Open scp93ch opened 6 months ago
It might be a difference in the shortest path part of the algorithm?
@scp93ch : I ran this test case recently when looking for something simple to check how domain model changes affect the risk treatment plan. It looks like the bug has now been fixed.
The second and third threats in the original threat path listing are relevant. The full threat path looks like this:
As shown, loss of availability in the data can be caused by insertion of malware, which (since the server is disconnected) can only be done via physical insertion of infected storage media. It isn't the shortest path because the malware is assumed to have a range of possible warheads. Insertion only leads to a behaviour modelling the presence of the malware, which causes subsequent threats to model possible effects - in this case, encrypting data and holding it for ransom.
Version 3.6.0-test of system modeller does list both root cause threats, but now displays only the shortest attack path, which starts from the physical theft root cause threat.
I thought the original plan was to allow users to select a root cause, then get the shortest attack path from there. If true, it means that the problem you saw is not a bug - the extra threats are relevant. It is just a case of having incomplete functionality - since the envisaged filtering based on the selected root cause threat has not been implemented.
We also briefly discussed whether one could filter on any selected threat, showing threat paths via the selected threat, rather than only on the last selected root cause threat. I don't recall whether this was considered too difficult.
@scp93ch : please clarify - what is the intended functionality here?
I made a simple system model to test the risk-report algorithm and have found a bug in the Java attack path code.
The model is "small-uncontrolled" (small-uncontrolled 2024-05-19T11_41.nq.gz):
The Java attack path code (as launched from the Consequence Explorer for the LossOfAvailability @ Data Consequence) shows:
The attack path visual graph (which uses the Python in the ssm-adaptor) shows:
The visual graph is correct. The second and third threats in the Consequence Explorer's threat list are superfluous.