In this tutorial, we assume that you already have
TAM v2.1.26. If you are using this
tutorial for a class (e.g. CSC 591-003 for NCSU Fall 2009) consult
your lab instructors on how to access and start TAM.
In this section, we will use TAM's creation wizard to generate a sample threat model for the open web healthcare application OpenMRS and demonstrate the capabilities of TAM.
- To begin, open TAM.
- The welcome screen appears. Click New Threat Model From Wizard.
- This should present the image shown below. Click Next.
Figure 2.1: The Wizard Start Screen
- The following screen will ask you to define each user role on a new line. For this demonstration with OpenMRS, let's use two roles:
patient. Enter these two roles on separate lines in the text box that appears and press Next.
Figure 2.2: The Roles Page
- Now, the screen will ask you for the data handled by OpenMRS. For this example, let's use two simple data types:
patient personal information and
message. Enter these two data types on separate lines in the text box that appears and press Next.
- Then, the next screen will ask you to create an access control matrix for your users and data types. Ensure the
Data tab has
patient personal information and the
Role tab has administrator. Then check the boxes labeled
delete are all checked as shown in the figure below.
Figure 2.3: The Access Control Matrix Page
Add. You should see
administrator - C R U D appear in the box below the form as shown in the figure below.
Figure 2.4: The Access Control Matrix Page Filled Out
- Repeat the previous steps for the following access control information. Note that we have already finished the first row, so you do not need to enter it again. Also please note that the permissions you have entered will disappear when you switch Data types. This is fine; they are still entered in the threat model.
When you have finished, your message sheet should look like this,
|patient personal information
||Create, Read, Update, Delete
|patient personal information
||Create, Read, Delete
||Create, Read, Delete
|Figure 2.5: Messages on the Control Matrix Page
and your patient personal information sheet should look like this.
Figure 2.6: Patient Personal Information on the Control Matrix Page
Click Next to continue creating the threat model.
- The following page will display a list of all the permissions, user, data tuples you have created. Yours should look like the figure below.
Figure 2.7: The Generated Use Cases
Click Next to continue creating your threat model.
- The following page will ask you to specify a set of components that comprise your application. Let's use three simple examples:
Servlets. Enter these three technology types in the sheet which appears. When finished, yours should look like the following figure:
Figure 2.8: The Components Page
- The following page will ask you to add component relevancies. A relevancy is a set of attributes for a given component. Essentially, it tells TAM what the vulnerabilities the component may posses. Ensure that
Tomcat is selected and then click the plus sign () to the upper-right hand corner of the
- A box like the one shown below will appear. For Tomcat, select the following items: component...
utilizes a network protocol,
exposes a Web browser interface. Hold Control (Windows) or Command (Mac) to select multiple items. When finished, the box should look like the following figure.
Figure 2.9: Selecting Relevancies for the Tomcat Component
- The page should now look like the following figure.
Figure 2.10: The Completed Components Page
Go through and add the following relevancies to your components. Again, the relevancies for a given component will disappear when you change to a new component but they are still in the threat model. Note that we have already finished Tomcat, so you do not need to add its relevancies again.
Note here that there are missing relevancies in this model. For example, Tomcat and MySQL both perform I/O and all three components here perform arithmetic operations. Can you name any others? We have kept the relevancies lists short for the sake of simplicity, but when modeling applications, you should include as many relevancies as you think apply. After you have entered all the relevancies, click Next.
||exposes a Web browser interface, utilizes HTTP, utilizes a network protocol.
||utilizes a network protocol
||exposes a web browser interface, utilizes HTTP, performs arithmetic operations, constructs SQL queries
- The following page will ask you to create a series of calls for your threat model. A call can be vocalized like this: "A
|DATA SENT| with the
|COMPONENT| and receives
|DATA RECEIVED|. For our example, let's enter the following call: An
administrator edits patient personal information with the
Servlets and receives
patient personal information. Also, please enter the call: A
patient sends a message with the
servlets and receives
nothing. To add a new line, select a caller on the second line with the *. After you have entered these two calls, your page should look like the following figure.
Figure 2.11: The Finished Calls Page
- TAM should reveal threats that have been identified as shown in the figure below.
Figure 2.12: The Identified Threats with the Created Threat Model
- A message will appear which says "a new threat model has been created. Click Finish.
Now your threat model's pieces are accessible to you. Explore the threat tree and see what has been generated. Consider the following questions:
- Is this an accurate model of the components in OpenMRS? If not, why not?
- Is this an accurate representation of the data model for OpenMRS? Why or why not?
- Many people say that threat modeling is exponentially expensive; can the entire system be threat modeled? If not, how would you objectively decide which parts of the system to model?