📊 Model: (InformationFlow-Hospital-violation)
🔗 Link to Original Paper/Article
View Source | Open Example Model in Example Models Bundle
📝 Short Description
The case is about an employee of a hospital who loads and updates a patient list via a hospital app. The hospital app authorizes the employee and requests the patient list from a database. The employee reads and modifies the list, and the modified list is written back to the database.
🔤 Abbreviations
Hospital DS: Hospital DataStore
📖 Extensive Description
The Hospital App provides the means to modify a patient list. Receive Patient List combines the request and patient_list_encrypted flows and forwards a patient_list to the Employee. The Employee can Modify Patient List and writes the modified_list back to the Hospital DS. Because the patient list leaving the Hospital DS is encrypted, the Attacker cannot obtain sensitive data from it.
🏷️ Label Description
🗂️ Data Labels:
- Level: This label denotes the zones a data flow may access. There are two levels, High and Low.
- LevelBeforeEncryption: This label stores the security classification of a data flow before it is encrypted with the declassify node. It can be High or Low.
🏷️ Node Labels:
- Zone: There are two Zones, Trust and Attack. A node can be in either or none of these Zones.
⚠️ Constraint
SafetyConstraint
The fundamental requirement is that system parts or actors in the attack zone must not have access to data classified High:
SafetyConstraint: Level.High neverFlows vertex Zone.Attack
🚨 Violations
The error introduced in this variant is that the patient list is no longer encrypted when it is received: a new direct data flow, called patient_list, delivers the list to the receiving process without passing through the declassify (encryption) node, so its Level stays High. Because the Attacker has access to the receiving process, and therefore to every data item received there, High-classified data reaches Zone.Attack and the SafetyConstraint is violated.
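To make the label mechanics concrete, here is a constructed toy evaluation of the SafetyConstraint over both variants of the model. It is an added example written for this page, not the analysis tool's own implementation: node and flow names follow the page, but the wiring between them, the explicit `Encrypt` declassify node (and its `patient_list_plain` input), the `request` flow starting at Low and the placement of Receive Patient List in Zone.Attack are assumptions made for the example. Labels propagate along flows, a declassify node rewrites Level to Low while recording LevelBeforeEncryption, and the constraint fires for every flow that delivers High data to a vertex in Zone.Attack.

```python
"""Toy label propagation for the Hospital information-flow example.

Constructed illustration (not the analysis tool's own code) of how the
SafetyConstraint `Level.High neverFlows vertex Zone.Attack` is evaluated.
Node and flow names follow the page; the exact wiring, the explicit
Encrypt declassify node and the placement of Receive Patient List in
Zone.Attack are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HIGH, LOW = "High", "Low"


@dataclass(frozen=True)
class Node:
    name: str
    zone: Optional[str] = None     # "Trust", "Attack" or None
    declassify: bool = False       # encrypts: Level -> Low, keeps LevelBeforeEncryption


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    level: Optional[str] = None    # Level fixed at the origin (e.g. a data store)


def join(a, b):
    """Join two label dicts key by key; High dominates Low."""
    out = dict(a)
    for k, v in b.items():
        out[k] = HIGH if HIGH in (v, out.get(k)) else v
    return out


def propagate(nodes, flows):
    """Return {flow: labels}. A flow with an explicit level starts a new
    classification; any other flow carries the join of everything that
    arrives at its source node. A declassify source node rewrites Level to
    Low and records the old value as LevelBeforeEncryption."""
    incoming = defaultdict(list)
    for f in flows:
        incoming[f.dst].append(f)
    memo = {}

    def labels_of(flow, path=()):
        if flow in memo:
            return memo[flow]
        if flow.level is not None:
            labels = {"Level": flow.level}
        else:
            if flow in path:
                raise ValueError(f"unlabelled cycle through {flow.name}")
            labels = {}
            for f in incoming[flow.src]:
                labels = join(labels, labels_of(f, path + (flow,)))
            if nodes[flow.src].declassify and "Level" in labels:
                labels["LevelBeforeEncryption"] = labels["Level"]
                labels["Level"] = LOW
        memo[flow] = labels
        return labels

    return {f: labels_of(f) for f in flows}


def violations(nodes, flows):
    """SafetyConstraint: Level.High neverFlows vertex Zone.Attack.
    Returns (flow name, vertex name) for every flow that delivers High
    data to a vertex placed in Zone.Attack."""
    labels = propagate(nodes, flows)
    return [(f.name, f.dst) for f in flows
            if nodes[f.dst].zone == "Attack" and labels[f].get("Level") == HIGH]


def labels_at(nodes, flows, flow_name):
    """Labels carried by the first flow with the given name (inspection helper)."""
    labels = propagate(nodes, flows)
    return next(v for f, v in labels.items() if f.name == flow_name)


# Constructed model: names from the page, wiring and zones assumed.
NODES = {n.name: n for n in (
    Node("Employee", zone="Trust"),
    Node("Hospital DS", zone="Trust"),
    Node("Encrypt", zone="Trust", declassify=True),   # assumed encryption step
    Node("Receive Patient List", zone="Attack"),      # assumed: the Attacker reaches this process
)}

SAFE_FLOWS = [
    Flow("request", "Employee", "Receive Patient List", level=LOW),
    Flow("patient_list_plain", "Hospital DS", "Encrypt", level=HIGH),  # assumed name
    Flow("patient_list_encrypted", "Encrypt", "Receive Patient List"),
    Flow("patient_list", "Receive Patient List", "Employee"),
    Flow("modified_list", "Employee", "Hospital DS"),
]

# The violation variant adds the unencrypted direct flow the page describes.
VIOLATING_FLOWS = SAFE_FLOWS + [
    Flow("patient_list", "Hospital DS", "Receive Patient List", level=HIGH),
]


if __name__ == "__main__":
    print("safe model:", violations(NODES, SAFE_FLOWS))
    print("violating model:", violations(NODES, VIOLATING_FLOWS))
    print("patient_list_encrypted:", labels_at(NODES, SAFE_FLOWS, "patient_list_encrypted"))
```

In the safe variant the only data reaching Receive Patient List is the Low `request` and `patient_list_encrypted`, whose Level was rewritten to Low by the declassify node while LevelBeforeEncryption keeps the original High, so the constraint holds. Adding the direct `patient_list` flow delivers an unencrypted High item to the Attack-zone vertex and the check reports exactly that flow and vertex.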
