State identifiers for sink states: |Sink or state IDs?
azqanadeem opened this issue · 2 comments
azqanadeem commented
Determine how to represent vertices in AGs that come from sink states. If we do assign |Sink, then all sinks of that type will be merged in one node (cool for simplicity, bad for readability). However, state IDs taken from sinks (salvaged) might be misleading for analysts (think different context). In either case, vertices related to sink states MUST ALWAYS have a dotted border.
jzelenjak commented
I would like to add something regarding this issue.
- Current implementation is as follows: for low-severity sinks, there is no ID at all. For med- and high-severity sinks, there is the actual ID. For low-severity non-sinks, there is no ID at all.
in_main_model(inag-generation.py, see the fragments below) seems useless, since it is created from the state IDs from the episodes and then the same states are queried inin_main_model(so all states will be inin_main_model, including the ones with ID -1). So, all the if-checks for|Sink's are never true and are currently not used. What could be checked instead isif episode[3] != -1, since nodes with ID -1 are low-severity sinks (their ID is removed intraversemethod). This will lead to some states having|SinkID (which I saw on the image in some of the papers, but which is not the case for the current implementation), and as a result a bit more states (these states will now have an ID "Sink" and hence will not be merged with a non-sink nodes without ID (e.g. someVulnD)).
- This is how an AG would look like if we check
if episode[3] != -1:
And this is the original (i.e. current implementation):
- I think it went wrong somewhere in this commit
- With the current implementation, there is technically no point in removing IDs from low-severity sinks as they will not be shown as sinks anyway and will be treated in the same way as low-severity non-sinks (when creating attack graphs; since they don't have IDs,
graphvizwill treat them the same). As intended, there are no oval dotted sinks in the AGs (I have verified this with the cursed pipelines below).
azqanadeem commented
Note: Changes here might break some tests.