Thanks Scott! Yes, that's the table. We just need to replace CWE-A/B/C with
the actual CWE #s and that will give us a good mapping. I think the
Observed Examples section of the transient execution weaknesses may already
have some of this mapping too.

@Fung, Jason M <jason.m.f...@intel.com> yes this would definitely help a
lot, thanks for resurfacing it.

On Tue, Oct 15, 2024 at 2:34 PM Fung, Jason M <jason.m.f...@intel.com>
wrote:

> Good points, team.
>
>
>
> I would like to clarify that given HW issues are outnumbered by SW issues
> (thankfully), rather than taking all CVEs into consideration, we should
> look into the subset of CVEs that are HW oriented and see which CWEs
> stand out to be the recurring patterns. That’s why Jason Oberg, Chris
> Turner and I submitted a proposal to add tagging to the CVE schema
> <https://github.com/CVEProject/cve-schema/issues/22> to facilitate such
> queries back in March 2021. Unfortunately, despite the effort having been
> initiated 3.5 years ago, it does not seem to have gotten anywhere. Not sure
> if Alec has more visibility.
>
>
>
> - Jason
>
>
>
> *From:* Constable, Scott D <scott.d.consta...@intel.com>
> *Sent:* Tuesday, October 15, 2024 12:03 PM
> *To:* Jason Oberg <ja...@cycuity.com>; Kanuparthi, Arun <
> arun.kanupar...@intel.com>
> *Cc:* Steven M Christey <co...@mitre.org>; Fung, Jason M <
> jason.m.f...@intel.com>; Ford, Thomas <thoma...@dell.com>; HW CWE Special
> Interest Group SIG <hw-cwe-special-interest-group-sig-list@mitre.org>;
> Bob Heinemann <rheinem...@mitre.org>
> *Subject:* RE: [EXT] Re: Hardware CWE Top-N list
>
>
>
> Thanks for recalling this work, Jason! If the list of transient execution
> CWEs would be helpful, it does exist in the public domain:
> https://github.com/CWE-CAPEC/hw-cwe-sig/blob/b14189ceb8b198b040340e504f8d37f16a5799f0/working-docs/transient.md#applying-these-new-cwes-to-a-variety-of-transient-execution-cves
>
>
>
> Regards,
>
>
>
> Scott Constable
>
>
>
> *From:* Jason Oberg <ja...@cycuity.com>
> *Sent:* Tuesday, October 15, 2024 9:54 AM
> *To:* Kanuparthi, Arun <arun.kanupar...@intel.com>
> *Cc:* Steven M Christey <co...@mitre.org>; Fung, Jason M <
> jason.m.f...@intel.com>; Ford, Thomas <thoma...@dell.com>; HW CWE Special
> Interest Group SIG <hw-cwe-special-interest-group-sig-list@mitre.org>;
> Bob Heinemann <rheinem...@mitre.org>
> *Subject:* Re: [EXT] Re: Hardware CWE Top-N list
>
>
>
> Another data point is the work done on the microarchitectural/transient
> execution weaknesses. Scott Constable did a great job of putting together a
> long list of relevant CVEs and the CWE mappings, so we may be able to use
> some of that data as well.
>
>
>
> Perhaps one approach to this "most important HW list" is to start with
> something data centric like hardware advisories (as Arun mentioned) or the
> microarchitectural vulnerabilities then "back fill" the rest through a
> survey of the community like we did before. It's not perfect but would at
> least anchor some of the most important HW CWEs into real observed
> examples.
>
>
>
> On Tue, Oct 15, 2024 at 9:14 AM Kanuparthi, Arun <
> arun.kanupar...@intel.com> wrote:
>
> I’m afraid we can’t go by NVD data alone to get our top HW CWE list as
> many CVEs do not follow the diligent tagging for HW CWEs.
>
>
>
> A lot of security advisories have been published in the past few years
> pertaining to hardware. We will need to eyeball those and make a ballpark
> guess of what the CWE could be. It is time-consuming but might be worth it.
> The Hack@DAC team periodically monitors these advisories to get ideas to
> insert new bugs in the competition. We’d be happy to help.
>
>
>
> -Arun Kanuparthi
>
>
>
> *From:* Steven M Christey <co...@mitre.org>
> *Sent:* Tuesday, October 15, 2024 9:03 AM
> *To:* Oberg, Jason <ja...@cycuity.com>; Fung, Jason M <
> jason.m.f...@intel.com>
> *Cc:* Ford, Thomas <thoma...@dell.com>; HW CWE Special Interest Group SIG
> <hw-cwe-special-interest-group-sig-list@mitre.org>; Bob Heinemann <
> rheinem...@mitre.org>
> *Subject:* RE: [EXT] Re: Hardware CWE Top-N list
>
>
>
> There are no HW-specific CWEs in recent CWE Top 25 lists (derived from NVD
> data), and there’s no indication in this year’s Top 25 work either.
>
>
>
> We can look at some recent NVD data to see how much any particular HW CWE
> is used, but I’ll warn ahead of time that the number will almost certainly
> be very small. Consider that a HW product with a design weakness is going
> against software products with dozens of implementation bugs like SQL
> injection and buffer overflows. Also, many HW products seem to map to
> “classic” non-HW CWEs.
>
>
>
> We can get back to you with some numbers fairly quickly.
>
>
>
> - Steve
>
> *From:* Jason Oberg <ja...@cycuity.com>
> *Sent:* Tuesday, October 8, 2024 6:30 PM
> *To:* Fung, Jason <jason.m.f...@intel.com>
> *Cc:* Ford, Thomas <thoma...@dell.com>; HW CWE Special Interest Group SIG
> <hw-cwe-special-interest-group-sig-list@mitre.org>; Bob Heinemann <
> rheinem...@mitre.org>
> *Subject:* [EXT] Re: Hardware CWE Top-N list
>
> Third! Having a refresh to the TopN for hardware would be great for the
> community.
>
>
>
> On Tue, Oct 8, 2024 at 3:21 PM Fung, Jason M <jason.m.f...@intel.com>
> wrote:
>
> Great point.  I second Tom’s idea.
>
>
>
> *From:* Ford, Thomas <thoma...@dell.com>
> *Sent:* Tuesday, October 8, 2024 1:45 PM
> *To:* hw-cwe-special-interest-group-sig-list@mitre.org
> *Cc:* Bob Heinemann <rheinem...@mitre.org>
> *Subject:* Hardware CWE Top-N list
>
>
>
> Hello,
>
> I would like to bring up a topic to the group about the Most Important
> Hardware Weakness list now that it’s a few years old.
>
>
>
> I’ve been looking into the question of which HW CWEs have been referenced
> from CVEs to date, and are those CWEs on the Top N list?
>
> Should we revisit the Top N list based on what is being reported to CVE?
>
>
>
> I’m curious about what insights others have on this.
>
>
>
> Thanks,
>
> Tom Ford

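The thread asks which HW CWEs CVEs actually reference, whether those are on the Top-N list, and how many CVEs carry no usable CWE tag at all. Below is an added example (not from anyone on the thread) that answers those three questions over NVD API 2.0 style JSON; the HW CWE set, the Top-N set and the CVE records are constructed placeholders, so substitute the real CWE-1194 view members, the published Top-N list and a real NVD export.

```python
"""Tally HW CWE references across NVD-style CVE records (added example).

Assumes the NVD API 2.0 JSON layout:
vulnerabilities[].cve.weaknesses[].description[].value == "CWE-NNNN".
"""
import json
from collections import Counter

# Constructed placeholder sets: replace with the CWE-1194 hardware view
# members and the published Most Important Hardware Weaknesses list.
HW_CWES = {"CWE-1189", "CWE-1191", "CWE-1240", "CWE-1256", "CWE-1300"}
TOP_N = {"CWE-1189", "CWE-1191", "CWE-1256"}

# Constructed sample records in NVD API 2.0 shape; the CVE ids are fake.
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-1240"}]},
        {"source": "vendor", "type": "Secondary",
         "description": [{"lang": "en", "value": "CWE-1240"}]}]}},
    {"cve": {"id": "CVE-0000-0002", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-787"}]}]}},
    {"cve": {"id": "CVE-0000-0003", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-1189"}]}]}},
    {"cve": {"id": "CVE-0000-0004", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
]})


def cwes_per_cve(nvd_json):
    """Map CVE id -> set of CWE ids; a CWE counts once per CVE even when
    several sources tag it, and NVD-CWE-noinfo/Other are treated as no tag."""
    out = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        out[cve["id"]] = {d["value"] for w in cve.get("weaknesses", [])
                          for d in w["description"]
                          if d["value"].startswith("CWE-")}
    return out


def hw_cwe_report(nvd_json, hw_cwes=HW_CWES, top_n=TOP_N):
    """Count HW CWE references, split by Top-N membership, list untagged CVEs."""
    counts, untagged = Counter(), []
    for cve_id, ids in cwes_per_cve(nvd_json).items():
        counts.update(ids & hw_cwes)
        if not ids:
            untagged.append(cve_id)
    return {"on_top_n": {c: n for c, n in counts.items() if c in top_n},
            "hw_not_on_top_n": {c: n for c, n in counts.items() if c not in top_n},
            "top_n_never_seen": sorted(top_n - set(counts)),
            "cves_without_cwe": untagged}
```

The "cves_without_cwe" bucket is the sizing check for Arun's concern: if it dominates, NVD tagging alone cannot rank HW CWEs and advisories have to be read by hand.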