
Example 1 with DependentRules

use of com.ge.verdict.attackdefensecollector.DependentRules in project VERDICT by ge-high-assurance.

The method trace of the class SystemModel.

/**
 * Trace a port concern through a system from an output port, or from the input port of a
 * subsystem with an internal incoming connection, constructing an attack-defense tree for all
 * possible attacks on the system.
 *
 * <p>Uses attacks directly affecting the system, cyber relations, internal connections to
 * subcomponents, and incoming connections to construct the entire attack-defense tree.
 *
 * <p>Avoids entering infinite loops by keeping track of pairs of connections and CIAs that have
 * already been traced.
 *
 * <p>Builds maps (with concretize()) on first invocation.
 *
 * @param concern the port and CIA to trace
 * @param cyclePrevention a set of previously-traced connections and CIAs, used to prevent
 *     cycles from causing infinite loops
 * @return the optional attack-defense tree constructed from tracing the port concern
 */
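protected Optional<ADTree> trace(PortConcern concern, Set<Pair<ConnectionModel, CIA>> cyclePrevention) {
    // The lookup maps used below are built on the first trace.
    if (!isConcretized()) {
        concretize();
    }
    // Each sub-tree collected here is one alternative way of realising the concern;
    // they are OR-ed together at the end.
    Set<ADTree> children = new HashSet<>();
    // Set when at least one cyber relation has this concern as its output. The concern then
    // counts as traced even if no attack-defense tree results, so the "no trace" warning
    // below is suppressed.
    boolean hasCyberRel = false;

    // Attacks which apply directly to this system
    for (Attack attack : attackable.getAttacks()) {
        // Only attacks on the same CIA property as the concern are relevant
        if (!attack.getCia().equals(concern.getCia())) {
            continue;
        }
        if (!attackToDefense.containsKey(attack)) {
            // There is no defense, just a raw attack
            children.add(attack);
            continue;
        }
        // A defended attack is modelled as (NOT defense) AND attack, additionally AND-ed with
        // the component's dependent rules when DependentRules returns any for this attack.
        Optional<ADTree> dependentRules = DependentRules.getComponentDependence(this, attack.getName());
        if (dependentRules.isPresent()) {
            children.add(new ADAnd(new ADNot(attackToDefense.get(attack)), attack, dependentRules.get()));
        } else {
            children.add(new ADAnd(new ADNot(attackToDefense.get(attack)), attack));
        }
    }

    // Search in cyber relations. cyclePrevention is only forwarded by this method.
    // NOTE(review): the visited (connection, CIA) pairs are presumably recorded by the
    // callees; confirm in traceInputConcern / ConnectionModel.trace.
    for (CyberRel cyberRel : Util.guardedGet(outputConcernToCyberRel, concern)) {
        hasCyberRel = true;
        // A relation without an input expression contributes no sub-tree. ifPresent is used
        // instead of map because the only purpose is the side effect of adding the tree.
        cyberRel.getInput().ifPresent(input ->
                input.toADTree(inputConcern -> traceInputConcern(inputConcern, cyclePrevention))
                        .ifPresent(children::add));
    }

    // Search in subcomponents (using internal connections)
    for (ConnectionModel internalConnection : Util.guardedGet(destPortToOutgoingInternalConnection, concern.getPortName())) {
        internalConnection.trace(concern.getCia(), cyclePrevention).ifPresent(children::add);
    }

    // (This happens when tracing from a subcomponent back to an input of the overall system)
    for (ConnectionModel internalConnection : Util.guardedGet(sourcePortToIncomingInternalConnection, concern.getPortName())) {
        traceInputConcern(new PortConcern(internalConnection.getSourcePortName(), concern.getCia()), cyclePrevention)
                .ifPresent(children::add);
    }

    if (!children.isEmpty()) {
        // Disjunction of all of the inputs
        return Optional.of(new ADOr(children));
    }
    // Nothing was found. The warning is only raised when no cyber relation covered this
    // output either. NOTE(review): an empty result reflects only what the model contains;
    // confirm that callers do not read it as evidence that the port cannot be attacked.
    if (!hasCyberRel) {
        Logger.showWarning("Found no trace for " + getName() + " " + concern.getPortName() + ":" + concern.getCia());
    }
    return Optional.empty();
}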
Also used : ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) Pair(com.ge.verdict.attackdefensecollector.Pair) Set(java.util.Set) ArrayList(java.util.ArrayList) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) HashSet(java.util.HashSet) LinkedHashMap(java.util.LinkedHashMap) Objects(java.util.Objects) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) List(java.util.List) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense) Util(com.ge.verdict.attackdefensecollector.Util) Map(java.util.Map) Logger(com.ge.verdict.attackdefensecollector.Logger) Optional(java.util.Optional) DependentRules(com.ge.verdict.attackdefensecollector.DependentRules) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) Collections(java.util.Collections) ADNot(com.ge.verdict.attackdefensecollector.adtree.ADNot) ADNot(com.ge.verdict.attackdefensecollector.adtree.ADNot) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) HashSet(java.util.HashSet)
