Andy Meneely, Ben Smith, and Laurie Williams
CSC 326 - Software Engineering
Department of Computer Science
North Carolina State University

Back to Software Engineering Tutorials

Threat modeling ensures that your application is as secure as possible by iteratively assessing the vulnerabilities in your application to find those that are most dangerous. In this way, you can create a prioritized set of countermeasures to measure and contain the risks.

Microsoft Threat Analysis & Modeling Tool (TAM) allows you to enter application-specifc information and to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

• Data access control matrix
• Component access control matrix
• Subject-object matrix
• Data Flow
• Call Flow
• Trust Flow
• Attack Surface
• Focused reports

In this tutorial, we will be using TAM to perform threat modeling for OpenMRS.

In this tutorial, we assume that you already have TAM v2.1.26. If you are using this tutorial for a class (e.g. CSC 591-003 for NCSU Fall 2009) consult your lab instructors on how to access and start TAM.

In this section, we will use TAM's creation wizard to generate a sample threat model for the open web healthcare application OpenMRS and demonstrate the capabilities of TAM.

1. To begin, open TAM.
2. The welcome screen appears. Click New Threat Model From Wizard.
3. This should present the image shown below. Click Next.
   
   Figure 2.1: The Wizard Start Screen
4. The following screen will ask you to define each user role on a new line. For this demonstration with OpenMRS, let's use two roles: administrator and patient. Enter these two roles on separate lines in the text box that appears and press Next.

Figure 2.2: The Roles Page
5. Now, the screen will ask you for the data handled by OpenMRS. For this example, let's use two simple data types: patient personal information and message. Enter these two data types on separate lines in the text box that appears and press Next.
6. Then, the next screen will ask you to create an access control matrix for your users and data types. Ensure the Data tab has patient personal information and the Role tab has administrator. Then check the boxes labeled create, read, update and delete are all checked as shown in the figure below.
   
   Figure 2.3: The Access Control Matrix Page
7. Click Add. You should see administrator - C R U D appear in the box below the form as shown in the figure below.
   
   Figure 2.4: The Access Control Matrix Page Filled Out
8. Repeat the previous steps for the following access control information. Note that we have already finished the first row, so you do not need to enter it again. Also please note that the permissions you have entered will disappear when you switch Data types. This is fine; they are still entered in the threat model.

   Data	Role	Permissions
   patient personal information	administrator	Create, Read, Update, Delete
   patient personal information	patient	Read, Update
   message	administrator	Create, Read, Delete
   message	patient	Create, Read, Delete

   When you have finished, your message sheet should look like this,

   
   Figure 2.5: Messages on the Control Matrix Page
   and your patient personal information sheet should look like this.
   
   Figure 2.6: Patient Personal Information on the Control Matrix Page
   Click Next to continue creating the threat model.
9. The following page will display a list of all the permissions, user, data tuples you have created. Yours should look like the figure below.
   
   Figure 2.7: The Generated Use Cases
   Click Next to continue creating your threat model.
10. The following page will ask you to specify a set of components that comprise your application. Let's use three simple examples: Tomcat, MySQL, Servlets. Enter these three technology types in the sheet which appears. When finished, yours should look like the following figure:
    
    Figure 2.8: The Components Page
    Click Next.
11. The following page will ask you to add component relevancies. A relevancy is a set of attributes for a given component. Essentially, it tells TAM what the vulnerabilities the component may posses. Ensure that Tomcat is selected and then click the plus sign () to the upper-right hand corner of the Relevancies box.
12. A box like the one shown below will appear. For Tomcat, select the following items: component... utilizes HTTP, utilizes a network protocol, exposes a Web browser interface. Hold Control (Windows) or Command (Mac) to select multiple items. When finished, the box should look like the following figure.
    
    Figure 2.9: Selecting Relevancies for the Tomcat Component
    Click OK.
13. The page should now look like the following figure.
    
    Figure 2.10: The Completed Components Page

    Go through and add the following relevancies to your components. Again, the relevancies for a given component will disappear when you change to a new component but they are still in the threat model. Note that we have already finished Tomcat, so you do not need to add its relevancies again.

    Component	Relevancies
    Tomcat	exposes a Web browser interface, utilizes HTTP, utilizes a network protocol.
    MySQL	utilizes a network protocol
    Servlets	exposes a web browser interface, utilizes HTTP, performs arithmetic operations, constructs SQL queries

    Note here that there are missing relevancies in this model. For example, Tomcat and MySQL both perform I/O and all three components here perform arithmetic operations. Can you name any others? We have kept the relevancies lists short for the sake of simplicity, but when modeling applications, you should include as many relevancies as you think apply. After you have entered all the relevancies, click Next.

14. The following page will ask you to create a series of calls for your threat model. A call can be vocalized like this: "A |CALLER| |ACTION(s)| |DATA SENT| with the |COMPONENT| and receives |DATA RECEIVED|. For our example, let's enter the following call: An administrator edits patient personal information with the Servlets and receives patient personal information. Also, please enter the call: A patient sends a message with the servlets and receives nothing. To add a new line, select a caller on the second line with the *. After you have entered these two calls, your page should look like the following figure.
    
    Figure 2.11: The Finished Calls Page
    Click Next.
15. TAM should reveal threats that have been identified as shown in the figure below.
    
    Figure 2.12: The Identified Threats with the Created Threat Model
    Click Next.
16. A message will appear which says "a new threat model has been created. Click Finish.

Now your threat model's pieces are accessible to you. Explore the threat tree and see what has been generated. Consider the following questions:

• Is this an accurate model of the components in OpenMRS? If not, why not?
• Is this an accurate representation of the data model for OpenMRS? Why or why not?
• Many people say that threat modeling is exponentially expensive; can the entire system be threat modeled? If not, how would you objectively decide which parts of the system to model?

Now that you have added a sample threat model, this section will describe how to add a new user role to the model. The procedure is similar for the other pieces of the threat model.

We will now add a new user role to the OpenMRS threat model.

1. In the threat model panel on the left hand side of the screen, go to Threat Model -> Application Decomposition -> Roles -> User Roles. Your screen should appear like the figure below.
   
   Figure 3.1: Adding a New Item to the Threat Model
2. Click the plus () symbol to the upper-right of the user roles box.
3. A user role screen will appear. Enter healthcare practitioner for the Name. When finished, your entry will appear in the threat model as shown below.
   
   Figure 3.2: The Newly Added User

Next, we will create a diagram of the threats for a specific use case.

1. Go to the Visualizations Menu -> Threat Tree. A box will appear that looks like the following figure.
   
   Figure 4.1: A Blank Threat Tree
2. Click the plus next to the Threat box and select Unauthorized disclosure of <edits> using <Servlets> by <administrator> as shown in the figure below.
   
   Figure 4.2: Selecting the Threat to Model
3. A diagram will appear in the graph as shown below.
   
   Figure 4.3: The Finished Image
4. To save it, click Image beneath the graph tab and save the image.

In this diagram,

• the root node is the threat in question (for example. unauthorized disclosure of edits using Servlets by administrator).
• Then, its children are the vulnerability types (for example, Cross-Site Scripting).
• Each vulnerability type has an underlying cause (for example, Ineffective or lacking input validation).
• Then, each underlying cause has a mitigation technique (for example, create and test input validation).

Now, please take a few moments to answer the following questions:

• What could this threat tree be used for?
• Who would be interested in the threat tree?
• What happens if a new type of attack is invented tomorrow, how would this model change?
• How does the model help you mitigate unknown attack types?

As the threat modeler, you may want to export your analysis to a stakeholder that can do something about it. This section shows you how to create a webpage containing the results of your analysis.

1. Go to Reports Menu -> Comprehensive Report. A report will appear like the following.
   
   Figure 5.1: The Generated Comprehensive Report
2. Scroll through and examine the report. Note that you can also expose other reports using the Repors Menu
3. Now export the report by clicking on the Save icon .

Now take a moment to answer the following questions:

• Who is this report intended for?
• Who would benefit the most from looking at this report?
• Scroll down in this report until you find the checklist of threats. Can you think of another threat in this call that did not make it to this list?
• What is this list used for?
• Generate another report of the type of your choosing (not the comprehensive report) and illustrate how it is different than the comprehensive report.

• Download TAM
• MSDN: The Microsoft SDL Threat Modeling Tool
• Threat Modeling Blog
• MSDN: Threat Modeling
• OpenSeminar: Security
• OpenSeminar: RBAC