MILE Working Group                                           S. Banghart
Internet-Draft                                                      NIST
Intended status: Informational                             July 20, 2019
Expires: January 21, 2020

            Definition of the ROLIE Vulnerability Extension
                     draft-ietf-mile-rolie-vuln-01

Abstract

   This document extends the Resource-Oriented Lightweight Information
   Exchange (ROLIE) core to add the information type categories and
   related requirements needed to support Vulnerability use cases.
   Additional categories, properties, and requirements based on content
   type enable a higher level of interoperability between ROLIE
   implementations, and richer metadata for ROLIE consumers.  In
   particular, usage of the Common Vulnerability Enumeration (CVE) [cve]
   format and the draft Vulnerability Description Ontology (VDO) [vdo]
   is discussed.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 21, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The "vulnerability" information type  . . . . . . . . . . . .   3
   4.  Data Format Requirements  . . . . . . . . . . . . . . . . . .   3
     4.1.  Common Vulnerability Enumeration (CVE) Format . . . . . .   4
       4.1.1.  Description . . . . . . . . . . . . . . . . . . . . .   4
       4.1.2.  Requirements  . . . . . . . . . . . . . . . . . . . .   4
     4.2.  VDO Format  . . . . . . . . . . . . . . . . . . . . . . .   5
       4.2.1.  Description . . . . . . . . . . . . . . . . . . . . .   5
       4.2.2.  Usage . . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  Use of the atom:link element  . . . . . . . . . . . . . . . .   5
     5.1.  Link relations for the 'vulnerability'
           information-type  . . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
     6.1.  information-type registrations  . . . . . . . . . . . . .   6
       6.1.1.  vulnerability information-type  . . . . . . . . . . .   6
     6.2.  rolie:property name registrations . . . . . . . . . . . .   6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   As our software becomes more complex and interconnected, the number
   of software vulnerabilities exploitable by actors with malicious
   intent has skyrocketed.  Huge amounts of resources have been poured
   into the preemptive discovery, description, and remediation of these
   vulnerabilities, but it is often a challenge to share and communicate
   the results of these efforts.  While bad actors have vast
   collaboration networks that enable widespread knowledge of any
   vulnerability, the defensive community at large has no sharing
   consortium that is as prevalent.  If we are to keep up with the
   rising difficulty of defending our systems, we must increase our
   ability to quickly, efficiently, and automatically share information
   about vulnerabilities.

   The Resource-Oriented Lightweight Information Exchange (ROLIE)
   [RFC8322] provides a means to share computer security information
   with an eye towards automation and efficiency.  By utilizing ROLIE to
   share vulnerability data, we get one step closer to establishing
   automated communication between each party involved in fighting
   vulnerabilities.  A security researcher can send a newly discovered
   vulnerability to a vulnerability repository, where it is
   automatically retrieved and consumed by enterprise systems.  At this
   final stage, the enterprise can cross-reference it against their
   enterprise-wide software load to begin mitigating the issue.

   This extension to ROLIE introduces new requirements and IANA
   registrations to allow ROLIE repositories to share vulnerability data
   in a standardized and compatible way.

   This extension does not attempt to solve the vulnerability data
   format issue; that work is being done across standards groups and
   industry consortiums.  Instead, this extension addresses the problem
   of sharing these data formats with downstream consumers in an
   automated and efficient fashion.

2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   As an extension of [RFC8322], this document refers to many terms
   defined in that document.  In particular, the use of "Entry" and
   "Feed" are aligned with the definitions presented there.

   Several places in this document refer to the "information-type" of a
   Resource (Entry or Feed).  This refers to the "term" attribute of an
   "atom:category" element whose scheme is
   "urn:ietf:params:rolie:category:information-type".  For an Entry,
   this value can be inherited from its containing Feed as per
   [RFC8322].

3.  The "vulnerability" information type

   When an "atom:category" element has a "scheme" attribute equal to
   "urn:ietf:params:rolie:category:information-type", the "term"
   attribute defines the information type of the associated resource.  A
   new valid value for this attribute, "vulnerability", is described in
   this section, and registered in Section 6.1.1.  When this value is
   used, the resource in question is considered to have an information-
   type of "vulnerability" as per [RFC8322] Section 7.1.2.

   The "vulnerability" information-type represents any information
   describing or pertaining to a computer security vulnerability.  This
   document uses the definition of vulnerability provided by [RFC4949].
   Provided below is a non-exhaustive list of information that may be
   considered to be of a vulnerability information type.

   o  Fundamental identifying information, such as a global ID or
      number, that identifies a given vulnerability.

   o  Descriptive information, including but not limited to:

      *  Severity scoring - using some standardized scoring algorithm or
         otherwise,

      *  Execution details - how the vulnerability is exploited

      *  Impact - what the consequences are of this vulnerability

      *  History and provenance data - when was the vulnerability
         discovered, when was it reported and to whom,

      *  Plain text description of any of the above

   o  Metadata attached to a vulnerability, such as information about
      the entity that discovered or described the vulnerability.

   Note again that this list is not exhaustive; any information that is
   in the abstract realm of a vulnerability should be classified under
   this information-type.  The final decision as to the information type
   of an Entry is up to the provider and author of the Entry.

4.  Data Format Requirements

   This section defines usage guidance and additional requirements
   related to data formats above and beyond those specified in
   [RFC8322].  The following formats are expected to be commonly used to
   express vulnerability information.  For this reason, this document
   specifies additional requirements to ensure interoperability.

4.1.  Common Vulnerability Enumeration (CVE) Format

4.1.1.  Description

   The Common Vulnerability Enumeration (CVE) provides a globally unique
   identifier for vulnerabilities.  Each CVE provides a CVE-ID, by which
   a vulnerability can be referred to in any context, as well as
   descriptive information about that vulnerability.

   For more information and in-depth specifications, please see [cve].

   CVE provides a valuable set of information fields, but itself does
   not provide a standardized data format.  This extension provides
   standardization around two common serializations of the CVE standard,
   both used by the National Institute of Standards and Technology
   (NIST) National Vulnerability Database (NVD).  The NVD provides a
   repository of "CVE Entries" available in either serialization format.
   The first format is XML-based: the NIST NVD CVE Entry format
   [nvdcvexml].  The second format carries the same CVE information
   fields in JSON, defined by JSON Schema 1.0: the NIST NVD JSON CVE
   Entry Format [nvdcvejson].  These two representations of a CVE are
   equivalent and can be losslessly converted, so either is valid when
   used in a ROLIE CVE Entry.

   This section defines usage guidance and additional requirements above
   and beyond those specified in [RFC8322] that apply when CVE data
   formats are in use.

4.1.2.  Requirements

   For an Entry to be considered as a "CVE Entry", it MUST fulfill the
   following conditions:

   o  The information-type of the Entry is "vulnerability".  For a
      typical Entry, this is derived from the information type of the
      Feed it is contained in.  For a standalone Entry, this is provided
      by an "atom:category" element.

   o  The document linked to by the "ref" attribute of the
      "atom:content" element is a CVE Entry as defined by either
      [nvdcvexml] or [nvdcvejson].  Other well-defined CVE
      serializations would be valid but would not be subject to the
      following requirements, reducing their interoperability.

   The XML and JSON NVD formats are subject to different requirements.
   From here on out, "CVE Entry" refers to an Entry as defined above in
   either the XML or JSON format, "XML CVE Entry" to one in the XML
   format, and "JSON CVE Entry" to one in the JSON format.

   A "XML CVE Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/xml".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "<name>" element in the attached
      CVE Entry.  This allows for ROLIE consumers to more easily search
      for CVE Entries without needing to download the entry itself.

   A "JSON CVE Entry" MUST conform to the following requirements:

   o  The value of the "type" attribute of the "atom:content" element
      MUST be "application/json".

   o  There MUST be one "rolie:property" with the "name" attribute equal
      to "urn:ietf:params:rolie:property:content-id" and the "value"
      attribute exactly equal to the "ID" member of the "CVE_data_meta"
      object within the "cve" object of the attached CVE Entry (the JSON
      path "cve.CVE_data_meta.ID").  This allows ROLIE consumers to more
      easily search for CVE Entries without needing to download the
      entry itself.
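   The requirement lists above, together with the information-type
   inheritance rule from Section 2, can be checked mechanically.  The
   following Python script is an added example, not part of this draft
   and not NIST or NVD code, that does so for a constructed Feed.  It
   assumes the ROLIE XML namespace "urn:ietf:params:xml:ns:rolie-1.0"
   from [RFC8322], uses the "src" attribute of "atom:content" from
   [RFC4287] as the out-of-line reference to the CVE document, reads the
   ID from the "<name>" element of a minimal constructed XML document
   and from "cve.CVE_data_meta.ID" of a constructed JSON document, and
   replaces the network fetch with an in-memory table.  The cross-check
   of the content-id property against the ID inside the retrieved
   document is also the verification a consumer should perform before
   acting automatically on an Entry (Section 7).

```python
"""Validator for the ROLIE "CVE Entry" requirements (added example, not from
the draft).  The Feed and the "fetched" CVE documents are constructed here."""
import json
import re
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
ROLIE = "urn:ietf:params:xml:ns:rolie-1.0"        # ROLIE namespace from RFC 8322
INFO_TYPE = "urn:ietf:params:rolie:category:information-type"
CONTENT_ID = "urn:ietf:params:rolie:property:content-id"
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")         # syntactic CVE-ID check
CVE_TYPES = ("application/xml", "application/json")

# Constructed Feed: entries inherit information-type "vulnerability" from it.
# The third entry's content-id deliberately disagrees with its document.
SAMPLE_FEED = f"""<feed xmlns="{ATOM}" xmlns:rolie="{ROLIE}">
  <id>urn:example:feed:vuln</id>
  <title>Constructed vulnerability feed</title>
  <updated>2019-07-20T00:00:00Z</updated>
  <category scheme="{INFO_TYPE}" term="vulnerability"/>
  <entry>
    <id>urn:example:entry:1</id><title>XML CVE Entry</title>
    <updated>2019-07-20T00:00:00Z</updated>
    <content type="application/xml" src="https://example.invalid/1.xml"/>
    <rolie:property name="{CONTENT_ID}" value="CVE-2019-0001"/>
    <link rel="severity" href="https://example.invalid/1/severity"/>
  </entry>
  <entry>
    <id>urn:example:entry:2</id><title>JSON CVE Entry</title>
    <updated>2019-07-20T00:00:00Z</updated>
    <content type="application/json" src="https://example.invalid/2.json"/>
    <rolie:property name="{CONTENT_ID}" value="CVE-2019-0002"/>
  </entry>
  <entry>
    <id>urn:example:entry:3</id><title>Mismatched CVE Entry</title>
    <updated>2019-07-20T00:00:00Z</updated>
    <content type="application/json" src="https://example.invalid/3.json"/>
    <rolie:property name="{CONTENT_ID}" value="CVE-2019-0003"/>
  </entry>
</feed>"""

# Constructed stand-ins for the documents the "src" URLs would return
# (minimal shapes, not full NVD records).
FETCHED = {
    "https://example.invalid/1.xml": "<entry><name>CVE-2019-0001</name></entry>",
    "https://example.invalid/2.json": '{"cve": {"CVE_data_meta": {"ID": "CVE-2019-0002"}}}',
    "https://example.invalid/3.json": '{"cve": {"CVE_data_meta": {"ID": "CVE-2019-9999"}}}',
}


def fetch_constructed(src):
    """Stand-in for an HTTP GET of the atom:content src."""
    return FETCHED[src]


def info_type(elem, inherited=None):
    """information-type term of an Atom element; an Entry without its own
    category inherits the containing Feed's term, as RFC 8322 allows."""
    for cat in elem.findall(f"{{{ATOM}}}category"):
        if cat.get("scheme") == INFO_TYPE:
            return cat.get("term")
    return inherited


def embedded_cve_id(media_type, body):
    """CVE-ID carried inside the attached CVE document, XML or JSON."""
    if media_type == "application/xml":
        name = ET.fromstring(body).find("name")
        return name.text if name is not None else None
    data = json.loads(body)
    return data.get("cve", {}).get("CVE_data_meta", {}).get("ID")


def check_cve_entry(entry, feed_type, fetch):
    """Return the list of requirement violations (empty means a valid CVE Entry)."""
    problems = []
    if info_type(entry, feed_type) != "vulnerability":
        problems.append("information-type is not 'vulnerability'")
    content = entry.find(f"{{{ATOM}}}content")
    media_type = content.get("type") if content is not None else None
    if media_type not in CVE_TYPES:
        problems.append(f"atom:content type {media_type!r} is not an NVD CVE serialization")
        return problems
    props = [p for p in entry.findall(f"{{{ROLIE}}}property") if p.get("name") == CONTENT_ID]
    if len(props) != 1:
        problems.append(f"expected exactly one content-id property, found {len(props)}")
        return problems
    claimed = props[0].get("value") or ""
    if not CVE_ID.match(claimed):
        problems.append(f"content-id {claimed!r} is not a well-formed CVE-ID")
    # Consumer-side verification: the advertised ID must match the document.
    actual = embedded_cve_id(media_type, fetch(content.get("src")))
    if actual != claimed:
        problems.append(f"content-id {claimed!r} does not match document ID {actual!r}")
    return problems


def check_feed(feed_xml, fetch=fetch_constructed):
    """Map each Entry id in the Feed to its list of violations."""
    root = ET.fromstring(feed_xml)
    feed_type = info_type(root)
    return {e.findtext(f"{{{ATOM}}}id"): check_cve_entry(e, feed_type, fetch)
            for e in root.findall(f"{{{ATOM}}}entry")}


if __name__ == "__main__":
    for entry_id, problems in check_feed(SAMPLE_FEED).items():
        print(entry_id, "OK" if not problems else problems)
```

   Running the script reports the first two constructed entries as
   valid and flags the third, whose content-id property advertises one
   CVE-ID while the linked document carries another; a consumer that
   searches by content-id alone would otherwise act on the wrong record.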

4.2.  VDO Format

4.2.1.  Description

   The Vulnerability Description Ontology (VDO) provides a dictionary
   and ontology for standardizing human language descriptions of
   vulnerabilities.  CVEs expose a decent amount of information, but one
   of those fields is a plain text description.  The VDO provides a
   means of completing this description in a way that makes it machine
   parsable and universally understandable across organizations.

   The VDO is currently defined in a draft National Institute of
   Standards and Technology (NIST) internal report.  As this draft is
   not yet fully stable, this document will provide only guidance on
   using the VDO inside a ROLIE repository.

   For more in-depth information, please see the draft at [vdo].

4.2.2.  Usage

   There is currently no standardized data format for the VDO; as such,
   there can be no ROLIE "VDO Entry".  Instead, the VDO can be utilized
   in plain text fields in an Entry.  ROLIE properties can contain long
   strings of text, exposing human language information.  In the
   vulnerability context, these human language fields can be filled in
   using the VDO.

   It is not recommended that the content element be populated with some
   plain text format using the VDO.

5.  Use of the atom:link element

   These sections define requirements for atom:link elements in Entries.
   Note that the requirements are determined by the information type
   that appears in either the Entry or in the parent Feed.

5.1.  Link relations for the 'vulnerability' information-type

   The atom:link element contains a "rel" attribute that describes the
   semantic meaning of the given link.

   If the category of an Entry is the vulnerability information type,
   then the following link relations MUST be respected, that is, not
   removed, by the server.  Implementations can provide extra
   functionality by understanding the semantic meaning of these
   relations.

   +----------+--------------------------------------------------------+
   | Name     | Description                                            |
   +----------+--------------------------------------------------------+
   | severity | Links to a document describing or scoring the severity |
   |          | of this vulnerability.                                 |
   +----------+--------------------------------------------------------+

    Table 1: Link Relations for Resource-Oriented Lightweight Indicator
                                 Exchange

6.  IANA Considerations

6.1.  information-type registrations

   IANA has added the following entries to the "ROLIE Security Resource
   Information Type Sub-Registry" registry located at
   <https://www.iana.org/assignments/rolie/category/information-type>.

6.1.1.  vulnerability information-type

   The entry is as follows:

      name: vulnerability

      index: TBD

      reference: This document, Section 3

6.2.  rolie:property name registrations

   IANA has added the following entries to the "ROLIE URN Parameters"
   registry located in <https://www.iana.org/assignments/rolie/>.

7.  Security Considerations

   All security considerations of the core ROLIE document apply to use
   of this extension.

   The use of this particular extension implies the use of ROLIE in
   sharing vulnerability information.  In automated use cases,
   downstream consumers may be dynamically acquiring and acting on
   vulnerabilities posted to a ROLIE repository.  In this case, a
   compromised server could serve up false vulnerability information to
   trigger dangerous activity in automated consumers.  Automatic
   remediation solutions that consume shared vulnerability information
   in high risk use cases should take care to verify data before taking
   action.  If some global ID, such as a CVE-ID, is included, this
   verification should be trivial.

8.  Normative References

   [cve]      "Common Vulnerability Enumeration", <cve.mitre.org>.

   [nvdcvejson]
              "NVD CVE Entry JSON Schema",
              <https://csrc.nist.gov/schema/nvd/feed/1.0/
              nvd_cve_feed_json_1.0.schema>.

   [nvdcvexml]
              "NVD CVE Entry XML Schema",
              <https://csrc.nist.gov/schema/nvd/nvdcve.xsdf>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4287]  Nottingham, M., Ed. and R. Sayre, Ed., "The Atom
              Syndication Format", RFC 4287, DOI 10.17487/RFC4287,
              December 2005, <https://www.rfc-editor.org/info/rfc4287>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC5023]  Gregorio, J., Ed. and B. de hOra, Ed., "The Atom
              Publishing Protocol", RFC 5023, DOI 10.17487/RFC5023,
              October 2007, <https://www.rfc-editor.org/info/rfc5023>.

   [RFC8322]  Field, J., Banghart, S., and D. Waltermire, "Resource-
              Oriented Lightweight Information Exchange (ROLIE)",
              RFC 8322, DOI 10.17487/RFC8322, February 2018,
              <https://www.rfc-editor.org/info/rfc8322>.

   [vdo]      "Vulnerability Description Ontology", <https://csrc.nist.g
              ov/CSRC/media/Publications/nistir/8138/draft/documents/
              nistir_8138_draft.pdf>.

Author's Address

   Stephen A. Banghart
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland
   USA

   Phone: (301)975-4288
   Email: stephen.banghart@nist.gov