ATSyRA Building User Guide

See User Guide Overview Download and install section.

You are now ready to use ATSyRA. The interface is shown in Figure Interface. To create a new project, look for the menu and click File → New → ATSyRA Building Project. The window of Figure New project should show up.

Choose a name for your project, and click Next. Pick a sample example if you want to try out the tool before creating your own building, and click Finish. Your project is now created.

The user interface of ATSyRA is composed of several areas, as you can see in Figure Areas of the interface.

A Zone is a location inside of the building where:

For example, a zone can be a room of the building, a safe, a key panel, …​

Specifying a zone is very easy. Simply write the following inside of your building file:

<name_of_alarm_X> should be the names of existing and alarms (see the corresponding section for the definition of an alarm). Adding alarms is not mandatory, don’t put anything inside the brackets if you do not need them.

We will now see how to add elements like items or alarms inside a zone.

An Item is an element that the attacker might possess or that he can find during the attack, like keys or badges. They can then be used to unlock accesses. Items can also be objectives for the attacker, like documents to steal.

An item is written as follows:

Items can also be used to simulate skills. For example, an item named "Pick_simple_lock" could represent the possibility for the attacker to force a lock, and be a key to any door.

For now, items and skills cannot be used to deactivate alarms, but we might add this possibility in the future.

An Alarm is an element that, when enabled, watches over some zones or accesses. If the attacker enter a zone or go through an access that is under alarm, the alarm will be triggered, and thus the attacker will be detected. To avoid being detected, the attacker will have to disable it.

An alarm is written as follows:

The location of an alarm is the Zone in which the alarm can be deactivated. If you do not want to offer the possibility to deactivate an alarm, feel free to use a fake, inaccessible zone.

You can also use alarms to represent cameras, which work in the exact same way, and even to depict employees or security guard. Think about them as alarms: they monitor the room they are in, and if they see something strange, they will get triggered and react. You can then think of how they can be "deactivated": triggering a fire alarm, reaching the cleaning supplies to not look suspicious, …​ This way of representing employees is just temporary, we will work in the future on a better way to add them.

For now, an alarm can only be deactivated in one location, but we might add the possibility to use several locations in the future.

An Access is an element that allows the attacker to go from a Zone to an other Zone. The software allows to use several types of accesses, which are detailed below.

The Attacker is the person who will try to attack the building. You need to declare him, simply by giving him a name:

For now, only one attacker is allowed. We will work on adding the possibility to have a team of attackers in the future.

You can add comments inside the building file to help you when reading the file again later. Comments can be written as follows:

When the current file is a .building file, the outline area on the right side of the window gives a list of all the elements of the building, sorted by type: zones, alarms, accesses and items. A double click on one of the elements in the outline will bring you to its definition inside the .building file, which can be useful if you need to find an element in a large file.

ATSyRA provides a graphical view of the specified building. To have it to show, follow these few steps:

You can find below an example building file using all the existing features.

In order to write your goals, you will need to refer to the elements of your building. This section gives a list of all the variables that you can use to specify your goals.

In order to simplify the process of goal writing, you can specify default settings for your initial conditions. These default settings will be usable in several goals, so it allows you to only write one time things that are always the same, like alarms being enabled and not triggered yet, or doors being locked.

Default settings are written as follows:

Add the definition of default settings in the .atg file, inside of the AtsyraGoalModel brackets.

Writing a goal is nearly the same as writing default settings, except that there are some operators.

Goals are written as follows:

Add the definition of goals in the .atg file, inside of the AtsyraGoalModel brackets, under the default settings if you defined some.

When writing preconditions, you can either write all the conditions you need, or use a default setting. To do so, simply use pre with <name_of_default_setting>. This will use all the conditions already written in the default setting, plus the ones you add in the goal definition.

As for buildings, the outline area shows the elements of your goals, and allow you to find them easily by double clicking on it (see Figure Outline for goals).

Now that goals are defined, let’s check if they are reachable, that is to say, if there is a possibility for the attacker to go from the initial condition to the final one.

To do so, right click on your .atg file, and go to ATSyRA 4 Building → Check reachability of one goal. Select the name of the goal you want to analyze, and click OK.

The results should appear on the console (see Figure Results of reachability analysis). Depending on the size of your building, the reachability analysis can take some time, so you might have to wait a bit.

There are three possible output:

In order to avoid infinite computation, we had to put a time limit on all the functionnalities of ATSyRA. By default, all the tools timeout after 60 seconds. However, this time limit is not enough for big examples.

If your building is too big for the default timeout, go to Window → Preferences → ATSyRA → Computation, and change the maximum execution time.

Knowing that a goal is reachable is good, but knowing how is better. ATSyRA provides a tool that gives witnesses, that is to say, existing scenarios that satisfies a given goal.

To get these scenarios, right click on your .atg file, go to ATSyRA 4 Building → Compute Shortest Wintess Scenarios, select the goal for witch you want to compute scenarios, and click OK.

The results should appear on the console (see Figure Results of witness search). Depending on the size of your building, the analysis can take some time, so you might have to wait a bit.

There are four possible outputs:

If the search of witnesses succeeded, a .witness and a .witness.sd.uml file should have been created inside the results folder. Let’s open the .witness file to see what is inside.

The main thing to look for inside the .witness file is the steps part: it gives a list of transitions that allow to go from the initial condition to the final one.

For small scenarios, the .witness file is easily readable. But in the case of large buildings, the witnesses might be too complex to read. To get a better understanding of a scenario, double click on the .witness.sd.uml file, and switch to the PlantUML view. This will show the sequence diagrams of the witnesses, which are easier to read.

The sequence diagrams show the scenarios by aggregating the location of the attacker: each vertical line is a location, and the arrows are transitions that may or may not change the location of the attacker. With this representation, you can better understand what the attacker does in each location.

Before specifying the actual tree, you need to define the goals that will appear in the nodes, as explained previously. There is no need to define a lot of goals at the beginning, just start with the main attack goal that will correspond to the root of the tree, and the first layer of refinement.

Once the goals are written, you can define a tree as follows:

Add the definition of trees in the .atg file, inside the AtsyraGoalModel brackets, under the atsyragoals ones.

<name_of_tree> can be any name you want to give, <name_of_goal> must be the name of an existing goal, and <OP> is one of AND, SAND, OR.

<first_son>, <second_son>, etc. are other trees. You can either write everything inside of the main tree, or define them outside and call them. The second option might be better for large trees, since it will be easier to read this way.

Here is an example to better understand the nesting of the trees:

And here is the same example with the trees defined separately:

As for building and goals, the outline shows the elements of trees, and allow you to find them easily inside the atg file by double clicking on them. It also shows the nested structure of your trees (see Figure Outline for trees).

ATSyRA provides a graphical view of the specified trees. To have it to show, follow these few steps:

In order to verify that the tree is consistent, you can check so-called correctness properties, that compare the goal of a node with the goals of its children. In theory, these correctness properties check the following:

To check the correctness of your attack tree, right click on your .atg file, and go to ATSyRA 4 Building → Correctness → Check [xxx] property of tree. Select the tree you want to analyze, and click OK. The results will show up in the console. Note that the analysis might take some time, mostly for large buildings.

You can only check the Meet, Undermatch, and Overmatch properties with these steps. To check the Match property, simply check both the Undermatch and Overmatch ones. If both of them hold, then the Match property also holds.

There can be three possible output:

Now that you can check correctness properties, let’s seet what the results of the analysis means for your attack tree:

When the tool finds that a property does not hold, it will look for a counter example, meaning an attack scenario that is in contradiction with said property. The computation of counter examples can be difficult, so sometimes the tool will not succeed in finding one, but most of the time it will give one.

You can use this counter example to understand why the property does not hold, by comparing the given scenario with your goals and trying to see where the problem is.

The usefull item tool allows you to check which items are mandatory, and which ones the attacker can not pick during his attacks.

To use this tool, right click on your .atg file, and go to ATSyRA 4 Building → Compute the necessary items for one goal. Pick the goal you want to analyze, and click OK. The computation can take some time, mostly when there are a lot of items in your building specification.

If the computation succeeds, four lists of items will show up in the console:

The results of this tool can help design the attack tree: if you know that an item is never used, then it should not appear in your attack tree. On the contrary, if an item is mandatory, then you could have a node who’s goal is to pick this item.

The location graph tool computes a graph representing all the scenarios for one goal, in terms of locations, or zones. An example of location graph is given in Figure Location graph. In this example, the attacker starts in location 10, and then goes to location 8. There, he has two choices: either reach location 7 directly, or do a little detour before. He then continues until he reached location 9, which is the final one. The locations in the graph are given by their internal id, but don’t worry: we provide the conversion table between the numbers and your zone names.

To use this tool, right click on your .atg file and go to ATSyRA 4 Building → Compute the graph of locations for one goal. Select the goal you want to analyze, and click OK.

If the computation succeeds, an image file will appear in the results folder. Open it to see the location graph.

In order to read the location graph, you will need the conversion table from internal zone ids to zone names. You will find this table into the building-gen folder, under the name <project_name>_<goal_name>_reach.gal.trace. Open this file to know the ids of your zones.

Now, you can use the location graph to get informations about the possible attack scenarios. Here are a few things to look for.

Using this tool can give you some precious informations about the general behavior of the attacker, and these informations can help you design your attack tree.