
4.5.1 Introduction

From the PVA and PVAI models, we systematically construct a ProbLog program. Due to the deliberate separation of concerns between PVA and PVAI models, we have implemented this transformation in two separate steps (see also the last box of figure 3.1). This results in two separate ProbLog programs, which can be merged to form a complete program. The reason for this separation is that we can quickly generate a new program when the object model changes, without generating code for the class model.

4.5.2 Transformation of PVA models to ProbLog models

We implement the transformation of PVA models to ProbLog models as a model-to-model transformation. Our transformation of a PVA model to a ProbLog model attempts to address the following two concerns:

1. The data stored in PVA models.

2. The vulnerability analysis has to conform to the analysis of CySeMoL.

For item 1, we generate non-probabilistic facts denoting the existence of the objects in the PVA model. This results in a long list of facts (in our tests using CySeMoL we generate 1636 facts in total), which we will use in the implementation of item 2, to construct the analysis.

Item 2 is implemented using a different inference approach than CySeMoL. This is due to the fact that ProbLog does not require sampling to infer the marginal probabilities of a model. Instead of sampling, we use ProbLog to infer the exact probabilities using the algorithm described in section 2.7.6. Given that the scope of the P2AMF derivations is specified relative to the attack step and defence instances, we generate ProbLog code with unique statements for each derivation. This way, we ensure that derivations of attack steps are independent from other derivations. Furthermore, we define helper functions for the probability distribution function evaluation, which return a single probability. For testing purposes, we conform to the ‘workdays’ parametrization as used in CySeMoL. However, by abstracting from the implementation through these helper functions, we are free to change this parametrization if we so desire.

The probability of success for an attack step instance is determined as follows: first, we let ProbLog determine which attack steps are reachable, according to the graph induced by the AttackStepType.target edges. For these attack step instances, we calculate the success probability by evaluating the converted P2AMF code for each attack step instance. ProbLog allows us to specify that attack step success probabilities may depend on the success probabilities of other attack steps, and manages the corresponding calculation using conditional probabilities. Due to the fact that we use parametrized probability distributions, we are able to infer the exact success probabilities of attack steps using this approach with ProbLog.
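The two-stage calculation described above (reachability over the target edges, then exact success probabilities that depend on predecessor steps) can be illustrated as follows. This is an added example, not code from the thesis: it is written in Python and enumerates possible worlds by brute force rather than using ProbLog's inference algorithm, and the step names, edges, probabilities and the encoding (one independent probabilistic choice per step, which succeeds only if some predecessor succeeded) are assumptions.

```python
from itertools import product

# Constructed sample model: step names, edges and probabilities are assumptions.
TARGET = {  # target edges: step -> steps it can lead to
    "entry": ["find_service"],
    "find_service": ["exploit_service", "guess_password"],
    "exploit_service": ["access_host"],
    "guess_password": ["access_host"],
    "offline_step": ["access_host"],  # never reachable from the entry point
}
P_LOCAL = {"find_service": 0.9, "exploit_service": 0.4,
           "guess_password": 0.25, "access_host": 1.0, "offline_step": 0.8}

def reachable(entry, target):
    """Steps reachable from the entry point along the target edges."""
    seen, stack = {entry}, [entry]
    while stack:
        for nxt in target.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def exact_success(entry, target, p_local):
    """Exact marginal success probability of every reachable step."""
    steps = sorted(reachable(entry, target) - {entry})
    marginal = dict.fromkeys(steps, 0.0)
    for choice in product([True, False], repeat=len(steps)):
        local = dict(zip(steps, choice))
        weight = 1.0
        for s in steps:
            weight *= p_local[s] if local[s] else 1.0 - p_local[s]
        # A step succeeds if its own choice holds and some predecessor succeeded.
        ok, frontier = {entry}, [entry]
        while frontier:
            for child in target.get(frontier.pop(), []):
                if child not in ok and local[child]:
                    ok.add(child)
                    frontier.append(child)
        for s in ok - {entry}:
            marginal[s] += weight
    return marginal

if __name__ == "__main__":
    for step, p in exact_success("entry", TARGET, P_LOCAL).items():
        print(f"{step}: {p:.3f}")
```

For access_host the exact result is 0.495, whereas combining its two predecessors as if they were independent would give 0.504; the difference comes from both routes sharing find_service, which is the kind of dependency the exact calculation accounts for.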

4.5.3 Transformation of PVAI models to ProbLog models

The transformation from PVAI models to ProbLog models is independent from the transformation of PVA models to ProbLog. This is due to the fact that the PVAI model references its corresponding PVA model, which is accessed during the transformation process to ProbLog. Consequently, this transformation relies on the same information used by the PVA transformation.

We designed the resulting ProbLog program for the PVA program in such a way that it is able to derive the entire analysis from the specification of template instances, their connections, and an entry point for the attacker. Therefore, most of the transformation effort is performed in the PVA transformation. This allows our PVAI transformation to remain simple and fast. Due to our implementation of the PVA transformation, the PVAI transformation comprises the generation of facts about the data in the PVAI model. We are able to trivially generate facts for:

• Template instances

• Entry Points

• Evidence

However, due to the construction of our PVAI model, the generation of connections between templates is more involved. In order to generate connections between templates, the transformation script derives the concrete relation the template connections resolve to, and creates facts which directly instantiate these concrete connections.

4.5.4 Transformation of ProbLog models to ProbLog programs

ProbLog requires a program written in text as its input; therefore, we apply a model-to-text transformation from our models to ProbLog code. Due to the low-level design of the ProbLog model, the model already bears structural similarities to ProbLog programs. Recall that the ProbLog model was designed with the intention to serve as an input for model-to-text transformations, which is reflected in the property that all components have local references to all other model elements required for the generation of their text representation.

We have implemented a single transformation script using EGL, which is able to transform arbitrary ProbLog models into a ProbLog program. This script is executed for both the PVA and PVAI model. The output from both transformations is merged into a single file. Finally, some auxiliary ProbLog code is appended to the resulting total program, resulting in a valid ProbLog program. Running this program will cause ProbLog to determine the success probability for all attack steps and the probability that all defences are functioning.

Chapter 5

Implementation

5.1 Introduction

In chapter 3, we have introduced the PVA, PVAI and ProbLog models. We intend to use the PVA and PVAI models as a pivot model between CySeMoL models and our ProbLog model, as shown in figure 3.1. The use of a pivot model requires the definition of a set of model-to-model transformations to and from that model. The overall design of these transformations has been laid out in chapter 4. In this chapter, we will focus on the implementation of the transformation steps for our approach to an alternative vulnerability analysis of CySeMoL models using ProbLog. For this implementation, we have constructed two software programs, which we describe next.

We have structured this chapter according to these two aforementioned programs, which are the following:

• The iEaat Parser, which transforms CySeMoL models into PVA and/or PVAI models.

• The analysis generator, which transforms a set of PVA and PVAI models into a ProbLog model, which is in turn transformed to a ProbLog program.

CySeMoL models are stored in EAAT instance iEaat files. These files contain the model containing the specification of the vulnerability analysis and the model representing a concrete network architecture. The iEaat parser is able to extract these models from iEaat files, and transform them into a PVA or a PVAI model respectively. We will examine its implementation design and mode of operation in section 5.3.

The analysis generator program orchestrates the execution of model transformation scripts, with the goal of transforming PVA and PVAI models into a ProbLog program. This process consists of two parts, the model-to-model transformation of PVA and PVAI models into a ProbLog model, and the model-to-text transformation of ProbLog models into ProbLog programs. The details of the analysis generator implementation will be discussed in section 5.4.