<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "../rfc2629.dtd"[
  <!ENTITY xml-names SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml4/reference.W3C.REC-xml-names-20091208.xml">
  <!ENTITY RFC2119 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
  <!ENTITY RFC5070 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5070.xml">
    <!ENTITY RFC4949 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4949.xml">
  <!ENTITY I-D.ietf-mile-rolie SYSTEM
  "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-mile-rolie-04.xml">
]>
<?xml-stylesheet type="text/css" href="../rfc7749.css"?>
<rfc ipr="trust200902" category="info"
    docName="draft-banghart-sacm-rolie-softwaredescriptor-01">
    <?rfc compact="yes"?>
    <?rfc subcompact="no"?>
    <?rfc toc="yes"?>
    <?rfc symrefs="yes"?>
    <front>
        <title abbrev="ROLIE">Definition of the ROLIE Software Descriptor
            Extension</title>
        <author fullname="David Waltermire" initials="D.W."
            surname="Waltermire">
            <organization>National Institute of Standards and
                Technology</organization>
            <address>
        <postal>
          <street>100 Bureau Drive</street>
          <city>Gaithersburg</city>
          <region>Maryland</region>
          <code>20877</code>
          <country>USA</country>
        </postal>
        <email>david.waltermire@nist.gov</email>
      </address>
        </author>
        <author fullname="Stephen Banghart" initials="S.B."
            surname="Banghart">
            <organization>National Institute of Standards and
                Technology</organization>
            <address>
        <postal>
          <street>100 Bureau Drive</street>
          <city>Gaithersburg</city>
          <region>Maryland</region>
          <code>20877</code>
          <country>USA</country>
        </postal>
        <email>stephen.banghart@nist.gov</email>
      </address>
        </author>
        <date month="May" day="3" year="2017"/>
        <area>Security</area>
        <workgroup>SACM Working Group</workgroup>
        <abstract>
            <t>This document extends the Resource-Oriented Lightweight
                Information Exchange (ROLIE) core to add the information
                type category and related requirements needed to support
                Software Record and Software Inventory use cases. The
                'software-descriptor' information type is defined as a
                ROLIE extension. Additional supporting requirements are
                also defined that describe the use of specific formats
                and link relations pertaining to the new information
                type.</t>
        </abstract>
    </front>
    <middle>
        <section title="Introduction" anchor="starting-intro">
            <t>This document defines an extension to the
                Resource-Oriented Lightweight Information Exchange
                (ROLIE) protocol to support the publication of software
                descriptor information. Software descriptor information
                is information that characterizes:<list>
                <t>an installable software package, or</t>
                <t>information about static software components that may
                    be installed by a software package or patch.</t>
                </list></t>
            <t>Software descriptor information includes identifying,
                versioning, software creation and publication, and file
                artifact information. Software descriptor information
                provides data about what might be installed, but doesn't
                describe where or how a specific software installation is
                installed, configured, or executed.</t>
            <t>Some possible use cases for software descriptor
                information include:<list>
                <t>Software providers can publish software descriptor
                    information so that software researchers and users of
                    software can understand the collection of software
                    produced by that software provider.</t>
                <t>Organizations can aggregate and syndicate collections
                    of software descriptor information provided by
                    multiple software providers to support
                    software-related analysis processes (e.g.,
                    vulnerability analysis) and value added information
                    (e.g., software configuration checklist repositories)
                    using identification and characterization information
                    derived from software descriptor information.</t>
                <t>End user organizations can consume sources of software
                    descriptor information, and other related software
                    vulnerability and configuration information to
                    provide the data needed to automate software asset,
                    patch, and configuration management practices.</t>
                <t>Organizations can use software descriptors to support
                    verification of other entities, through mechanisms such
                    as Reference Integrity Measurements (RIM) or other
                    integrity measurements.</t>
                </list></t>
            <t>This document supports these use cases by describing the
                content requirements for Collections of software
                descriptor information that are to be published to or
                retrieved from a ROLIE repository. This document also
                discusses requirements around the use of link
                relationships and describing the data model formats used
                in a ROLIE Entry describing a software descriptor
                information resource.</t>
        </section>
        <section title="Terminology" anchor="ext-terminology">
            <t>The key words "MUST," "MUST NOT," "REQUIRED," "SHALL,"
                "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED,"
                "MAY," and "OPTIONAL" in this document are to be
                interpreted as described in <xref target="RFC2119"/>. </t>
            <t>Definitions for some of the common computer
                security-related terminology used in this document can be
                found in Section 2 of <xref target="RFC5070"/>.</t>
        </section>
        <section title="New information-types" anchor="infotypes">
            <t>This document defines the following information type:</t>
            <section
                title="The &quot;software-descriptor&quot; information type"
                anchor="infotype-software-descriptor">
                <t>The &quot;software-descriptor&quot; information type
                    represents any information that describes a piece of
                    software. This document uses the definition of
                    software provided by <xref target="RFC4949"/>. Note
                    that as per this definition, this information type
                    pertains to static software, that is, code on the
                    disc. The software-descriptor information type is
                    intended to provide a category for information that
                    does one or more of the following:<list
                    style="hanging">
                    <t hangText="identifies and characterizes software">
                        This software identification and characterization
                        information can be provided by a large variety of
                        data, but always describes software in a
                        pre-installed state.</t>
                    <t hangText="provides software installer metadata"
                        >This represents information about software used
                        to install other software. This metadata
                        identifies, and characterizes a software
                        installation package or media.</t>
                    <t
                        hangText="describes stateless installation metadata"
                        > Information that describes the software
                        post-deployment, such as files that may be
                        deployed during an installation. It is expected
                        that this metadata is produced generally for a
                        given installation, and may not exactly match the
                        actual installed files on a given endpoint.</t>
                    </list></t>
                <t> Provided below is a non-exhaustive list of
                    information that may be considered to be of the
                    software-descriptor information type. <list
                    style="symbols">
                    <t>Naming information: IDs and names that aid in the
                        identification of a piece of software </t>
                    <t>Version and patching information: Version numbers,
                        patch identifiers, or other information that </t>
                    <t>Vendor and source information: Includes where the
                        software was developed or distributed from, as
                        well as where the software installation media may
                        be located.</t>
                    <t>Payload and file information: information that
                        describes or enumerates the files and folders
                        that make up the piece of software, and
                        information about those files.</t>
                    <t>Descriptive information and data: Any information
                        that otherwise characterizes a piece of software,
                        such as libraries, runtime environments, target
                        OSes, intended purpose or audience, etc.</t>
                    </list> </t>
                <t>Note again that this list is not exhaustive; any
                    information that is in the abstract realm of a
                    software descriptor should be classified under this
                    information-type.</t>
                <t>This information type does not include descriptions of
                    running software, or state and configuration
                    information that is associated with a software
                    installation.</t>
            </section>
        </section>
        <section
            title="Usage of the software-descriptor Information Type in the Atom
        Publishing Protocol"
            anchor="ext-APP">
            <t>This document does not specify any additional requirements
                for use of the Atom Publishing Protocol.</t>
        </section>
        <section
            title="Usage of the software-descriptor Information Type in the atom:feed element"
            anchor="ext-synd">
            <t>This document does not specify any additional requirements
                for use of the atom:feed element.</t>
        </section>
        <section
            title="Usage of the software-descriptor Information Type in an atom:entry"
            anchor="ext-synd-entries">
            <t>This document specifies the following requirements for use
                of the software-descriptor information type with regards
                to Atom Entries.</t>
            <section title="Use of the atom:link element"
                anchor="ext-synd-entries-link">
                <t>This section defines the requirements around the use
                    of atom:link elements in Entries. Each relationship is
                    named, described, and given a requirement level.</t>
                <texttable anchor="links-software-descriptor-table"
                    title="Link Relations for the software-descriptor Information Type">
                    <ttcol align="left">Name</ttcol>
                    <ttcol align="left">Description</ttcol>
                    <ttcol align="left">Conformance</ttcol>
                    <c>ancestor</c>
                    <c>Links to a software descriptor resource that
                        defines an ancestor of the software being
                        described by this Entry.</c>
                    <c>MAY</c>
                    <c>patches</c>
                    <c>Links to a software descriptor resource that
                        defines the software being patched by this
                        software.</c>
                    <c>MAY</c>
                    <c>requires</c>
                    <c>Links to a software descriptor resource that
                        defines a piece of software required for this
                        software to function properly. </c>
                    <c>MAY</c>
                    <c>installs</c>
                    <c>Links to a software descriptor resource that
                        defines the software being installed by this
                        software.</c>
                    <c>MAY</c>
                    <c>installationrecord</c>
                    <c>Provides a link to a resource that describes an
                        installation of this software.</c>
                    <c>MAY</c>
                </texttable>
            </section>
            <section title="Use of the rolie:format element"
                anchor="ext-synd-format">
                <t>This document does not contain any additional
                    requirements for the rolie:format element, the
                    formats that follow are provided as examples of
                    formats that describe the software descriptor
                    information type.</t>
                <section title="The ISO SWID 2016 format"
                    anchor="ext-synd-format-iso2016">
                    <t>The ISO SWID Tag 2016 format is a software
                        descriptor and software record data format. It
                        provides several tags: primary, which provides
                        descriptive and naming information about
                        software, patch, which describes non-standalone
                        software meant to patch existing software, and
                        corpus, which describes the software installation
                        media that installs a given piece of
                        software.</t>
                    <t>For a more complete overview as well as normative
                        requirements, refer to TODO(ref?):ISO/IEC
                        19770-2</t>
                </section>
                <section anchor="the-concise-swid-format"
                    title="The Concise SWID format">

                    <t>The Concise SWID format is an alternative
                        representation of the ISO SWID Tag 2016 format
                        using a CBOR encoding defined by a CDDL
                        specification. It provides the same features and
                        attributes as are specified in ISO 19770-2, plus:
                        <list style="symbols">
                        <t>a straightforward method to sign and encrypt
                            SWID Tags using COSE, and</t>
                        <t>additional attributes that provide an improved
                            structure to include file hashes intended to
                            be used as Reference Integrity Measurements
                            (RIM).</t>
                        </list></t>
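                    <t>The RIM use case above (software descriptors used
                        to verify other entities) and the file-hash
                        attributes just described come together in the
                        following added example, which is not code from
                        this document or from any SWID implementation. It
                        hashes an install tree into a simplified
                        descriptor, then checks a later copy of that tree
                        against it. The dict layout ("payload" keyed by
                        relative path, with "size" and "sha-256") is this
                        example's own stand-in for the CoSWID payload
                        structure, and the sample tree is constructed in a
                        temporary directory. Because a descriptor is
                        untrusted input, a path entry that escapes the
                        install root is rejected rather than followed.</t>
                    <figure>
                        <artwork xml:space="preserve"><![CDATA[
```python
"""Reference Integrity Measurement check of an installed tree against a
simplified software descriptor (example code; descriptor layout assumed)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_descriptor(root: Path, name: str, version: str) -> dict:
    """Publisher side: record size and SHA-256 of every file under root.
    Paths are stored relative to root with forward slashes."""
    payload = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            payload[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha-256": sha256_file(p),
            }
    return {"software-name": name, "software-version": version,
            "payload": payload}


def verify_installation(root: Path, descriptor: dict) -> dict:
    """Verifier side: report match / mismatch / missing per descriptor
    entry. Entries whose path resolves outside root are rejected: the
    descriptor is untrusted and must not steer the verifier elsewhere."""
    root_resolved = root.resolve()
    results = {}
    for rel, ref in descriptor["payload"].items():
        target = root / rel
        try:
            target.resolve().relative_to(root_resolved)
        except ValueError:
            results[rel] = "rejected-path"
            continue
        if not target.is_file():
            results[rel] = "missing"
            continue
        # Size first: cheap, and skips hashing obviously altered files.
        if (target.stat().st_size != ref["size"]
                or sha256_file(target) != ref["sha-256"]):
            results[rel] = "mismatch"
        else:
            results[rel] = "match"
    return results


def demo_tampered_install():
    """Constructed scenario: a clean tree, then a tampered binary, a
    deleted library and a traversal entry injected into the descriptor.
    Returns (clean_results, tampered_results)."""
    root = Path(tempfile.mkdtemp(prefix="swd-rim-"))
    try:
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF constructed binary")
        (root / "lib" / "helper.so").write_bytes(b"constructed shared object")
        (root / "README").write_text("constructed readme\n")
        descriptor = build_descriptor(root, "Example Product", "1.2.0")
        clean = verify_installation(root, descriptor)

        (root / "bin" / "app").write_bytes(b"\x7fELF trojaned binary")
        (root / "lib" / "helper.so").unlink()
        descriptor["payload"]["../outside-root"] = {"size": 0,
                                                    "sha-256": "00" * 32}
        tampered = verify_installation(root, descriptor)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo_tampered_install()
    print("clean:", before)
    print("tampered:", after)
```
]]></artwork>
                    </figure>
                    <t>The digests here only tell a verifier that files
                        match what the descriptor claims; they say nothing
                        about whether the descriptor itself is genuine,
                        which is why the signature and provenance points
                        in the Security Considerations still apply.</t>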
                </section>
            </section>
            <section title="Use of the rolie:property element">
                <t>This document registers new valid rolie:property names
                    as follows:</t>
                <section title="urn:ietf:params:rolie:property:swd:id"
                    anchor="prop-swd-id">
                    <t>This property provides an exposure point for an
                        identification field from the associated software
                        descriptor. The value of this property SHOULD be
                        uniquely identifying information generated from
                        the software descriptor linked to by the entry's
                        atom:content element. swd:id property values
                        SHOULD have a one-to-one mapping to individual
                        pieces of SWD content.</t>
                </section>
                <section
                    title="urn:ietf:params:rolie:property:swd:swname"
                    anchor="prop-swd-swname">
                    <t>This property provides an exposure point for the
                        plain text name of the software being described.
                        Due to the great variance in naming schemes, this
                        property should be considered informative.</t>
                </section>
            </section>
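                <t>The link relations defined above and the two
                    rolie:property names registered in this section are
                    what a consumer acts on when it pulls an Entry from a
                    ROLIE repository. The following added example, which
                    is not code from this document or from any ROLIE
                    implementation, parses such an Entry, confirms that
                    it carries the software-descriptor information type,
                    collects the links whose rel values this extension
                    defines, and exposes swd:id and swd:swname. The
                    sample Entry is the one from the Examples appendix,
                    extended with a "patches" link, a "requires" link and
                    the two properties; the name/value attribute shape
                    of rolie:property is assumed, as are the URLs and
                    values in the sample.</t>
                <figure>
                    <artwork xml:space="preserve"><![CDATA[
```python
"""Consumer-side checks for a software-descriptor ROLIE Entry
(example code; sample Entry and property attribute shape are assumed)."""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
ROLIE = "urn:ietf:params:xml:ns:rolie-1.0"
INFO_TYPE_SCHEME = "urn:ietf:params:rolie:category:information-type"
SWD_ID = "urn:ietf:params:rolie:property:swd:id"
SWD_SWNAME = "urn:ietf:params:rolie:property:swd:swname"
# Link relations this extension defines for software-descriptor Entries.
SWD_LINK_RELS = {"ancestor", "patches", "requires", "installs",
                 "installationrecord"}

# Constructed sample Entry (assumed hrefs and property values).
SAMPLE_ENTRY = """<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom"
  xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
  <id>dd786dba-88e6-440b-9158-b8fae67ef67c</id>
  <title>Sample Software Descriptor</title>
  <published>2015-08-04T18:13:51.0Z</published>
  <updated>2015-08-05T18:13:51.0Z</updated>
  <link rel="self" href="http://www.example.org/provider/SWD/123456"/>
  <link rel="patches" href="http://www.example.org/provider/SWD/123400"/>
  <link rel="requires" href="http://www.example.org/provider/SWD/100001"/>
  <category scheme="urn:ietf:params:rolie:category:information-type"
            term="software-descriptor"/>
  <rolie:format ns="urn:example:COSWID"/>
  <rolie:property name="urn:ietf:params:rolie:property:swd:id"
                  value="example.org/product/123456"/>
  <rolie:property name="urn:ietf:params:rolie:property:swd:swname"
                  value="Example Product"/>
  <content type="application/xml"
    src="http://www.example.org/provider/SWD/123456/data"/>
</entry>
"""


def _q(ns, local):
    """Clark-notation qualified name for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def is_software_descriptor_entry(xml_text):
    """True if an atom:category with the information-type scheme carries
    the term software-descriptor."""
    root = ET.fromstring(xml_text)
    return any(c.get("term") == "software-descriptor"
               for c in root.findall(_q(ATOM, "category"))
               if c.get("scheme") == INFO_TYPE_SCHEME)


def parse_swd_entry(xml_text):
    """Extract the pieces of an Entry a software-descriptor consumer uses.
    Raises ValueError for non-Entries or Entries of another type."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(ATOM, "entry"):
        raise ValueError("not an Atom entry")
    if not is_software_descriptor_entry(xml_text):
        raise ValueError("entry does not carry software-descriptor")

    # Only the relations this extension defines; "self" etc. are Atom's.
    links = {}
    for link in root.findall(_q(ATOM, "link")):
        rel = link.get("rel")
        if rel in SWD_LINK_RELS:
            links.setdefault(rel, []).append(link.get("href"))

    props = {p.get("name"): p.get("value")
             for p in root.findall(_q(ROLIE, "property"))}
    warnings = []
    if SWD_ID not in props:
        # swd:id is a SHOULD; its absence is worth flagging, not fatal.
        warnings.append("swd:id property absent")

    fmt = root.find(_q(ROLIE, "format"))
    content = root.find(_q(ATOM, "content"))
    return {
        "id": root.findtext(_q(ATOM, "id")),
        "swd_id": props.get(SWD_ID),
        "swname": props.get(SWD_SWNAME),
        "format_ns": fmt.get("ns") if fmt is not None else None,
        "content_src": content.get("src") if content is not None else None,
        "links": links,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in parse_swd_entry(SAMPLE_ENTRY).items():
        print("%-12s %s" % (key, value))
```
]]></artwork>
                </figure>
                <t>swd:swname is read but deliberately not used as a
                    key: as the property definition notes, naming
                    schemes vary too much for it to be more than
                    informative, so lookups should go through swd:id or
                    the descriptor referenced by atom:content.</t>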
            <section title="IANA Considerations">
                <section title="software-descriptor information-type"
                    anchor="iana-software-descriptor">
                    <t>IANA has added an entry to the "ROLIE Security
                        Resource Information Type Sub-Registry" registry
                        located at <eref
                        target="https://www.iana.org/assignments/rolie/category/information-type"
                        /> . </t>
                    <t>The entry is as follows:<list>
                        <t>name: software-descriptor</t>
                        <t>index: TBD</t>
                        <t>reference: This document, <xref
                            target="infotype-software-descriptor"/></t>
                        </list></t>
                </section>
                <section title="swd:id property">
                    <t>IANA has added an entry to the "ROLIE URN
                        Parameters" registry located in <eref
                        target="https://www.iana.org/assignments/rolie/"
                        />.</t>
                    <t>The entry is as follows:<list>
                        <t>name: property:swd:id</t>
                        <t>Extension IRI:
                            urn:ietf:params:rolie:property:swd:id</t>
                        <t>Reference: This document, <xref
                            target="prop-swd-id"/></t>
                        <t>Subregistry: None</t>
                        </list></t>
                </section>
                <section title="swd:swname property">
                    <t>IANA has added an entry to the "ROLIE URN
                        Parameters" registry located in <eref
                        target="https://www.iana.org/assignments/rolie/"
                        />.</t>
                    <t>The entry is as follows:<list>
                        <t>name: property:swd:swname</t>
                        <t>Extension IRI:
                            urn:ietf:params:rolie:property:swd:swname</t>
                        <t>Reference: This document, <xref
                            target="prop-swd-swname"/></t>
                        <t>Subregistry: None</t>
                        </list></t>
                </section>
            </section>
            <section title="Security Considerations">
                <t>Use of this extension implies dealing with the
                    security implications of both ROLIE and of software
                    descriptors in general. As with any SWD information,
                    care should be taken to verify the trustworthiness
                    and veracity of the descriptor information to the
                    fullest extent possible. </t>
                <t>Ideally, software descriptors should have been signed
                    by the software manufacturer, or signed by whichever
                    agent processed the source code. SWD documents from
                    these sources are more likely to be accurate than
                    those generated by scraping installed software. </t>
                <t>These "authoritative" sources of SWD content should
                    consider additional security for their ROLIE
                    repository beyond the typical recommendations, as the
                    central importance of the repository is likely to
                    make it a target.</t>
                <t>Version information is often represented differently
                    across manufacturers and even across product
                    releases. If SWD version information is used for
                    comparisons and searches that tolerate little error,
                    care should be taken that the correct version scheme
                    is being utilized.</t>
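                <t>The version-scheme point above is easy to get wrong
                    in practice: the same two strings order differently
                    depending on the scheme, so a consumer that compares
                    versions without knowing the scheme will misjudge
                    which installations predate a fix. The following
                    added example, which is not code from this document
                    or from any SWID implementation, implements a
                    scheme-aware comparison. The scheme names are
                    modeled on the versionScheme vocabulary of the ISO
                    SWID tag format; the ordering rules coded here are
                    this example's own simplification of each scheme,
                    and the semver rules follow the Semantic Versioning
                    precedence definition.</t>
                <figure>
                    <artwork xml:space="preserve"><![CDATA[
```python
"""Scheme-aware comparison of software descriptor version strings
(example code; scheme rules are a simplification)."""
import re


def _key_multipartnumeric(v):
    """Dotted integers, compared component by component: 1.10 > 1.9."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", v):
        raise ValueError("%r is not multipartnumeric" % v)
    return tuple(int(part) for part in v.split("."))


def _key_decimal(v):
    """A single decimal number: 1.10 is the same value as 1.1."""
    if not re.fullmatch(r"\d+(?:\.\d+)?", v):
        raise ValueError("%r is not decimal" % v)
    return (float(v),)


def _key_alphanumeric(v):
    """Plain lexical ordering of the whole string."""
    return (v,)


_SEMVER = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?")


def _key_semver(v):
    """Semantic Versioning precedence: core numerically, a pre-release
    sorts before the plain release, pre-release identifiers compare
    numerically when digits and lexically otherwise (digits first);
    build metadata is ignored."""
    m = _SEMVER.fullmatch(v)
    if not m:
        raise ValueError("%r is not semver" % v)
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (core, 1, ())
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i)
                for i in pre.split("."))
    return (core, 0, ids)


SCHEMES = {
    "multipartnumeric": _key_multipartnumeric,
    "decimal": _key_decimal,
    "alphanumeric": _key_alphanumeric,
    "semver": _key_semver,
}


def compare_versions(a, b, scheme):
    """Return -1, 0 or 1 for a < b, a == b, a > b under the given scheme.
    Refuses unknown schemes instead of guessing."""
    try:
        key = SCHEMES[scheme]
    except KeyError:
        raise ValueError("unknown version scheme %r" % scheme)
    ka, kb = key(a), key(b)
    return (ka > kb) - (ka < kb)


def is_before_fix(installed, fixed_in, scheme):
    """True when the installed version sorts before the fixed version,
    i.e. the installation would be treated as still affected."""
    return compare_versions(installed, fixed_in, scheme) < 0


def demo_scheme_divergence():
    """Same strings, three schemes, three different verdicts on whether
    1.10 comes before or after 1.9."""
    return {s: compare_versions("1.10", "1.9", s)
            for s in ("multipartnumeric", "alphanumeric", "decimal")}


if __name__ == "__main__":
    for scheme, result in demo_scheme_divergence().items():
        print("%-17s 1.10 vs 1.9 -> %d" % (scheme, result))
```
]]></artwork>
                </figure>
                <t>Under multipartnumeric an installation at 1.10 is
                    past a fix released in 1.9; under alphanumeric or
                    decimal the same comparison reports it as still
                    affected. A consumer should therefore carry the
                    scheme alongside the version string rather than
                    defaulting to one.</t>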
            </section>
        </section>
    </middle>
    <back>
        <references title="Normative References"> &RFC2119; &RFC5070;
            &RFC4949; &I-D.ietf-mile-rolie; </references>
        <section title="Schema" anchor="appendix-schema">
            <t>This document does not require any schema extensions.</t>
        </section>
        <section title="Examples of Use">
            <t>Use of this extension in a ROLIE repository will not
                typically change that repository's operation. As such, the
                general examples provided by the ROLIE core document
                would serve as examples. Provided below is a sample SWD
                ROLIE entry: </t>
            <figure height="" suppress-title="false" width="" alt=""
                title="" align="left">
                <artwork height="" name="" width="" type="" alt="" align="left" xml:space="preserve"><![CDATA[
  <?xml version="1.0" encoding="UTF-8"?>
  <entry xmlns="http://www.w3.org/2005/Atom"
    xmlns:rolie="urn:ietf:params:xml:ns:rolie-1.0">
    <id>dd786dba-88e6-440b-9158-b8fae67ef67c</id>
    <title>Sample Software Descriptor</title>
    <published>2015-08-04T18:13:51.0Z</published>
    <updated>2015-08-05T18:13:51.0Z</updated>
    <summary>A descriptor for a piece of software published by this
    organization. </summary>
    <link rel="self" href="http://www.example.org/provider/SWD/123456"/>
    <category
        scheme="urn:ietf:params:rolie:category:information-type"
        term="software-descriptor"/>
    <rolie:format ns="urn:example:COSWID"/>
    <content type="application/xml" 
      src="http://www.example.org/provider/SWD/123456/data"/>
  </entry>]]></artwork>
            </figure>
        </section>
    </back>
</rfc>
