-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restructuring the Software
class hierarchy
#596
Comments
References: * #596 Co-authored-by: Sean Barnum <sbarnum@mitre.org> Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * #596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
@sbarnum , there are a few points needed to finish preparing this proposal well enough for a Requirements Review vote:
|
This patch also updates a test result from one of the to-be-rearranged classes. A follow-on patch will regenerate Make-managed files. References: * RDFLib/pySHACL#222 * #596 * https://www.w3.org/TR/shacl/#NodeConstraintComponent Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * #596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
Update on the implementation: The initial PR tried inlining some anonymous This patch, particularly between pre-line 8740 and post-line 13771, changes the implementation style to move all of those "gentle warning" shapes into anonymous shapes trailing at the end of I moved them to anonymous nodes because it felt unhelpful to devise shape IRIs for temporary shapes, because they would no longer be relevant after UCO 2.0.0, but as introduced IRIs we might need to retain them permanently as part of backwards compatibility. From at least how UCO's current testing infrastructure works, there is a slight difference in the validation reporting depending on whether the shape is identified with a blank node or with an IRI. So, there is a question to address before Solutions Approval: Should these "gentle warning" shapes be given IRIs, or is it fine to have them be blank nodes? Absent requests otherwise, they will be left as blank nodes. |
References: * #596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
From Issue 602, I found a middle ground: The temporary shapes are blank nodes, but are linked to their associated classes with |
No effects were observed on Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will regenerate Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will regenerate Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
A follow-on patch will regenerate Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
This Issue is awaiting English definitions to be added to the new classes before we consider whether the requirements are sufficiently specified. |
There was some question in last week's call on the mutability of a process's parent-reference. Here is a demonstration in macOS or Linux of a process changing its parent, using a Bash shell: sleep 60 That command runs an idle process for 60 seconds, and the process remains the foreground of the shell. Terminating the parent shell would recursively terminate the child sleep 60 & That command runs an idle process and backgrounds the process. The shell is still the process's parent - terminating the parent shell would recursively terminate the child nohup sleep 60 & That command runs like |
@sbarnum : I was looking at the classes in this proposal and thinking of how to demonstrate them. "Service pack" is giving me some confusion versus the other classes. How would you instantiate Windows XP Service Pack 2 (relevant for at least a lot of available forensic reference data), in these ways:
I expect in both of these cases several of the software types will apply to each node. |
No effects were observed on Make-managed files. References: * ucoProject/UCO#596 Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
Here are proposed English definitions for each of the new proposed classes as well as tweaks to a few existing definitions to better align over all and to address some issues that came about from creating clear distinct definitions for Task, ProcessThread, and Process.
|
No effects were observed on Make-managed files. AJN: This is my transcription of Sean's Issue Comment (see references), with a few minor grammatical and typographical fixes. References: * #596 (comment) Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
No effects were observed on Make-managed files. AJN: This is my transcription of Sean's Issue Comment (see references), with a few minor grammatical and typographical fixes. References: * #596 (comment) Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
Thank you, @sbarnum, I've incorporated the definition updates. |
This patch leaves one incompletely-typed class, `ServicePack`, pending discussion. References: * ucoProject/UCO#596 * ucoProject/UCO@faae89b Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
@sbarnum : I'm looking at some class-pairings.
|
I think it is very tricky and risky in defining disjoint between classes of software as there is a large amount of inherent potential overlap.
|
This patch is known to not pass CI due to an already-existing and unresolved modeling question on ServicePack. References: * ucoProject/UCO#596 (comment) Co-authored-by: Sean Barnum <sbarnum@mitre.org> Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
@sbarnum : Also in light of Issue 626 (constraining
Per this SPARQL query: PREFIX uco-observable: <https://ontology.unifiedcyberontology.org/uco/observable/>
SELECT ?nClass
WHERE {
?nClass
rdfs:subClassOf* uco-observable:Software ;
owl:disjointWith
uco-observable:Application ,
uco-observable:OperatingSystem
;
.
}
ORDER BY ?nClass
Could you perhaps illustrate how a |
@sbarnum , given the definition you provided for |
I believe that I think that CPE also felt this way which is why they have separate 'a' and 'o' types. That being said I do think that CPE missed the ball in that they basically presume ALL software falls into these two categories which I think is clearly inaccurate. If the approach we need to follow for constraining cpeid does not align with this then I think we either need to remove and ignore the cpeid constraint or simply not declare On the issue of Does that make sense? |
Good point. I think you are correct, it should be a subclass of I think it is important to maintain semantic separation between a The latter (e.g., Microsoft Windows 11 SP1) is an identifier for a body of software consisting of the Windows 11 operating system AND the ServicePack 1 updates/fixes. This is not the same thing as the ServicePack 1 updates/fixes which would be represented by a ServicePack object. You could assert that the ServicePack 1 ServicePack object is associated with the Windows 11 OperatingSystem object or even that as part of an Action that the ServicePack 1 object was applied to the Windows 11 OperatingSystem object resulting in the Windows 11 SP1 OperatingSystem object. Does that answer your uncertainties around ServicePack? |
From one angle I guess you could consider a I definitely do not think of a |
I would start by highlighting my comment above on the importance of distinguishing between an actual ServicePack of SW update content and a software version identifier for a software that has had a service pack applied. Beyond that, I am having some trouble understanding where the confusion lies. So, if I don't answer your question please let me know where I am missing the area of confusion. The below are VERY simple graph diagrams of classes, properties and relationships at a conceptual level (ignoring facets and the like) that attempt to convey how to use UCO to represent a few scenarios. If you wished to convey the relationship between an OS, a ServicePack for that OS, and the updated version of the OS with the ServicePack applied you could do that with something like: If you wished to convey a storage medium (such as a DVD) containing a service pack updated version of an OS you could do it with something like: If you wanted to show the ServicePack itself on the storage medium instead of the updated OS then just replace the OperatingSystem object with the ServicePack object. You could also simply leave out the File object hop if you wanted to be even more abstract. If you wished to convey a service pack updated version of an OS running on a computer you could do it with something like: All of these scenarios could also easily be combined with something like: Does that make sense? Does it provide the clarity you were looking for? |
…dividual Thanks to @sbarnum for discussion leading to ServicePack's motion. Thanks to @plbt5 for discussion leading to the FunctionalComplex alignment. No effects were observed on Make-managed files. References: * ucoProject/UCO#596 (comment) Signed-off-by: Alex Nelson <alexander.nelson@nist.gov>
@sbarnum , thank you for the illustration figure. It identified a point where I don't think we agree - indirect, but still in scope of this proposal, and I think important to address to the benefit of at least forensics and software supply chain review. Your second figure describes some DVD that contains one file, and that one file contains an I think that in the general case this constellation is inconsistent with software deployment strategies. Take for example the ISO installation image of Windows 101, which today Microsoft provides here. If you mount and review the contents of that DVD, you will see there are hundreds of non-directory files in it. (There is a similar file tally in a recent Ubuntu1 installation image.) No one file among them is "The operating system". It seems to me that the operating system is some subset of the collection of files. Is There's also a point of nuance that this There's also another interpretation of operating system - the running process that has the hardware-interfacing kernel. You've previously designated I think significant parts of software supply chain review processes hinge on the representation of operating system, in similar manners that affect I'd also like to understand how you think This might help with answering Competency Question 1, which I apologize but I'd forgotten hadn't been answered yet. For what it's worth, my current thinking is that Footnotes
|
Disclaimer
Participation by NIST in the creation of the documentation of mentioned software is not intended to imply a recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that any specific software is necessarily the best available for the purpose.
Background
UCO Issue 583 proposed several revisions around representations pertaining to software and its configuration.
This Issue focuses on one set of changes pertaining to a restructure of the class hierarchy pertaining to software, so some changes from 583 can be discussed and implemented for UCO 1.4.0.
Requirements
Requirement 583-2
This requirement is ported from Issue 583:
Risk / Benefit analysis
Benefits
This benefit is ported from Issue 583:
Risks
These risks are in addition to those listed on Issue 583.
rdfs:comment
definition ofProcessThread
does not seem entirely coherent withProcessThread
being a subclass ofProcess
. This software overhaul provides an opportunity for clarification.observable:Software
subclasses should be considered disjoint with otherobservable:Software
subclasses. The rich and adaptive behavioral nature of software might make it impractical to designate any of these classes disjoint.observable:Package
has some usage modes where it is anobservable:File
and where it is not. Take for example the wheel distribution (URL ending.whl
) ofcase-utils
, as listed here. The.whl
file that was prepared for upload could be considered both anobservable:Package
, because it is an installable artifact, andobservable:File
, because it's a file on the build system's file system. However, the object on PyPI might not be classifiable as anobservable:File
.File
as a subclass ofFileSystemObject
. PyPI, and other package management ecosystems, might not store blobs like this as files. They're free to store the backing contents of these URLs as blobs in relational database tables or NoSQL stores if they wanted to. But this is generally invisible to the package consumer.Competencies demonstrated
(For the sake of discusssion, these examples avoid the UCO rule ending IRIs with UUIDs.)
Competency 1
On a laptop, a directory contains a lone, regular file that contains Python code.
The SHA3-256 hash of this file's contents is
496e34e7fe23cf69f078cd1fe860b98b2e91101194773b2f144656c0bab877c3
.This below snippet characterizes this Python file with concepts predating this restructuring proposal: There is a
File
; separately there is aContentData
; and last there is aRelationship
stating that theFile
contains thatContentData
, for all times that theRelationship
holds. (Let's assume theRelationship
still holds.)Note: This demonstration purposefully avoids attaching a
ContentDataFacet
directly to theFile
.Competency Question 1.1
Which objects, between the
File
,ContentData
andObservableRelationship
, are classified as, or constitute, the following?observable:Application
observable:Code
observable:Script
Result 1.1
TODO
Competency 2
An Ubuntu server runs a service called
mywebapp
. Running the commandservice mywebapp status
reports three tasks associated with the service. The primary task has PID 10001, and two other worker tasks have PIDs 10002 and 10003. A graph containing these objects contains at least the following:(NOTE:
observable:parent
might require a revision to its modeling, due to the potential for processes to become daemons, orphans, zombies - each of which severs the original parent link. The community should consider this an invitation to propose updating practices pertaining toobservable:parent
, and whether deprecation is appropriate.)Competency Question 2.1
Which objects are classified as
observable:Task
s?Result 2.1
kb:Process-10001
kb:Process-10002
kb:Process-10003
Competency Question 2.2
Which objects are classified as
observable:Service
s?Result 2.2
kb:Process-10001
Competency Question 2.3
Which processes are, or were, currently non-primary tasks for the service
kb:Process-10001
? If the process was a task, when is the relationship known to have ended?Note this requires terminable parent-child relationship objects; and also, this example applies a custom string for
core:kindOfRelationship
. (Another proposal about strongly-typedObservableRelationship
s linking child processes to parents would complement this example well.)Result 2.3
Assume that the example is modified to remove these statements (which removes reliance on the mutative
observable:pid
property) ...... and to add these instead:
To motivate modeling terminable relationships, consider this extra example data, which includes a representation that some process was spawned and became detached from the website service:
Then, the query portion pertaining to detached processes would show a process that left home for the holiday:
kb:Process-10002
kb:Process-10003
kb:Process-10987
2023-12-25T08:14:15.9Z
Solution suggestion
This diagram is ported from Issue 583's solution suggestion:
Since the initial implementation sketch of Issue 583, the following changes have been made:
observable:LinuxService
, a subclass ofobservable:Service
and sibling toobservable:WindowsService
, has been added.Coordination
develop
for the next releasedevelop
state with backwards-compatible implementation merged intodevelop-2.0.0
develop-2.0.0
develop
branch updated to track UCO's updateddevelop
branchdevelop-2.0.0
branch updated to track UCO's updateddevelop-2.0.0
branchThe text was updated successfully, but these errors were encountered: