
Bug in Java attack path algorithm #173

Open
scp93ch opened this issue May 19, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@scp93ch
Member

scp93ch commented May 19, 2024

I made a simple system model to test the risk-report algorithm and have found a bug in the Java attack path code.

The model is "small-uncontrolled" (small-uncontrolled 2024-05-19T11_41.nq.gz):

  • Server -> Stores -> Data
  • Impacts
    • loss of availability of Data is High
  • Control strategies
    • None

The Java attack path code (as launched from the Consequence Explorer for the LossOfAvailability @ Data Consequence) shows:

image

The attack path visual graph (which uses the Python in the ssm-adaptor) shows:

image

The visual graph is correct. The second and third threats in the Consequence Explorer's threat list are superfluous.

@scp93ch scp93ch added the bug Something isn't working label May 19, 2024
@scp93ch
Member Author

scp93ch commented May 19, 2024

It might be a difference in the shortest path part of the algorithm?

@mike1813
Member

@scp93ch : I ran this test case recently when looking for something simple to check how domain model changes affect the risk treatment plan. It looks like the bug has now been fixed.

The second and third threats in the original threat path listing are relevant. The full threat path looks like this:

image

As shown, loss of availability in the data can be caused by insertion of malware, which (since the server is disconnected) can only be done via physical insertion of infected storage media. It isn't the shortest path because the malware is assumed to have a range of possible warheads. Insertion only leads to a behaviour modelling the presence of the malware, which causes subsequent threats to model possible effects - in this case, encrypting data and holding it for ransom.

Version 3.6.0-test of system modeller does list both root cause threats, but now displays only the shortest attack path, which starts from the physical theft root cause threat.

I thought the original plan was to allow users to select a root cause, then get the shortest attack path from there. If true, it means that the problem you saw is not a bug - the extra threats are relevant. It is just a case of having incomplete functionality - since the envisaged filtering based on the selected root cause threat has not been implemented.

We also briefly discussed whether one could filter on any selected threat, showing threat paths via the selected threat, rather than only on the last selected root cause threat. I don't recall whether this was considered too difficult.

@scp93ch : please clarify - what is the intended functionality here?
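As an added illustration of the point made in this thread (not code from the system modeller or the ssm-adaptor), the toy graph below reproduces the two routes to LossOfAvailability @ Data discussed above: a short one from physical theft and a longer one from infected-media insertion, where the malware's presence only enables a later "warhead" threat. All node labels and edges are constructed assumptions. It shows why a view that keeps only the overall shortest path hides the second root cause, and what filtering on a user-selected root cause or intermediate threat would return instead.

```python
from collections import deque

# Constructed toy attack graph for the issue's "small-uncontrolled" system
# (Server -> Stores -> Data); "T:" = threat, "M:" = misbehaviour. Labels are
# illustrative, not domain-model identifiers. Edges run from cause to effect.
ATTACK_GRAPH = {
    "T:PhysicalTheft@Server": ["M:LossOfAvailability@Server"],
    "M:LossOfAvailability@Server": ["T:HostDownStoredDataUnavailable"],
    "T:HostDownStoredDataUnavailable": ["M:LossOfAvailability@Data"],
    "T:InfectedMediaInsertion@Server": ["M:MalwarePresent@Server"],
    "M:MalwarePresent@Server": ["T:MalwareWarheadActivates"],
    "T:MalwareWarheadActivates": ["M:RansomwareActive@Server"],
    "M:RansomwareActive@Server": ["T:RansomwareEncryptsData"],
    "T:RansomwareEncryptsData": ["M:LossOfAvailability@Data"],
    "M:LossOfAvailability@Data": [],
}
TARGET = "M:LossOfAvailability@Data"

def root_causes(graph):
    """Threats with no incoming edge: the model's root cause threats."""
    caused = {n for succ in graph.values() for n in succ}
    return sorted(n for n in graph if n.startswith("T:") and n not in caused)

def shortest_path(graph, start, target):
    """Breadth-first search; returns the node list from start to target, or None."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def relevant_root_causes(graph, target):
    """Every root cause that can reach the consequence; all of them belong in the threat list."""
    return [r for r in root_causes(graph) if shortest_path(graph, r, target)]

def overall_shortest_path(graph, target):
    """The single shortest path over all root causes: the only one an unfiltered view shows."""
    return min((shortest_path(graph, r, target) for r in relevant_root_causes(graph, target)), key=len)

def shortest_path_via(graph, selected, target):
    """Shortest full path from a root cause that passes through a user-selected threat."""
    heads = [p for p in (shortest_path(graph, r, selected) for r in root_causes(graph)) if p]
    return min(heads, key=len) + shortest_path(graph, selected, target)[1:]
```

With this graph, `overall_shortest_path` returns only the theft route, while `relevant_root_causes` lists both root causes and `shortest_path_via` recovers the malware route once either the insertion threat or the ransomware threat is selected.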
