Most people will immediately recognize CVE-2014-0160 as a vulnerability, but few will know which vulnerability it refers to. Call it Heartbleed, however, and more people will know more about it. That’s the strength of natural language over numbers — humans remember words more easily than numbers. It’s the same argument as that for using domain names rather than IP addresses for web browsing.
The weakness, however, is that natural language words carry emotive undertones, and that is a concern for Leigh Metcalf at Carnegie Mellon’s Software Engineering Institute. She worries that some vulnerability discoverers choose to name their discoveries purely for maximum media impact rather than accurately reflecting the severity of the flaw — which could lead to worry, or even fear, among users. Other examples she specifically mentions are Spectre, Meltdown, and Dirty Cow.
“This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public,” she blogs. The reasoning is similar to that of the technical director of the NCSC, Ian Levy, who wrote in November 2016, “One thing that’s missing in cyber security is unbiased data… It’s time to stop talking about what the winged ninja cyber monkeys can do and… be in a place where the skilled network defender community are free to tackle the really nasty stuff.”
CERT/CC set itself the task of automatically generating natural language descriptors to represent CVE numbers, but without any emotive bias. “Our goal,” writes Metcalf, “is to create neutral names that provide a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is.”
To achieve this, CERT/CC decided to ‘randomly’ pair an adjective with a noun, acquiring both word lists from Wiktionary “and categories of words such as animals, plants, objects in space, and more.” Word pairs are then mapped to the CVE IDs using the Cantor Depairing Function, which allows a natural number to be mapped to two natural numbers uniquely.
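As an added illustration (not CERT/CC's code), the depairing step described above can be sketched in Python. The word lists and the `name_for` helper are constructed for the example, and the input is taken to be a natural number already, since the article does not say how a CVE ID is turned into one.

```python
from math import isqrt

# Constructed sample word lists (assumption); the article says the real lists
# come from Wiktionary but does not reproduce them.
ADJECTIVES = ["amber", "brisk", "calm", "dusty", "eager", "faint", "glad", "hazy"]
NOUNS = ["acorn", "birch", "comet", "dune", "ember", "fern", "gull", "heron"]


def cantor_pair(x: int, y: int) -> int:
    """Cantor pairing: the single natural number that encodes (x, y)."""
    return (x + y) * (x + y + 1) // 2 + y


def cantor_unpair(z: int) -> tuple[int, int]:
    """Cantor depairing: the unique (x, y) with cantor_pair(x, y) == z."""
    if z < 0:
        raise ValueError("z must be a natural number")
    w = (isqrt(8 * z + 1) - 1) // 2  # diagonal x + y = w that contains z
    y = z - w * (w + 1) // 2         # offset of z along that diagonal
    return w - y, y


def name_for(n: int, adjectives=ADJECTIVES, nouns=NOUNS) -> str:
    """Hypothetical helper: name the natural number n as 'Adjective Noun'.

    Indices are never wrapped with a modulo: wrapping would let two numbers
    share a name, which defeats the uniqueness the depairing provides.
    """
    x, y = cantor_unpair(n)
    if x >= len(adjectives) or y >= len(nouns):
        raise ValueError(f"word lists too short for n={n}: need indices ({x}, {y})")
    return f"{adjectives[x].title()} {nouns[y].title()}"


if __name__ == "__main__":
    for n in (0, 1, 2, 47):
        print(n, cantor_unpair(n), name_for(n))
```

Because the depairing walks the diagonals x + y = 0, 1, 2, ..., the largest index needed grows roughly with the square root of 2n, so the word lists have to be sized for the largest number that will ever be named.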
The results of the process can be seen on Twitter (@vulnonym, which is “a bot for generating names for CVE IDs”). Recent examples include Privileged Ukulele for CVE-2020-16006; Collected Camp for CVE-2020-16002; and Shielded Agnus for CVE-2020-16001. The new naming convention clearly carries no apparent emotive bias, but much still needs to be done on the project, and it is not entirely clear that two disconnected words are any better than one emotive word.
There is also the possibility that an automated bot can generate an entirely unacceptable combination. “In case anyone considers a word or name to be offensive,” writes Metcalf, “we have a simple process to remove it from the corpus and re-generate a name.” However, what is inoffensive to one person could be very offensive to another. For example, one @vulnonym tweet reads, “My real name is CVE-2020-15996 but all my friends call me Brisk Squirt.” Brisk Squirt, incidentally, is entirely inoffensive to me. It (CVE-2020-15996) is a high-risk use-after-free vulnerability in passwords in Chrome for Android, fixed in Chrome 86 (86.0.4240.99) for Android.
@vulnonym is currently described as an experiment, and CERT/CC asks users to “let us know if this naming experiment is useful.” However, many of the researching vendors who discover vulnerabilities are primarily motivated by the marketing potential of an emotive description — they may be reluctant to give up exposing MeltdownPlus in favor of Brisk Squirt. Only time will tell whether this naming experiment proves worth the effort, or if the project gets consigned to the Ministry of Silly Names.