Spyderisk / system-modeller

Spyderisk web service and web client

Bug in Java attack path algorithm #173

Open scp93ch opened 6 months ago

scp93ch commented 6 months ago

I made a simple system model to test the risk-report algorithm and have found a bug in the Java attack path code.

The model is "small-uncontrolled" (small-uncontrolled 2024-05-19T11_41.nq.gz):

The Java attack path code (as launched from the Consequence Explorer for the LossOfAvailability @ Data Consequence) shows:

image

The attack path visual graph (which uses the Python in the ssm-adaptor) shows:

image

The visual graph is correct. The second and third threats in the Consequence Explorer's threat list are superfluous.

scp93ch commented 6 months ago

It might be a difference in the shortest path part of the algorithm?

mike1813 commented 5 months ago

@scp93ch : I ran this test case recently when looking for something simple to check how domain model changes affect the risk treatment plan. It looks like the bug has now been fixed.

The second and third threats in the original threat path listing are relevant. The full threat path looks like this:

image

As shown, loss of availability in the data can be caused by insertion of malware, which (since the server is disconnected) can only be done via physical insertion of infected storage media. It isn't the shortest path because the malware is assumed to have a range of possible warheads. Insertion only leads to a behaviour modelling the presence of the malware, which causes subsequent threats to model possible effects - in this case, encrypting data and holding it for ransom.

Version 3.6.0-test of system modeller does list both root cause threats, but now displays only the shortest attack path, which starts from the physical theft root cause threat.

I thought the original plan was to allow users to select a root cause, then get the shortest attack path from there. If true, it means that the problem you saw is not a bug - the extra threats are relevant. It is just a case of having incomplete functionality - since the envisaged filtering based on the selected root cause threat has not been implemented.

We also briefly discussed whether one could filter on any selected threat, showing threat paths via the selected threat, rather than only on the last selected root cause threat. I don't recall whether this was considered too difficult.

@scp93ch : please clarify - what is the intended functionality here?
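
Added example, not part of the thread and not Spyderisk's code: a constructed toy graph showing how one shortest path over all root causes differs from one shortest path per selected root cause, the two behaviours discussed in the comments above. The node names, the edges and the use of plain breadth-first search are assumptions; this is not the real "small-uncontrolled" model or the project's algorithm.

```python
from collections import deque

# Constructed toy graph, loosely named after the thread; NOT the real
# "small-uncontrolled" model. Edges point from cause to effect.
EDGES = {
    "T:PhysicalTheft": ["C:LossOfAvailability@Data"],
    "T:InfectedMediaInsertion": ["B:MalwarePresent@Server"],
    "B:MalwarePresent@Server": ["T:RansomwareEncryptsData"],
    "T:RansomwareEncryptsData": ["C:LossOfAvailability@Data"],
}
ROOT_CAUSES = ["T:PhysicalTheft", "T:InfectedMediaInsertion"]
TARGET = "C:LossOfAvailability@Data"

def shortest_path(edges, source, target):
    """Breadth-first search; returns the node list or None if unreachable."""
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in edges.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None

def paths_by_root_cause(edges, roots, target):
    """One shortest path per root cause (the 'select a root cause' view)."""
    found = {r: shortest_path(edges, r, target) for r in roots}
    return {r: p for r, p in found.items() if p is not None}

def global_shortest(edges, roots, target):
    """Single shortest path over all root causes (ties: first root listed)."""
    return min(paths_by_root_cause(edges, roots, target).values(), key=len)

def threats_on(paths):
    """Threat nodes (prefix 'T:') appearing on any of the given paths."""
    return sorted({n for p in paths for n in p if n.startswith("T:")})

if __name__ == "__main__":
    per_root = paths_by_root_cause(EDGES, ROOT_CAUSES, TARGET)
    print("global  :", threats_on([global_shortest(EDGES, ROOT_CAUSES, TARGET)]))
    print("per root:", threats_on(per_root.values()))
```

In this toy graph the global view lists one threat, while the per-root-cause view lists three, because the longer malware path is kept alongside the shorter one.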