[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [was] Schema Started
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Mark, hi all... First (again) a remark about document formats used: *please*, please use interoperable formats for your documents and no word-docs. I am getting kind of tired to "antiword" documents on a regular basis. Even though I am personally not so very easy with DocBook, it is one of the more interoperable formats recommended by OASIS and there are even some templates around (cf. http://www.oasis-open.org/spectools/) and so I think we should stick to that. That said, here you go with some thoughts regarding the implementation of some of the requirements: i18n - I saw that you introduced a "naturalLanguage" element in the spec. Based on experience with a multilingual thesaurus project I would say that this doesnt make much sense. For a working, real multilang support, you need to do the following things: - - make each "natural" text element repetitive - - qualify each occurence with a script (e.g. "latn", "hebr") - - qualify each occurence with a natural language code, preferably with ISO 639-2 (three letter lang code) The "script" qualifier is optional and supportive information for the renderer and to support different transcriptions. Generally each "natural" text element should use Unicode only and should be UTF-8 encoded. The mandatory overall encoding thus should be UTF-8. > The basic question I have (for this mail anyway) is what do we want the > overall structure to look like ? Jeff Williams sent an email out a while > back with a proposal for 5 main sections. > > 1 - basic characteristics of the vulnerability > 2 - security characteristics of the vulnerability > 3 - characteristics related to finding the vulnerability > 4 - characteristics related to exploiting the vulnerability > 5 - characteristics related to remedying the vulnerability I think that the usage of differenc "characteristics" makes much sense after all. - From the outlines what needs to be stored there, I derived a generic model for a single characteristic. This allows for uniform description and simplified search criteria upon retrieval. Based upon that I would propose the attached overall structure of a WAS-core entry: A WASDescription consists of generic information that can be indexed and used to search the database directly as well as of a set of characteristics describing the problem. I modelled that into a proposal as a DTD. From that I generated an XML schema using a patched version of dtd2xs 1.60 (cf. http://puvogel.informatik.med.uni-giessen.de/lumrix/) If you compare them, you'll see that the DTD is much better to read. Since a former mail of mine did not yet reach this list, I would like to repeat a part of that: === snip === Lets try to design the overall structure of the schema using a DTD and then transform it to an XML schema later on. This would have the following advantages: - - the DTD is not an optimal, but much more compact description of the overall structure (e.g. the cardinality information consists only of one symbol rather than of a lengty minOccurs, maxOccurs; lists are better to read etc.) so that the description is better to read and easier to modify. I think we will find that the "advanced" features of XML schema are seldom, if at all, used anyway (only for data types which will be mainly strings) - - we can focus first on structure (rough outline, *what* is needed and fine-tuning of cardinality) and then on detailled typisation later on - - there is a *working* application online, where anybody could play around with the latest schema using an editor to create sample entries. These sample entries are made publicly available and can be reviewed by the rest of the TC (and the rest of the world), so the latest schema proposal could be checked easily for practicability. This application is freely available (SF CVS), based upon DTDescription and could be adapted within less than an hour to any new DTD, but it would cost weeks (i.e. one or two man days) to plug an XML schema parser to it. - - turning the "final" DTD into an XML scheme is not much pain (it just means to bloat it to about 300% with tag-style non-information, which could be performed by a DTD2scheme converter, a very simple script or even a handful of vi commands) > XML schema can be daunting at first. To be honest, XML schema remains daunting, and a slick BNF notation or even ASN.1 would be of much more use, but within this scope I accept that we have to create a schema. ;o) === snap === Mark answered to that: "I think that this maybe counter intuitive as to design the extensibility etc I think it would be easier to use a schema (like most things I am a total novice but based on a furious weeks reading) may make more sense. To use object types and to define object types for reuse etc would seem like design goals from day one?" I would rather say that we need a strong structure much more than strong typisation; most of the types we need here are/will be "String" anyway. Having a full-fledged working online application where the current structure could be tested for practicability seems to me a very strong argument too. Kind regards Ingo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (GNU/Linux) iD8DBQE/XxDjhQivkhmqPSQRAsOpAKCPXAfYj2uiCFLXVPvwgf+/2R0sAwCdE7A3 yMDUVFFu4B+32btO+7kGdZw= =XUsR -----END PGP SIGNATURE-----
<!ELEMENT WASDescription (Name, Copyright, ApplicableTo+, Characteristic*)> <!ATTLIST WASDescription id CDATA #REQUIRED version CDATA #REQUIRED released CDATA #REQUIRED updated CDATA #IMPLIED protocol (HTTP | SOAP | WebDAV) #REQUIRED > <!ELEMENT Name (NaturalText*)> <!ELEMENT Copyright (NaturalText*)> <!ELEMENT ApplicableTo (Platform?, WebServer+, ApplicationServer*)> <!ELEMENT Platform (Arch+)> <!ATTLIST Platform os CDATA #REQUIRED > <!ELEMENT Arch (#PCDATA)> <!ELEMENT WebServer (#PCDATA)> <!ELEMENT ApplicationServer (#PCDATA)> <!ELEMENT Characteristic (Description, Reference*, ThesReference*, Code*, Data*, Test*)> <!ATTLIST Characteristic type (basic | security | remedy | test | exploit) #REQUIRED > <!ELEMENT Description (NaturalText*)> <!ELEMENT Reference EMPTY> <!ATTLIST Reference type (tool | database | whitepaper | other) #REQUIRED name CDATA #REQUIRED URL CDATA #REQUIRED > <!ELEMENT ThesReference EMPTY> <!ATTLIST ThesReference thes CDATA #REQUIRED id CDATA #REQUIRED URL CDATA #IMPLIED > <!ELEMENT Code (#PCDATA)> <!ATTLIST Code lang CDATA #REQUIRED > <!ELEMENT Data (#PCDATA)> <!ATTLIST Data encoding (none | base64 | hex) 'none' > <!-- NOTE: the lang / script enums will be somewhat lengthy, the values here are meant as examples --> <!ELEMENT NaturalText (#PCDATA)> <!ATTLIST NaturalText lang (eng | ger | fra | spa) #REQUIRED script (latn | hebr) 'latn' > <!-- maybe the 'core' part should end here; what follows is the the Test element that describes how to test (black-box-test) for the described vulnerability. This is nearly a copy of the VulnXML test parts. --> <!ELEMENT Test (TriggerOn, Variable*, Connection+)> <!ATTLIST Test protocol (HTTP | SOAP | WebDAV) #REQUIRED mayproxy (true | false) 'false' alert (success | failure) #REQUIRED > <!ELEMENT TriggerOn (Match+)> <!ATTLIST TriggerOn event (authority | path | file | manual) #REQUIRED > <!ELEMENT Match (#PCDATA)> <!ATTLIST Match type (exact | regex) 'exact' > <!ELEMENT Variable (Description, Item+)> <!ATTLIST Variable name CDATA #REQUIRED type CDATA #REQUIRED > <!ELEMENT Item (#PCDATA)> <!ATTLIST Item encoding (none | base64) 'none' > <!ELEMENT Connection (Step+)> <!ATTLIST Connection scheme CDATA #REQUIRED host CDATA #REQUIRED port CDATA #REQUIRED > <!ELEMENT Step (Request, Response, TestCriteria+)> <!ATTLIST Step name CDATA #REQUIRED > <!ELEMENT Request (MessageHeader?, MessageBody?)> <!ELEMENT MessageHeader (Method, URI, Version, Header*)> <!ELEMENT Method (#PCDATA)> <!ATTLIST Method encoding (none | base64) 'none' > <!ELEMENT URI (#PCDATA)> <!ATTLIST URI encoding (none | base64) 'none' > <!ELEMENT Version (#PCDATA)> <!ATTLIST Version encoding (none | base64) 'none' > <!ELEMENT Header (Key, Value)> <!ELEMENT Key (#PCDATA)> <!ATTLIST Key encoding (none | base64) 'none'> <!ELEMENT Value (#PCDATA)> <!ATTLIST Value encoding (none | base64) 'none'> <!ELEMENT MessageBody (Separator, Item+)> <!ELEMENT Separator (#PCDATA)> <!ATTLIST Separator encoding (none | base64) 'none' > <!ELEMENT Response (SetVariable+)> <!ELEMENT SetVariable (Description, Source)> <!ATTLIST SetVariable name CDATA #REQUIRED type (string) #REQUIRED > <!ELEMENT Source (#PCDATA)> <!ATTLIST Source source (status | body | header) #REQUIRED > <!ELEMENT TestCriteria (ErrorMessage?, Compare+)> <!ATTLIST TestCriteria type (success | failure) #REQUIRED > <!ELEMENT ErrorMessage (NaturalText*)> <!ELEMENT Compare (Value, Compare*)> <!ATTLIST Compare variable CDATA #REQUIRED test (eq | neq | cont | ncont | gt | lt) #REQUIRED >
<?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="WASDescription"> <xs:complexType> <xs:sequence> <xs:element ref="Name"/> <xs:element ref="Copyright"/> <xs:element maxOccurs="unbounded" ref="ApplicableTo"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Characteristic"/> </xs:sequence> <xs:attribute name="id" type="xs:string" use="required"/> <xs:attribute name="version" type="xs:string" use="required"/> <xs:attribute name="released" type="xs:string" use="required"/> <xs:attribute name="updated" type="xs:string"/> <xs:attribute name="protocol" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="HTTP"/> <xs:enumeration value="SOAP"/> <xs:enumeration value="WebDAV"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="Name"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" minOccurs="0" ref="NaturalText"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Copyright"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" minOccurs="0" ref="NaturalText"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="ApplicableTo"> <xs:complexType> <xs:sequence> <xs:element minOccurs="0" ref="Platform"/> <xs:element maxOccurs="unbounded" ref="WebServer"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="ApplicationServer"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Platform"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" ref="Arch"/> </xs:sequence> <xs:attribute name="os" type="xs:string" use="required"/> </xs:complexType> </xs:element> <xs:element name="Arch"/> <xs:element name="WebServer"/> <xs:element name="ApplicationServer"/> <xs:element name="Characteristic"> <xs:complexType> <xs:sequence> <xs:element ref="Description"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Reference"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="ThesReference"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Code"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Data"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Test"/> </xs:sequence> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="basic"/> <xs:enumeration value="security"/> <xs:enumeration value="remedy"/> <xs:enumeration value="test"/> <xs:enumeration value="exploit"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="Description"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" minOccurs="0" ref="NaturalText"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Reference"> <xs:complexType> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="tool"/> <xs:enumeration value="database"/> <xs:enumeration value="whitepaper"/> <xs:enumeration value="other"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="name" type="xs:string" use="required"/> <xs:attribute name="URL" type="xs:string" use="required"/> </xs:complexType> </xs:element> <xs:element name="ThesReference"> <xs:complexType> <xs:attribute name="thes" type="xs:string" use="required"/> <xs:attribute name="id" type="xs:string" use="required"/> <xs:attribute name="URL" type="xs:string"/> </xs:complexType> </xs:element> <xs:element name="Code"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="lang" type="xs:string" use="required"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Data"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> <xs:enumeration value="hex"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="NaturalText"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="lang" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="eng"/> <xs:enumeration value="ger"/> <xs:enumeration value="fra"/> <xs:enumeration value="spa"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute default="latn" name="script"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="latn"/> <xs:enumeration value="hebr"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Test"> <xs:complexType> <xs:sequence> <xs:element ref="TriggerOn"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Variable"/> <xs:element maxOccurs="unbounded" ref="Connection"/> </xs:sequence> <xs:attribute name="protocol" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="HTTP"/> <xs:enumeration value="SOAP"/> <xs:enumeration value="WebDAV"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute default="false" name="mayproxy"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="true"/> <xs:enumeration value="false"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="alert" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="success"/> <xs:enumeration value="failure"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="TriggerOn"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" ref="Match"/> </xs:sequence> <xs:attribute name="event" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="authority"/> <xs:enumeration value="path"/> <xs:enumeration value="file"/> <xs:enumeration value="manual"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="Match"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="exact" name="type"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="exact"/> <xs:enumeration value="regex"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Variable"> <xs:complexType> <xs:sequence> <xs:element ref="Description"/> <xs:element maxOccurs="unbounded" ref="Item"/> </xs:sequence> <xs:attribute name="name" type="xs:string" use="required"/> <xs:attribute name="type" type="xs:string" use="required"/> </xs:complexType> </xs:element> <xs:element name="Item"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Connection"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" ref="Step"/> </xs:sequence> <xs:attribute name="scheme" type="xs:string" use="required"/> <xs:attribute name="host" type="xs:string" use="required"/> <xs:attribute name="port" type="xs:string" use="required"/> </xs:complexType> </xs:element> <xs:element name="Step"> <xs:complexType> <xs:sequence> <xs:element ref="Request"/> <xs:element ref="Response"/> <xs:element maxOccurs="unbounded" ref="TestCriteria"/> </xs:sequence> <xs:attribute name="name" type="xs:string" use="required"/> </xs:complexType> </xs:element> <xs:element name="Request"> <xs:complexType> <xs:sequence> <xs:element minOccurs="0" ref="MessageHeader"/> <xs:element minOccurs="0" ref="MessageBody"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="MessageHeader"> <xs:complexType> <xs:sequence> <xs:element ref="Method"/> <xs:element ref="URI"/> <xs:element ref="Version"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Header"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Method"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="URI"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Version"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Header"> <xs:complexType> <xs:sequence> <xs:element ref="Key"/> <xs:element ref="Value"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Key"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Value"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="MessageBody"> <xs:complexType> <xs:sequence> <xs:element ref="Separator"/> <xs:element maxOccurs="unbounded" ref="Item"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Separator"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute default="none" name="encoding"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="base64"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Response"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" ref="SetVariable"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="SetVariable"> <xs:complexType> <xs:sequence> <xs:element ref="Description"/> <xs:element ref="Source"/> </xs:sequence> <xs:attribute name="name" type="xs:string" use="required"/> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="string"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="Source"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="source" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="status"/> <xs:enumeration value="body"/> <xs:enumeration value="header"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="TestCriteria"> <xs:complexType> <xs:sequence> <xs:element minOccurs="0" ref="ErrorMessage"/> <xs:element maxOccurs="unbounded" ref="Compare"/> </xs:sequence> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="success"/> <xs:enumeration value="failure"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="ErrorMessage"> <xs:complexType> <xs:sequence> <xs:element maxOccurs="unbounded" minOccurs="0" ref="NaturalText"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Compare"> <xs:complexType> <xs:sequence> <xs:element ref="Value"/> <xs:element maxOccurs="unbounded" minOccurs="0" ref="Compare"/> </xs:sequence> <xs:attribute name="variable" type="xs:string" use="required"/> <xs:attribute name="test" use="required"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value="eq"/> <xs:enumeration value="neq"/> <xs:enumeration value="cont"/> <xs:enumeration value="ncont"/> <xs:enumeration value="gt"/> <xs:enumeration value="lt"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> </xs:schema>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]