Notes on facilitation of threat modelling

The traditional way of doing threat modelling, if it was done at all, was to sit down and think up attacks until bored (often ones that applications defended against anyway) and then declare victory.

  • If we have only non-security geeks doing the threat modelling then many attacks get missed or misidentified. A set of up-to-date attack trees and a facilitator with experience in hacking and security practices can catch those.
  • If we have only security geeks involved then there tends to be a focus on attacks like sending a server custom-crafted messages that take advantage of the unusual mathematical properties of specially-formatted PKCS #1 message padding in RSA-encrypted data blocks and ignore the fact that the server’s private-key file is world-readable and indexed by Google. ~Peter Gutmann (yes, the professional paranoid guy, inventor of the Gutmann method, an algorithm for securely erasing the contents of computer hard drives by writing a series of 35 patterns over the region to be erased, and presented in the paper Secure Deletion of Data from Magnetic and Solid-State Memory in July 1996.)
  • The problem with checklist-based approaches is that they only work when the attacker is using the same checklist as we are, and isn’t aware that a particular type of attack isn’t supposed to work, then they can walk right past the checklist-standardised defences.
  • A variation of checklist-based threat modelling is risk mitigation: documenting every risk we can think of. As a defence strategy, this is even less effective. But, more job-security oriented.
  • Even more job-security oriented is an obfuscated checklist in a notation called Common Criteria, that was recovered from an UFO crash site . Don't allow people understanding it near sharp objects.

In the past this has delivered vulnerabilities and measures that provide the best (theoretical) security but very little effective security:

  • The Internet Threat Model: I’m OK, you’re OK, and eavesdropping on credit card information sent over the Internet is the threat. Then we build something that people without a phone can not use (while ignoring all other threats).
  • Inside-out Threat Model: A wonderful piece of circular reasoning which states that the threat model is whatever the security design is capable of defending against (anything that’s hard to defend against is excluded from the threat model).
  • Provable Security for cryptographic algorithms: algorithms being proven secure against the threats that are defined by the provers (the attacker is transformed into some theoretical bogey man capable of doing anything that we know how to protect against).