Implemented defenses should show "and" instead of "or"
Opened this issue · 1 comments
In DeliveryDrone.aadl:
actuation: system Actuation
{
-- VERDICT Component Properties
CASE_Consolidated_Properties::componentType => Hardware;
CASE_Consolidated_Properties::hasSensitiveInfo => true;
CASE_Consolidated_Properties::insideTrustedBoundary => true;
CASE_Consolidated_Properties::pedigree => InternallyDeveloped;
-- VERDICT Cyber Defense and DAL Mitigations
CASE_Consolidated_Properties::physicalAccessControl => 7;
CASE_Consolidated_Properties::supplyChainSecurity => 7;
CASE_Consolidated_Properties::systemAccessControl => 7;
};
MBAA Result (Security Failure Paths tab) shows the following in the Implemented Defenses column:
But it should really be: actuation:physicalAccessControl and systemAccessControl.
It's currently displaying "or" because it is reading the following from Defenses.csv:
Have to modify Defenses.csv, or think of some other way to read that both defenses are listed under actuation in the aadl file.
If you look at lines 8 and 9 in the Defenses.csv shown in the screen capture above, they are both "correct" representation. Each line of this file is related to a Capec on a component/connection and for it the ApplicableDefenseProperties as well as the information about presence of those properties in the implementation is presented. If for a Capec we have "A or B" as mitigation then they will appear over 2 lines in Defenses.csv. If both "A" and "B" are implemented in the AADL model then SOTERIA++ needs to reflect that in the console output.
A simple solution would be for SOTERIA++ to use "and" instead of "or" in "Implemented Defenses" if multiple items are present.