Steven M.
>> Christey
>> Sent: Monday, October 22, 2007 4:36 PM
>> To: Jarzombek, Joe
>> Cc: CWE-RESEARCH-LIST@...; Pascal Meunier
>> Subject: RE: Patr Traversal and some challenges for CWE
>>
>> On Thu, 18 Oct 2007, Jarzombek, Joe wrote:
>>
>>> I, too, like the idea of avoiding a large number of CWE IDs that vary on
>>> a single, simple detail that could be easily abstracted and stored.
>> Are there others on this list who either agree or disagree?  For those who
>> advocate a greater level of detail with more CWE IDs, what is the use-case
>> that makes this important for you?
>>
>>> Let's discuss the desired solution/selected implementation at our
>>> upcoming Software Assurance Working Group session on Technology, Tools
>>> and Product Evaluation, 4 Dec in Arlington, VA.  Since CWE provides the
>>> foundation for our SwA Ecosystem, we would also provide a short
>>> out-brief during the plenary session on 5 Dec.
>> We will ensure that we capture the different proposals and relevant
>> use-cases, and we will summarize the results of that meeting to this list.
>>
>> My hope is that, with CWE's hierarchical layout and some well-constructed
>> views, we can come up with a representation that addresses everybody's
>> needs.  An 'ecosystem view' might only go to a certain depth of the tree,
>> hiding some nodes that are too low-level for that particular view.
>>
>> For us to ensure that CWE can meet the diverse needs of the community, we
>> need to be sure that everybody on this list speaks up, publicly or
>> privately, pro or con, even if it's a "me too" statement :)  I'm glad for
>> the responses we're getting, but even more would be better.
>>
>> Thanks all,
>> Steve
>>
>>
>
> --
> View this message in context: http://www.nabble.com/Discussion-point%3A-CONSPEC---Context-specific-Issues-tf4470811.html#a13473503
> Sent from the CWE Research List mailing list archive at Nabble.com.

> As an example of the danger, imagine the scenario:  You have tool A that
> can cover a particular weakness, for example path traversal with '/', in
> a myriad of contexts programming contexts.  However, tool A doesn't find
> '\\' traversal problems.  Another tool, B, has covers all path traversal
> issues but only covers them in the narrowest interpretation of each of
> the weakness complexities and thus doesn't find nearly the breadth of
> issues that will actually arise in code.  Breaking the CWEs down to
> fine-grained weaknesses would give tool B an artificially high and
> dubious evaluation rating.  Due to this, tool vendors will have more
> incentive to build tools like B rather than A.

>
> I think your chains have to be made at a consistent lower level.  For
> instance, a buffer overflow is not a fundamental weakness, but a
> combination of several weaknesses that together allow a system to be
> comprimised.  This is an idea that has been around for quite a while
> (see Matt Bishop's paper "Vulnerability Analysis"
> (http://nob.cs.ucdavis.edu/bishop/papers/1999-raid/similar ) and has
> been talked about lately in the Intro. to Vulnerability Theory paper.
> That is, a buffer overflow, integer coercion, path traversal, etc. are
> instantiations of a combination of weaknesses or primitive flaws.
> Frequently if one of the underlying flaws are removed, then the  
> weakness
> (as currently in CWE) is no longer a vulnerability.  For example, if
> some of the components of the buffer overflow weakness are eliminated
> such as if one does not have unvalidated input, a language that  
> doesn't
> do bounds checking, and a system that allows return addresses to be
> modified, then a buffer overflow cannot occur.  Therefore, the "real"
> leaf nodes in CWE should be "allows unvalidated input" "language that
> does not do array bounds checking" "return addresses can be modified"
> (no doubt better names could be created).  Buffer overflow would be a
> parent to these three nodes.  And tying this to the view strategy that
> CWE wants to move to, then under a Java or Pascal view, the leaf node
> "language that does not do array bounds checking" would not appear in
> that view, but "allows unvalidated input" would.  Path traversal would
> also be a parent of "allows unvalidated input."  Integer coercion  
> would
> be very interesting to reduce to its fundamental components -- such as
> "allows data casting," "allows unsigned data," etc.
>
> Those fundamental entries and the links to them would solve several
> problems:
> 1. Would allow tools to make claims about the real weaknesses.
> Languages or even hardware platforms could also make claims ("Wow,  
> look
> at how much of the CWE tree disappears when you use Acme")
> 2. Would make generation of views easier -- any node that is a  
> parent to
> "allows unsigned data" could be eliminated a Java view
> 3. Would reduce (likely not eliminate, unfortunately) the problem of  
> one
> tool calling it one weakness and another tool calling it another
> weakness and both being argubly right -- this would put things at a  
> more
> fundamental level where things are, at the least, a little more
> definitive
> 4. Would address the real problem at the lowest level possible
> 5. Would likely expose other weaknesses
>
> Larry
>
>
>
> <quote author="Steven M. Christey-2">
> On Wed, 14 Nov 2007, Chris Telfer wrote:
>
>> There are usually a huge number of different ways for a programmer to
>> produce the same type of weakness.  We already acknowledge this in
> some
>> part through the notion of "complexities" that color a flaw (ala
>> SAMATE).  I believe that different ways to express the same weakness
>> (e.g. '/' vs '\\' as a path separator) are simply "complexities"  
>> for a
>> weakness that don't apply generally across all weakness types.
>
> Lately, Bob Martin and I have begun exploring certain concepts of
> "chains"
> of weaknesses, as well as "composites" of properties whose combination
> forms a weakness.
>
> An increasingly-reported "chain" would be an integer overflow that
> causes
> insufficient allocation of memory, which then leads to a buffer
> overflow.
> A second chain involging integer overflow would lead to an infinite
> loop,
> and could be independent of memory allocation altogether (we see
> examples
> of this in CVE).
>
> The "weakness that is better known by the attack term 'Symbolic Link
> Following'" can be thought of as a composite in which one needs
> predictability (of filenames), a race condition, path equivalence  
> (where
> two paths ultimately point to the same file object), and a shared
> directory to exist all at once, in order to be present.  Removing any
> one
> of these elements would prevent the issue or, at worst, significantly
> reduce its scope.
>
> Many of the CWE path traversal variants are probably reflections of
> different chains and/or composites.  This gets closer to understanding
> the
> variety of ways for programmers to cause the same problem.
>
> Note: Bob and I are only in the early stages of developing these
> concepts.
>
> - Steve
>
> </quote>

>  
> I think your chains have to be made at a consistent lower level.  For
> instance, a buffer overflow is not a fundamental weakness, but a
> combination of several weaknesses that together allow a system to be
> comprimised.  This is an idea that has been around for quite a while
> (see Matt Bishop's paper "Vulnerability Analysis"
> (http://nob.cs.ucdavis.edu/bishop/papers/1999-raid/similar ) and has
> been talked about lately in the Intro. to Vulnerability Theory paper.
> That is, a buffer overflow, integer coercion, path traversal, etc. are
> instantiations of a combination of weaknesses or primitive flaws.
> Frequently if one of the underlying flaws are removed, then the weakness
> (as currently in CWE) is no longer a vulnerability.  For example, if
> some of the components of the buffer overflow weakness are eliminated
> such as if one does not have unvalidated input, a language that doesn't
> do bounds checking, and a system that allows return addresses to be
> modified, then a buffer overflow cannot occur.  Therefore, the "real"
> leaf nodes in CWE should be "allows unvalidated input" "language that
> does not do array bounds checking" "return addresses can be modified"
> (no doubt better names could be created).  Buffer overflow would be a
> parent to these three nodes.  And tying this to the view strategy that
> CWE wants to move to, then under a Java or Pascal view, the leaf node
> "language that does not do array bounds checking" would not appear in
> that view, but "allows unvalidated input" would.  Path traversal would
> also be a parent of "allows unvalidated input."  Integer coercion would
> be very interesting to reduce to its fundamental components -- such as
> "allows data casting," "allows unsigned data," etc.