CERT/CC: 'Sensational' bug names spark fear, hype – so we'll give flaws our own labels... like Suggestive Bunny
Officials go with randomly selected words with unintentionally hilarious results. Filthy Python, anyone?
Many memorable events get named, whether they're hurricanes, political events, or security incidents like the Morris Worm, which surfaced 32 years ago yesterday.
But named security incidents recently have editorialized their own importance with fear-mongering monikers like Heartbleed (2014), Meltdown, Spectre, and Foreshadow (2018), and Fallout and ZombieLoad (2019).
Not all do so. Less emotionally loaded bug names have been proposed, like CacheOut, CrossTalk, and RIDL, but name-amplified alarmism has become prevalent enough to prompt the infosec experts at the CERT cybersecurity division of Carnegie Mellon University's Software Engineering Institute to intervene.
At the start of the year, the CERT/CC began applying names to Common Vulnerabilities and Exposures (CVE) identifiers, to make them easier to recall and less likely to cause concern.
"Sensational names are often the tool of the discoverers to create more visibility for their work," explained Leigh Metcalf, senior network security research analyst at the CMU's CERT/CC, on Friday. "This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public."
The impetus for the initiative, Metcalf suggests, is that such names shape public policy debates, such as the 2018 US government hearings that mentioned Meltdown and Spectre.
The idea for the project was first presented at BSidesLV 2018.
On January 23, via the Twitter bot dubbed Vulnonym, CERT/CC began proposing randomized adjective-noun combinations for CVE designations. So instead of referring to vulnerabilities like the recent Windows kernel flaw with a yawn-inducing identifier like CVE-2020-17087, the group is proposing auto-assembled nicknames like Unsure Ensemble, Shapeless Screwdriver, and Unmarked Slapstick. And Suggestive Bunny.
Metcalf says the goal is to create "neutral names" that manage to be memorable without commenting on the severity of the flaw.
CERT's naming scheme draws from a list of adjectives and nouns culled from Wiktionary and various word categories like animals, plants, space objects, and so on. The digits of the CVE number are then mapped to a word pair using the Cantor depairing function. The results often sound like Ubuntu Linux release code names.
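To make the mapping concrete, here is an added example (not Vulnonym's own code) of Cantor depairing applied to a CVE number. It assumes the CVE's year and sequence digits are concatenated into one integer and that the two depaired halves index the word lists modulo their length; the word lists are constructed stand-ins, not CERT/CC's.

```python
import math
from typing import Tuple

# Constructed sample word lists (assumption: stand-ins for the
# Wiktionary-derived adjective and noun categories, not the real lists).
ADJECTIVES = ["unsure", "shapeless", "unmarked", "suggestive", "canny", "grizzled"]
NOUNS = ["bunny", "ensemble", "screwdriver", "slapstick", "lumpsucker", "serf"]


def cantor_pair(x: int, y: int) -> int:
    """Cantor pairing function: a bijection from N x N to N."""
    s = x + y
    return s * (s + 1) // 2 + y


def cantor_depair(z: int) -> Tuple[int, int]:
    """Inverse of cantor_pair, in integer arithmetic to avoid float rounding."""
    # w is the largest integer with w*(w+1)/2 <= z (the diagonal z lies on)
    w = (math.isqrt(8 * z + 1) - 1) // 2
    t = w * (w + 1) // 2
    y = z - t
    x = w - y
    return x, y


def cve_to_int(cve_id: str) -> int:
    """Assumption: concatenate year and sequence digits,
    e.g. 'CVE-2020-17087' -> 202017087 (the article does not give the encoding)."""
    prefix, year, seq = cve_id.strip().upper().split("-")
    if prefix != "CVE" or not (year.isdigit() and seq.isdigit()):
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(year + seq)


def neutral_name(cve_id: str) -> str:
    """Map a CVE identifier to an adjective-noun name via Cantor depairing.
    Each half indexes its word list modulo the list length (assumption)."""
    x, y = cantor_depair(cve_to_int(cve_id))
    adjective = ADJECTIVES[x % len(ADJECTIVES)]
    noun = NOUNS[y % len(NOUNS)]
    return f"{adjective.title()} {noun.title()}"
```

Because pairing and depairing are inverses, two different CVE numbers can never collide on the same (x, y) pair; collisions only arise from the modulo step over a finite word list.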
"When tackling this problem, we considered several lists of words to ensure no sensational, scary, or offensive names were included," explained Metcalf, perhaps unaware that CVE-2020-9875 was dubbed Scary Seine.
In an email to The Register, Metcalf and Art Manion, vulnerability analysis technical manager, said they don't really expect their efforts to deter security researchers from trying to brand big bug disclosures.
"We do not have any expectations really, and are looking for responses from both the vulnerability research and other less directly involved communities," they said. "Generating neutral names really only tests whether names are more memorable than numbers (CVE IDs)."
They said they've already received feedback that there's a preference for meaningful names, pointing to how the Zerologon name others applied to CVE-2020-1472 is more apt than the randomized one from Vulnonym, "Wattled Lathe."
"We fully expect researchers to keep naming vulnerabilities and do not intend Vulnonym to somehow supplant those names," they said. "Vulnonym covers the other 99 per cent of vulnerabilities that don't get bespoke names, and also calls attention to the element of FUD that is sometimes incorporated into names."
But neutral language is a challenge because individually innocuous words may become less so in combination and because context matters when it comes to meaning. Some of the names issued invite a snicker on their own, like Canny Lumpsucker.
Others might be seen as provocative, if Grizzled Serf referred to an Amazon-related vulnerability or Filthy Python referred to a flaw in an adult toy. And what to make of Headed Bottom and Perceptive Ejaculate?
At least such issues have been anticipated. Metcalf says there's a simple process to remove offensive names from the data set and regenerate them. She doesn't specify what that process is or propose criteria for assessing objectionable combinations.
Perhaps the complaint process will follow the current standard for customer support – raising a ruckus on social media. ®
Editor's note: An earlier version of this story stated the CERT/CC bug-naming project started last month. We are happy to clarify it began at the turn of the year, and to also include further commentary by Leigh Metcalf and Art Manion.