rfcdiff: draft-ietf-mile-rolie-vuln-00.txt vs. draft-ietf-mile-rolie-vuln-01.txt

Text common to both versions is shown once. Passages present in only one version are marked "-00 only:" or "-01 only:"; passages that were rewritten are shown as "-00:" (old text) followed by "-01:" (new text).
MILE Working Group                                        S. Banghart
Internet-Draft                                                   NIST
Intended status: Informational
-00: March 28, 2019 (expires September 29, 2019)
-01: July 20, 2019 (expires January 21, 2020)

Definition of the ROLIE Vulnerability Extension
-00: draft-ietf-mile-rolie-vuln-00
-01: draft-ietf-mile-rolie-vuln-01
Abstract

This document extends the Resource-Oriented Lightweight Information Exchange (ROLIE) core to add the information type categories and related requirements needed to support Vulnerability use cases. Additional categories, properties, and requirements based on content type enable a higher level of interoperability between ROLIE implementations, and richer metadata for ROLIE consumers.
-00: In particular, usage of the Common Vulnerabilities and Exposures (CVE) [cve] format and the draft Vulnerability Description Ontology (VDO) [vdo] are discussed.
-01: In particular, usage of the Common Vulnerabilities and Exposures (CVE) [cve] format is discussed.
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

-00: This Internet-Draft will expire on September 29, 2019.
-01: This Internet-Draft will expire on January 21, 2020.

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

-00:
1. Introduction
2. Terminology
3. The "vulnerability" information type
4. Data Format Requirements
   4.1. CVE Format
      4.1.1. Description
      4.1.2. Requirements
   4.2. VDO Format
      4.2.1. Description
      4.2.2. Usage
5. Use of the atom:link element
   5.1. Link relations for the 'vulnerability' information-type
6. IANA Considerations
   6.1. information-type registrations
      6.1.1. vulnerability information-type
   6.2. rolie:property name registrations
7. Security Considerations
8. Normative References
Author's Address

-01:
1. Introduction
2. Terminology
3. The "vulnerability" information type
4. Common Vulnerabilities and Exposures (CVE) Format
   4.1. Description
   4.2. Requirements
5. Link relations for the 'vulnerability' information-type
6. IANA Considerations
   6.1. information-type registrations
      6.1.1. vulnerability information-type
7. Security Considerations
8. Normative References
Author's Address
1. Introduction

-00 only:
Vulnerability data is used in a wide variety of security use cases. Researchers, CSIRTs, enterprises, software vendors, and consumers all have a need to communicate about computer vulnerabilities. Today, a number of formats are used to describe these vulnerabilities: some of them are standardized, some are proprietary, and some are as rudimentary as a vaguely descriptive email message.

-01 only:
As our software becomes more complex and interconnected, the number of software vulnerabilities exploitable by actors with mal-intent has skyrocketed. Huge amounts of resources have been poured into the preemptive discovery, description, and remediation of these vulnerabilities, but it is often a challenge to share and communicate the results of these efforts. While bad actors have vast collaboration networks that enable widespread knowledge of any vulnerability, the defensive community at large has no sharing consortium as prevalent. If we are to keep up with the rising difficulty of defending our systems, we must increase our ability to quickly, efficiently, and automatically share information about vulnerabilities.

The Resource-Oriented Lightweight Information Exchange (ROLIE) [RFC8322] provides a means to share computer security information with an eye towards automation and efficiency. By utilizing ROLIE to share vulnerability data, we get one step closer to establishing automated communication between each party involved in fighting vulnerabilities. A security researcher can send a newly discovered vulnerability to a vulnerability repository, where it is automatically retrieved and consumed by enterprise systems. At this final stage, the enterprise can cross-reference against its enterprise-wide software load to begin mitigating the issue.

This extension to ROLIE introduces new requirements and IANA registrations to allow ROLIE repositories to share vulnerability data in a standardized and compatible way.

Both versions:
This extension does not attempt to solve the vulnerability data format issue; that work is being done across standards groups and industry consortiums. Instead, this extension serves to address the problem of sharing these data formats with downstream consumers in an automated and efficient fashion.
2. Terminology

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

-01 only:
As an extension of [RFC8322], this document refers to many terms defined in that document. In particular, the use of "Entry" and "Feed" is aligned with the definitions presented there.

Several places in this document refer to the "information-type" of a Resource (Entry or Feed). This refers to the "term" attribute of an "atom:category" element whose scheme is "urn:ietf:params:rolie:category:information-type". For an Entry, this value can be inherited from its containing Feed as per [RFC8322].
3. The "vulnerability" information type

When an "atom:category" element has a "scheme" attribute equal to "urn:ietf:params:rolie:category:information-type", the "term" attribute defines the information type of the associated resource. A new valid value for this attribute, "vulnerability", is described in this section and registered in Section 6.1.1. When this value is used, the resource in question is considered to have an information-type of "vulnerability" as per [RFC8322] Section 7.1.2.

skipping to change at page 3, line 42 (-00) / page 4, line 21 (-01)

      * History and provenance data - when was the vulnerability discovered, when was it reported and to whom,
      * Plain text description of any of the above
   o Metadata attached to a vulnerability, such as information about the entity that discovered or described the vulnerability.

Note again that this list is not exhaustive; any information that is in the abstract realm of a vulnerability should be classified under this information-type.
-01 only: The final decision as to the information type of an Entry is up to the provider and author of the Entry.
-00 only:
4. Data Format Requirements

This section defines usage guidance and additional requirements related to data formats above and beyond those specified in [RFC8322]. The following formats are expected to be commonly used to express vulnerability information. For this reason, this document specifies additional requirements to ensure interoperability.
-00: 4.1. CVE Format / 4.1.1. Description
-01: 4. Common Vulnerabilities and Exposures (CVE) Format / 4.1. Description

The Common Vulnerabilities and Exposures (CVE) list provides a globally unique identifier for vulnerabilities. Each CVE provides a CVE-ID, by which a vulnerability can be referred to in any context, as well as descriptive information about that vulnerability.

For more information and in-depth specifications, please see [cve].

CVE provides a valuable set of information fields, but itself does not provide a standardized data format.
-00: This extension is standardized around the NIST NVD CVE Entry format [nvdcvexml]. There is a second format using the CVE information fields, defined in JSON Schema 1.0 [nvdcvejson]. These two representations of a CVE are equivalent, so either is valid when used in a ROLIE CVE Entry.
-01: This extension provides standardization around two common serializations of the CVE standard, both used by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). The NVD provides a repository of "CVE Entries" available in either serialization format. The first format is XML-based, the NIST NVD CVE Entry format [nvdcvexml]; the second is JSON-based, the NIST NVD JSON CVE Entry Format [nvdcvejson]. These two representations of a CVE are equivalent and can be losslessly converted.
-01 only: This section defines usage guidance and additional requirements above and beyond those specified in [RFC8322] that apply when CVE data formats are in use.

-00: 4.1.2. Requirements
-01: 4.2. Requirements

For an Entry to be considered a "CVE Entry", it MUST fulfill the following conditions:

   o The information-type of the Entry is "vulnerability". For a typical Entry, this is derived from the information type of the Feed it is contained in. For a standalone Entry, this is provided by an "atom:category" element.

   o The document linked to by the "src" attribute of the "atom:content" element is a CVE Entry as defined by either [nvdcvexml] or [nvdcvejson].
     -01 only: Other well-defined CVE serializations would be valid but would not be subject to the following requirements, reducing their interoperability.

The XML and JSON NVD formats follow different requirements.
-00 only: From here on out, "CVE Entry" refers to an Entry as defined above with content in either format, "XML CVE Entry" to one whose content is in the XML format, and "JSON CVE Entry" to one whose content is in the JSON format.
An "XML CVE Entry" MUST conform to the following requirements:

   o The value of the "type" attribute of the "atom:content" element MUST be "application/xml".

   o There MUST be one "rolie:property" with the "name" attribute equal to "urn:ietf:params:rolie:property:content-id" and the "value" attribute exactly equal to the "<name>" element in the attached CVE Entry. This allows for ROLIE consumers to more easily search

skipping to change at page 5, line 17 (-00) / page 5, line 46 (-01)

   o The value of the "type" attribute of the "atom:content" element MUST be "application/json".

   o There MUST be one "rolie:property" with the "name" attribute equal to "urn:ietf:params:rolie:property:content-id" and the "value" attribute exactly equal to the "ID" member of the "CVE_data_meta" object under "cve" (the path cve.CVE_data_meta.ID) in the attached CVE Entry. This allows for ROLIE consumers to more easily search for CVE Entries without needing to download the entry itself.
-00 only:
4.2. VDO Format

4.2.1. Description

The Vulnerability Description Ontology (VDO) provides a dictionary and ontology for standardizing human language descriptions of vulnerabilities. CVEs expose a decent amount of information, but one of those fields is a plain text description. The VDO provides a means of completing this description in a way that makes it machine parsable and universally understandable across organizations.

The VDO is currently defined in a draft National Institute of Standards and Technology (NIST) internal report. As this draft is not yet fully stable, this document provides only guidance on using the VDO inside a ROLIE repository.

For more in-depth information, please see the draft at [vdo].

4.2.2. Usage

There is currently no standardized data format for the VDO; as such, there can be no ROLIE "VDO Entry". Instead, the VDO can be utilized in plain text fields in an Entry. ROLIE properties can contain long strings of text, exposing human language information. In the vulnerability context, these human language fields can be filled in using the VDO.

It is not recommended that the content element be populated with a plain text format using the VDO.

5. Use of the atom:link element

These sections define requirements for atom:link elements in Entries. Note that the requirements are determined by the information type that appears in either the Entry or in the parent Feed.

5.1. Link relations for the 'vulnerability' information-type

-01 only:
5. Link relations for the 'vulnerability' information-type

The atom:link element contains a "rel" attribute that describes the semantic meaning of the given link.

-00: If the category of an Entry is the vulnerability information type, then the following requirements MUST be followed for support of atom:link elements.
-01: If the category of an Entry is the vulnerability information type, then the following link relations MUST be respected, that is, not removed, by the server. Implementations can provide extra functionality by understanding the semantic meaning of these relations.
   +----------+--------------------------------------------------------+
   | Name     | Description                                            |
   +----------+--------------------------------------------------------+
   | severity | Links to a document describing or scoring the severity |
   |          | of this vulnerability.                                 |
   +----------+--------------------------------------------------------+

   Table 1: Link Relations for the Resource-Oriented Lightweight Information Exchange
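The following is an added example, not code from the draft, from NIST, or from the ROLIE project. It implements the checks a ROLIE consumer or server would run for the requirements above: the information-type lookup with Feed inheritance (Section 3), the "CVE Entry" conditions on atom:content type and the content-id property (Section 4.2), and the Section 5 rule that a server must not drop "severity" links. It assumes the rolie:property element is in the RFC 8322 namespace urn:ietf:params:xml:ns:rolie-1.0, that the linked CVE document is referenced by Atom's "src" attribute on atom:content, that the CVE-ID is at cve.CVE_data_meta.ID in NVD JSON (the NVD spelling of the key) and in a <name> element in NVD XML as the draft describes. The feed, entries, CVE documents, URLs and the CVE-ID are constructed samples.

```python
"""Checks for a ROLIE 'CVE Entry' (Sections 3-5 of the draft).

Added example; not code from the draft, NIST, or the ROLIE project.
Assumptions: rolie:property lives in the RFC 8322 namespace
urn:ietf:params:xml:ns:rolie-1.0; the linked CVE document is referenced
by Atom's "src" attribute on atom:content; the CVE-ID sits at
cve.CVE_data_meta.ID in NVD JSON and in a <name> element in NVD XML.
Every feed, entry and CVE document below is a constructed sample.
"""
import json
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
ROLIE = "{urn:ietf:params:xml:ns:rolie-1.0}"
INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
CONTENT_ID = "urn:ietf:params:rolie:property:content-id"


def information_type(entry, feed=None):
    """Section 3: the 'term' of the information-type category. An Entry
    without its own category inherits the one on its containing Feed."""
    for node in (entry, feed):
        if node is None:
            continue
        for cat in node.findall(ATOM + "category"):
            if cat.get("scheme") == INFO_TYPE_SCHEME:
                return cat.get("term")
    return None


def cve_id_from_document(content_type, document):
    """Pull the CVE-ID out of the linked NVD document (JSON or XML)."""
    if content_type == "application/json":
        return json.loads(document)["cve"]["CVE_data_meta"]["ID"]
    if content_type == "application/xml":
        root = ET.fromstring(document)
        name = root if root.tag == "name" else root.find(".//name")
        return name.text.strip() if name is not None and name.text else None
    return None


def validate_cve_entry(entry_xml, documents, feed_xml=None):
    """Section 4.2 conditions. Returns the list of violations; an empty
    list means the Entry is a conforming XML or JSON CVE Entry.
    `documents` maps each atom:content src URL to the document it would
    resolve to, so the check runs without network access."""
    entry = ET.fromstring(entry_xml)
    feed = ET.fromstring(feed_xml) if feed_xml else None
    problems = []
    if information_type(entry, feed) != "vulnerability":
        problems.append("information-type is not 'vulnerability'")
    content = entry.find(ATOM + "content")
    if content is None or content.get("src") not in documents:
        problems.append("atom:content missing or its src does not resolve")
        return problems
    ctype = content.get("type")
    if ctype not in ("application/xml", "application/json"):
        problems.append("content type %r is neither application/xml nor application/json" % ctype)
        return problems
    expected_id = cve_id_from_document(ctype, documents[content.get("src")])
    props = [p for p in entry.findall(ROLIE + "property") if p.get("name") == CONTENT_ID]
    if len(props) != 1:
        problems.append("expected exactly one content-id property, found %d" % len(props))
    elif props[0].get("value") != expected_id:
        problems.append("content-id %r does not match CVE-ID %r in the linked document"
                        % (props[0].get("value"), expected_id))
    return problems


def severity_links_preserved(submitted_xml, served_xml):
    """Section 5: the server MUST NOT remove 'severity' links from a
    vulnerability Entry. True if every severity href the client submitted
    is still present in the Entry the server serves back."""
    def severity_hrefs(xml):
        return {l.get("href") for l in ET.fromstring(xml).findall(ATOM + "link")
                if l.get("rel") == "severity"}
    return severity_hrefs(submitted_xml) <= severity_hrefs(served_xml)


# ---- constructed samples (placeholder CVE-ID, example.net URLs) ----
SAMPLE_FEED = (
    '<feed xmlns="http://www.w3.org/2005/Atom">'
    '<category scheme="%s" term="vulnerability"/></feed>' % INFO_TYPE_SCHEME)


def sample_entry(ctype, cve_id="CVE-2019-99999"):
    """An Entry with no category of its own; it relies on the Feed's type."""
    ext = "json" if ctype == "application/json" else "xml"
    return (
        '<entry xmlns="http://www.w3.org/2005/Atom" '
        'xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">'
        '<id>urn:uuid:00000000-0000-0000-0000-000000000001</id>'
        '<title>%s</title>'
        '<content type="%s" src="https://rolie.example.net/cve/%s.%s"/>'
        '<rolie:property name="%s" value="%s"/>'
        '<link rel="severity" href="https://rolie.example.net/cve/%s/cvss"/>'
        '</entry>' % (cve_id, ctype, cve_id, ext, CONTENT_ID, cve_id, cve_id))


SAMPLE_DOCUMENTS = {
    "https://rolie.example.net/cve/CVE-2019-99999.json": json.dumps(
        {"cve": {"data_type": "CVE", "CVE_data_meta": {"ID": "CVE-2019-99999"}}}),
    "https://rolie.example.net/cve/CVE-2019-99999.xml":
        '<entry id="CVE-2019-99999"><name>CVE-2019-99999</name></entry>',
}

if __name__ == "__main__":
    for ctype in ("application/json", "application/xml"):
        print(ctype, validate_cve_entry(sample_entry(ctype), SAMPLE_DOCUMENTS, SAMPLE_FEED))
```

Run stand-alone it reports an empty violation list for both the JSON and the XML sample. Dropping the Feed argument makes the same Entry fail the information-type condition, which is the standalone-Entry case the draft calls out; changing the content-id value surfaces the mismatch with the linked document without the consumer having to trust the property alone.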
skipping to change at page 6, line 39 (-00) / page 6, line 36 (-01)

6.1.1. vulnerability information-type

The entry is as follows:

   name: vulnerability
   index: TBD
   reference: This document, Section 3

-00 only:
6.2. rolie:property name registrations

IANA has added the following entries to the "ROLIE URN Parameters" registry located in <https://www.iana.org/assignments/rolie/>.
7. Security Considerations

All security considerations of the core ROLIE document apply to use of this extension.

The use of this particular extension implies the use of ROLIE in sharing vulnerability information. In automated use cases, downstream consumers may be dynamically acquiring and acting on vulnerabilities posted to a ROLIE repository. In this case, a compromised server could serve up false vulnerability information to
End of changes. 22 change blocks. 93 lines changed or deleted, 81 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/