02 threat modeling
TRANSCRIPT
-
8/8/2019 02 Threat Modeling
1/85
Copyright Microsoft Corp. 2004
Threat Modeling
Dan Sellers, .Net Developer Specialist
Microsoft Canada
-
What is Threat Modeling?
A process to understand and document security threats to a system that:
Is methodical and complete.
Will describe the system's threat profile.
Allows the security of the system to be characterized.
May find vulnerabilities.
-
Key Concepts
A Threat Model describes a system's threat profile.
A threat is not a vulnerability.
The point of a threat model is more than just finding vulnerabilities.
A system is anything that exposes functionality to an end user, and can describe anything from a single feature to a web application and its supporting infrastructure.
-
Threat Modeling Process (process diagram, repeated on the following slides to mark the current step)
Collect Background Information: Use Scenarios, Implementation Assumptions, External Dependencies, External Security Notes, Internal Security Notes
Model the System: Entry Points, Assets, Trust Levels, Data Flow Diagrams / Process Models
Determine Threats: Identify Threats, Analyze Threats / Determine Vulnerabilities
-
Collect Background Information
Background information bounds the threat modeling discussion.
It gathers information about dependencies that are security-critical.
It provides necessary information for people to understand the threat model.
-
Identify Use Scenarios
A use scenario explains how the system is intended or not intended to be used in deployment.
Use scenarios help bound the threat modeling by describing the situations that were considered during the security design of the system.
They can also explain situations where, if the system is deployed in an unsupported configuration, the security can be compromised.
Use scenarios can be used as mitigation for threats to the system.
-
Tool: Use Scenarios Table
Use Scenarios
ID | Description
1 | The Fabrikam Phone 1.0 will be connected to the public switched telephone network. The security of this network is beyond the control of the Phone 1.0.
2 | If the Phone 1.0 is installed in a location where untrusted users can access it, it should have local access control enabled.
-
Use Scenarios: Relevance
Who uses the information? Use scenarios are used by the threat modeling team to limit the scope of the analysis. Managers and development leads must sign off on the individual use scenarios for the Threat Model to be valid. Later, the security test team can use these scenarios when conducting a penetration test, either to verify their validity or prove that they are not consistent with actual deployment.
How is the information collected? The information is best provided by the designer of the system being modeled. If the system is a component that other teams are using, those teams may have input as to how the component is being used.
How is it used in the rest of the Threat Model? Use scenarios can limit the discussion by describing scenarios that will not be considered (in other words, that are outside of the safe use of the system). During threat analysis, use scenarios can be used as the mitigation for conditions (for example, a condition may only be true if the system is used in an unsupported or unsafe scenario). Use scenarios may also help identify additional assets. For example, if a system is expected to run at a certain elevated privilege level, execution rights at that privilege level are an asset.
-
Identify External Dependencies
External dependencies are requirements levied on systems outside of the system being modeled.
They are dependencies on a certain behavior or specification compliance in an external system that, if broken, could cause threats in the system being modeled to manifest vulnerabilities.
Often, these dependencies describe functions such as algorithm consistency across systems. For example, if two systems both normalize a string of text and take action based on the result, it is typically important that the normalized representation is the same across both systems.
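The normalization example above can be turned into a concrete check. The following is an added illustration, not code from the slides: it assumes two cooperating systems that each normalize a filename before consulting a denylist, system A with Unicode NFC and system B with NFKC (both assumptions), and it reports the inputs on which the two systems disagree. The denylist entry and the sample names are constructed for the illustration.

```python
import unicodedata

# Constructed example (not from the slides): two cooperating systems that
# each normalize a filename before deciding whether it is on a denylist.
# System A is assumed to use NFC, system B NFKC; the denylist entry and
# the sample names are invented for this illustration.

DENYLIST = {"secret.txt"}

# Sample inputs: the second and third contain a compatibility character
# (the "fi" ligature U+FB01 and the long s U+017F) that only NFKC folds.
SAMPLES = ["cafe\u0301", "\ufb01le.txt", "\u017fecret.txt", "readme.txt"]


def normalize_system_a(name: str) -> str:
    """System A: canonical composition (NFC), then lowercase."""
    return unicodedata.normalize("NFC", name).lower()


def normalize_system_b(name: str) -> str:
    """System B: compatibility composition (NFKC), then lowercase."""
    return unicodedata.normalize("NFKC", name).lower()


def find_normalization_mismatches(samples):
    """Return (input, result_a, result_b) for every sample the two systems
    normalize differently. An empty list means the external dependency
    'both systems produce the same normalized representation' holds for
    this sample set."""
    mismatches = []
    for name in samples:
        a, b = normalize_system_a(name), normalize_system_b(name)
        if a != b:
            mismatches.append((name, a, b))
    return mismatches


def is_blocked_by(normalizer, name: str) -> bool:
    """Denylist decision as one system would make it with its own normalizer."""
    blocked = {normalizer(entry) for entry in DENYLIST}
    return normalizer(name) in blocked


def divergent_decisions(samples):
    """Inputs on which the two systems reach opposite denylist decisions:
    exactly the case where a broken dependency becomes a vulnerability."""
    return [
        name for name in samples
        if is_blocked_by(normalize_system_a, name) != is_blocked_by(normalize_system_b, name)
    ]


if __name__ == "__main__":
    for name, a, b in find_normalization_mismatches(SAMPLES):
        print(f"mismatch: {name!r}: A={a!r} B={b!r}")
    print("divergent decisions:", divergent_decisions(SAMPLES))
```

Running the module lists two representation mismatches but only one decision divergence: the long-s variant of the denylisted name is blocked by system B and passed by system A. Recording "both systems use the same normalization form" as an external dependency, and checking it with a sample set like this one, is what closes that gap.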
-
Tool: External Dependencies Table
External Dependencies
ID | Description
1 | The Fabrikam Phone 1.0 depends on the PSTN for providing power. There is a 2-day power cell in the Phone 1.0 that provides backup power should the power provided by the PSTN go down.
-
External Dependencies: Relevance
Who uses the information? External dependencies are primarily used by the threat modeling team to validate assumptions between systems being modeled. The act of identifying, documenting, and investigating external dependencies can ensure that disparate systems and groups do not result in inconsistencies leading to vulnerabilities.
How is the information collected? The designers and implementers of the system should be able to identify external systems that it depends on. Further, they can characterize the functionality of the external system that is used, thus providing a list of dependencies.
How is it used in the rest of the Threat Model? External dependencies result in action items that must be resolved with the target system's team before a Threat Model can be considered valid. They validate cross-system assumptions that, if incorrect, might otherwise result in vulnerabilities.
-
Identify Implementation Assumptions
It is good to start the Threat Modeling process before a system is implemented.
Implementation Assumptions are used when some or all of the system is in the design phase, and dictate specifics about how features must be implemented for the system to remain secure.
Implementation Assumptions should be validated on completion of the implementation, in addition to revising the Threat Model as a whole to reflect the implementation.
-
Tool: Implementation Assumptions Table
Implementation Assumptions
ID | Description
1 | The voice-command dialing option has yet to be implemented. When this is added, it should not introduce a way to bypass current security features, such as long-distance call lockout.
2 | If encrypted communication is added, key exchange should be done according to industry-accepted standards.
-
Implementation Assumptions: Relevance
Who uses the information? The information is used by the implementer of the relevant feature in the system. It is essentially a coding guideline that the implementer must adhere to. Post-implementation, the Threat Model team should validate that the implementation assumption holds true. Implementation assumptions can also be validated in code reviews and during penetration testing.
How is the information collected? When threats are being identified, they often include threats that are common globally or to the team responsible for the system. If the threat is best mitigated in implementation and not design, the team usually has a common method of mitigating that threat in code. Implementation assumptions are then simply notes for the coder that include this information.
How is it used in the rest of the Threat Model? Implementation assumptions are invalidation points for the Threat Model if they do not remain true after the functionality is implemented. In addition, they are used as discussion points during the revising of a Threat Model if it is started during the design phase.
-
Identify External Security Notes
External Security Notes are the counterpart to external dependencies.
They provide security-relevant information to users that interface with the system being modeled.
This information can be in the form of warnings against potential misuse that, while not constituting a vulnerability in the system being modeled, may surface a vulnerability in another system if it is not used correctly.
Or, the information can be in the form of guarantees that the system makes for users.
As an example, it may contain the specification for how filenames are normalized internal to the system.
-
Tool: External Security Notes Table
External Security Notes
ID | Description
1 | The Phone 1.0 has a remote administration interface that has a default numeric password. While the interface is disabled by default, the end user should ensure that the password is changed if the feature is enabled.
2 | If the end user wants to protect the speed dial list and whether the remote administration is enabled, he should enable local access control.
-
External Security Notes: Relevance
Who uses the information? The information is primarily consumed by users whose systems in turn depend upon this system. Those users can validate dependencies based on this information, or request explanation of functionality to be added.
How is the information collected? During the threat model process, potential misuses of externally-supplied functionality are often identified. This information should be proactively included in the Threat Model. In addition, external dependencies on this system can force investigations that result in information in this table.
How is it used in the rest of the Threat Model? External security notes are used as validation of external dependencies. In addition, they can sometimes be used as mitigation for threats. In this case, the threat is mitigated through end-user education rather than design or implementation changes.
-
Identify Internal Security Notes
Internal security notes are information that readers of the threat model should know to make the model more clear.
They are often used to explain tradeoffs made in the design or implementation of the system that affect security.
They should not be used as a replacement for threats and vulnerabilities.
-
Tool: Internal Security Notes Table
Internal Security Notes
ID | Description
1 | Speed dial information, messages, and the outgoing message are all stored in volatile RAM. The combination of volatile RAM and a battery backup for the Phone 1.0 is cheaper to manufacture than to use non-volatile RAM. This means, however, that power loss to the Phone 1.0 can cause loss of information if the battery backup is depleted.
-
Internal Security Notes: Relevance
Who uses the information? Internal security notes are used by reviewers of the threat model to understand security tradeoffs that were made in the design or implementation of the system.
How is the information collected? Internal security notes are usually collected when the system is being modeled or when threats are being investigated. Often internal security notes come about when a threat exists because of a particular design decision, but that design decision was made to satisfy other, non-security requirements.
How is it used in the rest of the Threat Model? Internal security notes are used when the threat model is reviewed for completeness. They are also used when mitigation for vulnerabilities is discussed.
-
Model the System
Modeling the system is critical to determining threats.
It helps the threat modeling team understand the adversary's view of the system.
It helps the team understand the internal workings of the system, allowing them to identify design- and implementation-specific threats.
-
Identify Entry Points
Entry Points define the boundary of the system being modeled.
They list all places where the system consumes data from, provides data to, or performs actions on behalf of external entities.
Entry points are often obvious: exposed APIs, listening sockets, RPC servers, Web Services, etc. Note however, that any place where the system interacts with external entities could be considered an entry point. For example, reading data from the file system is an entry point because the file system is likely not private to the system being modeled.
-
Tool: Entry Points Table
Entry Points
ID | Name | Description | Trust Level
1 | Handset | The handset is used by the end user for voice communication. Voice dialing will also be implemented via this interface. | (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
2 | Keypad | The keypad is used for dialing, entering local access passwords, and other administrative functions on the Phone 1.0. | (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
3 | Telephone Line | The telephone line is where the Phone 1.0 interfaces with the public switched telephone network. | (5) Anonymous remote user
4 | Alphanumeric Display | The alphanumeric display shows information, such as speed dial numbers, caller ID, administrative menus, etc. | (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
5 | Audible Ringer | The ringer is an exit point used to alert the end user of incoming calls. | (1) Administrator, (2) Long-distance user, (3) Local call user, (4) Denied user
6 | Remote Administration | Remote administration is a menu-driven interface that is accessed remotely over the PSTN. It is enabled when the answering machine feature of the Phone 1.0 is enabled, and is accessed by pressing 9 once the phone answers. | (1) Administrator
-
Entry Points: Relevance
Who uses the information? The entry points are primarily used internally to the threat modeling process as described below.
How is the information collected? Both the designers and implementers of the system provide the list of entry points. Occasionally, additional entry points surface during the data flow modeling of the system.
How is it used in the rest of the Threat Model? Entry points are used to prioritize the threat modeling discussion. They also provide the basis for discussion. For each entry point, the question must be answered: What functionality does the entry point expose? This information is used to decompose security-critical processing using data flow diagrams. Further, they are used to ensure a complete analysis. That is, a Threat Model can only be considered thorough if all entry points are identified and explored.
-
Identify Assets
Assets are those things, both concrete and abstract, that could be targets of an attack by an adversary.
Because of the widely varied functionality of systems, protected resources can also be widely varied. For example, a concrete example might be corporate data stored in a database. A more abstract example might be network coherency in a peer to peer application.
Assets should be nouns.
-
Tool: Assets Table
Assets
ID | Name | Description | Trust Level
1 | Speed-dial list | The speed dial list contains the names and numbers of often-used contacts. | (1) Administrator, (2) Long-distance user, (3) Local call user
2 | Caller ID | Provides information about the incoming caller. | (1) Administrator, (2) Long-distance user, (3) Local call user
3 | Access to the PSTN | The Phone 1.0 indirectly protects access to the PSTN. | (1) Administrator, (2) Long-distance user, (3) Local call user
4 | Long-distance calls | The Phone 1.0 has optional lock-out for long distance calling so that only authorized users can make long distance calls. | (1) Administrator, (2) Long-distance user
5 | Phone configuration | The administrative configuration for the Phone 1.0. | (1) Administrator
6 | Messages | Messages left by callers when the Phone 1.0 has the answering machine feature enabled. | (1) Administrator, (2) Long-distance user, (3) Local call user
-
Assets: Relevance
Who uses the information? The Threat Modeling team uses the information when identifying threats. When analyzing security-critical processing, points where an asset is referenced should be scrutinized. The assets are, in essence, the targets of threats to the system. That is, a threat is what an attacker might try to do to or with an asset that would result in a violation of the system's expected security bounds.
How is the information collected? Many assets are identified when discussing system functionality, use scenarios, and other background information. Questions to ask are: Does the system have access to any resources that an external entity would not normally have access to? What aspects of the system are critical to proper functionality?
How is it used in the rest of the Threat Model? Assets are used during threat identification to identify an adversary's goals. Assuming that an adversary picks a protected resource as a target, what might he try to do to it?
-
Identify Trust Levels
Trust levels characterize either entry points or assets.
In the case of entry points, they describe the external entity that can interface with the entry point.
For assets, they should indicate what privilege level would normally be able to access the resource.
The type of trust level is specific to the entry point or protected resource. For example, some trust levels may correspond to NT groups. Other trust levels may simply describe what is known about the external entity (remote anonymous user, in the case of a public web server).
-
Identify Trust Levels
Trust Levels that have more preconditions (such as requiring authentication) typically have a lower risk.
The Trust Level table can be used to prioritize further discussion based on which categories pose the highest risk.
-
Tool: Trust Levels Table
Trust Levels
ID | Name | Description
1 | Administrator | The Phone 1.0 administrator has access to all features, and can bypass all security checks.
2 | Long-distance user | The Phone 1.0 can be configured to restrict long distance calling. The long-distance user is a phone user that is allowed to make long-distance calls.
3 | Local call user | The local call user can only place outgoing local calls.
4 | Denied user | The Phone 1.0 can be configured to not allow access to the phone without a password. The denied user is a user with no access.
5 | Anonymous remote user | The anonymous remote user represents any data or incoming calls over the PSTN.
-
Trust Levels: Relevance
Who uses the information? The Threat Modeling team uses trust levels to determine high-risk entry points and prioritize the discussion. The team can also use them when discussing assets. They are particularly relevant in elevation of privilege attacks.
How is the information collected? The designers of the system should have this information readily available. It is simply an enumeration of who should and should not have access to an entry point or asset.
How is it used in the rest of the Threat Model? Trust levels are used to prioritize discussion. They are also used when discussing mitigation and risk. For example, one could argue that a buffer overflow at an entry point that requires administrative-level privileges is not high risk because the administrator would not gain access to any assets that he or she does not already have access to. (Of course, this depends on the definition of administrator, and is system-specific.)
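The entry point, asset and trust level tables above are data, and the checks the slides describe (every entry point explored, discussion prioritized by the least-trusted entity that can reach an entry point, elevation-of-privilege paths flagged) can be run over them. The following added example is not from the slides: it transcribes the Phone 1.0 tables as Python data and implements those three checks. The ranking rule (table ID 1 has the most preconditions, ID 5 the fewest) and the three sample threats are assumptions made for the illustration, since the slides do not enumerate threats.

```python
from dataclasses import dataclass

# Trust levels, entry points and assets transcribed from the Phone 1.0 tables
# in these slides. THREATS at the bottom is a constructed sample (the slides do
# not enumerate threats) used only to exercise the checks.

TRUST_LEVELS = {
    1: "Administrator",
    2: "Long-distance user",
    3: "Local call user",
    4: "Denied user",
    5: "Anonymous remote user",
}

# Assumption for ranking: the table is ordered from the trust level with the
# most preconditions (1, authenticated administrator) to the one with the
# fewest (5, anonymous caller), so a higher number means higher risk.


@dataclass(frozen=True)
class Item:
    id: int
    name: str
    trust_levels: frozenset   # IDs from TRUST_LEVELS that may reach or access it


ENTRY_POINTS = [
    Item(1, "Handset", frozenset({1, 2, 3, 4})),
    Item(2, "Keypad", frozenset({1, 2, 3, 4})),
    Item(3, "Telephone Line", frozenset({5})),
    Item(4, "Alphanumeric Display", frozenset({1, 2, 3, 4})),
    Item(5, "Audible Ringer", frozenset({1, 2, 3, 4})),
    Item(6, "Remote Administration", frozenset({1})),
]

ASSETS = [
    Item(1, "Speed-dial list", frozenset({1, 2, 3})),
    Item(2, "Caller ID", frozenset({1, 2, 3})),
    Item(3, "Access to the PSTN", frozenset({1, 2, 3})),
    Item(4, "Long-distance calls", frozenset({1, 2})),
    Item(5, "Phone configuration", frozenset({1})),
    Item(6, "Messages", frozenset({1, 2, 3})),
]

# Constructed threats: (entry point ID, asset ID, description).
THREATS = [
    (3, 3, "Anonymous caller obtains PSTN access through the telephone line"),
    (2, 4, "Local call user places a long-distance call despite lockout"),
    (6, 5, "Administrator changes configuration via remote administration"),
]


def undefined_trust_levels(entry_points, assets, trust_levels):
    """Trust level IDs referenced by a table row but missing from the trust level table."""
    referenced = set()
    for item in list(entry_points) + list(assets):
        referenced |= item.trust_levels
    return sorted(referenced - set(trust_levels))


def risk_rank(entry_point):
    """Least-trusted external entity that can reach this entry point."""
    return max(entry_point.trust_levels)


def prioritized_entry_points(entry_points):
    """Entry point names, highest-risk first (stable sort keeps table order for ties)."""
    return [ep.name for ep in sorted(entry_points, key=risk_rank, reverse=True)]


def privilege_boundary_crossings(threats, entry_points, assets):
    """Threats whose entry point is reachable by a trust level that is not
    allowed to access the targeted asset: the elevation-of-privilege cases
    the slides say trust levels are particularly relevant to."""
    eps = {ep.id: ep for ep in entry_points}
    assets_by_id = {a.id: a for a in assets}
    crossings = []
    for ep_id, asset_id, description in threats:
        unauthorized = eps[ep_id].trust_levels - assets_by_id[asset_id].trust_levels
        if unauthorized:
            crossings.append((description, sorted(TRUST_LEVELS[t] for t in unauthorized)))
    return crossings


def unexplored_entry_points(entry_points, threats):
    """Entry points with no threat recorded against them; the model is not
    thorough until this list is empty."""
    covered = {ep_id for ep_id, _, _ in threats}
    return [ep.name for ep in entry_points if ep.id not in covered]


if __name__ == "__main__":
    print("undefined trust levels:", undefined_trust_levels(ENTRY_POINTS, ASSETS, TRUST_LEVELS))
    print("discussion order:", prioritized_entry_points(ENTRY_POINTS))
    print("privilege crossings:", privilege_boundary_crossings(THREATS, ENTRY_POINTS, ASSETS))
    print("still unexplored:", unexplored_entry_points(ENTRY_POINTS, THREATS))
```

With the sample threats, the Telephone Line (reachable only by the anonymous remote user) sorts first for discussion, the two threats that reach an asset from a trust level not entitled to it are reported as boundary crossings, and the Handset, Alphanumeric Display and Audible Ringer remain unexplored, so the model is not yet thorough in the slides' sense.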
-
Describe Processing on the Threat Path
The Threat Path is the processing that occurs based on the input to the enumerated entry points.
Follow processing from the component's entry point and determine what it does to the input data, or based on the input data.
-
Describe Processing on the Threat Path
While a threat path can simply be described based on a component's inputs, outputs, and processing based on the input, it can help to use a visual tool such as a Data Flow Diagram.
DFDs should start with both Context and Level 0 diagrams.
More detailed diagrams should be created to further describe security-critical processing.
-
Tool: Data Flow Diagram (notation legend)
A Process: Transforms or manipulates data.
Multiple Processes: Transforms or manipulates data.
A Data Store: A location that stores temporary or permanent data.
Boundary: A machine, physical, address space or trust boundary.
Data Flow: Depicts data flow from data stores, processes or interactors.
Interactor: Input to the system.
Diagram levels illustrated: Context, Level 0, Level 1, Level 2 (example flow label: Auth Data).
* Diagrams taken from Writing Secure Code, 2nd Edition
-
Tool: Data Flow Diagram (context diagram for the Fabrikam Phone 1.0)
Process 1: Fabrikam Phone 1.0
Interactors: Local User, PSTN
Data flows between the Local User and the Phone 1.0: audible input via handset, numeric keypad input, visual display output, telephone conversation, ringer.
Data flows between the PSTN and the Phone 1.0: telephone conversation, DTMF input for admin interface, admin menus/data.
-
Tool: Data Flow Diagram (Level 1 diagram for the remote administration interface)
Interactor: User via PSTN
Processes: 1.1 Enable password entering mode; 1.2 Read digit; 1.3 Check if buffer matches password; 1.4 Enable admin mode; 1.5 Administrative interface
Data store: Password ring buffer (stores 8 digits)
Boundaries: Interface enabled privilege boundary; Administrative privilege boundary
Data flows (in the order the process numbering implies): User dials 9 after answering machine picks up (user to 1.1); Password enter enable (1.1 to 1.2); User enters digit in password entering mode (user to 1.2); Digit (1.2 to the ring buffer); 8-digit password (ring buffer to 1.3); Wait for next digit (1.3 back to 1.2); Successful completion (1.3 to 1.4); Admin enable (1.4 to 1.5); Menus, data (1.5 to user); Selections, data (user to 1.5)
-
Data Flow Diagrams: Relevance
Who uses the information? DFDs can be used by security testers to get a better understanding of the system's functionality and implementation. The visual representation of the data flows allows the tester to create attack hypotheses.
How is the information collected? The designers and implementers of the system provide this information. It is often partially completed before any threat modeling meetings. During the meetings, however, they are usually expanded and more diagrams are created as the team analyzes the system.
How is it used in the rest of the Threat Model? The DFDs are used during threat identification as a way to direct threat hypotheses. They allow the threat modeling team to better understand the functionality exposed by the system, and what an attacker's goals might be.
-
Threat Modeling Process overview (repeated from the opening slides), current stage: Determine Threats
-
Determine Threats
Enumerating threats creates a threat profile for a system, describing all of the potential attacks that should be mitigated against.
Threats with valid attack paths are vulnerabilities.
The security of a system can be expressed in terms of threats with appropriate mitigation vs. total threats, taking into account the severity of the threats with insufficient mitigation (vulnerabilities).
-
Threat Modeling Process overview (repeated from the opening slides), current stage: Enumerate Threats
-
Enumerate Threats
Identifying threats, as the critical point in creating a usable threat model, is appropriately the most difficult step in the process.
The Threat Modeling team must take the information produced up to this point and create attack hypotheses.
The team should not limit themselves to known vulnerabilities; rather, they should consider threats regardless of known mitigation.
For a given entry point where a specific external entity interfaces with the system, what security-critical processing occurs, and what might a malicious external entity try to do to thwart that processing or otherwise use an asset outside of its expected use?
-
Enumerate Threats
It is important not to confuse threats with vulnerabilities. A threat is simply what an adversary might try to do to a protected resource in the system. A vulnerability is a specific way that a threat is exploitable based on an unmitigated attack path.
Threats become more specific as the process model becomes more specific.
-
Enumerate Threats
A key aspect to enumerating threats is understanding specifications (and whether or not they are adhered to). Protocol specifications, file format specifications, etc. can define the adversary's sandbox. While adversaries are often constrained by specifications, they can often create spec-valid data that causes corruption or other errors. As specifications become more complex, the corner cases that allow for spec-valid but malicious data increase.
Note that if the system includes a parser for a given specification, then the adversary will also try spec-invalid data to attack the parser itself.
-
Enumerate Threats
Threats can apply a verb to an asset (adversary does something to an asset):
Adversary captures [password data] using a sniffer.
Or, they can result in an asset:
Adversary supplies a path name that exceeds MAX_PATH, causing a buffer overflow that may result in the [ability to execute native code].
In either case, threats are verbs.
-
Using STRIDE
STRIDE is used to classify the effect of threats.
Spoofing. Spoofing allows an adversary to pose as another user, component, or other system that has an identity in the system being modeled.
Tampering. Tampering is the modification of data within the system to achieve a malicious goal.
Repudiation. Repudiation is the ability of an adversary to deny performing some malicious activity because the system does not have sufficient evidence to prove otherwise.
Information Disclosure. Information Disclosure is the exposure of protected data to a user that is not otherwise allowed access to that data.
Denial of Service. Denial of Service is when an adversary can prevent legitimate users from using the normal functionality of the system.
Elevation of Privilege. Elevation of Privilege is when an adversary assumes a Trust Level with different privileges.
* Some information taken from Writing Secure Code, 2nd Edition
-
Tool: Threats Table
Threat
ID: 1
Name: Adversary gains access to the remote administration interface resulting in access to the phone configuration.
Description: The Phone 1.0 has a remote administration interface that allows an authorized user to configure it via the PSTN. The interface is disabled by default, but can be enabled using the local keypad.
STRIDE Classification: Tampering, Information Disclosure, Denial of Service, Elevation of Privilege
Mitigated? No
Known Mitigation: If the remote administration interface is enabled, the end user should change the default password.
Investigation Notes: (none)
Entry Points: (2) Keypad, (3) Telephone Line, (6) Remote Administration
Assets: (5) Phone configuration
-
Tool: Threats Table
Threat
ID: 2
Name: Adversary reads the speed dial list
Description: The speed dial list has sensitive information (names and telephone numbers).
STRIDE Classification: Information Disclosure
Mitigated? No
Known Mitigation: Related Use Scenarios: (2) If the Phone 1.0 is installed in a location where
Investigation Notes: (none)
Entry Points: (2) Keypad, (4) Alphanumeric Display
Assets: (1) Speed-dial list
-
Tool: Threats Table
Threat
ID: 3
Name: Adversary makes a long distance call
Description: Access to long distance can be restricted. Often it is not desirable for arbitrary users to make long distance calls.
STRIDE Classification: Elevation of Privilege
Mitigated? No
Known Mitigation: Related Use Scenarios: (2) If the Phone 1.0 is installed in a location where
Investigation Notes: (none)
Entry Points: (1) Handset, (2) Keypad
Assets: (4) Long distance calling
-
Update DFD for Threat Types
Each element in the DFD is susceptible to one or more threat types. (Diagram: DFD elements 1.0 through 11.0, each annotated with the STRIDE letters of the threat types that apply to it: the full set STRIDE on some elements, TID on others, and SR on the rest.)
-
Threats: Relevance
Who uses the information? Managers use threats to determine the security strengths of the system they are responsible for. Security testers use threats and their associated threat trees to test how well the system is resilient to attacks. Further, threats can be used as a plan of attack for a penetration test.
How is the information collected? Persons responsible for the system's implementation and design are good sources. However, it is best to also include persons who did not work on the system during the threat modeling process. They are often able to think more critically about the system.
How is it used in the rest of the Threat Model? Threats are later analyzed to determine if there are any vulnerabilities associated with them. They provide the basis for determining the strengths and weaknesses of the system.
-
Threat Modeling Process overview (repeated from the opening slides), current stage: Determine if Vulnerabilities Exist
-
Determine if Vulnerabilities Exist
A Threat that has no (or insufficient) mitigating factors results in a Vulnerability, that is, something an attacker can exploit.
For each Threat, determine if there are sufficient protections. Enumerate those that are Vulnerabilities.
-
Formulate Attacks
Using threat trees
Threat trees start with what an attacker might try to do to or with a protected resource (threat), and create a tree of conditions that must be met in order to obtain access to that protected resource.
Each condition can be translated to a test that can be performed programmatically or confirmed via code or design review. Conditions may or may not have mitigation, but do have DREAD ratings.
Access to one protected resource can facilitate access to others. Chaining threat trees can create more complex attacks (attack chaining).
-
Tool: Threat Trees
Threat Trees (also called Attack Trees: Bruce Schneier, Dr. Dobb's Journal, December 1999, "Modeling Security Threats") are used in Threat Modeling to analyze how a threat might be accomplished.
A threat tree is a hierarchical representation of conditions, with the root node being the threat.
An attack path is a route from a leaf condition to the root threat, inclusive of any "and" condition.
Threat Trees are used to determine valid attack paths for a threat. That is, any attack path that does not have a mitigating node is classified as a vulnerability.
In its most basic form, a Threat Tree consists of a single Threat, and multiple Mitigated Conditions and Unmitigated Conditions.
-
Tool: Threat Trees (diagram slide)
-
Tool: Threat Trees
In the previous Threat Tree, Mitigated Conditions are represented with white boxes, and Unmitigated Conditions are represented as orange boxes.
This example shows four possible attack paths, of which only one (the path 1.3.2 -> 1.3 -> 1) has no mitigating nodes and thus represents a valid attack or vulnerability.
-
Sample: Threat Mitigations
Threat #1 (I): Compromise password
  1.1 Access in-use password
    1.1.1 Sniff network
    1.1.2 Phishing attack
  1.2 Guess password
    1.2.1 Password is weak
    1.2.2 Brute force attack
  1.3 Access password in database
    1.3.1 Password is in cleartext
    1.3.2 Compromise database
      1.3.2.1 SQL injection attack
      1.3.2.2 Access database directly
        1.3.2.2.1 Port open
        1.3.2.2.2 Weak db account password(s)
Defenses drawn beside the leaf conditions, grouped as Application Defenses and Infrastructure Defenses: Encryption, Education, Store Salted Hash, Close ports to Internet, Enforce strong passwords (twice), Programming Best Practice.
-
Using DREAD
DREAD is a method of characterizing the risk associated with a vulnerability. It is an acronym for the following categories, and is calculated as an average of values assigned to each of:
Damage Potential. Damage Potential ranks the extent of the damage that occurs if a vulnerability is exploited.
Reproducibility. Reproducibility ranks how often an attempt at exploiting a vulnerability works.
Exploitability. Exploitability assigns a number to the effort required to exploit the vulnerability, and also considers preconditions (such as whether the user must be authenticated).
Affected Users. Affected Users is a numeric value characterizing the ratio of installed instances of the system that would be affected if an exploit became widely available.
Discoverability. Discoverability is the likelihood that, if the vulnerability were to go unpatched, it would be found by external security researchers, hackers, etc.
* Some information taken from Writing Secure Code, 2nd Edition
-
Tool: Vulnerabilities Table
Vulnerability
ID: 1
Name: A user gains access to the administration interface.
Description: If the default password is left unchanged, and the remote administration interface is enabled, then remote anonymous users can easily obtain access to the interface.
STRIDE Classification: Tampering, Information Disclosure, Denial of Service, Elevation of Privilege
DREAD Rating: 7.6 (D: 10, R: 10, E: 8, A: 2, D: 8)
Corresponding Threat: 1 (Adversary gains access to the remote administration interface resulting in access to the phone configuration.)
-
Tool: Vulnerabilities Table
Vulnerability
ID: 2
Name: A user takes advantage of the password ring buffer
Description: If a user takes advantage of the fact that the password for the admin interface is a ring buffer, the attack could take significantly less than 10^8 attempts.
STRIDE Classification: Tampering, Information Disclosure, Denial of Service, Elevation of Privilege
DREAD Rating: 3.8 (D: 10, R: 5, E: 1, A: 2, D: 1)
Corresponding Threat: 1 (Adversary gains access to the remote administration interface resulting in access to the phone configuration.)
-
Applying Risk
Diagram: a threat tree (a Threat with Conditions beneath it) annotated with the DREAD categories. The rating can be applied using the five categories, or alternatively two coarser ones: Damage (covering Damage potential and Affected Users) and Chance (covering Reproducibility, Exploitability and Discoverability).
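Putting the Formulate Attacks, Threat Trees, Sample: Threat Mitigations and DREAD slides together, here is an added Python example (not from the slides or from Microsoft) that enumerates the attack paths of the sample threat tree, reports the unmitigated ones as vulnerabilities with a DREAD rating, and checks what happens when a drawn defence is not actually deployed. Which defence sits beside which leaf, the AND node at 1.3.2.2, the DREAD values on the leaves and the rule for rating an AND path are this example's assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from itertools import product
from statistics import mean
from typing import List, Optional, Tuple

def dread_rating(d: int, r: int, e: int, a: int, di: int) -> float:
    """DREAD rating as the slides define it: the average of the five 1..10 values
    (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability)."""
    values = (d, r, e, a, di)
    if any(not 1 <= v <= 10 for v in values):
        raise ValueError("DREAD values must be within 1..10")
    return round(mean(values), 1)

@dataclass
class Condition:
    """A node of a threat tree; the root is the threat itself."""
    id: str
    label: str
    mitigation: Optional[str] = None   # defence applied at this node, if any
    dread: Optional[Tuple[int, int, int, int, int]] = None  # (D, R, E, A, D) on leaf conditions
    op: str = "OR"                     # "OR": any child suffices; "AND": all children are needed
    children: List["Condition"] = field(default_factory=list)

def attack_paths(node: Condition) -> List[List[Condition]]:
    """Every attack path from a leaf condition up to this node. A path through an
    AND node carries all of its and-ed children, as the slides' definition requires."""
    if not node.children:
        return [[node]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.op == "AND":
        return [sum(combo, []) + [node] for combo in product(*child_paths)]
    return [p + [node] for paths in child_paths for p in paths]

def vulnerabilities(root: Condition) -> List[Tuple[List[str], float]]:
    """Attack paths with no mitigating node, i.e. the vulnerabilities, highest DREAD first.
    This example's choice (the slides do not say): an AND path is rated by its
    lowest-rated leaf, since the chain is only as easy as its hardest condition."""
    found = []
    for path in attack_paths(root):
        if any(n.mitigation for n in path):
            continue  # a mitigated node anywhere on the path blocks it
        rating = min(dread_rating(*n.dread) for n in path if n.dread)
        found.append(([n.id for n in path], rating))
    return sorted(found, key=lambda v: v[1], reverse=True)

def without(root: Condition, *defences: str) -> Condition:
    """Copy of the tree with the named defences removed: a 'what if this defence is
    not actually deployed' check against the mitigations drawn on the tree."""
    copy = deepcopy(root)
    stack = [copy]
    while stack:
        node = stack.pop()
        if node.mitigation in defences:
            node.mitigation = None
        stack.extend(node.children)
    return copy

# The sample tree from the slides (Threat #1, classified I = Information Disclosure).
# Assumptions for illustration: which drawn defence sits beside which leaf is this
# example's reading of the diagram; 1.3.2.2 is an AND node (an open port and a weak
# account are both needed); the DREAD values on the leaves are constructed.
THREAT_1 = Condition("1", "Compromise password", children=[
    Condition("1.1", "Access in-use password", children=[
        Condition("1.1.1", "Sniff network", "Encryption", (10, 10, 5, 8, 6)),
        Condition("1.1.2", "Phishing attack", "Education", (10, 5, 6, 4, 8)),
    ]),
    Condition("1.2", "Guess password", children=[
        Condition("1.2.1", "Password is weak", "Enforce strong passwords", (10, 8, 8, 5, 9)),
        Condition("1.2.2", "Brute force attack", "Enforce strong passwords", (10, 6, 5, 5, 9)),
    ]),
    Condition("1.3", "Access password in database", children=[
        Condition("1.3.1", "Password is in cleartext", "Store salted hash", (10, 10, 3, 10, 4)),
        Condition("1.3.2", "Compromise database", children=[
            Condition("1.3.2.1", "SQL injection attack", "Programming best practice", (10, 9, 7, 10, 8)),
            Condition("1.3.2.2", "Access database directly", op="AND", children=[
                Condition("1.3.2.2.1", "Port open", "Close ports to Internet", (10, 10, 9, 10, 10)),
                Condition("1.3.2.2.2", "Weak db account password(s)", "Enforce strong passwords", (10, 7, 6, 10, 5)),
            ]),
        ]),
    ]),
])

if __name__ == "__main__":
    print(len(attack_paths(THREAT_1)), "attack paths")              # 7
    print("as drawn:", vulnerabilities(THREAT_1))                   # []
    print("ports open:", vulnerabilities(without(THREAT_1, "Close ports to Internet")))  # still []
    print("ports open and weak passwords:",
          vulnerabilities(without(THREAT_1, "Close ports to Internet", "Enforce strong passwords")))
```

Removing only "Close ports to Internet" leaves the tree without vulnerabilities because the AND path is still blocked at 1.3.2.2.2; removing the password policy as well exposes three unmitigated paths.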
-
Vulnerabilities: Relevance
Who uses the information? Vulnerabilities are entered as bugs for the system. Designers and implementers must fix or mitigate these bugs. Security testers can use vulnerabilities to look for similar problems, or create regression tests.
How is the information collected? Vulnerabilities are collected by analyzing the enumerated threats, and determining which threats have insufficient mitigation. This can be done using threat trees or other techniques.
How is it used in the rest of the Threat Model? Vulnerabilities are an output of the threat modeling process.
-
Knowing when you are done
A complete model is one that explores all entry points.
The model should also consider external dependencies (i.e., are you dependent on file system normalization matching your internal normalization?).
Threat models should include participation and review by persons not familiar with the components.
-
Knowing when you are done
If the component is not yet implemented, an update to the threat model should be done post-implementation.
Finally, models are done when there are no more threats left that require further investigation. It does not depend on the number of vulnerabilities found.
-
Conclusion
Analyzing the security of an application is not simply about finding security bugs.
Methodologies for analyzing the security in an application are only recently appearing.
Threat Modeling takes into account all types of attacks against the system.
While this sounds like an extensive amount of work and that it would be easier to just look for vulnerabilities, such an approach would not only be incomplete, but would not be able to characterize the security strengths of a system.
-
Additional Resources
http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en
-
Questions?
-
Definitions
System: Anything that exposes functionality to an end user. It can describe anything from a single feature to a web application and its supporting infrastructure.
Entry Point: A location where an external entity interfaces with the component and component processing begins. Examples include any accessible API, or a socket endpoint.
-
Definitions
Asset: Those things, both concrete and abstract, that could be targets of an attack by an adversary.
Trust Level: A classification for an external entity that interfaces to a component or supplies it with data. It describes the characteristics of that entity that are relevant to security processing, such as credentials and assumptions.
-
Definitions
Threat Path: A data or processing flow that starts at an Entry Point. Threat Paths diagram the critical processing that an external entity can cause to execute. Threat Paths also contain security-specific information, such as process and trust boundaries.
Threat: What a malicious external entity bound to a specific Access Category might try to do to attack the processing along a threat path. A Threat does not constitute a Vulnerability.
-
Definitions
Effect Classification: Categorization of the result of an adversary realizing a Threat. Example: STRIDE.
Vulnerability: A weakness in a system that can be exploited by an external entity. A Vulnerability exists when there is a Threat that goes unmitigated.
-
Definitions
Attack Path: In a threat tree, an attack path is a path from a leaf condition to the root threat, inclusive of any anded conditions.
Threat Profile: An enumeration of all potential threats to a system, regardless of whether that system is vulnerable to them.