One of the possible requirements of SoftwareVulnerabilities is UserInteraction. However, the CVSS score is binary, so it does not define the likelihood of the user triggering the interaction on their own. This feels too coarse as vulnerabilities can range quite substantially in the user interaction required. Some could require behaviour that is reasonable to expect regularly, such as clicking on a shortcut or accessing network storage, while other may require behaviour that is unlikely to happen unless the user is tricked into the specific interaction.
We have been using the unsafeUserActivity attack step to fulfil this requirement so far. However, this entirely disregards the possibility that the user would trigger the required interaction without adversary inducement. This pull request introduces an attack step, inherentUserInteraction, that automatically fulfils the requirement, representing the user triggering it as part of their regular operations. However, the probability associated with this attack step is entirely vulnerability dependent, so the modeller should assign an appropriate distribution given the description of the vulnerability.
One of the possible requirements of
SoftwareVulnerabilitiesisUserInteraction. However, the CVSS score is binary, so it does not define the likelihood of the user triggering the interaction on their own. This feels too coarse as vulnerabilities can range quite substantially in the user interaction required. Some could require behaviour that is reasonable to expect regularly, such as clicking on a shortcut or accessing network storage, while other may require behaviour that is unlikely to happen unless the user is tricked into the specific interaction.We have been using the
unsafeUserActivityattack step to fulfil this requirement so far. However, this entirely disregards the possibility that the user would trigger the required interaction without adversary inducement. This pull request introduces an attack step,inherentUserInteraction, that automatically fulfils the requirement, representing the user triggering it as part of their regular operations. However, the probability associated with this attack step is entirely vulnerability dependent, so the modeller should assign an appropriate distribution given the description of the vulnerability.