Wednesday, August 17, 2005

National Vulnerability Database and how further

Yes, the National Institute of Standards and Technology has created a great new database: the National Vulnerabilities Database. This database has over 20.000 known software vulnerabilities listed for a slew of programs. All the reports are built on the official CVE terminology. This is great, because it gives systemadministrators a known and trusted source on vulnerabilities for most of their software.

Though this is great I do wish we can take this initiative a step further. What I would like to see is a database where peoples home systems could check whether there are (security)updates for their software and hardware. We really really need such a system. I'll try to frame the problem and than I will give you an idea of my solution.

A growing problem in ICT security is that we get more and more intelligent systems connected to networks that one way or another can access the internet. Think of Tivo's, Mediacenters, Axis Network cams, DSL-modems, Wifi access points, Philips Streamium, set top boxes, fridges?? etc. All of these come equipped with their own embedded operating system, webserver for maintenance etc. This makes them very scary from a security point of view. If we're unlucky the software for these systems is buggy and can be exploited by hackers. Don't think it is not possible... Axis Network cams were hacked the moment they were hooked up to the Hacking At Large 2001 network. The trouble is we install these machines in our homenetwork and tend to never look at them again. We might take care of our home PC, but how many people update their ADSL modem or their wireless router? And the really bad thing is, where our pc nowadays notifies us that Windows or OSX needs to be updated, these machines stay always on and always quiet. They are the perfect target for hackers.

My solution is: Have all systems and all software on them register centrally with a local "hackable systems database" (need a cool name) with device name, type, software version and a hash of each of the current installed files . In an office setting this could be at the IT-department, at home this could be the home pc. This way you have a view of what is within your organisation and hooked up to the network. Now the "hackable systems database" could check with a central database and check the information it has on record to known vulnerable files and software versions. This way sysadmins and people at home can know automagically whether or not their systems are vulnerable. This system can also be used by the software and hardware to check whether there might be updates and update themselves automagically.

We're already doing this on one system. Debian apt-get is world renowned for it. Microsoft tries to the same. Now do it for the whole house/company.

  1. A standardized interface for systems and software to report their existence to one or more central systems ( "hackable systems database") on startup and/or when asked.
  2. A standardized interface between the central database and the "hackable systems database"
  3. A central database for software developers and system designers to report their software and subsequent updates to. My idea would be to organize this per economic region, much like the Regional Internet Registries. This way it feels more local to developers, which might help them report their software. NIST and the European Network and Information Security Agency seem like good candidates.
  4. A low barrier to register the software and the updates, but with good security. The system should be free to use, so a good task for governments.
  5. A cool name! TWAIN is already taken... but something like it... people should want it!!
Who should do this?
Industry together with standardization institutions like IETF, NIST, IEEE and security organisations like CERT's and ENISA.

Update: Saw a great presentaton by Michiel de Bruijn who goes into the underlying problem: Everything You Know About Client Security Is Wrong (Or: What It Would Take To Build A Secure OS Your Mother Could Use) He goes into the underlying errors on computer system. Follow the link


file organization said...
This comment has been removed by a blog administrator.
Anonymous said...


I think you're right on, although its interesting to see how the platform leaders (i.e. Microsoft in your scenario and Intel in mine) are only now recognizing the value of the NVD.

Intel, for instance, is working with ISV's to grow the market by offering them the "Intel Certified" badge; think 'Intel Inside' extended to business applications, which include placement on a global software marketplace, etc.

Where did they look to find the most accurate, relevant source of security vulnerabilities? The NVD.
To your point, Rudolph, the NVD software audit is free, which checks either ISV or internal application code for known vulnerabilities:

But to subscribe to the annual security notification service -- and get your application promoted through Intel -- well, that costs extra.

Still, Intel's endorsement is timely and to your point, realizes the NVD's potential.