First official release of coreLang.

Includes fixes made when preparing release candidates.

This is meant to be the last pre-release version of coreLang, unless something unpredictable occurs.

All of the changes introduced by this version have come about as a result of the code review.

Warning: Since the code refactoring work resulted in renaming and removing a lot of attack steps this release will likely break most of the old models.

Here is an overview of the updates in this release:

• a lot of refactoring, the details of which can be found in #91.
• merge the three vulnerabilities files into a single one.
• removed NetworkClientAccess association between Applications and Networks because it felt out of place. If the modeller wants that level of detail they should use ConnectionRules even if they are not essential to the scenario.
• rework how read, write, and delete on Applications impact Data they are hosting, sending, or receiving to be uniform and clearer. Read also had a small bug that was fixed.
• remove access attack step on Data, it is too vague, access should describe the type of access, such as: read, delete, write.
• have specificAccess on an Application require write privileges on receivedData to be able to perform a respond connect attack.
• remove Origin association between Data and SoftwareProduct since there was some redundancy due to the fact that SoftwareProduct extends Information. See #98 for more details.
• introduce inherentUserInteraction for SoftwareVulnerabilities that require user interaction in case the user may trigger the interaction without additional attacker actions(i.e. social engineering). See #99 for more details.

This new version of coreLang comes with the following changes:

• Refactor the codebase into five separate files, one for each category of assets
• Rework Data Access, Read, Write, and Delete attack steps to follow the same pattern as the rest of the language and only propagate via themselves and one level at time when Data contain other Data.
• Introduce Dependence association between Data and Applications to represent circumstances where modifying a particular set of Data can give the attacker control over the Application(FullAccess) and denying them would prevent the Application from performing its tasks(Deny).
• Have Users spread malware to other Hardware systems that they have access to in order to depict worm malware replication. This change also introduced the NoRemovableMediaUsage defence on the User which is enabled by default to not confuse the modeller if they are are not interested in these aspects.
• Split network connectivity into two separate components Inspected and Uninspected traffic. The inspection is payload inspection specifically.
  • Uninspected communications do not impose any limitations on the attacker's activities.
  • Inspected communications carry some limitations. Such as, preventing the attacker from exploiting SoftwareVulnerabilities, and limiting ReverseReach(which in turn is needed to maximise the impact of UnsafeUserActivity and prevent Extract on Data).
• Have Data encryption via Credentials bypass PayloadInspection on ConnectionRules that we know can be used to transfer the Data.
• Minor fixes, improvements, date updates, and typo corrections.

This new version of coreLang comes with the following changes:

• Introduce more bypasses of defences:
  • Add bypasses for the SupplyChainAudit and HardwareModificationsProtection defences on the Hardware asset.
  • Add bypasses for the Effectiveness defence on the IDPS asset.
  • Add bypasses for the SupplyChainAudit defence on the Application asset.
  • Add bypasses for the SecurityAwareness defence on the User asset.
  • Add bypasses for the Restricted and PayloadInspection defences on the ConnectionRule asset.
  • Rework some of the existing bypass attack steps on the Network asset.
• Rework IAMObject abstract asset to extend the Information asset.
  • Add attack steps to represent the impacts of an attacker manipulating the access control privileges defined by the IAMObject assets.
  • This was implemented as part of the conversation regarding how the IAMObject subassets(Identity, Group, and Privileges) can be used to represent directory/domain policy entries in the a directory/domain policy service.
  • Move the Subprivileges association to the IAMObject from the Group and Identity assets, this way the behaviour is homogeneous and Privileges can form hierarchies too.
• Rework Deny and Write on Credentials.
  • Have Write on Credentials lead to Assume as the logic is that the credentials are overwritten for the authentication mechanism, and not simply a file containing credentials.
  • Have Deny on Credentials lead to Lockout on the associated Identity if all of the Credentials assets that are associated have been denied.
• Lockout a Group if all of its member Identities have suffered a Lockout.
• Assume by default that Credentials are weak if the Identity asset is not connected or User asset is not connected to the Identity associated with the Credentials.
• Rename some of the social engineering attack steps on the Application asset for more clarity.
• Bypass IDPS on Deny as well, not only on FullAccess.
• Minor fixes, improvements and typo corrections.

Same as version 0.5.0, but the System.svg file was renamed to Hardware.svg. Required by the SOCCRATES project.

This new version of coreLang comes with the following changes:

• Rework and expand IAM assets:
  • Introduce IAMOBject abstract asset that coalesces the common behaviour of IAM assets(Identity, Group, and Privileges).
  • Introduce account management association that allows IAMObjects manage other IAMObjects. An attacker can leverage this by gaining access to the managed roles if they are able to compromise any of the managers.
• Rework how data replication functions:
  • Individual disruptions to distinct replicas are registered normally on Data assets, the replication itself is now represented on the Information asset impact steps(deny, delete, write).
  • Update SoftwareProduct to extend Information so that it can also make use of the replica association with Data.
• Rework how hardware and physical zones are represented in coreLang:
  • Rework the System asset into the Hardware asset that is simpler and only represents, as the name suggests, the hardware components on which Applications are run.
  • Introduce HardwareVulnerability asset that functions analogously to the SoftwareVulnerability, but is slightly simpler.
  • PhysicalZones can now include both Network and Hardware assets and they can overlap. Users can be associated with Hardware and PhysicalZones that they have physical access to.
• Reindent and refactor some of the existing code:
  • Introduce attempt-successful-impact design pattern for the relevant impact attack steps(read, modify, deny, reverseReach, useVulnerability, and applicationRespondConnectThroughData) on the Application asset.
  • Remove eavesdrop and manInTheMiddle attack steps on Data and have the Network trigger the appropriate impact attack steps instead.
• Remove UnknownSoftwareVulnerability asset.
• Minor fixes and typo corrections.

This new version of coreLang comes with the following major changes:

• Rework how unsafe user actions are implemented:
  • Introduce logic to represent autonomous(where the attacker cannot reach or be reached, but has deployed through other means) malicious code.
  • Simplify privileges logic(remove high/low distinction when it comes to unsafe user actions). Privileges are presented via the Identity asset that is now automatically compromised when a social engineering attack occurs.
  • Remove unforced unsafe user activity. This was deemed extraneous and was leading to orphan attack graphs that couldn't properly be represented in the visualisation tools.
• Remove many attack steps(eavesdrop, manInTheMiddle, transmit, and transmitResponse) from the ConnectionRule asset. The idea is to utilise connection rules more like virtual assets that specify connectivity rather than elements that themselves transmit the data.
• Introduce SendData and ReceiveData associations between Data and Application assets to more easily represent directionality in data flows.
• Introduce IDPS(Intrusion Detection and Prevention System) asset that can be associated with an Application to protect it from malicious actions.
• Introduce credentials hashing association between Credentials assets.
• Remove authenticated defence on the Data asset and replace it with a signing association that is analogous to the Credentials - Data encryption relationship. This allows the attacker to also break authentication if they are able to attain the Credentials used for signing.
• Changed deny on Application to occur when all of the networking assets(ConnectionRules and Networks) associated with it have been denied. This was done to match the current info strings and git commit messages, it is not seen as a solved issue, see #66.
• Remove reverse takeover attack steps as they are now covered by unsafe user actions instead.
• Writing Credentials leads to them becoming compromised, the idea being that the attacker overrides them for the authentication mechanism.
• Minor documentation and comments updates.

As per usual, due to the the nature of the changes it is assumed that most previous models would no longer be compatible with this version.

This new version of coreLang brings some breaking changes related to how the Credentials are modelled.

• Introduce security awareness defence on the User asset to represent the
  possibility that the user performs unsafe actions.
• Introduce malicious removable media attack on the User that propagates via
  System assets.
• Introduce ConditionalAuthentication association between Credentials assets
  that can be used to represent multi-factor authentication.
• Introduce Replica association between Data and Information assets to
  represent information that is replicated across multiple data assets. Can be
  used to implement data backups.
• Fix data in transit to be written and deleted only if accessible via an
  outgoing/bidirectional connection.
• Fix Filtered defence on the ConnectionRule asset. Rename Disabled and
  Filtered defences on the ConnectionRule asset to Restricted and
  PayloadInspection, respectively.
• Fix software supply chain attacks and introduce hardware supply chain
  attacks on System.
• Minor documentation improvements and typo fixes.
• Various other smaller fixes.

This new version of coreLang bring some breaking changes related to how the Vulnerabilities and Exploit are modeled.

• An abstract Vulnerability asset exists.
• The two previously used assets (i.e. Vulnerability and Exploit) are now merged in one "SoftwareVulnerability" asset.
• The "UnknownSoftwareVulnerability" asset should be used to model unknown vulnerabilities (such as zero-days) associated with software.
• The new Vulnerability system is aligned with CVSS v3.1.
• The CVSS properties of a vulnerability to model, are now configurable as defenses on that new asset.
• The separation of Manual and Automatic Vulnerabilities is no longer needed.

P.S. A big thank you to @andrewbwm for those changes!

Many improvements and enhancements, including but not limited to:

• Introduction of uni-directional connectionRules for the Application assets, using two new associations.
• A new "ClientAccess" association for Applications and Networks.
• Two new defenses were added: Credentials.notDisclosed (describes the situation where a password is leaked out in the wild) and User.noPasswordReuse (describes the situation where the user is reusing passwords among identities).
• Added some defenses on multiple assets: Identity.disable, Application.disable, ConnectionRule.filtered. Added also a new asset, called Privileges, that groups privileges between Identities.
• A lot of bugfixes!
• Code rework in a lot of parts and updated documentation.

Note: The .jar file attached on this release is ready to be used in securiCAD.

This is the last release before the next "breaking changes" version that will be released soon.