Open maxwalls opened 4 years ago
Added a request to set conventions for "attemptX". Needs to be reviewed.
The above issue (mentioned by Per) was fixed in https://github.com/mal-lang/coreLang/commit/a23b12a65a56e1be1c683e6eb77d65e1f8e67231. We concluded that "Attempt" should be used either when effort is associated with an attack's end result or in order to signify the need for additional attack steps to reach the goal.
I have two issues that may belong on that list.
First, `ManuallyModeledVulnerability` has a defence called `userInteracts`. Being a defence, it prevents an attack from occurring; therefore it should be renamed to `userDoesNotInteract`.
Second, neither `ManualLowImpactVulnerability` nor `ManualHighImpactVulnerability` triggers any attack steps on either System or Object assets. Maybe they should be renamed to something along the lines of `ManualLowImpactSoftwareVulnerability` or `ManualLowImpactApplicationVulnerability` for added clarity.
Things that might need to be renamed:
[x] Think of a new name for Connection because it sounds like the connection already exists. Maybe we should name it ConnectionRule (same as the association)
[x] Naming of the LowApp and HighAppPrivileges associations. Update: renamed to LowPrivilegeApplicationAccess and such on https://github.com/mal-lang/coreLang/commit/16fa9c3a275ae62fe5d46a88186b1fb7a38d329d
[x] ManualVulnerability. What does "manual" really mean? Maybe we need to rename the manual ones to something else, like "otherVulnerability" or "unknownVulnerability". Update: renamed to ManuallyModeledVulnerability on https://github.com/mal-lang/coreLang/commit/16fa9c3a275ae62fe5d46a88186b1fb7a38d329d
[ ] the name routingFirewall feels a bit awkward
[x] Object asset might need to be renamed. (it is confusing because objects also refers to instances in e.g. the UML world. Perhaps an alternative name is component.)
[x] Also the System asset has a confusing name. First the category is called system and also it seems like Hardware better represents what we actually mean. (Or?) (Hardware perhaps could include network cables then also.)
[x] System category should be renamed
[x] Rename Application.access and Application.localInteraction (Update: Done on https://github.com/mal-lang/coreLang/commit/9e27f4ade96125ab40bfc0fe92b8709f35b0518b)
[x] Consistent use of "attempt" in attack steps. "attemptX" intuitively lets the Attacker test X, which may succeed but typically with an effort. This appears not to be the case for e.g. User.
[x] Rename "DataNotExist" defense to "DataNotPresent" or something better we find out.