Research article
DOI: 10.1145/3555776.3577668

Expressive and Systematic Risk Assessments with Instance-Centric Threat Models

Published: 07 June 2023

Abstract

A threat modeling exercise involves systematically assessing the likelihood and potential impact of diverse threat scenarios. Because threat modeling approaches and tools act at the level of a software architecture or design (e.g., a data flow diagram), they consider threat scenarios at the level of classes or types of system elements. More fine-grained analyses in terms of concrete instances of these elements are typically conducted neither explicitly nor rigorously. This hinders (i) expressiveness, as threats that must be articulated at the level of instances cannot be expressed or managed properly, and (ii) systematic risk calculation, as risk cannot be expressed and estimated with respect to instance-level properties.
In this paper, we present a novel threat modeling approach that acts on two layers: (i) the design layer defines the classes and entity types in the system, and (ii) the instance layer models concrete instances and their properties. This, in turn, allows both rough risk estimates at the design level and more precise ones at the instance level. Motivated by a connected vehicles application, we present the key challenges, the modeling approach and a tool prototype. The presented approach is a key enabler for more continuous and frequent threat (re-)assessment: the integration of threat analysis models in CI/CD pipelines and agile development environments (development perspective) on the one hand, and in run-time risk management approaches (operations perspective) on the other.
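The two-layer structure described in the abstract, as an added example (this is not the paper's tool or model; the element type "TelematicsChannel", the property names, the refinement rules and all numeric values are assumptions made for illustration). Design-layer threat templates give one coarse likelihood x impact risk per element type; instance-layer properties then scale likelihood and impact per concrete instance, so that instances a class-level estimate would under-rate become visible.

```python
"""Two-layer threat model: a design layer (element types + threat templates giving a
coarse, class-level risk) and an instance layer (concrete instances whose properties
refine likelihood and impact). Added example; the layering follows the abstract, the
element type, properties, numbers and refinement rules are assumptions."""
from dataclasses import dataclass, field
from typing import Any, Dict, List


# ---- design layer: types of system elements and threats against those types ----
@dataclass(frozen=True)
class ThreatTemplate:
    threat: str            # e.g. "Tampering" (STRIDE category)
    element_type: str      # the class of element it applies to, e.g. "TelematicsChannel"
    likelihood: float      # coarse design-level estimate in [0, 1]
    impact: float          # coarse design-level estimate in [0, 1]


# ---- instance layer: concrete instances of those types, with properties ----
@dataclass
class Instance:
    id: str
    element_type: str
    properties: Dict[str, Any] = field(default_factory=dict)


@dataclass(frozen=True)
class Refinement:
    """If an instance has property == value, scale the matching template's
    likelihood/impact by the given factors (assumed rule format)."""
    threat: str
    prop: str
    value: Any
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0


def design_risk(t: ThreatTemplate) -> float:
    """Class-level risk: likelihood x impact, identical for every instance of the type."""
    return t.likelihood * t.impact


def instance_risk(t: ThreatTemplate, inst: Instance, rules: List[Refinement]) -> float:
    """Instance-level risk: start from the design estimate, apply every matching
    refinement, and clamp so a product of factors never leaves [0, 1]."""
    if inst.element_type != t.element_type:
        raise ValueError(f"{inst.id} is not a {t.element_type}")
    likelihood, impact = t.likelihood, t.impact
    for r in rules:
        if r.threat == t.threat and inst.properties.get(r.prop) == r.value:
            likelihood *= r.likelihood_factor
            impact *= r.impact_factor
    return min(likelihood, 1.0) * min(impact, 1.0)


def assess(templates: List[ThreatTemplate], instances: List[Instance],
           rules: List[Refinement]) -> Dict[str, Dict[str, Any]]:
    """Per threat template: the design-level risk, the per-instance refinements, and
    the instances whose refined risk exceeds the design estimate (the cases a purely
    class-level analysis would have under-rated)."""
    report: Dict[str, Dict[str, Any]] = {}
    for t in templates:
        per_instance = {
            i.id: instance_risk(t, i, rules)
            for i in instances if i.element_type == t.element_type
        }
        report[f"{t.threat}@{t.element_type}"] = {
            "design": design_risk(t),
            "instances": per_instance,
            "under_rated": sorted(k for k, v in per_instance.items() if v > design_risk(t)),
        }
    return report


# ---- constructed connected-vehicle example (all values assumed) ----
TEMPLATES = [ThreatTemplate("Tampering", "TelematicsChannel", likelihood=0.5, impact=0.6)]
RULES = [
    Refinement("Tampering", "tls", True, likelihood_factor=0.4),       # authenticated + encrypted
    Refinement("Tampering", "tls", False, likelihood_factor=1.6),      # plaintext, easier to modify
    Refinement("Tampering", "role", "ota_update", impact_factor=1.5),  # tampered OTA = code on the ECU
]
INSTANCES = [
    Instance("veh-A/telemetry", "TelematicsChannel", {"tls": True, "role": "telemetry"}),
    Instance("veh-B/telemetry", "TelematicsChannel", {"tls": False, "role": "telemetry"}),
    Instance("veh-B/ota", "TelematicsChannel", {"tls": False, "role": "ota_update"}),
]


def run_example() -> Dict[str, Dict[str, Any]]:
    return assess(TEMPLATES, INSTANCES, RULES)


if __name__ == "__main__":
    import json
    print(json.dumps(run_example(), indent=2))
```

Running the block prints one report entry per threat template: the design-level risk (0.3 for the assumed template) next to the refined risk of each channel instance, and an `under_rated` list naming the instances whose instance-level risk is higher than the class-level figure (here the two plaintext channels of vehicle B). Only the properties present on an instance can match a refinement, so the same code serves an agile setting where instances are added as the design evolves, or a run-time setting where property values are refreshed from telemetry before re-assessment.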


Cited By

  • (2024) Run-time threat models for systematic and continuous risk assessment. Software and Systems Modeling. DOI: 10.1007/s10270-024-01242-5. Online publication date: 6 Dec 2024
  • (2023) Ontological analysis in the problems of container applications threat modelling. Informatics 20(4), 69–86. DOI: 10.37661/1816-0301-2023-20-4-69-86. Online publication date: 29 Dec 2023


Published In

SAC '23: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing
March 2023
1932 pages
ISBN:9781450395175
DOI:10.1145/3555776

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. threat modeling
  2. security-by-design
  3. risk management

Conference

SAC '23

Acceptance Rates

Overall acceptance rate: 1,650 of 6,669 submissions, 25%
