Threat Modeling
James Walden
Topics

1. Threat Generation.
2. Data Flow Diagrams.
3. Attack Trees.
4. Risk Modeling.
5. Threat Modeling Exercise.
Requirements

- Actors: People (roles) who interact with the system.
- Assets: Specific pieces of data the attacker wants.
- Actions: What Actors do to Assets.
  - Ex: Create, Read, Update, Delete.

Trike [7]: Actors
(figure from the Trike tool, reference 7)

Trike [7]: Actor-Asset-Action Matrix
(figure from the Trike tool, reference 7)
Rules

- Rules apply to each Action.
  - Limit the circumstances in which Actions can occur.
  - Boolean tree of conditionals.
- Actors are represented as a rule:
  - User is in Role

Trike [7]: Part of Rules Tree
(figure from the Trike tool, reference 7)
Threat Generation

- Use the Actor-Asset-Action matrix.
- Two types of threats, derived via Rules:
  - Denial of Service: Actor is prevented from performing an allowed Action.
  - Elevation of Privilege: Actor performs an Action that the matrix prohibits.
Data Flow Diagrams

- Visual model of system data flow.
  - Rectangles: External actors.
  - Circles: Processes.
  - Double lines: Data stores.
  - Lines: Data flows.
  - Dotted lines: Trust boundaries.
- Hierarchical decomposition
  - Until no process crosses a trust boundary.
Trike [3] Example: Data Flow Context Diagram
(figure: the Blog system with external actors Anonymous, User and Administrator)

Trike [3] Example: Data Flow Diagram Level 0
(figure: Anonymous, User and Administrator reach the Web Server, Apache 2.0.54 on OpenBSD 3.7 with mod_lisp and CMUCL, over HTTP/HTTPS on the public internet with form logins; the Web Server talks to the Database, PostgreSQL 8.0.3 on OpenBSD 3.7, by ODBC over SSL on switched 100bT with user/pass login; Logs are a flat text file on OpenBSD 3.7 in the Local Filesystem; trust boundaries: Firewall, Machine Boundary)

Trike [3] Example: Data Flow Diagram Level 1
(figure: the Web Server decomposed into the processes Account Creation (module with log and account creation privileges), Login (module with password hash access), Content viewer, Content Creation (module with DB write access) and Admin (module with log and DB admin privileges), with Database and Logs as data stores; several flows are marked SSL Only; trust boundaries: Firewall, Machine Boundary)
Attack Trees

- Root node is a threat.
- Subnodes are attacks that realize the threat.
  - Attacks may be re-used in other trees.
- Hierarchical decomposition
  - Until the risk can be determined to be acceptable or not.

Trike [7] Attack Tree Example
(figure from the Trike tool, reference 7)
Attack Graph

- Encompasses all attacks against the system.
  - Set of interlinked attack trees.

Auto-generation

- High-level attack skeleton.
- Attack libraries
  - Many sub-trees re-appear.
  - Attached to tagged technologies in the DFD.
- Need security expertise for the full tree.
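An attack tree for the blog DFD above, as an added example that is not from the slides or the Trike tool. It shows the pieces the last three slides describe: OR/AND decomposition below a threat root, an attack library whose sub-trees are attached to technology tags on DFD elements (the auto-generated skeleton), an expert-added branch, and a rating that propagates leaf likelihoods upward so a team can decide whether the risk is acceptable and which leaf to mitigate first. The library contents, the tag names and the 1-5 likelihood scale (5 = most likely, OR takes the max, AND takes the min) are assumptions made for this example.

```python
"""Attack tree with AND/OR decomposition, a library keyed by DFD technology
tags, and likelihood propagation.  Constructed example; not from the slides
or the Trike tool.  Library entries, tags and ratings are invented."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    kind: str = "or"                  # "or": any child realizes it; "and": all children needed
    likelihood: Optional[int] = None  # leaf rating 1-5, 5 = most likely (assumed scale)
    mitigated: bool = False           # a countermeasure removes this leaf's contribution
    children: list = field(default_factory=list)

    def add(self, *nodes):
        self.children.extend(nodes)
        return self


# Attack library: sub-trees that re-appear across trees, keyed by the technology
# tag a DFD element carries.  Each entry builds a fresh copy, so the same attack
# can be re-used in another tree without sharing state.
LIBRARY = {
    "web-server": lambda: Node("Compromise web server process").add(
        Node("Exploit unpatched server software", likelihood=3),
        Node("Abuse server misconfiguration", likelihood=2)),
    "database": lambda: Node("Access database directly").add(
        Node("Guess database login", likelihood=2),
        Node("Reach ODBC port from another host", likelihood=1)),
    "logfile": lambda: Node("Tamper with log file").add(
        Node("Gain write access to local filesystem", likelihood=2)),
}

# Elements of the Level 0 blog diagram, tagged with their technologies (tags assumed).
DFD = [
    {"element": "Web Server", "tags": ["web-server"]},
    {"element": "Database", "tags": ["database"]},
    {"element": "Logs", "tags": ["logfile"]},
]


def skeleton(threat, dfd, library=LIBRARY):
    """Auto-generate the high-level skeleton: root = the threat, one library
    sub-tree per tagged technology in the DFD.  Expertise fills in the rest."""
    root = Node(threat)
    for element in dfd:
        for tag in element["tags"]:
            if tag in library:
                sub = library[tag]()
                sub.name = f"{sub.name} ({element['element']})"
                root.add(sub)
    return root


def rate(node):
    """Propagate leaf ratings upward: an OR node is as likely as its most likely
    child, an AND node only as likely as its least likely child.  Mitigated
    leaves contribute 0."""
    if not node.children:
        return 0 if node.mitigated else (node.likelihood or 0)
    scores = [rate(child) for child in node.children]
    return max(scores) if node.kind == "or" else min(scores)


def acceptable(node, threshold):
    """Decomposition can stop once the rating lets the team decide."""
    return rate(node) < threshold


def best_path(node):
    """Leaves on the most likely route: what a defender should mitigate first."""
    if not node.children:
        return [node.name]
    rated = [(rate(child), child) for child in node.children]
    if node.kind == "or":
        return best_path(max(rated, key=lambda rc: rc[0])[1])
    return [leaf for _, child in rated for leaf in best_path(child)]


def mitigate(node, leaf_name):
    """Record a countermeasure against every leaf with the given name."""
    if node.name == leaf_name:
        node.mitigated = True
    for child in node.children:
        mitigate(child, leaf_name)
    return node


def example_tree():
    tree = skeleton("Attacker reads user password hashes", DFD)
    # Expert-added branch: an AND node needs both steps to succeed.
    tree.add(Node("Steal hashes in transit", kind="and").add(
        Node("Sniff switched segment", likelihood=1),
        Node("Downgrade SSL on DB link", likelihood=1)))
    return tree


if __name__ == "__main__":
    tree = example_tree()
    print("rating:", rate(tree), "fix first:", best_path(tree))
    mitigate(tree, "Exploit unpatched server software")
    print("after mitigation:", rate(tree), "acceptable below 3:", acceptable(tree, 3))
```

The AND node shows why the propagation rule matters: two unlikely steps that must both succeed stay unlikely, while the OR root is driven by its single most likely branch, which is the leaf `best_path` reports and the one a mitigation lowers first.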
Risk Modeling

1. Business assigns values ($) to Assets.
2. Rate Actions on each Asset.
   - 1-5 relative scale, with 5 being worst.
   - Ranked twice: denial, elevation.
3. Assign each Actor a risk level 1-5.

Risk = Value of Asset * Action risk.

Trike [7] Threat Risk Grid
(figure from the Trike tool, reference 7)
Threat Modeling Process

- Preparation.
  - Develop requirements, DFDs.
- Brainstorming.
  - Brainstorm possible threats.
- Drafting.
- Review.
- Verification.
  - QA team develops tests.
- Closure.
Exercise: Online news site.

- Actors
  - Authors, Editors, Readers.
- Data Stores
  - Database: articles, comments, users.
  - Logs
- Processes
  - Web server
Exercise: Rules.

- Authors can submit Articles for publishing.
- Editors can publish Articles.
- Editors can C, R, U, D Articles, Comments.
- Readers can read Articles, Comments.
- Readers can C, R, U, D their own Comments to Articles.
- Anonymous can create Reader accounts.
- Editors can C, R, U, D accounts.
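The Actor-Asset-Action matrix, rules tree, threat generation and risk grid applied to the rules above, as an added example that is not from the slides or the Trike tool. Rule trees are boolean AND/OR nodes over "User is in Role" leaves (plus an ownership conditional, `owns`, needed for "their own Comments"); the matrix is derived by evaluating each rule for every actor, with the ownership circumstance tried both ways; every allowed cell yields a Denial of Service threat and every prohibited cell an Elevation of Privilege threat; Risk = Value of Asset * Action risk, with the actor's 1-5 level carried along as a tie-breaker. The dollar values, the 1-5 ratings, the separate "publish" action and the deny-by-default reading of anything the rules do not mention are assumptions. The last one is deliberate: cells the exercise leaves unstated (for example, whether Authors may read Articles) surface as Elevation of Privilege threats for review.

```python
"""Actor-Asset-Action matrix, rules tree, threat generation and risk grid for
the online news site exercise.  Constructed example: not code from the slides
or the Trike tool; dollar values and 1-5 ratings are invented inputs."""
from itertools import product

ACTORS = ("Anonymous", "Reader", "Author", "Editor")
ASSETS = ("Article", "Comment", "Account")
ACTIONS = ("create", "read", "update", "delete", "publish")  # publish: Article only


# --- Rules tree: ("and", [...]), ("or", [...]) or a leaf predicate over the request context
def role(name):
    """Leaf rule from the slides: 'User is in Role'."""
    return lambda ctx: ctx["actor"] == name


def owns(ctx):
    """Leaf rule assumed for the exercise: the Comment belongs to the requesting actor."""
    return ctx["owner_is_actor"]


def evaluate(node, ctx):
    if callable(node):
        return node(ctx)
    op, children = node
    values = [evaluate(child, ctx) for child in children]
    return all(values) if op == "and" else any(values)


EDITOR_OR_READER = ("or", [role("Editor"), role("Reader")])
OWN_COMMENT = ("or", [role("Editor"), ("and", [role("Reader"), owns])])
RULES = {
    ("Article", "create"):  ("or", [role("Author"), role("Editor")]),  # authors submit
    ("Article", "publish"): role("Editor"),
    ("Article", "read"):    EDITOR_OR_READER,
    ("Article", "update"):  role("Editor"),
    ("Article", "delete"):  role("Editor"),
    ("Comment", "create"):  EDITOR_OR_READER,
    ("Comment", "read"):    EDITOR_OR_READER,
    ("Comment", "update"):  OWN_COMMENT,
    ("Comment", "delete"):  OWN_COMMENT,
    ("Account", "create"):  ("or", [role("Anonymous"), role("Editor")]),
    ("Account", "read"):    role("Editor"),
    ("Account", "update"):  role("Editor"),
    ("Account", "delete"):  role("Editor"),
}
# Any (asset, action) pair without a rule is prohibited for everyone (deny by default).


def build_matrix():
    """Map (actor, asset, action) -> 'always' | 'sometimes' | 'never'.
    Every circumstance a rule depends on (here: ownership) is tried both ways."""
    matrix = {}
    for actor, asset, action in product(ACTORS, ASSETS, ACTIONS):
        if action == "publish" and asset != "Article":
            continue
        rule = RULES.get((asset, action))
        outcomes = ({evaluate(rule, {"actor": actor, "owner_is_actor": o}) for o in (True, False)}
                    if rule is not None else {False})
        matrix[(actor, asset, action)] = (
            "always" if outcomes == {True} else
            "never" if outcomes == {False} else "sometimes")
    return matrix


def generate_threats(matrix):
    """DoS wherever the action is ever allowed, EoP wherever it is ever prohibited;
    a 'sometimes' cell produces both."""
    threats = []
    for key, cell in sorted(matrix.items()):
        if cell != "never":
            threats.append(("Denial of Service",) + key)
        if cell != "always":
            threats.append(("Elevation of Privilege",) + key)
    return threats


ASSET_VALUE = {"Article": 5_000, "Comment": 500, "Account": 20_000}  # $, invented
# Action risk on a 1-5 scale (5 worst), ranked twice: denial and elevation.  Invented.
ACTION_RISK = {
    "Denial of Service":      {"create": 2, "read": 3, "update": 2, "delete": 2, "publish": 3},
    "Elevation of Privilege": {"create": 3, "read": 4, "update": 4, "delete": 5, "publish": 4},
}
ACTOR_RISK = {"Anonymous": 5, "Reader": 4, "Author": 3, "Editor": 2}  # 1-5, invented


def risk_grid(threats):
    """Risk = Value of Asset * Action risk (the slides' formula), highest first;
    the actor's risk level is the tie-breaker within equal risk."""
    grid = []
    for kind, actor, asset, action in threats:
        risk = ASSET_VALUE[asset] * ACTION_RISK[kind][action]
        grid.append((risk, ACTOR_RISK[actor], kind, actor, asset, action))
    return sorted(grid, reverse=True)


if __name__ == "__main__":
    threats = generate_threats(build_matrix())
    for row in risk_grid(threats)[:5]:
        print(row)
```

Running it prints the top of the risk grid, and the full threat list is the "Ranked twice" input the Risk Modeling slide asks for: each cell is rated once for denial and once for elevation, so the two threat kinds on the same cell can land in very different places in the grid.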
Exercise: Deliverables

- Actor-Asset-Action Matrix
- Rules Tree
- DFDs
- Attack Tree
- Risk Model
References

1. Ben Hickman, “Application Security and Threat Modeling,” http://cpd.ogi.edu/seminars04/hickmanthreatmodeling.pdf, 2004.
2. Michael Howard and David LeBlanc, Writing Secure Code, 2nd edition, Microsoft Press, 2003.
3. Paul Saitta, Brenda Larcom, and Michael Eddington, “Trike v.1 Methodology Document [draft],” http://dymaxion.org/trike/, 2005.
4. Frank Swiderski and Window Snyder, Threat Modeling, Microsoft Press, 2004.
5. Peter Torr, “Demystifying the Threat-Modeling Process,” IEEE Security & Privacy, Oct/Nov 2005.
6. Peter Torr, “Guerilla Threat Modeling,” http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx, 2005.
7. Trike Threat Modeling Tool, http://www.octotrike.org/, 2005.