On Mon, 25 Aug 2008, Tadashi Yamagishi wrote:
> Question 1: About the hierarchy diagram.
> I made CWE-635(Weaknesses Used by NVD) a hierarchy diagram
> referring to cwe_classification_tree.pdf.
> The hierarchy diagram is appended.
> cwe_classification_tree.pdf shows the following.
> CWE-20 is a child of CWE-19.
> CWE-22 is a child of CWE-21.
> CWE-134 is a child of CWE-133.
> However, CWE-1000 (Natural Hierarchy) shows other parents.
> I am confused. Are two or more parents permitted in CWE?
Yes. This is for two reasons:
(1) there are multiple ways of looking at the same weakness, so we want
to support these different ways. So, different views can express
different relationships.
(2) Some weaknesses can be fairly complex, so they can be classified in
different ways, even within the same view. Ideally, it would be
good to have a view in which every weakness can have only one
parent. This is very difficult to achieve in practice; we think
that the concept of chains and composites helps to explain why
this classification is so difficult. We are making significant
progress within the "natural hierarchy" (view 1000), but we
will not have this finished by the release of CWE 1.0.
> Question 2: About the classification of DoS (Denial of Service).
> DoS is not classified in CWE.
DoS is not classified because it's a "consequence" of some weakness - just
like "loss of integrity" is a consequence. In CWE 1.0, we will have
multiple ways of trying to determine which weaknesses can lead to a DoS:
- a new OWASP Top Ten 2004 view has category A9, Denial of Service.
- as a result of schema changes in 1.0, our Consequence element has
been improved so that you will be able to search CWE for
Consequence_Scope = Availability.
> How do you classify it when the cause of the DoS is not understood
> in the vulnerability report?
This is a very difficult question, and I'm not sure how to handle it. In
the case of databases of public vulnerabilities (like NVD), the databases
often don't have solid information about the underlying weaknesses that
led to the vulnerability. Sometimes, the only vulnerability information
is something like "Product X can crash from a malformed packet" - you
might see this in a software vendor advisory, for example.
Since the "DoS" phrase alone doesn't talk about any specific weakness, CWE
is not currently capable of modeling it.
This is an example of a challenge: how should you map to CWE when you're
dealing with issues that aren't exactly weaknesses? We hope to be able to
develop methods of handling these kinds of issues. In fact, one of the
upcoming white papers will cover some of the common difficulties that
people will face when mapping to CWE. In addition, sometime after the
release of CWE 1.0, we will try to improve the current NVD classifications
so that they are more suitable for handling incomplete vulnerability
information. Hopefully we will be able to address this issue somehow.
- Steve
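The two points above, that ChildOf relationships are recorded per view (so CWE-20 can have one parent in the classification tree and a different one in view 1000) and that DoS is found by searching consequence scope rather than as a weakness, as an added example that is not part of the original thread or of CWE itself. The XML layout is a simplified, constructed approximation and not the CWE 1.0 schema, and the parent IDs 997-999 are placeholders, since the thread does not name the view-1000 parents.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a simplified CWE-like XML layout (an assumption, not the
# actual CWE 1.0 schema). Each ChildOf link carries the view it belongs to, and each
# consequence carries a Scope. Parent IDs 997-999 are placeholders: the thread does
# not name the view-1000 parents.
SAMPLE_XML = """<Weakness_Catalog>
  <Weakness ID="20">
    <Related_Weakness Nature="ChildOf" CWE_ID="19" View_ID="tree"/>
    <Related_Weakness Nature="ChildOf" CWE_ID="999" View_ID="1000"/>
    <Consequence><Scope>Integrity</Scope></Consequence>
    <Consequence><Scope>Availability</Scope></Consequence>
  </Weakness>
  <Weakness ID="22">
    <Related_Weakness Nature="ChildOf" CWE_ID="21" View_ID="tree"/>
    <Related_Weakness Nature="ChildOf" CWE_ID="998" View_ID="1000"/>
    <Related_Weakness Nature="ChildOf" CWE_ID="997" View_ID="1000"/>
    <Consequence><Scope>Confidentiality</Scope></Consequence>
  </Weakness>
  <Weakness ID="134">
    <Related_Weakness Nature="ChildOf" CWE_ID="133" View_ID="tree"/>
    <Consequence><Scope>Availability</Scope></Consequence>
  </Weakness>
</Weakness_Catalog>"""

def parse_catalog(xml_text):
    """Return {cwe_id: {"parents": {view_id: set(parent_ids)}, "scopes": set()}}."""
    catalog = {}
    for weak in ET.fromstring(xml_text).iter("Weakness"):
        entry = {"parents": {}, "scopes": set()}
        for rel in weak.iter("Related_Weakness"):
            if rel.get("Nature") == "ChildOf":  # parents are kept per view, never merged
                entry["parents"].setdefault(rel.get("View_ID"), set()).add(int(rel.get("CWE_ID")))
        for scope in weak.iter("Scope"):
            entry["scopes"].add(scope.text.strip())
        catalog[int(weak.get("ID"))] = entry
    return catalog

def parents_of(catalog, cwe_id, view_id):
    """Parents of one weakness as seen from one view; may differ between views."""
    return sorted(catalog[cwe_id]["parents"].get(view_id, set()))

def multi_parent_in_view(catalog, view_id):
    """Weaknesses that still have more than one parent inside a single view."""
    return sorted(i for i, e in catalog.items() if len(e["parents"].get(view_id, ())) > 1)

def weaknesses_with_scope(catalog, scope):
    """Search by consequence scope, e.g. "Availability" to find DoS-capable entries."""
    return sorted(i for i, e in catalog.items() if scope in e["scopes"])
```

With the sample data, `parents_of(cat, 20, "tree")` gives `[19]` while `parents_of(cat, 20, "1000")` gives the placeholder `[999]`, `multi_parent_in_view(cat, "1000")` flags CWE-22, and `weaknesses_with_scope(cat, "Availability")` returns CWE-20 and CWE-134 without any "DoS" entry existing in the catalog.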