use of com.ge.verdict.attackdefensecollector.DependentRules in project VERDICT by ge-high-assurance.
the class SystemModel method trace.
/**
* Trace a port concern through a system from an output port, or from the input port of a
* subsystem with an internal incoming connection, constructing an attack-defense tree for all
* possible attacks on the system.
*
* <p>Uses attacks directly affecting the system, cyber relations, internal connections to
* subcomponents, and incoming connections to construct the entire attack-defense tree.
*
* <p>Avoids entering infinite loops by keeping track of pairs of connections and CIAs that have
* already been traced.
*
* <p>Builds maps (with concretize()) on first invocation.
*
* @param concern the port and CIA to trace
* @param cyclePrevention a set of previously-traced connections and CIAs, used to prevent
* cycles from causing infinite loops
* @return the optional attack-defense tree constructed from tracing the port concern
*/
protected Optional<ADTree> trace(PortConcern concern, Set<Pair<ConnectionModel, CIA>> cyclePrevention) {
if (!isConcretized()) {
concretize();
}
// Logger.println("Tracing " + getName() + " " + concern.getPortName() + ":" +
// concern.getCia());
// All attack-defense trees that will be OR-ed together at the end
Set<ADTree> children = new HashSet<>();
// If we find a cyber rel with this output port, then even if we have successfully
// traced the port concern even if we don't turn up an attack-defense tree at the end
boolean hasCyberRel = false;
// Attacks which apply directly to this system
for (Attack attack : attackable.getAttacks()) {
// Only allow matching CIA attacks
if (attack.getCia().equals(concern.getCia())) {
if (attackToDefense.containsKey(attack)) {
// There is a defense associated
Optional<ADTree> dependentRules = DependentRules.getComponentDependence(this, attack.getName());
if (dependentRules.isPresent()) {
children.add(new ADAnd(new ADNot(attackToDefense.get(attack)), attack, dependentRules.get()));
} else {
children.add(new ADAnd(new ADNot(attackToDefense.get(attack)), attack));
}
} else {
// There is no defense, just a raw attack
children.add(attack);
}
}
}
// Search in cyber relations
for (CyberRel cyberRel : Util.guardedGet(outputConcernToCyberRel, concern)) {
hasCyberRel = true;
if (cyberRel.getInput().isPresent()) {
// Trace cyber relation
cyberRel.getInput().get().toADTree(inputConcern -> traceInputConcern(inputConcern, cyclePrevention)).map(children::add);
}
}
// Search in subcomponents (using internal connections)
for (ConnectionModel internalConnection : Util.guardedGet(destPortToOutgoingInternalConnection, concern.getPortName())) {
internalConnection.trace(concern.getCia(), cyclePrevention).map(children::add);
}
// (This happens when tracing from a subcomponent back to an input of the overall system)
for (ConnectionModel internalConnection : Util.guardedGet(sourcePortToIncomingInternalConnection, concern.getPortName())) {
traceInputConcern(new PortConcern(internalConnection.getSourcePortName(), concern.getCia()), cyclePrevention).map(children::add);
}
if (children.isEmpty()) {
if (!hasCyberRel) {
Logger.showWarning("Found no trace for " + getName() + " " + concern.getPortName() + ":" + concern.getCia());
}
return Optional.empty();
} else {
// Disjunction of all of the inputs
return Optional.of(new ADOr(children));
}
}
Aggregations