IoT Surfacing Threats Overspecified

[mike1813]

Surfacing and internal threats for IoT Controllers all use the same pattern CoPDS comprising an IoT Controller, the control input Data and the stored copy of this data on the IoT device. The DataCopy is included because many of these threats are caused by issues at the stored control input. However:

• Co.A.CoPDS.6 is a side-effect from disabling the controlled process which only involves the Controller (strictly speaking, it only involves the controlled physical process, but that is modelled as an aspect of the Controller).
• Co.C.CoPDS.0 is a surfacing threat to propagate loss of confidentiality from the Data to the Controller, but it doesn't involve the stored copy.
• Co.U.CoPDS.0.3 is an internal threat whereby loss of availability of the IoT device leads to unreliability in the controlled physical process, which also doesn't involve the DataCopy or Data.

These threats should be modified so the threat pattern refers only to the relevant assets. This change should not affect risk calculation outcomes, but:

• it ensures we don't get duplicate threats leading to the same outcome where the user asserts multiple control inputs for a controller, and
• it means these threats will not be affected by future changes to the other CoPDS threats that do actively involve the data assets (e.g., related to the classification of stored data depending on whether it is a persistent copy or a cached data flow).

The second of these reasons makes it convenient to tackle this as part of #120, which requires changes to the inheritance hierarchy for stored data assets.

[mike1813]

A test case was created Issue 123 Case 1 - Asserted.nq.gz, which should produce one threat each from the affected classes, allowing verification that the revised threats are generated correctly.

However, this test case fails and produces modelling errors, because the data is not saved on the IoT controller device. This is due to a separate issue #124, whereby the 'stores' relationship is not generated if the control input is asserted. As a result, the threats of concern here are not generated when using the original (baseline) domain model version.

A second test case Issue 123 Case 2 - Asserted.nq.gz works around this problem. Comparison of results between the two models also allows fixes for #124 to be verified.

[mike1813]

With the second test, the fixes for these three threats were verified and pushed on branch 40.