Skip to content

Proposal: Make CybOX Objects Top Level Entities

Jump to bottom
Ivan Kirillov edited this page Aug 24, 2015 · 6 revisions

Status: CLOSED
Comment Period Closes: August 20th, 2015
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/108

Background Information

Currently, MAEC allows CybOX Objects (defined with the cybox:ObjectType) to be used in two distinct ways in a MAEC document: they can be defined in place, or used to reference another Object via its ID. While this offers a great deal of flexibility for producers of MAEC content, it also results in several issues, including those relating to the semantics of how Malware Subjects are defined and then referenced. Accordingly, to solve these issues and simplify how Objects are captured and represented in MAEC, we propose making Objects top-level entities - that is, they would only be allowed to be defined in a single location and must be referenced for all other uses.

Related Proposals

This proposal is related to the following proposed changes to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-a-concept-and-output-format) https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Collections-Top-Level-Entities https://github.com/MAECProject/schemas/wiki/Proposal:-Rename-Malware_Instance_Object_Attributes-Field https://github.com/MAECProject/schemas/wiki/Proposal:-Refactor-Malware-Actions

Proposal

The core of this proposal revolves around the replacement of all uses of CybOX Objects in MAEC with Object References, and allow for a single top-level Objects list in the MAEC Package where the Objects themselves will be defined. Doing so will have the following benefits:

  • It will serve as a container for any Objects that have yet to be analyzed or verified as being malware, thus better aligning with the general malware analysis process of first triaging unknown samples and then deciding whether to perform further analysis upon them (i.e., as Malware Subjects).
  • It will eliminate any confusion as to when Objects should be defined inline or referenced, since this will now be enforced via the data model. All Objects will be defined in the top-level Objects list of the Package and then referenced elsewhere.
  • It will eliminate any ambiguities and issues with Actions that reference Objects used in Malware Subjects. Currently, an Action that operates on a the Object used in a Malware_Subject (for example, if the Action creates the Object used in the Malware_Subject) must reference the Malware_Instance_Object_Attributes of the Malware_Subject (rather than the Malware_Subject directly) via its ID. This is ambiguous because the Action is referencing the Malware_Instance_Object_Attributes rather than another Object, so it's unclear if this should be treated equivalently to referencing an Object or as a special case. Accordingly, with top-level Objects, we'll have the unambiguous Action -> Object reference.
  • It will make it easier to extract and manipulate Objects, since they will all be in one place.

The main addition with regards to this change is a new field in the PackageType of the MAEC Package schema, for capturing all defined CybOX Objects in a MAEC document:

Field Type Multiplicity Description
Objects maecCore:ObjectListType 0-1 The Objects field captures any defined CybOX Objects that are then referenced elsewhere throughout the MAEC document.

The following schema types would be modified:

MAEC Package

  • In the MalwareSubjectType, the type of the Instance_Properties field would be changed from cybox:ObjectType to maecCore:ObjectReferenceType.
  • In the MinorVariantListType, the type of the Minor_Variant field would be changed from cybox:ObjectType to maecCore:ObjectReferenceType.
  • In the MalwareConfigurationStorageDetailsType, the type of the File field would be changed from FileObj:FileObjectType to maecCore:ObjectReferenceType. Accordingly, the annotation for this field would be updated to state that it MUST reference a File Object.
  • In the MalwareConfigurationStorageDetailsType, the type of the URL field would be changed from URIObj:URIObjectType to maecCore:ObjectReferenceType. Accordingly, the annotation for this field would be updated to state that it MUST reference a URI Object.
  • In the MalwareDevelopmentEnvironmentType, the type of the Debugging_File field would be changed from FileObj:FileObjectType to maecCore:ObjectReferenceType. Accordingly, the annotation for this field would be updated to state that it MUST reference a File Object.

MAEC Core (formerly MAEC Bundle)

  • In the ActionImplementationType, the type of the Code field would be changed from CodeObj:CodeObjectType to maecCore:ObjectReferenceType. Accordingly, the annotation for this field would be updated to state that it MUST reference a Code Object.
  • In the AssociatedCodeType, the type of the Code_Snippet field would be changed from CodeObj:CodeObjectType to maecCore:ObjectReferenceType. Accordingly, the annotation for this field would be updated to state that it MUST reference a Code Object.

Example

Before this change - MAEC 4.1

<MAEC_Package>
  <Malware_Subjects>
    <Malware_Subject id="malware-subject-1">
      <Malware_Instance_Object_Attributes id="inst-1">
        <Properties xsi:type="FileObj:FileObjectType">
          <FileObj:File_Name>abcd.dll</FileObj:File_Name>
        </Properties>
      </Malware_Instance_Object_Attributes>
    </Malware_Subject>

    <Malware_Subject id="malware-subject-2">
      <Malware_Instance_Object_Attributes id="inst-2">
        <Properties xsi:type="FileObj:FileObjectType">
          <FileObj:File_Name>spl0itz.exe</FileObj:File_Name>
        </Properties>
      </Malware_Instance_Object_Attributes>
    </Malware_Subject>
  </Malware_Subjects>
</MAEC_Package>

After this change (and the others listed in the related proposals) - MAEC 5.0

<MAEC_Package>
  <Malware_Subjects>
    <Malware_Subject id="malware-subject-1">
      <Instance_Object object_idref="object-1"/>
    </Malware_Subject>

    <Malware_Subject id="malware-subject-2">
      <Instance_Object object_idref="object-2">
    </Malware_Subject>
  </Malware_Subjects>

  <Objects>
    <Object id="object-1">
      <Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>abcd.dll</FileObj:File_Name>
      </Properties>
    </Object>
    <Object id="object-2">
      <Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>spl0itz.exe</FileObj:File_Name>
      </Properties>
    </Object>
  </Objects>
</MAEC_Package>

Impact

This change will not be backward compatible and is one of several revisions planned in new major version.

Requested Feedback

  1. Should Objects be top-level entities?
  2. Do the changes to the existing types in the MAEC Package and MAEC Core (formerly MAEC Bundle) schemas make sense?
Clone this wiki locally