search

Spyderisk / domain-network

Network domain model
Apache License 2.0
1 stars 0 forks source link

Refactoring Software Vulnerability Discovery #139

Closed mike1813 closed 3 months ago

mike1813 commented 3 months ago

Threats involving exploitation of software vulnerabilities in Host or Process assets are modelled as threat paths composed of simpler steps:

  1. Discovery of the vulnerability by a potential attacker, whose effect is to reduce 'Extrinsic TW' attributes of the affected Host or Process. These TW attributes are based on CVSS v2 vulnerability classification metrics (we may update this to v3 in due course).
  2. Access to the vulnerability by the attacker, with causes based on CVSS access metrics, reducing an 'Exploit TW' attribute representing an absence of exploitable vulnerabilities.
  3. Exploitation of the vulnerability, caused by the Exploit TW attribute combined with CVSS impact metrics, leading to effects like access to the Host, crashing the vulnerable Host or Process, or access to data stored locally and/or used by the vulnerable Process.

For current risk calculations, the discovery threats are skipped. Instead, known (detected) vulnerabilities are modelled by reducing the CVSS-aligned TW attributes appropriately for the affected vulnerabilities.

In future risk calculations, vulnerability discovery is treated as a normal operation process, whose effects can be reduced by operational management policies such as regular, systematic application of software patches. However, this leads to two problems.

Firstly, each of the vulnerability discovery threats is specific to a CVSS metric value or combination of metric values, so discovery of a real vulnerability corresponds to a combination of those threats. When looking for root causes of a downstream effect, one finds multiple root causes, which may confuse system modeller users.

Secondly, software patching (as a normal operational policy) suppresses all vulnerability discover threats. When a risk treatment plan is extracted, the effect of software patching is represented by multiple entries, one for each CVSS-mapped TW attribute. This may also be confusing, but at minimum it means the risk treatment plan is highly repetitive. Moreover, if one then analyses the effect of a software patching policy, one finds it reduces the likelihood of multiple threats, each of which may be an upstream cause of multiple downstream effects. The calculation of residual risk levels is thus rendered a lot more complex.

Software patching reduces the likelihood of vulnerability discovery threats because it reduces the time for which the vulnerability is both known to the attacker and present in the software. Other control strategies seek to reduce the likelihood that vulnerabilities are present to be discovered, e.g., penetration testing, software certification and formal verification. Although these represent different mechanisms, they also give rise to the same problems for residual risk analysis.

To solve these problems, it is proposed that we make two changes:

The effect of these changes is to move the control mechanism upstream of the bifurcation of threat paths to cover multiple CVSS-aligned TW attributes. The goal is to reduce the size of risk treatment plans and hopefully also reduce the complexity of residual risk calculations - although to what extent can only be determined by running tests.

mike1813 commented 3 months ago

Changes as described have been made on branch 139, but some work is needed to produce an adequate test case.

@kenmeacham, @scp93ch or @samuelsenior may wish to merge changes from this branch into their current working branches to see if (a) these changes affect the risk levels (they should not), or (b) these changes simplify system modeller output (root causes or risk reports or residual risk analysis outputs).

I can't do any more today. May get some time to run up a test case over the weekend.

mike1813 commented 3 months ago

Tested using four test cases:

The first two are taken from the tutorial last updated in 2022, modelling a simple public website that holds profiles of consumers. These were updated to V11 by replacing a deprecated control assertion (ChipAndPinVerifier no longer applies to physical spaces, having been replaced by a distinct ChipAndPinLock control type), and simplified by making all assets singletons. The last two are models used in a recent publication.

In all four cases, the outcome of risk calculations is unchanged by switching to the refactored vulnerability discovery threats, other than through the inclusion of the new 'Vulnerability Discovered' behaviour. All other misbehaviour sets have the same likelihoods as before.

This confirms that the refactored vulnerability discovery threat paths are working correctly.

mike1813 commented 3 months ago

The hope was that refactoring in this way would reduce the complexity of the risk treatment plan. It turns out this is the case, as the asset behaviours corresponding to CVSS-aligned TW attributes are no longer subject to threats that have control strategies. However, these behaviours are still included in the risk treatment plan by system modeller v3.6.0-test, so at this point it doesn't lead to a reduction in the size of the risk treatment plan report.

For example, in the case of 'Online Store V11s More Security', the first asset class shown in the risk treatment plan is ClientBrowser, which includes the following behaviours when validated using domain model v6a5-1-2:

Consequence Impact Likelihood Risk Direct Causes Treatment Method Status Controls
LossOfExtrinsic-A-TW Negligible Low Very Low Vulnerability (A) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-AU-TW Negligible Low Very Low Vulnerability (AU) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-C-TW Negligible Very Low Very Low Vulnerability (C) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-I-TW Negligible Very Low Very Low Vulnerability (I) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-M-TW Negligible Low Very Low Vulnerability (M) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-QI-TW Negligible Low Very Low Vulnerability (QI) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-U-TW Negligible Low Very Low Vulnerability (U) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-VA-TW Negligible Low Very Low Vulnerability (VA) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-VL-TW Negligible Low Very Low Vulnerability (VL) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-VN-TW Negligible Low Very Low Vulnerability (VN) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-W-TW Negligible Low Very Low Vulnerability (W) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)
LossOfExtrinsic-XS-TW Negligible Low Very Low Vulnerability (XS) discovered at "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)

Once the vulnerability discovery threat path has been refactored in the domain model, this changes to:

Consequence Impact Likelihood Risk Direct Causes Treatment Method Status Controls
LossOfExtrinsic-A-TW Negligible Low Very Low Vulnerability (A) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-AU-TW Negligible Low Very Low Vulnerability (AU) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-C-TW Negligible Very Low Very Low Vulnerability (C) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-I-TW Negligible Very Low Very Low Vulnerability (I) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-M-TW Negligible Low Very Low Vulnerability (M) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-QI-TW Negligible Low Very Low Vulnerability (QI) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-U-TW Negligible Low Very Low Vulnerability (U) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-VA-TW Negligible Low Very Low Vulnerability (VA) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-VL-TW Negligible Low Very Low Vulnerability (VL) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-VN-TW Negligible Low Very Low Vulnerability (VN) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-W-TW Negligible Low Very Low Vulnerability (W) discovered at "ClientBrowser" n/a n/a
LossOfExtrinsic-XS-TW Negligible Low Very Low Vulnerability (XS) discovered at "ClientBrowser" n/a n/a
VulnerabilityDiscovered Negligible Low Very Low Vulnerabilities discovered in process "ClientBrowser" Mitigate In Place SoftwarePatching at ClientPC (Safe)

Evidently, the report could be made much shorter by filtering out behaviours with threats that have no control strategies. In this particular case, this should also make the system model easier for users to understand, by removing the individual CVSS-aligned behaviours and replacing them with a simpler concept.

The domain model updates are now on branch 139. An issue has been created for system modeller, see https://github.com/Spyderisk/system-modeller/issues/182.

mike1813 commented 3 months ago

Branch 139 has now been merged by pull request https://github.com/Spyderisk/domain-network/pull/143, so this can now be closed.