So I downloaded SWI-Prolog (http://www.swi-prolog.com) and installed it on both Linux and Windows systems. A few experiments and a couple of days of head-scratching later (most of it down to using a hyphen in a term in one place, and an underscore in another - doh!) I'm making some progress. Here's a simple example:
We define information assets as being managed by program/products which have vulnerabilities. An attacker can use an exploit against these vulnerabilities. Controls (patches, firewalls, IPS, etc.) remove or defend against the vulnerabilities and protect the programs. Now it becomes quite easy to state some facts and rules:
%% FactsLoading this into SWI-Prolog, one can now ask some questions, like:
%% A more sophisticated approach would build these from CVE
%% Example: X11.org X font server has three vulns
%% has_vulnerability(Program, Vuln)
%% Postulate some exploits for these vulns
%% Some controls, safeguards, (patches?)
%% removes_vulnerability(Control, Vuln)
%% Programs are protected by controls or patches
%% protects(Control, Program)
%% Assets are managed by programs
%% manages(Program, Asset)
%% Some rules
%% An asset A is vulnerable to an exploit E if
%% the asset is managed by a product X which has vulnerability Y
%% and exploit E exploits vulnerability Y
%% and the program is protected by control C which remove vulnerability Y
22 ?- [approach4].This indicates that the fonts (a slightly silly asset, but I just happened to pick three vulnerabilities in xfs) are vulnerable to attack-tool-2 and attack-tool-3. Attack-tool-1 cannot exploit cve-2007-2103 because there's a (hypothetical) patch for it.
% approach4 compiled 0.00 sec, 0 bytes
23 ?- vulnerable(fonts,X).
X = attack-tool-2 ;
X = attack-tool-3 ;
This approach needs to be extended quite a lot to be useful. The two obvious first extensions are a) an automatic loading of program/product vulnerabilities and exploits, perhaps from CVE and b) a model of the system under examination, perhaps as a graph relating assets, program/products and the controls which defend them. It would then be possible to have the system identify which controls are redundant or which patches need to be applied.
Another extension relates to the fact that some controls are themselves programs/products which may have their own vulnerabilities. An attack could therefore consist of a sequence of exploits which defeat or disable multiple levels of controls.
I guess now it's time to hit the books and coax SWI-Prolog into reading CVE from the XML, as well as representing the system as a graph.