Make Objects Top-level Entities #108

Open
ikiril01 opened this issue Apr 8, 2015 · 2 comments

ikiril01 commented Apr 8, 2015

We should consider making Objects top-level entities in the MAEC Package, adding an Objects list that will serve as the container for ALL Objects used in the document. Accordingly, this will be the only place where Objects may be defined; all other uses in a Package will be via reference. This entails that all uses of the CybOX ObjectType in the Package will need to be replaced with an ObjectReferenceType (notionally).

This will serve a number of purposes:

  • It will eliminate any confusion as to when Objects should be defined inline or referenced, since this will now be enforced via the data model. All Objects will be defined in the top-level Objects list of the Package and then referenced elsewhere.
  • It will eliminate any ambiguities/issues with Actions that reference Objects used in Malware_Subjects. Currently, an Action that operates on the Object used in a Malware_Subject (for example, if the Action creates the Object used in the Malware_Subject) must reference the Malware_Instance_Object_Attributes of the Malware_Subject (rather than the Malware_Subject directly) via its ID. This is ambiguous because the Action is operating on the Malware_Instance_Object_Attributes rather than another Object. Thus, instead of Action -> Malware_Instance_Object_Attributes, we'll have Action -> Object.
  • It will serve as a container for any Objects that have yet to be analyzed or verified as being malware, thus better aligning with the general malware analysis process of triaging unknown samples and then deciding whether to perform further analysis upon them (i.e. as Malware Subjects).
  • It will make it easier to extract and manipulate Objects, since they will all be in one place.
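
A sketch of the migration this proposal implies, added here as an example and not taken from MAEC or its tooling: it moves inline Object definitions into one top-level list, leaves ID references in their place, and reports references that do not resolve. The dictionary layout and the key names (`objects`, `object`, `object_reference`) are assumptions for illustration, not the MAEC schema.

```python
import copy

# Constructed sample; key names are hypothetical, not the MAEC schema.
DROPPER = {"id": "object-1", "type": "file", "name": "dropper.exe"}
SAMPLE = {
    "malware_subjects": [{"id": "subject-1", "object": DROPPER}],
    "actions": [
        {"id": "action-1", "name": "create file", "object": dict(DROPPER)},
        {"id": "action-2", "name": "delete file", "object_reference": "object-9"},
    ],
}

def hoist_objects(package):
    """Copy the package, replacing inline Objects with references by id."""
    pkg = copy.deepcopy(package)
    registry = {o["id"]: o for o in pkg.pop("objects", [])}

    def walk(node):
        if isinstance(node, list):
            return [walk(n) for n in node]
        if not isinstance(node, dict):
            return node
        out = {}
        for key, value in node.items():
            if key == "object" and isinstance(value, dict):
                # One id must map to exactly one definition.
                if registry.setdefault(value["id"], value) != value:
                    raise ValueError("conflicting definitions: " + value["id"])
                out["object_reference"] = value["id"]
            else:
                out[key] = walk(value)
        return out

    result = walk(pkg)
    result["objects"] = list(registry.values())
    return result

def dangling_references(package):
    """Return referenced ids that the top-level 'objects' list lacks."""
    defined = {o["id"] for o in package.get("objects", [])}
    missing = []
    def walk(node):
        if isinstance(node, dict):
            ref = node.get("object_reference")
            if ref is not None and ref not in defined:
                missing.append(ref)
            node = list(node.values())
        if isinstance(node, list):
            for child in node:
                walk(child)
    walk(package)
    return missing
```
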

bworrell commented Apr 8, 2015

👍

dzbeck commented May 2, 2015

Added proposal placeholder.
