On Thursday, October 21, 1999 10:37 AM Adam Shostack said:

> Russ and Scott have commented on the taxonomy issue, so I'll add that
> the CVE is also not a database. The closest analogy is either a
> multi-lingual dictionary or the latin name for a species (although
> this is a bad analogy when you dig deep.)

The multi-lingual database makes sense.
The latin name for a species is a result of a taxonomy. It's not the same thing.

> Similarly, what CERT calls CA-98.11.tooltalk maps onto what ISS calls
> tooltalk and aix-ttdbserver. Both map into CVE-1999-0003.

That's good and useful, but it's not a taxonomy.

OK, so what I'm complaining about here is the inappropriate use of the term "Taxonomy".

Unless you can make categorical statements such as "All plants have cellulose cell walls", you don't have a system of classification. This is important, because there are classes of animals that don't have the enzymes to digest cellulose and so can't live on plants.

Can we make the same kind of classification of vulnerabilities? I suspect so. Buffer over-run implies input buffers, such as command lines. Does the OS support this or not? Does the OS support different levels of protection? Does it have the ability to spawn processes or not?

What I'm doing here is looking at things from the point of view of an architecture, and hence a hierarchy. It goes beyond the OS or even the hardware.

Perhaps some groupings are inappropriate and useless, such as "the class of all creatures that have four limbs, one in each corner" vs. "the class that has four limbs but not one in each corner". But if you're going to call this a taxonomy and not an enumerated listing, you need classes and criteria to determine if a specific item belongs to a class or not. And conditions for creating new classes.

Of course you could just stop calling it a "taxonomy" and I'll stop berating you for it.

> The latin name analogy is that for certain common organisms (e. coli),
> the name is standardized, and you can lookup things about e. coli.
> You can also look things up about h. sapiens, but there are other
> names for homo sapiens that might help the average joe at the
> library. This analogy fails because the latin names are actually the
> last two components (genus and species) of the organisms' taxonomic
> classification. With CVE, there is no accepted taxa of
> vulnerabilities, and thus, no analogy for the genus and species.

Right. Which means it isn't a taxonomy.

To my mind the issue is simple. Should it be or not?

Personally I think research into the possible lines of categorisation would be useful. See, for example, Fred Cohen's Security database at www.All.net. You may disagree with how he's categorised things, but he has categorised them.

> I am very enthusiastic about the CVE not only because it will allow
> tools to talk to each other, but has the potential to allow databases
> to be cross referenced based on a common key.

Yes, that would be a massive advantage. But I wonder how many entries would not have a reference.

> That is a critical part of
> starting to share information about vulnerabilities in a structured
> way. Such sharing of information -- being able to agree on what
> you're talking about -- is a critical precursor to doing a scientific
> analysis of the problems that exist. (You can do science without it,
> but it's hard.

Damn right.

Taxonomy, as many writers on the history of science have pointed out, is the basis of a science. However, there are many pseudo-sciences (e.g. close encounters of the Nth kind) that also employ taxonomy and statistics to bolster their credibility. Having a taxonometric system doesn't make you a science, lacking one doesn't mean you're not a science. Some sciences, for example psychiatry, which overused the category "schizophrenia", have been crippled by inappropriate classification schemes.
--------------------------------------------------------------------
Anton J Aylward, CISSP        | The Internet is not the greatest
System Integrity              | threat to information security;
InfoSec Auditing & Consulting | stupidity is the greatest threat
Voice: (416) 421-8182         | to information security.
ajaat_private                 |     Will Spencer <will.spencerat_private>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:34 PDT