Open mike1813 opened 1 year ago
There is also a potential problem with inferred accessibility to private spaces. Construction pattern PPS-E+W looks for Private Space assets that are not accessibleVia any Space. If it finds any, it makes each of them accessibleVia the inferred public space 'World'. The World acts as a default entrance to any Private Space.
Later, pattern HuaSaE+cA infers that if a Human can access a Private Space, it can access the entrance to that space.
This is all perfectly sensible, but may lead to unexpected results if a system modeller user forgets to specify from which other Space a Private Space is accessible, and incomplete results in any case. For example, one might have two spaces:
If the system modeller user/client forgets to assert the Home-accessibleVia-Town relationship, we then get:
One might expect the Town to be accessibleVia the World, but because PPS-E+W only creates relationships to private spaces, this is not found. The two Public Spaces are totally disconnected, and the Home seems to be accessible from the wrong one.
The default TW level for occupants of a Public Space is Very Low, so arguably it makes no difference which public space provides a path to the Home. However, the inferred relationships may clash with user expectations and lead to other unexpected results, e.g., inferred canAccess relationships between Humans and spaces produced by HuaSaE+cA, which may lead to mobile devices carried by the Human turning up in unexpected locations.
A reasonable solution could be as follows:
At present, if a Human can access a private space, we infer they can also access any public space from which the private space is accessible.
The idea is that `domain#canAccess` implies that the Human may choose to be in that space, and hence threats in that space apply. Without this inference, we could miss physical attacks on mobile devices in public spaces because the model says the Human spends their entire life in a secure data centre.

The problem is that the current logic doesn't handle the case where one private space is accessible via another, and not directly from a public space. What is needed here is an iterative deduction process, working out the paths that may be taken by humans to reach the inner private space. Only then can `domain#canAccess` links be inferred for each human.
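As an added illustration (not code from the issue or from the system modeller itself), the following Python toy models the two construction patterns described above and the proposed iterative deduction; the space names Office and ServerRoom and the humans Alice and Bob are constructed sample data.

```python
# Toy reimplementation of the inference described in the issue (added example,
# not the system modeller's own code). Spaces are labelled "Public"/"Private";
# accessible_via maps a space to the set of spaces it is accessibleVia.
from collections import deque

WORLD = "World"

def pps_e_w(spaces, accessible_via):
    """PPS-E+W: a Private Space that is not accessibleVia any Space becomes
    accessibleVia World. Public Spaces are left alone, so a Town that is not
    linked to World stays disconnected (the gap the issue points out)."""
    inferred = {s: set(v) for s, v in accessible_via.items()}
    for space, kind in spaces.items():
        if kind == "Private" and not inferred.get(space):
            inferred.setdefault(space, set()).add(WORLD)
    return inferred

def hua_sa_e_ca_direct(can_access, accessible_via):
    """Current HuaSaE+cA: one step only, from a space to its direct entrances."""
    result = {h: set(s) for h, s in can_access.items()}
    for human, spaces in can_access.items():
        for space in spaces:
            result[human] |= accessible_via.get(space, set())
    return result

def hua_sa_e_ca_iterative(can_access, accessible_via):
    """Proposed fix: follow accessibleVia links repeatedly (breadth-first)
    until no new space is reached, so nested private spaces lead out to
    the public space that is their real entrance path."""
    result = {}
    for human, spaces in can_access.items():
        reached, queue = set(spaces), deque(spaces)
        while queue:
            for entrance in accessible_via.get(queue.popleft(), set()):
                if entrance not in reached:
                    reached.add(entrance)
                    queue.append(entrance)
        result[human] = reached
    return result

# Constructed sample model: Home is accessibleVia Town (asserted by the user);
# ServerRoom is nested inside Office, and the user forgot to say where Office
# is accessible from; Town is never linked to World.
SPACES = {"World": "Public", "Town": "Public", "Home": "Private",
          "Office": "Private", "ServerRoom": "Private"}
ACCESSIBLE_VIA = {"Home": {"Town"}, "ServerRoom": {"Office"}}
CAN_ACCESS = {"Alice": {"Home"}, "Bob": {"ServerRoom"}}
```

Running the one-step pattern over this model leaves Bob reaching only Office, while the iterative version also reaches World, and dropping the Home-accessibleVia-Town assertion makes PPS-E+W attach Home directly to World, as the issue describes.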