From 690989363e12781681ad2beb4d2b9e4e0b9bf480 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Wed, 19 Oct 2022 11:49:19 +0200 Subject: [PATCH 01/21] Rework comments to refer to associated assets as such rather than connected to avoid confusion. --- src/main/mal/ComputeResources.mal | 17 ++++++++--------- src/main/mal/DataResources.mal | 2 +- src/main/mal/HardwareVulnerability.mal | 2 +- src/main/mal/IAM.mal | 2 +- src/main/mal/SoftwareVulnerability.mal | 4 ++-- 5 files changed, 13 insertions(+), 14 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index e0db63b..64beb87 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -29,7 +29,7 @@ category ComputeResources { -> useVulnerability | useVulnerability - user info: "The attacker is able to use the connected vulnerabilities, usually as a result of obtaining physical access." + user info: "The attacker is able to use the associated vulnerabilities, usually as a result of obtaining physical access." -> vulnerabilities.attemptAbuse | spreadWormViaRemovableMedia @hidden @@ -202,7 +202,7 @@ category ComputeResources { successfulDeny | attemptUseVulnerability @hidden - developer info: "Attempt to use the connected vulnerabilities, when able to locally or via network connect to the application or when local interaction is possible." + developer info: "Attempt to use the associated vulnerabilities, when able to locally or via network connect to the application or when local interaction is possible." -> successfulUseVulnerability, protectorIDPSs.bypassEffectiveness @@ -211,7 +211,7 @@ category ComputeResources { -> useVulnerability | useVulnerability - user info: "Attempt to exploit the connected vulnerabilities." + user info: "Attempt to exploit the associated vulnerabilities." -> allVulnerabilities().attemptAbuse, attemptSoftwareProductAbuse, fullAccessAfterSoftProdVulnerability, 
@@ -244,19 +244,18 @@ category ComputeResources { user info: "An attacker with low-privilege access on the executing instance is assumed to be able to locally (on the same host i.e. using loopback) interact with the application." -> localAccess, specificAccessFromLocalConnection, - attemptUseVulnerability, // Connection to all possible vulnerabilities that might be connected to the Application + attemptUseVulnerability, // Attempt to exploit all the vulnerabilities associated with the Application allVulnerabilities().localAccessAchieved, softwareProductVulnerabilityLocalAccessAchieved | networkConnectUninspected user info: "An attacker can connect to any network exposed application and attempt to authenticate or trigger vulnerabilities." - -> attemptUseVulnerability, // Connection to all possible vulnerabilities that might be connected to the Application + -> attemptUseVulnerability, // Attempt to exploit all the vulnerabilities associated with the Application allVulnerabilities().networkAccessAchieved, softwareProductVulnerabilityNetworkAccessAchieved, networkConnect, specificAccessNetworkConnect - | networkConnectInspected user info: "This attack step is used if the network connection occurs via a ConnectionRule that has its payload inspected, in which case the attacker can still authenticate, but they cannot trigger vulnerabilities." -> networkConnect, 
@@ -303,13 +302,13 @@ category ComputeResources { developer info: "An attacker with low-privilege access on the executing instance is assumed to be able to locally (on the same host i.e. using loopback) interact with the executed applications." -> appExecutedApps.localConnect, // But also achieve localConnect on all child applications (this is something that needs to be reviewed again at a later stage) attemptLocalConnectVulnOnHost, - attemptUseVulnerability, // Connection to all possible vulnerabilities that might be connected to the Application + attemptUseVulnerability, // Attempt to exploit all the vulnerabilities associated with the Application containedData.authorizedAccessFromApplication, // This also enables the use of compromised permissions but only after specificAccess is reached sentData.authorizedReadFromApplication, // Both Data sent and received can be read receivedData.authorizedReadFromApplication, sentData.authorizedWriteFromApplication, // But only sent Data can be written attemptApplicationRespondConnectThroughData, - accessNetworkAndConnections // and access the network(s) and connections on/to which the app is connected + accessNetworkAndConnections // and access the network(s) and connections on/to which the app is connected | attemptLocalConnectVulnOnHost [HardAndUncertain] user info: "The attacker is able to break out of an application container/sandbox and try to exploit any vulnerability of the hypervisor/host application" @@ -432,7 +431,7 @@ category ComputeResources { -> denyAfterSoftProdVulnerability E softwareCheck @hidden - user info: "Existence attack step to only allow the connected attacks steps only if a SoftwareProduct is associated." + user info: "Only enable the following attacks steps if a SoftwareProduct is associated with this Application." <- appSoftProduct -> fullAccessAfterSoftProdVulnerability, readAfterSoftProdVulnerability, 
diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index b31646a..53c2bf5 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal @@ -154,7 +154,7 @@ category DataResources { successfulDelete # dataNotPresent [Disabled] - user info: "It should be used to model the probability of data actually not existing on the connected container (i.e. Hardware, Application, Connection, etc.)." + user info: "It should be used to model the probability of data actually not existing on the associated container (i.e. Hardware, Application, Network, etc.)." developer info: "This attack step is in series with the 'accessUnencryptedData' attack step because there is no reason to defend encrypted data (or deny them) if they do not exist..." -> access, applicationRespondConnect, diff --git a/src/main/mal/HardwareVulnerability.mal b/src/main/mal/HardwareVulnerability.mal index 63cbae9..3b4e07c 100644 --- a/src/main/mal/HardwareVulnerability.mal +++ b/src/main/mal/HardwareVulnerability.mal @@ -75,5 +75,5 @@ category Vulnerability { associations { HardwareVulnerability [vulnerabilities] * <-- hardwareVulnerability --> 0..1 [hardware] Hardware - developer info: "Every Application can also be connected to any Vulnerability." + developer info: "A Hardware system/component can have multiple hardware vulnerabilities." } diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index 00e7135..d02e36f 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal 
@@ -99,7 +99,7 @@ category IAM { asset Privileges extends IAMObject user info: "A privileges asset can be associated with an identity to group a set of given privileges on Applications and Data." - modeller info: "The privileges asset is not meant to be used normally when assigning permissions. Identities and Groups should be directly connected to the relevant assets. The purpose of the Privileges asset is to be used as a speculative asset when reasoning about additional privileges that a particular Group or Identity may have as a result of either poor configurations or the attacker's actions." + modeller info: "The privileges asset is not meant to be used normally when assigning permissions. Identities and Groups should be directly associated with the relevant assets. The purpose of the Privileges asset is to be used as a speculative asset when reasoning about additional privileges that a particular Group or Identity may have as a result of either poor configurations or the attacker's actions." { | assume @Override {C,I,A} user info: "After authentication or compromise of an account/identity, assume its privileges." diff --git a/src/main/mal/SoftwareVulnerability.mal b/src/main/mal/SoftwareVulnerability.mal index 3d86af6..d5fe4e3 100644 --- a/src/main/mal/SoftwareVulnerability.mal +++ b/src/main/mal/SoftwareVulnerability.mal @@ -139,7 +139,7 @@ category Vulnerability { associations { SoftwareVulnerability [vulnerabilities] * <-- ApplicationVulnerability --> 0..1 [application] Application - developer info: "Every Application can also be connected to any Vulnerability." + developer info: "An Application can have multiple software vulnerabilities." SoftwareVulnerability [softProductVulnerabilities] * <-- ApplicationVulnerability --> 0..1 [softwareProduct] SoftwareProduct - developer info: "Every SoftwareProduct can also be connected to any Vulnerability." + developer info: "A SoftwareProduct can have multiple software vulnerabilities." } 
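Review bot: in PATCH 01/21, the DataResources.mal hunk at @@ -154,7 +154,7 @@ does more than the subject line says: besides changing "connected" to "associated", it swaps "Connection" for "Network" in the example list of the dataNotPresent defense, which changes which asset types that text documents; either call that out in the commit message or split it into its own change. While that line is being rewritten, "(i.e. Hardware, Application, Network, etc.)" should read "(e.g. Hardware, Application, Network, etc.)", since it lists examples rather than an exhaustive definition. The ComputeResources.mal hunks at @@ -244,19 +244,18 @@ and @@ -303,13 +302,13 @@ also carry whitespace-only edits (a blank line dropped before `| networkConnectInspected`, and an `accessNetworkAndConnections` comment line whose removed and added forms read identically), which are unrelated to the comment rewording and make the diff noisier than a comments-only commit needs to be.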
From a7f0c3b172c5c6f4d5ac2a8ea97f99aa2e7c83c1 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Thu, 20 Oct 2022 17:12:31 +0200 Subject: [PATCH 02/21] Reword comments that describe non-attempt attack steps to avoid confusion. --- src/main/mal/ComputeResources.mal | 11 +++++------ src/main/mal/DataResources.mal | 2 +- src/main/mal/HardwareVulnerability.mal | 2 +- src/main/mal/IAM.mal | 2 +- src/main/mal/coreVulnerability.mal | 2 +- 5 files changed, 9 insertions(+), 10 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 64beb87..740a0cb 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -33,9 +33,8 @@ category ComputeResources { -> vulnerabilities.attemptAbuse | spreadWormViaRemovableMedia @hidden - developer info: "Attempt to spread malware via removable media that the users connect to the hardware system." - -> users.attemptDeliverMaliciousRemovableMedia, - physicalZones.users.attemptDeliverMaliciousRemovableMedia + developer info: "Try to spread malware via removable media that the users connect to the hardware system." + -> (users \/ physicalZones.users).attemptDeliverMaliciousRemovableMedia | attemptFullAccess @hidden developer info: "Intermediate attack step to allow for defences." @@ -211,7 +210,7 @@ category ComputeResources { -> useVulnerability | useVulnerability - user info: "Attempt to exploit the associated vulnerabilities." + user info: "Try to exploit the associated vulnerabilities." -> allVulnerabilities().attemptAbuse, attemptSoftwareProductAbuse, fullAccessAfterSoftProdVulnerability, 
@@ -249,7 +248,7 @@ category ComputeResources { softwareProductVulnerabilityLocalAccessAchieved | networkConnectUninspected - user info: "An attacker can connect to any network exposed application and attempt to authenticate or trigger vulnerabilities." + user info: "An attacker can connect to any network exposed application and try to authenticate or trigger vulnerabilities." -> attemptUseVulnerability, // Attempt to exploit all the vulnerabilities associated with the Application allVulnerabilities().networkAccessAchieved, softwareProductVulnerabilityNetworkAccessAchieved, @@ -504,7 +503,7 @@ category ComputeResources { -> applicationRespondConnectThroughData | applicationRespondConnectThroughData @hidden - user info: "After access on the application the contained data or data in transit can be used to attempt a respond connect to the client side application." + user info: "After access on the application the contained data or data in transit can be used to try a connect via Respond to the client side application." modeler info: "This is an intermediate attack step that groups connections to attack steps." -> receivedData.attemptApplicationRespondConnect diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index 53c2bf5..e62dc7e 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal @@ -99,7 +99,7 @@ category DataResources { -> access | authorizedAccessFromApplication - user info: "Attempt to gain access to the data through permissions." + user info: "Try to gain access to the data through permissions." -> authorizedReadFromApplication, authorizedWriteFromApplication, authorizedDeleteFromApplication diff --git a/src/main/mal/HardwareVulnerability.mal b/src/main/mal/HardwareVulnerability.mal index 3b4e07c..a19af43 100644 --- a/src/main/mal/HardwareVulnerability.mal +++ b/src/main/mal/HardwareVulnerability.mal 
@@ -36,7 +36,7 @@ category Vulnerability { # effortRequiredToExploit @suppress [Disabled] user info: "The vulnerability requires additional effort(time) from the attacker in order to be successful." - modeler info: "The expectation is that the attacker has prolonged or recurring access to the targeted hardware in order to repeatedly/continuously attempt the exploit." + modeler info: "The expectation is that the attacker has prolonged or recurring access to the targeted hardware in order to repeatedly/continuously try the exploit." -> exploitTrivially & read diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index d02e36f..a6c0979 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal @@ -222,7 +222,7 @@ category IAM { -> guessCredentials & guessCredentials [HardAndUncertain] - user info: "The attacker can attempt to just guess a set of credentials. The likelihood of succeeding is depend on how strong the credentials are." + user info: "The attacker can try to just guess a set of credentials. The likelihood of succeeding is dependent on how strong the credentials are." modeller info: "The guessability of the Credentials is influenced by the notGuessable defence on this asset and the securityAwareness defence on the User associated with the Identity that these Credentials belong to. If either the User or Identity associations are missing the assumption is made that the crentials are guessable and only the notGuessable defence would play a role in restricting this attack step." developer info: "We should research the probability we want to use for this attack step more." -> attemptUse diff --git a/src/main/mal/coreVulnerability.mal b/src/main/mal/coreVulnerability.mal index 066dd79..02047b3 100644 --- a/src/main/mal/coreVulnerability.mal +++ b/src/main/mal/coreVulnerability.mal 
@@ -28,7 +28,7 @@ category Vulnerability { -> abuse & abuse - user info: "The attacker is attempting to abuse a vulnerability in an asset." + user info: "The attacker is trying to abuse a vulnerability in an asset." -> attemptExploit | attemptExploit @hidden From 2ce0c73e7abff342b4b29992aafe08c933ccaba7 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Thu, 20 Oct 2022 17:55:09 +0200 Subject: [PATCH 03/21] Change British spelling of modeler and defense to their American counterparts for uniformity. --- src/main/mal/ComputeResources.mal | 44 +++++++++++++------------- src/main/mal/DataResources.mal | 10 +++--- src/main/mal/HardwareVulnerability.mal | 6 ++-- src/main/mal/IAM.mal | 10 +++--- src/main/mal/Networking.mal | 14 ++++---- src/main/mal/User.mal | 8 ++--- 6 files changed, 46 insertions(+), 46 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 740a0cb..7beab38 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -20,12 +20,12 @@ category ComputeResources { user info: "Specifies the hardware on which applications can run." { | attemptUseVulnerability @hidden - developer info: "Intermediate attack step to allow for defences." + developer info: "Intermediate attack step to allow for defenses." -> successfulUseVulnerability, bypassHardwareModificationsProtection & successfulUseVulnerability @hidden - developer info: "Intermediate attack step to enable defences." + developer info: "Intermediate attack step to enable defenses." -> useVulnerability | useVulnerability 
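Review bot: in PATCH 02/21, the spreadWormViaRemovableMedia hunk in ComputeResources.mal (@@ -33,9 +33,8 @@) changes code, not only a comment: the two reach targets `users.attemptDeliverMaliciousRemovableMedia` and `physicalZones.users.attemptDeliverMaliciousRemovableMedia` are folded into `(users \/ physicalZones.users).attemptDeliverMaliciousRemovableMedia`. The set union should be equivalent, but a subject of "Reword comments" hides a refactor; mention it in the message or move it to its own commit so a later bisect does not have to read every hunk. In the IAM.mal guessCredentials hunk, the "is depend on" fix is good, but the modeller info line directly below (left unchanged) still says "crentials", which this wording pass should pick up. In the applicationRespondConnectThroughData hunk, "try a connect via Respond to the client side application" reads awkwardly; "try to reach the client-side application through a respond connect" keeps the meaning and the attack-step name.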
@@ -37,11 +37,11 @@ category ComputeResources { -> (users \/ physicalZones.users).attemptDeliverMaliciousRemovableMedia | attemptFullAccess @hidden - developer info: "Intermediate attack step to allow for defences." + developer info: "Intermediate attack step to allow for defenses." -> successfulFullAccess & successfulFullAccess @hidden - developer info: "Intermediate attack step to enable defences." + developer info: "Intermediate attack step to enable defenses." -> fullAccess | fullAccess {C,I,A} @@ -51,12 +51,12 @@ category ComputeResources { spreadWormViaRemovableMedia | attemptSupplyChainAttack - developer info: "Intermediate attack step to allow for the auditing defence." + developer info: "Intermediate attack step to allow for the auditing defense." -> successfulSupplyChainAttack, bypassSupplyChainAuditing & successfulSupplyChainAttack @hidden - developer info: "Intermediate attack step to enable defences." + developer info: "Intermediate attack step to enable defenses." -> supplyChainAttack | supplyChainAttack [VeryHardAndUncertain] @@ -91,7 +91,7 @@ category ComputeResources { bypassHardwareModificationsProtection & successfulHardwareModifications @hidden - developer info: "Intermediate attack step to enable defences." + developer info: "Intermediate attack step to enable defenses." -> hardwareModifications | hardwareModifications 
@@ -100,7 +100,7 @@ category ComputeResources { sysExecutedApps.physicalAccessAchieved # hardwareModificationsProtection - user info: "This defence protects against unauthorized modifications to the hardware that would allow an attacker to exploit a hardware vulnerability or a user to connect malicious devices to it." + user info: "This defense protects against unauthorized modifications to the hardware that would allow an attacker to exploit a hardware vulnerability or a user to connect malicious devices to it." developer info: "But it does not protect against denial of service attacks or local connect." -> hardwareModificationsProtectionBypassed @@ -116,12 +116,12 @@ category ComputeResources { successfulUnsafeUserActivity | attemptUnsafeUserActivity - user info: "Intermediate attack step that allows for the hardware modifications defence to reduce the impact of unsafe user activity." + user info: "Intermediate attack step that allows for the hardware modifications defense to reduce the impact of unsafe user activity." -> successfulUnsafeUserActivity, bypassHardwareModificationsProtection & successfulUnsafeUserActivity @hidden - developer info: "Intermediate attack step to enable defences." + developer info: "Intermediate attack step to enable defenses." -> unsafeUserActivity | unsafeUserActivity 
@@ -220,11 +220,11 @@ category ComputeResources { | attemptReverseReach developer info: "This attack step needs to be called in order to have reverse reach start propagating from this Application to the rest of the assets." - modeller info: "No other attack step on the Application asset triggers this attack step which means that it must be explicitly triggered by the modeller if the attacker is assumed to have reverse reachability on it." + modeler info: "No other attack step on the Application asset triggers this attack step which means that it must be explicitly triggered by the modeler if the attacker is assumed to have reverse reachability on it." -> successfulReverseReach & successfulReverseReach @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> reverseReach | reverseReach @hidden @@ -279,7 +279,7 @@ category ComputeResources { clientApplicationConnections().attemptAccessNetworksInspected | attemptNetworkConnectViaResponse - developer info: "Intermediate attack step to handle defences." + developer info: "Intermediate attack step to handle defenses." -> networkConnectViaResponse & networkConnectViaResponse [VeryHardAndUncertain] @@ -368,7 +368,7 @@ category ComputeResources { protectorIDPSs.bypassEffectiveness & successfulUnsafeUserActivity @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> unsafeUserActivity | unsafeUserActivity @@ -499,7 +499,7 @@ category ComputeResources { -> successfulApplicationRespondConnectThroughData & successfulApplicationRespondConnectThroughData @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> applicationRespondConnectThroughData | applicationRespondConnectThroughData @hidden 
@@ -512,7 +512,7 @@ category ComputeResources { -> successfulRead & successfulRead @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> read | read {C} @@ -526,7 +526,7 @@ category ComputeResources { -> successfulModify & successfulModify @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> modify | modify {I} @@ -538,7 +538,7 @@ category ComputeResources { -> successfulDeny & successfulDeny @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> deny | deny {A} 
@@ -560,12 +560,12 @@ category ComputeResources { user info: "An IDPS is tasked with protecting other applications from malicious activity." { # disabled @Override @hidden [Disabled] - modeller info: "As per the comment for the effectiveness defence, the disabled defence does not function as desired for the IDPS asset and should not be used. The effectiveness defence should be adjusted to reflect the likelihood that the IDPS is present instead." - developer info: "It would be ideal to hide this defence when using modelling tools to avoid confusion." + modeler info: "As per the comment for the effectiveness defense, the disabled defense does not function as desired for the IDPS asset and should not be used. The effectiveness defense should be adjusted to reflect the likelihood that the IDPS is present instead." + developer info: "It would be ideal to hide this defense when using modelling tools to avoid confusion." # effectiveness [Enabled] - user info: "The effectiveness defence represents how capable the IDPS is to prevent disruptions from occurring on the associated applications." - modeller info: "The disabled defence should inversely impact the effectiveness defence. However, because this is not currently implemented in coreLang it is up to the modeller to properly take this into account when setting the values of these defences." + user info: "The effectiveness defense represents how capable the IDPS is to prevent disruptions from occurring on the associated applications." + modeler info: "The disabled defense should inversely impact the effectiveness defense. However, because this is not currently implemented in coreLang it is up to the modeler to properly take this into account when setting the values of these defenses." -> effectivenessBypassed | bypassEffectiveness [VeryHardAndUncertain] diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index e62dc7e..532a7e5 100644 --- a/src/main/mal/DataResources.mal 
+++ b/src/main/mal/DataResources.mal @@ -43,23 +43,23 @@ category DataResources { -> successfulExtractFromReplica & successfulReadFromReplica @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> read & successfulWriteFromReplica @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> write & successfulDeleteFromReplica @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> delete & successfulDenyFromReplica @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> deny & successfulExtractFromReplica @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> extract | read diff --git a/src/main/mal/HardwareVulnerability.mal b/src/main/mal/HardwareVulnerability.mal index a19af43..94c3e6a 100644 --- a/src/main/mal/HardwareVulnerability.mal +++ b/src/main/mal/HardwareVulnerability.mal 
@@ -21,17 +21,17 @@ category Vulnerability { { # confidentialityImpactLimitations @suppress [Disabled] user info: "Limits the impact on confidentiality of the vulnerability." - modeler info: "Analogous defence to the SoftwareVulnerability impact limitations." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." -> read # availabilityImpactLimitations @suppress [Disabled] user info: "Limits the impact on availability of the vulnerability." - modeler info: "Analogous defence to the SoftwareVulnerability impact limitations." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." -> deny # integrityImpactLimitations @suppress [Disabled] user info: "Limits the impact on integrity of the vulnerability." - modeler info: "Analogous defence to the SoftwareVulnerability impact limitations." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." -> modify # effortRequiredToExploit @suppress [Disabled] diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index a6c0979..241b8ad 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal @@ -56,7 +56,7 @@ category IAM { -> successfulLockout & successfulLockout @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> lockout | lockout {A} @@ -84,7 +84,7 @@ category IAM { -> successfulLockoutFromCredentials & successfulLockoutFromCredentials @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> lockout | lockout 
@@ -99,7 +99,7 @@ category IAM { asset Privileges extends IAMObject user info: "A privileges asset can be associated with an identity to group a set of given privileges on Applications and Data." - modeller info: "The privileges asset is not meant to be used normally when assigning permissions. Identities and Groups should be directly associated with the relevant assets. The purpose of the Privileges asset is to be used as a speculative asset when reasoning about additional privileges that a particular Group or Identity may have as a result of either poor configurations or the attacker's actions." + modeler info: "The privileges asset is not meant to be used normally when assigning permissions. Identities and Groups should be directly associated with the relevant assets. The purpose of the Privileges asset is to be used as a speculative asset when reasoning about additional privileges that a particular Group or Identity may have as a result of either poor configurations or the attacker's actions." { | assume @Override {C,I,A} user info: "After authentication or compromise of an account/identity, assume its privileges." 
@@ -208,7 +208,7 @@ category IAM { -> weakCredentials | weakCredentials @hidden - developer info: "Intermediate step used to represent how weak the credentials the user employs are. This is inversely related to the securityAwareness defence on the User asset associated with the Identity to which these Credentials belong. If either the User or Identity associations are missing the assumption is made that the crentials are weak and therefore guessable by the attacker." + developer info: "Intermediate step used to represent how weak the credentials the user employs are. This is inversely related to the securityAwareness defense on the User asset associated with the Identity to which these Credentials belong. If either the User or Identity associations are missing the assumption is made that the crentials are weak and therefore guessable by the attacker." -> guessCredentials, requiredFactors.weakCredentials 
@@ -223,7 +223,7 @@ category IAM { & guessCredentials [HardAndUncertain] user info: "The attacker can try to just guess a set of credentials. The likelihood of succeeding is dependent on how strong the credentials are." - modeller info: "The guessability of the Credentials is influenced by the notGuessable defence on this asset and the securityAwareness defence on the User associated with the Identity that these Credentials belong to. If either the User or Identity associations are missing the assumption is made that the crentials are guessable and only the notGuessable defence would play a role in restricting this attack step." + modeler info: "The guessability of the Credentials is influenced by the notGuessable defense on this asset and the securityAwareness defense on the User associated with the Identity that these Credentials belong to. If either the User or Identity associations are missing the assumption is made that the crentials are guessable and only the notGuessable defense would play a role in restricting this attack step." developer info: "We should research the probability we want to use for this attack step more." -> attemptUse } diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index b686cda..9479251 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
@@ -35,12 +35,12 @@ category Networking { bypassManInTheMiddleDefenseViaPhysicalAccess | bypassEavesdropDefenseViaPhysicalAccess @hidden [VeryHardAndUncertain] - modeller info: "The eavesdrop defense can be bypassed more easily if the attacker has physical access to the network." + modeler info: "The eavesdrop defense can be bypassed more easily if the attacker has physical access to the network." developer info: "The probability distribution for this attack step needs to be researched more. This attack step will add its impact to the existing regular bypass." -> eavesdropDefenseBypassed | bypassManInTheMiddleDefenseViaPhysicalAccess @hidden [VeryHardAndUncertain] - modeller info: "The man in the middle defense can be bypassed more easily if the attacker has physical access to the network." + modeler info: "The man in the middle defense can be bypassed more easily if the attacker has physical access to the network." developer info: "The probability distribution for this attack step needs to be researched more. This attack step will add its impact to the existing regular bypass." -> manInTheMiddleDefenseBypassed @@ -145,7 +145,7 @@ category Networking { bypassEavesdropDefense & successfulEavesdrop @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> eavesdrop | eavesdrop {C} @@ -171,7 +171,7 @@ category Networking { bypassManInTheMiddleDefense & successfulManInTheMiddle @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> manInTheMiddle | manInTheMiddle {C, I} 
@@ -203,7 +203,7 @@ category Networking { let serverApplications = (applications \/ inApplications) # restricted [Disabled] - user info: "The restricted defence can be used to probabilistically model the likelihood of both the protocols required by the attack being enabled or the existence of the ConnectionRule altogether." + user info: "The restricted defense can be used to probabilistically model the likelihood of both the protocols required by the attack being enabled or the existence of the ConnectionRule altogether." -> restrictedBypassed | bypassRestricted [VeryHardAndUncertain] @@ -258,11 +258,11 @@ category Networking { bypassRestricted & successfulAccessNetworksUninspected @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> accessNetworksUninspected & successfulAccessNetworksInspected @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> accessNetworksInspected | accessNetworksUninspected diff --git a/src/main/mal/User.mal b/src/main/mal/User.mal index fdfa1dc..1715c8c 100644 --- a/src/main/mal/User.mal +++ b/src/main/mal/User.mal @@ -52,7 +52,7 @@ category User { -> userIds.credentials.attemptCredentialsReuse | weakCredentials @hidden - developer info: "Intermediate attack step that defines the strength of all of the Credentials associated with the user. This is inversely proportional with the user's securityAwareness defence." + developer info: "Intermediate attack step that defines the strength of all of the Credentials associated with the user. This is inversely proportional with the user's securityAwareness defense." -> userIds.credentials.weakCredentials | attemptSocialEngineering 
@@ -61,7 +61,7 @@ category User { bypassSecurityAwareness & successfulSocialEngineering @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> socialEngineering | socialEngineering @hidden @@ -76,7 +76,7 @@ category User { bypassSecurityAwareness & successfulDeliverMaliciousRemovableMedia @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> deliverMaliciousRemovableMedia | deliverMaliciousRemovableMedia @hidden [Exponential(0.01)] @@ -105,7 +105,7 @@ category User { bypassSecurityAwareness & successfulUnsafeUserActivity @hidden - developer info: "Intermediate attack step to model defences." + developer info: "Intermediate attack step to model defenses." -> unsafeUserActivity | unsafeUserActivity @hidden [Exponential(0.03)] From 9cc87047c03536bb1b2e64fed28f3c6bdd47aed5 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Fri, 21 Oct 2022 20:24:33 +0200 Subject: [PATCH 04/21] Reword info texts for attempt and successful attack steps to be uniform. --- src/main/mal/ComputeResources.mal | 68 ++++++++++--------- src/main/mal/DataResources.mal | 35 +++++----- src/main/mal/HardwareVulnerability.mal | 2 +- src/main/mal/IAM.mal | 18 ++--- src/main/mal/Networking.mal | 26 +++---- src/main/mal/SoftwareVulnerability.mal | 2 +- src/main/mal/User.mal | 10 +-- src/main/mal/coreVulnerability.mal | 4 +- .../mal_lang/corelang/test/IdentityTest.java | 2 +- 9 files changed, 82 insertions(+), 85 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 7beab38..2345645 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal 
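Review bot: in the spelling patch above, the `restricted` user info line touched in the Networking.mal `@@ -203,7 +203,7 @@` hunk pairs "both" with "or" ("the likelihood of both the protocols required by the attack being enabled or the existence of the ConnectionRule altogether"); since the line is already being rewritten for the defence/defense spelling, suggest fixing the grammar in the same pass, e.g. "the likelihood either of the protocols required by the attack being enabled or of the ConnectionRule existing at all."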
@@ -20,12 +20,12 @@ category ComputeResources { user info: "Specifies the hardware on which applications can run." { | attemptUseVulnerability @hidden - developer info: "Intermediate attack step to allow for defenses." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulUseVulnerability, bypassHardwareModificationsProtection & successfulUseVulnerability @hidden - developer info: "Intermediate attack step to enable defenses." + developer info: "Intermediate attack step to model defenses." -> useVulnerability | useVulnerability @@ -41,7 +41,7 @@ category ComputeResources { -> successfulFullAccess & successfulFullAccess @hidden - developer info: "Intermediate attack step to enable defenses." + developer info: "Intermediate attack step to model defenses." -> fullAccess | fullAccess {C,I,A} 
@@ -51,16 +51,17 @@ category ComputeResources { spreadWormViaRemovableMedia | attemptSupplyChainAttack - developer info: "Intermediate attack step to allow for the auditing defense." + user info: "Adversaries may perform supply chain compromise attacks to gain control of hardware before it is put into use." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulSupplyChainAttack, bypassSupplyChainAuditing & successfulSupplyChainAttack @hidden - developer info: "Intermediate attack step to enable defenses." + developer info: "Intermediate attack step to model defenses." -> supplyChainAttack | supplyChainAttack [VeryHardAndUncertain] - user info: "Adversaries may perform supply chain compromise attacks to gain control of hardware before it is put into use." + user info: "A supply chain compromise means that the attacker has gained full access of the hardware." developer info: "Based on supply chain attacks in icsLang as designed by Sotirios." modeler info: "The probability function and its value is just an estimation! The Hardware supply chain attack represents an attacker being able to tamper with the hardware/firmware before the deployment of the product and not alterations made to the hardware/firmware once it is operating." -> attemptFullAccess @@ -86,12 +87,12 @@ category ComputeResources { attemptHardwareModifications | attemptHardwareModifications @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulHardwareModifications, bypassHardwareModificationsProtection & successfulHardwareModifications @hidden - developer info: "Intermediate attack step to enable defenses." + developer info: "Intermediate attack step to model defenses." -> hardwareModifications | hardwareModifications 
@@ -115,13 +116,13 @@ category ComputeResources { successfulHardwareModifications, successfulUnsafeUserActivity - | attemptUnsafeUserActivity - user info: "Intermediate attack step that allows for the hardware modifications defense to reduce the impact of unsafe user activity." + | attemptUnsafeUserActivity @hidden + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulUnsafeUserActivity, bypassHardwareModificationsProtection & successfulUnsafeUserActivity @hidden - developer info: "Intermediate attack step to enable defenses." + developer info: "Intermediate attack step to model defenses." -> unsafeUserActivity | unsafeUserActivity @@ -201,12 +202,12 @@ category ComputeResources { successfulDeny | attemptUseVulnerability @hidden - developer info: "Attempt to use the associated vulnerabilities, when able to locally or via network connect to the application or when local interaction is possible." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulUseVulnerability, protectorIDPSs.bypassEffectiveness & successfulUseVulnerability @hidden - developer info: "Intermediate attack step to model the case where vulnerabilities should not be compromised because application is disabled." + developer info: "Intermediate attack step to model defenses." -> useVulnerability | useVulnerability 
@@ -219,8 +220,9 @@ category ComputeResources { denyAfterSoftProdVulnerability | attemptReverseReach - developer info: "This attack step needs to be called in order to have reverse reach start propagating from this Application to the rest of the assets." - modeler info: "No other attack step on the Application asset triggers this attack step which means that it must be explicitly triggered by the modeler if the attacker is assumed to have reverse reachability on it." + user info: "The attacker is reachable from this Application therefore start propagating reverse reach from it. Reverse reach is used to determine whether or not the attacker can be reached by the user." + developer info: "Intermediate attack step to allow for defenses." + modeler info: "If the entry point of the attacker is an Application this attack step needs to be explicitly called on it by the modeler in order to have reverse reach start propagating from the Application to the rest of the assets in the model. This is the case because no other attack step on the Application asset triggers this attack step." -> successfulReverseReach & successfulReverseReach @hidden @@ -279,7 +281,7 @@ category ComputeResources { clientApplicationConnections().attemptAccessNetworksInspected | attemptNetworkConnectViaResponse - developer info: "Intermediate attack step to handle defenses." + developer info: "Intermediate attack step to allow for defenses." -> networkConnectViaResponse & networkConnectViaResponse [VeryHardAndUncertain] 
@@ -300,7 +302,7 @@ category ComputeResources { user info: "This level of access models a low-privilege access and requires all other privileges to be modeled separately." developer info: "An attacker with low-privilege access on the executing instance is assumed to be able to locally (on the same host i.e. using loopback) interact with the executed applications." -> appExecutedApps.localConnect, // But also achieve localConnect on all child applications (this is something that needs to be reviewed again at a later stage) - attemptLocalConnectVulnOnHost, + bypassContainerization, attemptUseVulnerability, // Attempt to exploit all the vulnerabilities associated with the Application containedData.authorizedAccessFromApplication, // This also enables the use of compromised permissions but only after specificAccess is reached sentData.authorizedReadFromApplication, // Both Data sent and received can be read @@ -309,8 +311,8 @@ category ComputeResources { attemptApplicationRespondConnectThroughData, accessNetworkAndConnections // and access the network(s) and connections on/to which the app is connected - | attemptLocalConnectVulnOnHost [HardAndUncertain] - user info: "The attacker is able to break out of an application container/sandbox and try to exploit any vulnerability of the hypervisor/host application" + | bypassContainerization @hidden [HardAndUncertain] + developer info: "The attacker is able to break out of an application container/sandbox and try to exploit any vulnerability of the hypervisor, operating system, or host application." modeler info: "The probability and its value are just estimations and are subject to change." -> hostApp.attemptUseVulnerability 
@@ -361,7 +363,7 @@ category ComputeResources { appExecutedApps.physicalAccessAchieved | attemptUnsafeUserActivity @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulUnsafeUserActivity, attackerUnsafeUserActivityCapabilityWithReverseReach, attackerUnsafeUserActivityCapabilityWithoutReverseReach, @@ -404,7 +406,7 @@ category ComputeResources { -> fullAccessAfterSoftProdCompromise | attemptFullAccessAfterSoftProdCompromise @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> fullAccessAfterSoftProdCompromise, bypassSupplyChainAuditing @@ -414,19 +416,19 @@ category ComputeResources { // Intermediate attack steps to allow SoftwareProduct Vulnerabilities to only happen after each Applications is reached by the attacker. | attemptFullAccessAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> fullAccessAfterSoftProdVulnerability | attemptReadAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> readAfterSoftProdVulnerability | attemptModifyAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> modifyAfterSoftProdVulnerability | attemptDenyAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> denyAfterSoftProdVulnerability E softwareCheck @hidden 
@@ -479,23 +481,23 @@ category ComputeResources { denyAfterSoftProdVulnerability & fullAccessAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step to handle existence." + developer info: "Intermediate attack step to handle SoftwareProduct existence." -> fullAccess & readAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step to handle existence." + developer info: "Intermediate attack step to handle SoftwareProduct existence." -> attemptRead & modifyAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step to handle existence." + developer info: "Intermediate attack step to handle SoftwareProduct existence." -> attemptModify & denyAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step to handle existence." + developer info: "Intermediate attack step to handle SoftwareProduct existence." -> attemptDeny | attemptApplicationRespondConnectThroughData @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> successfulApplicationRespondConnectThroughData & successfulApplicationRespondConnectThroughData @hidden @@ -508,7 +510,7 @@ category ComputeResources { -> receivedData.attemptApplicationRespondConnect | attemptRead @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> successfulRead & successfulRead @hidden @@ -522,7 +524,7 @@ category ComputeResources { appExecutedApps.attemptRead | attemptModify @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> successfulModify & successfulModify @hidden @@ -534,7 +536,7 @@ category ComputeResources { -> fullAccess | attemptDeny @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> successfulDeny & successfulDeny @hidden 
diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index 532a7e5..9d25d99 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal @@ -19,9 +19,6 @@ category DataResources { asset Information user info: "Represents any type of information that might be contained inside Data." { - | attemptAccess - user info: "The attacker is attempting to access the information." - | attemptReadFromReplica @hidden developer info: "Reading one replica allows the attacker to read all other replicas as well since the information contained in them is the same." -> successfulReadFromReplica @@ -95,21 +92,21 @@ category DataResources { developer info: "Adopted from awsLang but significantly changed." { | attemptAccess - user info: "Attempt to access the data, this might fail if the 'dataNotPresent' defense is used." + developer info: "Intermediate attack step to allow for defenses." -> access - | authorizedAccessFromApplication - user info: "Try to gain access to the data through permissions." - -> authorizedReadFromApplication, - authorizedWriteFromApplication, - authorizedDeleteFromApplication - & access user info: "Access the data." -> attemptRead, attemptWrite, attemptDelete + | authorizedAccessFromApplication + user info: "Try to gain access to the data through permissions." + -> authorizedReadFromApplication, + authorizedWriteFromApplication, + authorizedDeleteFromApplication + !E dataEncrypted @hidden user info: "If the data are encrypted then accessing them requires the associated encryption credentials/key." developer info: "Data will be considered as encrypted if there is at least one Credentials instance associated with it. Otherwise, 'accessUnencryptedData' is reached." 
@@ -173,11 +170,11 @@ category DataResources { containedData.applicationRespondConnect | attemptRead @hidden - user info: "Attempt to read the data." + developer info: "Intermediate attack step to allow for defenses." -> successfulRead & successfulRead @hidden - developer info: "Intermediate attack step to model the requirements." + developer info: "Intermediate attack step to model defenses." -> read | read {C} @@ -200,11 +197,11 @@ category DataResources { -> attemptRead | attemptWrite @hidden - user info: "Attempt to write on the data." + developer info: "Intermediate attack step to allow for defenses." -> successfulWrite & successfulWrite @hidden - developer info: "Intermediate attack step to model the requirements." + developer info: "Intermediate attack step to model defenses." -> write | write {I} @@ -229,11 +226,11 @@ category DataResources { -> attemptWrite | attemptDelete @hidden - user info: "Attempt to delete the data." + developer info: "Intermediate attack step to allow for defenses." -> successfulDelete & successfulDelete @hidden - developer info: "Intermediate attack step to model the requirements." + developer info: "Intermediate attack step to model defenses." -> delete | delete {I,A} @@ -256,11 +253,11 @@ category DataResources { -> attemptDelete | attemptDeny @hidden - developer info: "Intermediate attack step to only allow deny on data after only if 'dataNotPresent' defense is disabled." + developer info: "Intermediate attack step to allow for defenses." -> successfulDeny & successfulDeny @hidden - developer info: "Intermediate attack step to model the requirements." + developer info: "Intermediate attack step to model defenses." -> deny | deny {A} @@ -275,7 +272,7 @@ category DataResources { -> attemptDeny | attemptReverseReach @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> reverseReach & reverseReach @hidden 
diff --git a/src/main/mal/HardwareVulnerability.mal b/src/main/mal/HardwareVulnerability.mal index 94c3e6a..50b5429 100644 --- a/src/main/mal/HardwareVulnerability.mal +++ b/src/main/mal/HardwareVulnerability.mal @@ -52,7 +52,7 @@ category Vulnerability { -> hardware.deny | attemptExploit @Override - user info: "This is the attack step that must be reached in order for a vulnerability to be able to be exploited. This is also the single checkpoint for all vulnerabilities to model hindrances to employing an exploit." + developer info: "Intermediate attack step to allow for defenses." -> exploitTrivially, exploitWithEffort diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index 241b8ad..c9ce875 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal @@ -25,11 +25,11 @@ category IAM { successfulLockout | attemptAssume - user info: "Attempt to assume the privileges associated with the IAM object. If disabled this will not be possible." + developer info: "Intermediate attack step to allow for defenses." -> successfulAssume & successfulAssume @hidden - developer info: "Intermediate attack step to model the requirements for the assume attack step." + developer info: "Intermediate attack step to model defenses." -> assume | assume @@ -52,7 +52,7 @@ category IAM { +> attemptAssume | attemptLockout @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> successfulLockout & successfulLockout @hidden @@ -159,7 +159,7 @@ category IAM { -> attemptUse | attemptCredentialsReuse @hidden - developer info: "Intermediate step used to trigger the reuse attack step on other credentials belonging to the same user." + developer info: "Intermediate attack step to allow for defenses." -> credentialsReuse, requiredFactors.attemptCredentialsReuse 
@@ -168,7 +168,7 @@ category IAM { -> attemptUse | attemptUse - user info: "The attacker is using the credentials to perform a legitimate authentication." + developer info: "Intermediate attack step to allow for defenses." -> use & use {C} @@ -182,19 +182,15 @@ category IAM { origCreds.guessCredentialsFromHash | attemptPropagateOneCredentialCompromised @hidden - developer info: "Intermediate step used to propagate the credentials reuse attack step." + developer info: "Intermediate attack step to allow for defenses." -> propagateOneCredentialCompromised & propagateOneCredentialCompromised @hidden developer info: "Intermediate step used to propagate the credentials reuse attack step." -> credentials*.identities.users.oneCredentialCompromised - | attemptAccess - user info: "The attacker is attempting to access the credentials." - -> attemptUse - | attemptCredentialTheft @hidden - developer info: "Intermediate step used to trigger the credential theft attack step." + user info: "The attacker is attempting to access the credentials." -> credentialTheft, requiredFactors.attemptCredentialTheft diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 9479251..36da488 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
@@ -59,21 +59,21 @@ category Networking { successfulAccessInspected | attemptAccessUninspected @hidden - user info: "Access on a Network can be attempted after physicalAccess." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulAccessUninspected, bypassAccessControl | attemptAccessInspected @hidden - user info: "Access on a Network can be attempted after physicalAccess." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulAccessInspected, bypassAccessControl & successfulAccessUninspected @hidden - developer info: "This is an intermediate attack step to prevent repeating code." + developer info: "Intermediate attack step to model defenses." -> accessUninspected & successfulAccessInspected @hidden - developer info: "This is an intermediate attack step to prevent repeating code." + developer info: "Intermediate attack step to model defenses." -> accessInspected | accessUninspected @@ -95,7 +95,7 @@ category Networking { denialOfService | attemptReverseReach @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses." -> reverseReach & reverseReach @hidden @@ -140,7 +140,7 @@ category Networking { -> successfulEavesdrop | attemptEavesdrop @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulEavesdrop, bypassEavesdropDefense @@ -166,7 +166,7 @@ category Networking { -> successfulManInTheMiddle | attemptManInTheMiddle @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulManInTheMiddle, bypassManInTheMiddleDefense 
@@ -237,7 +237,7 @@ category Networking { // All the hidden attack steps below are hidden because they are just used for the internal mechanics of the ConnectionRules | attemptReverseReach @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> reverseReach, bypassRestricted, bypassPayloadInspection @@ -248,12 +248,12 @@ category Networking { (networks \/ outNetworks).attemptReverseReach | attemptAccessNetworksUninspected @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulAccessNetworksUninspected, bypassRestricted | attemptAccessNetworksInspected @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulAccessNetworksInspected, bypassRestricted @@ -275,13 +275,13 @@ category Networking { -> (networks \/ inNetworks \/ diodeInNetworks).accessInspected | attemptConnectToApplicationsUninspected @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> connectToApplicationsUninspected, bypassRestricted, bypassPayloadInspection | attemptConnectToApplicationsInspected @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> connectToApplicationsInspected, bypassRestricted, bypassPayloadInspection @@ -297,7 +297,7 @@ category Networking { -> serverApplications().networkConnectInspected | attemptDenialOfService @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> denialOfService, bypassRestricted diff --git a/src/main/mal/SoftwareVulnerability.mal b/src/main/mal/SoftwareVulnerability.mal index d5fe4e3..ab0d6f7 100644 
--- a/src/main/mal/SoftwareVulnerability.mal +++ b/src/main/mal/SoftwareVulnerability.mal @@ -116,7 +116,7 @@ category Vulnerability { softwareProduct.denyApplications | attemptExploit @Override - user info: "This is the attack step that must be reached in order for a vulnerability to be able to be exploited. This is also the single checkpoint for all vulnerabilities to model hindrances to employing an exploit." + developer info: "Intermediate attack step to allow for defenses." -> exploitTrivially, exploitWithEffort diff --git a/src/main/mal/User.mal b/src/main/mal/User.mal index 1715c8c..aff1539 100644 --- a/src/main/mal/User.mal +++ b/src/main/mal/User.mal @@ -56,7 +56,8 @@ category User { -> userIds.credentials.weakCredentials | attemptSocialEngineering - developer info: "Intermediate attack step that allows for security awareness to reduce the impact of social engineering operations." + user info: "The attacker can run social engineering operations on Users." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulSocialEngineering, bypassSecurityAwareness @@ -72,6 +73,7 @@ category User { | attemptDeliverMaliciousRemovableMedia user info: "Intermediate attack step that allows for security awareness to reduce the impact of delivering malicious removable media." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulDeliverMaliciousRemovableMedia, bypassSecurityAwareness 
@@ -91,16 +93,16 @@ category User { -> attemptCredentialTheft | attemptCredentialTheft @hidden - developer info: "Trick the user to provide their credentials." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> credentialTheft | credentialTheft @hidden [HardAndUncertain] - developer info: "This attack is hard to happen." + developer info: "Trick the user to provide their credentials." modeler info: "Distribution: Bernoulli(0.5) * Exponential(0.1), source: Sommestad (2011) Password authentication attacks: a survey of attacks and when they will succeed, suggest to use Bernoulli(0.05)" -> userIds.credentials.attemptCredentialTheft | attemptUnsafeUserActivity @hidden - developer info: "Intermediate attack step." + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulUnsafeUserActivity, bypassSecurityAwareness diff --git a/src/main/mal/coreVulnerability.mal b/src/main/mal/coreVulnerability.mal index 02047b3..565b8a1 100644 --- a/src/main/mal/coreVulnerability.mal +++ b/src/main/mal/coreVulnerability.mal @@ -24,7 +24,7 @@ category Vulnerability { -> abuse | attemptAbuse @hidden - user info: "This is the attack step that must be reached in order for a vulnerability to be able to be abused. This is also the single entry point for all vulnerabilities." + developer info: "Intermediate attack step to allow for defenses." -> abuse & abuse @@ -32,7 +32,7 @@ category Vulnerability { -> attemptExploit | attemptExploit @hidden - user info: "This is the attack step that must be reached in order for a vulnerability to be able to be exploited. This is also the single checkpoint for all vulnerabilities to model hindrances to employing an exploit." + developer info: "Intermediate attack step to allow for defenses." -> exploit | exploit diff --git a/src/test/java/org/mal_lang/corelang/test/IdentityTest.java b/src/test/java/org/mal_lang/corelang/test/IdentityTest.java index c691b05..ad37675 100644 
--- a/src/test/java/org/mal_lang/corelang/test/IdentityTest.java +++ b/src/test/java/org/mal_lang/corelang/test/IdentityTest.java @@ -62,7 +62,7 @@ public void testIdentityMultipleCredentialsSingleCompromised() { var model = new IdentityTestMultipleCredentialsModel(); var attacker = new Attacker(); - attacker.addAttackPoint(model.creds1.attemptAccess); + attacker.addAttackPoint(model.creds1.attemptUse); attacker.attack(); model.identity.successfulAssume.assertCompromisedInstantaneously(); From 11e39031f10456148055f830ab9a1041f0a8ba64 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Fri, 21 Oct 2022 22:27:21 +0200 Subject: [PATCH 05/21] Reword Via attack steps to From for uniformity. --- src/main/mal/ComputeResources.mal | 14 +++++++------- src/main/mal/DataResources.mal | 8 ++++---- src/main/mal/Networking.mal | 10 +++++----- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 2345645..b4dc29a 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -32,7 +32,7 @@ category ComputeResources { user info: "The attacker is able to use the associated vulnerabilities, usually as a result of obtaining physical access." -> vulnerabilities.attemptAbuse - | spreadWormViaRemovableMedia @hidden + | spreadWormFromRemovableMedia @hidden developer info: "Try to spread malware via removable media that the users connect to the hardware system." -> (users \/ physicalZones.users).attemptDeliverMaliciousRemovableMedia @@ -48,7 +48,7 @@ category ComputeResources { user info: "Full access on a piece of hardware confers full access on the applications running on it and access to the hosted data." -> sysExecutedApps.fullAccess, hostedData.attemptAccess, - spreadWormViaRemovableMedia + spreadWormFromRemovableMedia | attemptSupplyChainAttack user info: "Adversaries may perform supply chain compromise attacks to gain control of hardware before it is put into use." 
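Review bot: in the ComputeResources.mal `@@ -51,16 +51,17 @@` hunk the new `supplyChainAttack` user info says the attacker "has gained full access of the hardware"; it should read "full access to the hardware", and since the step now leads to `attemptFullAccess` rather than `fullAccess` directly, "is assumed to gain full access" describes the model more precisely than "has gained".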
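Review bot: in the ComputeResources.mal `@@ -219,8 +220,9 @@` hunk the new `attemptReverseReach` user info is a run-on ("The attacker is reachable from this Application therefore start propagating reverse reach from it."); suggest "The attacker is reachable from this Application, so reverse reach starts propagating from it. Reverse reach determines whether the attacker can be reached by the user." The step is also deliberately left visible (the modeler info says it must be called explicitly as an entry point), while its new developer info uses the "Intermediate attack step to allow for defenses." wording that this patch otherwise applies to `@hidden` steps; a short clause such as "kept visible so the modeler can use it as an attack point" would stop a later uniformity pass from hiding it.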
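Review bot: in the ComputeResources.mal `@@ -309,8 +311,8 @@` hunk the renamed step `bypassContainerization` follows the `bypassX` naming that this patch uses for defense bypasses (`bypassRestricted`, `bypassPayloadInspection`, `bypassHardwareModificationsProtection`), all of which feed an `XBypassed` defense step, but this one has no containerization defense behind it and leads to `hostApp.attemptUseVulnerability` instead; a name that states the modeled action (for example `attemptUseHostVulnerability`, or a real containerization defense with a `containerizationBypassed` step) would keep the pattern consistent. The rename also changes a public step name while the diffstat shows only IdentityTest.java among tests being updated, so any test or example model that used `attemptLocalConnectVulnOnHost` as an attack point should be checked.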
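Review bot: the DataResources.mal `@@ -19,9 +19,6 @@` hunk removes `Information.attemptAccess` (and the IAM.mal `@@ -182,19 +182,15 @@` hunk removes `Credentials.attemptAccess`) without the commit message mentioning a removed entry point; the only test adjusted is `testIdentityMultipleCredentialsSingleCompromised`, which moves `creds1.attemptAccess` to `creds1.attemptUse`, so please confirm no other test or sample model uses `Information.attemptAccess` as an attack point and state in the commit message which step replaces it.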
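Review bot: in the DataResources.mal `@@ -256,11 +253,11 @@` hunk the replacement developer info for `attemptDeny` drops the one piece of step-specific knowledge the old text carried, that the relevant defense is `dataNotPresent`; the uniform wording is an improvement, but naming the defense keeps the text useful, e.g. "Intermediate attack step to allow for defenses (dataNotPresent)." The same loss occurs in the Application `@@ -201,12 +202,12 @@` hunk (the old `attemptUseVulnerability` text named `protectorIDPSs`, and `successfulUseVulnerability` explained the disabled-application case) and in the Networking.mal `@@ -59,21 +59,21 @@` hunk (the old text said access is attempted after `physicalAccess`).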
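Review bot: in the IAM.mal `@@ -182,19 +182,15 @@` hunk `attemptCredentialTheft` is `@hidden` yet receives a `user info` ("The attacker is attempting to access the credentials."), whereas every other hidden step in this patch gets `developer info`; the sentence is also the description of the removed `attemptAccess` step and does not describe credential theft, which is reached from the User asset's `credentialTheft`. Suggest `developer info: "Intermediate attack step to allow for defenses; reached when the user is tricked into providing the credentials."` so the hidden-step convention stays uniform.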
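Review bot: in the User.mal `@@ -72,6 +73,7 @@` hunk `attemptDeliverMaliciousRemovableMedia` keeps its old `user info` ("Intermediate attack step that allows for security awareness to reduce the impact ...") and gains the new generic `developer info`, so the two now say the same developer-facing thing; in the preceding `@@ -56,7 +56,8 @@` hunk the equivalent `attemptSocialEngineering` user info was rewritten to describe the attacker's action ("The attacker can run social engineering operations on Users."), and the same treatment here would be "The attacker can deliver malicious removable media to Users."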
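Review bot: in the User.mal `@@ -91,16 +93,16 @@` hunk the developer info moved onto `credentialTheft` should read "Trick the user into providing their credentials."; while this step is being edited, the unchanged modeler info beneath it states the distribution as `Bernoulli(0.5) * Exponential(0.1)` but cites Sommestad (2011) as suggesting `Bernoulli(0.05)`, a tenfold difference that deserves a sentence explaining why the larger value was chosen.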
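Review bot: in the coreVulnerability.mal `@@ -24,7 +24,7 @@` hunk the removed `attemptAbuse` user info was the only place documenting that it is "the single entry point for all vulnerabilities", and the `@@ -32,7 +32,7 @@` hunk (together with the `@Override` hunks in HardwareVulnerability.mal and SoftwareVulnerability.mal) likewise drops the note that `attemptExploit` is the single checkpoint for modeling hindrances to an exploit; that role information is what a language developer needs when adding a defense, so suggest keeping it in the new developer info, e.g. "Intermediate attack step to allow for defenses. Single entry point for all vulnerabilities."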
@@ -239,7 +239,7 @@ category ComputeResources { containedData.attemptReverseReach, sentData.attemptReverseReach, receivedData.attemptReverseReach, - networkConnectViaResponse + networkConnectFromResponse | localConnect user info: "An attacker with low-privilege access on the executing instance is assumed to be able to locally (on the same host i.e. using loopback) interact with the application." @@ -280,11 +280,11 @@ category ComputeResources { clientApplicationConnections().attemptAccessNetworksUninspected, clientApplicationConnections().attemptAccessNetworksInspected - | attemptNetworkConnectViaResponse + | attemptNetworkConnectFromResponse developer info: "Intermediate attack step to allow for defenses." - -> networkConnectViaResponse + -> networkConnectFromResponse - & networkConnectViaResponse [VeryHardAndUncertain] + & networkConnectFromResponse [VeryHardAndUncertain] user info: "An attacker may be able to respond to requests submitted by a client application." developer info: "Adopted from awsLang." modeler info: "The probability and its value are just estimations and are subject to change." @@ -353,7 +353,7 @@ category ComputeResources { accessNetworkAndConnections, // and access the network(s) and connections on/to which the app is connected hostApp.localConnect, // and localConnect on the host application managedRoutingFw.attemptModify, // if the routing firewall manager app is compromised the routing firewall should also be compromised - hostHardware.spreadWormViaRemovableMedia, // Propagate malware worms via removable media + hostHardware.spreadWormFromRemovableMedia, // Propagate malware worms via removable media specificAccess // And also provide specificAccess, mainly for completeness and more intuitive results | physicalAccessAchieved @hidden diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index 9d25d99..e9b1245 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal 
@@ -119,12 +119,12 @@ category DataResources { <- signingCreds -> accessUnsignedData - E payloadInspectionBypassViaEncryptedData + E payloadInspectionBypassFromEncryptedData user info: "If the data are encrypted then payload inspection cannot be performed on the connection rules they are transmitted over." <- encryptCreds - -> bypassPayloadInspectionViaEncryptedData + -> bypassPayloadInspectionFromEncryptedData - | bypassPayloadInspectionViaEncryptedData @hidden + | bypassPayloadInspectionFromEncryptedData @hidden developer info: "The connection rules that the encrypted data traverse over cannot provide payload inspection since they are assumed to permit encrypted traffic. This implies that the attacker could simply encrypt their own communications to evade inspection." -> (senderApp.clientApplicationConnections() /\ transitNetwork.inboundAllowedConnections()).payloadInspectionBypassed, (receiverApp.serverApplicationConnections() /\ transitNetwork.outboundAllowedConnections()).payloadInspectionBypassed @@ -166,7 +166,7 @@ category DataResources { & applicationRespondConnect user info: "If data is manInTheMiddled or the server side application is compromised, then respond connect to the client side application can be done." - -> senderApp.attemptNetworkConnectViaResponse, + -> senderApp.attemptNetworkConnectFromResponse, containedData.applicationRespondConnect | attemptRead @hidden diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 36da488..678b3d9 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
@@ -31,15 +31,15 @@ category Networking { -> denialOfService, attemptAccessUninspected, attemptAccessInspected, - bypassEavesdropDefenseViaPhysicalAccess, - bypassManInTheMiddleDefenseViaPhysicalAccess + bypassEavesdropDefenseFromPhysicalAccess, + bypassManInTheMiddleDefenseFromPhysicalAccess - | bypassEavesdropDefenseViaPhysicalAccess @hidden [VeryHardAndUncertain] + | bypassEavesdropDefenseFromPhysicalAccess @hidden [VeryHardAndUncertain] modeler info: "The eavesdrop defense can be bypassed more easily if the attacker has physical access to the network." developer info: "The probability distribution for this attack step needs to be researched more. This attack step will add its impact to the existing regular bypass." -> eavesdropDefenseBypassed - | bypassManInTheMiddleDefenseViaPhysicalAccess @hidden [VeryHardAndUncertain] + | bypassManInTheMiddleDefenseFromPhysicalAccess @hidden [VeryHardAndUncertain] modeler info: "The man in the middle defense can be bypassed more easily if the attacker has physical access to the network." developer info: "The probability distribution for this attack step needs to be researched more. This attack step will add its impact to the existing regular bypass." -> manInTheMiddleDefenseBypassed @@ -82,7 +82,7 @@ category Networking { applications.networkConnectUninspected, networkForwardingUninspected, attemptReverseReach, - clientApplications.attemptNetworkConnectViaResponse, + clientApplications.attemptNetworkConnectFromResponse, accessNetworkData, denialOfService From 6f902f55c95ade98a211212cbd2e5036ef4332c7 Mon Sep 17 00:00:00 2001 
From: Andrei Buhaiu Date: Thu, 3 Nov 2022 15:07:54 +0100 Subject: [PATCH 06/21] Massive refactoring commit: - clarify and uniformise info texts - homogenise attack step patterns - homogenise attack step names - replace British spelling with its American counterparts - remove unhelpful info strings - flag attack steps as entry points See https://github.com/mal-lang/coreLang/issues/91 for more details --- src/main/mal/ComputeResources.mal | 264 +++++++++++++------------ src/main/mal/DataResources.mal | 114 ++++++----- src/main/mal/HardwareVulnerability.mal | 17 +- src/main/mal/IAM.mal | 31 ++- src/main/mal/Networking.mal | 36 ++-- src/main/mal/SoftwareVulnerability.mal | 21 +- src/main/mal/User.mal | 27 ++- 7 files changed, 254 insertions(+), 256 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index b4dc29a..8457c7a 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -32,8 +32,17 @@ category ComputeResources { user info: "The attacker is able to use the associated vulnerabilities, usually as a result of obtaining physical access." -> vulnerabilities.attemptAbuse - | spreadWormFromRemovableMedia @hidden - developer info: "Try to spread malware via removable media that the users connect to the hardware system." + | attemptSpreadWormThroughRemovableMedia @hidden + developer info: "Intermediate attack step to allow for defenses and trigger bypasses." + -> successfulSpreadWormThroughRemovableMedia, + bypassHardwareModificationsProtection + + & successfulSpreadWormThroughRemovableMedia @hidden + developer info: "Intermediate attack step to model defenses." + -> spreadWormThroughRemovableMedia + + | spreadWormThroughRemovableMedia @hidden + developer info: "Try to spread malware through removable media that the users connect to the hardware system." -> (users \/ physicalZones.users).attemptDeliverMaliciousRemovableMedia | attemptFullAccess @hidden 
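Review bot: successfulSpreadWormThroughRemovableMedia in the @@ -32 hunk is an AND step, but only one of its parents (attemptSpreadWormThroughRemovableMedia) is visible in this hunk; the second, hardwareModificationsProtectionBypassed, is wired up in the @@ -95 hunk further down. Its developer info "Intermediate attack step to model defenses" should name the gating defense (hardwareModificationsProtection) so a reader of this asset does not have to search for what the AND waits on; the step leading to hardwareModifications in the @@ -95 hunk carries the same generic wording and would benefit from the same "gated by <defense>" phrasing.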
@@ -45,14 +54,15 @@ category ComputeResources { -> fullAccess | fullAccess {C,I,A} - user info: "Full access on a piece of hardware confers full access on the applications running on it and access to the hosted data." + user info: "Full access on a piece of hardware grants full access on the applications running on it and access to the hosted data." -> sysExecutedApps.fullAccess, hostedData.attemptAccess, - spreadWormFromRemovableMedia + attemptSpreadWormThroughRemovableMedia - | attemptSupplyChainAttack + | attemptSupplyChainAttack @entrypoint user info: "Adversaries may perform supply chain compromise attacks to gain control of hardware before it is put into use." developer info: "Intermediate attack step to allow for defenses and trigger bypasses." + modeler info: "Triggering this attack step is the only way to model hardware supply chain attacks in the language, therefore scenarios interested in those aspects need to employ it as an entry point." -> successfulSupplyChainAttack, bypassSupplyChainAuditing 
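Review bot: in the @@ -45 hunk Hardware.fullAccess now leads to attemptSpreadWormThroughRemovableMedia, which (per the @@ -32 and @@ -95 hunks) only succeeds once hardwareModificationsProtection is bypassed; an attacker who already has full access on the hardware, and via the @@ -353 hunk on Application any attacker with fullAccess on a hosted application, is therefore prevented from writing malware to users' removable media by a defense whose user info describes protection against unauthorized physical modifications to the hardware. If the defense is meant to cover device and port control policies as well, say so in its user info; otherwise worm spread from an already compromised host should not be gated by it.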
@@ -62,26 +72,24 @@ category ComputeResources { | supplyChainAttack [VeryHardAndUncertain] user info: "A supply chain compromise means that the attacker has gained full access of the hardware." - developer info: "Based on supply chain attacks in icsLang as designed by Sotirios." - modeler info: "The probability function and its value is just an estimation! The Hardware supply chain attack represents an attacker being able to tamper with the hardware/firmware before the deployment of the product and not alterations made to the hardware/firmware once it is operating." + modeler info: "The Hardware supply chain attack represents an attacker being able to tamper with the hardware/firmware before the deployment of the product and not alterations made to the hardware/firmware once it is operating." -> attemptFullAccess # supplyChainAuditing - user info: "Auditing inside the supply chain can detect possible supply chain attacks." - developer info: "Mitigation moved into coreLang from icsLang. Originally designed by Sotirios." + user info: "Auditing inside the hardware supply chain can detect possible supply chain attacks." -> supplyChainAuditingBypassed | bypassSupplyChainAuditing [VeryHardAndUncertain] user info: "Supply chain auditing can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> supplyChainAuditingBypassed | supplyChainAuditingBypassed @hidden developer info: "Supply chain auditing is bypassed either because it was not set or the attacker was able to circumvent it through additional effort." -> successfulSupplyChainAttack - | physicalAccess - user info: "Attacker has physical access to the location where the hardware is physically deployed. They could then deny the hardware, locally connect to the hosted applications, and exploit physical vulnerabilities." + | physicalAccess @entrypoint + user info: "Attacker has physical access to the location where the hardware is physically deployed. 
They could then deny the hardware, locally connect to the hosted applications, and exploit potential physical vulnerabilities." + modeler info: "This attack step can be used as an entry point when analyzing scenarios that involve gaining physical access to assets." -> deny, sysExecutedApps.localConnect, attemptHardwareModifications 
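Review bot: the @@ -62 hunk drops every caveat about the probability distributions (the "just an estimation" modeler info on supplyChainAttack and the "needs to be researched more" developer info on bypassSupplyChainAuditing) while keeping the [VeryHardAndUncertain] distributions themselves; the commit message lists "remove unhelpful info strings", but these sentences told modelers not to over-interpret the resulting time-to-compromise figures. Keep one modeler info sentence on each distribution-bearing step saying the distribution is an estimate, and move the removed attribution to icsLang and Sotirios into a top-of-file comment or the project's changelog rather than deleting it.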
@@ -95,25 +103,25 @@ category ComputeResources { developer info: "Intermediate attack step to model defenses." -> hardwareModifications - | hardwareModifications - user info: "Attacker is able to modify the hardware setup. They could then exploit physical vulnerabilities or software vulnerabilities that require physical access." + | hardwareModifications @hidden + developer info: "Attacker is able to modify the hardware setup. They could then exploit physical vulnerabilities or software vulnerabilities that require physical access." -> attemptUseVulnerability, sysExecutedApps.physicalAccessAchieved # hardwareModificationsProtection user info: "This defense protects against unauthorized modifications to the hardware that would allow an attacker to exploit a hardware vulnerability or a user to connect malicious devices to it." - developer info: "But it does not protect against denial of service attacks or local connect." + developer info: "But it does not protect against denial of service attacks or local connect on hosted applications." -> hardwareModificationsProtectionBypassed | bypassHardwareModificationsProtection [VeryHardAndUncertain] user info: "Hardware modifications protection can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> hardwareModificationsProtectionBypassed | hardwareModificationsProtectionBypassed @hidden developer info: "Hardware modifications protection is bypassed either because it was not set or the attacker was able to circumvent it through additional effort." -> successfulUseVulnerability, successfulHardwareModifications, + successfulSpreadWormThroughRemovableMedia, successfulUnsafeUserActivity | attemptUnsafeUserActivity @hidden 
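Review bot: hardwareModifications is made @hidden in the @@ -95 hunk and its description is demoted from user info to developer info, yet it is the step that grants attemptUseVulnerability on the hardware and physicalAccessAchieved on every hosted application, so hiding it removes that milestone from modeler-facing results while physicalAccess (@entrypoint) and the defense hardwareModificationsProtection stay visible. If the aim is fewer visible steps, keep hardwareModifications visible and hide the attempt/successful intermediates around it instead (if they are not hidden already), since those are the ones described as intermediate. Also, the defense's developer info still reads as a fragment beginning with "But"; fold it into the user info as a second sentence.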
@@ -126,9 +134,8 @@ category ComputeResources { -> unsafeUserActivity | unsafeUserActivity - user info: "A user is performing unsafe actions on the hardware." - developer info: "This exposes the Applications running on top of the hardware and fulfils the physical access requirement of SoftwareVulnerabilities associated with them." - modeler info: "Currently only represents connecting a malicious removable media drive." + user info: "A user is performing unsafe actions on the hardware. This exposes the Applications running on top of the hardware and fulfils the physical access requirement of SoftwareVulnerabilities associated with them." + developer info: "Currently only represents connecting a malicious removable media drive." -> sysExecutedApps.attemptUnsafeUserActivity, sysExecutedApps.physicalAccessAchieved 
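Review bot: the new user info in the @@ -126 hunk keeps "fulfils", the British spelling, in a commit whose message says British spellings are being replaced with American ones; make it "fulfills". Beyond spelling, the developer info now says the step "Currently only represents connecting a malicious removable media drive", which is the same limitation the removed modeler info carried; because it constrains what a modeler should read into unsafeUserActivity, it belongs in modeler info rather than developer info.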
@@ -143,39 +150,44 @@ category ComputeResources { hostedData.attemptRead | modify {I} - user info: "Modify on hardware leads to a modify/write on all the applications running on it and hosted data." + user info: "Modify on hardware gives the attacker full access to the hardware and leads to a modify/write on all the applications running on it and hosted data." -> attemptFullAccess, sysExecutedApps.attemptModify, hostedData.attemptWrite } asset SoftwareProduct extends Information - user info: "A software product is a specific type of software/application which can be associated with specific vulnerabilities." - developer info: "This asset is only introduced in order to improve the usability of the language." + user info: "A software product that certain applications are using which represents a specific software package, potentially even a version, which can be associated with certain vulnerabilities or have its deployment repositories compromised in a software supply chain attack." + developer info: "This asset was introduced in order to improve the usability of the language and enable software supply chain attacks." { | compromiseApplications - user info: "If the origin of a software product is compromised (modified maliciously) then the associated application should also be fully compromised." - -> softApplications.attemptFullAccessAfterSoftProdCompromise - - | readApplications - user info: "If the vulnerability has a read impact, it should propagate that on all the applications." - -> softApplications.attemptReadAfterSoftProdVulnerability - - | modifyApplications - user info: "If the vulnerability has a modify impact, it should propagate that on all the applications." - -> softApplications.attemptModifyAfterSoftProdVulnerability - - | denyApplications - user info: "If the vulnerability has a deny impact, it should propagate that on all the applications." 
- -> softApplications.attemptDenyAfterSoftProdVulnerability + user info: "If the origin of a software product is compromised (modified maliciously) this is interpreted as a software supply chain attack and therefore the associated applications should also be fully compromised." + -> softApplications.attemptFullAccessFromSupplyChainCompromise | write @Override - developer info: "If the attacker is able to write the software product they are able to compromise the applications using it." + user info: "If the attacker is able to write the software product they are able to execute a software supply chain attack on the applications associated with it." +> compromiseApplications + + /* The following three attack steps are used to trigger the + * SoftwareProduct's SoftwareVulnerabilities' impacts on each of the + * Applications associated with the SoftwareProduct separately. + */ + | readApplications @hidden + developer info: "This is an intermediary attack step to propagate read on all of the associated applications if the vulnerability has a confidentiality impact." + -> softApplications.attemptReadFromSoftProdVulnerability + + | modifyApplications @hidden + developer info: "This is an intermediary attack step to propagate modify on all of the associated applications if the vulnerability has an integrity impact." + -> softApplications.attemptModifyFromSoftProdVulnerability + + | denyApplications @hidden + developer info: "This is an intermediary attack step to propagate deny on all of the associated applications if the vulnerability has an availability impact." + -> softApplications.attemptDenyFromSoftProdVulnerability } asset Application - user info: "An application models pretty much everything that is executed or can execute other applications." + user info: "An application models any type of software process or component, from firmware and operating systems to plugins and sessions." 
+ modeler info: "Applications are some of the most common assets in models due to their versatility and scope." { let allVulnerabilities = vulnerabilities \/ appSoftProduct.softProductVulnerabilities @@ -185,15 +197,15 @@ category ComputeResources { # disabled [Disabled] user info: "If application is disabled it should behave as nonexistent, thus all attack vectors are removed." - developer info: "This would even allow us to have a much more dynamic and probabilistic aspect on our model and simulations." + developer info: "This defense allows for both speculation about the presence of a particular application and to suggest that if it is possible removing it may restrict the attacker's actions." -> specificAccessFromLocalConnection, specificAccessFromNetworkConnection, localAccess, networkAccess, - fullAccessAfterSoftProdVulnerability, - readAfterSoftProdVulnerability, - modifyAfterSoftProdVulnerability, - denyAfterSoftProdVulnerability, + fullAccessFromSoftProdVulnerability, + readFromSoftProdVulnerability, + modifyFromSoftProdVulnerability, + denyFromSoftProdVulnerability, successfulReverseReach, successfulUseVulnerability, successfulApplicationRespondConnectThroughData, 
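Review bot: the SoftwareProduct user info in the @@ -143 hunk is a single 40-word sentence with three stacked relative clauses ("A software product that certain applications are using which represents ... which can be associated ..."); split it, for example "A specific software package, potentially a specific version, used by one or more applications. It can be associated with SoftwareVulnerabilities, and its deployment repository can be compromised in a software supply chain attack." In the same hunk compromiseApplications is now the only non-hidden step on the asset and write @Override leads to it, so the user info on write should state that write is the intended entry step for a software supply chain scenario. In the @@ -185 hunk the new developer info on disabled ("allows for both speculation about the presence ... and to suggest that if it is possible removing it may restrict ...") is hard to parse; "Lets a modeler express uncertainty about whether the application exists, or evaluate the effect of removing it" says the same thing.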
@@ -212,14 +224,15 @@ category ComputeResources { | useVulnerability user info: "Try to exploit the associated vulnerabilities." + developer info: "This includes vulnerabilities associated with the SoftwareProduct that this Application is running as well." -> allVulnerabilities().attemptAbuse, attemptSoftwareProductAbuse, - fullAccessAfterSoftProdVulnerability, - readAfterSoftProdVulnerability, - modifyAfterSoftProdVulnerability, - denyAfterSoftProdVulnerability + fullAccessFromSoftProdVulnerability, + readFromSoftProdVulnerability, + modifyFromSoftProdVulnerability, + denyFromSoftProdVulnerability - | attemptReverseReach + | attemptReverseReach @entrypoint user info: "The attacker is reachable from this Application therefore start propagating reverse reach from it. Reverse reach is used to determine whether or not the attacker can be reached by the user." developer info: "Intermediate attack step to allow for defenses." modeler info: "If the entry point of the attacker is an Application this attack step needs to be explicitly called on it by the modeler in order to have reverse reach start propagating from the Application to the rest of the assets in the model. This is the case because no other attack step on the Application asset triggers this attack step." @@ -230,7 +243,7 @@ category ComputeResources { -> reverseReach | reverseReach @hidden - developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user." + developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." -> networks.attemptReverseReach, clientAccessNetworks.attemptReverseReach, serverApplicationConnections().attemptReverseReach, 
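Review bot: attemptReverseReach is flagged @entrypoint in the @@ -212 hunk with modeler info saying it must be triggered explicitly because no other attack step on Application triggers it, while the @@ -280 hunk below marks fullAccess @entrypoint and tells modelers it is common to grant fullAccess on an Application representing the attacker's own tools; a modeler following only the fullAccess advice gets no reverse reach, so attackerUnsafeUserActivityCapabilityWithReverseReach (@@ -365 hunk) never fires and every unsafe user action is priced at the WithoutReverseReach difficulty. Either have fullAccess lead to attemptReverseReach, or state in the fullAccess modeler info that attemptReverseReach must be added on the same entry point.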
@@ -242,7 +255,7 @@ category ComputeResources { networkConnectFromResponse | localConnect - user info: "An attacker with low-privilege access on the executing instance is assumed to be able to locally (on the same host i.e. using loopback) interact with the application." + user info: "The attacker can interface with the Application without going through networking communications. This is achieved by gaining full access on a hosted Application, specific access on the hosting Application, physical access on the hardware on which the Application is running, or via unsafe user activity." -> localAccess, specificAccessFromLocalConnection, attemptUseVulnerability, // Attempt to exploit all the vulnerabilities associated with the Application 
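Review bot: the new localConnect user info in the @@ -242 hunk lists four ways the step is reached (full access on a hosted Application, specific access on the hosting Application, physical access on the hardware, unsafe user activity); the first three match edges in this patch (fullAccess -> hostApp.localConnect, specificAccess -> appExecutedApps.localConnect, Hardware.physicalAccess -> sysExecutedApps.localConnect), but no edge from unsafe user activity to localConnect is visible here, and Hardware.unsafeUserActivity leads to sysExecutedApps.attemptUnsafeUserActivity and physicalAccessAchieved. If that edge exists elsewhere in the file, fine; otherwise add it or drop the clause so the info text matches the graph.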
@@ -258,19 +271,20 @@ category ComputeResources { specificAccessNetworkConnect | networkConnectInspected - user info: "This attack step is used if the network connection occurs via a ConnectionRule that has its payload inspected, in which case the attacker can still authenticate, but they cannot trigger vulnerabilities." + user info: "If the network communications occur via any ConnectionRules that have their payload inspected the attacker can still authenticate, but they cannot trigger vulnerabilities." -> networkConnect, specificAccessNetworkConnect | networkConnect @hidden - user info: "Intermediate attack step." + developer info: "Intermediate attack step." -> networkAccess - | specificAccessNetworkConnect + | specificAccessNetworkConnect @hidden + developer info: "Intermediate attack step." -> specificAccessFromNetworkConnection - | accessNetworkAndConnections - user info: "An attacker is also possible to access the network(s) and connections to which this application is connected to, and perform client-side attacks." + | accessNetworkAndConnections @hidden + developer info: "The attacker can access outgoing and bidirectional networks and connections associated with the application." -> networks.accessUninspected, networks.accessInspected, clientAccessNetworks.accessUninspected, 
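Review bot: the reworded networkConnectInspected user info in the @@ -258 hunk ("via any ConnectionRules that have their payload inspected") is ambiguous about whether one inspected rule on the path suffices or every rule must be inspected, whereas the old text spoke of a single ConnectionRule with payload inspection; since this step decides whether vulnerabilities can be triggered at all, say which reading is intended. In the same hunk specificAccessNetworkConnect and accessNetworkAndConnections become @hidden; accessNetworkAndConnections is the fan-out to every reachable network and connection, so hiding it removes the one step whose appearance in a trace explains lateral movement, and it is worth keeping visible.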
@@ -280,66 +294,63 @@ category ComputeResources { clientApplicationConnections().attemptAccessNetworksUninspected, clientApplicationConnections().attemptAccessNetworksInspected - | attemptNetworkConnectFromResponse + | attemptNetworkConnectFromResponse @hidden developer info: "Intermediate attack step to allow for defenses." -> networkConnectFromResponse - & networkConnectFromResponse [VeryHardAndUncertain] - user info: "An attacker may be able to respond to requests submitted by a client application." - developer info: "Adopted from awsLang." - modeler info: "The probability and its value are just estimations and are subject to change." + & networkConnectFromResponse @hidden [VeryHardAndUncertain] + developer info: "An attacker may be able to respond to requests submitted by a client application." -> networkConnectUninspected & specificAccessFromLocalConnection @hidden - developer info: "This intermediate step is used to represent that localConnect has happened before being able to get 'specificAccess'. Same as 'localAccess' attack step." + developer info: "Intermediate attack steps for modeling the two requirements (reachability and authentication) for specific access." -> specificAccess & specificAccessFromNetworkConnection @hidden - developer info: "This intermediate step is used to represent that networkConnect has happened before being able to get 'specificAccess'. Same as 'networkAccess' attack step." + developer info: "Intermediate attack steps for modeling the two requirements (reachability and authentication) for specific access." -> specificAccess | specificAccess - user info: "This level of access models a low-privilege access and requires all other privileges to be modeled separately." - developer info: "An attacker with low-privilege access on the executing instance is assumed to be able to locally (on the same host i.e. using loopback) interact with the executed applications." 
- -> appExecutedApps.localConnect, // But also achieve localConnect on all child applications (this is something that needs to be reviewed again at a later stage) + user info: "The adversary is able to gain low-privilege access on the Application which allows them to access the networks and connections associated with it and locally connect to hosted Applications. Additionally, if they have the required privileges the attacker may also access data hosted, sent, or received by the Application." + -> appExecutedApps.localConnect, // An attacker with low-privilege access on the executing instance is assumed to be able to locally interact with the executed applications. bypassContainerization, attemptUseVulnerability, // Attempt to exploit all the vulnerabilities associated with the Application - containedData.authorizedAccessFromApplication, // This also enables the use of compromised permissions but only after specificAccess is reached - sentData.authorizedReadFromApplication, // Both Data sent and received can be read + containedData.authorizedAccessFromApplication, // This also enables the use of compromised permissions but only after those privileges are attained + sentData.authorizedReadFromApplication, // Both Data sent and received can be read given the necessary permissions receivedData.authorizedReadFromApplication, - sentData.authorizedWriteFromApplication, // But only sent Data can be written + sentData.authorizedWriteFromApplication, // But only sent Data can be written given the necessary permissions attemptApplicationRespondConnectThroughData, accessNetworkAndConnections // and access the network(s) and connections on/to which the app is connected - | bypassContainerization @hidden [HardAndUncertain] - developer info: "The attacker is able to break out of an application container/sandbox and try to exploit any vulnerability of the hypervisor, operating system, or host application." 
- modeler info: "The probability and its value are just estimations and are subject to change." + | bypassContainerization [HardAndUncertain] + user info: "The attacker is able to break out of an application container/sandbox and try to exploit any vulnerability of the host application." -> hostApp.attemptUseVulnerability | authenticate - user info: "The attacker is able to authenticate with the appropriate credentials." + user info: "The attacker is able to authenticate with the appropriate high-level privileges." -> localAccess, networkAccess, allVulnerabilities().highPrivilegesAchieved, softwareProductVulnerabilityHighPrivilegesAchieved | specificAccessAuthenticate - user info: "The attacker is able to authenticate with the appropriate specific access credentials." + user info: "The attacker is able to authenticate with the appropriate low-level privileges." -> specificAccessFromLocalConnection, specificAccessFromNetworkConnection, allVulnerabilities().lowPrivilegesAchieved, softwareProductVulnerabilityLowPrivilegesAchieved & localAccess @hidden - developer info: "Intermediate attack steps for modeling the two requirements (reachability and authentication) for access." + developer info: "Intermediate attack steps for modeling the two requirements (reachability and authentication) for full access." -> fullAccess & networkAccess @hidden - developer info: "Intermediate attack steps for modeling the two requirements (reachability and authentication) for access." + developer info: "Intermediate attack steps for modeling the two requirements (reachability and authentication) for full access." -> fullAccess - | fullAccess {C,I,A} - user info: "Full access on the Application, the attacker has complete control of the application and can perform any actions within its execution context." 
+ | fullAccess @entrypoint {C,I,A} + user info: "Full access on the Application means the attacker has complete control of the application and can perform any actions within its execution context." + modeler info: "It is common in models for the attacker to be granted full access on an Application, representing their own tools, that is connected to the Internet to explore possible attack vectors." -> attemptRead, attemptModify, attemptDeny, @@ -353,7 +364,7 @@ category ComputeResources { accessNetworkAndConnections, // and access the network(s) and connections on/to which the app is connected hostApp.localConnect, // and localConnect on the host application managedRoutingFw.attemptModify, // if the routing firewall manager app is compromised the routing firewall should also be compromised - hostHardware.spreadWormFromRemovableMedia, // Propagate malware worms via removable media + hostHardware.attemptSpreadWormThroughRemovableMedia, // Propagate malware worms through removable media specificAccess // And also provide specificAccess, mainly for completeness and more intuitive results | physicalAccessAchieved @hidden @@ -365,8 +376,8 @@ category ComputeResources { | attemptUnsafeUserActivity @hidden developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> successfulUnsafeUserActivity, - attackerUnsafeUserActivityCapabilityWithReverseReach, - attackerUnsafeUserActivityCapabilityWithoutReverseReach, + attackerUnsafeUserActivityCapabilityWithReverseReach, // If the user can reach the attacker via networking assets this makes the unsafe user actions much easier to perform + attackerUnsafeUserActivityCapabilityWithoutReverseReach, // Without being able to reach the attacker the User can still perform malicious actions on their behalf, but it is much more complicated protectorIDPSs.bypassEffectiveness & successfulUnsafeUserActivity @hidden 
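Review bot: the now visible bypassContainerization step in the @@ -280 hunk keeps one [HardAndUncertain] distribution for what its removed description called breaking out to "the hypervisor, operating system, or host application", and the new user info narrows this to "host application"; that is consistent with the AppExecution association in the @@ -601 hunk, which models OS and VM layers as nested Applications, but a hypervisor escape and a sandbox escape are very different efforts, so the info text should say the single distribution is a deliberate simplification. Also, the two & steps specificAccessFromLocalConnection and specificAccessFromNetworkConnection now carry an identical developer info that says "Intermediate attack steps" (plural) on each singular step; make each say which requirement it represents, as the removed text did.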
@@ -393,52 +404,52 @@ category ComputeResources { # supplyChainAuditing user info: "Auditing inside the supply chain can detect possible supply chain attacks." - developer info: "Mitigation based on the hardware/firmware supply chain attack mitigation in icsLang as designed by Sotirios." -> supplyChainAuditingBypassed | bypassSupplyChainAuditing [VeryHardAndUncertain] user info: "Supply chain auditing can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> supplyChainAuditingBypassed | supplyChainAuditingBypassed @hidden developer info: "The supply chain audit is bypassed either because it was not set or the attacker was able to circumvent it through additional effort." - -> fullAccessAfterSoftProdCompromise + -> fullAccessFromSupplyChainCompromise - | attemptFullAccessAfterSoftProdCompromise @hidden + | attemptFullAccessFromSupplyChainCompromise @hidden developer info: "Intermediate attack step to allow for defenses and trigger bypasses." - -> fullAccessAfterSoftProdCompromise, + -> fullAccessFromSupplyChainCompromise, bypassSupplyChainAuditing - & fullAccessAfterSoftProdCompromise @hidden + & fullAccessFromSupplyChainCompromise @hidden developer info: "Intermediate attack step." -> fullAccess - // Intermediate attack steps to allow SoftwareProduct Vulnerabilities to only happen after each Applications is reached by the attacker. - | attemptFullAccessAfterSoftProdVulnerability @hidden - developer info: "Intermediate attack step to allow for defenses." - -> fullAccessAfterSoftProdVulnerability - - | attemptReadAfterSoftProdVulnerability @hidden + /* Intermediate attack steps to allow SoftwareProduct Vulnerabilities to + * only happen after each Applications is reached by the attacker. + */ + | attemptReadFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to allow for defenses." 
- -> readAfterSoftProdVulnerability + -> readFromSoftProdVulnerability - | attemptModifyAfterSoftProdVulnerability @hidden + | attemptModifyFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to allow for defenses." - -> modifyAfterSoftProdVulnerability + -> modifyFromSoftProdVulnerability - | attemptDenyAfterSoftProdVulnerability @hidden + | attemptDenyFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to allow for defenses." - -> denyAfterSoftProdVulnerability + -> denyFromSoftProdVulnerability E softwareCheck @hidden - user info: "Only enable the following attacks steps if a SoftwareProduct is associated with this Application." + developer info: "Only enable the following attacks steps if a SoftwareProduct is associated with this Application." <- appSoftProduct - -> fullAccessAfterSoftProdVulnerability, - readAfterSoftProdVulnerability, - modifyAfterSoftProdVulnerability, - denyAfterSoftProdVulnerability - + -> fullAccessFromSoftProdVulnerability, + readFromSoftProdVulnerability, + modifyFromSoftProdVulnerability, + denyFromSoftProdVulnerability + + /* The seven following attack steps were implemented to trigger + * SoftwareVulnerabilities on a SoftwareProduct on each Application + * associated with the SoftwareProduct individually. + */ | softwareProductVulnerabilityLocalAccessAchieved @hidden developer info: "Intermediate attack step used to conditionally trigger SoftwareProduct vulnerabilities separately for each application." -> appSoftProduct.softProductVulnerabilities.localAccessAchieved, 
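Review bot: the @@ -393 hunk deletes attemptFullAccessAfterSoftProdVulnerability outright with no attemptFullAccessFromSoftProdVulnerability replacement, while the read/modify/deny attempt steps are kept and renamed and fullAccessFromSoftProdVulnerability itself survives as an & step in the @@ -475 hunk; the new comment block says these steps exist "to allow SoftwareProduct Vulnerabilities to only happen after each Applications is reached", so it should explain why full access needs no attempt step (presumably because useVulnerability already leads to fullAccessFromSoftProdVulnerability directly, per the @@ -212 hunk), and the deletion should be checked for dangling references. Minor: "after each Applications is reached" should read "after each Application is reached".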
@@ -475,24 +486,24 @@ category ComputeResources { & softwareProductAbuse @hidden developer info: "Intermediate attack step used to conditionally trigger SoftwareProduct vulnerabilities separately for each application." - -> fullAccessAfterSoftProdVulnerability, - readAfterSoftProdVulnerability, - modifyAfterSoftProdVulnerability, - denyAfterSoftProdVulnerability + -> fullAccessFromSoftProdVulnerability, + readFromSoftProdVulnerability, + modifyFromSoftProdVulnerability, + denyFromSoftProdVulnerability - & fullAccessAfterSoftProdVulnerability @hidden + & fullAccessFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to handle SoftwareProduct existence." -> fullAccess - & readAfterSoftProdVulnerability @hidden + & readFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to handle SoftwareProduct existence." -> attemptRead - & modifyAfterSoftProdVulnerability @hidden + & modifyFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to handle SoftwareProduct existence." -> attemptModify - & denyAfterSoftProdVulnerability @hidden + & denyFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to handle SoftwareProduct existence." -> attemptDeny @@ -505,8 +516,7 @@ category ComputeResources { -> applicationRespondConnectThroughData | applicationRespondConnectThroughData @hidden - user info: "After access on the application the contained data or data in transit can be used to try a connect via Respond to the client side application." - modeler info: "This is an intermediate attack step that groups connections to attack steps." + developer info: "After access on the application the contained data or data in transit can be used to try a connect through Respond to the client side application." -> receivedData.attemptApplicationRespondConnect | attemptRead @hidden 
@@ -519,7 +529,7 @@ category ComputeResources { | read {C} user info: "The attacker can read some or all of this service's code and data." - developer info: "We don't model the services data, as we do not expect that information will be available to the parser. We also don't differentiate between service administrators and service users (e.g., mail service admins and users), as we have no information about the services. Adopted from awsLang." + developer info: "We don't model the services data, as we do not expect that information will be available to the parser." -> containedData.attemptRead, appExecutedApps.attemptRead @@ -559,11 +569,11 @@ category ComputeResources { } asset IDPS extends Application - user info: "An IDPS is tasked with protecting other applications from malicious activity." + user info: "An IDPS(Intrusion Detection and Prevention System) is tasked with protecting other applications from malicious activity, such as exploiting vulnerabilities or unsafe user actions." { # disabled @Override @hidden [Disabled] - modeler info: "As per the comment for the effectiveness defense, the disabled defense does not function as desired for the IDPS asset and should not be used. The effectiveness defense should be adjusted to reflect the likelihood that the IDPS is present instead." developer info: "It would be ideal to hide this defense when using modelling tools to avoid confusion." + modeler info: "As per the comment for the effectiveness defense, the disabled defense does not function as desired for the IDPS asset and should not be used. The effectiveness defense should be adjusted to reflect the likelihood that the IDPS is present instead." # effectiveness [Enabled] user info: "The effectiveness defense represents how capable the IDPS is to prevent disruptions from occurring on the associated applications." 
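Review bot: the IDPS user info in the @@ -559 hunk is missing a space before the parenthesis ("IDPS(Intrusion Detection and Prevention System)"). In the same hunk the disabled @Override defense keeps the modeler info saying it does not work as desired and should not be used, and the developer info says it would be ideal to hide it in modeling tools; since @hidden is already on the defense, state whether that already hides it or what else is needed, otherwise the two sentences read as an unresolved TODO.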
@@ -571,8 +581,7 @@ category ComputeResources { -> effectivenessBypassed | bypassEffectiveness [VeryHardAndUncertain] - user info: "Supply chain auditing can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." + user info: "The effectiveness of an IDPS can be bypassed." -> effectivenessBypassed | effectivenessBypassed @hidden @@ -581,7 +590,7 @@ category ComputeResources { protectedApps.successfulUnsafeUserActivity | fullAccess {C,I,A} - developer info: "The IDPS is no longer able to protect the apps assigned to it if it has been compromised itself." + user info: "The IDPS is no longer able to protect the apps assigned to it if it has been compromised itself." +> effectivenessBypassed | deny {A} @@ -590,10 +599,11 @@ category ComputeResources { } asset PhysicalZone - user info: "A physical zone is the location where hardware systems networks are physically deployed." + user info: "A physical zone is the location where hardware systems and networks are physically deployed." { - | gainPhysicalAccess + | gainPhysicalAccess @entrypoint user info: "By gaining access on a physical zone, physical access on the housed hardware and networks is also attained." + modeler info: "This attack step can be used as an entry point when analyzing scenarios that involve gaining physical access to assets." -> hardwareSystems.physicalAccess, networks.physicalAccess } 
@@ -601,15 +611,15 @@ category ComputeResources { associations { Hardware [hostHardware] 0..1 <-- SysExecution --> * [sysExecutedApps] Application - developer info: "Hardware on which Applications are running. The host hardware is not mandatory to be specified but if it is, it adds on the model." + user info: "Hardware on which Applications are running. The host hardware is not mandatory to be specified." Application [hostApp] 0..1 <-- AppExecution --> * [appExecutedApps] Application - developer info: "Application 1 runs application 2 which runs application 3. (Where application 1 is an OS, application 2 is a VM and application 3 is app running in the VM.)" + user info: "Sandboxing and containerization are represented through AppExecution. This application hosting can be nested. For example, application 1 runs application 2 which runs application 3. (Where application 1 is an OS, application 2 is a VM, and application 3 is app running in the VM.)" IDPS [protectorIDPSs] * <-- AppProtection --> * [protectedApps] Application - developer info: "IDPSs can provide protection to other applications." + user info: "IDPSs can provide protection to other applications." SoftwareProduct [appSoftProduct] 0..1 <-- AppSoftwareProduct --> * [softApplications] Application - user info: "An application can be associated with a software product that has some specific characteristics such as specific Vulnerabilities." + user info: "An application can be associated with a software product that has some specific characteristics such as specific Vulnerabilities and deployment repository." PhysicalZone [physicalZones] * <-- ZoneInclusion --> * [hardwareSystems] Hardware - developer info: "Access on PhysicalZone will give physicalAccess on the deployed Hardware, but access to the hardware does not provide access to the physical zone (e.g. iLOs)." 
+ user info: "Access on PhysicalZone will give physicalAccess on the deployed Hardware, but access to the hardware does not provide access to the physical zone (e.g. iLOs)." PhysicalZone [physicalZones] * <-- ZoneInclusion --> * [networks] Network - developer info: "Access on PhysicalZone will give physicalAccess on the deployed networks, but access to the network does not provide access to the physical zone." + user info: "Access on PhysicalZone will give physicalAccess on the deployed networks, but access to the network does not provide access to the physical zone." } diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index e9b1245..ec1fa15 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal 
@@ -17,8 +17,36 @@ category DataResources { asset Information - user info: "Represents any type of information that might be contained inside Data." + user info: "Represents any type of information that might be contained inside Data. This include general purpose information, but also serves as the basis for more specialized types, such as Credentials and SoftwareProduct. Information represents the abstract concept while Data represent an actual instance of information stored or transmitted digitally." { + | read + user info: "The attacker is able to read the information. They may still be unable to extract it, which represents the adversary being able to read it themselves. This is the case if autonomous code is able to read it, but lack the required networking connections to transmit it back to the adversary." + -> dataReplicas.read, + containerData.read + + | write + user info: "The attacker is able to write the information." + -> dataReplicas.write, + containerData.write, + dependentApps.fullAccess, + delete + + | delete + user info: "The attacker is able to delete the information." + -> dataReplicas.delete, + containerData.delete, + deny + + | deny + user info: "The attacker is able to deny the information." + -> dataReplicas.deny, + containerData.deny, + dependentApps.deny + + | extract + user info: "The attacker is able to extract the information. This means that they have a path available through which they can transfer the information back to a system they control." + + // The following 10 attack steps are used to implement data replication | attemptReadFromReplica @hidden developer info: "Reading one replica allows the attacker to read all other replicas as well since the information contained in them is the same." -> successfulReadFromReplica 
@@ -58,69 +86,39 @@ category DataResources { & successfulExtractFromReplica @hidden developer info: "Intermediate attack step to model defenses." -> extract - - | read - user info: "The attacker is able to read the information. They may still be unable to extract it." - -> dataReplicas.read, - containerData.read - - | write - user info: "The attacker is able to write the information." - -> dataReplicas.write, - containerData.write, - dependentApps.fullAccess, - delete - - | delete - user info: "The attacker is able to delete the information." - -> dataReplicas.delete, - containerData.delete, - deny - - | deny - user info: "The attacker is able to deny the information." - -> dataReplicas.deny, - containerData.deny, - dependentApps.deny - - | extract - user info: "The attacker is able to extract the information. This means that they have a path available through which they can transfer the information back to a system they control." } asset Data user info: "Any form of data that can be stored or transmitted." - developer info: "Adopted from awsLang but significantly changed." { - | attemptAccess + | attemptAccess @hidden developer info: "Intermediate attack step to allow for defenses." -> access - & access - user info: "Access the data." + & access @hidden + developer info: "Access the data." -> attemptRead, attemptWrite, attemptDelete - | authorizedAccessFromApplication - user info: "Try to gain access to the data through permissions." + | authorizedAccessFromApplication @hidden + developer info: "Try to gain access to the data through permissions." -> authorizedReadFromApplication, authorizedWriteFromApplication, authorizedDeleteFromApplication !E dataEncrypted @hidden - user info: "If the data are encrypted then accessing them requires the associated encryption credentials/key." - developer info: "Data will be considered as encrypted if there is at least one Credentials instance associated with it. Otherwise, 'accessUnencryptedData' is reached." 
+ developer info: "If the data are encrypted then accessing them requires the associated encryption credentials/key. Data will be considered encrypted if there is at least one Credentials instance associated with it. Otherwise, 'accessUnencryptedData' is triggered." <- encryptCreds -> accessUnencryptedData !E dataSigned @hidden - user info: "If the data are authenticated, then modifying them is not possible to achieve." - developer info: "Data will be considered as encrypted if there is at least one Credentials instance associated with it. Otherwise, 'accessUnencryptedData' is reached." + developer info: "If the data are signed then writing them requires the associated signing credentials/key. Data will be considered signed if there is at least one Credentials asset associated with it. Otherwise, 'accessUnsignedData' is triggered." <- signingCreds -> accessUnsignedData - E payloadInspectionBypassFromEncryptedData - user info: "If the data are encrypted then payload inspection cannot be performed on the connection rules they are transmitted over." + E payloadInspectionBypassFromEncryptedData @hidden + developer info: "If the data are encrypted then payload inspection cannot be performed on the connection rules they are transmitted over." <- encryptCreds -> bypassPayloadInspectionFromEncryptedData 
@@ -130,20 +128,20 @@ category DataResources { (receiverApp.serverApplicationConnections() /\ transitNetwork.outboundAllowedConnections()).payloadInspectionBypassed & accessUnencryptedData @hidden - user info: "If data are unencrypted then access them." + developer info: "If data are unencrypted then access them." -> accessDecryptedData & accessUnsignedData @hidden - user info: "If data are unsigned then alter them." + developer info: "If data are unsigned then alter them." -> accessSpoofedData | accessSpoofedData @hidden - user info: "Intermediate attack step to only allow effects of 'accessUnsignedData' on data after compromising the signing credentials or signing is disabled." + developer info: "Intermediate attack step to only allow effects of 'accessUnsignedData' on data after compromising the signing credentials or signing is disabled." -> applicationRespondConnect, successfulWrite | accessDecryptedData @hidden - user info: "Intermediate attack step to only allow effects of 'accessUnencryptedData' on data after compromising the encryption credentials or encryption is disabled." + developer info: "Intermediate attack step to only allow effects of 'accessUnencryptedData' on data after compromising the encryption credentials or encryption is disabled." -> access, applicationRespondConnect, successfulRead, @@ -164,8 +162,8 @@ category DataResources { developer info: "Intermediate attack step to handle defenses." -> applicationRespondConnect - & applicationRespondConnect - user info: "If data is manInTheMiddled or the server side application is compromised, then respond connect to the client side application can be done." + & applicationRespondConnect @hidden + developer info: "If data is manInTheMiddled or the server side application is compromised, then respond connect to the client side application can be done." -> senderApp.attemptNetworkConnectFromResponse, containedData.applicationRespondConnect 
@@ -185,15 +183,15 @@ category DataResources { extract | authorizedReadFromIAM @hidden - user info: "The attacker has obtained the access control permissions required to read the data." + developer info: "The attacker has obtained the access control permissions required to read the data." -> authorizedRead | authorizedReadFromApplication @hidden - user info: "The attacker can reach the data via an Application, but they still require the adequate permissions to read it." + developer info: "The attacker can reach the data via an Application, but they still require the adequate permissions to read it." -> authorizedRead & authorizedRead @hidden - developer info: "An attacker is able to read the Data through legitimate means, this requires both access to the Data and the adequate permissions." + developer info: "An attacker is able to read the Data through authorized permissions, this requires both access to the Data and the adequate permissions." -> attemptRead | attemptWrite @hidden @@ -214,15 +212,15 @@ category DataResources { attemptDelete | authorizedWriteFromIAM @hidden - user info: "The attacker has obtained the access control permissions required to write the data." + developer info: "The attacker has obtained the access control permissions required to write the data." -> authorizedWrite | authorizedWriteFromApplication @hidden - user info: "The attacker can reach the data via an Application, but they still require the adequate permissions to write it." + developer info: "The attacker can reach the data via an Application, but they still require the adequate permissions to write it." -> authorizedWrite & authorizedWrite @hidden - developer info: "Intermediate attack step to only allow operations on data after both access and identity assume is compromised." + developer info: "An attacker is able to write the Data through authorized permissions, this requires both access to the Data and the adequate permissions." -> attemptWrite | attemptDelete @hidden 
@@ -241,15 +239,15 @@ category DataResources { attemptDeny | authorizedDeleteFromIAM @hidden - user info: "The attacker has obtained the access control permissions required to delete the data." + developer info: "The attacker has obtained the access control permissions required to delete the data." -> authorizedDelete | authorizedDeleteFromApplication @hidden - user info: "The attacker can reach the data via an Application, but they still require the adequate permissions to delete it." + developer info: "The attacker can reach the data via an Application, but they still require the adequate permissions to delete it." -> authorizedDelete & authorizedDelete @hidden - developer info: "Intermediate attack step to only allow operations on data after both access and identity assume is compromised." + developer info: "An attacker is able to delete the Data through authorized permissions, this requires both access to the Data and the adequate permissions." -> attemptDelete | attemptDeny @hidden 
@@ -298,9 +296,9 @@ associations { Data [containedData] * <-- AppContainment --> * [containingApp] Application user info: "An application should be able to contain some data." Data [sentData] * <-- SendData --> * [senderApp] Application - user info: "An application can also send some data that are supposed to be transferred over a connection. This expresses an active connection." + user info: "An application can also send some data that are supposed to be transferred over a network or connection. This expresses an active connection." Data [receivedData] * <-- ReceiveData --> * [receiverApp] Application - user info: "An application can also receive some data that are supposed to be transferred over a connection. This expresses an active connection." + user info: "An application can also receive some data that are supposed to be transferred over a network or connection. This expresses an active connection." Data [transitData] * <-- DataInTransit --> * [transitNetwork] Network user info: "A network can also contain some data that are supposed to be network-wide available." Data [hostedData] * <-- DataHosting --> 0..1 [hardware] Hardware @@ -314,7 +312,7 @@ associations { // ### Application dependence associations /* Dependence is used to represent various situations where the operations * of the Application are impacted by modifying/denying the Data/Information - * it depends upon. Examples of this type of behaviour are configurations, + * it depends upon. Examples of this type of behavior are configurations, * plugins, libraries, or other input data that is critical to the purpose * of the software component represented by the Application. This * association should only be used for circumstances where the workflow of diff --git a/src/main/mal/HardwareVulnerability.mal b/src/main/mal/HardwareVulnerability.mal index 50b5429..77d3d10 100644 --- a/src/main/mal/HardwareVulnerability.mal +++ b/src/main/mal/HardwareVulnerability.mal 
@@ -51,22 +51,21 @@ category Vulnerability { user info: "Denial-of-Service attack is an attack in which a machine or hardware component is rendered unavailable to its intended users by temporarily or indefinitely disrupting it." -> hardware.deny - | attemptExploit @Override + | attemptExploit @hidden @Override developer info: "Intermediate attack step to allow for defenses." -> exploitTrivially, exploitWithEffort - & exploitTrivially - user info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." + & exploitTrivially @hidden + developer info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." -> exploit - & exploitWithEffort [Exponential(0.01)] - user info: "The attacker must expend effort in order to successfully exploit the vulnerability." - developer info: "The distribution chosen here may be scientifically sound, but needs to be reevaluated to ensure that this is the case." + & exploitWithEffort @hidden [Exponential(0.01)] + developer info: "The attacker must expend effort in order to successfully exploit the vulnerability." -> exploit - | impact - user info: "The actual impact caused by successfully exploiting the vulnerability." + | impact @hidden + developer info: "The actual impact caused by successfully exploiting the vulnerability." -> read, modify, deny @@ -75,5 +74,5 @@ category Vulnerability { associations { HardwareVulnerability [vulnerabilities] * <-- hardwareVulnerability --> 0..1 [hardware] Hardware - developer info: "A Hardware system/component can have multiple hardware vulnerabilities." + user info: "A Hardware system/component can have multiple hardware vulnerabilities." } diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index c9ce875..29930fd 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal 
@@ -24,7 +24,7 @@ category IAM { -> successfulAssume, successfulLockout - | attemptAssume + | attemptAssume @hidden developer info: "Intermediate attack step to allow for defenses." -> successfulAssume @@ -98,17 +98,17 @@ category IAM { } asset Privileges extends IAMObject - user info: "A privileges asset can be associated with an identity to group a set of given privileges on Applications and Data." + user info: "A privileges asset can be associated with another IAMObject to reason about a specific subset of given privileges on Applications and Data." modeler info: "The privileges asset is not meant to be used normally when assigning permissions. Identities and Groups should be directly associated with the relevant assets. The purpose of the Privileges asset is to be used as a speculative asset when reasoning about additional privileges that a particular Group or Identity may have as a result of either poor configurations or the attacker's actions." { | assume @Override {C,I,A} - user info: "After authentication or compromise of an account/identity, assume its privileges." + user info: "After authentication or compromise assume its privileges." developer info: "Assume identity/group the privileges are associated with since the privileges are simply an extension of it." +> IAMOwners.attemptAssume } asset Group extends IAMObject - user info: "A group is a way to group together identities and/or groups. This allows the expression of hierarchical IAM (structured inheritance)." + user info: "A group is a way to group together identities and/or other groups. This allows the expression of hierarchical IAM (structured inheritance)." modeler info: "Groups can be used instead of nested identities to make the model more intuitive and clearer to understand." { | assume @Override {C,I,A} 
@@ -117,7 +117,7 @@ category IAM { +> parentGroup.attemptAssume & lockoutFromMembers @hidden - user info: "If all of the Identities belonging to a Group are lockedout we assume that the Group as a whole is lockedout." + developer info: "If all of the Identities belonging to a Group are lockedout we assume that the Group as a whole is lockedout." -> lockout } @@ -143,15 +143,15 @@ category IAM { -> credentialTheft | read @Override - developer info: "If the attacker is able to read the information containing credentials we assume that they are compromised." + user info: "If the attacker is able to read the information containing credentials we assume that they are compromised." +> attemptUse | write @Override - developer info: "If the attacker is able to write the information containing credentials we assume that they have changed them for the authentication process." + user info: "If the attacker is able to write the information containing credentials we assume that they have changed them for the authentication process." +> attemptUse | deny @Override - developer info: "If the attacker is able to deny the information containing credentials we assume that they have denied them for the authentication process." + user info: "If the attacker is able to deny the information containing credentials we assume that they have denied them for the authentication process." +> identities.attemptLockoutFromCredentials | useLeakedCredentials [EasyAndCertain] @@ -163,11 +163,11 @@ category IAM { -> credentialsReuse, requiredFactors.attemptCredentialsReuse - & credentialsReuse + & credentialsReuse @hidden developer info: "The user is reusing credentials which means that the attacker is able to compromise all of the non-unique credentials associated with this user." -> attemptUse - | attemptUse + | attemptUse @hidden developer info: "Intermediate attack step to allow for defenses." -> use 
@@ -190,12 +190,12 @@ category IAM { -> credentials*.identities.users.oneCredentialCompromised | attemptCredentialTheft @hidden - user info: "The attacker is attempting to access the credentials." + developer info: "The attacker is attempting to access the credentials." -> credentialTheft, requiredFactors.attemptCredentialTheft - & credentialTheft - user info: "The attacker is able to steal the credentials." + & credentialTheft @hidden + developer info: "The attacker is able to steal the credentials." -> attemptUse !E missingIdentity @hidden @@ -217,10 +217,9 @@ category IAM { developer info: "If hashes are associated with this Credentials asset the assumption is that one of those hashes is required by the attacker to be able to perform a guessing attack." -> guessCredentials - & guessCredentials [HardAndUncertain] - user info: "The attacker can try to just guess a set of credentials. The likelihood of succeeding is dependent on how strong the credentials are." + & guessCredentials @hidden [HardAndUncertain] + developer info: "The attacker can try to just guess a set of credentials. The likelihood of succeeding is dependent on how strong the credentials are." modeler info: "The guessability of the Credentials is influenced by the notGuessable defense on this asset and the securityAwareness defense on the User associated with the Identity that these Credentials belong to. If either the User or Identity associations are missing the assumption is made that the crentials are guessable and only the notGuessable defense would play a role in restricting this attack step." - developer info: "We should research the probability we want to use for this attack step more." -> attemptUse } } diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 678b3d9..36ac7ca 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
@@ -26,22 +26,21 @@ category Networking { let allNetConnections = (netConnections \/ ingoingNetConnections \/ outgoingNetConnections \/ diodeIngoingNetConnections) let allowedApplicationConnectionsApplications = (allNetApplications() \/ allNetConnections().applications) - | physicalAccess {C, A} - developer info: "Attacker has physical access on the network. This means he can cut wires/fibers, connect using iLOs, eavesdrop and get proper network access." + | physicalAccess @entrypoint {C, A} + user info: "Attacker has physical access on the network. This means they can cut wires/fibers, connect using iLOs, eavesdrop and get proper network access." + modeler info: "This attack step can be used as an entry point when analyzing scenarios that involve gaining physical access to assets." -> denialOfService, attemptAccessUninspected, attemptAccessInspected, bypassEavesdropDefenseFromPhysicalAccess, bypassManInTheMiddleDefenseFromPhysicalAccess - | bypassEavesdropDefenseFromPhysicalAccess @hidden [VeryHardAndUncertain] - modeler info: "The eavesdrop defense can be bypassed more easily if the attacker has physical access to the network." - developer info: "The probability distribution for this attack step needs to be researched more. This attack step will add its impact to the existing regular bypass." + | bypassEavesdropDefenseFromPhysicalAccess [VeryHardAndUncertain] + user info: "The eavesdrop defense can be bypassed more easily if the attacker has physical access to the network. This attack step will add its impact to the unconditional bypass." -> eavesdropDefenseBypassed - | bypassManInTheMiddleDefenseFromPhysicalAccess @hidden [VeryHardAndUncertain] - modeler info: "The man in the middle defense can be bypassed more easily if the attacker has physical access to the network." - developer info: "The probability distribution for this attack step needs to be researched more. This attack step will add its impact to the existing regular bypass." 
+ | bypassManInTheMiddleDefenseFromPhysicalAccess [VeryHardAndUncertain] + user info: "The man in the middle defense can be bypassed more easily if the attacker has physical access to the network. This attack step will add its impact to the unconditional bypass." -> manInTheMiddleDefenseBypassed # networkAccessControl @@ -50,7 +49,6 @@ category Networking { | bypassAccessControl [VeryHardAndUncertain] user info: "If access control is enabled, the attacker can still try to bypass it and gain access on the network." - developer info: "The probability distribution for this attack step needs to be researched more." -> accessControlBypassed | accessControlBypassed @hidden @@ -99,18 +97,18 @@ category Networking { -> reverseReach & reverseReach @hidden - developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user." + developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." -> (netConnections \/ ingoingNetConnections \/ diodeIngoingNetConnections).attemptReverseReach, clientApplications.attemptReverseReach, applications.attemptReverseReach - | networkForwardingUninspected + | networkForwardingUninspected @hidden developer info: "By using the allowed connections (connection rules), uninspected forwarding from one network to another network or applications can happen." -> outboundAllowedConnections().attemptAccessNetworksUninspected, outboundAllowedConnections().attemptConnectToApplicationsUninspected, networkForwardingInspected - | networkForwardingInspected + | networkForwardingInspected @hidden developer info: "By using the allowed connections (connection rules), inspected forwarding from one network to another network or applications can happen." -> outboundAllowedConnections().attemptAccessNetworksInspected, outboundAllowedConnections().attemptConnectToApplicationsInspected 
@@ -120,19 +118,18 @@ category Networking { -> allNetConnections().attemptDenialOfService, allowedApplicationConnectionsApplications().denyFromNetworkingAsset - | accessNetworkData - user info: "Access also the data that are network-wide available." + | accessNetworkData @hidden + developer info: "Access also the data that are network-wide available." -> attemptEavesdrop, attemptManInTheMiddle # eavesdropDefense user info: "This defense protects from eavesdrop attacks. If this defense is disabled, then it is equivalent to the network being considered a broadcast network." - modeler info: "If this defense is enabled, attacks such as ARP spoofing should however, still be possible. This can be done by assigning a Bernoulli distribution to this defense." + modeler info: "If this defense is enabled, attacks such as ARP spoofing should however, still be possible." -> eavesdropDefenseBypassed | bypassEavesdropDefense [VeryHardAndUncertain] user info: "The eavesdrop defense can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> eavesdropDefenseBypassed | eavesdropDefenseBypassed @hidden @@ -158,7 +155,6 @@ category Networking { | bypassManInTheMiddleDefense [VeryHardAndUncertain] user info: "The man in the middle defense can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> manInTheMiddleDefenseBypassed | manInTheMiddleDefenseBypassed @hidden @@ -208,7 +204,6 @@ category Networking { | bypassRestricted [VeryHardAndUncertain] user info: "The restricted defense can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> restrictedBypassed | restrictedBypassed @hidden 
@@ -226,7 +221,6 @@ category Networking { | bypassPayloadInspection [VeryHardAndUncertain] user info: "Payload inspection can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> payloadInspectionBypassed | payloadInspectionBypassed @hidden @@ -243,7 +237,7 @@ category Networking { bypassPayloadInspection & reverseReach @hidden - developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user." + developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." -> clientApplications().attemptReverseReach, (networks \/ outNetworks).attemptReverseReach @@ -291,7 +285,6 @@ category Networking { -> serverApplications().networkConnectUninspected, serverApplications().networkConnectInspected - & connectToApplicationsInspected @hidden developer info: "Connect to all the (server) Applications that are associated with this ConnectionRule, but taking into account that the traffic payload is being inspected. This attack step is used to allow legitimate traffic even when payload inspection is enabled on the connection." -> serverApplications().networkConnectInspected @@ -302,6 +295,7 @@ category Networking { bypassRestricted & denialOfService {A} + user info: "If a connection rule is denied it affects the applications communicating over it." -> allApplications().denyFromNetworkingAsset } } diff --git a/src/main/mal/SoftwareVulnerability.mal b/src/main/mal/SoftwareVulnerability.mal index ab0d6f7..c138843 100644 --- a/src/main/mal/SoftwareVulnerability.mal +++ b/src/main/mal/SoftwareVulnerability.mal @@ -97,7 +97,7 @@ category Vulnerability { -> abuse | userInteractionAchieved @hidden - developer info: "Intermediate attack step to model user interaction defense." + developer info: "Intermediate attack step to model user interaction requirement." -> abuse & read 
@@ -115,22 +115,21 @@ category Vulnerability { -> application.deny, softwareProduct.denyApplications - | attemptExploit @Override + | attemptExploit @hidden @Override developer info: "Intermediate attack step to allow for defenses." -> exploitTrivially, exploitWithEffort - & exploitTrivially - user info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." + & exploitTrivially @hidden + developer info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." -> exploit - & exploitWithEffort [Exponential(0.01)] - user info: "The attacker must expend effort in order to successfully exploit the vulnerability." - developer info: "The distribution chosen here may be scientifically sound, but needs to be reevaluated to ensure that this is the case." + & exploitWithEffort @hidden [Exponential(0.01)] + developer info: "The attacker must expend effort in order to successfully exploit the vulnerability." -> exploit - | impact - user info: "The actual impact caused by successfully exploiting the vulnerability." + | impact @hidden + developer info: "The actual impact caused by successfully exploiting the vulnerability." -> read, modify, deny @@ -139,7 +138,7 @@ category Vulnerability { associations { SoftwareVulnerability [vulnerabilities] * <-- ApplicationVulnerability --> 0..1 [application] Application - developer info: "An Application can have multiple software vulnerabilities." + user info: "An Application can have multiple software vulnerabilities." SoftwareVulnerability [softProductVulnerabilities] * <-- ApplicationVulnerability --> 0..1 [softwareProduct] SoftwareProduct - developer info: "A SoftwareProduct can have multiple software vulnerabilities." + user info: "A SoftwareProduct can have multiple software vulnerabilities." } diff --git a/src/main/mal/User.mal b/src/main/mal/User.mal index aff1539..8574a37 100644 --- a/src/main/mal/User.mal +++ b/src/main/mal/User.mal 
@@ -34,7 +34,6 @@ category User { | bypassSecurityAwareness [VeryHardAndUncertain] user info: "Security awareness can be bypassed." - developer info: "The probability distribution for this attack step needs to be researched more." -> securityAwarenessBypassed | securityAwarenessBypassed @hidden @@ -55,9 +54,10 @@ category User { developer info: "Intermediate attack step that defines the strength of all of the Credentials associated with the user. This is inversely proportional with the user's securityAwareness defense." -> userIds.credentials.weakCredentials - | attemptSocialEngineering - user info: "The attacker can run social engineering operations on Users." + | attemptSocialEngineering @entrypoint + user info: "An attacker can try to perform social engineering techniques such as phishing and inducing the user to perform malicious actions." developer info: "Intermediate attack step to allow for defenses and trigger bypasses." + modeler info: "Social engineering is modeled by having the attacker trigger this attack step on hthe target Users." -> successfulSocialEngineering, bypassSecurityAwareness 
@@ -66,14 +66,14 @@ category User { -> socialEngineering | socialEngineering @hidden - modeler info: "An attacker can try to perform social engineering techniques such as phishing and inducing the user to perform malicious actions." - developer info: "In the future, other social engineering techniques should be connected to this attack step." + developer info: "Currently social engineering entails phishing credentials and tricking the user into unsafe actions that expose Applications to the attacker. In the future, other social engineering techniques should be added to this attack step." -> phishUser, unsafeUserActivity - | attemptDeliverMaliciousRemovableMedia - user info: "Intermediate attack step that allows for security awareness to reduce the impact of delivering malicious removable media." + | attemptDeliverMaliciousRemovableMedia @entrypoint + user info: "An attacker can try to deliver a removable media drive(e.g. USB drive) containing malicious code to a location accessible to the target users." developer info: "Intermediate attack step to allow for defenses and trigger bypasses." + modeler info: "Social engineering is modeled by having the attacker trigger this attack step on hthe target Users." -> successfulDeliverMaliciousRemovableMedia, bypassSecurityAwareness 
@@ -82,14 +82,13 @@ category User { -> deliverMaliciousRemovableMedia | deliverMaliciousRemovableMedia @hidden [Exponential(0.01)] - modeler info: "An attacker can try to deliver a removable media drive(e.g. USB drive) containing malicious code to a location accessible to the target users." - developer info: "The probability distribution is entirely arbitrary and should be researched in greater detail." + developer info: "The user is assumed to connect the removable media containing the malicious code to all of the hardware systems that they have access to. Since this is expected to unwittingly happen as part of their normal operations the attack exposes their regular security context." -> userIds.attemptAssume, physicalZones.hardwareSystems.attemptUnsafeUserActivity, hardwareSystems.attemptUnsafeUserActivity | phishUser @hidden - modeler info: "The attacker can phish the user to gain access to their credentials." + developer info: "The attacker can phish the user to gain access to their credentials." -> attemptCredentialTheft | attemptCredentialTheft @hidden 
@@ -112,7 +111,7 @@ category User { | unsafeUserActivity @hidden [Exponential(0.03)] developer info: "The user can engage in unsafe behaviour that could allow the attacker to gain access to the applications the user has access to." - modeler info: "An attacker may trigger the assume step on identities belonging to the user without being able to reach (or be reached) via any of the Applications that the identity has access to. This represents an unmaterialised threat in that scenario. The choice of probability is entirely arbitrary and should be replaced with a scientifically grounded distribution." + modeler info: "An attacker may trigger the assume step on identities belonging to the user without being able to reach (or be reached) via any of the Applications that the identity has access to. This represents an unmaterialised threat in that scenario." -> userIds.attemptAssume, userIds.execPrivApps.attemptUnsafeUserActivity, userIds.subprivileges.subprivileges*.execPrivApps.attemptUnsafeUserActivity, @@ -125,9 +124,9 @@ category User { associations { User [users] * <-- ZoneAccess --> * [physicalZones] PhysicalZone - developer info: "A user may have access to different physical zones." + user info: "A user may have access to different physical zones." User [users] * <-- HardwareAccess --> * [hardwareSystems] Hardware - developer info: "A user may have access to different hardware systems, rigs, or components." + user info: "A user may have access to different hardware systems, rigs, or components." User [users] * <-- UserAssignedIdentities--> * [userIds] Identity - developer info: "A user may have different identities associated with it." + user info: "A user may have different identities associated with it." } From 564a4bb08062e8dcc09cfb59af32423ce01710a4 Mon Sep 17 00:00:00 2001 
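Review bot: Dropping the "probability distribution ... needs to be researched more" / "entirely arbitrary" developer and modeler info from bypassPayloadInspection (Networking.mal hunk @@ -226), bypassSecurityAwareness (User.mal @@ -34), exploitWithEffort (SoftwareVulnerability.mal @@ -115), deliverMaliciousRemovableMedia (User.mal @@ -82) and unsafeUserActivity (User.mal @@ -112) removes the only record that the attached TTC values ([VeryHardAndUncertain], [Exponential(0.01)], [Exponential(0.03)]) are uncalibrated, while the values themselves are left unchanged. Keep a one-line developer info such as "TTC distribution is a placeholder pending calibration." on each of these steps, or reference a tracked issue from the commit message, so consumers of computed TTCs do not mistake these parameters for validated ones.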
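Review bot: Typo "hthe" in both added modeler info lines in User.mal (hunks @@ -55 and @@ -66): modeler info: "Social engineering is modeled by having the attacker trigger this attack step on hthe target Users." Beyond the typo, the second copy is attached to attemptDeliverMaliciousRemovableMedia yet still describes social engineering; it should describe removable media delivery instead, e.g. "Delivery of malicious removable media is modeled by having the attacker trigger this attack step on the target Users." The new user info on that same step also lacks a space in "removable media drive(e.g. USB drive)".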
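Review bot: In SoftwareVulnerability.mal hunk @@ -115, exploitTrivially, exploitWithEffort and impact become @hidden and their user info is downgraded to developer info, which removes "impact" from what modelers see for every SoftwareVulnerability even though the abstract Vulnerability base (Vulnerability.mal, later in this series) keeps "| impact" as a visible, user-documented step. State in the commit message whether hiding the overriding impact step is intended, since the subclass now silently changes the user-facing attack graph that the base asset documents.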
From: Sotirios Katsikeas Date: Fri, 4 Nov 2022 11:35:41 +0100 Subject: [PATCH 07/21] Merge vulnerabilities to a single Vulnerability.mal file (to increase uniformity) --- src/main/mal/HardwareVulnerability.mal | 78 ----------------- ...areVulnerability.mal => Vulnerability.mal} | 86 ++++++++++++++++++- src/main/mal/coreLang.mal | 4 +- src/main/mal/coreVulnerability.mal | 45 ---------- 4 files changed, 86 insertions(+), 127 deletions(-) delete mode 100644 src/main/mal/HardwareVulnerability.mal rename src/main/mal/{SoftwareVulnerability.mal => Vulnerability.mal} (65%) delete mode 100644 src/main/mal/coreVulnerability.mal diff --git a/src/main/mal/HardwareVulnerability.mal b/src/main/mal/HardwareVulnerability.mal deleted file mode 100644 index 77d3d10..0000000 --- a/src/main/mal/HardwareVulnerability.mal +++ /dev/null 
@@ -1,78 +0,0 @@ -/* - * Copyright 2019-2022 coreLang contributors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -category Vulnerability { - - asset HardwareVulnerability extends Vulnerability - user info: "A vulnerability that affects hardware." - { - # confidentialityImpactLimitations @suppress [Disabled] - user info: "Limits the impact on confidentiality of the vulnerability." - modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." - -> read - - # availabilityImpactLimitations @suppress [Disabled] - user info: "Limits the impact on availability of the vulnerability." - modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." - -> deny - - # integrityImpactLimitations @suppress [Disabled] - user info: "Limits the impact on integrity of the vulnerability." - modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." - -> modify - - # effortRequiredToExploit @suppress [Disabled] - user info: "The vulnerability requires additional effort(time) from the attacker in order to be successful." - modeler info: "The expectation is that the attacker has prolonged or recurring access to the targeted hardware in order to repeatedly/continuously try the exploit." - -> exploitTrivially - - & read - user info: "The attacker can read some or all of the associated hardware's data." 
- -> hardware.read - - & modify - user info: "The attacker can modify some or all of the associated hardware's behaviour." - -> hardware.modify - - & deny - user info: "Denial-of-Service attack is an attack in which a machine or hardware component is rendered unavailable to its intended users by temporarily or indefinitely disrupting it." - -> hardware.deny - - | attemptExploit @hidden @Override - developer info: "Intermediate attack step to allow for defenses." - -> exploitTrivially, - exploitWithEffort - - & exploitTrivially @hidden - developer info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." - -> exploit - - & exploitWithEffort @hidden [Exponential(0.01)] - developer info: "The attacker must expend effort in order to successfully exploit the vulnerability." - -> exploit - - | impact @hidden - developer info: "The actual impact caused by successfully exploiting the vulnerability." - -> read, - modify, - deny - } -} - -associations { - HardwareVulnerability [vulnerabilities] * <-- hardwareVulnerability --> 0..1 [hardware] Hardware - user info: "A Hardware system/component can have multiple hardware vulnerabilities." -} diff --git a/src/main/mal/SoftwareVulnerability.mal b/src/main/mal/Vulnerability.mal similarity index 65% rename from src/main/mal/SoftwareVulnerability.mal rename to src/main/mal/Vulnerability.mal index c138843..d32e54e 100644 --- a/src/main/mal/SoftwareVulnerability.mal +++ b/src/main/mal/Vulnerability.mal 
@@ -16,7 +16,89 @@ category Vulnerability { - asset SoftwareVulnerability extends Vulnerability + abstract asset Vulnerability + user info: "Vulnerability refers to the inability (of a unit or a system, application, etc.) to withstand the effects of a hostile environment." + { + # remove + user info: "If the remove defense is enabled the vulnerability will not be effective on the model." + -> abuse + + | attemptAbuse @hidden + developer info: "Intermediate attack step to allow for defenses." + -> abuse + + & abuse + user info: "The attacker is trying to abuse a vulnerability in an asset." + -> attemptExploit + + | attemptExploit @hidden + developer info: "Intermediate attack step to allow for defenses." + -> exploit + + | exploit + user info: "Attacker is employing an exploit that makes use of this vulnerability." + -> impact + + | impact + user info: "Each vulnerability has an impact (of different levels) on the vulnerable component." + } + + asset HardwareVulnerability extends Vulnerability + user info: "A vulnerability that affects hardware." + { + # confidentialityImpactLimitations @suppress [Disabled] + user info: "Limits the impact on confidentiality of the vulnerability." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." + -> read + + # availabilityImpactLimitations @suppress [Disabled] + user info: "Limits the impact on availability of the vulnerability." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." + -> deny + + # integrityImpactLimitations @suppress [Disabled] + user info: "Limits the impact on integrity of the vulnerability." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." + -> modify + + # effortRequiredToExploit @suppress [Disabled] + user info: "The vulnerability requires additional effort(time) from the attacker in order to be successful." 
+ modeler info: "The expectation is that the attacker has prolonged or recurring access to the targeted hardware in order to repeatedly/continuously try the exploit." + -> exploitTrivially + + & read + user info: "The attacker can read some or all of the associated hardware's data." + -> hardware.read + + & modify + user info: "The attacker can modify some or all of the associated hardware's behaviour." + -> hardware.modify + + & deny + user info: "Denial-of-Service attack is an attack in which a machine or hardware component is rendered unavailable to its intended users by temporarily or indefinitely disrupting it." + -> hardware.deny + + | attemptExploit @hidden @Override + developer info: "Intermediate attack step to allow for defenses." + -> exploitTrivially, + exploitWithEffort + + & exploitTrivially @hidden + developer info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." + -> exploit + + & exploitWithEffort @hidden [Exponential(0.01)] + developer info: "The attacker must expend effort in order to successfully exploit the vulnerability." + -> exploit + + | impact @hidden + developer info: "The actual impact caused by successfully exploiting the vulnerability." + -> read, + modify, + deny + } + + asset SoftwareVulnerability extends Vulnerability user info: "A vulnerability that affects software (i.e. Applications or SoftwareProducts)." { # networkAccessRequired @suppress [Disabled] 
@@ -137,6 +219,8 @@ category Vulnerability { } associations { + HardwareVulnerability [vulnerabilities] * <-- hardwareVulnerability --> 0..1 [hardware] Hardware + user info: "A Hardware system/component can have multiple hardware vulnerabilities." SoftwareVulnerability [vulnerabilities] * <-- ApplicationVulnerability --> 0..1 [application] Application user info: "An Application can have multiple software vulnerabilities." SoftwareVulnerability [softProductVulnerabilities] * <-- ApplicationVulnerability --> 0..1 [softwareProduct] SoftwareProduct diff --git a/src/main/mal/coreLang.mal b/src/main/mal/coreLang.mal index 2696eca..d9c1e4a 100644 --- a/src/main/mal/coreLang.mal +++ b/src/main/mal/coreLang.mal @@ -19,6 +19,4 @@ include "DataResources.mal" include "IAM.mal" include "User.mal" include "Networking.mal" -include "coreVulnerability.mal" -include "SoftwareVulnerability.mal" -include "HardwareVulnerability.mal" +include "Vulnerability.mal" diff --git a/src/main/mal/coreVulnerability.mal b/src/main/mal/coreVulnerability.mal deleted file mode 100644 index 565b8a1..0000000 --- a/src/main/mal/coreVulnerability.mal +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * Copyright 2019-2022 coreLang contributors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -category Vulnerability { - - abstract asset Vulnerability - user info: "Vulnerability refers to the inability (of a unit or a system, application, etc.) to withstand the effects of a hostile environment." - { - # remove - user info: "If the remove defense is enabled the vulnerability will not be effective on the model." - -> abuse - - | attemptAbuse @hidden - developer info: "Intermediate attack step to allow for defenses." - -> abuse - - & abuse - user info: "The attacker is trying to abuse a vulnerability in an asset." - -> attemptExploit - - | attemptExploit @hidden - developer info: "Intermediate attack step to allow for defenses." - -> exploit - - | exploit - user info: "Attacker is employing an exploit that makes use of this vulnerability." - -> impact - - | impact - user info: "Each vulnerability has an impact (of different levels) on the vulnerable component." - } -} From a3365b27485692398d51c4edf1585ed9af335e99 Mon Sep 17 00:00:00 2001 
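Review bot: HardwareVulnerability (Vulnerability.mal hunk @@ -16,7 +16,89) redefines attemptExploit -> exploitTrivially, exploitWithEffort, the exploitWithEffort @hidden [Exponential(0.01)] step and impact -> read, modify, deny with exactly the bodies that SoftwareVulnerability already carries (visible in the earlier SoftwareVulnerability.mal hunk @@ -115). Now that both assets sit in one file under the abstract Vulnerability, hoist the shared attemptExploit/exploitTrivially/exploitWithEffort chain and the effort distribution into the base so a future tuning of the Exponential(0.01) TTC cannot drift between hardware and software vulnerabilities. Related consistency point in the same hunk: attemptExploit carries @Override while the redefined impact does not, although both replace a step declared on the abstract base; use one convention for overriding steps.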
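Review bot: In the associations hunk (@@ -137,6 +219,8) the added link is named hardwareVulnerability (lower-case) directly above ApplicationVulnerability (upper-case), and the two existing SoftwareVulnerability links both reuse the name ApplicationVulnerability even though the second targets SoftwareProduct. Since this patch is about uniformity, capitalise the new association name to match its neighbours (checking that the chosen name does not collide with the HardwareVulnerability asset name) and give the SoftwareProduct link its own name, e.g. SoftwareProductVulnerability, so the three associations are distinguishable in generated documentation.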
From: Sotirios Katsikeas Date: Fri, 4 Nov 2022 18:21:40 +0100 Subject: [PATCH 08/21] Changed the client/server nomenclature to ingoing/outgoing to match the ConnectionRule logic and be clearer Changed also the ClientAccess association to NetworkClientAccess to highlight the network aspect of the client --- src/main/mal/ComputeResources.mal | 14 +++++++------- src/main/mal/DataResources.mal | 4 ++-- src/main/mal/Networking.mal | 14 +++++++------- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 8457c7a..34630b5 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -192,8 +192,8 @@ category ComputeResources { let allVulnerabilities = vulnerabilities \/ appSoftProduct.softProductVulnerabilities let allApplicationConnections = (appConnections \/ outgoingAppConnections \/ ingoingAppConnections) - let clientApplicationConnections = (appConnections \/ outgoingAppConnections) - let serverApplicationConnections = (appConnections \/ ingoingAppConnections) + let outgoingApplicationConnections = (appConnections \/ outgoingAppConnections) + let ingoingApplicationConnections = (appConnections \/ ingoingAppConnections) # disabled [Disabled] user info: "If application is disabled it should behave as nonexistent, thus all attack vectors are removed." @@ -246,7 +246,7 @@ category ComputeResources { developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." -> networks.attemptReverseReach, clientAccessNetworks.attemptReverseReach, - serverApplicationConnections().attemptReverseReach, + ingoingApplicationConnections().attemptReverseReach, appExecutedApps.attemptReverseReach, attackerUnsafeUserActivityCapabilityWithReverseReach, containedData.attemptReverseReach, 
@@ -289,10 +289,10 @@ category ComputeResources { networks.accessInspected, clientAccessNetworks.accessUninspected, clientAccessNetworks.accessInspected, - clientApplicationConnections().attemptConnectToApplicationsUninspected, - clientApplicationConnections().attemptConnectToApplicationsInspected, - clientApplicationConnections().attemptAccessNetworksUninspected, - clientApplicationConnections().attemptAccessNetworksInspected + outgoingApplicationConnections().attemptConnectToApplicationsUninspected, + outgoingApplicationConnections().attemptConnectToApplicationsInspected, + outgoingApplicationConnections().attemptAccessNetworksUninspected, + outgoingApplicationConnections().attemptAccessNetworksInspected | attemptNetworkConnectFromResponse @hidden developer info: "Intermediate attack step to allow for defenses." diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index ec1fa15..a0d1927 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal @@ -124,8 +124,8 @@ category DataResources { | bypassPayloadInspectionFromEncryptedData @hidden developer info: "The connection rules that the encrypted data traverse over cannot provide payload inspection since they are assumed to permit encrypted traffic. This implies that the attacker could simply encrypt their own communications to evade inspection." - -> (senderApp.clientApplicationConnections() /\ transitNetwork.inboundAllowedConnections()).payloadInspectionBypassed, - (receiverApp.serverApplicationConnections() /\ transitNetwork.outboundAllowedConnections()).payloadInspectionBypassed + -> (senderApp.outgoingApplicationConnections() /\ transitNetwork.inboundAllowedConnections()).payloadInspectionBypassed, + (receiverApp.ingoingApplicationConnections() /\ transitNetwork.outboundAllowedConnections()).payloadInspectionBypassed & accessUnencryptedData @hidden developer info: "If data are unencrypted then access them." 
diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 36ac7ca..14f80d4 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal @@ -195,8 +195,8 @@ category Networking { developer info: "This asset is mainly used to model the functionality of a network connection through a firewall. If Data is added, then it also models the data in transit." { let allApplications = (applications \/ inApplications \/ outApplications) - let clientApplications = (applications \/ outApplications) - let serverApplications = (applications \/ inApplications) + let senderApplications = (applications \/ outApplications) + let receiverApplications = (applications \/ inApplications) # restricted [Disabled] user info: "The restricted defense can be used to probabilistically model the likelihood of both the protocols required by the attack being enabled or the existence of the ConnectionRule altogether." @@ -238,7 +238,7 @@ category Networking { & reverseReach @hidden developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." - -> clientApplications().attemptReverseReach, + -> senderApplications().attemptReverseReach, (networks \/ outNetworks).attemptReverseReach | attemptAccessNetworksUninspected @hidden 
@@ -282,12 +282,12 @@ category Networking { & connectToApplicationsUninspected @hidden developer info: "Connect to all the (server) Applications that are associated with this ConnectionRule, without any restriction due to inspection." - -> serverApplications().networkConnectUninspected, - serverApplications().networkConnectInspected + -> receiverApplications().networkConnectUninspected, + receiverApplications().networkConnectInspected & connectToApplicationsInspected @hidden developer info: "Connect to all the (server) Applications that are associated with this ConnectionRule, but taking into account that the traffic payload is being inspected. This attack step is used to allow legitimate traffic even when payload inspection is enabled on the connection." - -> serverApplications().networkConnectInspected + -> receiverApplications().networkConnectInspected | attemptDenialOfService @hidden developer info: "Intermediate attack step to allow for defenses and trigger bypasses." @@ -310,7 +310,7 @@ associations { user info: "An application can communicate / be exposed on a network." modeler info: "This is DEPRECATED and should only be used by fully aware modelers." developer info: "This can equivalently be modeled using a ConnectionRule but this direct approach should be prefered in the case where the application is “located” in the same network as the host on which it is running." - Network [clientAccessNetworks] * <-- ClientAccess --> * [clientApplications] Application + Network [clientAccessNetworks] * <-- NetworkClientAccess --> * [clientApplications] Application user info: "A client application can communicate over a network." Application [applications] * <-- ApplicationConnection --> * [appConnections] ConnectionRule user info: "An application can communicate over one or more (mesh type) bidirectional connections." From 5e01da6cff0ac127f446802a69dacb4480e5c152 Mon Sep 17 00:00:00 2001 
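Review bot: The rename introduces three vocabularies for the same direction: outgoingApplicationConnections/ingoingApplicationConnections in ComputeResources.mal (hunk @@ -192), senderApplications/receiverApplications in Networking.mal (hunk @@ -195), and the pre-existing inboundAllowedConnections()/outboundAllowedConnections() that appear as context in the DataResources.mal hunk (@@ -124). The commit message promises client/server becomes ingoing/outgoing; pick one pair (inbound/outbound already exists in the language and is standard networking wording) and apply it everywhere, so an expression such as (senderApp.outgoingApplicationConnections() /\ transitNetwork.inboundAllowedConnections()) does not force the reader to map between three term sets.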
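Review bot: Stale comments after the rename in Networking.mal hunk @@ -282: both connectToApplicationsUninspected and connectToApplicationsInspected keep developer info: "Connect to all the (server) Applications that are associated with this ConnectionRule, ..." while their reaches now use receiverApplications(); update "(server)" to the new wording in the same change. Similarly, in the associations hunk (@@ -310) clientAccessNetworks and clientApplications stay client-named after the link is renamed to NetworkClientAccess; if the client wording is deliberately retained there, say so in the modeler info so the mixed terminology does not read as an oversight.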
From: Andrei Buhaiu Date: Tue, 8 Nov 2022 22:39:43 +0100 Subject: [PATCH 09/21] Rename man-in-the-middle to adversary-in-the-middle. --- src/main/mal/DataResources.mal | 2 +- src/main/mal/Networking.mal | 42 +++++++++++++++++----------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index a0d1927..cb02bff 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal @@ -163,7 +163,7 @@ category DataResources { -> applicationRespondConnect & applicationRespondConnect @hidden - developer info: "If data is manInTheMiddled or the server side application is compromised, then respond connect to the client side application can be done." + developer info: "If data are adversaryInTheMiddled or the server side application is compromised, then respond connect to the client side application can be done." -> senderApp.attemptNetworkConnectFromResponse, containedData.applicationRespondConnect diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 14f80d4..cafa9b8 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
@@ -33,15 +33,15 @@ category Networking { attemptAccessUninspected, attemptAccessInspected, bypassEavesdropDefenseFromPhysicalAccess, - bypassManInTheMiddleDefenseFromPhysicalAccess + bypassAdversaryInTheMiddleDefenseFromPhysicalAccess | bypassEavesdropDefenseFromPhysicalAccess [VeryHardAndUncertain] user info: "The eavesdrop defense can be bypassed more easily if the attacker has physical access to the network. This attack step will add its impact to the unconditional bypass." -> eavesdropDefenseBypassed - | bypassManInTheMiddleDefenseFromPhysicalAccess [VeryHardAndUncertain] - user info: "The man in the middle defense can be bypassed more easily if the attacker has physical access to the network. This attack step will add its impact to the unconditional bypass." - -> manInTheMiddleDefenseBypassed + | bypassAdversaryInTheMiddleDefenseFromPhysicalAccess [VeryHardAndUncertain] + user info: "The adversary in the middle defense can be bypassed more easily if the attacker has physical access to the network. This attack step will add its impact to the unconditional bypass." + -> adversaryInTheMiddleDefenseBypassed # networkAccessControl user info: "Access control protects from unauthorized physical access on the network." @@ -121,7 +121,7 @@ category Networking { | accessNetworkData @hidden developer info: "Access also the data that are network-wide available." -> attemptEavesdrop, - attemptManInTheMiddle + attemptAdversaryInTheMiddle # eavesdropDefense user info: "This defense protects from eavesdrop attacks. If this defense is disabled, then it is equivalent to the network being considered a broadcast network." 
@@ -149,29 +149,29 @@ category Networking { user info: "An attacker that performs an eavesdrop attack on a network tries to access all the transferred data over that network." -> transitData.attemptRead - # manInTheMiddleDefense - user info: "This defense protects against man-in-the-middle (MitM) attacks that are originating either form the network layer (like ARP spoofing) or by manipulating the higher network layers (like DNS poisoning)." - -> manInTheMiddleDefenseBypassed + # adversaryInTheMiddleDefense + user info: "This defense protects against adversary-in-the-middle (AitM) attacks that are originating either form the network layer (like ARP spoofing) or by manipulating the higher network layers (like DNS poisoning)." + -> adversaryInTheMiddleDefenseBypassed - | bypassManInTheMiddleDefense [VeryHardAndUncertain] - user info: "The man in the middle defense can be bypassed." - -> manInTheMiddleDefenseBypassed + | bypassAdversaryInTheMiddleDefense [VeryHardAndUncertain] + user info: "The adversary in the middle defense can be bypassed." + -> adversaryInTheMiddleDefenseBypassed - | manInTheMiddleDefenseBypassed @hidden - developer info: "The man in the middle defense is bypassed either because it was not set, the attacker was able to circumvent it through additional effort." - -> successfulManInTheMiddle + | adversaryInTheMiddleDefenseBypassed @hidden + developer info: "The adversary in the middle defense is bypassed either because it was not set, the attacker was able to circumvent it through additional effort." + -> successfulAdversaryInTheMiddle - | attemptManInTheMiddle @hidden + | attemptAdversaryInTheMiddle @hidden developer info: "Intermediate attack step to allow for defenses and trigger bypasses." 
- -> successfulManInTheMiddle, - bypassManInTheMiddleDefense + -> successfulAdversaryInTheMiddle, + bypassAdversaryInTheMiddleDefense - & successfulManInTheMiddle @hidden + & successfulAdversaryInTheMiddle @hidden developer info: "Intermediate attack step to model defenses." - -> manInTheMiddle + -> adversaryInTheMiddle - | manInTheMiddle {C, I} - user info: "An attacker that performs a MitM attack on a network tries to read and modify all the transferred data over that network." + | adversaryInTheMiddle {C, I} + user info: "An attacker that performs a AitM attack on a network tries to read and modify all the transferred data over that network." -> eavesdrop, transitData.attemptWrite, transitData.attemptApplicationRespondConnect From 7f00eed0bdb2632dc519c7740124c1fccbba1c58 Mon Sep 17 00:00:00 2001 From: Sotirios Katsikeas Date: Fri, 11 Nov 2022 12:39:32 +0100 Subject: [PATCH 10/21] Renamed all "disabled" and "remove" defenses to "notPresent" for uniformity and clarity --- src/main/mal/ComputeResources.mal | 6 +++--- src/main/mal/IAM.mal | 4 ++-- src/main/mal/Vulnerability.mal | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 34630b5..3af1ba0 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal 
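Review bot: Since the affected lines in Networking.mal hunk @@ -149 are being rewritten anyway, fix the carried-over wording defects: "originating either form the network layer" should read "from"; "bypassed either because it was not set, the attacker was able to circumvent it" is missing "or because"; and the adversaryInTheMiddle {C, I} user info "performs a AitM attack" should be "performs an AitM attack".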
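Review bot: Renaming manInTheMiddle, attemptManInTheMiddle, successfulManInTheMiddle, bypassManInTheMiddleDefense, bypassManInTheMiddleDefenseFromPhysicalAccess and the defense manInTheMiddleDefense (hunks @@ -33, @@ -121, @@ -149) changes identifiers that any existing model or test outside this diff may reference by name; the commit message should flag the rename as breaking and list the old-to-new pairs so such models can be migrated in one pass.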
@@ -195,8 +195,8 @@ category ComputeResources { let outgoingApplicationConnections = (appConnections \/ outgoingAppConnections) let ingoingApplicationConnections = (appConnections \/ ingoingAppConnections) - # disabled [Disabled] - user info: "If application is disabled it should behave as nonexistent, thus all attack vectors are removed." + # notPresent [Disabled] + user info: "If application is notPresent it should behave as nonexistent, thus all attack vectors are removed." developer info: "This defense allows for both speculation about the presence of a particular application and to suggest that if it is possible removing it may restrict the attacker's actions." -> specificAccessFromLocalConnection, specificAccessFromNetworkConnection, @@ -571,7 +571,7 @@ category ComputeResources { asset IDPS extends Application user info: "An IDPS(Intrusion Detection and Prevention System) is tasked with protecting other applications from malicious activity, such as exploiting vulnerabilities or unsafe user actions." { - # disabled @Override @hidden [Disabled] + # notPresent @Override @hidden [Disabled] developer info: "It would be ideal to hide this defense when using modelling tools to avoid confusion." modeler info: "As per the comment for the effectiveness defense, the disabled defense does not function as desired for the IDPS asset and should not be used. The effectiveness defense should be adjusted to reflect the likelihood that the IDPS is present instead." diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index 29930fd..a8a5835 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal 
@@ -19,7 +19,7 @@ category IAM { abstract asset IAMObject extends Information user info: "An IAM object represents the base logic shared by all assets used for Identity and Access Management roles(Identity, Group, Privileges)." { - # disabled [Disabled] + # notPresent [Disabled] user info: "It should be used to model the probability that the IAM object does not actually exist." -> successfulAssume, successfulLockout @@ -70,7 +70,7 @@ category IAM { user info: "An identity models an IAM identity that should then be associated with privileges on other instances." developer info: "An identity can be visualised as a group of assumable roles that can be associated with many credentials." { - # disabled + # notPresent +> successfulLockoutFromCredentials | assume @Override {C,I,A} diff --git a/src/main/mal/Vulnerability.mal b/src/main/mal/Vulnerability.mal index d32e54e..4a19240 100644 --- a/src/main/mal/Vulnerability.mal +++ b/src/main/mal/Vulnerability.mal @@ -19,8 +19,8 @@ category Vulnerability { abstract asset Vulnerability user info: "Vulnerability refers to the inability (of a unit or a system, application, etc.) to withstand the effects of a hostile environment." { - # remove - user info: "If the remove defense is enabled the vulnerability will not be effective on the model." + # notPresent + user info: "If the notPresent defense is enabled the vulnerability will not be effective on the model." -> abuse | attemptAbuse @hidden From ae2dcfaf1e20632ef32051023f57a9bf52939c2f Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Wed, 9 Nov 2022 23:30:00 +0100 Subject: [PATCH 11/21] Add extra clarifying comments to vulnerabilities. --- src/main/mal/Vulnerability.mal | 161 +++++++++++++++++++++------------ 1 file changed, 103 insertions(+), 58 deletions(-) diff --git a/src/main/mal/Vulnerability.mal b/src/main/mal/Vulnerability.mal index 4a19240..894b3c0 100644 --- a/src/main/mal/Vulnerability.mal +++ b/src/main/mal/Vulnerability.mal 
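Review bot: Stale wording left behind by the rename in ComputeResources.mal hunk @@ -571: the IDPS modeler info context line still reads "the disabled defense does not function as desired for the IDPS asset and should not be used" although the defense is now notPresent; update it in this change so the comment matches the identifier it warns about. In hunk @@ -195 the new user info "If application is notPresent it should behave as nonexistent" embeds the identifier as prose; "If the application is not present (notPresent defense enabled) it should behave as nonexistent" reads better and mirrors the phrasing already used in Vulnerability.mal @@ -19 ("If the notPresent defense is enabled"). As with the other renames in this series, disabled/remove -> notPresent changes defense names that models reference, so the commit message should call it out as breaking.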
@@ -43,64 +43,18 @@ category Vulnerability { user info: "Each vulnerability has an impact (of different levels) on the vulnerable component." } - asset HardwareVulnerability extends Vulnerability - user info: "A vulnerability that affects hardware." - { - # confidentialityImpactLimitations @suppress [Disabled] - user info: "Limits the impact on confidentiality of the vulnerability." - modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." - -> read - - # availabilityImpactLimitations @suppress [Disabled] - user info: "Limits the impact on availability of the vulnerability." - modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." - -> deny - - # integrityImpactLimitations @suppress [Disabled] - user info: "Limits the impact on integrity of the vulnerability." - modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." - -> modify - - # effortRequiredToExploit @suppress [Disabled] - user info: "The vulnerability requires additional effort(time) from the attacker in order to be successful." - modeler info: "The expectation is that the attacker has prolonged or recurring access to the targeted hardware in order to repeatedly/continuously try the exploit." - -> exploitTrivially - - & read - user info: "The attacker can read some or all of the associated hardware's data." - -> hardware.read - - & modify - user info: "The attacker can modify some or all of the associated hardware's behaviour." - -> hardware.modify - - & deny - user info: "Denial-of-Service attack is an attack in which a machine or hardware component is rendered unavailable to its intended users by temporarily or indefinitely disrupting it." - -> hardware.deny - - | attemptExploit @hidden @Override - developer info: "Intermediate attack step to allow for defenses." 
- -> exploitTrivially, - exploitWithEffort - - & exploitTrivially @hidden - developer info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." - -> exploit - - & exploitWithEffort @hidden [Exponential(0.01)] - developer info: "The attacker must expend effort in order to successfully exploit the vulnerability." - -> exploit - - | impact @hidden - developer info: "The actual impact caused by successfully exploiting the vulnerability." - -> read, - modify, - deny - } - - asset SoftwareVulnerability extends Vulnerability + asset SoftwareVulnerability extends Vulnerability user info: "A vulnerability that affects software (i.e. Applications or SoftwareProducts)." + developer info: "Vulnerabilities in coreLang were designed to be in line with the 3.1 CVSS specification(https://www.first.org/cvss/specification-document#Common-Vulnerability-Scoring-System-version-3-1-Specification-Document). The defenses on the SoftwareVulnerability asset represent 7 of the base metrics scores, all of them except the scope metric. The temporal and environmental metrics are beyond the language's scope." { + /* The following 10 defenses are used to model the 7 metrics of the 3.1 + * CVSS specification that we cover. Network, local, and physical access + * are individual defenses in coreLang but they all form attack vector + * score for CVSS. Similarly, low and high privileges are individual + * defenses, but for CVSS they are one score. If a defense is disabled + * that means that the SoftwareVulnerability does not require the attacker + * to fulfil that requirement. + */ # networkAccessRequired @suppress [Disabled] user info: "Network access is required to abuse the vulnerability." modeler info: "https://www.first.org/cvss/v3.1/specification-document#2-1-1-Attack-Vector-AV" 
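Review bot: the new comment block in the SoftwareVulnerability hunk (@@ -43,64 +43,18) states that a disabled requirement defense means the attacker does not have to fulfil that requirement, and every requirement defense it introduces defaults to `[Disabled]` (for example `# networkAccessRequired @suppress [Disabled]`). An unannotated SoftwareVulnerability is therefore modelled as the worst case: reachable from any access level, with no privileges or user interaction needed. Say so explicitly in the asset's developer info, because a modeler who reads "defense disabled" as "no exposure" gets the opposite of the intended result. Minor: "3.1 CVSS specification(https://..." needs a space before the parenthesis, and "all of them except the scope metric" should name the seven covered base metrics (AV, AC, PR, UI, C, I, A) so the reader can check the count against the ten defenses.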
@@ -158,6 +112,11 @@ category Vulnerability { modeler info: "https://www.first.org/cvss/v3.1/specification-document#2-1-2-Attack-Complexity-AC" -> exploitTrivially + /* The following 10 attack steps are used to satisfy the requirements + * that the defenses above specify. They are used if the defense is not + * enabled or if the attacker is able to fulfil the requirement through + * their actions. + */ | networkAccessAchieved @hidden developer info: "Intermediate attack step to model network access requirement." -> abuse @@ -182,6 +141,16 @@ category Vulnerability { developer info: "Intermediate attack step to model user interaction requirement." -> abuse + | impact @hidden + developer info: "The actual impact caused by successfully exploiting the vulnerability." + -> read, + modify, + deny + + /* Impact attack steps, the ones that actually implement the disruptions + * based on the Confidentiality, Integrity, and Availability scores, + * respectively. + */ & read user info: "The attacker can read some or all of the associated applications's code and data." -> application.read, @@ -202,6 +171,9 @@ category Vulnerability { -> exploitTrivially, exploitWithEffort + /* These two attack steps are used to implement attacks of varying + * complexity based on the attack complexity CVSS score. + */ & exploitTrivially @hidden developer info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." -> exploit 
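Review bot: the `& read` context line in the @@ -182,6 +141,16 hunk reads "associated applications's code and data" (should be "application's"); since this patch is a clarity pass over the same file, fix the typo in the same change. The new comment above `& read` also says the impact steps implement disruptions "based on the Confidentiality, Integrity, and Availability scores", while the steps are actually gated by the corresponding `*ImpactLimitations` defenses; the HardwareVulnerability comment later in this patch phrases it correctly as "impact limitations", so use the same wording here.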
@@ -209,20 +181,93 @@ category Vulnerability { & exploitWithEffort @hidden [Exponential(0.01)] developer info: "The attacker must expend effort in order to successfully exploit the vulnerability." -> exploit + } + + /* Hardware vulnerabilities were created to be slightly simpler versions of + * their software counterparts. They are not based on a vulnerability + * framework, but are fairly similar to the CVSS specification since they + * were based on the SoftwareVulnerability design. + * + * What constitutes a software or hardware vulnerability in coreLang may not + * be immediately intuitive. The distinction is based on where the impact of + * the vulnerability is observed, rather than where the fault is located. + * For example, if a hardware vulnerability does not negatively impact + * hardware, but affects software applications running on said hardware it + * would be depicted as a SoftwareVulnerability with a PhysicalAccess + * requirement in coreLang. + * + * There is currently no way to represent a software vulnerability that + * leads to hardware damage as this is not seen as possible within the + * generic coreLang context. + */ + asset HardwareVulnerability extends Vulnerability + user info: "A vulnerability that affects hardware." + { + # confidentialityImpactLimitations @suppress [Disabled] + user info: "Limits the impact on confidentiality of the vulnerability." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." + -> read + + # availabilityImpactLimitations @suppress [Disabled] + user info: "Limits the impact on availability of the vulnerability." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." + -> deny + + # integrityImpactLimitations @suppress [Disabled] + user info: "Limits the impact on integrity of the vulnerability." + modeler info: "Analogous defense to the SoftwareVulnerability impact limitations." 
+ -> modify + + # effortRequiredToExploit @suppress [Disabled] + user info: "The vulnerability requires additional effort(time) from the attacker in order to be successful." + modeler info: "The expectation is that the attacker has prolonged or recurring access to the targeted hardware in order to repeatedly/continuously try the exploit." + -> exploitTrivially | impact @hidden developer info: "The actual impact caused by successfully exploiting the vulnerability." -> read, modify, deny + + /* Impact attack steps, the ones that actually implement the disruptions + * based on the Confidentiality, Integrity, and Availability impact + * limitations, respectively. + */ + & read + user info: "The attacker can read some or all of the associated hardware's data." + -> hardware.read + + & modify + user info: "The attacker can modify some or all of the associated hardware's behaviour." + -> hardware.modify + + & deny + user info: "Denial-of-Service attack is an attack in which a machine or hardware component is rendered unavailable to its intended users by temporarily or indefinitely disrupting it." + -> hardware.deny + + | attemptExploit @hidden @Override + developer info: "Intermediate attack step to allow for defenses." + -> exploitTrivially, + exploitWithEffort + + /* These two attack steps are used to implement attacks of varying + * complexity based on the effort required to exploit defense. + */ + & exploitTrivially @hidden + developer info: "The exploit is trivial and requires insignificant effort from the attacker in order to be successful." + -> exploit + + & exploitWithEffort @hidden [Exponential(0.01)] + developer info: "The attacker must expend effort in order to successfully exploit the vulnerability." + -> exploit } } associations { - HardwareVulnerability [vulnerabilities] * <-- hardwareVulnerability --> 0..1 [hardware] Hardware - user info: "A Hardware system/component can have multiple hardware vulnerabilities." 
SoftwareVulnerability [vulnerabilities] * <-- ApplicationVulnerability --> 0..1 [application] Application user info: "An Application can have multiple software vulnerabilities." SoftwareVulnerability [softProductVulnerabilities] * <-- ApplicationVulnerability --> 0..1 [softwareProduct] SoftwareProduct user info: "A SoftwareProduct can have multiple software vulnerabilities." + HardwareVulnerability [vulnerabilities] * <-- hardwareVulnerability --> 0..1 [hardware] Hardware + user info: "A Hardware system/component can have multiple hardware vulnerabilities." } From 52d56123ad5254ff6357ce9bdfe1643602316952 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Thu, 10 Nov 2022 10:51:55 +0100 Subject: [PATCH 12/21] Remove unused allApplicationConnections and rename denialOfService to deny for uniformity. --- src/main/mal/ComputeResources.mal | 1 - src/main/mal/Networking.mal | 22 +++++++++++----------- 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 3af1ba0..74f4a09 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -191,7 +191,6 @@ category ComputeResources { { let allVulnerabilities = vulnerabilities \/ appSoftProduct.softProductVulnerabilities - let allApplicationConnections = (appConnections \/ outgoingAppConnections \/ ingoingAppConnections) let outgoingApplicationConnections = (appConnections \/ outgoingAppConnections) let ingoingApplicationConnections = (appConnections \/ ingoingAppConnections) diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index cafa9b8..594542d 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
@@ -29,7 +29,7 @@ category Networking { | physicalAccess @entrypoint {C, A} user info: "Attacker has physical access on the network. This means they can cut wires/fibers, connect using iLOs, eavesdrop and get proper network access." modeler info: "This attack step can be used as an entry point when analyzing scenarios that involve gaining physical access to assets." - -> denialOfService, + -> deny, attemptAccessUninspected, attemptAccessInspected, bypassEavesdropDefenseFromPhysicalAccess, @@ -82,7 +82,7 @@ category Networking { attemptReverseReach, clientApplications.attemptNetworkConnectFromResponse, accessNetworkData, - denialOfService + deny | accessInspected user info: "Inspected access provides connect to all reachable applications, but with limitations." @@ -90,7 +90,7 @@ category Networking { applications.networkConnectInspected, networkForwardingInspected, accessNetworkData, - denialOfService + deny | attemptReverseReach @hidden developer info: "Intermediate attack step to allow for defenses." @@ -113,9 +113,9 @@ category Networking { -> outboundAllowedConnections().attemptAccessNetworksInspected, outboundAllowedConnections().attemptConnectToApplicationsInspected - | denialOfService {A} + | deny {A} user info: "If a DoS is performed it affects, the applications communicating over the network as well as the connected application." - -> allNetConnections().attemptDenialOfService, + -> allNetConnections().attemptDeny, allowedApplicationConnectionsApplications().denyFromNetworkingAsset | accessNetworkData @hidden 
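Review bot: renaming `denialOfService` to `deny` on Network in the @@ -113 hunk (and `attemptDenialOfService` to `attemptDeny` in the RoutingFirewall and ConnectionRule hunks that follow) changes model-visible attack step names, but the diffstat for this patch lists only ComputeResources.mal and Networking.mal, so any model or test that references the old names will no longer resolve. Grep the test tree and state the breaking rename in the commit message. Minor: the `deny {A}` user info carried over from the old step reads "If a DoS is performed it affects, the applications communicating over the network" with a stray comma; fix it while the step is being edited.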
@@ -180,9 +180,9 @@ category Networking { asset RoutingFirewall extends Application user info: "A routing firewall specifies a router with firewall capabilities that connects many networks." { - | denialOfService {A} + | deny {A} user info: "A DoS attack should cascade on the connected networks and associated connections" - -> connectionRules.attemptDenialOfService + -> connectionRules.attemptDeny | fullAccess {I, A} developer info: "If full access is achieved on RoutingFirewall then it is 0wned and all connections can be allowed! This can happen by compromising the manager application." @@ -212,7 +212,7 @@ category Networking { successfulAccessNetworksInspected, connectToApplicationsUninspected, connectToApplicationsInspected, - denialOfService, + deny, reverseReach # payloadInspection [Disabled] @@ -289,12 +289,12 @@ category Networking { developer info: "Connect to all the (server) Applications that are associated with this ConnectionRule, but taking into account that the traffic payload is being inspected. This attack step is used to allow legitimate traffic even when payload inspection is enabled on the connection." -> receiverApplications().networkConnectInspected - | attemptDenialOfService @hidden + | attemptDeny @hidden developer info: "Intermediate attack step to allow for defenses and trigger bypasses." - -> denialOfService, + -> deny, bypassRestricted - & denialOfService {A} + & deny {A} user info: "If a connection rule is denied it affects the applications communicating over it." -> allApplications().denyFromNetworkingAsset } From 7fa2d51941f7a2a5d02b713c18ae20c27cfbf7ed Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Tue, 15 Nov 2022 12:09:16 +0100 Subject: [PATCH 13/21] Small rewordings to make the notPresent defence uniform. --- src/main/mal/ComputeResources.mal | 4 ++-- src/main/mal/DataResources.mal | 20 ++++++++++---------- src/main/mal/IAM.mal | 2 +- src/main/mal/Vulnerability.mal | 2 +- 4 files changed, 14 insertions(+), 14 deletions(-) 
diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 74f4a09..7923e0d 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -572,11 +572,11 @@ category ComputeResources { { # notPresent @Override @hidden [Disabled] developer info: "It would be ideal to hide this defense when using modelling tools to avoid confusion." - modeler info: "As per the comment for the effectiveness defense, the disabled defense does not function as desired for the IDPS asset and should not be used. The effectiveness defense should be adjusted to reflect the likelihood that the IDPS is present instead." + modeler info: "As per the comment for the effectiveness defense, the notPresent defense does not function as desired for the IDPS asset and should not be used. The effectiveness defense should be adjusted to reflect the likelihood that the IDPS is present instead." # effectiveness [Enabled] user info: "The effectiveness defense represents how capable the IDPS is to prevent disruptions from occurring on the associated applications." - modeler info: "The disabled defense should inversely impact the effectiveness defense. However, because this is not currently implemented in coreLang it is up to the modeler to properly take this into account when setting the values of these defenses." + modeler info: "The notPresent defense should inversely impact the effectiveness defense. However, because this is not currently implemented in coreLang it is up to the modeler to properly take this into account when setting the values of these defenses." -> effectivenessBypassed | bypassEffectiveness [VeryHardAndUncertain] diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index cb02bff..668ab8d 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal 
@@ -91,6 +91,16 @@ category DataResources { asset Data user info: "Any form of data that can be stored or transmitted." { + # notPresent [Disabled] + user info: "It should be used to model the probability of data actually not existing on the associated container (i.e. Hardware, Application, Network, etc.)." + developer info: "This attack step is in series with the 'accessUnencryptedData' attack step because there is no reason to defend encrypted data (or deny them) if they do not exist..." + -> access, + applicationRespondConnect, + successfulRead, + successfulWrite, + successfulDeny, + successfulDelete + | attemptAccess @hidden developer info: "Intermediate attack step to allow for defenses." -> access @@ -148,16 +158,6 @@ category DataResources { successfulWrite, successfulDelete - # dataNotPresent [Disabled] - user info: "It should be used to model the probability of data actually not existing on the associated container (i.e. Hardware, Application, Network, etc.)." - developer info: "This attack step is in series with the 'accessUnencryptedData' attack step because there is no reason to defend encrypted data (or deny them) if they do not exist..." - -> access, - applicationRespondConnect, - successfulRead, - successfulWrite, - successfulDeny, - successfulDelete - | attemptApplicationRespondConnect @hidden developer info: "Intermediate attack step to handle defenses." -> applicationRespondConnect diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index a8a5835..5deaff3 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal @@ -70,7 +70,7 @@ category IAM { user info: "An identity models an IAM identity that should then be associated with privileges on other instances." developer info: "An identity can be visualised as a group of assumable roles that can be associated with many credentials." { - # notPresent + # notPresent [Disabled] +> successfulLockoutFromCredentials | assume @Override {C,I,A} 
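Review bot: the `# notPresent` developer info moved in the DataResources hunk (@@ -91,6 +91,16) still says "This attack step is in series with the 'accessUnencryptedData' attack step": it is a defense, not an attack step, and `accessUnencryptedData` is not among its targets (`access, applicationRespondConnect, successfulRead, successfulWrite, successfulDeny, successfulDelete`), so the sentence is stale and should describe what the defense actually disables. Also, `dataNotPresent` to `notPresent` is a model-visible identifier rename that the commit message ("Small rewordings") does not mention; call it out there.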
diff --git a/src/main/mal/Vulnerability.mal b/src/main/mal/Vulnerability.mal index 894b3c0..92908b7 100644 --- a/src/main/mal/Vulnerability.mal +++ b/src/main/mal/Vulnerability.mal @@ -19,7 +19,7 @@ category Vulnerability { abstract asset Vulnerability user info: "Vulnerability refers to the inability (of a unit or a system, application, etc.) to withstand the effects of a hostile environment." { - # notPresent + # notPresent [Disabled] user info: "If the notPresent defense is enabled the vulnerability will not be effective on the model." -> abuse From 4d6fe6057ae61f5326759d5e222af8b75128e0bd Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Tue, 15 Nov 2022 18:02:42 +0100 Subject: [PATCH 14/21] Make sure i.e. and e.g. are used properly and follow the same style. --- src/main/mal/IAM.mal | 6 +++--- src/main/mal/Networking.mal | 2 +- src/main/mal/User.mal | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index 5deaff3..cc2c001 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal @@ -112,7 +112,7 @@ category IAM { modeler info: "Groups can be used instead of nested identities to make the model more intuitive and clearer to understand." { | assume @Override {C,I,A} - user info: "If an identity of a group is compromised then the whole group (i.e. all other privileges of the group) should be considered as compromised. Furthermore, the parent groups should also be considered compromised." + user info: "If an identity of a group is compromised then the whole group(i.e. all other privileges of the group) should be considered as compromised. Furthermore, the parent groups should also be considered compromised." developer info: "The parent groups should be compromised because all the privileges of the parent groups are inherited on the children groups but lower children groups should not be compromised because lower levels might have inherited plus additional privileges." +> parentGroup.attemptAssume 
@@ -130,7 +130,7 @@ category IAM { -> useLeakedCredentials # notGuessable [Enabled] - user info: "Describes if the credentials can be guessed by the attacker(e. g. they represent a password or passphrase)." + user info: "Describes if the credentials can be guessed by the attacker(i.e. they represent a password or passphrase)." -> guessCredentials # unique [Enabled] @@ -139,7 +139,7 @@ category IAM { propagateOneCredentialCompromised # notPhishable [Disabled] - user info: "Describes if the credentials cannot be phished(they are biometric, e. g. fingerprints or iris scans, or physical, e. g. access cards or keys, elements)." + user info: "Describes if the credentials cannot be phished(they are biometric, e.g. fingerprints or iris scans, or physical, e.g. access cards or keys, elements)." -> credentialTheft | read @Override diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 594542d..7371af4 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal @@ -216,7 +216,7 @@ category Networking { reverseReach # payloadInspection [Disabled] - user info: "If enabled, then the traffic is considered to be inspected and filtered by an IDPS that can detect and stop malicious payloads, effectively allowing only legitimate communication(i. e. network-level vulnerabilities cannot be exploited, unsafe actions that the user may taken that would benefit the attacker are also prevented)." + user info: "If enabled, then the traffic is considered to be inspected and filtered by an IDPS that can detect and stop malicious payloads, effectively allowing only legitimate communication(i.e. network-level vulnerabilities cannot be exploited, unsafe actions that the user may taken that would benefit the attacker are also prevented)." -> payloadInspectionBypassed | bypassPayloadInspection [VeryHardAndUncertain] diff --git a/src/main/mal/User.mal b/src/main/mal/User.mal index 8574a37..d0032ab 100644 --- a/src/main/mal/User.mal +++ b/src/main/mal/User.mal 
@@ -71,7 +71,7 @@ category User { unsafeUserActivity | attemptDeliverMaliciousRemovableMedia @entrypoint - user info: "An attacker can try to deliver a removable media drive(e.g. USB drive) containing malicious code to a location accessible to the target users." + user info: "An attacker can try to deliver a removable media drive(i.e. USB drive) containing malicious code to a location accessible to the target users." developer info: "Intermediate attack step to allow for defenses and trigger bypasses." modeler info: "Social engineering is modeled by having the attacker trigger this attack step on hthe target Users." -> successfulDeliverMaliciousRemovableMedia, From 2f9133d696a7e8f78782c51f68bb04a05286171e Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Wed, 16 Nov 2022 22:22:29 +0100 Subject: [PATCH 15/21] Remove full access from software product vulnerability, it already uses modify which is the preferred way. --- src/main/mal/ComputeResources.mal | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 7923e0d..6f694ae 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -201,7 +201,6 @@ category ComputeResources { specificAccessFromNetworkConnection, localAccess, networkAccess, - fullAccessFromSoftProdVulnerability, readFromSoftProdVulnerability, modifyFromSoftProdVulnerability, denyFromSoftProdVulnerability, @@ -226,7 +225,6 @@ category ComputeResources { developer info: "This includes vulnerabilities associated with the SoftwareProduct that this Application is running as well." -> allVulnerabilities().attemptAbuse, attemptSoftwareProductAbuse, - fullAccessFromSoftProdVulnerability, readFromSoftProdVulnerability, modifyFromSoftProdVulnerability, denyFromSoftProdVulnerability 
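Review bot: the `e.g.` to `i.e.` swaps in the User.mal hunk (@@ -71) and in the `notGuessable` hunk of IAM.mal (@@ -130) invert the meaning: a USB drive is one example of a removable media drive, and a password or passphrase is one example of guessable credentials, so both should stay `e.g.` (the `notPhishable` hunk, which keeps `e.g.` for fingerprints and access cards, has it right). Only the spacing normalisation ("e. g." to "e.g.", "i. e." to "i.e.") belongs in a patch with this title. Context lines next to these changes still carry "on hthe target Users" and "unsafe actions that the user may taken"; fix them in the same pass.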
@@ -440,8 +438,7 @@ category ComputeResources { E softwareCheck @hidden developer info: "Only enable the following attacks steps if a SoftwareProduct is associated with this Application." <- appSoftProduct - -> fullAccessFromSoftProdVulnerability, - readFromSoftProdVulnerability, + -> readFromSoftProdVulnerability, modifyFromSoftProdVulnerability, denyFromSoftProdVulnerability @@ -485,15 +482,10 @@ category ComputeResources { & softwareProductAbuse @hidden developer info: "Intermediate attack step used to conditionally trigger SoftwareProduct vulnerabilities separately for each application." - -> fullAccessFromSoftProdVulnerability, - readFromSoftProdVulnerability, + -> readFromSoftProdVulnerability, modifyFromSoftProdVulnerability, denyFromSoftProdVulnerability - & fullAccessFromSoftProdVulnerability @hidden - developer info: "Intermediate attack step to handle SoftwareProduct existence." - -> fullAccess - & readFromSoftProdVulnerability @hidden developer info: "Intermediate attack step to handle SoftwareProduct existence." -> attemptRead From 6f8b34fc22062cd5f55d3bb95ba018550357c2b9 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Wed, 16 Nov 2022 23:01:34 +0100 Subject: [PATCH 16/21] Use uniform info texts for notPresent defences and make sure they prevent all of the relevant attack steps. --- src/main/mal/ComputeResources.mal | 11 +++++++---- src/main/mal/DataResources.mal | 8 +++++--- src/main/mal/IAM.mal | 10 +++++++++- src/main/mal/Vulnerability.mal | 3 ++- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 6f694ae..d507f34 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal 
@@ -195,17 +195,20 @@ category ComputeResources { let ingoingApplicationConnections = (appConnections \/ ingoingAppConnections) # notPresent [Disabled] - user info: "If application is notPresent it should behave as nonexistent, thus all attack vectors are removed." + user info: "This defense is used to reason about the attack vectors introduced by this asset. It should be used to model the possibility that the Application does not actually exist. Typically this is useful to see what attack steps are removed if a particular non-essential component(e.g. a plugin, library, feature, or service)." developer info: "This defense allows for both speculation about the presence of a particular application and to suggest that if it is possible removing it may restrict the attacker's actions." - -> specificAccessFromLocalConnection, + -> successfulUseVulnerability, + successfulReverseReach, + networkConnectFromResponse, + specificAccessFromLocalConnection, specificAccessFromNetworkConnection, localAccess, networkAccess, + successfulUnsafeUserActivity, + fullAccessFromSupplyChainCompromise, readFromSoftProdVulnerability, modifyFromSoftProdVulnerability, denyFromSoftProdVulnerability, - successfulReverseReach, - successfulUseVulnerability, successfulApplicationRespondConnectThroughData, successfulRead, successfulModify, diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index 668ab8d..3ac23c8 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal 
@@ -92,14 +92,16 @@ category DataResources { user info: "Any form of data that can be stored or transmitted." { # notPresent [Disabled] - user info: "It should be used to model the probability of data actually not existing on the associated container (i.e. Hardware, Application, Network, etc.)." - developer info: "This attack step is in series with the 'accessUnencryptedData' attack step because there is no reason to defend encrypted data (or deny them) if they do not exist..." + user info: "This defense is used to reason about the attack vectors introduced by this asset. It should be used to model the possibility of data not existing on the associated container (i.e. Hardware, Application, Network, etc.)." + developer info: "Enabling this defense should make the asset behave as if it did not exist, as such all of its impactful attack steps should be disabled by it." -> access, applicationRespondConnect, successfulRead, successfulWrite, successfulDeny, - successfulDelete + successfulDelete, + reverseReach, + extract | attemptAccess @hidden developer info: "Intermediate attack step to allow for defenses." diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index cc2c001..fc60246 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal @@ -20,7 +20,8 @@ category IAM { user info: "An IAM object represents the base logic shared by all assets used for Identity and Access Management roles(Identity, Group, Privileges)." { # notPresent [Disabled] - user info: "It should be used to model the probability that the IAM object does not actually exist." + user info: "This defense is used to reason about the attack vectors introduced by this asset. It should be used to model the possibility that the IAM object does not actually exist." + developer info: "Enabling this defense should make the asset behave as if it did not exist, as such all of its impactful attack steps should be disabled by it." -> successfulAssume, successfulLockout 
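Review bot: the new `# notPresent` user info in the ComputeResources hunk (@@ -195,17 +195,20) ends with an unfinished sentence: "...what attack steps are removed if a particular non-essential component(e.g. a plugin, library, feature, or service)." has no predicate (for example "is not present"), and also needs a space before the parenthesis. In the same hunk, `successfulReverseReach` and `successfulUseVulnerability` are only moved to the top of the target list; the reorder adds no behaviour and makes it harder to see that the real change is the addition of `successfulUnsafeUserActivity` and `fullAccessFromSupplyChainCompromise`, so either keep the old order or mention the reordering in the commit message.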
@@ -71,6 +72,8 @@ category IAM { developer info: "An identity can be visualised as a group of assumable roles that can be associated with many credentials." { # notPresent [Disabled] + user info: "This defense is used to reason about the attack vectors introduced by this asset. It should be used to model the possibility that the Identity does not actually exist." + developer info: "Enabling this defense should make the asset behave as if it did not exist, as such all of its impactful attack steps should be disabled by it." +> successfulLockoutFromCredentials | assume @Override {C,I,A} @@ -111,6 +114,11 @@ category IAM { user info: "A group is a way to group together identities and/or other groups. This allows the expression of hierarchical IAM (structured inheritance)." modeler info: "Groups can be used instead of nested identities to make the model more intuitive and clearer to understand." { + # notPresent [Disabled] + user info: "This defense is used to reason about the attack vectors introduced by this asset. It should be used to model the possibility that the Group does not actually exist." + developer info: "Enabling this defense should make the asset behave as if it did not exist, as such all of its impactful attack steps should be disabled by it." + +> lockoutFromMembers + | assume @Override {C,I,A} user info: "If an identity of a group is compromised then the whole group(i.e. all other privileges of the group) should be considered as compromised. Furthermore, the parent groups should also be considered compromised." developer info: "The parent groups should be compromised because all the privileges of the parent groups are inherited on the children groups but lower children groups should not be compromised because lower levels might have inherited plus additional privileges." diff --git a/src/main/mal/Vulnerability.mal b/src/main/mal/Vulnerability.mal index 92908b7..948f826 100644 --- a/src/main/mal/Vulnerability.mal +++ b/src/main/mal/Vulnerability.mal 
@@ -20,7 +20,8 @@ category Vulnerability { user info: "Vulnerability refers to the inability (of a unit or a system, application, etc.) to withstand the effects of a hostile environment." { # notPresent [Disabled] - user info: "If the notPresent defense is enabled the vulnerability will not be effective on the model." + user info: "This defense is used to reason about the attack vectors introduced by this asset. This is particularly useful for vulnerabilities where it is common to explore the possibility of patching them out." + developer info: "Enabling this defense should make the asset behave as if it did not exist, as such all of its impactful attack steps should be disabled by it." -> abuse | attemptAbuse @hidden From c99664d9c39b85bf54a696109c362b21b6d05251 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Thu, 17 Nov 2022 13:11:57 +0100 Subject: [PATCH 17/21] Remove unnecessary attack steps and defences. --- src/main/mal/ComputeResources.mal | 12 +----- src/main/mal/DataResources.mal | 28 ++------------ src/main/mal/IAM.mal | 38 +++++-------------- src/main/mal/User.mal | 4 -- .../mal_lang/corelang/test/IdentityTest.java | 2 +- 5 files changed, 17 insertions(+), 67 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index d507f34..71568c0 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal 
@@ -45,14 +45,6 @@ category ComputeResources { developer info: "Try to spread malware through removable media that the users connect to the hardware system." -> (users \/ physicalZones.users).attemptDeliverMaliciousRemovableMedia - | attemptFullAccess @hidden - developer info: "Intermediate attack step to allow for defenses." - -> successfulFullAccess - - & successfulFullAccess @hidden - developer info: "Intermediate attack step to model defenses." - -> fullAccess - | fullAccess {C,I,A} user info: "Full access on a piece of hardware grants full access on the applications running on it and access to the hosted data." -> sysExecutedApps.fullAccess, @@ -73,7 +65,7 @@ category ComputeResources { | supplyChainAttack [VeryHardAndUncertain] user info: "A supply chain compromise means that the attacker has gained full access of the hardware." modeler info: "The Hardware supply chain attack represents an attacker being able to tamper with the hardware/firmware before the deployment of the product and not alterations made to the hardware/firmware once it is operating." - -> attemptFullAccess + -> fullAccess # supplyChainAuditing user info: "Auditing inside the hardware supply chain can detect possible supply chain attacks." @@ -151,7 +143,7 @@ category ComputeResources { | modify {I} user info: "Modify on hardware gives the attacker full access to the hardware and leads to a modify/write on all the applications running on it and hosted data." - -> attemptFullAccess, + -> fullAccess, sysExecutedApps.attemptModify, hostedData.attemptWrite } diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index 3ac23c8..756277e 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal 
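Review bot: dropping `attemptFullAccess` and `successfulFullAccess` removes the only intermediate step between `supplyChainAttack`/`modify` and `fullAccess`, so any defense that previously cut that chain can no longer do so. The hunk shows the `# supplyChainAuditing` defense directly below `supplyChainAttack` but not its reaches; if it pointed at `successfulFullAccess`, it must be retargeted in this commit or the language will not compile. Also grep the rest of the language and the test models for `attemptFullAccess`, since the diffstat for this commit touches only ComputeResources.mal, DataResources.mal, IAM.mal, User.mal and IdentityTest.java.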
@@ -49,42 +49,22 @@ category DataResources { // The following 10 attack steps are used to implement data replication | attemptReadFromReplica @hidden developer info: "Reading one replica allows the attacker to read all other replicas as well since the information contained in them is the same." - -> successfulReadFromReplica + -> read & attemptWriteFromReplica @hidden developer info: "Information can be overwritten only if all replicas have been overwritten." - -> successfulWriteFromReplica + -> write & attemptDeleteFromReplica @hidden developer info: "Information can be deleted only if all replicas have been deleted." - -> successfulDeleteFromReplica + -> delete & attemptDenyFromReplica @hidden developer info: "Information can be denied only if all replicas have been denied." - -> successfulDenyFromReplica + -> deny | attemptExtractFromReplica @hidden developer info: "The attacker attempts to extract the information." - -> successfulExtractFromReplica - - & successfulReadFromReplica @hidden - developer info: "Intermediate attack step to model defenses." - -> read - - & successfulWriteFromReplica @hidden - developer info: "Intermediate attack step to model defenses." - -> write - - & successfulDeleteFromReplica @hidden - developer info: "Intermediate attack step to model defenses." - -> delete - - & successfulDenyFromReplica @hidden - developer info: "Intermediate attack step to model defenses." - -> deny - - & successfulExtractFromReplica @hidden - developer info: "Intermediate attack step to model defenses." -> extract } diff --git a/src/main/mal/IAM.mal b/src/main/mal/IAM.mal index fc60246..4c8963b 100644 --- a/src/main/mal/IAM.mal +++ b/src/main/mal/IAM.mal 
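Review bot: the context line `// The following 10 attack steps are used to implement data replication` is now stale, since the five `successful*FromReplica` steps are deleted and only five remain; update the comment in this commit rather than leaving it wrong. Semantics are otherwise preserved: the `&` on `attemptWriteFromReplica`, `attemptDeleteFromReplica` and `attemptDenyFromReplica` still enforces the all-replicas condition, and each removed `successful*` step had only the matching `attempt*` step as its visible parent.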
@@ -71,24 +71,15 @@ category IAM { user info: "An identity models an IAM identity that should then be associated with privileges on other instances." developer info: "An identity can be visualised as a group of assumable roles that can be associated with many credentials." { - # notPresent [Disabled] - user info: "This defense is used to reason about the attack vectors introduced by this asset. It should be used to model the possibility that the Identity does not actually exist." - developer info: "Enabling this defense should make the asset behave as if it did not exist, as such all of its impactful attack steps should be disabled by it." - +> successfulLockoutFromCredentials - | assume @Override {C,I,A} user info: "After authentication or compromise of an account/identity, assume its privileges." developer info: "This is both legitimate and illegitimate access! Also assume all the privileges of the parent identities (on the above level/inherited by this identity) because those represent the group of (inherited) roles." +> parentId.attemptAssume, memberOf.attemptAssume - & attemptLockoutFromCredentials @hidden + & lockoutFromCredentials @hidden developer info: "Only lockout an identity if all of the Credentials that could be used to authenticate have been denied." - -> successfulLockoutFromCredentials - - & successfulLockoutFromCredentials @hidden - developer info: "Intermediate attack step to model defenses." - -> lockout + -> attemptLockout | lockout user info: "If all of the Identities belonging to a Group are lockedout we assume that the Group as a whole is lockedout." 
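Review bot: `lockoutFromCredentials` now reaches `attemptLockout`, but the only lockout step visible on Identity in this hunk is `| lockout`; confirm `attemptLockout` is declared on Identity (or point the reach at `lockout`, as the removed `successfulLockoutFromCredentials` did), otherwise this will not compile. Unrelated to the change but in the same context: the user info on `lockout` describes Group behaviour ("If all of the Identities belonging to a Group are lockedout ...") although it sits on the Identity asset; worth correcting while here.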
@@ -114,11 +105,6 @@ category IAM { user info: "A group is a way to group together identities and/or other groups. This allows the expression of hierarchical IAM (structured inheritance)." modeler info: "Groups can be used instead of nested identities to make the model more intuitive and clearer to understand." { - # notPresent [Disabled] - user info: "This defense is used to reason about the attack vectors introduced by this asset. It should be used to model the possibility that the Group does not actually exist." - developer info: "Enabling this defense should make the asset behave as if it did not exist, as such all of its impactful attack steps should be disabled by it." - +> lockoutFromMembers - | assume @Override {C,I,A} user info: "If an identity of a group is compromised then the whole group(i.e. all other privileges of the group) should be considered as compromised. Furthermore, the parent groups should also be considered compromised." developer info: "The parent groups should be compromised because all the privileges of the parent groups are inherited on the children groups but lower children groups should not be compromised because lower levels might have inherited plus additional privileges." 
@@ -152,19 +138,19 @@ category IAM { | read @Override user info: "If the attacker is able to read the information containing credentials we assume that they are compromised." - +> attemptUse + +> use | write @Override user info: "If the attacker is able to write the information containing credentials we assume that they have changed them for the authentication process." - +> attemptUse + +> use | deny @Override user info: "If the attacker is able to deny the information containing credentials we assume that they have denied them for the authentication process." - +> identities.attemptLockoutFromCredentials + +> identities.lockoutFromCredentials | useLeakedCredentials [EasyAndCertain] user info: "If the password/credential is leaked to some location, it can then be available to the attacker and therefore it can be used." - -> attemptUse + -> use | attemptCredentialsReuse @hidden developer info: "Intermediate attack step to allow for defenses." @@ -173,20 +159,16 @@ category IAM { & credentialsReuse @hidden developer info: "The user is reusing credentials which means that the attacker is able to compromise all of the non-unique credentials associated with this user." - -> attemptUse - - | attemptUse @hidden - developer info: "Intermediate attack step to allow for defenses." -> use - & use {C} + | use {C} user info: "The attacker is using the credentials to perform a legitimate authentication." -> identities.attemptAssume, encryptedData.accessDecryptedData, signedData.accessSpoofedData, attemptPropagateOneCredentialCompromised, credentials.use, - hashes.attemptUse, + hashes.use, origCreds.guessCredentialsFromHash | attemptPropagateOneCredentialCompromised @hidden 
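Review bot: switching `& use {C}` to `| use {C}` is the right call once `attemptUse` is gone, since `use` now has several independent parents (`read`, `write`, `useLeakedCredentials`, `credentialsReuse`, and the theft and guess steps) and an AND step would otherwise require all of them. Two follow-ups: `attemptCredentialsReuse @hidden` keeps the developer info "Intermediate attack step to allow for defenses." and is retained while the analogous `attemptUse` is removed, so either a defense still hooks into it (say which) or it should go too; and `hashes.use` assumes the `hashes` association target declares `use` with no intermediate step, which holds only if that target is also Credentials.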
@@ -204,7 +186,7 @@ category IAM { & credentialTheft @hidden developer info: "The attacker is able to steal the credentials." - -> attemptUse + -> use !E missingIdentity @hidden developer info: "If there are no Identities asociated with these Credentials we make the worst case scenario assumption regarding the strength of the Credentials." @@ -228,7 +210,7 @@ category IAM { & guessCredentials @hidden [HardAndUncertain] developer info: "The attacker can try to just guess a set of credentials. The likelihood of succeeding is dependent on how strong the credentials are." modeler info: "The guessability of the Credentials is influenced by the notGuessable defense on this asset and the securityAwareness defense on the User associated with the Identity that these Credentials belong to. If either the User or Identity associations are missing the assumption is made that the crentials are guessable and only the notGuessable defense would play a role in restricting this attack step." - -> attemptUse + -> use } } diff --git a/src/main/mal/User.mal b/src/main/mal/User.mal index d0032ab..77a8749 100644 --- a/src/main/mal/User.mal +++ b/src/main/mal/User.mal @@ -89,10 +89,6 @@ category User { | phishUser @hidden developer info: "The attacker can phish the user to gain access to their credentials." - -> attemptCredentialTheft - - | attemptCredentialTheft @hidden - developer info: "Intermediate attack step to allow for defenses and trigger bypasses." -> credentialTheft | credentialTheft @hidden [HardAndUncertain] diff --git a/src/test/java/org/mal_lang/corelang/test/IdentityTest.java b/src/test/java/org/mal_lang/corelang/test/IdentityTest.java index ad37675..12cb2eb 100644 --- a/src/test/java/org/mal_lang/corelang/test/IdentityTest.java +++ b/src/test/java/org/mal_lang/corelang/test/IdentityTest.java 
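Review bot: `phishUser` in User.mal now reaches `credentialTheft` directly, while the retained `credentialTheft [HardAndUncertain]` step (its reaches are visible in the later [PATCH 21/21] hunk) still goes to `userIds.credentials.attemptCredentialTheft`, so the intermediate step is removed on the User side but the Credentials side keeps an `attempt` step feeding `& credentialTheft`. That asymmetry is fine if intentional, but given the commit message ("Remove unnecessary attack steps") check whether `Credentials.attemptCredentialTheft` is still needed. Minor: the context lines carry the typos `asociated` and `crentials` in the Credentials info strings.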
@@ -62,7 +62,7 @@ public void testIdentityMultipleCredentialsSingleCompromised() { var model = new IdentityTestMultipleCredentialsModel(); var attacker = new Attacker(); - attacker.addAttackPoint(model.creds1.attemptUse); + attacker.addAttackPoint(model.creds1.use); attacker.attack(); model.identity.successfulAssume.assertCompromisedInstantaneously(); From 3a3530900769e1ab7a6411d1a9963ce94fb16270 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Thu, 17 Nov 2022 18:31:09 +0100 Subject: [PATCH 18/21] Fix comment and remove client network network response attack step. --- src/main/mal/Networking.mal | 1 - src/main/mal/Vulnerability.mal | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 7371af4..59a3d43 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal @@ -80,7 +80,6 @@ category Networking { applications.networkConnectUninspected, networkForwardingUninspected, attemptReverseReach, - clientApplications.attemptNetworkConnectFromResponse, accessNetworkData, deny diff --git a/src/main/mal/Vulnerability.mal b/src/main/mal/Vulnerability.mal index 948f826..57a9618 100644 --- a/src/main/mal/Vulnerability.mal +++ b/src/main/mal/Vulnerability.mal @@ -17,7 +17,7 @@ category Vulnerability { abstract asset Vulnerability - user info: "Vulnerability refers to the inability (of a unit or a system, application, etc.) to withstand the effects of a hostile environment." + user info: "Vulnerability refers to the inability (of a system, application, etc.) to withstand the effects of a hostile environment." { # notPresent [Disabled] user info: "This defense is used to reason about the attack vectors introduced by this asset. This is particularly useful for vulnerabilities where it is common to explore the possibility of patching them out." From 4df5f10372e639a4d9596c13b1d671a8b63dadbd Mon Sep 17 00:00:00 2001 
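Review bot: only `IdentityTest.java` is updated for the `attemptUse` removal, yet this commit also removes `attemptFullAccess`, `attemptLockoutFromCredentials`, `attemptCredentialTheft` and the two `notPresent` defenses; any other test that sets an attack point on, or asserts against, one of those steps will fail to compile, so run the full test suite before merging. For the Networking hunk in [PATCH 18/21]: removing `clientApplications.attemptNetworkConnectFromResponse` from the Network step leaves `attemptNetworkConnectFromResponse` on Application unreferenced from here; if nothing else reaches it, delete it together with the `NetworkClientAccess` association that the following commit removes, so the cleanup lands in one place.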
From: Andrei Buhaiu Date: Fri, 18 Nov 2022 16:20:17 +0100 Subject: [PATCH 19/21] Remove NetworkClientAccess, it did not mesh well with the rest of the language, and actually use the inboundAllowedConnections variable. --- src/main/mal/ComputeResources.mal | 3 --- src/main/mal/Networking.mal | 8 ++------ 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 71568c0..0caf958 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -237,7 +237,6 @@ category ComputeResources { | reverseReach @hidden developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." -> networks.attemptReverseReach, - clientAccessNetworks.attemptReverseReach, ingoingApplicationConnections().attemptReverseReach, appExecutedApps.attemptReverseReach, attackerUnsafeUserActivityCapabilityWithReverseReach, @@ -279,8 +278,6 @@ category ComputeResources { developer info: "The attacker can access outgoing and bidirectional networks and connections associated with the application." -> networks.accessUninspected, networks.accessInspected, - clientAccessNetworks.accessUninspected, - clientAccessNetworks.accessInspected, outgoingApplicationConnections().attemptConnectToApplicationsUninspected, outgoingApplicationConnections().attemptConnectToApplicationsInspected, outgoingApplicationConnections().attemptAccessNetworksUninspected, diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 59a3d43..6925af4 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
@@ -20,11 +20,10 @@ category Networking { user info: "A network (zone) is a set of network accessible applications and data." developer info: "The network asset tries to cover all the levels of the OSI stack in a very abstract and compact way (i.e. it tries to represent all the OSI layers). For example it will try to cover both ARP attacks (that are Level 2) but also DNS/HTTP spoofing attacks (that are Level 7)." { - let allNetApplications = (clientApplications \/ applications) let outboundAllowedConnections = (netConnections \/ outgoingNetConnections) let inboundAllowedConnections = (netConnections \/ ingoingNetConnections \/ diodeIngoingNetConnections) let allNetConnections = (netConnections \/ ingoingNetConnections \/ outgoingNetConnections \/ diodeIngoingNetConnections) - let allowedApplicationConnectionsApplications = (allNetApplications() \/ allNetConnections().applications) + let allowedApplicationConnectionsApplications = (applications \/ allNetConnections().applications) | physicalAccess @entrypoint {C, A} user info: "Attacker has physical access on the network. This means they can cut wires/fibers, connect using iLOs, eavesdrop and get proper network access." @@ -97,8 +96,7 @@ category Networking { & reverseReach @hidden developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." - -> (netConnections \/ ingoingNetConnections \/ diodeIngoingNetConnections).attemptReverseReach, - clientApplications.attemptReverseReach, + -> inboundAllowedConnections().attemptReverseReach, applications.attemptReverseReach | networkForwardingUninspected @hidden 
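Review bot: the rewrite of `reverseReach` to `inboundAllowedConnections().attemptReverseReach` is behaviour-preserving for the ConnectionRule part, because `inboundAllowedConnections` is defined in the first hunk as exactly `netConnections \/ ingoingNetConnections \/ diodeIngoingNetConnections`, the set that was spelled out inline before; the only semantic change is dropping `clientApplications.attemptReverseReach`, which is consistent with removing `NetworkClientAccess`. With `allNetApplications` gone, check that `outboundAllowedConnections` is still referenced somewhere, since it is declared alongside it and an unused `let` is easy to leave behind.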
@@ -309,8 +307,6 @@ associations { user info: "An application can communicate / be exposed on a network." modeler info: "This is DEPRECATED and should only be used by fully aware modelers." developer info: "This can equivalently be modeled using a ConnectionRule but this direct approach should be prefered in the case where the application is “located” in the same network as the host on which it is running." - Network [clientAccessNetworks] * <-- NetworkClientAccess --> * [clientApplications] Application - user info: "A client application can communicate over a network." Application [applications] * <-- ApplicationConnection --> * [appConnections] ConnectionRule user info: "An application can communicate over one or more (mesh type) bidirectional connections." modeler info: "ConnectionRules associated with Applications are practically expressing a traffic flow." From 320d6c57a45b50b5a805c12acd7bb8820762f64a Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Fri, 18 Nov 2022 16:21:17 +0100 Subject: [PATCH 20/21] Update outdated comment to reflect the current number of attack steps used for data replication. --- src/main/mal/DataResources.mal | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index 756277e..f604331 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal @@ -46,7 +46,7 @@ category DataResources { | extract user info: "The attacker is able to extract the information. This means that they have a path available through which they can transfer the information back to a system they control." - // The following 10 attack steps are used to implement data replication + // The following 5 attack steps are used to implement data replication | attemptReadFromReplica @hidden developer info: "Reading one replica allows the attacker to read all other replicas as well since the information contained in them is the same." -> read 
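Review bot: deleting the `NetworkClientAccess` association (`clientAccessNetworks` / `clientApplications`) is a breaking change for any existing model or test fixture that instantiates it, and the diffstat of [PATCH 19/21] lists no test changes; grep `src/test` for both role names. The [PATCH 20/21] comment update to `5 attack steps` matches the five `*FromReplica` steps left after [PATCH 17/21].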
From 94557db9059b3e5be89a3e1f9a9db6e5c9066205 Mon Sep 17 00:00:00 2001 From: Andrei Buhaiu Date: Mon, 21 Nov 2022 16:45:30 +0100 Subject: [PATCH 21/21] Minor info text adjustments as part of the pull request review. --- src/main/mal/ComputeResources.mal | 2 +- src/main/mal/DataResources.mal | 4 ++-- src/main/mal/Networking.mal | 2 +- src/main/mal/User.mal | 6 +++--- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/main/mal/ComputeResources.mal b/src/main/mal/ComputeResources.mal index 0caf958..a12aaf9 100644 --- a/src/main/mal/ComputeResources.mal +++ b/src/main/mal/ComputeResources.mal @@ -235,7 +235,7 @@ category ComputeResources { -> reverseReach | reverseReach @hidden - developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." + developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates toward outgoing or bidirectional communications." -> networks.attemptReverseReach, ingoingApplicationConnections().attemptReverseReach, appExecutedApps.attemptReverseReach, diff --git a/src/main/mal/DataResources.mal b/src/main/mal/DataResources.mal index f604331..deebe95 100644 --- a/src/main/mal/DataResources.mal +++ b/src/main/mal/DataResources.mal 
@@ -17,7 +17,7 @@ category DataResources { asset Information - user info: "Represents any type of information that might be contained inside Data. This include general purpose information, but also serves as the basis for more specialized types, such as Credentials and SoftwareProduct. Information represents the abstract concept while Data represent an actual instance of information stored or transmitted digitally." + user info: "Represents any type of information that might be contained inside Data. This include general purpose information, but also serves as the basis for more specialized types, such as Credentials and SoftwareProduct. Information represents the abstract concept, while Data represent an actual instance of information stored or transmitted digitally." { | read user info: "The attacker is able to read the information. They may still be unable to extract it, which represents the adversary being able to read it themselves. This is the case if autonomous code is able to read it, but lack the required networking connections to transmit it back to the adversary." @@ -44,7 +44,7 @@ category DataResources { dependentApps.deny | extract - user info: "The attacker is able to extract the information. This means that they have a path available through which they can transfer the information back to a system they control." + user info: "The attacker is able to extract the information. This means that they have a path available through which they can transfer the information back to a system that they control." // The following 5 attack steps are used to implement data replication | attemptReadFromReplica @hidden diff --git a/src/main/mal/Networking.mal b/src/main/mal/Networking.mal index 6925af4..538bc08 100644 --- a/src/main/mal/Networking.mal +++ b/src/main/mal/Networking.mal 
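Review bot: the reworded `Information` user info still has two agreement errors that the comma fix does not address: "This include general purpose information" should read "This includes", and "Data represent an actual instance" should read "Data represents". Suggested ending: `Information represents the abstract concept, while Data represents an actual instance of information stored or transmitted digitally.`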
@@ -95,7 +95,7 @@ category Networking { -> reverseReach & reverseReach @hidden - developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates via outgoing or bidirectional communications." + developer info: "Reverse reach is used to determine whether or not the attacker can be reached by the user. Reverse reach propagates toward outgoing or bidirectional communications." -> inboundAllowedConnections().attemptReverseReach, applications.attemptReverseReach diff --git a/src/main/mal/User.mal b/src/main/mal/User.mal index 77a8749..62fa004 100644 --- a/src/main/mal/User.mal +++ b/src/main/mal/User.mal @@ -57,7 +57,7 @@ category User { | attemptSocialEngineering @entrypoint user info: "An attacker can try to perform social engineering techniques such as phishing and inducing the user to perform malicious actions." developer info: "Intermediate attack step to allow for defenses and trigger bypasses." - modeler info: "Social engineering is modeled by having the attacker trigger this attack step on hthe target Users." + modeler info: "Social engineering is modeled by having the attacker trigger this attack step on the target Users." -> successfulSocialEngineering, bypassSecurityAwareness @@ -92,7 +92,7 @@ category User { -> credentialTheft | credentialTheft @hidden [HardAndUncertain] - developer info: "Trick the user to provide their credentials." + developer info: "Trick the user into providing their credentials." modeler info: "Distribution: Bernoulli(0.5) * Exponential(0.1), source: Sommestad (2011) Password authentication attacks: a survey of attacks and when they will succeed, suggest to use Bernoulli(0.05)" -> userIds.credentials.attemptCredentialTheft 
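Review bot: the wording fixes ("hthe", "Trick the user into providing") are fine. The modeler info on `credentialTheft` in the same hunk still reads "Distribution: Bernoulli(0.5) * Exponential(0.1), source: Sommestad (2011) ..., suggest to use Bernoulli(0.05)" while the step is tagged `[HardAndUncertain]`; state which value the tag corresponds to, or drop the conflicting 0.5 versus 0.05 remark, since a modeler cannot tell which applies.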
@@ -107,7 +107,7 @@ category User { | unsafeUserActivity @hidden [Exponential(0.03)] developer info: "The user can engage in unsafe behaviour that could allow the attacker to gain access to the applications the user has access to." - modeler info: "An attacker may trigger the assume step on identities belonging to the user without being able to reach (or be reached) via any of the Applications that the identity has access to. This represents an unmaterialised threat in that scenario." + modeler info: "If the attacker is not able to reach (or be reached) via any of the Applications this garnered access does not materialise into any actual attack vectors." -> userIds.attemptAssume, userIds.execPrivApps.attemptUnsafeUserActivity, userIds.subprivileges.subprivileges*.execPrivApps.attemptUnsafeUserActivity,
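Review bot: the new modeler info on `unsafeUserActivity` lost its subject: "this garnered access" no longer refers to anything in the sentence, whereas the removed text named the `assume` step on the user's identities. Keep that reference, for example: "The attacker may trigger assume on the user's Identities; if they cannot reach (or be reached) via any of the Applications those Identities have access to, this access does not materialise into any actual attack vectors."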