: Public abstract Class
| Created: |
19.12.2017 09:24:11 |
| Modified: |
16.03.2021 14:27:09 |
|
 Project: |
|
| Author: |
mz |
| Version: |
1.0 |
| Phase: |
1.0 |
| Status: |
Proposed |
| Complexity: |
Easy |
| Difficulty: |
|
| Priority: |
|
| Multiplicity: |
|
| Advanced: |
|
| UUID: |
{14CC8BCF-13CB-4a93-ABD2-AA14F9F59200} |
| Appears In: |
Security |
The abstract metaclass AttackMotivation abstracts the motivation of an attacker and the concrete attack (an attack is a motivation in itself). It is intended to be part of an attack tree, were the topmost elements are attack motivations and the bottom elements of the attack tree are attacks, i.e., the upper part of the attack tree consists of one root attack motivation that is broken down into fine-grained submotivations; the bottom part of the attack tree comprises the concrete attacks as fine-grained attack motivations. The syntax of AttackMotivations is inspired by the concept of security attack trees and attack vectors.<br/><br/>Human Actor and Item in Dependability package are associated to an AttackMotivation via the Target super class. Item plays the role of a “Feature” in the context of an attack (motivation) according to SAE J 3601.<br/><br/>Semantics:<br/><br/>The AttackMotivation abstracts the attack motivations and attacks that are used to model the attack tree, where attack motivations cover the topmost part and attacks cover the bottom part of the attack tree.<br/><br/>Subclasses of the abstract class AttackMotivation add their own semantics. Unless there is no further information about the severity of an attack available, either by the score of the vulnerability or by the affected security goals, the subclasses of AttackMotivation represent priorities, with Harm #gt; FinancialGain #gt; Product Modification #gt; Information., i.e., Harm is more severe than Financial gain and so on<br/><br/>Constraints:<br/><br/>[1] Leaves of the attack tree should be attacks, not attack motivations.<br/>[2] If safetyRelevance is set to L(ow) or (H)igh, there must be a Hazard<br/><br/><br/>Notation:<br/><br/>The AttackMotivation is shown as a solid-outline rectangle containing the name. Submotivations and subattacks are connected to their respective supermotivation/superattack by an undirected relationship and are arranged below their supermotivation/superattack (tree view).<br/><br/><br/>Extension: Specialization of SysML::Requirement<br/><br/>
- Attributes
- Associations To
- Associations From
- Other Links
| Attribute |
Public String
availabilityImpact (A)
|
Details:
| Alias: |
|
| Initial: |
|
| Stereotype: |
|
| Ordered: |
|
| Range: |
Range:0 to 1 |
| Transient: |
False |
| Derived: |
False |
| IsID: |
False |
|
Notes:
|
This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. <br/><br/>High (H) There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).<br/><br/>Low (L) There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.<br/><br/>None (N) There is no impact to availability within the impacted component.<br/>
|
|
Public SecurityGoal
breaksSecurityGoals*
|
Details:
| Alias: |
|
| Initial: |
|
| Stereotype: |
|
| Ordered: |
|
| Range: |
|
| Transient: |
False |
| Derived: |
False |
| IsID: |
False |
|
Notes:
|
This metric determines which security goal is attacked based on the enumeration:<br/><br/>-Confidentiality<br/>-Integrity<br/>-Availability<br/>-Authenticity<br/>-Reliability<br/>-Accountability<br/><br/>
|
|
Public String
confidentialityImpact (C)
|
Details:
| Alias: |
|
| Initial: |
|
| Stereotype: |
|
| Ordered: |
|
| Range: |
Range:0 to 1 |
| Transient: |
False |
| Derived: |
False |
| IsID: |
False |
|
Notes:
|
This metric measures the impact to the confidentiality of the information resources managed by a software component or a manual file storage due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.<br/><br/>High (H) There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.<br/><br/>Low (L) There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component.<br/><br/>None (N) There is no loss of confidentiality within the impacted component.<br/>
|
|
Public String
integrityImpact (I)
|
Details:
| Alias: |
|
| Initial: |
|
| Stereotype: |
|
| Ordered: |
|
| Range: |
Range:0 to 1 |
| Transient: |
False |
| Derived: |
False |
| IsID: |
False |
|
Notes:
|
This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.<br/><br/>High (H) There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.<br/><br/>Low (L) Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.<br/><br/>None (N) There is no loss of integrity within the impacted component.<br/>
|
|
Public String
safetyRelevance
|
Details:
| Alias: |
|
| Initial: |
|
| Stereotype: |
|
| Ordered: |
|
| Range: |
Range:0 to 1 |
| Transient: |
False |
| Derived: |
False |
| IsID: |
False |
|
Notes:
|
This metric measures if there is safety hazard and if it is handled.<br/><br/>N(one)<br/>- there is no safety hazard<br/><br/>L(ow) Fail-safe<br/>- there will be a safety hazard, but is a handled case<br/><br/>H(igh) System Failure<br/>- there will be a safety hazard and it is an unhandled case<br/>
|
|
| Element |
Source Role |
Target Role |
Item
Class
|
Name:
|
Name: derived
|
 Details:
|