Introduction to OVAL: A new language to determine the presence of software vulnerabilities




Matthew Wojcik / Tiffany Bergeron / Robert Roberge
November 2003
The MITRE Corporation

Table of Contents

Introduction
Open Vulnerability Assessment Language (OVAL)
An OVAL-Enabled Process
Improving Vulnerability Assessment with OVAL
System Administrators and Other End Users
Software and Tool Vendors
Community Involvement and Support
An OVAL Board of Industry, Academia, and Government Organizations
Broad Industry Participation via the OVAL Community Forum
A Community-Developed OVAL Schema
Creating OVAL Queries
Reference Query Interpreter
How the Query Interpreter Works
OVAL Query Syntax Checker
Other Implementations and Uses of OVAL Actively Encouraged
Value of OVAL's CVE-Compatibility
MITRE's Role
Summary of OVAL Benefits
Conclusion

Matthew Wojcik / Tiffany Bergeron / Todd Wittbold / Robert Roberge
The MITRE Corporation

Introduction

As recently as 2002, there was no structured means for network and system administrators to determine in a definitive way whether software vulnerabilities existed on their local computer systems. This was a major concern for organizations of all types and sizes: vulnerabilities are the entry points for hackers and, if not fixed, may result in significant recovery expenses if a compromise occurs. Although some of the required information was and remains available as text-based vulnerability descriptions from vulnerability knowledge sources such as software and tool vendors, government agencies, and security consulting firms, it is a labor-intensive and error-prone process for system administrators to read and interpret this unstructured information and then make an accurate determination that a vulnerability truly exists on the system.

This paper outlines MITRE's Open Vulnerability Assessment Language (OVAL) concept, an information security community effort that solves this problem by using SQL queries to create "gold standard" tests that definitively determine the presence of vulnerabilities on end systems.

Open Vulnerability Assessment Language (OVAL)

OVAL is the common language for security experts to discuss and agree upon technical details about how to check for the presence of vulnerabilities on a computer system. The end results of the discussions are OVAL queries, which perform the checks to identify the vulnerabilities. OVAL queries are written in SQL and use a collaboratively developed and standardized SQL schema as the basis for each query. SQL stands for Structured Query Language, the industry-standard database language that is widely understood by numerous computer professionals.
OVAL queries detect the presence of software vulnerabilities in terms of system characteristics and configuration information, without requiring software exploit code. By specifying logical conditions on the values of system characteristics and configuration attributes, OVAL queries characterize exactly which systems are susceptible to a given vulnerability. System characteristics include the operating system (OS) installed, settings in the OS, software applications installed, and settings in applications, while configuration attributes include registry key settings, file system attributes, and configuration files.

OVAL queries are based primarily on the known vulnerabilities identified in Common Vulnerabilities and Exposures (CVE), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures developed by The MITRE Corporation in cooperation with the international security community (http://cve.mitre.org). CVE common names make it easier to share data across separate network security databases and tools that are CVE-compatible. CVE also provides a baseline for evaluating the coverage of an organization's security tools, including the security advisories it receives. For each CVE name, there are one or more OVAL queries.

The official common OVAL Schema is the framework on which OVAL queries are based. It was approved by the OVAL Board, which includes representatives from a broad spectrum of industry, academia, and government organizations. At the time of this writing, OVAL's initially supported platforms are Microsoft Windows 2000; Microsoft Windows NT 4.0; and Sun Solaris 7, 8, and 9. Draft, not-yet-approved schemas for Red Hat Linux, Debian Linux, Microsoft Windows XP, Microsoft Server 2003, and Hewlett-Packard UNIX (HP-UX) are also included.

An OVAL-Enabled Process

First, an OVAL-compliant assessment or scanning tool determines which vulnerabilities exist on your system and issues reports. (You may also use the OVAL queries themselves to perform this function manually.) Based upon these reports, you may then obtain appropriate software patches and fix information for remediation from the security assessment tools, your vendors, or vulnerability research databases and Web sites, and make the repairs. This process enables a consistent and repeatable approach to vulnerability assessment, leading to a more secure system. See Figure 1.

Figure 1. How OVAL leads to a more secure system

Improving Vulnerability Assessment with OVAL

The OVAL effort aims to provide a baseline method for performing vulnerability assessments on local computer systems. CVE has already improved the process by establishing a common name for each vulnerability or exposure, so that security assessment tools are checking for the same issue. However, the ways in which the various tools perform the checks differ from tool to tool. If a computer is compared to a building and a vulnerability to a way to get into the building, one tool checks for a door and declares its very existence a vulnerability. Another tool checks to see if the door exists but also whether it is open or closed before declaring it a vulnerability. And yet another tool looks for large windows as well as doors. These differences make it especially difficult to make a truly definitive determination of whether or not a vulnerability is present. See Figure 2.

Figure 2. Tools check for vulnerabilities in different ways, making a definitive vulnerability determination difficult

System Administrators and Other End Users

The current process of vulnerability assessment is labor-intensive and error-prone. Much of the information required to verify that a vulnerability exists can be found as text-based descriptions from vulnerability knowledge sources such as the tool and software vendors themselves, government agencies, and security consulting firms. However, you must then assemble, read, and interpret this unstructured information to determine whether or not the vulnerability actually does exist on the system.

OVAL solves this problem. OVAL queries, which can be read manually or incorporated into vulnerability assessment tools, provide a collaboratively developed baseline check. Until OVAL, consistency in this capability did not exist. The widespread availability of OVAL queries will eventually provide the means for standardized vulnerability assessment. It will also result in consistent and reproducible information assurance metrics from your systems. Since OVAL queries express security problems in a language familiar to system administrators, they will have a concrete and actionable impact on your security remediation efforts.

Software and Tool Vendors

For operating system and application software vendors, the precise definitions of how to detect vulnerabilities found in OVAL queries eliminate the need for exploit code as an assessment tool. For tool vendors, there is no way to ensure customers are using your tools properly.
The tests you implement to check for the vulnerabilities are frequently closed and proprietary, and are often written in procedural code that is not easily read or understood by your customers, creating further usage difficulties. OVAL addresses these problems. Tools for collecting configuration information can be combined with OVAL language content to provide a baseline vulnerability assessment capability, resulting in more accurate determinations of existence for your customers and fewer false positives than what exists today. The SQL on which OVAL queries are based can be easily converted into your tool's proprietary code or language. It will also allow your customers to compare the coverage of your OVAL-compliant tool using the percentage of vulnerabilities found.

Community Involvement and Support

Community involvement is an integral component of the OVAL effort. OVAL is industry-endorsed via the OVAL Board and OVAL Community Forum, ensuring that the OVAL Schema and all OVAL queries reflect the combined expertise of the broadest possible group of security and system administration professionals.

An OVAL Board of Industry, Academia, and Government Organizations

The OVAL Board includes members from major operating system vendors, commercial information security tool vendors, academia, government agencies, and research institutions (see Table 1). Other information security experts will be invited to participate on the Board on an as-needed basis based upon recommendations from Board members. The MITRE Corporation maintains OVAL and provides impartial technical guidance to the OVAL Board on all matters related to the ongoing development of OVAL. Archives of Board meetings and discussions are available for review and comment on the OVAL Web site.

Table 1. OVAL Board Member Organizations

Academic/Educational: CERIAS/Purdue University
Information Providers: SANS Institute
Operating System/Software Vendors: Debian; IBM; Microsoft; Red Hat
Other Security Experts: Bastille Linux; Center for Internet Security; CERT/CC (Software Engineering Institute, Carnegie Mellon University); Defense Information Systems Agency (DISA); National Security Agency (NSA); MITRE Corporation
Tool Vendors: BindView Corporation; Cisco Systems; Citadel Security Software; Harris Corporation; Internet Security Systems; Symantec

Broad Industry Participation via the OVAL Community Forum

The OVAL Community Forum Email List is a public forum for discussing the OVAL Schema, the OVAL queries posted on the OVAL Web site, and the information security vulnerabilities themselves that affect query writing. An archive of discussions is available for review. System administrators, software vendors, security analysts, tool developers, and other members of the information security community are actively invited to join the Forum on the OVAL Web site and at industry conferences and other events.

Benefits of the OVAL Community Forum:

- Personal and organizational participation in a security community effort
- Opportunity to discuss and debate Initial Submission, Draft, Interim, and Accepted queries with other security and system administration professionals
- Assistance in the development of the official OVAL Schema for the OSs of your choice
- Up-to-date, breaking information on the Initial Submission, Draft, Interim, and Accepted queries posted on the OVAL Web site
- An easy-to-use, lightly moderated email discussion list
- Easy reference and review of Forum Discussion Archives
- OVAL queries that reflect the insights and combined expertise of the broadest possible collection of security professionals

A Community-Developed OVAL Schema

The official OVAL Schema is a standard, common schema approved by the OVAL Board to serve as the language framework for writing OVAL queries. MITRE chose SQL as the framework because it allows a wide range of computer security professionals to discuss vulnerabilities in technical detail. The declarative nature of SQL brings focus to the logic of the presence or absence of a vulnerability on a local system. Because they are written in SQL, OVAL queries are machine-readable and can be used as part of host-based vulnerability assessment programs, or read in hardcopy or electronic form by information security professionals such as system administrators and security analysts.
For tool vendors, SQL is a specification and not an implementation requirement. The SQL information in OVAL can be converted into whatever implementation structure or format is necessary for your tool. There is an official schema for each of the operating systems supported, which as of this writing includes Windows 2000; Windows NT 4.0; and Solaris 7, 8, and 9. Also included are draft schemas for Red Hat Linux, Debian Linux, Windows XP, Microsoft Server 2003, and HP-UX. OVAL's standardized schema allows a wide range of computer security professionals to discuss the technical details of determining whether a vulnerability is present on a system. In addition, tool vendors or developers of security software may download the schema as input for OVAL-compliant scanning and assessment tools.

Creating OVAL Queries

Draft queries for CVE entries, or for configuration issues not yet included in CVE, are written by MITRE, members of the OVAL Board, or other members of the information security community and submitted to MITRE for public comment and review. Public comments on the drafts are made on the OVAL Community Forum, the public email list created by MITRE for discussing the queries and the vulnerabilities on which they are based.

Each individual OVAL query includes metadata, a high-level summary, and the detailed query. Query metadata provides the OVAL-ID, the status of the query (Initial Submission, Draft, Interim, or Accepted), the version of the official OVAL Schema the query works with, the CVE name or candidate number, and a brief description of the security issue covered by the query. The high-level summary includes two sections: "Vulnerable software exists," which states the specific OS, the name of the file containing the vulnerability, the application version, and patch status; and "Vulnerable configuration," which indicates whether the service is running, specific configuration settings, and workarounds. The detailed portion of the query includes the CVE name on which the query (or queries) is based, and provides the logic for checking the system characteristics (OS installed, settings in the OS, software applications installed, and settings in applications) that indicate vulnerable software exists, and the configuration attributes (registry key values, file system attributes, and configuration files) that indicate a vulnerable configuration exists.

Once Community Forum discussion about an Initial Submission query has subsided, MITRE and the OVAL Board review and refine the query, and it is then posted on the OVAL Queries page with a status of "Draft." Review and discussion continue as the query moves to "Interim," and finally to "Accepted" status (see Figure 3).

Figure 3. Stages of an OVAL Query

Queries may still need to be modified over time.
For example, changes may be made when more information is learned about a vulnerability, when vendor patches and service packs are released, or because of other factors not known when the queries were originally accepted. Public discussions of all Draft, Interim, and Accepted OVAL queries will always be ongoing.

Reference Query Interpreter

Demonstrating the effectiveness of OVAL was an important first step of the OVAL effort. To do this, MITRE created a reference implementation of an "OVAL Query Interpreter" (QI) that shows how information can be collected and used to evaluate OVAL queries. MITRE developed the QI specifically to demonstrate the usability of OVAL queries, and to help query writers ensure correct syntax and adherence to the OVAL Schema during the development of draft queries. While it is effective, the QI is not a fully functional scanning tool and has a simplistic user interface, but running it will display a list of CVE entries determined by OVAL to be present on the system.

How the Query Interpreter Works

QI evaluates OVAL queries by (1) instantiating the OVAL Schema in an SQLite database; (2) populating this schema by collecting information about registry keys, process information, etc.; (3) evaluating the queries against the schema; and (4) providing a list of the CVE identifiers determined by OVAL to be present on the system.

Step 1: To run QI, open a command window in the system's installation directory (QI is a command-line utility) and enter the MD5 hash/checksum from the OVAL Web site. This verifies that the data file being used is the same as the one currently available on the site. MITRE uses MD5 hash/checksum verification to ensure that the installation program and data files for QI have not been modified in any manner. Once verification has been completed, QI builds an empty database and creates the tables as defined in the OVAL Schema for that platform. SQLite (http://www.sqlite.org/) is an embedded freeware database engine that reads and writes directly to a file on disk. Its small size and ease of use made SQLite the best choice for QI.

Step 2: After creating the empty tables, QI then collects the system configuration data. It is this information that will be evaluated against the OVAL queries in Step 3.
Depending upon the data being collected, QI may or may not collect all the information from the system. For example, data for a Process Table (i.e., process ID, command line of the executable, etc.) would be simple to collect, while data for a File Attributes Table (i.e., owner, file size, etc.) or Registry Keys (i.e., entry value, type, etc.) would be more complex because of the sheer volume of that type of information. To address this problem, OVAL uses "Insert Statements," which are freely provided on the OVAL Web site for review or download along with the OVAL queries and which together are part of our regularly updated QI Data Files. Insert Statements identify the "certain files" and "certain registry keys" that the queries will need to execute properly; once read by QI, they direct the SQLite database to collect only that specific data. For example, an Insert Statement may specify the path name of a file so that QI will know to look up the version of only that file.

Step 3: Once the data has been collected and stored in the SQLite database, QI reads the OVAL queries from the Data Files and evaluates them against the system configuration data stored in the SQLite database.

Step 4: If an OVAL query determines that a vulnerability is present on the system, QI displays onscreen the OVAL-ID of the query and the CVE name that the particular query addresses. A list of OVAL-IDs/CVE names will be displayed if one or more vulnerabilities are found to be present. In addition to this list of "Vulnerabilities Found," QI will also display a list of the OVAL-IDs of the "Vulnerabilities Not Found." This second list, when combined with the results from the first, allows users to identify all of the queries that have been run against their system.

QI can also display an informational "Errors" list of software patches and other information that the OVAL queries were looking for and could not locate. For example, when a particular application or software component is not installed on the system, the Insert Statements cannot find the specified "certain files" and "certain registry keys" for which they are looking. Since installed patches are often determined by the existence of particular registry keys, if a patch is not installed then the registry key will not exist. It is in this way that QI can determine whether a patch is or is not installed. As with the "Vulnerabilities Found" and "Vulnerabilities Not Found" lists, this information can be displayed onscreen in QI's simplistic user interface, but users will need to run the specific command-line option for printing all information and error messages to view it.

OVAL Query Syntax Checker

QI can also be used by query writers to ensure correct syntax during the development of draft queries and adherence to the OVAL Schema. To use QI in this manner, you must choose the option for running the interpreter without requiring the MD5 checksum/hash at the command line.
Running the interpreter with this option disables the important checksum verification security feature. However, it does allow you to test your draft queries with the interpreter before submitting them to the OVAL Community Forum for public review. Complete instructions for using QI are included in the Read Me file, which is posted on the OVAL Web site and included in the interpreter download.

Other Implementations and Uses of OVAL Actively Encouraged

MITRE's Reference Query Interpreter is, of course, only one implementation of OVAL. Numerous other uses and implementations are possible, and we strongly encourage tool developers and others to create them. Towards that end, all OVAL vulnerability content is freely available on the OVAL Web site, as are the OVAL Reference Query Interpreter itself and its source code. Finally, in addition to the OVAL Community Forum for query development, we also offer an email discussion list specifically for developers, dedicated to OVAL implementation issues. Sign-up for both lists is available on the OVAL Web site.
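The four QI steps described under "How the Query Interpreter Works" (checksum verification of the data file, instantiating the schema in SQLite, collecting only what the Insert Statements ask for, and evaluating the queries into "Vulnerabilities Found", "Vulnerabilities Not Found" and "Errors" lists), together with the query shape described under "Creating OVAL Queries" (an OS condition, a file-version condition for "vulnerable software exists", and a registry condition for patch status or "vulnerable configuration"), as an added Python example. This is not MITRE's QI code: the table and column names stand in for the real OVAL schema and are invented for this example, the two queries, their OVAL-ID and CVE identifiers, the file paths and registry keys are placeholders, and the host is a constructed dictionary rather than a live system. The `version_lt` SQL function is added because comparing dotted version strings with SQL's string `<` would rank 5.0.2195.10000 below 5.0.2195.6000.

```python
import hashlib
import json
import sqlite3

# Hypothetical tables standing in for the OVAL Windows schema (names invented for this example).
SCHEMA = """
CREATE TABLE os_info         (os_name TEXT, service_pack TEXT);
CREATE TABLE file_attributes (path TEXT, version TEXT);
CREATE TABLE registry_keys   (reg_key TEXT, value_name TEXT, value_data TEXT);
"""

def version_lt(a, b):
    """Numeric dotted-version compare, exposed to SQL so queries do not fall into string ordering."""
    return tuple(int(p) for p in a.split(".")) < tuple(int(p) for p in b.split("."))

# Constructed QI data file: the Insert Statements name the only files and keys to collect,
# and each query returns a row only when its vulnerable condition holds. IDs are placeholders.
DATA_FILE = {
    "insert_statements": {
        "files": [r"C:\WINNT\system32\example.dll", r"C:\Program Files\Example\other.exe"],
        "registry_keys": [r"SOFTWARE\Example\Hotfix\KB000000", r"SOFTWARE\Example\Service"],
    },
    "queries": [
        {"oval_id": "OVAL-PLACEHOLDER-1", "cve": "CVE-0000-0001", "sql": """
            SELECT 1 FROM os_info WHERE os_name = 'Windows 2000'
              AND EXISTS (SELECT 1 FROM file_attributes
                          WHERE path = 'C:\\WINNT\\system32\\example.dll'
                            AND version_lt(version, '5.0.2195.6000'))
              AND NOT EXISTS (SELECT 1 FROM registry_keys
                              WHERE reg_key = 'SOFTWARE\\Example\\Hotfix\\KB000000')"""},
        {"oval_id": "OVAL-PLACEHOLDER-2", "cve": "CVE-0000-0002", "sql": """
            SELECT 1 FROM file_attributes
            WHERE path = 'C:\\Program Files\\Example\\other.exe'
              AND version_lt(version, '2.1.0.0')
              AND EXISTS (SELECT 1 FROM registry_keys
                          WHERE reg_key = 'SOFTWARE\\Example\\Service'
                            AND value_name = 'Start' AND value_data = '2')"""},
    ],
}
DATA_FILE_BYTES = json.dumps(DATA_FILE, sort_keys=True).encode()
PUBLISHED_MD5 = hashlib.md5(DATA_FILE_BYTES).hexdigest()  # stands in for the value read from the OVAL site

# Constructed snapshot of one host: the old DLL is present, the hotfix key and other.exe are not.
HOST = {
    "os": ("Windows 2000", "SP3"),
    "files": {r"C:\WINNT\system32\example.dll": "5.0.2195.5000"},
    "registry": {r"SOFTWARE\Example\Service": [("Start", "2")]},
}

def verify_data_file(data, expected_md5):
    """Step 1: accept the data file only if its MD5 matches the published value."""
    return hashlib.md5(data).hexdigest().lower() == expected_md5.lower()

def collect(conn, inserts, host):
    """Step 2: populate the schema with only what the Insert Statements ask for; note what is missing."""
    errors = []
    conn.execute("INSERT INTO os_info VALUES (?, ?)", host["os"])
    for path in inserts["files"]:
        if path in host["files"]:
            conn.execute("INSERT INTO file_attributes VALUES (?, ?)", (path, host["files"][path]))
        else:
            errors.append(f"file not found: {path}")
    for key in inserts["registry_keys"]:
        if key in host["registry"]:
            for name, data in host["registry"][key]:
                conn.execute("INSERT INTO registry_keys VALUES (?, ?, ?)", (key, name, data))
        else:
            errors.append(f"registry key not found: {key}")
    return errors

def run_qi(data, expected_md5, host):
    """Steps 1-4: verify, build the schema, collect, evaluate; returns the three lists QI prints."""
    if not verify_data_file(data, expected_md5):
        raise ValueError("data file checksum mismatch; refusing to evaluate")
    content = json.loads(data)
    conn = sqlite3.connect(":memory:")
    conn.create_function("version_lt", 2, version_lt)
    conn.executescript(SCHEMA)
    errors = collect(conn, content["insert_statements"], host)
    found, not_found = [], []
    for q in content["queries"]:  # Step 3: a row back means the vulnerable condition holds
        hit = conn.execute(q["sql"]).fetchone() is not None
        (found if hit else not_found).append((q["oval_id"], q["cve"]))
    conn.close()
    return {"found": found, "not_found": not_found, "errors": errors}  # Step 4

if __name__ == "__main__":
    print(run_qi(DATA_FILE_BYTES, PUBLISHED_MD5, HOST))
```

Running it against the constructed host reports the first placeholder query as found (old DLL, no hotfix key), the second as not found, and two entries in the errors list for the file and key the Insert Statements asked for but the host does not have; adding the hotfix key to the snapshot turns the first query into a "not found". A tampered data file is rejected before any query runs, which is the protection the syntax-checker option gives up.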

Value of OVAL's CVE-Compatibility

The OVAL Web site is "CVE-compatible," which means that it uses CVE names in a manner that allows it to be cross-referenced with other Web sites, tools, databases, and other security products or services that also employ CVE names. All OVAL queries are based on the publicly known vulnerabilities identified in the CVE List, including both official CVE entries and CVE candidates. Official CVE entries (also referred to as a CVE "name") include the name, a brief description of the security vulnerability or exposure, and any pertinent references. Candidates, or "CANs," are assigned special numbers to distinguish them from CVE entries, but as with official entries each candidate includes a description of the issue and references. If a candidate covered by an OVAL query becomes an official CVE entry, the candidate number will be replaced with the official CVE name in all OVAL queries. When a new CVE version is released, all changes to CVE candidate and entry names included on the OVAL Web site are updated.

System administrators can take advantage of OVAL's CVE compatibility by searching the queries posted on the OVAL Web site by a specific CVE entry or CVE candidate number. You can then use the query to see if your system has that vulnerability, or to verify that an OVAL-compliant scanner has truly discovered the problem. OVAL's CVE compatibility also means tool vendors can immediately identify the queries they need to incorporate into their proprietary tools by the CVE or the CAN, and software vendors can include the OVAL-ID number along with the CVE or CAN in their product alerts. Tool and software vendors are also encouraged to submit draft queries for their own products and services.
MITRE's Role

MITRE developed the OVAL concept, created the OVAL Board, maintains OVAL with assistance from the Board, moderates the OVAL Community Forum Email List, manages the evolution of all OVAL queries and the ongoing work of the OVAL Web site, and provides neutral guidance throughout the process to ensure that OVAL serves the public interest.

In partnership with government clients, The MITRE Corporation (MITRE) is a not-for-profit corporation working in the public interest. It addresses issues of critical national importance, combining systems engineering and information technology to develop innovative solutions that make a difference. MITRE's work is focused within three Federally Funded Research and Development Centers (FFRDCs). One FFRDC performs systems engineering and integration work for Department of Defense C3I. A second performs systems research and development work for the Federal Aviation Administration and other civil aviation authorities. The third FFRDC provides strategic, technical, and program management advice to the Internal Revenue Service and the Treasury Department. In accordance with its mission, MITRE has traditionally acted in the public interest. Its unique role allows it to provide an objective perspective to this community effort. MITRE will maintain OVAL as long as it serves the community to do so.

Summary of OVAL Benefits

- A simple and straightforward way to determine if a vulnerability exists on a given system
- A standard, common schema of security-relevant configuration information
- For each CVE entry, one or more SQL queries that precisely demonstrate that the vulnerability exists
- Reduces the need for disclosure of exploit code as an assessment tool
- An open alternative to closed, proprietary, and replicated efforts
- A community effort of security experts, system administrators, software developers, and other experts
- Freely available vulnerability content for public review, comment, or download from the Internet
- Industry-endorsed via the OVAL Board and OVAL Community Forum

Conclusion

The OVAL effort will continue to grow as organizations adopt tools that use OVAL and encourage their vendors to incorporate OVAL into their products and services. Ongoing community participation in query development is also important. System administrators, software vendors, security analysts, developers, and other members of the information security community are encouraged to join the OVAL Community Forum at http://oval.mitre.org/community/forum/ to submit new queries, as well as to discuss and debate the queries currently posted on the OVAL Web site (http://oval.mitre.org).

© 2003 The MITRE Corporation. All rights reserved.