mal-lang / coreLang

A probabilistic attack simulation language for the (abstract) IT domain
https://mal-lang.org/coreLang/

Model Credentials that are involved in the authentication process. #75

Closed andrewbwm closed 2 years ago

andrewbwm commented 2 years ago

The Credentials asset was used to represent credentials being stored or transmitted, but not credentials as part of the authentication process.

This pull request introduces the concept of overriding Credentials and locking out Identities when a Credentials asset is written or denied, respectively. This change requires a slightly different interpretation of the impact attack steps on the Credentials asset. If an attacker is able to write to Credentials, the assumption is that they are able to change the information that the authentication process uses to verify if the credentials match; therefore, if an attacker is able to write them over, they can trivially assume the Identities associated with the credentials.

Similarly, if an attacker is able to deny Credentials, the assumption is that they can prevent the authentication process from accepting the legitimate information provided by the authorised users. This leads to the newly introduced attack step on the Identity asset called Lockout. If all of the Credentials associated with an Identity are denied, the Lockout attack step is triggered on the Identity to represent that users can no longer authenticate using that Identity due to the attacker's actions. Additionally, if all of the Identities that have ExecutionPrivilegeAccess on an Application have been locked out, this leads to a Deny on the Application; it is assumed that there is no way for legitimate users to run it any longer. In some situations this would require a reboot or restart, but since one would occur sooner or later the deny is simply triggered trivially.

For situations where the attacker is able to Write or Deny Data that hold Credentials, but the Data are not seen as the actual information used by the authentication process, but rather separate entries, such as password managers or text files containing credentials, the Replica association between Credentials and Data should be used. If the user is assumed to be able to remember the Credentials, a Data asset that represents the user's biological memory should be created and associated with the Credentials via the Replica relationship to prevent the attacker from locking out the user. This Data asset representing biological memory should, obviously, not be connected to any other asset as it simply resides in the user's brain.
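
The propagation described in this pull request, as an added Python sketch (not part of the pull request and not coreLang code). It assumes that, through the Replica association, Credentials become denied only when every replica Data asset is denied; all class, function and asset names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Credentials:
    name: str
    replicas: set = field(default_factory=set)  # Data assets tied via Replica
    denied_directly: bool = False  # attacker denies the authentication info itself

@dataclass
class Identity:
    name: str
    credentials: list

@dataclass
class Application:
    name: str
    exec_identities: list  # Identities with ExecutionPrivilegeAccess

def credentials_denied(cred, denied_data):
    # Assumption: via Replica, Credentials count as denied only when every
    # replica Data asset is denied; one surviving copy is enough to log in.
    if cred.denied_directly:
        return True
    return bool(cred.replicas) and cred.replicas <= denied_data

def locked_out(identity, denied_data):
    # Lockout needs ALL Credentials of the Identity denied (AND step).
    creds = identity.credentials
    return bool(creds) and all(credentials_denied(c, denied_data) for c in creds)

def application_denied(app, denied_data):
    # Deny on the Application needs ALL executing Identities locked out.
    ids = app.exec_identities
    return bool(ids) and all(locked_out(i, denied_data) for i in ids)

def build_scenario():
    # Constructed sample model; every name here is hypothetical.
    alice_pw = Credentials("alice_pw", {"password_manager_db"})
    bob_pw = Credentials("bob_pw", {"notes_txt", "bob_memory"})
    alice, bob = Identity("alice", [alice_pw]), Identity("bob", [bob_pw])
    return alice, bob, bob_pw, Application("payroll", [alice, bob])

if __name__ == "__main__":
    alice, bob, bob_pw, app = build_scenario()
    reachable = {"password_manager_db", "notes_txt"}  # bob_memory is unconnected
    print(locked_out(alice, reachable), locked_out(bob, reachable),
          application_denied(app, reachable))
    bob_pw.denied_directly = True  # the authentication information itself is denied
    print(application_denied(app, reachable))
```

Because `bob_memory` is connected to nothing, it can never appear in the denied set, so bob stays usable until his Credentials are denied directly.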