mal-lang / coreLang

A probabilistic attack simulation language for the (abstract) IT domain
https://mal-lang.org/coreLang/

[bug] Application.softwareProductAbuse logic #35

Closed jesajx closed 3 years ago

jesajx commented 3 years ago

Application.softwareProductAbuse has very high requirements to compromise. Maybe it should be an OR-node? You currently need physical access, local access, network access, low privileges AND high privileges all at the same time -- probably a bug.

I have a working coreLang 0.1.0 model of a malicious firmware installation scenario. When attempting to port it to coreLang 0.2.0 I run into issues with Application.softwareProductAbuse.

andrewbwm commented 3 years ago

If a particular vulnerability does not require a specific condition it should automatically trigger that step. So the AND attack step is correct. I have messaged you on Slack and maybe we can investigate the particular model that is causing you issues.
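The AND/OR semantics discussed in the comments above, as an added example that is not part of the issue thread or of coreLang's own code: a simplified Python model in which each of the five conditions is an OR step, reached either because the attacker holds it or automatically because the vulnerability does not require it. The condition step names and the `attacker.*` / `notRequired.*` entry points are assumptions made for this example.

```python
# Simplified AND/OR attack-graph model (constructed; step names are hypothetical,
# only "softwareProductAbuse" is taken from the issue).
CONDITIONS = ["physicalAccess", "localAccess", "networkAccess",
              "lowPrivileges", "highPrivileges"]

def build_graph(vuln_requires):
    """Return (nodes, entry_points) for one vulnerability.

    nodes maps step name -> (kind, parents); kind is "AND" or "OR".
    """
    nodes, entry = {}, set()
    for c in CONDITIONS:
        # Each condition is an OR step: the attacker really has it,
        # or the vulnerability does not require it.
        nodes[c] = ("OR", ["attacker." + c, "notRequired." + c])
        if c not in vuln_requires:
            entry.add("notRequired." + c)  # triggered automatically
    nodes["softwareProductAbuse"] = ("AND", list(CONDITIONS))
    return nodes, entry

def reachable(nodes, entry):
    """Fixpoint: an OR step needs any parent reached, an AND step needs all."""
    reached = set(entry)
    changed = True
    while changed:
        changed = False
        for name, (kind, parents) in nodes.items():
            if name in reached:
                continue
            hits = [p in reached for p in parents]
            if all(hits) if kind == "AND" else any(hits):
                reached.add(name)
                changed = True
    return reached

def evaluate(vuln_requires, attacker_has):
    """Return (abuse_reached, conditions_still_blocking)."""
    nodes, entry = build_graph(set(vuln_requires))
    entry |= {"attacker." + c for c in attacker_has}
    reached = reachable(nodes, entry)
    blocking = [c for c in CONDITIONS if c not in reached]
    return "softwareProductAbuse" in reached, blocking

if __name__ == "__main__":
    print(evaluate({"networkAccess"}, {"networkAccess"}))
    print(evaluate({"networkAccess", "highPrivileges"}, {"networkAccess"}))
    print(evaluate(CONDITIONS, {"networkAccess"}))
```

The second return value lists the conditions that keep the AND step from firing, which is the first thing to inspect when a ported model stops reaching the step.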

andrewbwm commented 3 years ago

After discussing the matter with @jesajx we've determined that the issue is a bug in the SoftwareProduct code that I already have a fix for. I will close this bug and mention the commit once it has been pushed upstream.

andrewbwm commented 3 years ago

Fix (79edf959cda10a860336f661981ce6bd5da08d25) was merged into master.