1

I am doing a piece of work on a imaginary device which allows the user to lock/unlock their vehicle and access a wireless hotspot in their car using an application on their smartphone via bluetooth.

I am doing the threat modelling for this and am currently stuck on the application decomposition.

enter image description here

It is only meant to be a simple representation, can anyone see if this would be roughly correct or whether there would be a better way to represent it?

h1h1
  • 111
  • 1
  • Is this a school project? – schroeder Apr 30 '15 at 18:12
  • Yeah it is for school – h1h1 Apr 30 '15 at 18:20
  • Nice project! Which school? And for which class? – Rahil Arora Apr 30 '15 at 18:30
  • 1
    Hi @h1h1, welcome to [security.se]! I'm not sure how well this question fits our site as it is, but I'll leave it for now... – AviD Apr 30 '15 at 19:48
  • Just a general comment, you should separate the authentication process from the other processes (you have the other 2 flowing through the "Check Password" process), whereas the authentication itself is really a single process. If you need to, you can model it a layer deeper (but I don't think you do) - at each layer you want to be keeping it as simple and direct as possible. Also remember you need to be focusing on flows - "wifi data" doesn't flow through the password check... – AviD Apr 30 '15 at 19:51

1 Answers1

1

Your drawing above is kind of a mix of activities, states, and actors, but not of hardware systems or network interconnections.

I'd start by modeling the system, not the threats. Perhaps consider creating a UML Communication Diagram showing each of the devices. Then you can start filling in details how data flows from system to system, and how each is initially intended to be protected in whatever ways might make sense (TLS for traffic going over the internet, that kind of thing.)

After you've described how the system is intended to be built, then redraw your model in the Threat Modeling tool. You can then wrap the car in a trust boundary, the bluetooth smartphone device in a different boundary, etc. Your logical borders and your physical borders should start coming together much better then.

The Threat Modeling tool is intended to help analyze a system for security vulnerabilities, it is not really intended to help you initially create the design for a secure system.

John Deters
  • 34,205
  • 3
  • 61
  • 113
  • 1
    John makes solid points about modeling the system, and having less of a mix of states and actors. (For example, when I think about it, how does a user make an HTTPS connection? Is this via a browser on their desktop?) Unless you're already familiar with UML, I wouldn't spend time learning it for this project. As a common starting point, I often like having boxes for code ("processes") and data stores, as well as something to represent the person. point about the boundaries being the device boundaries is excellent. – Adam Shostack May 01 '15 at 14:46
  • 1
    I did want to jump in on your "correctness" question. Your model will never be perfect, the question you should ask is "is this useful?" Can you tell stories about it? Does it help you find threats? If so, great! If not, you might need to add elements which help you tell the story, and those can help you find threats, using STRIDE or attack trees or some other method. – Adam Shostack May 01 '15 at 14:46
  • @AdamShostack, that's why I posted my answer. I found his diagram hard to use because it isn't looking at actual boundaries, but only ideas about where boundaries might be, and those ideas may or may not be correct (as in what lies between his HTTPS and database boundaries? A web server, an app server, or both?) Starting from the system architecture, I would know where to draw those lines. – John Deters May 15 '15 at 20:07