Meta Attack Language (MAL)
As a means to develop our business we like to think about and prototype new ideas on how to improve and extend threat modeling, attack simulations and securiCAD. This happens down in the foreseeti mine where our engineers are most happy. We have different shafts with different topics open. This blog series summarizes some of that work.
Our meta meta model. Yes, that is a lot of meta… Here in the mine, the meta stuff is very important, in this case essential, actually: MAL is the fundamental platform on which we build all attack simulation logic. MAL originates from research (by some of our founders) at KTH Royal Institute of Technology and is, you could say, our security analysis programming language.
In MAL we write domain-specific languages (DSLs) that specify how attack graphs are to be generated from system architecture models. It is those attack graphs we use for attack path simulations and time to compromise calculations. Currently, we offer DSLs out-of-the-box for AWS cloud ecosystems and on-prem ICT environments. We have an Azure DSL and a new improved version of an on-prem DSL. Further, we and our partners have DSLs for areas such as utilities/OT, connected cars, fighter jets, etc. More out-of-the-box DSLs are in progress, and you can also construct DSLs yourself.
So how does MAL work? The fundamentals are (quite) easy. We define what kinds of system assets are part of the domain, their relations, and what kinds of attack steps the assets are exposed to. MAL then allows us to define the attack step dependencies in terms of assets and asset relations. So, for instance, if an Application has an attack step Compromised and that step is achieved, the attacker can Access all Credentials that are Stored by that particular Application. Those Credentials may in turn be the Authentication to other Applications, which the attacker can now Compromise if she can also Access the Application. And as you have guessed, we can also model defense mechanisms in the DSL, and we can assign probability distributions of time to compromise to the attack steps. Maybe the Credential was Encrypted and we assume it takes the attacker Gamma(25,1) days to Crack it before it can be Compromised. Of course, in a complex world, the DSL may become quite complicated too. But if the world were easy to comprehend in the first place, a DSL would be of moderate use.
Even better, MAL is open source, and we offer securiCAD Lab, in which you can load your own MAL DSL so you can tailor your security analyses exactly the way you want them. You can find everything MAL on GitHub.
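As an added illustration (Python, not MAL itself and not foreseeti's or securiCAD's code), the example below expands a small constructed model into the attack steps described above and samples the time to compromise, with Crack taking Gamma(25,1) days when the Credential is Encrypted. The instance names appA, appB and cred1, the relation tables, and the OR/AND evaluation over an acyclic graph are assumptions made for the example.

```python
import random
from statistics import mean

# Constructed sample model (not from the page): asset instances and relations.
STORES = {"appA": ["cred1"]}         # Application -> Credentials it stores
AUTHENTICATES = {"cred1": ["appB"]}  # Credentials -> Applications they unlock
REACHABLE = {"appA": ["appB"]}       # Application -> Applications it can Access
CRACK = (25, 1)                      # Gamma(25,1) days, the figure used in the text

def build_graph(entry, encrypted):
    """Expand the model into attack steps: name -> [kind, parents, gamma delay]."""
    g = {f"{entry}.compromised": ["OR", [], None]}
    def add(step, kind, parent, delay=None):
        g.setdefault(step, [kind, [], delay])[1].append(parent)
    for app, creds in STORES.items():
        for c in creds:
            add(f"{c}.access", "OR", f"{app}.compromised")
            # Defense: an encrypted credential must be cracked before use.
            add(f"{c}.compromised", "OR", f"{c}.access",
                CRACK if c in encrypted else None)
    for src, dsts in REACHABLE.items():
        for dst in dsts:
            add(f"{dst}.access", "OR", f"{src}.compromised")
    for c, apps in AUTHENTICATES.items():
        for app in apps:
            add(f"{app}.authenticate", "OR", f"{c}.compromised")
            # Compromise needs BOTH access and authentication (AND step).
            add(f"{app}.compromised", "AND", f"{app}.access")
            add(f"{app}.compromised", "AND", f"{app}.authenticate")
    return g

def ttc(g, step, rng, memo):
    """Time to reach a step in one sampled run; assumes the graph is acyclic."""
    if step not in memo:
        kind, parents, delay = g[step]
        times = [ttc(g, p, rng, memo) for p in parents]
        start = 0.0 if not times else max(times) if kind == "AND" else min(times)
        memo[step] = start + (rng.gammavariate(*delay) if delay else 0.0)
    return memo[step]

def simulate(g, target, runs=2000, seed=1):
    """Sample the time to compromise of `target` over independent runs."""
    rng = random.Random(seed)
    return [ttc(g, target, rng, {}) for _ in range(runs)]

if __name__ == "__main__":
    for enc in (set(), {"cred1"}):
        days = simulate(build_graph("appA", enc), "appB.compromised")
        print(f"encrypted={sorted(enc)} mean TTC = {mean(days):.1f} days")
```

Comparing the two runs shows what the defense buys: with the credential unencrypted the second Application falls immediately, while with encryption the sampled time to compromise centres on the mean of the Gamma(25,1) distribution.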
As with all fundamental cornerstones, we plan for MAL to be the fundamental open platform, so that we are allowed the pleasure of scratching our heads about how to build the best features in securiCAD on top of it. If you have ideas on how – holler down the mine!