OVAL: A New Language to Determine the Presence of Software Vulnerabilities
You're the system administrator looking at the most recent reports generated by your vulnerability assessment tools and services, which give you conflicting information. One says there are vulnerabilities present in the system, another says there are not. You know what this means: hours of work tracking down text-based descriptions of the vulnerabilities from other sources such as software and tool vendor alerts, Web sites and databases, and government resources. You will look through all this information, make the best guess possible, and hope it's good enough.
Having been in this position in the past, some MITRE IT experts saw the need for a standardized baseline method for identifying the vulnerabilities within systems—a method that could be incorporated into tools and services and that could be plainly understood by system administrators and other security professionals. "MITRE’s Open Vulnerability Assessment Language (OVAL), created by a collaborative effort of the information security community, does exactly that," says MITRE's OVAL Project Manager, Todd Wittbold. "It uses Structured Query Language (SQL) queries to create 'gold standard' tests that definitively determine the presence of vulnerabilities on end systems."
In an OVAL-enabled process, an OVAL-compliant assessment or scanning tool determines which vulnerabilities exist on a system and issues reports. On the basis of these reports, the system administrator may then obtain software patches and fix information from his or her security assessment tools, vendors, or vulnerability research databases and Web sites, and make the repairs. A Reference Query Interpreter is available now from the OVAL Web site; OVAL-compliant tools will be listed on the site as they become available.
"This process provides a consistent and repeatable approach for vulnerability assessment," says MITRE senior information engineer and OVAL Editor Matthew Wojcik, "leading to a more secure system overall."
Open Vulnerability Assessment Language (OVAL)
"OVAL was developed to be a common language for security experts to use to discuss and agree upon the technical details of how to check for the presence of vulnerabilities on computer systems," says Wojcik. "OVAL queries are used to identify the vulnerabilities on the systems." It is these queries, and the official OVAL Schema, that serve to keep queries consistent and standardized, giving the experts a common language.
Both the OVAL Schema and queries are written in SQL, the industry standard database language that is widely understood by numerous computer professionals. Because they are written in SQL, OVAL queries are machine-readable and can be incorporated into host-based vulnerability assessment computer programs or read in hardcopy or electronic form by information security professionals.
"OVAL queries detect the presence of software vulnerabilities in terms of system characteristics and configuration information," says Wojcik. "By specifying logical conditions on the values of system characteristics and configuration attributes, the queries can characterize exactly which systems are susceptible to a given vulnerability." System characteristics include operating system (OS) installed, settings in the OS, software applications installed, and settings in applications. Configuration attributes include registry key settings, file system attributes, and configuration files.
OVAL queries use the vulnerabilities listed in MITRE's Common Vulnerabilities and Exposures (CVE®), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities developed by MITRE in cooperation with the international security community. For each CVE name, there are one or more OVAL queries. OVAL works with Windows, UNIX, and Linux. Refer to the OVAL Web site for the official OS versions supported.
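As an added illustration (not from the article or the OVAL project), the following Python script expresses one such "logical condition on system characteristics" as a SQL query over a small, constructed characteristics database; the table names, paths, build numbers and the CVE placeholder are all assumptions, not the official OVAL Schema or a real OVAL query.

```python
import sqlite3

# Constructed illustration: a tiny "system characteristics" database and one
# SQL query over it. The table names and the vulnerability condition are
# hypothetical, not the official OVAL Schema or any real OVAL query.
SCHEMA = """
CREATE TABLE os_info  (name TEXT, service_pack INTEGER);
CREATE TABLE files    (path TEXT, build INTEGER);
CREATE TABLE registry (key TEXT, value_name TEXT, value INTEGER);
"""

# Placeholder query for a fictitious CVE (CVE-YYYY-NNNN). The host is
# susceptible only when every condition holds: the affected OS at or below a
# given service pack, the affected library older than the fixed build, and
# the affected service not disabled (a Start value of 4 means disabled).
QUERY = """
SELECT COUNT(*) FROM os_info o, files f, registry r
 WHERE o.name = 'ExampleOS' AND o.service_pack <= 3
   AND f.path = '/opt/example/libexample.so' AND f.build < 6000
   AND r.key = 'Services/ExampleSvc' AND r.value_name = 'Start'
   AND r.value <> 4
"""

def load_host(os_rows, file_rows, registry_rows):
    """Build an in-memory characteristics database for one host."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO os_info VALUES (?, ?)", os_rows)
    conn.executemany("INSERT INTO files VALUES (?, ?)", file_rows)
    conn.executemany("INSERT INTO registry VALUES (?, ?, ?)", registry_rows)
    return conn

def is_vulnerable(conn):
    """Run the query; a non-zero row count means the host matches."""
    (matches,) = conn.execute(QUERY).fetchone()
    return matches > 0

# Constructed sample hosts: one unpatched, one with the library updated.
VULNERABLE_HOST = load_host(
    [("ExampleOS", 3)],
    [("/opt/example/libexample.so", 5999)],
    [("Services/ExampleSvc", "Start", 2)],
)
PATCHED_HOST = load_host(
    [("ExampleOS", 3)],
    [("/opt/example/libexample.so", 6000)],
    [("Services/ExampleSvc", "Start", 2)],
)

if __name__ == "__main__":
    print("unpatched host vulnerable:", is_vulnerable(VULNERABLE_HOST))  # True
    print("patched host vulnerable:", is_vulnerable(PATCHED_HOST))      # False
```

Because the condition is a conjunction, a host that has merely disabled the affected service, or runs a later service pack, is reported as not susceptible, which is the kind of precise, false-positive-reducing determination the article attributes to OVAL queries.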
Improving Vulnerability Assessment with OVAL
For system administrators and other end users, OVAL queries provide a baseline check for performing vulnerability assessments. "Until OVAL," says Wojcik, "consistency in this capability did not exist. The widespread availability of OVAL queries will eventually provide the means for standardized vulnerability assessment. It will also result in consistent and reproducible information assurance metrics from an organization's systems."
OVAL benefits those who produce information security products, as well as those who use them. For operating system and application software vendors, the precise definitions of how to detect vulnerabilities found in OVAL queries eliminate the need for exploit code as an assessment tool. For tool vendors, the tests they implement to check for vulnerabilities are frequently closed and proprietary and are often in procedural code not easily read or understood by customers. "With OVAL," says Wojcik, "their customers can understand the SQL on which queries are based and tools can be easily combined with OVAL language content to provide a baseline capability, resulting in more accurate determinations of vulnerability existence for customers and fewer false positives than what currently exists today."
OVAL's Broad Community Participation
Community participation in OVAL comes through the OVAL Board and the OVAL Community Forum. The Board, which approves the official OVAL Schema and assists in the development of OVAL queries, already includes members from 15 organizations from across the information security community (see the OVAL Web site for a current list). MITRE maintains OVAL and provides impartial technical guidance to the Board on all matters related to the ongoing development of OVAL.
The OVAL Community Forum is a public email list forum hosted and moderated by MITRE. Members can discuss the OVAL Schema, OVAL queries currently in development as well as those already posted on the OVAL Web site, and the information security vulnerabilities themselves that affect query writing. The forum ensures that all OVAL vulnerability content reflects the combined expertise of the broadest possible group of security and system administration professionals.
"We expect that OVAL will evolve in a way similar to CVE, through community involvement: that is, users will encourage their vendors to incorporate OVAL into products and services. The vendors will see that using OVAL improves the value of their products. And so, the OVAL effort will grow as organizations adopt tools that use OVAL and vendors incorporate OVAL into their products and services," says Wojcik. "But ongoing community participation in query development is equally important."
"We encourage system administrators, software vendors, security analysts, and other members of the information security community to join the OVAL Community Forum," concludes Wittbold. "As members of the Community Forum they can actively participate at the ground level of this new community effort by submitting new draft queries and discussing and debating the queries already posted on the OVAL Web site."
—by Bob Roberge
Page last updated: February 12, 2004