Threat Modeling James Walden

Post on 03-Jan-2016

Page 1: Threat Modeling

Threat Modeling

James Walden

Page 2: Threat Modeling

Topics

1. Threat Generation.
2. Data Flow Diagrams.
3. Attack Trees.
4. Risk Modeling.
5. Threat Modeling Exercise.

Page 3: Threat Modeling

Requirements

Actors: People (roles) who interact with the system.

Assets: Specific pieces of data an attacker wants.

Actions: What Actors do to Assets. Ex: Create, Read, Update, Delete.

Page 4: Threat Modeling

Trike7: Actors

Page 5: Threat Modeling

Trike7: Actor-Asset-Action Matrix

Page 6: Threat Modeling

Rules

Rules apply to each Action and limit the circumstances in which Actions can occur. A rule is a Boolean tree of conditionals.

Actors are represented as a rule: User is in Role.

Page 7: Threat Modeling

Trike7: Part of Rules Tree

Page 8: Threat Modeling

Threat Generation

Use the Actor-Asset-Action matrix. Two types of threats are derived from it via the Rules:

Denial of Service: an Actor is prevented from performing an allowed Action.

Elevation of Privilege: an Actor performs an Action that the matrix prohibits.

Page 9: Threat Modeling

Data Flow Diagrams

Visual model of system data flow.

Rectangles: External actors. Circles: Processes. Double lines: Data stores. Lines: Data flows. Dotted lines: Trust boundaries.

Hierarchical decomposition: decompose until no process crosses a trust boundary.

Page 10: Threat Modeling

Trike3 Example: Data Flow Context Diagram

(Figure: the Blog system with the external actors Anonymous, User and Administrator.)

Page 11: Threat Modeling

Trike3 Example: Data Flow Diagram Level 0

(Figure. External actors: Anonymous, User, Administrator. Process: Web Server, Apache 2.0.54 on OpenBSD 3.7 with mod_lisp and CMUCL. Data stores: Database, PostgreSQL 8.0.3 on OpenBSD 3.7; Logs, flat text file on OpenBSD 3.7, reached via the Local Filesystem. Data flows: HTTP/HTTPS over public internet with form logins between the actors and the Web Server; ODBC over SSL on switched 100bT with user/pass login between the Web Server and the Database. Trust boundaries: Firewall, Machine Boundary.)

Page 12: Threat Modeling

Trike3 Example: Data Flow Diagram Level 1

(Figure. External actors: Anonymous, User, Administrator. Processes: Content viewer, Account Creation, Login, Admin, Content Creation. Data stores: User Database, Logs. Some flows are marked "SSL Only". Process annotations: Module with log & account creation privs; Module with password hash access; Module with DB write access; Module with log & DB admin privs. Trust boundaries: Firewall, Machine Boundary.)

Page 13: Threat Modeling

Attack Trees

Root node is a threat. Subnodes are attacks that realize the threat. Attacks may be re-used in other trees.

Hierarchical decomposition: decompose until you can determine whether the risk is acceptable or not.
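An added example (not from the slides) of the decomposition rule above: an attack tree with OR and AND nodes, where each leaf carries a constructed attacker-cost estimate and a cost of None means the attack is blocked. The cheapest path through the tree is compared with an assumed attacker budget to decide whether the risk is acceptable, and the tree is re-evaluated after a leaf is blocked by a control, which is the point at which decomposition can stop. The threat, node labels, costs and budget are all constructed for illustration.

```python
"""Attack tree evaluation: cheapest attacker path and acceptability check.

Added example, not code from the slides. Node labels and costs are
constructed; a leaf cost of None means the attack is not possible.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    label: str
    kind: str = "OR"             # "OR", "AND" or "LEAF"
    cost: Optional[int] = None   # leaf only: estimated attacker cost
    children: List["Node"] = field(default_factory=list)


def leaf(label, cost):
    return Node(label, "LEAF", cost)


def min_cost(node):
    """Cheapest way to realize this node, or None if every path is blocked."""
    if node.kind == "LEAF":
        return node.cost
    costs = [min_cost(c) for c in node.children]
    if node.kind == "OR":
        feasible = [c for c in costs if c is not None]
        return min(feasible) if feasible else None
    if node.kind == "AND":
        return None if any(c is None for c in costs) else sum(costs)
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_path(node):
    """Leaf labels on the cheapest feasible path, or None if blocked."""
    if node.kind == "LEAF":
        return [node.label] if node.cost is not None else None
    if node.kind == "OR":
        best = None
        for child in node.children:
            cost = min_cost(child)
            if cost is not None and (best is None or cost < best[0]):
                best = (cost, cheapest_path(child))
        return best[1] if best else None
    paths = [cheapest_path(c) for c in node.children]       # AND node
    return None if any(p is None for p in paths) else [l for p in paths for l in p]


def risk_acceptable(tree, attacker_budget):
    """Acceptable when no feasible path fits inside the attacker's budget."""
    cost = min_cost(tree)
    return cost is None or cost > attacker_budget


def mitigate(node, leaf_label):
    """Copy of the tree with the named leaf blocked by a control."""
    if node.kind == "LEAF":
        blocked = node.label == leaf_label
        return Node(node.label, "LEAF", None if blocked else node.cost)
    return Node(node.label, node.kind, None,
                [mitigate(c, leaf_label) for c in node.children])


# Constructed tree: root is a Denial of Service threat against the Logs store.
EXAMPLE_TREE = Node("Administrator denied access to Logs", "OR", children=[
    Node("Log store unusable", "AND", children=[
        leaf("Generate high-volume log traffic", 300),
        leaf("Log partition has no quota", 0),     # a missing control, cost 0
    ]),
    leaf("Log server offline", 2000),
    Node("Log module privileges abused", "AND", children=[
        leaf("Obtain module credentials", 5000),
        leaf("Delete logs", 50),
    ]),
])

if __name__ == "__main__":
    budget = 1000
    print("cheapest:", min_cost(EXAMPLE_TREE), cheapest_path(EXAMPLE_TREE))
    print("acceptable at budget", budget, "->", risk_acceptable(EXAMPLE_TREE, budget))
    fixed = mitigate(EXAMPLE_TREE, "Log partition has no quota")
    print("after quota control:", min_cost(fixed), risk_acceptable(fixed, budget))
```

The AND/OR evaluation is the standard attack-tree calculation; the budget threshold and the "block a leaf, re-evaluate" step stand in for the "acceptable or not" decision the slide leaves to judgement.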

Page 14: Threat Modeling

Trike7 Attack Tree Example

Page 15: Threat Modeling

Attack Graph

Encompasses all attacks against the system: a set of interlinked attack trees.

Auto-generation: a high-level attack skeleton.

Attack libraries: many sub-trees re-appear, attached to tagged technologies in the DFD.

Security expertise is still needed for the full tree.

Page 16: Threat Modeling

Risk Modeling

1. Business assigns values ($) to Assets.

2. Rate Actions on each Asset on a 1-5 relative scale, with 5 being worst. Ranked twice: denial, elevation.

3. Assign each Actor a risk level 1-5.

Risk = Value of Asset * Action risk.
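An added example (not from the slides) that carries the three steps above through for the news-site exercise. The asset dollar values, the 1-5 action ratings and the actor risk levels are constructed; the slide states only Risk = Value of Asset * Action risk, and does not say how the actor risk level enters that product, so this example keeps actor levels as a separate table rather than multiplying them in. The validation step is this example's addition: ratings outside 1-5 are a common spreadsheet mistake that silently distorts the grid.

```python
"""Trike-style risk grid (page 16) for the news-site exercise.

Added example, not code from the slides. Values, ratings and actor levels
are constructed for illustration.
"""

# Step 1: the business assigns a value ($) to each asset (constructed).
ASSET_VALUES = {"Articles": 50_000, "Comments": 5_000,
                "Accounts": 20_000, "Logs": 10_000}

# Step 2: action risk per (asset, action) as (denial, elevation), 1-5, 5 worst.
ACTION_RISK = {
    ("Articles", "Read"):   (4, 1),
    ("Articles", "Update"): (2, 5),
    ("Articles", "Delete"): (3, 5),
    ("Comments", "Create"): (1, 3),
    ("Accounts", "Read"):   (2, 5),
    ("Accounts", "Delete"): (3, 4),
    ("Logs", "Update"):     (1, 5),
}

# Step 3: actor risk levels, 1-5 (constructed; assumption: reported, not multiplied).
ACTOR_RISK = {"Anonymous": 5, "Reader": 4, "Author": 2, "Editor": 1}

THREAT_TYPES = ("denial", "elevation")


def validate():
    """Reject ratings outside the 1-5 scale and actions on unknown assets."""
    for (asset, action), ratings in ACTION_RISK.items():
        if asset not in ASSET_VALUES:
            raise ValueError(f"unknown asset {asset!r} for action {action!r}")
        if len(ratings) != 2 or not all(1 <= r <= 5 for r in ratings):
            raise ValueError(f"ratings for {(asset, action)} must be two values in 1-5")
    for actor, level in ACTOR_RISK.items():
        if not 1 <= level <= 5:
            raise ValueError(f"actor risk for {actor!r} must be in 1-5")
    return True


def risk(asset, action, threat_type):
    """Risk = Value of Asset * Action risk, for the denial or elevation rating."""
    denial, elevation = ACTION_RISK[(asset, action)]
    rating = denial if threat_type == "denial" else elevation
    return ASSET_VALUES[asset] * rating


def risk_grid():
    """(asset, action) -> {"denial": risk, "elevation": risk}."""
    validate()
    return {key: {t: risk(key[0], key[1], t) for t in THREAT_TYPES}
            for key in ACTION_RISK}


def rank(threat_type):
    """Threats of one type, highest risk first; ties broken by asset, action."""
    rows = [(risk(asset, action, threat_type), asset, action)
            for (asset, action) in ACTION_RISK]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


if __name__ == "__main__":
    for key, risks in risk_grid().items():
        print(f"{key[0]:9} {key[1]:7} denial={risks['denial']:>8} "
              f"elevation={risks['elevation']:>8}")
    for t in THREAT_TYPES:
        print(f"top {t} threat:", rank(t)[0])
    print("actor risk levels:", ACTOR_RISK)
```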

Page 17: Threat Modeling

Trike7 Threat Risk Grid

Page 18: Threat Modeling

Threat Modeling Process

1. Preparation: develop requirements, DFDs.
2. Brainstorming: brainstorm possible threats.
3. Drafting.
4. Review.
5. Verification: QA team develops tests.
6. Closure.

Page 19: Threat Modeling

Exercise: Online news site.

Actors: Authors, Editors, Readers.

Data Stores: Database (articles, comments, users); Logs.

Processes: Web server.

Page 20: Threat Modeling

Exercise: Rules.

1. Authors can submit Articles for publication.
2. Editors can publish Articles.
3. Editors can C, R, U, D Articles, Comments.
4. Readers can read Articles, Comments.
5. Readers can C, R, U, D their own Comments to Articles.
6. Anonymous can create Reader accounts.
7. Editors can C, R, U, D accounts.
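An added example (not from the slides) that ties the exercise rules above to the Requirements, Rules and Threat Generation slides (pages 3, 6 and 8): each rule becomes a Boolean conditional ("User is in Role", "acts on Asset", "owns Asset"), the rules tree is their OR, the Actor-Asset-Action matrix is derived by evaluating that tree for every cell, and the two Trike threat types are generated from the matrix. Actor, asset and action names follow the exercise; reading "submit for publication" and "publish" as Submit and Publish actions on Article, and the ownership flag, are this example's assumptions.

```python
"""Rules tree -> Actor-Asset-Action matrix -> threat generation.

Added example, not code from the slides. Encodes the page 20 exercise rules;
the Submit/Publish actions and the ownership circumstance are assumptions.
"""
from dataclasses import dataclass

ACTORS = ("Anonymous", "Reader", "Author", "Editor")
CRUD = ("Create", "Read", "Update", "Delete")
ASSET_ACTIONS = {
    "Article": CRUD + ("Submit", "Publish"),
    "Comment": CRUD,
    "Account": CRUD,
}


@dataclass(frozen=True)
class Context:
    """The circumstances a rule is evaluated in."""
    role: str
    asset: str
    action: str
    owns_asset: bool = False   # needed for "their own Comments"


# Leaf conditionals of the rules tree.
def in_role(*roles):
    return lambda ctx: ctx.role in roles


def acts_on(asset, *actions):
    return lambda ctx: ctx.asset == asset and ctx.action in actions


def owns(ctx):
    return ctx.owns_asset


# Boolean combinators: the tree's AND and OR nodes.
def all_of(*preds):
    return lambda ctx: all(p(ctx) for p in preds)


def any_of(*preds):
    return lambda ctx: any(p(ctx) for p in preds)


# The exercise rules, one AND node per rule, OR'ed together at the root.
RULES = any_of(
    all_of(in_role("Author"), acts_on("Article", "Submit")),
    all_of(in_role("Editor"), acts_on("Article", "Publish")),
    all_of(in_role("Editor"), acts_on("Article", *CRUD)),
    all_of(in_role("Editor"), acts_on("Comment", *CRUD)),
    all_of(in_role("Reader"), acts_on("Article", "Read")),
    all_of(in_role("Reader"), acts_on("Comment", "Read")),
    all_of(in_role("Reader"), acts_on("Comment", *CRUD), owns),
    all_of(in_role("Anonymous"), acts_on("Account", "Create")),
    all_of(in_role("Editor"), acts_on("Account", *CRUD)),
)


def allowed(actor, asset, action, rules=RULES):
    """A matrix cell is allowed if some circumstance satisfies the rules."""
    return any(rules(Context(actor, asset, action, o)) for o in (True, False))


def build_matrix(rules=RULES):
    """Actor-Asset-Action matrix: (actor, asset, action) -> allowed?"""
    return {
        (actor, asset, action): allowed(actor, asset, action, rules)
        for actor in ACTORS
        for asset, actions in ASSET_ACTIONS.items()
        for action in actions
    }


def generate_threats(matrix):
    """Page 8: Denial of Service for every allowed cell, Elevation of
    Privilege for every prohibited one."""
    threats = []
    for (actor, asset, action), ok in sorted(matrix.items()):
        if ok:
            threats.append(("Denial of Service",
                            f"{actor} is prevented from {action} on {asset}"))
        else:
            threats.append(("Elevation of Privilege",
                            f"{actor} performs {action} on {asset}"))
    return threats


def threat_counts(threats):
    counts = {}
    for kind, _ in threats:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    matrix = build_matrix()
    for actor in ACTORS:
        cells = [f"{asset}:{action}" for (a, asset, action), ok
                 in sorted(matrix.items()) if a == actor and ok]
        print(f"{actor:10} allowed: {', '.join(cells)}")
    print(threat_counts(generate_threats(matrix)))
```

Every prohibited cell yields an Elevation of Privilege threat, so the list is long by design; the rules tree is what keeps it honest, since a Reader deleting a Comment they do not own is a prohibited cell even though Reader/Comment/Delete is allowed in the matrix.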

Page 21: Threat Modeling

Exercise: Deliverables

1. Actor-Asset-Action Matrix
2. Rules Tree
3. DFDs
4. Attack Tree
5. Risk Model

Page 22: Threat Modeling

References

1. Ben Hickman, “Application Security and Threat Modeling,” http://cpd.ogi.edu/seminars04/hickmanthreatmodeling.pdf, 2004.

2. Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.

3. Paul Saitta, Brenda Larcom, and Michael Eddington, “Trike v.1 Methodology Document [draft],” http://dymaxion.org/trike/, 2005.

4. Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004.

5. Peter Torr, “Demystifying the Threat-Modeling Process,” IEEE Security & Privacy, Oct/Nov 2005.

6. Peter Torr, “Guerilla Threat Modeling,” http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx, 2005.

7. Trike Threat Modeling Tool, http://www.octotrike.org/, 2005.