Merge pull request #78 from softScheck/feature-ipc

add protocol interprocess communication
Threagile · Jun 10, 2024 · fe67530 · fe67530
2 parents c82bf84 + 2692157
commit fe67530
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 3 deletions.
diff --git a/pkg/risks/builtin/unencrypted_communication_rule.go b/pkg/risks/builtin/unencrypted_communication_rule.go
@@ -26,7 +26,7 @@ func (*UnencryptedCommunicationRule) Category() *types.RiskCategory {
 		Check:      "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?",
 		Function:   types.Operations,
 		STRIDE:     types.InformationDisclosure,
-		DetectionLogic: "Unencrypted technical communication links of in-scope technical assets (excluding " + types.Monitoring + " traffic as well as " + types.LocalFileAccess.String() + " and " + types.InProcessLibraryCall.String() + ") " +
+		DetectionLogic: "Unencrypted technical communication links of in-scope technical assets (excluding " + types.Monitoring + " traffic as well as " + types.LocalFileAccess.String() + ", " + types.InProcessLibraryCall.String() + " and " + types.InterProcessCommunication.String() + ") " +
 			"transferring sensitive data.", // TODO more detailed text required here
 		RiskAssessment: "Depending on the confidentiality rating of the transferred data-assets either medium or high risk.",
 		FalsePositives: "When all sensitive data sent over the communication link is already fully encrypted on document or data level. " +

diff --git a/pkg/risks/builtin/unencrypted_communication_rule_test.go b/pkg/risks/builtin/unencrypted_communication_rule_test.go
@@ -456,6 +456,13 @@ func TestUnencryptedCommunicationRuleGenerateRisks(t *testing.T) {
 
 			riskCreated: false,
 		},
+		"InterProcessCommunication": {
+			sourceOutOfScope: false,
+			targetOutOfScope: false,
+			protocol:         types.InterProcessCommunication,
+
+			riskCreated: false,
+		},
 		"LocalFileAccess": {
 			sourceOutOfScope: false,
 			targetOutOfScope: false,

diff --git a/pkg/risks/builtin/wrong_communication_link_content_rule.go b/pkg/risks/builtin/wrong_communication_link_content_rule.go
@@ -55,6 +55,10 @@ func (r *WrongCommunicationLinkContentRule) GenerateRisks(input *types.Model) ([
 			}
 			// check for protocol inconsistencies
 			targetAsset := input.TechnicalAssets[commLink.TargetId]
+			if commLink.Protocol == types.InterProcessCommunication && targetAsset.Type != types.Process {
+				risks = append(risks, r.createRisk(techAsset, commLink,
+					"(protocol type \""+types.InterProcessCommunication.String()+"\" does not match target technology type \""+targetAsset.Technologies.String()+"\": expected \""+types.Process.String()+"\")"))
+			}
 			if commLink.Protocol == types.InProcessLibraryCall && !targetAsset.Technologies.GetAttribute(types.Library) {
 				risks = append(risks, r.createRisk(techAsset, commLink,
 					"(protocol type \""+types.InProcessLibraryCall.String()+"\" does not match target technology type \""+targetAsset.Technologies.String()+"\": expected \""+types.Library+"\")"))

diff --git a/pkg/risks/builtin/wrong_communication_link_content_rule_test.go b/pkg/risks/builtin/wrong_communication_link_content_rule_test.go
@@ -117,6 +117,25 @@ func TestWrongCommunicationLinkContentRuleSendDataAssetRisksCreated(t *testing.T
 
 			riskCreated: false,
 		},
+		"protocol type InterProcessCommunication does not match target technology type Process": {
+			receiveAnyData: false,
+			sendAnyData:    false,
+			readonly:       false,
+			protocol:       types.InterProcessCommunication,
+			isLibrary:      false,
+
+			riskCreated:    true,
+			expectedReason: "(protocol type \"InterProcessCommunication\" does not match target technology type \"\": expected \"process\")",
+		},
+		"protocol type InterProcessCommunication match target technology type Process": {
+			receiveAnyData: false,
+			sendAnyData:    false,
+			readonly:       false,
+			protocol:       types.InterProcessCommunication,
+			isLibrary:      true,
+
+			riskCreated: false,
+		},
 		"protocol type LocalFileAccess does not match target technology type LocalFileSystem": {
 			receiveAnyData:    false,
 			sendAnyData:       false,

diff --git a/pkg/types/protocol.go b/pkg/types/protocol.go
@@ -61,6 +61,7 @@ const (
 	JRMP
 	JrmpEncrypted
 	InProcessLibraryCall
+	InterProcessCommunication
 	ContainerSpawning
 )
 
@@ -112,6 +113,7 @@ func ProtocolValues() []TypeEnum {
 		JRMP,
 		JrmpEncrypted,
 		InProcessLibraryCall,
+		InterProcessCommunication,
 		ContainerSpawning,
 	}
 }
@@ -163,6 +165,7 @@ var ProtocolTypeDescription = [...]TypeDescription{
 	{"jrmp", "Java Remote Method Protocol"},
 	{"jrmp-encrypted", "Java Remote Method Protocol, encrypted"},
 	{"in-process-library-call", "Call to local library"},
+	{"inter-process-communication", "Communication between processes via system sockets or systems like dbus"},
 	{"container-spawning", "Spawn a container"},
 }
 
@@ -186,7 +189,7 @@ func (what Protocol) Explain() string {
 }
 
 func (what Protocol) IsProcessLocal() bool {
-	return what == InProcessLibraryCall || what == LocalFileAccess || what == ContainerSpawning
+	return what == InProcessLibraryCall || what == InterProcessCommunication || what == LocalFileAccess || what == ContainerSpawning
 }
 
 func (what Protocol) IsEncrypted() bool {

diff --git a/pkg/types/protocol_test.go b/pkg/types/protocol_test.go
@@ -203,6 +203,10 @@ func TestParseProtocol(t *testing.T) {
 			input:    "in-process-library-call",
 			expected: InProcessLibraryCall,
 		},
+		"inter-process-communication": {
+			input:    "inter-process-communication",
+			expected: InterProcessCommunication,
+		},
 		"container-spawning": {
 			input:    "container-spawning",
 			expected: ContainerSpawning,

diff --git a/support/schema.json b/support/schema.json
@@ -650,6 +650,7 @@
                     "jrmp",
                     "jrmp-encrypted",
                     "in-process-library-call",
+                    "inter-process-communication",
                     "container-spawning"
                   ]
                 },

diff --git a/test/all.json b/test/all.json
@@ -1608,7 +1608,7 @@
       "action": "Encryption of Communication Links",
       "mitigation": "Apply transport layer encryption to the communication link.",
       "check": "Are recommendations from the linked cheat sheet and referenced ASVS chapter applied?",
-      "detection_logic": "Unencrypted technical communication links of in-scope technical assets (excluding monitoring traffic as well as local-file-access and in-process-library-call) transferring sensitive data.",
+      "detection_logic": "Unencrypted technical communication links of in-scope technical assets (excluding monitoring traffic as well as local-file-access, in-process-library-call and inter-process-communication) transferring sensitive data.",
       "risk_assessment": "Depending on the confidentiality rating of the transferred data-assets either medium or high risk.",
       "false_positives": "When all sensitive data sent over the communication link is already fully encrypted on document or data level. Also intra-container/pod communication can be considered false positive when container orchestration platform handles encryption.",
       "function": "operations",