CTI STIX Subcommittee

  • 1.  Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

    Posted 07-26-2018 19:38
    I believe our team has uncovered a bug in STIX Patterning WRT lack of clarity around qualifiers.

    Currently the specification

    a) does not appear to limit the number of times a qualifier can be used after an observation expression
    b) does not appear to define how qualifiers should be evaluated against an observation expression (are they left-associative or right-associative, are they greedy or non-greedy *)

    This means you can have legal patterns like this:

    [ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES

    [ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES WITHIN 10 SECONDS REPEATS 15 TIMES

    .... any of which would result in undefined behaviour in the spec.

    I would like to propose we make some changes here in 2.1.

    1) I would suggest we make a change to the spec to disallow (a) outright, so that any given qualifier can be used at most once in an observation expression (IE, you can use REPEATS only once, START / STOP only once, etc). However, I am unsure exactly where in the spec it would be best to make this change, as we discuss qualifiers in a few places.

    2) I would suggest that we define that qualifiers should be evaluated as left-associative and non-greedy.

    * we actually say in an example in 4.1.2 that they are supposed to be non-greedy, but we don't say it normatively anywhere.

    - Jason Keirstead
    Lead Architect - IBM Security Cloud
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown


  • 2.  Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

    Posted 07-26-2018 19:46
    Related to this https://github.com/oasis-tcs/cti-stix2/issues/70 ?


  • 3.  Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

    Posted 07-26-2018 19:59
    Yep - that would be the same as (a)

    - Jason Keirstead
    Lead Architect - IBM Security Cloud
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown

    From: drew.varner@ninefx.com
    To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Cc: cti-stix@lists.oasis-open.org
    Date: 07/26/2018 04:46 PM
    Subject: Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix


  • 4.  Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

    Posted 07-26-2018 21:34
    Jason Keirstead wrote this message on Thu, Jul 26, 2018 at 16:38 -0300:
    > I believe our team has uncovered a bug in STIX Patterning WRT lack of
    > clarity around qualifiers.
    >
    > Currently the specification
    >
    > a) does not appear to limit the number of times a qualifier can be used
    > after an observation expression
    > b) does not appear to define how qualifiers should be evaluated against an
    > observation expression (are they left-associative or right-associative,
    > are they greedy or non-greedy *)
    >
    > This means you can have legal patterns like this:
    >
    > [ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES
    >
    > [ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES
    > WITHIN 10 SECONDS REPEATS 15 TIMES

    The first qualifier doesn't make sense here, since there is only one observation, and it will always be WITHIN 5 SECONDS.

    > .... any of which would result in undefined behaviour in the spec.

    I don't see that this is undefined in the spec.. A qualifier cannot exist w/o an observation expression. So you have [ a ], then if you have [ a ] WITHIN 5 SECONDS, that results in a new observation expression, which is then qualified by REPEATS 5 TIMES, and so on...

    > I would like to propose we make some changes here in 2.1.
    >
    > 1) I would suggest we make a change to the spec to disallow (a) outright, so
    > that any given qualifier can be used at most once in an observation
    > expression (IE, you can use REPEATS only once, START / STOP only once,
    > etc). However, I am unsure exactly where in the spec it would be best to
    > make this change, as we discuss qualifiers in a few places.

    I don't see a need to constrain the spec like this.. it seems unnecessary and makes the specification more complex...

    > 2) I would suggest that we define that qualifiers should be evaluated as
    > left-associative and non-greedy.

    I am fine w/ adding additional text to make it more clear that the qualifiers are non-greedy... I thought we had added text to clarify it, but I cannot find a specific clause to point to..

    > * we actually say in an example in 4.1.2 that they are supposed to be
    > non-greedy, but we don't say it normatively anywhere.

    We do have the text:
    > This interpretation is due to qualifiers not being greedy, and is
    > equivalent to [ a = 'b' ] FOLLOWEDBY ( [ c = 'd' ] REPEATS 5 TIMES).

    --
    John-Mark


  • 5.  Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

    Posted 07-26-2018 23:23
    The problem with this approach is - even if you do clarify that qualifiers are left associative and non-greedy, you have an ambiguous behaviour, because of conflicting qualifiers.

    If I have the expression..

    [ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES

    ... I have conflicting qualifiers, because qualifiers are not operating on themselves (they don't nest)... as per the spec, qualifiers are only operating on the observation expression itself. So if I have two 'REPEATS' qualifiers, it is ambiguous which one is the one that should be evaluated.

    IMO it is simpler to just disallow this behaviour. Why allow it, what is the use case?

    - Jason Keirstead
    Lead Architect - IBM Security Cloud
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown

    From: John-Mark Gurney <jmg@newcontext.com>
    To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Cc: cti-stix@lists.oasis-open.org
    Date: 07/26/2018 06:34 PM
    Subject: Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix
    Sent by: <cti-stix@lists.oasis-open.org>


  • 6.  Re: [EXT] Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

    Posted 07-27-2018 02:40
    This sounds reasonable Jason.

    Bret

    From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Sent: Thursday, July 26, 2018 5:23:04 PM
    To: John-Mark Gurney
    Cc: cti-stix@lists.oasis-open.org
    Subject: [EXT] Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix


  • 7.  Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

    Posted 07-27-2018 16:38
    On 26.07.2018 20:23:04, Jason Keirstead wrote:
    >
    > ... I have conflicting qualifiers, because qualifiers are not
    > operating on themselves (they don't nest)... as per the spec,
    > qualifiers are only operating on the observation expression
    > itself. So if I have two 'REPEATS' qualifiers, it is ambiguous which
    > one is the one that should be evaluated.
    >
    > IMO it is simpler to just disallow this behaviour. Why allow it,
    > what is the use case.
    >

    Seems reasonable to me, Jason. Would you please suggest some text in 2.1, Part 5?

    --
    Cheers,
    Trey
    ++--------------------------------------------------------------------------++
    Director of Standards Development, New Context
    gpg fingerprint: 3918 9D7E 50F5 088F 823F 018A 831A 270A 6C4F C338
    ++--------------------------------------------------------------------------++
    --
    "It is always something." --RFC 1925
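
An added example, not part of any post in this thread or of the STIX specification: a small Python check that applies both readings discussed above to the thread's own patterns. It nests qualifiers left to right, as John-Mark describes, and reports qualifier kinds used more than once, which Jason's proposal would disallow. The function names are hypothetical, and only a single bracketed observation expression followed by REPEATS, WITHIN or START/STOP qualifiers is handled.

```python
import re
from collections import Counter

# Qualifier forms named in the thread; the regex itself is an assumption of this example.
QUALIFIER = re.compile(
    r"\s*(?:(?P<REPEATS>REPEATS\s+\d+\s+TIMES)"
    r"|(?P<WITHIN>WITHIN\s+\d+(?:\.\d+)?\s+SECONDS)"
    r"|(?P<STARTSTOP>START\s+t?'[^']*'\s+STOP\s+t?'[^']*'))"
)

def split_pattern(pattern):
    """Split '[ ... ] Q1 Q2 ...' into the bracketed expression and [(kind, text), ...]."""
    pattern = pattern.strip()
    if not pattern.startswith("["):
        raise ValueError("expected a single bracketed observation expression")
    in_string, i = False, 1
    while i < len(pattern):
        ch = pattern[i]
        if in_string and ch == "\\":
            i += 1                      # skip the escaped character
        elif ch == "'":
            in_string = not in_string   # a ']' inside a string literal does not close
        elif ch == "]" and not in_string:
            break
        i += 1
    else:
        raise ValueError("unterminated observation expression")
    observation, rest, qualifiers, pos = pattern[: i + 1], pattern[i + 1:], [], 0
    while rest[pos:].strip():
        m = QUALIFIER.match(rest, pos)
        if not m:
            raise ValueError(f"unrecognised qualifier at: {rest[pos:].strip()!r}")
        qualifiers.append((m.lastgroup, " ".join(m.group(m.lastgroup).split())))
        pos = m.end()
    return observation, qualifiers

def nest_left(observation, qualifiers):
    """Left-associative reading: each qualifier wraps everything to its left."""
    expr = observation
    for _, text in qualifiers:
        expr = f"({expr} {text})"
    return expr

def repeated_kinds(qualifiers):
    """Qualifier kinds used more than once, which the proposed rule would reject."""
    counts = Counter(kind for kind, _ in qualifiers)
    return sorted(kind for kind, n in counts.items() if n > 1)

if __name__ == "__main__":
    # The two patterns quoted in the thread.
    for p in ("[ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES",
              "[ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES "
              "WITHIN 10 SECONDS REPEATS 15 TIMES"):
        obs, quals = split_pattern(p)
        print(nest_left(obs, quals), "| repeated:", repeated_kinds(quals))
```

Under the nested reading both thread patterns parse without error; under the at-most-once rule both are rejected, the first for REPEATS and the second for REPEATS and WITHIN.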