Using Microsoft's Threat Analysis and Modeling Tool


Andy Meneely, Ben Smith, and Laurie Williams
CSC 326 - Software Engineering
Department of Computer Science
North Carolina State University



0.0 Contents
1.0 What is the Threat Analysis and Modeling Tool?
2.0 Creating a Threat Model using the Wizard
3.0 Adding a New Piece Without the Wizard
4.0 Creating a Diagram of the Threat Model
5.0 Creating a Comprehensive Report of the Threat Model
6.0 Resources

1.0 What is the Threat Analysis and Modeling Tool?

Threat modeling ensures that your application is as secure as possible by iteratively assessing the vulnerabilities in your application to find those that are most dangerous. In this way, you can create a prioritized set of countermeasures to measure and contain the risks.

The Microsoft Threat Analysis & Modeling Tool (TAM) allows you to enter application-specific information and produces a feature-rich threat model from it. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

  • Data access control matrix
  • Component access control matrix
  • Subject-object matrix
  • Data Flow
  • Call Flow
  • Trust Flow
  • Attack Surface
  • Focused reports

In this tutorial, we will be using TAM to perform threat modeling for OpenMRS.


2.0 Creating a Threat Model using the Wizard

In this tutorial, we assume that you already have TAM v2.1.26. If you are using this tutorial for a class (e.g. CSC 591-003 for NCSU Fall 2009) consult your lab instructors on how to access and start TAM.

In this section, we will use TAM's creation wizard to generate a sample threat model for the open web healthcare application OpenMRS and demonstrate the capabilities of TAM.

  1. To begin, open TAM.
  2. The welcome screen appears. Click New Threat Model From Wizard.
  3. The screen shown below should appear. Click Next.

    Figure 2.1: The Wizard Start Screen
  4. The following screen will ask you to define each user role on a new line. For this demonstration with OpenMRS, let's use two roles: administrator and patient. Enter these two roles on separate lines in the text box that appears and press Next.

    Figure 2.2: The Roles Page
  5. Now, the screen will ask you for the data handled by OpenMRS. For this example, let's use two simple data types: patient personal information and message. Enter these two data types on separate lines in the text box that appears and press Next.
  6. Then, the next screen will ask you to create an access control matrix for your users and data types. Ensure the Data tab shows patient personal information and the Role tab shows administrator. Then check the boxes labeled create, read, update and delete, so that all four are checked as shown in the figure below.

    Figure 2.3: The Access Control Matrix Page
  7. Click Add. You should see administrator - C R U D appear in the box below the form as shown in the figure below.

    Figure 2.4: The Access Control Matrix Page Filled Out
  8. Repeat the previous steps for the following access control information. Note that we have already finished the first row, so you do not need to enter it again. Also please note that the permissions you have entered will disappear when you switch Data types. This is fine; they are still entered in the threat model.

    Data                          Role           Permissions
    patient personal information  administrator  Create, Read, Update, Delete
    patient personal information  patient        Read, Update
    message                       administrator  Create, Read, Delete
    message                       patient        Create, Read, Delete

    When you have finished, your message sheet should look like this,

    Figure 2.5: Messages on the Control Matrix Page
    and your patient personal information sheet should look like this.

    Figure 2.6: Patient Personal Information on the Control Matrix Page
    Click Next to continue creating the threat model.
  9. The following page will display a list of all the (permission, user, data) tuples you have created. Yours should look like the figure below.

    Figure 2.7: The Generated Use Cases
    Click Next to continue creating your threat model.
  10. The following page will ask you to specify a set of components that comprise your application. Let's use three simple examples: Tomcat, MySQL, Servlets. Enter these three technology types in the sheet which appears. When finished, yours should look like the following figure:

    Figure 2.8: The Components Page
    Click Next.
  11. The following page will ask you to add component relevancies. A relevancy is a set of attributes for a given component. Essentially, it tells TAM which vulnerabilities the component may possess. Ensure that Tomcat is selected and then click the plus sign in the upper-right corner of the Relevancies box.
  12. A box like the one shown below will appear. For Tomcat, select the following items: component... utilizes HTTP, utilizes a network protocol, exposes a Web browser interface. Hold Control (Windows) or Command (Mac) to select multiple items. When finished, the box should look like the following figure.

    Figure 2.9: Selecting Relevancies for the Tomcat Component
    Click OK.
  13. The page should now look like the following figure.

    Figure 2.10: The Completed Components Page

    Go through and add the following relevancies to your components. Again, the relevancies for a given component will disappear when you change to a new component, but they are still in the threat model. Note that we have already finished Tomcat, so you do not need to add its relevancies again.

    Component  Relevancies
    Tomcat     exposes a Web browser interface, utilizes HTTP, utilizes a network protocol
    MySQL      utilizes a network protocol
    Servlets   exposes a Web browser interface, utilizes HTTP, performs arithmetic operations, constructs SQL queries

    Note here that there are missing relevancies in this model. For example, Tomcat and MySQL both perform I/O, and all three components here perform arithmetic operations. Can you name any others? We have kept the relevancies lists short for the sake of simplicity, but when modeling applications, you should include as many relevancies as you think apply. After you have entered all the relevancies, click Next.

  14. The following page will ask you to create a series of calls for your threat model. A call can be vocalized like this: "A |CALLER| |ACTION(s)| |DATA SENT| with the |COMPONENT| and receives |DATA RECEIVED|." For our example, let's enter the following call: An administrator edits patient personal information with the Servlets and receives patient personal information. Also, please enter the call: A patient sends a message with the Servlets and receives nothing. To add a new line, select a caller on the second line, the one marked with the *. After you have entered these two calls, your page should look like the following figure.

    Figure 2.11: The Finished Calls Page
    Click Next.
  15. TAM should reveal the threats that have been identified, as shown in the figure below.

    Figure 2.12: The Identified Threats with the Created Threat Model
    Click Next.
  16. A message will appear which says "A new threat model has been created." Click Finish.
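
The wizard keeps the access control matrix (Figures 2.3 to 2.6), the use cases it generates from it (Figure 2.7) and the calls (Figure 2.11) as separate pieces of the model. The following Python script is an added example written for this tutorial; it is not TAM's code and does not read TAM files. It reproduces the matrix from the table above as plain data, expands it into the (role, action, data) tuples the Generated Use Cases page lists, and then checks each call against the matrix, so that a call whose action the matrix never granted stands out. The two calls from the Calls page are included, together with a third, constructed call that the matrix forbids. Names such as ACCESS_MATRIX, Call and unauthorized_calls are ours.

```python
"""Added example (not part of the tutorial or of TAM): the wizard's access
control matrix and calls as plain data, plus the two derivations TAM does
for you: use-case generation and a matrix-versus-calls consistency check."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Permission order exactly as the wizard's access control matrix page lists it.
CRUD = ("Create", "Read", "Update", "Delete")

# The matrix from Figures 2.3-2.6, keyed by (data, role). Constructed from the
# tutorial's table, not exported from TAM.
ACCESS_MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("patient personal information", "administrator"): frozenset(CRUD),
    ("patient personal information", "patient"): frozenset({"Read", "Update"}),
    ("message", "administrator"): frozenset({"Create", "Read", "Delete"}),
    ("message", "patient"): frozenset({"Create", "Read", "Delete"}),
}


def crud_string(perms: FrozenSet[str]) -> str:
    """Render a permission set the way the wizard does, e.g. 'C R U D'."""
    return " ".join(p[0] for p in CRUD if p in perms)


def generate_use_cases(matrix: Dict[Tuple[str, str], FrozenSet[str]]
                       ) -> List[Tuple[str, str, str]]:
    """Expand the matrix into (role, action, data) tuples, which is what the
    Generated Use Cases page (Figure 2.7) shows one per line."""
    cases = []
    for (data, role), perms in sorted(matrix.items()):
        for action in CRUD:  # iterate CRUD, not perms, to keep a stable order
            if action in perms:
                cases.append((role, action, data))
    return cases


@dataclass(frozen=True)
class Call:
    """One row of the Calls page: caller, action, data sent, component and
    data received (None when the call 'receives nothing')."""
    caller: str
    action: str           # a CRUD verb; the tutorial's 'edits' is Update
    data_sent: str
    component: str
    data_received: Optional[str]


def unauthorized_calls(calls: List[Call],
                       matrix: Dict[Tuple[str, str], FrozenSet[str]]
                       ) -> List[Call]:
    """Return the calls whose action the matrix does not grant to the caller
    on the data sent. The matrix and the calls are entered on different wizard
    pages, so a call can quietly contradict the matrix; this check finds it."""
    flagged = []
    for call in calls:
        granted = matrix.get((call.data_sent, call.caller), frozenset())
        if call.action not in granted:
            flagged.append(call)
    return flagged


# The two calls from the Calls page, plus a constructed third call that the
# matrix forbids (a patient has no Delete permission on patient records).
EXAMPLE_CALLS: List[Call] = [
    Call("administrator", "Update", "patient personal information",
         "Servlets", "patient personal information"),
    Call("patient", "Create", "message", "Servlets", None),
    Call("patient", "Delete", "patient personal information", "Servlets", None),
]

if __name__ == "__main__":
    for (data, role), perms in ACCESS_MATRIX.items():
        print(f"{data:30} {role:14} {crud_string(perms)}")
    print(f"{len(generate_use_cases(ACCESS_MATRIX))} use cases generated")
    for call in unauthorized_calls(EXAMPLE_CALLS, ACCESS_MATRIX):
        print("not granted by the matrix:", call.caller, call.action,
              call.data_sent)
```

Run as a script, it prints the matrix in the wizard's C R U D notation, reports twelve generated use cases, and flags only the constructed third call. The same kind of cross-check is worth repeating by hand in TAM after editing either the matrix or the calls, since the tool does not stop you from describing a data flow that your own access control matrix says should not exist.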

Now your threat model's pieces are accessible to you. Explore the threat tree and see what has been generated. Consider the following questions:

  • Is this an accurate model of the components in OpenMRS? If not, why not?
  • Is this an accurate representation of the data model for OpenMRS? Why or why not?
  • Many people say that threat modeling is exponentially expensive; can the entire system be threat modeled? If not, how would you objectively decide which parts of the system to model?

3.0 Adding a New Piece Without the Wizard

Now that you have added a sample threat model, this section will describe how to add a new user role to the model. The procedure is similar for the other pieces of the threat model.

We will now add a new user role to the OpenMRS threat model.

  1. In the threat model panel on the left-hand side of the screen, go to Threat Model -> Application Decomposition -> Roles -> User Roles. Your screen should appear like the figure below.

    Figure 3.1: Adding a New Item to the Threat Model
  2. Click the plus symbol in the upper-right corner of the user roles box.
  3. A user role screen will appear. Enter healthcare practitioner for the Name. When finished, your entry will appear in the threat model as shown below.

    Figure 3.2: The Newly Added User

4.0 Creating a Diagram of the Threat Model

Next, we will create a diagram of the threats for a specific use case.

  1. Go to the Visualizations Menu -> Threat Tree. A box will appear that looks like the following figure.

    Figure 4.1: A Blank Threat Tree
  2. Click the plus next to the Threat box and select Unauthorized disclosure of <edits> using <Servlets> by <administrator> as shown in the figure below.

    Figure 4.2: Selecting the Threat to Model
  3. A diagram will appear in the graph as shown below.

    Figure 4.3: The Finished Image
  4. To save it, click Image beneath the graph tab and save the image.

In this diagram,

  • the root node is the threat in question (for example, unauthorized disclosure of edits using Servlets by administrator);
  • its children are the vulnerability types (for example, Cross-Site Scripting);
  • each vulnerability type has an underlying cause (for example, ineffective or lacking input validation);
  • and each underlying cause has a mitigation technique (for example, create and test input validation).

Now, please take a few moments to answer the following questions:

  • What could this threat tree be used for?
  • Who would be interested in the threat tree?
  • If a new type of attack is invented tomorrow, how would this model change?
  • How does the model help you mitigate unknown attack types?

5.0 Creating a Comprehensive Report of the Threat Model

As the threat modeler, you may want to export your analysis to a stakeholder that can do something about it. This section shows you how to create a webpage containing the results of your analysis.

  1. Go to Reports Menu -> Comprehensive Report. A report will appear like the following.

    Figure 5.1: The Generated Comprehensive Report
  2. Scroll through and examine the report. Note that you can also open other reports from the Reports Menu.
  3. Now export the report by clicking on the Save icon.

Now take a moment to answer the following questions:

  • Who is this report intended for?
  • Who would benefit the most from looking at this report?
  • Scroll down in this report until you find the checklist of threats. Can you think of another threat in this call that did not make it to this list?
  • What is this list used for?
  • Generate another report of a type of your choosing (not the comprehensive report) and illustrate how it differs from the comprehensive report.

6.0 Resources


Using Microsoft's Threat Analysis and Modeling Tool ©2009 North Carolina State University, Andy Meneely, Ben Smith, and Laurie Williams
Email the authors with any questions or comments about this tutorial.
Last Updated: Tuesday, September 15, 2009 10:53 AM