the common platform enumeration cpe
play

The Common Platform Enumeration (CPE) September, 2008 David - PowerPoint PPT Presentation

Oct 04, 2023 •286 likes •652 views

The Common Platform Enumeration (CPE) September, 2008 David Waltermire Discussion Points Technical Use Cases CPE Overview Enterprise Use Cases Current Issues Technical Use Cases Identification Matching and Querying

  1. The Common Platform Enumeration (CPE) September, 2008 David Waltermire

  2. Discussion Points • Technical Use Cases • CPE Overview • Enterprise Use Cases • Current Issues

  3. Technical Use Cases • Identification • Matching and Querying • Product inventory

  4. CPE provides a standardized naming scheme for products allowing identification • All applications share a common product vocabulary allowing interoperability • Allows identification of products at a standardized level of granularity • Data can be associated with products by referencing a CPE Name

  5. CPE provides powerful querying capabilities • Allows searching of products based on abstract CPE Name based search criteria • The CPE Language provides matching capabilities using logical groupings of products

  6. CPE provides automation capabilities for asset inventory • Use of inventory definitions provides a technical mechanism for determining the presence of products on an asset • Mappings to/from CPE names allows integration into legacy architectures that do not speak CPE

  7. CPE Overview • CPE Name Format • CPE Name matching and the CPE Language • CPE Dictionary

  8. A CPE name is a special type of URI The URI scheme • Identifies that the URI is a CPE name • The “cpe” scheme has not been registered with IANA The scheme specific part • Uses special syntax specific to CPE • A URI may contain only ASCII characters • Hierarchical by nature • Each component is separated by a colon cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  9. The part component classifies the CPE name Possible values are: h – Hardware o – Operating System a – Application cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  10. The vendor component is the supplier of the product • Each vendor organization has a unique name • Generally represents the highest organization-specific label of the organization’s DNS name • Products developed by individuals outside of an organization can use the creator’s name Organization’s Full Name DNS Domain Vendor Component The National Institute for nist.gov nist Standards and Technology Acme Corporation acme.com acme The Acme Organization acme.org acme.org John Doe john_doe cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  11. The product component is the name of the product • Generally represents the most common and recognizable name for the product • Multi-word names should be spelled out in full, replacing spaces with underscores “_” For example: • application_server • linux_kernel • windows_xp cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  12. The version component is the version of the product • Should be the same format as what is seen within the product and on the system For example: • 5.1 • 2.1.4.254 cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  13. The update component represents a sub-release of a specific product version • Used to represent beta, release candidates and service packs • The “ga”, for general availability, placeholder may be used to represent an initial release without an update specified For example: • ga • beta2 • rc1 • sp3 cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  14. The edition component represents a specific flavor of a product • Often used to represent the target OS/software, architecture, and/or feature set of a product For example: • x86 • x64 • linux_i386 • professional cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  15. The language component indicates a language specific release of a product • Any valid language tag defined by the IETF RFC 4646 • Generally only language and region codes are necessary For example: • en_US – US English • en_GB – UK English • es – Spanish • ja – Japanese • zh - Chinese cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}

  16. Matching is used to determine if two CPE names refer to the same set of products • Applies a recursive algorithm that evaluates the CPE names hierarchical structure • Blank components match any value For example: cpe:/o::linux_kernel:2.6.27::i586 Would match: cpe:/o:kernel.org:linux_kernel:2.6.27:rc6:i586 cpe:/o:fedora:linux_kernel:2.6.27:rc1:i586 cpe:/o:redhat:linux_kernel:2.6.27:ga:i586

  17. The CPE Language allows arbitrary logical groupings of CPE names to be evaluated using the matching algorithm • Defines a collection of products • Uses CPE name matching for evaluation For example: <cpe:platform id=“abc123”> <cpe:title>Microsoft Windows XP SP3 x64 Edition, US English release AND Microsoft Internet Explorer 7.0 Beta 3</cpe:title> <cpe:logical-test operator=“AND” negate=“FALSE”> <cpe:fact-ref name=“cpe:/o:microsoft:windows_xp::sp3” /> <cpe:fact-ref name=“cpe:/a:microsoft:ie:7.0 </cpe:logical-test> </cpe:platform> Would match the set of products: cpe:/o:microsoft:windows_xp::sp3:x64:en_US cpe:/a:microsoft:ie:7.0:beta3

  18. The CPE Dictionary is an enumeration of CPE Names • Currently contains 15,000+ CPE names • Represents 3000+ products from 200+ vendors

  19. The CPE Dictionary is a large XML catalog CPE Name <cpe-item name="cpe:/a:microsoft:.net_framework:2.0"> <title xml:lang="en-US">Microsoft .NET Framework 2.0</title> Internationalized <check Title system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="http://oval.mitre.org/repository/data/DownloadDefinition..."> oval:org.mitre.oval:def:310</check> <meta:item-metadata modification-date="2008-04-15T19:55:43.797-04:00" status="FINAL" nvd-id="61877" /> </cpe-item> Check Reference Repository Metadata

  20. The CPE Dictionary also contains component metadata Vendor <meta:component-tree> <meta:vendor value="adobe"> <meta:title xml:lang="en-US">Adobe Systems Product Incorporated</meta:title> <meta:product value="acrobat_reader" part="a"> <meta:title xml:lang="en-US">Acrobat Reader</meta:title> <meta:version value="7.0" /> <meta:version value="7.0.1" /> Versions <meta:version value="7.0.2" /> <meta:version value="7.0.3" /> <meta:version value="7.0.4" /> <meta:version value="7.0.5" /> <meta:version value="7.0.6" /> <meta:version value="7.0.7" /> <meta:version value="7.0.8" /> <meta:version value="7.0.9" /> <meta:version value="8.0" /> <meta:version value="8.1" /> </meta:product> </meta:vendor> </meta:component-tree>

  21. Enterprise Use Cases • Vulnerability Management • Configuration Management • Asset Reporting

  22. Vulnerability Management 1) Inventory assets to collect deployed products 2) Query vulnerabilities for inventoried products Vulnerability Database 3) Assess the presence of each vulnerability 4) Remediate identified vulnerabilities 5) Re-assess CPE Data CPE Data Asset Database CPE Data Network Scanner CPE Data CPE Data Vulnerability CPE Data Analysis Tool Host-Based Agents or Scanners Remediation Wide Area Network Tool

  23. Configuration Management 1) Inventory assets to collect deployed products 2) Query configuration policy for inventoried products Configuration Policy 3) Assess compliance with policy 4) Remediate non-compliant products 5) Re-assess CPE Data CPE Data Asset Database CPE Data Network Scanner CPE Data CPE Data Compliance CPE Data Tool Host-Based Agents or Scanners Remediation Wide Area Network Tool

  24. Asset Reporting •CPE Names identify products that compose an asset •Metadata can be associated with CPE names to identify: • Function of a product (i.e. web server, DNS server, etc.) • Existence of product vulnerabilities • Product configuration compliance • Product license usage

  25. Current Issues • Fully qualified CPE Names • Complexity of the specification • Version matching • Tagging • Non-computing CPE Names

  26. Problem: Fully Qualified CPE Names are needed for product identification The CPE Name: cpe:/a:sun:staroffice:8.0 Matches ALL updates, editions, and languages

  27. Solution: Differentiate between fully qualified and abstract CPE names • All components used • Use of “nil” for unused components • Add discrete=“true|false” metadata tag to differentiate fully qualified vs. abstract CPE names Now the CPE Name: cpe:/a:sun:staroffice:8.0:nil:nil:nil Matches NO updates, editions, and languages

  28. Problem: The CPE specification contains many parts that change independently of each other • CPE Name • CPE Matching • CPE Language • CPE Dictionary • Each capability within CPE is at a different maturity level • Clarifications regularly needed on CPE naming conventions • The CPE Name specification should not imply that the only valid CPE names are those specified in the dictionary

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
When I grow up, I want to be a platform DIOGO LUCAS SIDNEY SHEK Common user experiences

When I grow up, I want to be a platform DIOGO LUCAS SIDNEY SHEK Common user experiences

When I grow up, I want to be a platform DIOGO LUCAS SIDNEY SHEK Common user experiences Ecosystem &amp; Enterprise &amp; Product Platform Identity Marketplace Admin Front-end Mobile Core Platform Services API gateway Event bus Task

862 views • 61 slides
common ground Patagonia Common Ground is a web platform paired with a physical product strategy

common ground Patagonia Common Ground is a web platform paired with a physical product strategy

common ground Patagonia Common Ground is a web platform paired with a physical product strategy that enables Patagonias growing customer base to take action on environmental fights for public land in their region through petitions. By

330 views • 19 slides
SP SPEC ECIF IFICA ICATIONS TIONS Philippine Government Common Platform Dennis Reyes, Ph.D.

SP SPEC ECIF IFICA ICATIONS TIONS Philippine Government Common Platform Dennis Reyes, Ph.D.

ST STAND NDARD ARD DATA SH SHARING ING SP SPEC ECIF IFICA ICATIONS TIONS Philippine Government Common Platform Dennis Reyes, Ph.D. iGov Enterprise Solutions Architect 1 OVERVIEW: GOVERNMENT COMMON PLATFORM 2 Context Of Applied

246 views • 10 slides
Chapter 7 Utilities for High-Level Descriptions 1 Type Declarations and Usage Enumeration

Chapter 7 Utilities for High-Level Descriptions 1 Type Declarations and Usage Enumeration

Chapter 7 Utilities for High-Level Descriptions 1 Type Declarations and Usage Enumeration types Physical types Array types Record types 2 Enumeration Types Enumeration is basic scalar type Enumeration is defined

522 views • 39 slides
DSF: A Common Platform For Distributed Systems Research and Development Chunqiang (CQ) Tang IBM

DSF: A Common Platform For Distributed Systems Research and Development Chunqiang (CQ) Tang IBM

IBM Research DSF: A Common Platform For Distributed Systems Research and Development Chunqiang (CQ) Tang IBM Research December 4, 2009 IBM Research IBM Research Motivation: a Personal but Common Experience I develop production-quality

480 views • 16 slides
Introduction Outline 1. Strings and Graphs 2. Our String Problem: Enumerating Maximal Common

Introduction Outline 1. Strings and Graphs 2. Our String Problem: Enumerating Maximal Common

Maximal Common Subsequence Enumeration 1 How Graph Structure Helped Solve a String Problem Giulia Punzi PhD Student in Computer Science Department of Computer Science Mauriana Pesaresi PhD Seminars April 20th 2020 1 A. Conte, R. Grossi, G.

832 views • 81 slides
An Introduction to Enumeration Schemes Lara Pudwell Valparaiso University Trinity University

An Introduction to Enumeration Schemes Lara Pudwell Valparaiso University Trinity University

Pattern-Avoiding Permutations Enumeration Schemes Summary An Introduction to Enumeration Schemes Lara Pudwell Valparaiso University Trinity University Mathematics Colloquium November 18, 2009 Lara Pudwell An Introduction to Enumeration

1.14k views • 79 slides
ENUMERATION TYPES An enumeration type is a type whose values are defined by a list of named values

ENUMERATION TYPES An enumeration type is a type whose values are defined by a list of named values

ENUMERATION TYPES An enumeration type is a type whose values are defined by a list of named values of type int. This programmer-defined type is very much like a list of declared constants. Enumeration types can be handy for defining a list of

363 views • 3 slides
Verified Enumeration of Plane Graphs Modulo Isomorphism Tobias Nipkow Fakult at f ur

Verified Enumeration of Plane Graphs Modulo Isomorphism Tobias Nipkow Fakult at f ur

Verified Enumeration of Plane Graphs Modulo Isomorphism Tobias Nipkow Fakult at f ur Informatik TU M unchen 1 Background 2 Generic enumeration 3 Application 1 Background 2 Generic enumeration 3 Application Kepler Conjecture (1611)

643 views • 30 slides
Random Sampling Revisited: Lattice Enumeration with Discrete Pruning Yoshinori Aono

Random Sampling Revisited: Lattice Enumeration with Discrete Pruning Yoshinori Aono

Random Sampling Revisited: Lattice Enumeration with Discrete Pruning Yoshinori Aono Phong Nguy n Summary Motivation Lattices, Enumeration and Pruning Enumeration with Discrete Pruning Motivation Context Needs: convincing

457 views • 43 slides
Tim Pettersen @kannonboy @kannonboy What do the following have in common? Homebrew Flashbake

Tim Pettersen @kannonboy @kannonboy What do the following have in common? Homebrew Flashbake

4/24/13 Git as a Platform | by @kannonboy Tim Pettersen @kannonboy @kannonboy What do the following have in common? Homebrew Flashbake Ticgit The German legislature This presentation localhost:8000 1/30 4/24/13 Git as a Platform | by

520 views • 30 slides
Graph classes with given 3 -connected components: asymptotic enumeration and random graphs

Graph classes with given 3 -connected components: asymptotic enumeration and random graphs

Background Enumeration Largest block 3-connected component Graph classes with given 3 -connected components: asymptotic enumeration and random graphs Juanjo Ru e (joint work with Omer Gim enez and Marc Noy) Laboratoire dInformatique

947 views • 70 slides
GOAL 7 COP 21 for a common platform for cooperation among solar rich countries. Ensure access

GOAL 7 COP 21 for a common platform for cooperation among solar rich countries. Ensure access

Paris Declaration: Launched at GOAL 7 COP 21 for a common platform for cooperation among solar rich countries. Ensure access to affordable, reliable, sustainable and modern energy for all GOAL 13 Take urgent action to combat climate change

298 views • 4 slides
: Enumeration Type Enumeration Type Week Week 11 11: Monchai Sopitkamol, Ph.D. Monchai

: Enumeration Type Enumeration Type Week Week 11 11: Monchai Sopitkamol, Ph.D. Monchai

2/8/2007 204111 204111: Computer and : Computer and Programming Programming : Enumeration Type Enumeration Type Week Week 11 11: Monchai Sopitkamol, Ph.D. Monchai Sopitkamol, Ph.D. Enumeration Type Enumeration Type Motivations

229 views • 10 slides
StratoSphere Above the Clouds Triangle Enumeration Input Set of undirected edges

StratoSphere Above the Clouds Triangle Enumeration Input Set of undirected edges

Stratosphere Demo Triangle Enumeration &amp; TPC-H Query 3 Thomas Bodner, Matthias Ringwald TU Berlin StratoSphere Above the Clouds Triangle Enumeration Input Set of undirected edges Friend-of-a-Friend RDF data from Billion Triple

590 views • 19 slides
FLREDC Public Meeting Rochester Riverside Convention Center February 25, 2016 Kathy Hochul New

FLREDC Public Meeting Rochester Riverside Convention Center February 25, 2016 Kathy Hochul New

FLREDC Public Meeting Rochester Riverside Convention Center February 25, 2016 Kathy Hochul New York State Lt. Governor URI Implementation Status $30 million committed to 40 projects as part of 2015 Round V CFA awards to FLREDC priority

109 views • 10 slides
WS-CAF in a Nutshell Mark Little, Arjuna Technologies Ltd What is WS-CAF? Collection of 3

WS-CAF in a Nutshell Mark Little, Arjuna Technologies Ltd What is WS-CAF? Collection of 3

WS-CAF in a Nutshell Mark Little, Arjuna Technologies Ltd What is WS-CAF? Collection of 3 specifications Designed to be used independently or together 18+ months of effort Based on implementation and user feedback

750 views • 72 slides
Program (WRP) for College Students with Disabilities What is the Workforce Recruitment

Program (WRP) for College Students with Disabilities What is the Workforce Recruitment

The Workforce Recruitment Program (WRP) for College Students with Disabilities What is the Workforce Recruitment Program? Purpose increase the representation of people with disabilities in the federal government and private workforce.

647 views • 17 slides
IMI URI Project Pattern Formation in Thermally Convecting Non-Newtonian Fluids Supervisor: Prof.

IMI URI Project Pattern Formation in Thermally Convecting Non-Newtonian Fluids Supervisor: Prof.

IMI URI Project Pattern Formation in Thermally Convecting Non-Newtonian Fluids Supervisor: Prof. Jonathan Dawes Summers of 2016/17 Pattern Formation in Thermally Convecting Non-Newtonian Fluids Supervisor: Prof. Jonathan Dawes IMI URI Project

210 views • 5 slides
AN INTRODUCTION TO DEEPSTREAM SDK Kaustubh Purandare March 2018 AGENDA Introduction to

AN INTRODUCTION TO DEEPSTREAM SDK Kaustubh Purandare March 2018 AGENDA Introduction to

AN INTRODUCTION TO DEEPSTREAM SDK Kaustubh Purandare March 2018 AGENDA Introduction to DeepStream SDK DeepStream SDK Basic Building Blocks Setup &amp; Installation Application Examples Performance Analysis 3 rd

229 views • 19 slides
SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple

SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple

SOAP and Its Extensions Matt Van Gundy CS 595G 2006.02.07 What is SOAP? Formerly Simple Object Access Protocol Abstract Stateless Messaging Protocol Another XML-based Meta-Standard SOAP Processing Model SOAP Message Construct

397 views • 16 slides
TkGecko: Another Attempt for an HTML Renderer for Tk Georgios Petasis Software and Knowledge

TkGecko: Another Attempt for an HTML Renderer for Tk Georgios Petasis Software and Knowledge

TkGecko: Another Attempt for an HTML Renderer for Tk Georgios Petasis Software and Knowledge Engineering Laboratory, Institute of Informatics and Telecommunications, National Centre for Scientific Research Demokritos, Athens, Greece

512 views • 22 slides
TABLE OF CONTENTS General view of ISA Programme EIF: European Interoperability Framework EIRA:

TABLE OF CONTENTS General view of ISA Programme EIF: European Interoperability Framework EIRA:

ISA 2 Programme By Natalia ARISTIMUO PEREZ Head of Interoperability Unit at Directorate- General for Informatics (DG DIGIT) European Commission Stockholm, 24 th August 2017 TABLE OF CONTENTS General view of ISA Programme EIF: European

467 views • 31 slides

More recommend