Document Format Support


Document Format Support

Kirillov, Ivan A.

All,

We’ve been getting a number of requests to support explicit characterization of document formats in CybOX (via new Object types), so I thought I’d get the ball rolling on this discussion.

The main questions right now are:

1) Which document formats should we support? PDF is the most likely initial target, but there will likely be interest for PPT, XLS, and DOC as well. Are there any others we should add to the list?

2) For these documents, which attributes should we support? Both PDF and the MS binary file formats are fairly convoluted and expansive, so to get these objects out there in a timely manner, we’d have to pick and choose the attributes we want to support, especially for the initial release.

We welcome your input!

Regards,
Ivan

Ivan Kirillov
CybOX Project
The MITRE Corporation


Re: Document Format Support

Pat Maroney
More for discussion vs. any hard suggestions/beliefs:

Some of the common types of weaponized documents may make sense? E.g.: SWF (FLA, F4V, F4V), SCR, CHM. There is also the issue of masquerading (e.g. how do you characterize CAB/GIF/JPG files that aren't really the same?).

Include a flexible XML construct (which could also cover MS Office docs, openDoc, etc.)?

ZIP could also be useful?


Patrick Maroney
Chief Architect - CyberIQ
Cell: (609)841-5104


On Dec 7, 2012, at 11:48 AM, "Kirillov, Ivan A." <[hidden email]> wrote:



RE: Document Format Support

Kirillov, Ivan A.

Thanks Patrick. I think our initial focus is certainly on those formats capable of being exploited and weaponized, and as such adding SWF and CHM is quite sensible. Adding a flexible/generic construct for XML-based files would also be useful, though probably a lower priority item for now. SCR is, from my understanding, just a type of Portable Executable (PE), which we largely have the ability to characterize with the Windows Executable File Object (http://cybox.mitre.org/XMLSchema/objects/Win_Executable_File/Win_Executable_File_Object_1.3.xsd).

ZIP and other archive formats would also likely make sense, though I think they belong in a separate bin from document formats.

As far as masquerading, I agree that’s something we should think about, and in a broader context (i.e., with regards to any type of file). I think such a capability is a perfect fit for inclusion in CybOX; however, it’s something that will likely require a change to the core CybOX schema, and deserves its own discussion.

Anyhow, I’ve started tracker items for this and the masquerading issue on the newly created CybOX Schemas Repository on GitHub:

https://github.com/CybOXProject/Schemas/issues/1
https://github.com/CybOXProject/Schemas/issues/2

Regards,
Ivan

 

From: Pat Maroney [mailto:[hidden email]]
Sent: Friday, December 07, 2012 1:35 PM
To: Kirillov, Ivan A.
Cc: cybox-discussion-list Cyber Observable Expression/CybOX Discussi
Subject: Re: Document Format Support

 

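The masquerading question raised in this thread (a CAB/GIF/JPG that isn't really one) comes down, at its simplest, to a mismatch between a file's declared extension and its leading bytes. The Python below is an added example, not code from this thread or from CybOX: it checks that mismatch for the formats the discussion names, using public magic-byte signatures, and the sample headers it scans are constructed rather than taken from real files.

```python
# Added example (not CybOX code): flag extension/content mismatch by comparing
# the declared extension to public magic-byte signatures. Samples are constructed.
from typing import Optional

MAGIC = {  # leading bytes for the formats named in the thread
    "pdf": [b"%PDF-"],
    "swf": [b"FWS", b"CWS", b"ZWS"],  # uncompressed / zlib / LZMA
    "chm": [b"ITSF"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"],
    "cab": [b"MSCF"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"],
    "pe": [b"MZ"],  # EXE, SCR, DLL
    "ole": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # legacy DOC/XLS/PPT
}
EXT_TO_FORMAT = {  # extensions that legitimately map onto each container
    "pdf": "pdf", "swf": "swf", "chm": "chm", "zip": "zip", "cab": "cab",
    "gif": "gif", "jpg": "jpg", "jpeg": "jpg",
    "exe": "pe", "scr": "pe", "dll": "pe",
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",  # OOXML is a ZIP container
}

def detect_format(header: bytes) -> Optional[str]:
    """Return the format whose signature matches the leading bytes, or None."""
    for fmt, sigs in MAGIC.items():
        if any(header.startswith(s) for s in sigs):
            return fmt
    return None

def is_masquerading(filename: str, header: bytes) -> bool:
    """True when the extension claims one format but the bytes show another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed, actual = EXT_TO_FORMAT.get(ext), detect_format(header)
    # Unknown extension or unrecognised content: nothing to contradict.
    if claimed is None or actual is None:
        return False
    return claimed != actual

SAMPLES = {  # constructed sample headers, not real files
    "report.pdf": b"%PDF-1.4\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00",  # PE bytes behind a .pdf name
    "photo.jpg": b"GIF89a\x01\x00",  # GIF bytes behind a .jpg name
    "deck.pptx": b"PK\x03\x04\x14\x00",
}

def scan(samples=SAMPLES) -> dict:
    """Map each sample filename to whether its bytes contradict its extension."""
    return {name: is_masquerading(name, hdr) for name, hdr in samples.items()}
```

A real deployment would read only the first 16 or so bytes of each file and would treat an unrecognised header as "unknown" rather than "benign", which is why `is_masquerading` returns False in that case instead of guessing.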