Search in sources :

Example 1 with Defense

use of com.ge.verdict.attackdefensecollector.adtree.Defense in project VERDICT by ge-high-assurance.

the class VerdictSynthesisTest method partialSolutionTest.

@Test
public void partialSolutionTest() {
    CostModel costModel = new CostModel(new File(getClass().getResource("partialCosts.xml").getPath()));
    int dal = 2;
    SystemModel system = new SystemModel("C1");
    Attack attack1 = new Attack(system.getAttackable(), "A1", "An attack", Prob.certain(), CIA.I);
    Defense defense1 = new Defense(attack1);
    defense1.addDefenseClause(Collections.singletonList(new Defense.DefenseLeaf("D1", Optional.of(new com.ge.verdict.attackdefensecollector.Pair<>("D1", 1)))));
    ADTree adtree = new ADOr(new ADAnd(new ADNot(defense1), attack1));
    for (Approach approach : Approach.values()) {
        {
            DLeaf.Factory factoryPartial = new DLeaf.Factory();
            Optional<Pair<Set<ComponentDefense>, Double>> resultPartial = VerdictSynthesis.performSynthesisSingle(DTreeConstructor.construct(adtree, costModel, dal, true, false, factoryPartial), dal, factoryPartial, approach);
            Assertions.assertThat(resultPartial.isPresent());
            Assertions.assertThat(resultPartial.get().right).isEqualTo(1);
        }
        {
            DLeaf.Factory factoryTotal = new DLeaf.Factory();
            Optional<Pair<Set<ComponentDefense>, Double>> resultTotal = VerdictSynthesis.performSynthesisSingle(DTreeConstructor.construct(adtree, costModel, dal, false, false, factoryTotal), dal, factoryTotal, approach);
            Assertions.assertThat(resultTotal.isPresent());
            Assertions.assertThat(resultTotal.get().right).isEqualTo(2);
        }
    }
}
Also used : DLeaf(com.ge.verdict.synthesis.dtree.DLeaf) Set(java.util.Set) ADNot(com.ge.verdict.attackdefensecollector.adtree.ADNot) Optional(java.util.Optional) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense) ComponentDefense(com.ge.verdict.synthesis.dtree.DLeaf.ComponentDefense) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) SystemModel(com.ge.verdict.attackdefensecollector.model.SystemModel) Approach(com.ge.verdict.synthesis.VerdictSynthesis.Approach) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) File(java.io.File) Pair(com.ge.verdict.synthesis.util.Pair) Test(org.junit.Test)

Example 2 with Defense

use of com.ge.verdict.attackdefensecollector.adtree.Defense in project VERDICT by ge-high-assurance.

the class AttackDefenseCollector method loadAttacksDefensesFromCsv.

/**
 * Load the attacks and defenses from CAPEC.csv and Defenses.csv, respectively.
 *
 * <p>This is factored out because it is used by both the CSV and VDM approaches.
 *
 * @param inputDir the STEM output directory
 * @param connectionNameMap the map from connection names in the CSV files to the actual
 *     connection names
 * @throws CSVFile.MalformedInputException
 * @throws IOException
 */
private void loadAttacksDefensesFromCsv(String inputDir, Map<String, String> connectionNameMap) throws CSVFile.MalformedInputException, IOException {
    // Load all the files as CSV
    CSVFile capecCsv = new CSVFile(new File(inputDir, "CAPEC.csv"), true, "CompType", "CompInst", "CAPEC", "CAPECDescription", "Confidentiality", "Integrity", "Availability", "LikelihoodOfSuccess");
    CSVFile defensesCsv = new CSVFile(new File(inputDir, "Defenses.csv"), true, "CompType", "CompInst", "CAPEC", "Confidentiality", "Integrity", "Availability", "ApplicableDefenseProperties", "ImplProperties", "DAL");
    // Load attacks
    for (CSVFile.RowData row : capecCsv.getRowDatas()) {
        String systemTypeName = row.getCell("CompType");
        String systemInstName = row.getCell("CompInst");
        String attackName = row.getCell("CAPEC");
        String attackDesc = row.getCell("CAPECDescription");
        Prob likelihood = Prob.certain();
        // Look at all three columns to figure out which one is being used
        CIA cia = CIA.fromStrings(row.getCell("Confidentiality"), row.getCell("Integrity"), row.getCell("Availability"));
        if ("Connection".equals(systemTypeName)) {
            String connectionName = connectionNameMap.get(systemInstName);
            for (ConnectionModel connection : connNameToConnectionModelMap.get(connectionName)) {
                connection.getAttackable().addAttack(new Attack(connection.getAttackable(), attackName, attackDesc, likelihood, cia));
            }
        } else {
            SystemModel system = getSystem(systemInstName);
            system.getAttackable().addAttack(new Attack(system.getAttackable(), attackName, attackDesc, likelihood, cia));
        }
    }
    // Note we don't use implemented property column in csv files if we vdm as input
    for (CSVFile.RowData row : defensesCsv.getRowDatas()) {
        String systemTypeName = row.getCell("CompType");
        String systemInstName = row.getCell("CompInst");
        String attackName = row.getCell("CAPEC");
        CIA cia = CIA.fromStrings(row.getCell("Confidentiality"), row.getCell("Integrity"), row.getCell("Availability"));
        List<String> defenseNames = Arrays.asList(row.getCell("ApplicableDefenseProperties").split(";")).stream().map(name -> name.length() > 0 ? Character.toString(name.charAt(0)).toLowerCase() + name.substring(1) : "").collect(Collectors.toList());
        List<String> implProps = Arrays.asList(row.getCell("ImplProperties").split(";"));
        List<String> likelihoodStrings = Arrays.asList(row.getCell("DAL").split(";"));
        if (defenseNames.size() != implProps.size() || defenseNames.size() != likelihoodStrings.size()) {
            throw new RuntimeException("ApplicableDefenseProperties, ImplProperties, and DAL must have same cardinality");
        }
        List<Defense> defenses = new ArrayList<>();
        List<Defense.DefenseLeaf> clause = new ArrayList<>();
        if ("Connection".equals(systemTypeName)) {
            String connectionName = connectionNameMap.get(systemInstName);
            for (ConnectionModel connection : connNameToConnectionModelMap.get(connectionName)) {
                Defense defense = connection.getAttackable().getDefenseByAttackAndCia(attackName, cia);
                if (defense == null) {
                    Attack attack = connection.getAttackable().getAttackByNameAndCia(attackName, cia);
                    if (attack == null) {
                        throw new RuntimeException("could not find attack: " + attackName + ", " + cia);
                    }
                    defense = new Defense(attack);
                    connection.getAttackable().addDefense(defense);
                }
                defenses.add(defense);
            }
        } else {
            SystemModel system = getSystem(systemInstName);
            Defense defense = system.getAttackable().getDefenseByAttackAndCia(attackName, cia);
            if (defense == null) {
                Attack attack = system.getAttackable().getAttackByNameAndCia(attackName, cia);
                if (attack == null) {
                    throw new RuntimeException("could not find attack: " + attackName + ", " + cia);
                }
                defense = new Defense(attack);
                system.getAttackable().addDefense(defense);
            }
            defenses.add(defense);
        }
        // TODO get defense descriptions from Defenses2NIST?
        // Need to get correct name if connection
        String entityName = "Connection".equals(systemTypeName) ? connectionNameMap.get(systemInstName) : systemInstName;
        for (int i = 0; i < defenseNames.size(); i++) {
            if (!"null".equals(defenseNames.get(i))) {
                int dal = -1;
                // it will be null if we are not loading from VDM
                if (compDefenseToImplDal != null) {
                    // load DAL from VDM if available
                    Pair<String, String> pair = new Pair<>(entityName, defenseNames.get(i));
                    if (compDefenseToImplDal.containsKey(pair)) {
                        dal = compDefenseToImplDal.get(pair);
                    } else {
                        // if there is no binding present, then it is not implemented
                        dal = 0;
                    }
                }
                // this code treats applicable defense and impl defense as separate things
                // but we have changed the capitalization so that they should be the same
                Optional<Pair<String, Integer>> impl;
                if (dal == -1) {
                    impl = "null".equals(implProps.get(i)) ? Optional.empty() : Optional.of(new Pair<>(implProps.get(i), Integer.parseInt(likelihoodStrings.get(i))));
                } else {
                    impl = dal == 0 ? Optional.empty() : Optional.of(new Pair<>(defenseNames.get(i), dal));
                }
                clause.add(new Defense.DefenseLeaf(defenseNames.get(i), impl));
            }
        }
        // And there are potentially multiple such rows, forming a DNF
        for (Defense defense : defenses) {
            defense.addDefenseClause(clause);
        }
    }
}
Also used : CIA(com.ge.verdict.attackdefensecollector.model.CIA) CyberNot(com.ge.verdict.attackdefensecollector.model.CyberNot) CIAPort(verdict.vdm.vdm_model.CIAPort) Arrays(java.util.Arrays) VdmTranslator(com.ge.verdict.vdm.VdmTranslator) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) CyberAnd(com.ge.verdict.attackdefensecollector.model.CyberAnd) CyberRel(com.ge.verdict.attackdefensecollector.model.CyberRel) HashMap(java.util.HashMap) CyberReq(com.ge.verdict.attackdefensecollector.model.CyberReq) ArrayList(java.util.ArrayList) GenericAttribute(verdict.vdm.vdm_data.GenericAttribute) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) LinkedHashMap(java.util.LinkedHashMap) Model(verdict.vdm.vdm_model.Model) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense) DefenseProperties(com.ge.verdict.vdm.DefenseProperties) Map(java.util.Map) Connection(verdict.vdm.vdm_model.Connection) ComponentType(verdict.vdm.vdm_model.ComponentType) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) CyberExpr(com.ge.verdict.attackdefensecollector.model.CyberExpr) SystemModel(com.ge.verdict.attackdefensecollector.model.SystemModel) ComponentImpl(verdict.vdm.vdm_model.ComponentImpl) CyberOr(com.ge.verdict.attackdefensecollector.model.CyberOr) Collection(java.util.Collection) Set(java.util.Set) IOException(java.io.IOException) ComponentInstance(verdict.vdm.vdm_model.ComponentInstance) ConnectionModel(com.ge.verdict.attackdefensecollector.model.ConnectionModel) Collectors(java.util.stream.Collectors) File(java.io.File) List(java.util.List) Severity(verdict.vdm.vdm_model.Severity) Optional(java.util.Optional) Collections(java.util.Collections) PortConcern(com.ge.verdict.attackdefensecollector.model.PortConcern) Mission(verdict.vdm.vdm_model.Mission) ArrayList(java.util.ArrayList) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense) SystemModel(com.ge.verdict.attackdefensecollector.model.SystemModel) CIA(com.ge.verdict.attackdefensecollector.model.CIA) ConnectionModel(com.ge.verdict.attackdefensecollector.model.ConnectionModel) File(java.io.File)

Example 3 with Defense

use of com.ge.verdict.attackdefensecollector.adtree.Defense in project VERDICT by ge-high-assurance.

the class DTreeConstructor method perform.

/**
 * This is the part that actually constructs the dtree.
 *
 * @param adtree
 * @return
 */
private DTree perform(ADTree adtree) {
    Optional<DTree> resultOpt = constructInternal(adtree);
    if (!resultOpt.isPresent()) {
        return new DOr(Collections.emptyList());
    } else {
        DTree result = resultOpt.get();
        // remove raw attack leaves that are covered by a defense
        for (Defense defense : defenses) {
            if (!attackALeafMap.containsKey(defense.getAttack())) {
                throw new RuntimeException("defense references undefined attack: " + defense.getAttack().getName());
            }
            // it isn't included in the final tree
            for (ALeaf aleaf : attackALeafMap.get(defense.getAttack())) {
                aleaf.setMitigated();
            }
        }
        // these are the raw attack leaves that aren't covered by a defense
        Set<ALeaf> unmitigated = new LinkedHashSet<>();
        for (Set<ALeaf> set : attackALeafMap.values()) {
            for (ALeaf aleaf : set) {
                if (!aleaf.isMitigated()) {
                    unmitigated.add(aleaf);
                }
            }
        }
        // raw attacks without corresponding defenses
        for (ALeaf aleaf : unmitigated) {
            System.out.println("Warning: Unmitigated attack: " + aleaf.getAttack().toString());
        }
        // connect the defense condition to its corresponding dleaf
        for (DCondition dcond : dconditions) {
            Optional<DLeaf.ComponentDefense> compDef = factory.lookup(dcond.defenseCond.getAttackable().getParentName(), dcond.defenseCond.getDefenseProperty());
            if (compDef.isPresent()) {
                dcond.setCompDef(compDef.get());
            } else {
                // This means that the defense isn't part of the attack-defense tree,
                // so we need to create a dleaf (which implicitly creates an SMT variable)
                // for it so that the DAL can get forced down to zero if necessary
                // TODO this doesn't actually work. This is the screwy case that we need to fix.
                DLeaf dleaf = new DLeaf(dcond.defenseCond.getAttackable().getParentName(), dcond.defenseCond.getDefenseProperty(), "", dcond.defenseCond.getImplDal(), 0, costModel, factory, usePartialSolution, meritAssignment);
                dcond.setCompDef(dleaf.componentDefense);
            }
        }
        // important to call prepare - collapses nested NOTs and removes unmitigated raw attack
        // leaves
        Optional<DTree> prepared = result.prepare();
        return prepared.orElse(new DOr(Collections.emptyList()));
    }
}
Also used : LinkedHashSet(java.util.LinkedHashSet) DLeaf(com.ge.verdict.synthesis.dtree.DLeaf) DTree(com.ge.verdict.synthesis.dtree.DTree) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) DOr(com.ge.verdict.synthesis.dtree.DOr) ALeaf(com.ge.verdict.synthesis.dtree.ALeaf) DCondition(com.ge.verdict.synthesis.dtree.DCondition) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense)

Example 4 with Defense

use of com.ge.verdict.attackdefensecollector.adtree.Defense in project VERDICT by ge-high-assurance.

the class DTreeConstructor method constructInternal.

/**
 * Inductively-defined function over attack-defense trees.
 *
 * <p>The mapping from attack-defense tree to defense tree is pretty straightforward. One of the
 * most important things to note is that AND and OR nodes are transposed in the transformation
 * because they mean opposite things in a defense tree compared to an attack-defense tree. (An
 * attack-defense tree is "how to attack", whereas a defense tree is "how to defend".)
 *
 * @param adtree
 * @return
 */
private Optional<DTree> constructInternal(ADTree adtree) {
    if (adtree instanceof Attack) {
        Attack attack = (Attack) adtree;
        ALeaf aleaf = new ALeaf(attack);
        // keep track of all attack leaves
        if (!attackALeafMap.containsKey(attack)) {
            attackALeafMap.put(attack, new LinkedHashSet<>());
        }
        attackALeafMap.get(attack).add(aleaf);
        return Optional.of(aleaf);
    } else if (adtree instanceof Defense) {
        Defense defense = (Defense) adtree;
        defenses.add(defense);
        return Optional.of(new DNot(constructDefenseTree(defense)));
    } else if (adtree instanceof ADAnd) {
        ADAnd adand = (ADAnd) adtree;
        // Transpose and/or
        return Optional.of(new DOr(adand.children().stream().map(this::constructInternal).flatMap(elem -> elem.isPresent() ? Stream.of(elem.get()) : Stream.empty()).collect(Collectors.toList())));
    } else if (adtree instanceof ADOr) {
        ADOr ador = (ADOr) adtree;
        // Transpose and/or
        return Optional.of(new DAnd(ador.children().stream().map(this::constructInternal).flatMap(elem -> elem.isPresent() ? Stream.of(elem.get()) : Stream.empty()).collect(Collectors.toList())));
    } else if (adtree instanceof ADNot) {
        ADNot adnot = (ADNot) adtree;
        return constructInternal(adnot.child()).map(DNot::new);
    } else if (adtree instanceof DefenseCondition) {
        DCondition dcond = new DCondition((DefenseCondition) adtree);
        dconditions.add(dcond);
        return Optional.of(dcond);
    } else {
        throw new RuntimeException("got invalid adtree type: " + adtree.getClass().getCanonicalName());
    }
}
Also used : DCondition(com.ge.verdict.synthesis.dtree.DCondition) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) DefenseCondition(com.ge.verdict.attackdefensecollector.adtree.DefenseCondition) ArrayList(java.util.ArrayList) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) LinkedHashMap(java.util.LinkedHashMap) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense) Map(java.util.Map) DTree(com.ge.verdict.synthesis.dtree.DTree) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) LinkedHashSet(java.util.LinkedHashSet) DLeaf(com.ge.verdict.synthesis.dtree.DLeaf) DNot(com.ge.verdict.synthesis.dtree.DNot) AttackDefenseCollector(com.ge.verdict.attackdefensecollector.AttackDefenseCollector) Set(java.util.Set) Collectors(java.util.stream.Collectors) ALeaf(com.ge.verdict.synthesis.dtree.ALeaf) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) List(java.util.List) Stream(java.util.stream.Stream) Optional(java.util.Optional) DAnd(com.ge.verdict.synthesis.dtree.DAnd) DOr(com.ge.verdict.synthesis.dtree.DOr) Collections(java.util.Collections) ADNot(com.ge.verdict.attackdefensecollector.adtree.ADNot) ADNot(com.ge.verdict.attackdefensecollector.adtree.ADNot) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) DOr(com.ge.verdict.synthesis.dtree.DOr) ALeaf(com.ge.verdict.synthesis.dtree.ALeaf) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) DCondition(com.ge.verdict.synthesis.dtree.DCondition) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) DAnd(com.ge.verdict.synthesis.dtree.DAnd) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense) DNot(com.ge.verdict.synthesis.dtree.DNot) ADNot(com.ge.verdict.attackdefensecollector.adtree.ADNot) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) DefenseCondition(com.ge.verdict.attackdefensecollector.adtree.DefenseCondition)

Example 5 with Defense

use of com.ge.verdict.attackdefensecollector.adtree.Defense in project VERDICT by ge-high-assurance.

the class DTreeConstructorTest method testConstruct.

@Test
public void testConstruct() {
    DLeaf.Factory factory = new DLeaf.Factory();
    CostModel dummyCosts = new CostModel(new File(getClass().getResource("dummyCosts.xml").getPath()));
    int dal = 5;
    SystemModel system = new SystemModel("S1");
    Attack attack1 = new Attack(system.getAttackable(), "A1", "An attack", Prob.certain(), CIA.I);
    Defense defense1 = new Defense(attack1);
    defense1.addDefenseClause(Collections.singletonList(new Defense.DefenseLeaf("D1", Optional.empty())));
    ADTree adtree = new ADOr(new ADAnd(new ADNot(defense1), attack1));
    Fraction[] costs = Util.fractionCosts(new double[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 });
    DTree dtree = new DAnd(Collections.singletonList(new DOr(Collections.singletonList(new DOr(Collections.singletonList(new DAnd(Collections.singletonList(new DLeaf("S1", "D1", "A1", 0, dal, costs, factory)))))))));
    Assertions.assertThat(DTreeConstructor.construct(adtree, dummyCosts, dal, false, false, factory).prettyPrint()).isEqualTo(dtree.prettyPrint());
}
Also used : DLeaf(com.ge.verdict.synthesis.dtree.DLeaf) ADNot(com.ge.verdict.attackdefensecollector.adtree.ADNot) DTree(com.ge.verdict.synthesis.dtree.DTree) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) DOr(com.ge.verdict.synthesis.dtree.DOr) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) Fraction(org.apache.commons.math3.fraction.Fraction) Attack(com.ge.verdict.attackdefensecollector.adtree.Attack) ADAnd(com.ge.verdict.attackdefensecollector.adtree.ADAnd) DAnd(com.ge.verdict.synthesis.dtree.DAnd) Defense(com.ge.verdict.attackdefensecollector.adtree.Defense) ADTree(com.ge.verdict.attackdefensecollector.adtree.ADTree) SystemModel(com.ge.verdict.attackdefensecollector.model.SystemModel) ADOr(com.ge.verdict.attackdefensecollector.adtree.ADOr) File(java.io.File) Test(org.junit.Test)

Aggregations

Defense (com.ge.verdict.attackdefensecollector.adtree.Defense)12 Attack (com.ge.verdict.attackdefensecollector.adtree.Attack)11 ADOr (com.ge.verdict.attackdefensecollector.adtree.ADOr)10 ADTree (com.ge.verdict.attackdefensecollector.adtree.ADTree)10 ADAnd (com.ge.verdict.attackdefensecollector.adtree.ADAnd)8 ADNot (com.ge.verdict.attackdefensecollector.adtree.ADNot)8 DLeaf (com.ge.verdict.synthesis.dtree.DLeaf)8 SystemModel (com.ge.verdict.attackdefensecollector.model.SystemModel)7 File (java.io.File)7 DOr (com.ge.verdict.synthesis.dtree.DOr)6 DTree (com.ge.verdict.synthesis.dtree.DTree)6 Test (org.junit.Test)6 DAnd (com.ge.verdict.synthesis.dtree.DAnd)5 Optional (java.util.Optional)4 Set (java.util.Set)4 Fraction (org.apache.commons.math3.fraction.Fraction)4 AttackDefenseCollector (com.ge.verdict.attackdefensecollector.AttackDefenseCollector)3 CyberReq (com.ge.verdict.attackdefensecollector.model.CyberReq)3 ALeaf (com.ge.verdict.synthesis.dtree.ALeaf)3 ArrayList (java.util.ArrayList)3