Common Vulnerability Reporting Framework Proposed

May 20, 2011

Back in 2008, a group of five technology providers formed the Industry Consortium for Advancement of Security on the Internet [ICASI]; the original five member companies — Cisco Systems, IBM, Intel, Juniper Networks, and Microsoft — have been joined by Nokia, as a Founding Member, and by Amazon. The idea behind the formation of the effort was to provide a mechanism for cooperative work on security issues.

ICASI will allow IT vendors to work together to address multi-vendor security threats. The consortium will provide a mechanism for international vendor and customer involvement, and allow for a government-neutral way of resolving significant global, multi-product security incidents.

This past week, ICASI has released a free white paper proposing a new Common Vulnerability Reporting Framework [CVRF], which attempts to provide a uniform format for reporting security information. As the white paper points out, some basic standardization of security information has been achieved with, for example, the Common Vulnerabilities and Exposures [CVE] database; but most security information is still produced in a variety of formats, often vendor-specific. The CVRF proposal aims to provide a standard format for this reporting.

The Common Vulnerability Reporting Framework (CVRF) is an XML-based language that is designed to provide a standard format for the dissemination of security-related information. CVRF is intended to replace the myriad of nonstandard vulnerability reporting formats with one format that is machine readable.

Appendix A of the paper contains a list of Frequently Asked Questions.

I think anyone who has had the dubious pleasure of reading through vulnerability reports and security bulletins from multiple vendors would probably agree that the objective of standardizing this information is a worthy one.  It remains to be seen, of course, whether the various participants will get on board.


Memristors’ Workings Elucidated

May 20, 2011

Last fall, I wrote a note about a new business venture between Hewlett-Packard [HP] and Hynix (a Korean electronics manufacturer) to produce memory devices using memristor technology.  The projection that the devices would be commercially available by sometime in 2013 seemed a bit speculative, given the many questions surrounding the development of a new technology.

This week, an article at the BBC News site reports that at least some of the fundamental questions about how memristors work have begun to be answered.  A group of HP researchers has used X-ray techniques to analyze how current flows through the devices, and how the heat produced affects the structure of the materials in the device.

Now, researchers at Hewlett-Packard including the memristor’s discoverer Stan Williams, have analysed the devices using X-rays and tracked how heat builds up in them as current passes through. … The passage of current caused heat deposition, such that the titanium dioxide surrounding the conducting channel actually changed its structure to a non-conducting state.

The research was reported in the journal Nanotechnology [abstract, PDF download available], and examines the chemical, structural, and thermal characteristics of the device as its electrical state changes.

Dr. Williams told the BBC that this information would be of great importance in developing memristor technology.

The detailed knowledge of the nanometre-scale structure of memristors and precisely where heat is deposited will help to inform future engineering efforts, said Dr Williams.

He contrasted this with Thomas Edison’s development of the incandescent light bulb, which was characterized by a series of trial and error experiments. The technology is still very new — memristors were first predicted theoretically in the 1970s, with the first prototype device being built at HP in 2008 — but it has the potential to produce some further amazing gains in electronics’ performance.