Threat Modeling
Overview
The purpose of this activity is to help you enumerate and model the
security of your system architecture by looking at it from the point
of view of threats. In the Microsoft Threat Modeling methodology a
"threat" is a class of attack, not one specific exploit. Threats fall
into the following categories (STRIDE):
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
Today, let's model Dropbox.
Dropbox is a cloud-based storage system for your desktop and mobile
devices. Store a file in a folder on your desktop, and it gets
immediately uploaded to the server and synchronized across all of
your registered devices. Users can share folders in their Dropbox,
allowing other users or the public to view the files. Also, each change
to a file is kept in a version history, so that users can revert to
old copies of their files. All of this can be managed via a desktop
client, a mobile client, and a webapp.
One feature you may not know about is Dropbox's de-duplication
engine. The clients maintain a local list of hashes of the files in
your folder. When a file changes, the client recomputes its hash and
sends all of the hashes to the server. The server then applies this
logic to each hash:
- New change. If the server does not have the hash, the client
uploads the file.
- No change. If the server already has the hash associated with
the user's account, no file is uploaded.
- De-duplicate. If the server already has the hash, but
another user owns it, then the server records that this user is also
storing a copy of the file associated with that hash (no file is
uploaded, just some bookkeeping).
De-duplication can provide a huge speedup in upload times and big
storage savings for Dropbox. Note that in the de-duplicate case the
hash alone is what the server acts on; keep that in mind when you
model the upload data flow.
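The three rules above, as an added example that is not code from the page or from Dropbox: a small Python simulation of the server side of the de-duplication logic, run over constructed sample files for three users. It shows the bytes saved, and also shows why the de-duplicate rule deserves a threat entry: a client that knows only a file's hash is handled exactly like one that holds the file. For comparison the block adds a proof-of-possession challenge (a nonce the client must hash together with the file), which is this example's mitigation, not a feature the page attributes to Dropbox. SHA-256, the user names and the file contents are all assumptions.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample files for the walkthrough (not real Dropbox data).
FILES = {
    "report.pdf": b"quarterly numbers " * 200,
    "photo.jpg": b"\xff\xd8\xff\xe0 not really a jpeg " * 100,
}


def content_hash(data):
    """Client-side hash of a whole file. SHA-256 is this example's choice;
    the page does not say which hash Dropbox uses."""
    return hashlib.sha256(data).hexdigest()


class DedupServer:
    """Server side of the three-rule de-duplication logic, simplified."""

    def __init__(self):
        self.blobs = {}                  # hash -> bytes, stored once per hash
        self.owners = defaultdict(set)   # hash -> users recorded as holding a copy
        self.bytes_uploaded = 0          # bytes clients actually had to send

    def sync(self, user, hashes, upload):
        """Apply the rules to each hash reported by `user`. `upload(h)` stands
        in for the real upload and is only called in the 'new change' case."""
        outcome = {}
        for h in hashes:
            if h not in self.blobs:
                data = upload(h)
                if content_hash(data) != h:      # reject bytes that don't match
                    raise ValueError("uploaded bytes do not match claimed hash")
                self.blobs[h] = data
                self.bytes_uploaded += len(data)
                outcome[h] = "new change"
            elif user in self.owners[h]:
                outcome[h] = "no change"
            else:
                outcome[h] = "de-duplicate"      # bookkeeping only, no bytes sent
            self.owners[h].add(user)
        return outcome

    # Proof of possession: a mitigation added here for comparison, not a
    # feature the page attributes to Dropbox.
    def challenge(self):
        """Fresh nonce so a client cannot replay an earlier proof."""
        return secrets.token_bytes(16)

    def verify_possession(self, h, nonce, proof):
        """Honour a de-dup claim only if the client can hash nonce||file."""
        expected = hashlib.sha256(nonce + self.blobs[h]).hexdigest()
        return secrets.compare_digest(expected, proof)


def client_proof(data, nonce):
    """What a client that really holds the bytes computes for the challenge."""
    return hashlib.sha256(nonce + data).hexdigest()


def run_scenario():
    server = DedupServer()
    report, report_hash = FILES["report.pdf"], content_hash(FILES["report.pdf"])

    # Alice syncs both files for the first time: both are uploaded.
    alice_files = {content_hash(d): d for d in FILES.values()}
    alice = server.sync("alice", list(alice_files), alice_files.__getitem__)

    def never_called(h):                 # the server must not ask for bytes here
        raise AssertionError("server requested an upload")

    # Alice syncs again with nothing changed: no upload.
    alice_again = server.sync("alice", [report_hash], never_called)

    # Bob has an identical report.pdf: only ownership is recorded.
    bob = server.sync("bob", [report_hash], never_called)

    # Carol has only the hash and none of the bytes. Under the stated rules
    # the server cannot tell her apart from Bob.
    carol = server.sync("carol", [report_hash], never_called)

    # With the possession check, Bob passes and Carol fails.
    nonce = server.challenge()
    bob_ok = server.verify_possession(report_hash, nonce, client_proof(report, nonce))
    carol_ok = server.verify_possession(report_hash, nonce, client_proof(b"", nonce))

    return {
        "alice": alice,
        "alice_again": alice_again[report_hash],
        "bob": bob[report_hash],
        "carol": carol[report_hash],
        "bytes_uploaded": server.bytes_uploaded,
        "bytes_in_all_folders": sum(len(d) for d in FILES.values()) + 2 * len(report),
        "owners_of_report": sorted(server.owners[report_hash]),
        "bob_proves_possession": bob_ok,
        "carol_proves_possession": carol_ok,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

When you draw the "Upload Files" and "Send Hashes" data flows in the tool, the scenario is a ready-made threat to attach to them: the server's de-duplicate branch trusts the client's hash list as evidence of what the user holds.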
Additionally, Dropbox servers are spread across multiple physical
sites, and data is replicated across those sites for reliability and
performance. This replication is handled by a single database
management system. Mobile and desktop clients (and even the webapp)
all interact with a common API.
Note: you may make reasonable assumptions about the features
of the system for the sake of this exercise.
Setup
This activity is for groups of 2-3.
- Discuss briefly as a group what the architecture of the
system looks like.
- Fire up the Microsoft Threat Modeling tool. Before going
further, save your file, calling it Dropbox.tms.
- Start your architecture with data stores,
processes, and external interactors.
- Next, add data flow relationships. Be sure to name
every relationship with a verb (e.g. "Upload Files"). Note:
you can, and are encouraged to, have multiple dataflows from one
primitive to another.
- Next, add machine boundaries and trust
boundaries.
- In the lower left, go to Analyze Model.
- Expand a few of the items in the upper-left. Notice
the vast number of potential threats that can arise.
- Let's use some assumptions to eliminate threats from being
generated. Discuss as a group which threat categories you
believe are not possible in Dropbox. Right-click on those data flows
and select "Do not generate threats". Be ready to discuss your choice
with the class.
- Now let's make a threat, getting our inspiration from
the diagram. Start with DenialOfService on a data store.
Read the questions. Fill in a potential impact, and a solution.
- Now let's also test your model. Try to think of a security
concern in your system. This can be a design concern or
domain-specific vulnerability. Where does it fit in your model? If it
doesn't, revise the model a bit.
- Pick three more elements, and come up with a threat for each
of those (just pick one category of threat).
- At this point, check the report by going to Generate
Reports in the lower-left. Note anything you believe is missing.
- Continue adding threats to the system. Be ready to
discuss your results with the class.
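The procedure above, as an added example that is not code from the page or from Microsoft's tool: a small Python model of a first-cut Dropbox diagram that enumerates candidate threats with the published STRIDE-per-element mapping (external interactor: S, R; process: all six; data store: T, R, I, D; data flow: T, I, D), lets you mark an element as "do not generate threats", flags the flows that cross a machine or trust boundary, and records one threat with its impact and mitigation. The element, zone and flow names are this example's assumptions, and the real tool generates threats from its own templates, so its counts will differ; the point is to see how quickly the list grows and why the boundary-crossing flows deserve attention first.

```python
from dataclasses import dataclass

# STRIDE-per-element as published for the Microsoft SDL approach
# (Shostack, "Threat Modeling: Designing for Security", 2014): which
# categories are considered for each DFD element type. The tool itself
# uses its own threat templates, so this is an approximation of its output.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
APPLICABLE = {"external": "SR", "process": "STRIDE",
              "datastore": "TRID", "dataflow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | datastore
    zone: str   # machine or trust zone the element lives in (assumed names)


@dataclass(frozen=True)
class Flow:
    verb: str   # name every flow with a verb, e.g. "Upload Files"
    src: Element
    dst: Element

    def crosses_boundary(self):
        return self.src.zone != self.dst.zone


def dropbox_model():
    """A first-cut DFD of the system described on this page; element,
    zone and flow names are this example's assumptions."""
    user = Element("User", "external", "user-device")
    client = Element("Desktop Client", "process", "user-device")
    api = Element("Sync API", "process", "dropbox-site-a")
    store = Element("File Store", "datastore", "dropbox-site-a")
    meta = Element("Hash/Owner DB", "datastore", "dropbox-site-a")
    replica = Element("Replica DB", "datastore", "dropbox-site-b")
    return [
        Flow("Save File", user, client),
        Flow("Send Hashes", client, api),
        Flow("Upload Files", client, api),
        Flow("Download Files", api, client),
        Flow("Look Up Hash", api, meta),
        Flow("Record Owner", api, meta),
        Flow("Store Blob", api, store),
        Flow("Replicate", meta, replica),
    ]


def enumerate_threats(flows, suppressed=frozenset()):
    """One candidate (name, category, crosses_boundary) triple per applicable
    STRIDE letter, skipping pairs marked 'do not generate threats'.
    Boundary-crossing flows are sorted to the front."""
    elements = {}
    for f in flows:
        elements.setdefault(f.src.name, f.src)
        elements.setdefault(f.dst.name, f.dst)
    threats = []
    for el in elements.values():
        for letter in APPLICABLE[el.kind]:
            if (el.name, letter) not in suppressed:
                threats.append((el.name, STRIDE[letter], False))
    for f in flows:
        for letter in APPLICABLE["dataflow"]:
            if (f.verb, letter) not in suppressed:
                threats.append((f.verb, STRIDE[letter], f.crosses_boundary()))
    threats.sort(key=lambda t: not t[2])   # stable sort: crossing flows first
    return threats


def is_applicable(element, letter):
    """Does STRIDE-per-element consider this category for this element type?"""
    return letter in APPLICABLE[element.kind]


def record_threat(element, letter, impact, mitigation):
    """Fill in one threat the way the tool's form asks for it, rejecting a
    category the mapping does not apply to this element type."""
    if not is_applicable(element, letter):
        raise ValueError(f"{STRIDE[letter]} is not applicable to a {element.kind}")
    return {"element": element.name, "threat": STRIDE[letter],
            "impact": impact, "mitigation": mitigation}


if __name__ == "__main__":
    flows = dropbox_model()
    print(len(enumerate_threats(flows)), "candidate threats before any assumptions")
    # Assumption: "Save File" is a local OS call on the user's own machine,
    # so the group chooses not to generate threats for that flow.
    local = {("Save File", letter) for letter in "TID"}
    print(len(enumerate_threats(flows, local)), "after suppressing Save File")
    store = next(f.dst for f in flows if f.verb == "Store Blob")
    print(record_threat(store, "D",
          impact="Users cannot sync or restore versions while the store is down",
          mitigation="Cross-site replication plus per-client rate limiting"))
```

Every suppression you make in the tool corresponds to an entry in `suppressed` here, which is a useful way to keep the list of assumptions you will have to defend in class.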
Submission & Grading
Your instructor will grade your Threat Model. This activity is
worth 10 points. Grading breakdown is as follows:
- 6 points. A complete diagram of Dropbox
- 2 points. At least five total threats.
- 2 points. Thoughtful analysis of the risks