
Security analysis methods

There are three methods commonly used for uncovering security vulnerabilities and threats in a system: threat modeling, attack modeling and protocol analysis. In addition, Ole Kasper Olsen proposed a framework for adversary modeling in his master's thesis from 2005 [34].

5.1.1 Threat modeling

Threat modeling [51] is an approach widely used in software engineering and system development projects. It focuses on uncovering and understanding the goals an attacker might have for attacking the system. There are several different ways of conducting threat modeling, each using its own notation for visually modeling the system. One such framework is CORAS, a fully UML-based framework which aims to give a good overview of the system's threats and vulnerabilities.

5.1.2 Attack modeling

Attack modeling [46], [49], [24] is somewhat different from threat modeling: it tries to identify the attacker's full attack path, which is then broken down into small attack goals. Threat modeling as described in the previous section is primarily used in the software development phase, whereas attack modeling is performed once the system is complete. It is used when penetration testing the finished system, and the penetration test assesses the level of security the completed system actually provides. The main focus of this method is analyzing the capabilities and resources of the adversary.

5.1.3 Protocol analysis

Protocol analysis differs from the other two approaches in that it focuses on the details of the communication between entities in the system rather than on the system as a whole, and it works at a quite different level of abstraction. For example, a system may look secure enough in a threat model analysis, while a protocol analysis uncovers specific issues in its communication.


Several formal methods for conducting protocol analysis have been developed, such as [25], [4] and [17]. Protocol analysis is very good at finding possible attacks on a specific protocol. However, for the prototype developed in this thesis no specific protocol has been chosen yet, so this method cannot be applied.

5.1.4 Adversary modeling

The adversary modeling [34] method also focuses on information flow, but at a higher level of abstraction than the protocol analysis approach. It uses a formal framework consisting of the key properties shown below.

Principals are persons, computers and processes that participate in and interact with the system. Every principal in the system can be subject to attacks from adversaries.

Channels are the means of information flow between the principals. The principals interact with each other through the channels. There are several different types of channels ranging from speech and written messages to data flow in a network cable. The channels are described with parameters such as bandwidth and direction of the information flow.

Protected Asset is what the security measures in a system are supposed to protect, that is, what the adversary is trying to get access to. The asset has a certain value for its owner, and a breach of the security measures will usually reduce that value. If confidentiality is compromised, the adversary gains access to the protected information. If the integrity of the asset is compromised, the adversary has tainted the information. The adversary can also deny legitimate users timely access to the asset by compromising its availability. The adversarial setting:

Adversaries. An adversarial setting may consist of several adversaries.

Channel operations. Each adversary has its own set of operations it can perform on the channel itself or on the information traveling within the channel. Three main operations are specified: intercept (eavesdrop), write and block (footnote 1). Intercept means that the adversary can monitor data being transmitted over the channel, i.e. it intercepts a packet and reads its contents. An adversary with write capability is able to inject data onto the channel. Block means that the adversary is able to stop data transmitted on a channel from reaching its destination. Often an adversary can combine these operations, e.g. combining intercept, write and block to perform a man-in-the-middle attack (footnote 2).

1 The adversary modeling approach used in this thesis is somewhat different from the method proposed in Olsen's thesis [34]. The changes to the method were proposed by professor Einar Snekkenes and were meant to clarify some issues in Olsen's thesis that could be misunderstood. For example, the channel operations in his thesis are read, write and intercept.

2 "A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims." Taken from Wikipedia.org.

Capabilities dictate what the adversary may compute or deduce. The capabilities of the adversary fall into one of three categories: guaranteed capabilities, probabilistic capabilities or possible capabilities.

Resources are the objects an adversary controls or has in its possession. This includes everything from exploitable persons to access to computational hardware and the time available to the adversary.

Intra-adversary channels are channels between cooperating adversaries. The combined adversary produced by connecting adversaries through intra-adversary channels is much more dangerous than any of them operating alone, since it has the union of their channel operations, capabilities and resources.

When creating an adversary model, the notation shown in Figure 8 is used.

Figure 8: Notation used in the adversary modeling framework
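To make the framework concrete, the following is an added example (not code from the thesis or from Olsen's work) that encodes principals, channels, adversaries with their channel operations, and intra-adversary channels as plain Python data, and then derives which security property of each channel a single adversary or a coalition can violate. The principals, channel names, adversaries and their operations are constructed for illustration; the rule that intercept + write + block on the same channel amounts to a man-in-the-middle position follows the text above.

```python
"""Added example: a toy encoding of the adversary-modeling framework above.

The principals, channel names, adversaries and their operations below are
constructed for illustration and are not taken from the thesis.
"""
from dataclasses import dataclass, field

INTERCEPT, WRITE, BLOCK = "intercept", "write", "block"


@dataclass(frozen=True)
class Principal:
    name: str


@dataclass(frozen=True)
class Channel:
    """Information flow between two principals; direction is a parameter."""
    name: str
    src: Principal
    dst: Principal
    bidirectional: bool = False


@dataclass
class Adversary:
    name: str
    ops: dict                                   # channel name -> frozenset of operations
    allies: set = field(default_factory=set)    # intra-adversary channels (by name)


def threats(adv, channel):
    """Security properties of `channel` that `adv` is able to violate."""
    ops = adv.ops.get(channel.name, frozenset())
    out = set()
    if INTERCEPT in ops:
        out.add("confidentiality")      # eavesdrop on traffic
    if WRITE in ops:
        out.add("integrity")            # inject forged messages
    if BLOCK in ops:
        out.add("availability")         # suppress legitimate traffic
    if {INTERCEPT, WRITE, BLOCK} <= ops:
        out.add("man-in-the-middle")    # all three together: full channel control
    return out


def merge(advs):
    """Pool the channel operations of cooperating adversaries into one adversary."""
    pooled = {}
    for a in advs:
        for ch, ops in a.ops.items():
            pooled[ch] = pooled.get(ch, frozenset()) | ops
    return Adversary("+".join(sorted(a.name for a in advs)), pooled)


def coalitions(advs):
    """Group adversaries that are connected, in either direction, by intra-adversary channels."""
    by_name = {a.name: a for a in advs}
    seen, groups = set(), []
    for a in advs:
        if a.name in seen:
            continue
        stack, group = [a.name], []
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            group.append(by_name[n])
            stack.extend(x for x in by_name
                         if x in by_name[n].allies or n in by_name[x].allies)
        groups.append(group)
    return groups


def analyse(channels, advs):
    """Threat table: coalition name -> channel name -> set of violated properties."""
    table = {}
    for group in coalitions(advs):
        combined = merge(group)
        table[combined.name] = {ch.name: threats(combined, ch)
                                for ch in channels if threats(combined, ch)}
    return table


# Constructed sample model (assumed names, not from the thesis)
PHONE, IDP, SP = Principal("phone"), Principal("idp"), Principal("sp")
AIR = Channel("air", PHONE, IDP, bidirectional=True)       # wireless link
BACKEND = Channel("backend", IDP, SP, bidirectional=True)  # wired backend link
CHANNELS = [AIR, BACKEND]

EVE = Adversary("eve", {"air": frozenset({INTERCEPT})})                          # passive listener
MALLORY = Adversary("mallory", {"air": frozenset({WRITE, BLOCK})}, allies={"eve"})  # active, cooperates with eve
INSIDER = Adversary("insider", {"backend": frozenset({INTERCEPT})})              # alone on the backend
ADVERSARIES = [EVE, MALLORY, INSIDER]

if __name__ == "__main__":
    for who, row in analyse(CHANNELS, ADVERSARIES).items():
        for ch, props in row.items():
            print(f"{who:12} on {ch:8}: {sorted(props)}")
```

Neither eve nor mallory alone reaches a man-in-the-middle position on the wireless channel, but the coalition formed over their intra-adversary channel does, which is exactly the effect the framework's intra-adversary channels are meant to capture.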

5.1.5 Choosing a method to use in the security analysis

The attack modeling and threat modeling methods are mostly used in the development stages of a system and are not so well suited for evaluating an existing system's resilience against adversaries. The protocol analysis method can be applied to existing systems, but it does not consider the system as a whole: it only analyzes the strength of a specific protocol, and for this system no specific protocol has been chosen. Taking these facts into consideration, adversary modeling is the most logical choice of method for the security analysis of the solution developed in this thesis. The framework is also fairly lightweight and rapid to use. Adversary modeling will help identify and visualize the potential adversaries the system may face.
