MILE Working Group                                           D. Miyamoto
Internet-Draft                                                    UTokyo
Intended status: Experimental                               T. Takahashi
Expires: August 16, 2014                                            NICT
                                                       February 12, 2014


   Knowledge obtained from the implementation experience of an IODEF-
              capable incident response management system
                 draft-daisuke-iodef-experiment-00.txt

Abstract

   This document explains our observation on the usability of IODEF
   [RFC5070], based on our experiments.  We aim at developing an IODEF-
   capable incident response management systems in order to facilitate
   incident response activities.  We started to design and implement the
   system for our university CERT, however, there are several technical
   issues while implementing and operating the system.  This document
   shares the observation from our proto-type implementation and
   provides new sight from operational aspects.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 16, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Miyamoto & Takahashi     Expires August 16, 2014                [Page 1]


Internet-DraftKnowledge obtained from the implementation exFebruary 2014


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Implementation  . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Operational Issues  . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  type attribute @ Impact class . . . . . . . . . . . . . .   5
     4.2.  category attribute @ NodeRole Class . . . . . . . . . . .   5
     4.3.  action attribute @ Expectation Class  . . . . . . . . . .   5
     4.4.  Potential information leakage . . . . . . . . . . . . . .   5
     4.5.  Configuration of Nodes  . . . . . . . . . . . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   7.  Conclusions . . . . . . . . . . . . . . . . . . . . . . . . .   6
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   The number of incidents in cyber society is growing day by day.
   Incident information needs to be reported, exchanged, and shared
   among organizations in order to cope with the situation.  IODEF
   provides a scheme to describe and exchange incident response
   information among interested parties.

   For our university CERT, we decided to introduce an IODEF-capable
   incident response management system to facilitate incident response
   activities.  Our university has two types of CERT, namely, a central
   CERT and divisional CERTs.  The former is a contact point for
   external organizations, and the latter is a CERT for each division in
   the university.  When the central CERT receives such information, it
   notifies the information to the corresponding divisional CERT who has
   an accountability for decision and actions.

   Our old system employed emails for exchanging the information between
   the central and divisional CERTS, however, we started to employ
   machine-readable message in regard to the growing demand for
   automated incident response systems.  For doing so, we attempted to
   implement an IODEF-capable incident response management system.



Miyamoto & Takahashi     Expires August 16, 2014                [Page 2]


Internet-DraftKnowledge obtained from the implementation exFebruary 2014


   In our implementation, we encountered problems while dealing with XML
   schema.  To save the development cost, we employed code generators
   that build class libraries for accessing values in IODEF elements.
   Due to the complexity of IODEF message format defined in [RFC5070],
   some code generators could not understand its schema.

   We also found some operational problems as well as the implementation
   problem.  Most of the problems were on the choice of values for IODEF
   attributes and/or elemens.

   This draft provides how we evade the implementation problem, and
   explores the suitable value for XML element in regard to the
   incidents.

2.  Terminology

   The terminology used in this document follows the one defined in
   [RFC5070].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Implementation

   Since a code generator for XSD automatically develops useful
   libraries for accessing XML attributes and/or composing messages, we
   tested following generators to build the libraries from RFC 5070
   [RFC5070] .

   o  XML::Pastor [XSD:Perl] (Perl)

   o  RXSD [XSD:Ruby] (Ruby)

   o  PyXB [XSD:Python] (Python)

   o  JAXB [XSD:Java] (Java)

   o  CodeSynthesis XSD [XSD:Cxx] (C++)

   o  Xsd.exe [XSD:CS] (C#)

   We thought we can use them to generate IODEF, but they cannot be
   easily used.  For instance, we have used XML::Pastor, but it could
   not properly understand its schema due to the complexity of IODEF
   XSD.  The same applies to RXSD and JAXB.  Only PyXB, CodeSynthesis
   XSD and Xsd.exe were able to understand the schema.




Miyamoto & Takahashi     Expires August 16, 2014                [Page 3]


Internet-DraftKnowledge obtained from the implementation exFebruary 2014


   To cope with the situation, we have made a trick, which is not
   recommended, but is one option to go through the situation.  That is,
   "XSD2XML2XSD", which means that XSD is converted to XML, and it is
   again converted to XSD.  The resultant XSD was process-able by the
   all tools above.

   Nevertheless, the generated module was unworkable.  This is due to
   the fact that IODEF uses '-' (hyphen) symbols in its classes or
   attributes, listed as follows.

   o  IODEF-Document Class; it is the top level class in the IODEF data
      model described in section 3.1 of [RFC5070].

   o  The vlan-name and vlan-num Attribute; according to section 3.16.2
      of [RFC5070], they are the name and number of Virtual LAN and are
      the attributes for Address class.

   o  Extending the Enumerated Values of Attribute; according to section
      5.1 of [RFC5070], it is a extension techniques to add new
      enumerated values to an attribute, and has a prefix of "ext-",
      e.g., ext-value, ext-category, ext-type, and so on.

   According to the language specification, Perl classes and/or
   functions could not contain '-' symbols in their names.  We replaced
   hyphens with '_' (underscore) symbols to evade this issue.  Before
   outputting an IODEF format message, our system must manually replace
   these renamed characters in its serialization process.

   Aside from the case of Perl, other language tend to evade using any
   hyphens in its name space.  PyXB and CodeSynthesis XSD automatically
   replaced hyphen with underscore symbols, and JAXB and Xsd.exe simply
   removed hyphens.  These tools also might output an exact IODEF
   message format through their serialization process.  RXSD was similar
   to JAXB and Xsd.exe, replaced with hyphens automatically, but did not
   support converting the renamed characters for outputting.

4.  Operational Issues

   This section explains some pitfalls while assigning values for IODEF-
   based XML elements.  Mainly, our central CERT notifies the incident
   information to the issued divisional CERT, and the divisional CERT
   reports the results of forensics.  Based on this situation, we found
   several cases that we were not sure about which attributes should be
   chosen.







Miyamoto & Takahashi     Expires August 16, 2014                [Page 4]


Internet-DraftKnowledge obtained from the implementation exFebruary 2014


4.1.  type attribute @ Impact class

   Various incident classification exist.  For instance, JPCERT proposes
   the following classification: phishing site, page hijack, malware
   propagation, scan, DoS/DDoS, and control systems.  Nevertheless, it
   is hard to fit them into the type attribute of theimpact class.

   For example, phishing site, scan, and DoS/DDoS might be mapped as
   "social-engineering", "recon", and "dos" attributes in respectively.
   In the rest of cases, what the type of the attribute should we
   choose?

4.2.  category attribute @ NodeRole Class

   IODEF has category attribute for NodeRole class.  Though various
   categories are described, they are not enough.  For instance, we
   sometime report the category of "proxy server" in our daily CERT
   operation, but which one am we supposed to choose?  How about web
   mail?  Should we choose "www"? or "mail"?

4.3.  action attribute @ Expectation Class

   Assuming if the notifier sends a message with expecting to forensic
   for the issues, and the reporter answers the result of their
   forensics.  In such cases, the notifiers would choose
   "investigation", but what types of action attribute should the
   reporter choose?  Should the reporter choose "nothing" ?

   When a notifier sends IODEF document, the report wishes to confirm it
   without asking any further actions.  Then what values shall we
   choose?

4.4.  Potential information leakage

   The numbering of Incident ID needs to be considered.  Otherwise,
   information, such as the number of incidents within certain period
   could be observed by document receivers.  For instance, we could
   randomize the assignment of the numbers.

4.5.  Configuration of Nodes

   Node class can describe various information of the system, but the
   level of information granularity there is not defined.  It could be
   that very detailed information is needed, or it could be the
   opposite.  It has the field of the software id and configid, but the
   formats for them are not specifically defined.





Miyamoto & Takahashi     Expires August 16, 2014                [Page 5]


Internet-DraftKnowledge obtained from the implementation exFebruary 2014


   It is natural to guess that we cannot define single, common level of
   information granularity.  Depending on situation and operation, the
   needed level of information granularity differs.

   Thus one approach is using IODEF-SCI, which can choose arbitrary
   schema to describe the details of such information.

5.  Security Considerations

   This document raises no security issues itself.  The potential
   security issues are the vulnerabilities in the class libraries
   constructed by code generators.

6.  IANA Considerations

   This document contains no considerations for IANA.

7.  Conclusions

   The document explains the implemetation issue, the problems raised
   from code generation, and the operational issue, the problems while
   choosing the value in XML elements for IODEF format messages.

8.  Acknowledgements

   Many thanks for feedback from Tomohiro Ishihara for his comments.
   This work is materially supported by the Ministry of Internal Affairs
   and Communication, Japan, and by the European Union Seventh Framework
   Programme (FP7/2007-2013) under grant agreement No. 608533 (NECOMA).

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

9.2.  Informative References

   [XSD:Perl]
              Ulsoy, A., "XML::Pastor",
              <http://search.cpan.org/~aulusoy/XML-Pastor-1.0.4/>.





Miyamoto & Takahashi     Expires August 16, 2014                [Page 6]


Internet-DraftKnowledge obtained from the implementation exFebruary 2014


   [XSD:Ruby]
              Morsi, M., "RXSD - XSD / Ruby Translator", <https://
              github.com/movitto/RXSD>.

   [XSD:Python]
              Bigot, P., "PyXB: Python XML Schema Bindings", <https://
              pypi.python.org/pypi/PyXB>.

   [XSD:Java]
              Project Kenai, "JAXB Reference Implementation", <https://
              jaxb.java.net/>.

   [XSD:Cxx]  CodeSynthesis, "XSD - XML Data Binding for C++",
              <http://www.codesynthesis.com/>.

   [XSD:CS]   Microsoft, "XML Schema Definition Tool (Xsd.exe)",
              <http://www.codesynthesis.com/>.

Authors' Addresses

   Daisuke Miyamoto
   The University of Tokyo
   2-11-16 Yayoi Bunkyo-Ku
   113-8658 Tokyo
   Japan

   Phone: +80 3 5841 0836
   Email: daisu-mi@nc.u-tokyo.ac.jp


   Takeshi Takahashi
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi Koganei
   184-8795 Tokyo
   Japan

   Phone: +80 423 27 5862
   Email: takeshi_takahashi@nict.go.jp













Miyamoto & Takahashi     Expires August 16, 2014                [Page 7]