2nd Workshop on Research with Security Vulnerability Databases
January 21 and 22, 1999
Purdue University, West Lafayette Indiana

by Mahesh V. Tripunitara (mahesh@ipo.att.com)
AT&T Labs and CERIAS, Purdue University

Introduction

On January 21 and 22, 1999, the Center for Research and Education in
Information Assurance and Security (CERIAS) conducted the 2nd Workshop on
Research with Security Vulnerability Databases. This report summarizes the
happenings from the workshop.

A security vulnerability, or simply a vulnerability, in a system is a
characteristic that renders it susceptible to a security compromise. A
security vulnerability database catalogues details on such vulnerabilities
so that analysis, taxonomy and classification of those vulnerabilities are
facilitated. Recently, Ivan Krsul completed his PhD dissertation at
Purdue University, titled "Software Vulnerability Analysis," which discusses
how to build and use such databases effectively.

The workshop was a follow-up to the 1st workshop that was held in
conjunction with NIST in 1996, and to the dissertation work by Ivan. About
100 people from about 50 organizations attended the workshop. The
organizations represented included governmental institutions, such as NIST
and NSA, commercial organizations, such as IBM, Cisco and Secure Computing,
and educational institutions, such as Iowa State University.

The workshop was split into two days. The first day consisted mostly of the
presentation of eight papers and a demonstration of the vulnerability
database from the Computer Operations Audit and Security Technology (COAST)
lab. The eight papers were chosen from submissions of extended abstracts
and full papers by a program committee. The papers are available in the
proceedings published for the workshop. Ivan Krsul's PhD dissertation is
also part of the proceedings. Ivan also submitted a note titled
"Experiences in the Development of the COAST Vulnerability Database" to the
workshop.

Thursday

In his welcoming remarks, Prof. Gene Spafford, the Director of CERIAS,
spoke about the need to follow up on the important initiatives in the area
of vulnerability databases. He indicated that the need for such databases
is widespread, and effective use of such databases will revolutionize
software engineering. He spoke about the motivation behind the workshop: to
bring together those who saw the pressing need to establish standards on
this front and to establish such databases.

The first talk was based on a paper by Dave Bailey, Fred Smith and Bob
Abbott, who represent over 100 years of combined information security
experience. Their paper is titled "Vulnerability Data: the Case for
Sharing." They made the case for sharing such data by pointing out the
benefits of sharing and the dangers of not sharing. The benefits of sharing
are that security flaws that seem to reappear every few years can be
eliminated, and that software development can be made more rapid by
analysis of such flaws. They also discussed the Year 2000 problem as an
instance of such a flaw and used it as an example to indicate the potential
legal issues arising from such security flaws.

The second presentation was based on a paper titled "VulDa: A Vulnerability
Database" by D. Alessandri and M. Dacier of IBM-Zurich. They spoke about
the vulnerability database from IBM and used sample entries from the
database to demonstrate how it is populated and used for imparting
information on such vulnerabilities and for analysis. They also discussed
how the vulnerability database is used in their research in intrusion
detection, and the conditions under which they would be willing to share
the database with others.

The third presentation was based on a paper by Aaron Schwartzbard and Anup
K. Ghosh from Reliable Software Technologies titled "Establishing Common
Exploit Information for Intrusion Detection." They spoke about data
necessary for effective intrusion detection. In doing so, they related
vulnerability and attack data to data needed for intrusion detection. They
made the case for a common repository for such information, and effective
tools and techniques to mine for and analyze data in such a repository.

The fourth presentation was based on a paper titled "Mapping Attacks to
Vulnerabilities" by Mahesh Tripunitara of Purdue University. He spoke about
the problem of relating the vulnerabilities that are exploited to the
attacks that exploit them. He used a formal model for attacks in two
examples to discuss the relationship between the set of attacks and the set
of vulnerabilities they exploit.

It was then time for the lunch break, which gave the participants a good
opportunity to informally discuss several of their ideas, interests and
intentions in vulnerability databases.

The first presentation after lunch was by Thomas Daniels of Purdue
University. He gave a demonstration of the COAST vulnerability database,
which generated considerable interest from the audience. He demonstrated the
graphical user interface used to query and enter data into the database. He
also picked a few examples to illustrate the fields in which vulnerability
data is stored, and discussed tools for analysis of the data in the
database.

The sixth presentation was based on a paper titled "Towards a Common
Enumeration of Vulnerabilities" by David E. Mann and Steven M. Christey
from the MITRE Corporation. This presentation also generated considerable
interest from the audience. They tackled the problem of dealing with
several heterogeneous vulnerability databases and presented the Common
Vulnerability Enumeration (CVE) mechanism for sharing of vulnerability
data. They related the CVE to current practices on vulnerability data
sharing.
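The problem MITRE's presentation addressed is that the same vulnerability appears in several databases under different local identifiers and field names. The following Python script is an added illustration of the idea, not code from the workshop, from the paper or from MITRE: two constructed database exports with different schemas are normalized into a common record, and records are tied together by a shared enumeration identifier assigned from the vendor advisories they cite. Every identifier in it (EXAMPLE-0001, ADV-A-17, A-1042, and so on) is a constructed placeholder, and the cross-reference-by-advisory rule is an assumption chosen for the example.

```python
"""Cross-referencing heterogeneous vulnerability databases through a common
enumeration. Added example with constructed data; all identifiers are
placeholders, not real advisories or enumeration entries."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed export from "database A": flat records, field names chosen by A.
DB_A_RECORDS = [
    {"id": "A-1042", "title": "Buffer overflow in example daemon", "advisory": "ADV-A-17"},
    {"id": "A-1043", "title": "Default password on example router", "advisory": "ADV-B-03"},
    {"id": "A-1044", "title": "Race condition in example setuid tool", "advisory": None},
]

# Constructed export from "database B": different schema, same kind of data.
DB_B_RECORDS = [
    {"bid": 77, "summary": "example daemon overflow", "references": ["ADV-A-17", "LIST-POST-9"]},
    {"bid": 78, "summary": "router ships with default password", "references": ["ADV-B-03"]},
    {"bid": 79, "summary": "example mail client script injection", "references": ["ADV-C-51"]},
]


@dataclass
class CommonRecord:
    """Schema-neutral view of one database entry."""
    source: str
    local_id: str
    summary: str
    references: List[str]
    common_id: Optional[str] = None


def normalize_a(rec: dict) -> CommonRecord:
    refs = [rec["advisory"]] if rec["advisory"] else []
    return CommonRecord("A", rec["id"], rec["title"], refs)


def normalize_b(rec: dict) -> CommonRecord:
    return CommonRecord("B", str(rec["bid"]), rec["summary"], list(rec["references"]))


class CommonEnumeration:
    """Assigns one shared identifier per vulnerability, keyed on cited references."""

    def __init__(self) -> None:
        self._by_reference: Dict[str, str] = {}          # advisory -> common id
        self._entries: Dict[str, List[CommonRecord]] = {}  # common id -> records
        self._next = 1

    def _new_id(self) -> str:
        cid = f"EXAMPLE-{self._next:04d}"  # placeholder numbering scheme
        self._next += 1
        return cid

    def assign(self, rec: CommonRecord) -> Optional[str]:
        """Place a record under a common id, or return None if it needs review.

        A record is left unplaced when it cites no shared reference (nothing
        to match on) or when its references already point at two different
        entries (the databases disagree and a human must decide)."""
        known = {self._by_reference[r] for r in rec.references if r in self._by_reference}
        if len(known) > 1 or not rec.references:
            return None
        cid = known.pop() if known else self._new_id()
        for r in rec.references:           # later records may cite any of these
            self._by_reference[r] = cid
        rec.common_id = cid
        self._entries.setdefault(cid, []).append(rec)
        return cid

    def cross_reference(self) -> Dict[str, List[Tuple[str, str]]]:
        """Common id -> sorted (source database, local id) pairs."""
        return {cid: sorted((r.source, r.local_id) for r in recs)
                for cid, recs in self._entries.items()}


def reconcile(db_a: List[dict], db_b: List[dict]) -> Tuple[CommonEnumeration, List[CommonRecord]]:
    """Normalize both exports and assign common ids; return the enumeration
    and the records that could not be placed automatically."""
    enumeration = CommonEnumeration()
    unassigned = []
    records = [normalize_a(r) for r in db_a] + [normalize_b(r) for r in db_b]
    for rec in records:
        if enumeration.assign(rec) is None:
            unassigned.append(rec)
    return enumeration, unassigned


if __name__ == "__main__":
    enumeration, unassigned = reconcile(DB_A_RECORDS, DB_B_RECORDS)
    for cid, members in enumeration.cross_reference().items():
        print(cid, "->", members)
    for rec in unassigned:
        print("needs review:", rec.source, rec.local_id, "-", rec.summary)
```

The point of the exercise is the cross-reference table: once both databases carry the same common identifier, a query in either one can be answered against the other without agreeing on a shared schema for everything else. The record with no references is deliberately left unplaced rather than guessed at, since silently merging or splitting entries is exactly the kind of inconsistency a common enumeration is meant to remove.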

The seventh presentation was based on a paper titled "Use of a
Vulnerability Database for Writing Security Requirements" by Jim Williams
of the MITRE Corporation. He presented his efforts in automating the
specification of security requirements. The security requirements he spoke
about are of the type indicated in the Common Criteria (CC). He discussed a
database that stores mappings from high-level organizational security
policies and requirements to detailed attacks, vulnerabilities and
countermeasures.

The eighth presentation was based on a paper titled "The Proper Usage,
Possible Benefits, and Risks of Open Vulnerability Databases" by Pascal
Meunier of Purdue University. He discussed an open model for vulnerability
databases with vulnerability data being freely shared and added. He then
raised several contentious issues relating to such a model. He also
presented his notion of the "ideal" open vulnerability database.

The final presentation was based on a paper titled "Thoughts on Potential
Sources of Error and Bias in Vulnerability Databases" by Ken Olthoff. He
focussed on the problem of the possible corruption of vulnerability
databases, either accidentally or maliciously. He also discussed some
possible countermeasures against such corruption.

Friday

The first day concluded with the formation of working groups for the second
day. Five working groups were established, with the participants in the
workshop deciding for themselves which of the working groups each wanted to
participate in. Working groups 1 through 4 dealt with various models and
architectures for vulnerability databases. Working group 5 looked at issues
fundamental to vulnerability databases, irrespective of the model used to
construct them.

Working group 1 dealt with the "fully available" or "open" model. This is a
database that anyone can add to and read from. Copies are allowed to be
made freely and the data and copies of the database can be used in whatever
manner desired.

Working group 2 dealt with the "centralized" model. This involves a
database of which there is only one copy, managed and controlled by a
single agency or group. There may be some distribution in the access or
update of data in the database, but there is always a "master copy."

Working group 3 dealt with the "federated" model. This is a model in which
there are several distributed databases, but with some centrality. The
databases use a common schema or fields to store data, but the data is not
necessarily replicated across all databases. The sharing of data occurs in
an organized manner.

Working group 4 dealt with the "balkanized" model. It was also called the
"status quo" model because there was general agreement that this model
indicates what currently exists. The model involves several databases,
different both in terms of the data in them and in terms of how the data is
organized. Access methods to each database are also different and sharing
is not structured.

Working group 5 dealt with overall issues for vulnerability databases, such
as terminology, classifications, schema and storage. The group also dealt
with issues on what data a vulnerability database should include.

Each working group met for about 5 hours on the second day, dealing with
such issues as ease of access and update in the model, intellectual
property rights, access control, fault tolerance, expandability and
flexibility, trans-national use, maintenance, location and staffing,
scalability and longevity. The issues were dealt with both from a "model"
standpoint and an "architecture" standpoint.

Towards the end of the day, one person from each group made a presentation
based on the respective discussions. Some of the presenters presented an
analysis of their model, while others made a case for the model they had
worked with. Each of the working groups is currently working on the final
reports from the meetings for submission to a body of "main" editors that
has the responsibility of consolidating the reports into a single report.
A standards document is in the offing.

Concluding Remarks

The workshop's goals were to set an agenda for standardization in all
aspects related to vulnerability databases and initiate the building of the
infrastructure to promote sharing of such data. Based on the enthusiastic
participation and from preliminary feedback, the workshop was a success.
Follow-up work is now being conducted, and those interested in involving
themselves with the effort are encouraged to contact Prof. Gene Spafford
(spaf@cs.purdue.edu).