The National Institute of Standards and Technology has released a framework for making the information in cybersecurity vulnerability disclosures more precise, the first step in a planned series of publications aimed at promoting a better understanding of security failures across the vulnerability management ecosystem.
“The Bugs Framework (BF) is a classification of security bugs and related faults that features a formal language for the unambiguous specification of software and hardware security weaknesses and vulnerabilities,” NIST says in the Tuesday publication.
The publication explains, “The goal of BF is to help better understand and detect software, firmware, or hardware security weaknesses and vulnerabilities, as well as to resolve or mitigate them. Both cybersecurity experts and automated systems need precise descriptions of the publicly disclosed vulnerabilities and the weakness types related to them.”
The publication falls under NIST’s responsibilities from the 2014 Federal Information Security Modernization Act, according to the agency, and is poised to change how vulnerabilities are managed by federal agencies.
The development of the framework was led by NIST computer scientist Irena Bojanova, as part of the Software Assurance Metrics and Tool Evaluation project under the agency’s broader Software Quality Group.
NIST dives into how the application of the new framework can enhance the “current state of the art in describing security weaknesses and vulnerabilities” by addressing limitations of the Common Weakness Enumeration and Common Vulnerabilities and Exposures lists.
The CWE and CVE lists are run by MITRE, with support from the Cybersecurity and Infrastructure Security Agency. The CWE list tracks weaknesses that can “contribute to the introduction of vulnerabilities,” MITRE’s CWE page says, while the CVE list is for publicly disclosed cyber vulnerabilities.
The NIST publication describes the “hierarchical” approaches of the CWE and CVE as “one-dimensional,” outlining limitations that stem from a lack of precision. NIST says, “Many of the CWE and CVE descriptions are not sufficient, accurate, or precise enough; have unclear causality; and include programming language and domain-specific notions.”
Imprecision and a “lack of explainability” can make CWEs and CVEs difficult to use in a cybersecurity research setting, the publication says. The CWE program has “gaps and overlaps” in its coverage, NIST explains, and CVEs often fail to “describe the entire chain of weaknesses underlying the vulnerability.”
NIST argues the same limitations flow downstream to CISA’s Known Exploited Vulnerabilities library and NIST’s National Vulnerability Database, which both rely on CWE and CVE information.
NIST says, “Additionally, the CWE and CVE do not exhibit strict methodologies for tracking the weaknesses underlying a vulnerability, systematic comprehensive vulnerability labeling, or backward root cause identification from a security failure. There are no tools to aid the creation and visualization of weakness and vulnerability descriptions.”
The new framework addresses issues with the CWE and CVE programs by providing “a structured multidimensional classification of security bugs and related faults” that makes the cause-and-effect relationship between weaknesses and their consequences clearer, according to NIST.
Formalizing the language used for vulnerability management “guarantees precise descriptions with clear causality of weaknesses (including CWE) and vulnerabilities (including CVE) and complete, orthogonal, and context-free weakness-type coverage,” NIST says, and ensures that lessons can be applied in any programming language or technology.
The new language offered in the framework also allows the vulnerability management community to define secure coding principles in a formalized way that does not depend on the properties of any specific programming language, according to NIST. The publication specifically points to the potential for eliminating memory safety vulnerabilities through the use of formal methods.
Moving forward, NIST will be releasing eight publications to support the new framework:
- SP 800-231A, Bugs Framework: Security Concepts
- SP 800-231B, Bugs Framework: Bugs Models
- SPs 800-231Cx, Bugs Framework: yyy Taxonomy, where yyy is a BF class type
- SP 800-231D, Bugs Framework: Vulnerability Models
- SP 800-231E, Bugs Framework: Formal Language
- SP 800-231F, Bugs Framework: Tools and APIs
- SP 800-231G, Bugs Framework: Secure Coding Principles
- SP 800-231I, Bugs Framework: Datasets and Applications
More information about the NIST project is available on GitHub, where Bojanova describes NIST’s approach to the development of the framework, outlines the application of software security concepts and details the structure of the formal language. -- Jacob Livesay (jlivesay@iwpnews.com)