Typically, the vulnerability information used by a particular vendor of a VM scanner or analyzer is stored in a database that is designed to work seamlessly with the software. Since standards are usually a few to several years behind industry, none of these databases are alike. The vulnerability data and method of identification vary widely from one product to another—that is, there is no standard.
However, MITRE has driven the idea of a standard for just this type of data structure. It is called the Open Vulnerability and Assessment Language or OVAL®. As the name implies, it is a language that is structured using XML to record the details of the state of a machine (target) that has a particular vulnerability. It employs the state machine approach to identifying a vulnerability, which is a highly structured way of indicating the vulnerable state and the non-vulnerable state. So, let’s examine the OVAL process in Figure 1 to understand its benefits.
We start with the security researcher who discovers a new vulnerability in product X. Having firsthand knowledge of the vulnerability and how it can be identified in a vulnerable target, the researcher encodes the details of that vulnerability in an OVAL-standard-formatted XML document. This document describes exactly how to identify the vulnerability on a target by providing the information of the state of particular items that constitute a vulnerable machine. This method of vulnerability identification is called a test.
Definitions Schema
At a higher level, OVAL consists of three types of documents called schemas. The definitions schema is used to encode the state of various parts of a computer system that must exist in order to be subject to a particular vulnerability. For example, a target system may need to have a Windows 2003 server with Service Pack (SP) 2, IIS, and anonymous Web access configured to be vulnerable to vulnerability XYZ. These schemas provide the framework for encoding such conditions.
Other definitions exist to capture other important information to help round out the VM process. Patch definitions record the specific conditions that must be present in order to be eligible for a patch. The idea is to avoid haphazardly applying patches to a system inappropriately. So, the ability is provided to specify, for example, that a vulnerability that is fixed by Windows 2003 SP 2 is only applied when the target system is in fact Windows 2003 and has only SP1 installed. The patch definition capability can go far beyond this, but this understanding is sufficient for the scope of this book.
An OVAL inventory definition is just what it sounds like: a description of what defines a particular inventory item. If you want to specify that the SNMPv3 service is installed on a router, certain items must be checked to be certain it is present. The inventory definitions provide the XML schema to achieve exactly this. Since vulnerability scanning and automated configuration discovery are so closely related, it makes sense that OVAL should include this capability.
One additional area where the VM industry has very sensibly gone is compliance management. The MITRE team has understood this, and OVAL includes a schema for compliance definitions. Similar to the other schema, compliance specifies the conditions under which a system is compliant with a particular policy. Again, this is a natural extension to VM tools and processes.
System Characteristics Schema
This schema is designed to provide a standard definition of target system characteristics. These system characteristics, once collected, can be analyzed to identify vulnerabilities. When all of the target characteristics are collected, the vulnerability analyzer would compare them to the details in the definitions data to discover vulnerabilities. The design of the system characteristics schema is roughly parallel to that of the definitions schema. Although this schema is vulnerability focused, it also amounts to a list of configuration items in a configuration management database.
Results Schema
This third and final high-level schema is designed to provide a standard structure for recording the results of the vulnerability assessment. The primary benefit is that once a vulnerability is discovered, the details are captured in a format that many other security tools can interpret to properly apply patches, update configurations, initiate change processes, and take other mitigation actions as necessary. The results schema very specifically captures the details of a particular vulnerability on a specific target.
Nuts and Bolts[*]
In the OVAL specification, tests are formatted in the OVAL definitions schema and are defined by a tag. Tests are recorded using three key XML elements: , which is the item being tested; are the values of the objects to be tested; and are the tests to be performed against those objects using the previously mentioned . An ID is assigned to each definition, object, state, and test using a notation resembling reverse DNS entries. Let’s take a look at a partial example of an OVAL definition, which is a check to see whether Windows XP® is installed. This is an abbreviated version, so we do not spend time on details that are not instructive on this topic:
------------------------------------------------
1
2version="3" class="inventory">
3
4Microsoft Windows XP is installed<<br> title><br>5 <reference source="CPE" ref_id="cpe:/<br> o:microsoft:windows_xp"/><br>6 <description> The operating system installed<br> on the system is Microsoft Windows XP. </<br> description><br>7 </metadata><br>8 <criteria operator="AND"><br>9 <criterion comment="the installed operating<br> system is part of the Microsoft Windows<br> family" test_ref="oval:org.mitre.<br> oval:tst:99"/><br>10 <criterion comment="a version of Microsoft<br> Windows XP is installed" test_ref="oval:org.<br> mitre.oval:tst:3"/><br>11 </criteria><br>12 </definition><br>13 </definitions><br>14 <tests><br>15 <family_test id="oval:org.mitre.oval:tst:99"<br> version="1" comment="the installed operating<br> system is part of the Microsoft Windows family"<br> check_existence="at_least_one_exists" check="only<br> one"><br>16 <object object_ref="oval:org.mitre.<br> oval:obj:99"/><br>17 <state state_ref="oval:org.mitre.oval:ste:99"/><br>18 </family_test><br>19 <registry_test id="oval:org.mitre.oval:tst:3"<br> version="1" comment="a version of Microsoft<br> Windows XP is installed" check_existence="at_<br> least_one_exists" check="at least one"><br>20 <object object_ref="oval:org.mitre.<br> oval:obj:123"/><br>21 <state state_ref="oval:org.mitre.oval:ste:3"/><br>22 </registry_test><br>23 </tests><br>24 <objects><br>25 <family_object id="oval:org.mitre.oval:obj:99"<br> version="1" comment="This is the default family<br> object. Only one family object should exist."/><br>26 <registry_object id="oval:org.mitre.oval:obj:123"<br> version="1" comment="Registry key that hold the<br> current windows os version"><br>27 <hive>HKEY_LOCAL_MACHINE</hive><br>28 <key>SOFTWARE\Microsoft\Windows NT\Current<br> Version</key><br>29 <name>CurrentVersion</name><br>30 </registry_object><br>31 </objects><br>32 <states><br>33 <family_state id="oval:org.mitre.oval:ste:99"<br> version="1" comment="Microsoft Windows family"><br>34 <family>windows</family><br>35 </family_state><br>36 <registry_state id="oval:org.mitre.oval:ste:3"<br> version="1" comment="The registry key value is<br> 5.1"><br>37 <value>5.1</value><br>38 </registry_state><br>39 </states></blockquote><p></p><blockquote><p><definitions><definition <br="" id="oval:org.mitre.oval:def:105"><metadata><title>Microsoft Windows XP is installed<<br> title><br>5 <reference source="CPE" ref_id="cpe:/<br> o:microsoft:windows_xp"/><br>6 <description> The operating system installed<br> on the system is Microsoft Windows XP. </<br> description><br>7 </metadata><br>8 <criteria operator="AND"><br>9 <criterion comment="the installed operating<br> system is part of the Microsoft Windows<br> family" test_ref="oval:org.mitre.<br> oval:tst:99"/><br>10 <criterion comment="a version of Microsoft<br> Windows XP is installed" test_ref="oval:org.<br> mitre.oval:tst:3"/><br>11 </criteria><br>12 </definition><br>13 </definitions><br>14 <tests><br>15 <family_test id="oval:org.mitre.oval:tst:99"<br> version="1" comment="the installed operating<br> system is part of the Microsoft Windows family"<br> check_existence="at_least_one_exists" check="only<br> one"><br>16 <object object_ref="oval:org.mitre.<br> oval:obj:99"/><br>17 <state state_ref="oval:org.mitre.oval:ste:99"/><br>18 </family_test><br>19 <registry_test id="oval:org.mitre.oval:tst:3"<br> version="1" comment="a version of Microsoft<br> Windows XP is installed" check_existence="at_<br> least_one_exists" check="at least one"><br>20 <object object_ref="oval:org.mitre.<br> oval:obj:123"/><br>21 <state state_ref="oval:org.mitre.oval:ste:3"/><br>22 </registry_test><br>23 </tests><br>24 <objects><br>25 <family_object id="oval:org.mitre.oval:obj:99"<br> version="1" comment="This is the default family<br> object. Only one family object should exist."/><br>26 <registry_object id="oval:org.mitre.oval:obj:123"<br> version="1" comment="Registry key that hold the<br> current windows os version"><br>27 <hive>HKEY_LOCAL_MACHINE</hive><br>28 <key>SOFTWARE\Microsoft\Windows NT\Current<br> Version</key><br>29 <name>CurrentVersion</name><br>30 </registry_object><br>31 </objects><br>32 <states><br>33 <family_state id="oval:org.mitre.oval:ste:99"<br> version="1" comment="Microsoft Windows family"><br>34 <family>windows</family><br>35 </family_state><br>36 <registry_state id="oval:org.mitre.oval:ste:3"<br> version="1" comment="The registry key value is<br> 5.1"><br>37 <value>5.1</value><br>38 </registry_state><br>39 </states></blockquote><p></p></div><div class="informalexample" id="N109"><pre class="programlisting" id="265-1" style="font-family: 'Courier New', Courier, mono; margin-top: 0.4em; max-width: 800px; overflow-x: auto;"><definitions><definition class="inventory" id="oval:org.mitre.oval:def:105" version="3"><metadata><title>Microsoft Windows XP is installed< title> 5 <reference source="CPE" ref_id="cpe:/ o:microsoft:windows_xp"/> 6 <description> The operating system installed on the system is Microsoft Windows XP. </ description> 7 </metadata> 8 <criteria operator="AND"> 9 <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre. oval:tst:99"/> 10 <criterion comment="a version of Microsoft Windows XP is installed" test_ref="oval:org. mitre.oval:tst:3"/> 11 </criteria> 12 </definition> 13 </definitions> 14 <tests> 15 <family_test id="oval:org.mitre.oval:tst:99" version="1" comment="the installed operating system is part of the Microsoft Windows family" check_existence="at_least_one_exists" check="only one"> 16 <img src="http://img2.blogblog.com/img/video_object.png" style="background-color: #b2b2b2; " class="BLOGGER-object-element tr_noresize tr_placeholder" id="BLOGGER_object_8" data-original-id="BLOGGER_object_8" /> 17 <state state_ref="oval:org.mitre.oval:ste:99"/> 18 </family_test> 19 <registry_test id="oval:org.mitre.oval:tst:3" version="1" comment="a version of Microsoft Windows XP is installed" check_existence="at_ least_one_exists" check="at least one"> 20 <img src="http://img2.blogblog.com/img/video_object.png" style="background-color: #b2b2b2; " class="BLOGGER-object-element tr_noresize tr_placeholder" id="BLOGGER_object_9" data-original-id="BLOGGER_object_9" /> 21 <state state_ref="oval:org.mitre.oval:ste:3"/> 22 </registry_test> 23 </tests> 24 <objects> 25 <family_object id="oval:org.mitre.oval:obj:99" version="1" comment="This is the default family object. Only one family object should exist."/> 26 <registry_object id="oval:org.mitre.oval:obj:123" version="1" comment="Registry key that hold the current windows os version"> 27 <hive>HKEY_LOCAL_MACHINE</hive> 28 <key>SOFTWARE\Microsoft\Windows NT\Current Version</key> 29 <name>CurrentVersion</name> 30 </registry_object> 31 </objects> 32 <states> 33 <family_state id="oval:org.mitre.oval:ste:99" version="1" comment="Microsoft Windows family"> 34 <family>windows</family> 35 </family_state> 36 <registry_state id="oval:org.mitre.oval:ste:3" version="1" comment="The registry key value is 5.1"> 37 <value>5.1</value> 38 </registry_state> 39 </states></pre></div><span class="beginpage" pagenum="120"><a name="266" id="266" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a name="IDX-120" id="IDX-120" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a></span><div class="section" id="ch04lev3sec90"><h4 class="sect4-title" id="annotationlabel-1" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><span class="section-titlelabel"><br></span></h4><h4 class="sect4-title" id="annotationlabel-1" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><a name="267" id="267" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a id="ch04lev3sec90" name="ch04lev3sec90" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><span class="section-titlelabel">1 </span><Definitions></h4><p id="267-1" class="first-para" style="margin-top: 0em; margin-bottom: 0em; ">In this example, there are a few basic components to know: definitions, tests, objects, and states. These are the high-level containers for the parts of a vulnerability check. The definitions come in four different classes as previously described: vulnerability, patch, inventory, and compliance. This example indicates in the “class” that it is an inventory definition in line 2. Line 3 is a metadata tag. This begins a descriptive section that can be used by vulnerability assessment software for the end user who may not need to know exactly what happens in this test. The title and description are not the most significant items here. Notice in the metadata there is a reference source in line 5. This refers to a CPE name. This CPE name will be explained later, but for now suffice it to say that this is a specification for a system enumeration.</p><p class="para" id="267-2" style="margin-top: 0.9em; ">The ultimate goal in this example is to determine whether Windows XP is installed on a target system. The tests, objects, and states that are compared will evaluate to a true or false answer.<span pagenum="121" class="beginpage"><a id="268" name="268" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a id="IDX-121" name="IDX-121" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a></span></p><p id="268-1" class="para" style="margin-top: 0.9em; ">The criteria tag showing the value of “operator” set to “AND” is on line 8. This is a fundamental breakdown of the logic to be applied in the vulnerability check. If X AND Y, then the result is true. In other words, the result of all tests will have a logical AND operation applied. Following that on lines 9 and 10 are the two criterion type statements to which the operator is applied.</p><p id="268-2" class="para" style="margin-top: 0.9em; ">Each criterion or “criteriontype” has a comment and a “test_ref” reference. This reference points to the details of the test that is to be performed. If the criterion is to be negated, then another item is added within the specific criterion statement. This is the “negate = ‘true’” statement within the criterion. If this is omitted from the criterion type, the value is assumed to be “false” or not negated.</p><p class="last-para" id="268-3" style="margin-top: 0.9em; ">One other item to know about the criterion as in this example: the first criterion indicates that the test referenced as “oval:org.mitre. oval:tst:99” should be performed. This is a reverse-DNS-style notation showing that the test is from <a href="http://www.oval.mitre.org/" class="url" target="_top" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; color: rgb(0, 0, 128); ">oval.mitre.org</a> and is number 99. All of these references start with the word “oval” followed by org.mitre. oval. Since it is a test, the letters “tst” follow. Finally, a colon and an integer of at least one digit is included. Combined, this pattern forms a unique identifier. It is referred to as a “testIDpattern.”</p></div><div class="section" id="ch04lev3sec91"><h4 id="annotationlabel-2" class="sect4-title" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><span class="section-titlelabel"><br></span></h4><h4 id="annotationlabel-2" class="sect4-title" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><a id="269" name="269" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a id="ch04lev3sec91" name="ch04lev3sec91" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><span class="section-titlelabel">2 </span><Tests></h4><p class="first-para" id="269-1" style="margin-top: 0em; margin-bottom: 0em; ">After all of the tests are specified in the criteria of a definition, then a new section begins, indicated by the <tests> tag. In this section, the first and very common element is the “family_test” on line 15. Notice that immediately following this element is an ‘id=“oval:org.mitre.oval:tst:99.”’ This is the item to which the earlier criterion reference was pointing. What follows are the objects and states to be compared. If the result of the comparison is true, then this is used in the previous definition to evaluate whether the results meet the goal of the definition. Also in the family_test element are “check_existence=” and “check=.” These are set to the values “at_least_one_exists” and “only one” respectively. This means that there must be exactly one check but no more. In this case, we will check object 99 against state 99, as indicated on lines 16 and 17.</p><p class="last-para" id="269-2" style="margin-top: 0.9em; ">Then, there is one more test to be performed. In this case, it is a registry test on line 19. Lines 20 and 21 are the object and state to be checked. In this case, it is object number 123 and state number 3.<span class="beginpage" pagenum="122"><a id="270" name="270" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a id="IDX-122" name="IDX-122" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a></span></p></div><div class="section" id="ch04lev3sec92"><h4 class="sect4-title" id="annotationlabel-3" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><span class="section-titlelabel"><br></span></h4><h4 class="sect4-title" id="annotationlabel-3" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><a id="271" name="271" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a id="ch04lev3sec92" name="ch04lev3sec92" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><span class="section-titlelabel">3 </span><Objects></h4><p class="first-para" id="271-1" style="margin-top: 0em; margin-bottom: 0em; ">The objects section defines the objects to be tested. In this case, “oval:org.mitre.oval:obj:99” is the reference which is a “family_object” on line 25. This means that the object defines a particular system. It is referenced only by a “family_test” as on line 16. The point is to identify whether the target system is Windows, Mac OS X, UNIX, etc.</p><p class="last-para" id="271-2" style="margin-top: 0.9em; ">The next object is a “registry_object.” This type of object applies only to the Microsoft Windows registry key system. That system has three components: <hive>, <key>, and <name>. If you have ever browsed the Windows registry, you will recognize these details. The structure and function of the Windows registry is beyond the scope of this book. It is sufficient to say that the values specified on lines 27, 28, and 29 are the values used to identify the particular item in the Windows registry that we need to test.</p></div><div class="section" id="ch04lev3sec93"><h4 class="sect4-title" id="annotationlabel-4" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><span class="section-titlelabel"><br></span></h4><h4 class="sect4-title" id="annotationlabel-4" style="margin-top: 0.9em; margin-bottom: 0em; color: rgb(1, 1, 0); "><a id="272" name="272" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a id="ch04lev3sec93" name="ch04lev3sec93" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><span class="section-titlelabel">4 </span><States></h4><p class="first-para" id="272-1" style="margin-top: 0em; margin-bottom: 0em; ">Finally, we have the states, which contain the values needed to test the objects. The first item is the “family_state,” which defines the state of the family of computer system. In the example on line 33, the “family_state” tag tells us that we are dealing with family state number 99. You may recall that the “family_test” described earlier references this state on line 17. Back on line 34, the simple value of the “family” is set to “windows.”</p><p class="para" id="272-2" style="margin-top: 0.9em; ">The one and final state to be defined is the state of the previously mentioned registry key specified in the object on line 26, also known as object 123. To clarify, we are testing that object number 123 (the registry key) has a state number 3 (value 5.1). On line 36, we define the “registry_state” element with a value found on line 37.</p><p class="para" id="272-3" style="margin-top: 0.9em; ">The following summarizes, in a more natural-language style, what the definitions, objects, states, and tests do in this example:</p><div class="informalexample" id="N178"><pre class="programlisting" id="272-4" style="font-family: 'Courier New', Courier, mono; margin-top: 0.4em; overflow-x: auto; max-width: 800px; ">---------------- Definition: Inventory (line 2) This is a Windows OS (test 99, line 9) AND (line 8) Windows XP is installed (test 3, line 10) Test 3: Test the Windows family (line 15) Which has object 99 (line 16) and state 99 (line 17) Test 99: Test Windows XP Which has object 123 (line 20) and state 3 (line 21) Object 99: family_object (line 25) Object 123: registry_object (line 26) Which is "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\CurrentVersion" (lines 27, 28, and 29) State: family_state (line 33) Which is Windows (line 34) State: registry_state (line 36) Which has the value 5.1 (line 37) ------------------</pre></div><span class="beginpage" pagenum="123"><a id="273" name="273" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><a id="IDX-123" name="IDX-123" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a></span><p class="para" id="273-1" style="margin-top: 0.9em; ">Since some tests cannot be performed using a single <state> value, another type of <state> is available in a section called <variables>. This allows the end user to select the value that would constitute compliance.</p><p class="para" id="273-2" style="margin-top: 0.9em; ">The folks at MITRE recognized that they could not be everything to everyone, so they made OVAL extensible using a special XML tag in a <metadata> section.</p><p class="para" id="273-3" style="margin-top: 0.9em; ">The vulnerability scanner uses a collection of these XML documents to identify a vulnerability in a particular target. Before making the comparison, the scanner assesses the state of the target machine and records this state information in a similarly formatted XML document. Then, an analysis is performed using the vulnerability state information and the target state information. The system state information is collected in a format called the OVAL System Characteristics Schema. This XML document has the configuration data for a target system. Having a standard format helps to standardize communication of this information to other systems. For example, system characteristics could be useful in a configuration management tool or an SEIM.</p><p class="para" id="273-4" style="margin-top: 0.9em; ">If a vulnerability scan were to result in the identification of a vulnerability, then that fact and related details are recorded for further processing. It is after this analysis/results step that the real vendor-distinguishing features can be built. But first, the process of identifying the vulnerability is standardized for consistent results. The results are reported consistently by the specification of an XML schema similar to the OVAL definitions schema called, not surprisingly, the OVAL Results Schema.</p><p class="last-para" id="273-5" style="margin-top: 0.9em; ">Note that OVAL only supports authenticated tests that require authorized access to the target. This is a necessary limitation since there may be many innovative ways to perform unauthenticated checks.</p></div></div></div><span class="beginpage" pagenum="" style="font-family: Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); font-size: small; "></span><div class="footnotes" style="font-family: Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); font-size: small; "><div class="footnote" id="ch04footnote05"><p id="273-6"><a id="264" name="264" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; "></a><sup>[<a href="http://www.books24x7.com/assetviewer.aspx?bookid=30514&chunkid=665099775¬eMenuToggle=0&leftMenuState=1#ch04footnote05" name="ftn.ch04footnote05" style="text-decoration: none; outline-style: none; outline-width: initial; outline-color: initial; ">*</a>]</sup> This discussion assumes that you have a basic understanding of HTML and XML. Specifically, you should know how XML tags are constructed. It is also helpful to understand the general idea of an object in the object-oriented design sense of the word.</p></div></div><p></p>