BYU logo Computer Science
CS 465 Introduction to Security and Privacy

Threat modeling

Ungraded Quiz

Talk to your neighbor:

  1. What is a threat model?

  2. What is the difference between a data flow diagram and a user workflow diagram?

  3. What is STRIDE? How does it help us?

  4. What is defense in depth?

  5. What is the principle of least privilege?

Key Concepts

Threat Modeling

Wide variety of definitions:

  • Book: “A threat model identifies threats, threat agents, and attack vectors that the target system considers in scope to defend against”
  • Threat modeling manifesto: “Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics”
  • OWASP: “Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.""

Four questions from the threat modeling manifesto:

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good enough job?

Items included in a threat model, from OWASP:

  • Description of the subject to be modeled
  • Assumptions that can be checked or challenged in the future as the threat landscape changes
  • Potential threats to the system
  • Actions that can be taken to mitigate each threat
  • A way of validating the model and threats, and verification of success of actions taken

Diagram-driven threat modeling

  • Starts with an architectural representation of a system, including components and communication between those components

  • Identify where trust occurs

  • Focus on each each component and link and ask what could go wrong

  • Trace actions of users through the system

  • Identify where information is stored in the system and how access is granted to that information

  • Demonstrates how the task of threat modeling is open-ended — long list of questions, redrawing, reconsidering

  • See Figure 1.6 and 1.7, pages 12 and 13

Attack trees

STRIDE

  • Helpful for considering possible attacks

  • Includes:

    • Spoofing: attempts to impersonate a thing or an entity
    • Tampering: unauthorized altering of code, data, packets, etc.
    • Repudiation: denying responsibility for past actions
    • Information disclosure: unauthorized release of data
    • Denial of service: preventing access to services through malicious actions
    • Elevation of privilege: gaining unpermitted access to resources

Gaps in a threat model

  • Difficult to always anticipate threats

  • See hotel safebox example, page 16

  • Need to be sure to update threat model as adversaries, technology, system change

  • Consider Figure 1.9 again — what about a malicious browser extension?

Design Principles

  • Good, long list!

  • Some particularly important ones:

    • simplicity and necessity
    • safe defaults
    • open design
    • complete mediation
    • least privilege
    • defense in depth
    • security by design
    • design for evolution

Exercises

Discuss with a neighbor and then with a class:

  • Build a threat model for an ATM machine where users enter their PIN to access their accounts

  • Build a threat model for a smart home