-
Notifications
You must be signed in to change notification settings - Fork 18
Proposal: Make CybOX Objects Top Level Entities
Status: CLOSED
Comment Period Closes: August 20th, 2015
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/108
Currently, MAEC allows CybOX Objects (defined with the cybox:ObjectType
) to be used in two distinct ways in a MAEC document: they can be defined in place, or used to reference another Object via its ID. While this offers a great deal of flexibility for producers of MAEC content, it also results in several issues, including those relating to the semantics of how Malware Subjects are defined and then referenced. Accordingly, to solve these issues and simplify how Objects are captured and represented in MAEC, we propose making Objects top-level entities - that is, they would only be allowed to be defined in a single location and must be referenced for all other uses.
This proposal is related to the following proposed changes to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-a-concept-and-output-format) https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Collections-Top-Level-Entities https://github.com/MAECProject/schemas/wiki/Proposal:-Rename-Malware_Instance_Object_Attributes-Field https://github.com/MAECProject/schemas/wiki/Proposal:-Refactor-Malware-Actions
The core of this proposal revolves around the replacement of all uses of CybOX Objects in MAEC with Object References, and allow for a single top-level Objects
list in the MAEC Package where the Objects themselves will be defined. Doing so will have the following benefits:
- It will serve as a container for any Objects that have yet to be analyzed or verified as being malware, thus better aligning with the general malware analysis process of first triaging unknown samples and then deciding whether to perform further analysis upon them (i.e., as Malware Subjects).
- It will eliminate any confusion as to when Objects should be defined inline or referenced, since this will now be enforced via the data model. All Objects will be defined in the top-level Objects list of the Package and then referenced elsewhere.
- It will eliminate any ambiguities and issues with Actions that reference Objects used in Malware Subjects. Currently, an Action that operates on a the Object used in a Malware_Subject (for example, if the Action creates the Object used in the Malware_Subject) must reference the Malware_Instance_Object_Attributes of the Malware_Subject (rather than the Malware_Subject directly) via its ID. This is ambiguous because the Action is referencing the Malware_Instance_Object_Attributes rather than another Object, so it's unclear if this should be treated equivalently to referencing an Object or as a special case. Accordingly, with top-level Objects, we'll have the unambiguous Action -> Object reference.
- It will make it easier to extract and manipulate Objects, since they will all be in one place.
The main addition with regards to this change is a new field in the PackageType
of the MAEC Package schema, for capturing all defined CybOX Objects in a MAEC document:
Field | Type | Multiplicity | Description |
---|---|---|---|
Objects | maecCore:ObjectListType |
0-1 | The Objects field captures any defined CybOX Objects that are then referenced elsewhere throughout the MAEC document. |
The following schema types would be modified:
MAEC Package
- In the
MalwareSubjectType
, the type of theInstance_Properties
field would be changed fromcybox:ObjectType
tomaecCore:ObjectReferenceType
. - In the
MinorVariantListType
, the type of theMinor_Variant
field would be changed fromcybox:ObjectType
tomaecCore:ObjectReferenceType
. - In the
MalwareConfigurationStorageDetailsType
, the type of theFile
field would be changed fromFileObj:FileObjectType
tomaecCore:ObjectReferenceType
. Accordingly, the annotation for this field would be updated to state that it MUST reference a File Object. - In the
MalwareConfigurationStorageDetailsType
, the type of theURL
field would be changed fromURIObj:URIObjectType
tomaecCore:ObjectReferenceType
. Accordingly, the annotation for this field would be updated to state that it MUST reference a URI Object. - In the
MalwareDevelopmentEnvironmentType
, the type of theDebugging_File
field would be changed fromFileObj:FileObjectType
tomaecCore:ObjectReferenceType
. Accordingly, the annotation for this field would be updated to state that it MUST reference a File Object.
MAEC Core (formerly MAEC Bundle)
- In the
ActionImplementationType
, the type of theCode
field would be changed fromCodeObj:CodeObjectType
tomaecCore:ObjectReferenceType
. Accordingly, the annotation for this field would be updated to state that it MUST reference a Code Object. - In the
AssociatedCodeType
, the type of theCode_Snippet
field would be changed fromCodeObj:CodeObjectType
tomaecCore:ObjectReferenceType
. Accordingly, the annotation for this field would be updated to state that it MUST reference a Code Object.
Before this change - MAEC 4.1
<MAEC_Package>
<Malware_Subjects>
<Malware_Subject id="malware-subject-1">
<Malware_Instance_Object_Attributes id="inst-1">
<Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>abcd.dll</FileObj:File_Name>
</Properties>
</Malware_Instance_Object_Attributes>
</Malware_Subject>
<Malware_Subject id="malware-subject-2">
<Malware_Instance_Object_Attributes id="inst-2">
<Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>spl0itz.exe</FileObj:File_Name>
</Properties>
</Malware_Instance_Object_Attributes>
</Malware_Subject>
</Malware_Subjects>
</MAEC_Package>
After this change (and the others listed in the related proposals) - MAEC 5.0
<MAEC_Package>
<Malware_Subjects>
<Malware_Subject id="malware-subject-1">
<Instance_Object object_idref="object-1"/>
</Malware_Subject>
<Malware_Subject id="malware-subject-2">
<Instance_Object object_idref="object-2">
</Malware_Subject>
</Malware_Subjects>
<Objects>
<Object id="object-1">
<Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>abcd.dll</FileObj:File_Name>
</Properties>
</Object>
<Object id="object-2">
<Properties xsi:type="FileObj:FileObjectType">
<FileObj:File_Name>spl0itz.exe</FileObj:File_Name>
</Properties>
</Object>
</Objects>
</MAEC_Package>
This change will not be backward compatible and is one of several revisions planned in new major version.
- Should Objects be top-level entities?
- Do the changes to the existing types in the MAEC Package and MAEC Core (formerly MAEC Bundle) schemas make sense?