First, do the following:
pip install pyDatalog
Booleans or values 0-1.0 for if confidentiality, integrity, and availability are provided on the connection
- connectsTo(SourceService,TargetService,CProvided,IProvided,AProvided)
Note: Should this be isType? If not, then there should be a ChildType and ParentType or something like that
- isSubType(TargetService,TargetType)
Note: isType shouldn't use the same name for the instance and the type or it will mess up credential evaluation, when we treat use the instance name as the type name so we can specifically apply a credential as a vulnerability in an instance.
- isVulnerable(TargetType,VulnType,C,CImpact,IImpact,AImpact)
- isVulnerable(TargetType,VulnType,C,CImpact,IImpact,AImpact)
For example, weather forecasts could be used to determine whether or not to bring an umbrella (low imapct) or whether or not it's safe to fly a helicopter (high impact)
The SourceService here is a producer of the data type Data. There can be multiple producers of Data.
- producesData(SourceService,Data)
The consumer knows how it's using the data it consumes. The TargetService component is a consumer of Data on behalf of FuncName. It's agnostic to which component produces the Data.
The consumer has weighted (in terms of impact to function utility) requirements for confidentiality, integrity, and availability.
An impact of 0 for any of the parameters below means that it is not required. For example, data may be public, so confidentiality is not a concern.
- consumesData(FuncName,ConsumesSet,Data,CImpact,IImpact,AImpact)
The following two lines define that FunctName requires Data for AND(OR(TargetService1,TargetService2),OR(TargetService3,TargetService4)). That is, either 1 or 2, AND either 3 or 4.
- consumesData(FuncName,[TargetService1,TargetService2],Data,CImpact,IImpact,AImpact)
- consumesData(FuncName,[TargetService3,TargetService4],Data,CImpact,IImpact,AImpact)
Note that each component MUST have a credential fact associated with it, or it will not be included in attack path evaluation. This is to eliminate branching on attack path generation depending on whether or not a component has a credential. The goal is to reduce state space explosion.
- hasCredentials(SourceService,CredentialSet)
Explain the optimization by memoizing the leaves and the branches to ensure all scenarios are topologically distinct
When we multiply for cumulative C,I,A (in creating transitive paths) and when we add (in creating sum effects over C, I, A) -- each C,I,A can tank the whole utility, but if one is not required (0), then it shouldn't be multiplied, because that would make everything 0. And (1-0) creates the wrong effect, too, if one wants to multiply.
CRequired (% of total U) | CProvided (% of total C) | CImpact (Multiple Effect on Utility) | 1-CProvided | Product
( 'dataTransit', 'serverData', ('server', 'fwA2', 'fwA1', 'client'), ( ('attacker', 'attacker', 'compromisedattacker'), ('attacker', 'fwA1', 'fwAExploit'), ('attacker', 'fwB1', 'fwBExploit'), ('fwB1', 'fwB2', 'fwBExploit'), ('fwB2', 'server', 'serverExploit'), ('server', 'fwA2', 'fwAExploit')), 0.225, 0.140625, 0.196875),