Description
Background
UCO currently has very limited expressive capabilities for characterizing information around software.
There is a need for some basic capabilities around software contextualization.
There are currently 10 observable object classes (Software, Application, Library, OperatingSystem, Process, ProcessThread, WindowsThread, WindowsTask, Service, WindowsService) defined for characterizing various types of software independent of any context. These are also currently just peers without any explicit semantic hierarchy identifying them as software. These existing software classes should be normalized as subclasses of Software and a small number added relevant to software contextualization.
There is also a very limited expressive capability defined within the Tool namespace to characterize limited information about the build of a software tool. Several of these structures within the Tool namespace duplicate structures already defined elsewhere.
This significant overlap in the Tool namespace has been an issue needing resolution for a long time. This seems like an opportune time to address it as part of cleaning up and extending UCO capabilities for characterizing contextual details around software.
UCO does not currently contain any action subclasses relevant to software contextualization beyond the general Action class. There is a need for at least a basic set of common action subclasses in support of clear and consistent software contextualization.
UCO does not currently provide expressive capability for characterizing details of software build activities or results. There is a need for at least an initial basic set of capabilities in this area to express software build actions and to express details of an actual software build.
UCO does not currently provide expressive capability for characterizing details of software configuration activities or results (or the configuration of other relevant concepts as described below) beyond the general Configuration class. There is a need for at least an initial basic set of capabilities in this area to explicitly express software configuration actions and to express details of an actual software configuration.
UCO does not currently provide expressive capability for characterizing details of software environments where software can contextually exist and operate. There is a need for at least an initial basic set of capabilities in this area to explicitly express environments, their characterization, and their configuration.
UCO does not currently provide expressive capability for characterizing details of cyber infrastructures that can support deployment and operation of software environments where software can contextually exist and operate. There is a need for at least an initial basic set of capabilities in this area to explicitly express infrastructures, their characterization, their configuration, and their management.
There is a need within at least the adversary engagement, the cyber threat intelligence, supply chain modeling, and the security operations application domains for the ability to express details about cyber infrastructures and physical infrastructures.
UCO does not currently provide expressive capability for characterizing details of software deployment activities and results. This is also true of deployment at a more general level of ObservableObjects. There is a need for at least an initial basic set of capabilities in this area to express software deployment actions and to express details of an actual software deployment.
The addition of these expressive capabilities for environments, infrastructures, build, configuration, and deployment, as well as explicit clarity and consistency on software contextualization actions and objects, is necessary for a wide range of software-related use cases across application domains including security operations, cyber investigation, cyber threat intelligence, adversary engagement, security assurance, supply chain modeling, bills of materials, etc.
In the diagrams throughout this Change Proposal blue colored bubbles are new classes, solid arrow connectors are properties, and dashed arrow connectors are simple proxies for Relationship objects.
An extremely simple overview of how adding basic support for software build, configuration, deployment, environment, and infrastructure could hang together is provided here. Further detail for each of these areas will be provided in the Solution suggestion areas below.
Requirements
Requirement 1
Ability to characterize common actions related to software
At a minimum this should include Alert, Beacon, Build, Configure, Deploy, Evaluate, Execute, Manage, Plan, Implement, Respond, and Obfuscate.
Requirement 2
Ability to characterize different types of software objects
At a minimum this should include Software, Code, Application, Script, Library, Package, Process, Compiler, BuildUtility, SoftwareBuild, OperatingSystem, and ServicePack.
Requirement 3
Ability to characterize action of building software
Requirement 4
Ability to characterize a specific software build
Requirement 5
Ability to characterize common types of configurations.
At a minimum this should include ObservableObjectConfiguration, SoftwareConfiguration, EnvironmentConfiguration, SoftwareEnvironmentConfiguration, InfrastructureConfiguration, CyberInfrastructureConfiguration, and DeploymentConfiguration.
Requirement 6
Ability to characterize action of configuring an ObservableObject
Requirement 6.1
Ability to characterize action of configuring Software
Requirement 6.1.1
Ability to characterize action of reconfiguring deployed Software
Requirement 7
Ability to characterize that an ObservableObject has a particular configuration
Requirement 7.1
Ability to characterize that a Software has a particular configuration
Requirement 8
Ability to characterize an environment where something exists or operates
Requirement 8.1
Ability to characterize an environment where a Software exists or operates
Requirement 8.2
Ability to characterize environment prerequisites for a Software to exist or operate
Requirement 9
Ability to characterize an infrastructure that supports something existing or operating
Requirement 9.1
Ability to characterize a physical infrastructure that supports something existing or operating
Requirement 9.2
Ability to characterize a cyber infrastructure that supports something existing or operating
Requirement 9.3
Ability to characterize infrastructure prerequisites for supporting something to exist or operate
Requirement 10
Ability to characterize common infrastructure management actions (deploy, configure, start, stop, etc.)
Requirement 11
Ability to characterize the action of deploying an ObservableObject
Requirement 11.1
Ability to characterize the action of deploying a Software
Requirement 11.1.1
Ability to characterize the action of deploying a Software with a particular configuration
Requirement 11.1.2
Ability to characterize the action of deploying a Software to a software environment
Requirement 11.1.3
Ability to characterize the action of deploying a Software on a cyber infrastructure
Requirement 11.1.4
Ability to characterize the action of deploying a Software using particular instruments
Requirement 11.2
Ability to characterize the action of deploying an observable object.
This is indirectly related to software contextualization but is needed by application domains including adversary engagement, security operations, and cyber threat intelligence. It leverages the same fundamental concepts and mechanisms covered here for software contextualization and so should be addressed as part of the same overall CP.
Requirement 12
Ability to characterize a specific deployment
Requirement 13
Ability to characterize tools in a consistent and non-duplicative manner
Risk / Benefit analysis
Benefits
- Clarity and consistency of different forms of software observable objects
- Clarity and consistency of different types of software contextualization actions
- Cleanup of duplicative and confusing Tool namespace
- Ability to characterize software within its broader context
- How it was/is/could be built
- How it was/is/could be configured
- How and where it was/is/could be deployed including relevant environments and infrastructures
- Very significantly enriches the ability to express details around software
Risks
- Any implementations currently leveraging the Tool class will need to be updated
Solution suggestion
Addressing requirements (illustrations)
Requirement 1
Ability to characterize common actions related to software
At a minimum this should include Alert, Beacon, Build, Configure, Deploy, Evaluate, Execute, Manage, Plan, Implement, Respond, and Obfuscate.
Optimally, it should include the set of specific actions in blue in the below diagram.
Requirement 2
Ability to characterize different types of software objects
At a minimum this should include Software, Code, Application, Script, Library, Package, Process, Compiler, BuildUtility, SoftwareBuild, OperatingSystem, and ServicePack.
Requirement 3 and Requirement 4
Ability to characterize action of building software
Ability to characterize a specific software build
Requirement 5
Ability to characterize common types of configurations.
At a minimum this should include ObservableObjectConfiguration, SoftwareConfiguration, EnvironmentConfiguration, SoftwareEnvironmentConfiguration, InfrastructureConfiguration, CyberInfrastructureConfiguration, and DeploymentConfiguration.
Requirement 6 and Requirement 7
Ability to characterize action of configuring an ObservableObject
Ability to characterize action of configuring Software
Ability to characterize that an ObservableObject has a particular configuration
Ability to characterize that a Software has a particular configuration
Requirement 6.1.1
Ability to characterize action of reconfiguring deployed Software
Requirement 8
Ability to characterize an environment where something exists or operates
Ability to characterize an environment where a Software exists or operates
Requirement 8.2 and Requirement 9.3
Ability to characterize environment prerequisites for a Software to exist or operate
Ability to characterize infrastructure prerequisites for supporting something to exist or operate
Requirement 9
Ability to characterize an infrastructure that supports something existing or operating
Ability to characterize a physical infrastructure that supports something existing or operating
Ability to characterize a cyber infrastructure that supports something existing or operating
Requirement 10
Ability to characterize common infrastructure management actions (deploy, configure, start, stop, etc.)
Requirement 11
Ability to characterize the action of deploying an ObservableObject
Requirement 11.1
Ability to characterize the action of deploying a Software
Ability to characterize the action of deploying a Software with a particular configuration
Ability to characterize the action of deploying a Software to a software environment
Ability to characterize the action of deploying a Software on a cyber infrastructure
Ability to characterize the action of deploying a Software using particular instruments
Requirement 11.2
Ability to characterize the action of deploying an observable object.
This is indirectly related to software contextualization but is needed by application domains including adversary engagement, security operations, and cyber threat intelligence. It leverages the same fundamental concepts and mechanisms covered here for software contextualization and so should be addressed as part of the same overall CP.
The orange bubbles in the below diagram are classes defined within the Adversary Engagement Ontology.
Requirement 12
Ability to characterize a specific deployment
Requirement 13
Ability to characterize tools in a consistent and non-duplicative manner
Explicit proposed changes
Action namespace
- Add subclasses of Action for the following
- Plan
- Implement
- Respond
- Obfuscate
Observable namespace
- Add subclasses of ObservableAction for the following
- Alert
- Beacon
- Build
- Configure
- ConfigureSoftware
- ConfigureEnvironment
- ConfigureInfrastructure
- ConfigureCyberInfrastructure
- SetConfigurationEntry
- SetEnvironmentConfigurationEntry
- SetCyberEnvironmentConfigurationEntry
- Deploy
- DeploySoftware
- RollbackSoftwareDeployment
- DeployInfrastructure
- DeployCyberInfrastructure
- DeployArtifact
- Evaluate
- VerifySoftwareDeployment
- Execute
- ExecuteSoftware
- ExecuteScript
- ExecuteSoftwareDeploymentScript
- Manage
- ManageSoftware
- ManageEnvironment
- ManageInfrastructure
- StartCyberInfrastructure
- StopCyberInfrastructure
- Add the following properties with relevant property shapes on Configure
- toConfiguration: Configuration (0..many)
- Add the following properties with relevant property shapes on Deploy
- targetEnvironment: Environment (0..many)
- targetInfrastructure: Infrastructure (0..many)
- Add subclasses of Software for the following
- Script
- DeploymentScript
- Package
- Compiler
- BuildUtility
- SoftwareBuild
- ServicePack
- Add subclasses of Process for the following
- Task
- LinuxTask
- Service
- Modify WindowsTask to be a subclass of Task rather than ObservableObject
- Modify WindowsService to be a subclass of Service rather than ObservableObject
- Modify the following to be subclasses of Software rather than ObservableObject
- Code
- Application
- Library
- Process
- OperatingSystem
- Modify ProcessThread to be a subclass of Process rather than ObservableObject
- Add property shape for 'version' to DeviceFacet
- Add SoftwareBuildFacet
- Add the following properties with relevant property shapes on SoftwareBuildFacet
- buildOutputLog: String (0..1)
- buildProject: String (0..1)
- compilationDate: DateTime (0..1)
- buildScript: Script (0..1)
- buildUtility: BuildUtility (0..many)
- compiler: Compiler (0..many)
- library: Library (0..many)
- package: Package (0..many)
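As an added illustration (not text from this proposal and not code from the UCO repository), the Observable-namespace changes listed above can be written out in the OWL/SHACL style UCO uses, with the SoftwareBuildFacet property shapes following the cardinalities given in the list (0..1 becomes `sh:maxCount 1`; 0..many carries no maxCount). The `uco/core` and `uco/observable` namespace IRIs are UCO's published ones. Modelling `DeploymentScript` as a subclass of `Script` is an assumption about the intended nesting of the list.

```turtle
@prefix core: <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix observable: <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

# Existing classes re-parented under Software (proposed change).
observable:Code            a owl:Class ; rdfs:subClassOf observable:Software .
observable:Application     a owl:Class ; rdfs:subClassOf observable:Software .
observable:Library         a owl:Class ; rdfs:subClassOf observable:Software .
observable:Process         a owl:Class ; rdfs:subClassOf observable:Software .
observable:OperatingSystem a owl:Class ; rdfs:subClassOf observable:Software .

# New Software subclasses (proposed).
observable:Script           a owl:Class ; rdfs:subClassOf observable:Software .
observable:DeploymentScript a owl:Class ; rdfs:subClassOf observable:Script .  # nesting assumed
observable:Package          a owl:Class ; rdfs:subClassOf observable:Software .
observable:Compiler         a owl:Class ; rdfs:subClassOf observable:Software .
observable:BuildUtility     a owl:Class ; rdfs:subClassOf observable:Software .
observable:SoftwareBuild    a owl:Class ; rdfs:subClassOf observable:Software .
observable:ServicePack      a owl:Class ; rdfs:subClassOf observable:Software .

# Process hierarchy (proposed): threads, services and tasks become kinds of Process.
observable:ProcessThread  rdfs:subClassOf observable:Process .
observable:Service        a owl:Class ; rdfs:subClassOf observable:Process .
observable:Task           a owl:Class ; rdfs:subClassOf observable:Process .
observable:LinuxTask      a owl:Class ; rdfs:subClassOf observable:Task .
observable:WindowsTask    rdfs:subClassOf observable:Task .
observable:WindowsService rdfs:subClassOf observable:Service .

# New facet carrying build details, with one property shape per listed property.
observable:SoftwareBuildFacet
    a owl:Class , sh:NodeShape ;
    rdfs:subClassOf core:Facet ;
    sh:targetClass observable:SoftwareBuildFacet ;
    sh:property
        [ sh:path observable:buildOutputLog ; sh:datatype xsd:string   ; sh:maxCount 1 ] ,
        [ sh:path observable:buildProject   ; sh:datatype xsd:string   ; sh:maxCount 1 ] ,
        [ sh:path observable:compilationDate ; sh:datatype xsd:dateTime ; sh:maxCount 1 ] ,
        [ sh:path observable:buildScript    ; sh:class observable:Script ; sh:maxCount 1 ] ,
        [ sh:path observable:buildUtility   ; sh:class observable:BuildUtility ] ,
        [ sh:path observable:compiler       ; sh:class observable:Compiler ] ,
        [ sh:path observable:library        ; sh:class observable:Library ] ,
        [ sh:path observable:package        ; sh:class observable:Package ] .
```

Declaring the facet as both `owl:Class` and `sh:NodeShape` with `sh:targetClass` pointing at itself is the pattern UCO already uses for its facets, so a SHACL validator applied to instance data would flag, for example, a second `compilationDate` or a `compiler` value that is not typed as `observable:Compiler`.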
Configuration namespace
- Add subclasses of Configuration for the following
- ObservableObjectConfiguration
- SoftwareConfiguration
- ServiceConfiguration
- EnvironmentConfiguration
- SoftwareEnvironmentConfiguration
- InfrastructureConfiguration
- CyberInfrastructureConfiguration
- DeploymentConfiguration
Environment namespace
- Add new Environment namespace
- Add new Environment class as subclass of UcoObject
- Add new SoftwareEnvironment subclass of Environment
- Add the following properties with relevant property shapes on Environment
- hasCharacterization: UcoObject (0..many)
Infrastructure namespace
- Add new Infrastructure namespace
- Add new Infrastructure class as subclass of UcoObject
- Add new CyberInfrastructure subclass of Infrastructure
- Add new PhysicalInfrastructure subclass of Infrastructure
Deployment namespace
- Add new Deployment namespace
- Add new Deployment class as subclass of UcoObject
- Add new SoftwareDeployment subclass of Deployment
- Add new ArtifactDeployment as subclass of Deployment
- Add the following properties with relevant property shapes on Deployment
- deploymentAction: Deploy (0..1)
- deploymentObject: ObservableObject (0..many)
- deploymentContext: UcoObject (0..many)
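The following is an added instance-level example, not part of the proposal text or the UCO repository, showing how the Deploy action properties and the Deployment class proposed above would fit together for one software deployment. The `uco/action`, `uco/core`, `uco/observable` and `uco/configuration` namespace IRIs are UCO's published ones; the `environment`, `infrastructure` and `deployment` namespace IRIs follow the same pattern but are assumptions, since the namespaces do not yet exist. `targetEnvironment` and `targetInfrastructure` are placed in the observable namespace because `Deploy` is; that placement is also an assumption. All `kb:` individuals and literal values are constructed.

```turtle
@prefix action:         <https://ontology.unifiedcyberontology.org/uco/action/> .
@prefix configuration:  <https://ontology.unifiedcyberontology.org/uco/configuration/> .
@prefix core:           <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix observable:     <https://ontology.unifiedcyberontology.org/uco/observable/> .
# Proposed namespaces; IRIs assumed for this example.
@prefix deployment:     <https://ontology.unifiedcyberontology.org/uco/deployment/> .
@prefix environment:    <https://ontology.unifiedcyberontology.org/uco/environment/> .
@prefix infrastructure: <https://ontology.unifiedcyberontology.org/uco/infrastructure/> .
@prefix kb:             <http://example.org/kb/> .
@prefix xsd:            <http://www.w3.org/2001/XMLSchema#> .

# The software being deployed (constructed instance).
kb:agent-sw-1 a observable:Software ;
    core:name "endpoint-agent" ;
    core:hasFacet [ a observable:SoftwareFacet ; observable:version "2.4.1" ] .

# Where it will run: a software environment characterized by its OS,
# hosted on a cyber infrastructure.
kb:linux-host-os a observable:OperatingSystem .
kb:prod-env-1 a environment:SoftwareEnvironment ;
    environment:hasCharacterization kb:linux-host-os .
kb:prod-infra-1 a infrastructure:CyberInfrastructure .

# The configuration applied at deployment time and the script used to do it.
kb:deploy-config-1 a configuration:DeploymentConfiguration .
kb:deploy-script-1 a observable:DeploymentScript .

# The deployment action (DeploySoftware is one of the proposed ObservableAction
# subclasses). action:object / action:instrument / action:result are existing
# UCO action properties; the two target* properties are the ones proposed here.
kb:deploy-action-1 a observable:DeploySoftware ;
    action:object kb:agent-sw-1 ;
    action:instrument kb:deploy-script-1 ;
    observable:targetEnvironment kb:prod-env-1 ;
    observable:targetInfrastructure kb:prod-infra-1 ;
    action:result kb:deployment-1 .

# The Deployment object ties the action, what was deployed, and its context.
kb:deployment-1 a deployment:SoftwareDeployment ;
    deployment:deploymentAction kb:deploy-action-1 ;
    deployment:deploymentObject kb:agent-sw-1 ;
    deployment:deploymentContext kb:prod-env-1 , kb:prod-infra-1 , kb:deploy-config-1 .
```

Splitting the action (what was done, with which instrument, against which target) from the Deployment (the resulting state, with its environment, infrastructure and configuration as context) is what lets a later `RollbackSoftwareDeployment` or `VerifySoftwareDeployment` action reference the deployment as its object without re-stating how it was performed.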
Tool namespace
- Add the following properties with relevant property shapes on Tool
- hasCharacterization: ObservableObject (0..many)
- Remove the following properties and their related property shapes
- creator
- references
- servicePack
- version
- buildID
- buildLabel
- Remove property shapes for the following properties from BuildInformationType and add relevant property shapes to SoftwareBuildFacet
- buildOutputLog: String (0..many)
- buildProject: String (0..1)
- buildScript: Script (0..1)
- buildUtility: BuildUtility (0..many)
- buildVersion: String (0..1)
- compilationDate: DateTime (0..1)
- compilers: Compiler (0..many)
- libraries: Library (0..many)
- Add the following properties with relevant property shapes on SoftwareBuildFacet
- package: Package (0..many)
- Remove BuildInformationType
- Remove the following properties and their related property shapes
- buildUtilityName
- cpeid
- swid
- compilerInformalDescription
- libraryName
- libraryVersion
- Remove BuildUtilityType class
- Remove CompilerType class
- Remove LibraryType class
Proposed changes to the Tool namespace are outlined in the mapping table below.
| Old Tool content | New Form |
|---|---|
| Tool class | Unchanged except 4 properties removed and 1 property added |
| - creator | REMOVED - Now represented using DeviceFacet/manufacturer or SoftwareFacet/ |
| - references | REMOVED - Now represented using UcoObject/externalReference |
| - servicePack | REMOVED - Now represented using SoftwareFacet/version |
| - toolType | UNCHANGED |
| - version | REMOVED - Now represented using DeviceFacet/model or SoftwareFacet/version |
| (NEW) - hasCharacterization (references the Software or Device that make up the actual tool) | |
| BuildInformationType class | REMOVED |
| - buildConfiguration | REMOVED - Now represented using BuildUtility -> hasConfiguration -> Configuration |
| - buildID | REMOVED - Now represented using SoftwareBuildFacet/externalReference/externalIdentifier |
| - buildLabel | REMOVED - Now represented using SoftwareBuildFacet/tag |
| - buildOutputLog | MOVED - Now represented using SoftwareBuildFacet/buildOutputLog |
| - buildProject | MOVED - Now represented using SoftwareBuildFacet/buildProject |
| - buildScript | MOVED - Now represented using SoftwareBuildFacet/buildScript |
| - buildUtility | MOVED - Now represented using SoftwareBuildFacet/buildUtility |
| - buildVersion | MOVED - Now represented using SoftwareBuildFacet/version |
| - compilationDate | MOVED - Now represented using SoftwareBuildFacet/compilationDate |
| - compilers | MOVED - Now represented using SoftwareBuildFacet/compiler |
| - libraries | MOVED - Now represented using SoftwareBuildFacet/library |
| (NEW) - SoftwareBuildFacet/package | |
| BuildUtilityType class | REMOVED |
| - buildUtilityName | REMOVED - Now represented using BuildUtilityFacet/name |
| - cpeid | REMOVED - Now represented using BuildUtilityFacet/cpeid |
| - swid | REMOVED - Now represented using BuildUtilityFacet/swid |
| CompilerType class | REMOVED |
| - compilerInformalDescription | REMOVED - Now represented using CompilerFacet/description |
| - cpeid | REMOVED - Now represented using CompilerFacet/cpeid |
| - swid | REMOVED - Now represented using CompilerFacet/swid |
| LibraryType class | REMOVED |
| - libraryName | REMOVED - Now represented using LibraryFacet/name |
| - libraryVersion | REMOVED - Now represented using LibraryFacet/version |
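To make the mapping table concrete, here is an added before/after example (not part of the proposal and not code from the UCO repository) describing the same tool in the current Tool-namespace form and in the proposed form. `tool:Tool` and its `creator`, `references`, `servicePack`, `version` and `toolType` properties, `core:hasFacet`, `core:externalReference`/`core:externalIdentifier`, `core:tag`, `observable:SoftwareFacet/version` and `observable:SoftwareFacet/manufacturer` are existing UCO terms. Attaching the old `tool:BuildInformationType` through `tool:BuildFacet`/`tool:buildInformation` is how I recall UCO's tool namespace linking it and should be treated as an assumption; `configuration:hasConfiguration` is the name the table uses and its namespace is assumed. All `kb:` individuals and values are constructed.

```turtle
@prefix configuration: <https://ontology.unifiedcyberontology.org/uco/configuration/> .
@prefix core:          <https://ontology.unifiedcyberontology.org/uco/core/> .
@prefix identity:      <https://ontology.unifiedcyberontology.org/uco/identity/> .
@prefix observable:    <https://ontology.unifiedcyberontology.org/uco/observable/> .
@prefix tool:          <https://ontology.unifiedcyberontology.org/uco/tool/> .
@prefix kb:            <http://example.org/kb/> .
@prefix xsd:           <http://www.w3.org/2001/XMLSchema#> .

kb:vendor-1 a identity:Organization ; core:name "Example Vendor" .

### BEFORE: current Tool namespace (properties the table marks REMOVED/MOVED).
kb:scanner-tool-old a tool:Tool ;
    core:name "scanner" ;
    tool:toolType "Scanner" ;
    tool:creator kb:vendor-1 ;
    tool:references "https://example.org/scanner"^^xsd:anyURI ;
    tool:version "3.2.0" ;
    tool:servicePack "SP1" ;
    core:hasFacet [ a tool:BuildFacet ;                       # linkage assumed
        tool:buildInformation [ a tool:BuildInformationType ;
            tool:buildID "build-4711" ;
            tool:buildLabel "nightly" ;
            tool:buildProject "scanner-ci" ;
            tool:compilationDate "2024-04-30T23:15:00Z"^^xsd:dateTime ;
            tool:compilers [ a tool:CompilerType ;
                tool:compilerInformalDescription "gcc 13.2" ] ;
            tool:libraries [ a tool:LibraryType ;
                tool:libraryName "libcrypto" ; tool:libraryVersion "3.0.13" ] ] ] .

### AFTER: the Tool keeps toolType and points at the Software that realizes it.
kb:scanner-tool a tool:Tool ;
    core:name "scanner" ;
    tool:toolType "Scanner" ;
    tool:hasCharacterization kb:scanner-sw .

# version/creator move to SoftwareFacet; buildID/buildLabel move to
# externalReference/externalIdentifier and tag on the SoftwareBuild itself.
kb:scanner-sw a observable:SoftwareBuild ;
    core:name "scanner" ;
    core:tag "nightly" ;
    core:externalReference [ a core:ExternalReference ;
        core:externalIdentifier "build-4711" ;
        core:referenceURL "https://example.org/scanner"^^xsd:anyURI ] ;
    core:hasFacet
        [ a observable:SoftwareFacet ;
          observable:manufacturer kb:vendor-1 ;
          observable:version "3.2.0" ] ,
        [ a observable:SoftwareBuildFacet ;
          observable:buildProject "scanner-ci" ;
          observable:compilationDate "2024-04-30T23:15:00Z"^^xsd:dateTime ;
          observable:compiler kb:gcc-1 ;
          observable:library kb:libcrypto-1 ;
          observable:buildUtility kb:make-1 ] .

# Compilers and libraries become first-class Software objects with ordinary facets,
# instead of the string-only CompilerType/LibraryType structures.
kb:gcc-1 a observable:Compiler ;
    core:hasFacet [ a observable:SoftwareFacet ; core:name "gcc" ; observable:version "13.2" ] .
kb:libcrypto-1 a observable:Library ;
    core:hasFacet [ a observable:SoftwareFacet ; core:name "libcrypto" ; observable:version "3.0.13" ] .

# buildConfiguration is now expressed as BuildUtility -> hasConfiguration -> Configuration.
kb:make-1 a observable:BuildUtility ;
    configuration:hasConfiguration kb:build-config-1 .
kb:build-config-1 a configuration:Configuration .
```

The practical gain for supply-chain and incident work is in the AFTER form: a compiler or library that appears in a build is the same kind of node as any other observed software, so a vulnerable library version found in a build record can be matched against the same `observable:Library` individuals (by facet values) that appear in process, file or package observations elsewhere in the graph, rather than against free-text `libraryName`/`libraryVersion` strings.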