1 / 11

OVAL - Open Vulnerability Assessment Language - (brought to you by Mitre, DHS and the Letter C)

OVAL - Open Vulnerability Assessment Language - (brought to you by Mitre, DHS and the Letter C). Jay Beale CanSecWest 2004 Lightning Talk April 22, 2004. The Common Vulnerabilities and Exposures (CVE) Initiative.

miron
Download Presentation

OVAL - Open Vulnerability Assessment Language - (brought to you by Mitre, DHS and the Letter C)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OVAL- Open Vulnerability Assessment Language -(brought to you by Mitre, DHS and the Letter C) Jay Beale CanSecWest 2004 Lightning Talk April 22, 2004

  2. The Common Vulnerabilities and Exposures (CVE) Initiative • An international security community activity led by MITRE focused on developing a list that provides common names for publicly known information security vulnerabilities and exposures. • Key tenets • One name for one vulnerability or exposure • One standardized description for each vulnerability or exposure • Existence as a dictionary rather than a database • Publicly accessible for review or download from the Internet • Industry participation in open forum (editorial board) • The CVE list and information about the CVE effort are available on the CVE web site at [cve.mitre.org]

  3. OVAL Concept • Describe how to test for a vulnerability in XML and SQL. • Human readable • Machine Parseable • Use this to achieve consensus between security peoples about how best to test for the vulnerability. • Tests are host-based…

  4. Host Based? • Host-based means that you can test for vulns that can’t be checked by the network. • Network-based probably can’t test for around half of the vulns we’d like to know about. • Host-based potentially means better accuracy. • Network-based has a much-reduced interaction. • Host-based does present scalability problems.

  5. Scalability of a Host-based System • The OVAL definition interpreters are GPL, while the content is basically freeware. • You could create an infrastructure. One way you might do this: • Place an agent on each host that receives new definitions files, runs an interpreter, and sends back results.xml files. • A central console could receive and parse those results files, allowing you to check for vulnerabilities for which you don’t yet have definitions. • Imagine if the central console pushed all the data covered by the schema, for each machine, into an SQL database.

  6. OVAL Board ArcSight too…

  7. OVAL Schema & Definitions • XML, SQL, & Pseudo Code • Schemas for: • Microsoft Windows • NT 4.0, 2000, XP, 98, & Server 2003 • Sun Solaris 7, 8, 9 • Red Hat Linux • Draft Schemas • Hewlett-Packard UNIX (HP-UX) • Debian Linux • Definitions for above and some applications • IIS 4.0 and 5.0; Internet Explorer 5.01, 5.5, and 6.0; and SQL Server 2000

  8. OVAL Definition: OVAL575 <definitions> <definition id="OVAL575"> <affected family="windows"> <windows:platform>Microsoft Windows 2000</windows:platform> <product>Microsoft Windows Workstation Service</product> </affected> <cveid status="CAN">2003-0812</cveid> <dates> <created date="2003-11-12" /> <modified date="2004-03-09">Changed the status from INTERIM to ACCEPTED and the version from 0 to 1</modified> </dates> <description> Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. </description> <status>ACCEPTED</status> <version>1</version> <criteria> <software operation="AND"> <criterion test_ref="wrt-1" comment="Windows 2000 is installed" /> <criterion test_ref="wft-8" comment="the version of wkssvc.dll is less than 5.00.2195.6862" /> <criterion test_ref="wrt-86" negate="true" comment="the patch q828749 is installed (Hotfix key)" /> </software> <configuration> <criterion test_ref="wrt-71" comment="the workstation service is enabled" /> </configuration> </criteria> </definition> </definitions>

  9. OVAL Definition: OVAL575 - continued <tests> <!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --> <!-- ~~~~~windows file tests ~~~~~~~~~~ --> <file_test id="wft-8" comment="the version of wkssvc.dll is less than 5.00.2195.6862" xmlns="http://oval.mitre.org/XMLSchema/oval#windows"> <path> <component type="registry_value"> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot</component> <component type="literal"> \system32\wkssvc.dll</component> </path> <version datatype="version" operator="less than"> <major>5</major> <minor>00</minor> <build>2195</build> <private>6862</private> </version> </file_test> <!--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --> <!-- ~~~~~windows registry tests ~~~~~~~~~ --> <registry_test id="wrt-1" comment="Windows 2000 is installed" xmlns="http://oval.mitre.org/XMLSchema/oval#windows"> <hive>HKEY_LOCAL_MACHINE</hive> <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key> <name>CurrentVersion</name> <value operator="equals">5.0</value> </registry_test> <registry_test id="wrt-71" comment="the workstation service is enabled" xmlns="http://oval.mitre.org/XMLSchema/oval#windows"> <hive>HKEY_LOCAL_MACHINE</hive> <key>SYSTEM\CurrentControlSet\Services\lanmanworkstation</key> <name>Start</name> <value datatype="int" operator="not equal">4</value> </registry_test> <registry_test id="wrt-86" comment="the patch q828748 is installed (Hotfix key)" xmlns="http://oval.mitre.org/XMLSchema/oval#windows"> <hive>HKEY_LOCAL_MACHINE</hive> <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828749</key> <name>Installed</name> <value datatype="int" operator="equals">1</value> </registry_test> <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --> </tests>

  10. OVAL Status 660 Total definitions: 251 Accepted;132 Interim; 25 Draft; 252 Initial Submission • Microsoft • Microsoft joined OVAL board • 373 definitions for Windows NT 4.0 and Windows 2000 • 14 definitions for Windows XP • 68 multiple platforms • 172 initial submissions • RedHat Linux • RedHat on OVAL board • 159+ draft definitions • Full coverage of Red Hat 9.0 vulnerability alerts • Full coverage of Red Hat Enterprise Linux 3.0 vulnerability alerts • Solaris • 40 definitions for Solaris 7 and 8 • HP-UX • Collaboration with DLA and BAH • 12 initial submissions • Debian • Draft schema submitted • Vendor representative participating on OVAL board (as of 12 April 2004)

  11. OVAL XML and SQL Definition Interpreters • Mitre has released a “definition interpreter” for Windows NT and 2000 that reads definitions written in SQL. • This program serves as a host-based vulnerability-assessment tool. • Mitre is releasing an XML definition interpreter for Windows and Linux now. • I’ll demo the tool.

More Related