Trike's Automatic Threat Generation

Presented at ShmooCon I (2005), Feb. 6, 2005, noon (60 minutes)

If you have ever tried to completely & accurately describe the insecurities (at every level of abstraction) in a system, you have probably noticed that there is no widely known, repeatable, and reasonably doable method for doing so. You could easily conclude that the whole halting problem thing is stopping people. ;) The thing about undecidable problems is that there exist algorithms which will solve particular cases, there exist algorithms which can make good predictions or approximations for particular cases, and there exist algorithms which can solve pieces of the problem. Essentially, by approaching the problem from different angles, you can move the insolubility around. For example, formal verification can be used in some situations to prove or disprove a program's adherence to a formal specification; this moves some security-related insolubility from the program to the specification. Brenda will present a brief overview of Trike (the way she, Paul Saitta and Michael Eddington are currently organizing this problem), the key differences between Trike and previous threat modeling work, the algorithm Trike uses to automatically generate all the top-level threats for a system, some assumptions that make this possible, and a description of where she thinks the insolubility will end up when the problem is organized this way.
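As an added illustration, not code from the talk or from the Trike authors' own tooling, here is a small Python model of the actor/asset/action matrix that the Trike v1 methodology uses for automatic threat generation. For every asset and each CRUD action it emits the two top-level threat classes Trike recognises: denial of service (an actor who is intended to perform the action is prevented from doing so) and elevation of privilege (an actor who is not intended to perform it succeeds). The e-commerce system, the actor names and the intended-actions table are constructed for the example; the enumeration is exhaustive by construction, which is the "automatic" part, and the remaining hard work (is the intended-actions table itself right?) is where the insolubility ends up.

```python
from dataclasses import dataclass
from itertools import product

# The four actions Trike models against every asset.
ACTIONS = ("create", "read", "update", "delete")

# Constructed example system (not from the talk): a small order-management service.
ACTORS = ("customer", "support_agent", "anonymous")
ASSETS = ("order", "account")

# Intended-actions table: (actor, asset) -> actions that actor is *supposed* to be
# able to perform. Anything absent is, by design, not intended. "anonymous" is the
# unauthenticated actor and is intended to do nothing, so it appears in every
# elevation-of-privilege threat.
INTENDED = {
    ("customer", "order"): {"create", "read"},
    ("customer", "account"): {"read", "update"},
    ("support_agent", "order"): {"read", "update"},
    ("support_agent", "account"): {"read"},
}


@dataclass(frozen=True)
class Threat:
    kind: str        # "denial_of_service" or "elevation_of_privilege"
    asset: str
    action: str
    actors: tuple    # actors the threat concerns (see generate_threats)

    def describe(self) -> str:
        who = ", ".join(self.actors) if self.actors else "(no actor)"
        if self.kind == "denial_of_service":
            return f"DoS: {who} prevented from performing '{self.action}' on '{self.asset}'"
        return f"EoP: {who} able to perform '{self.action}' on '{self.asset}'"


def generate_threats(actors, assets, intended):
    """Enumerate Trike's top-level threats: exactly two per (asset, action) pair.

    - denial_of_service lists the actors intended to perform the action (they are
      the ones who can be denied it);
    - elevation_of_privilege lists the actors NOT intended to perform it (they are
      the ones who would be gaining privilege).
    """
    threats = []
    for asset, action in product(assets, ACTIONS):
        allowed = tuple(a for a in actors if action in intended.get((a, asset), set()))
        denied = tuple(a for a in actors if action not in intended.get((a, asset), set()))
        threats.append(Threat("denial_of_service", asset, action, allowed))
        threats.append(Threat("elevation_of_privilege", asset, action, denied))
    return threats


def threat_count(assets) -> int:
    """Closed form for the number of top-level threats: 2 * |assets| * |actions|."""
    return 2 * len(assets) * len(ACTIONS)


if __name__ == "__main__":
    generated = generate_threats(ACTORS, ASSETS, INTENDED)
    assert len(generated) == threat_count(ASSETS)
    for t in generated:
        print(t.describe())
```

Because every threat is derived mechanically from the intended-actions table, reviewing the model reduces to reviewing that table against what the system is really meant to do; a row that is wrong there produces a wrong threat list, which is the sense in which the insolubility has moved from the code to the specification.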

Presenters:

  • Brenda
    Brenda has been working in various IT-related capacities (programming, system administration and software security, usually simultaneously) since 1993 or so. The pattern is clear: she gets in, determines the lay of the land, identifies the ridiculously large human/computer collaboration which would run _much_ better with a different division of labor, converts her audience and a few collaborators, and whips up some software to automate the problem into submission. Recently, she has been analyzing the security of software systems on behalf of a Seattle-based consulting firm, with predictable results: analysis techniques that take the respective strengths and weaknesses of humans and computers into account, dividing labor accordingly.
