Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improved support for client/non-listening processes #153

Open
nozmore opened this issue Apr 6, 2021 · 5 comments
Open

Improved support for client/non-listening processes #153

nozmore opened this issue Apr 6, 2021 · 5 comments

Comments

@nozmore
Copy link
Collaborator

nozmore commented Apr 6, 2021
edited
Loading

I would like to have better support for client/non-listening processes. Today Process contain annotations (also inherited from Asset) which applies to Listening/Server Processes or Actor could be used but you miss out on applicable annotations. There are a few ways to address this so thought we could chat about it.

The primary goal is to include the concept of a listening vs non-listening Process in threat evaluation.
A secondary goal is to restrict to applicable annotations during model creation and reporting.

Possible options:

  1. Add a type on Process to indicate if it creates a listening socket. With Threat Evaluation Improvements: Simplify conditions and first step toward detecting mitigations #152 it could be a target condition.
  2. Change nothing and use existing annotations, inbound dataflow with port assigned, etc.
  3. Introduce a new class for ClientProcess with specific annotations. This way using an IDE only applicable annotations will be exposed. This would involve wider changes impacting the entire inheritance model so we should discuss this more. i.e moving some annotations out of Asset and creating a "ListeningAsset" (name tbd).. port, protocol, definesConnectionTimeout, etc.

1 and 2 can address the Primary goal but don't directly address the secondary goal, they could be included in reporting with 2 having to replicate existing logic. 3 would address both cases and IMO the threat eval and reporting would be cleaner.

I have a local branch I was starting to do this but before I get too far along I wanted to get some thoughts.
@nineinchnick
Copy link
Collaborator

A process is a server when it has incoming dataflows. What annotations currently suggest that it's always listening?

@nozmore
Copy link
Collaborator Author

nozmore commented Apr 6, 2021
edited
Loading

Maybe but not currently. Command line arguments or shell/ui interface could be an incoming Dataflow, this does not make it a Server.

I actually thought of this as a 3rd option but got busy and forgot to add it but you could detect this in policy or in the apply_defaults area and set a bit to indicate such. This would address the Primary goal but not the secondary, well technically it could be exposed in reporting but doesn't aid in model creation.

@nineinchnick
Copy link
Collaborator

Still, this is defined by the dataflow, if it has a port/protocol defined or not.

@izar
Copy link
Collaborator

izar commented Apr 6, 2021

That's a good point. At higher levels (Ln) of dfd's we could see a Process "listening" to incoming data via CLI, GUI, IPC, pipes, etc. and that would be reflected in there being dataflows, but not in being a Server per se.

I think this is a semantic thing, not a technical more/less-attributes one.

@nozmore
Copy link
Collaborator Author

nozmore commented Apr 6, 2021

I updated the option list above with with the one I left out and @nineinchnick referenced.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@izar @nineinchnick @nozmore