Threat Modeling again. Drawing the diagram.

re: Threat Modeling again. Drawing the diagram.

Stuart Ballard — Fri, 31 Aug 2007 20:38:17 GMT

The fact that audio playback APIs are left so fuzzy leaves me wondering if there's a piece missing from this diagram that's still relevant to PlaySound itself. On what basis does PlaySound decide *which* API to use? Since that decision is presumably driven by some kind of external factor, it sounds like that piece of data is on the other side of a trust boundary. Could PlaySound be attacked by trying to persuade it to use a different playback API - which (for the purposes of this diagram) PlaySound treats as completely trusted...

re: Threat Modeling again. Drawing the diagram.

LarryOsterman — Fri, 31 Aug 2007 20:44:17 GMT

Stuart, that's only if Playsound can be configured to use different playback APIs. Since it doesn't (it currently only uses the waveOutXxx APIs), I didn't include it.

In the future, PlaySound might be changed to use a different set of APIs, that's why I left it ambiguous.

re: Threat Modeling again. Drawing the diagram.

LarryOsterman — Fri, 31 Aug 2007 20:45:26 GMT

Btw, PlaySound treats the audio APIs as totally trusted is because they're running in-proc.

In general, you treat code that run in the same process as you as being fully trusted - after all, there's nothing that this code could do that would compromise the machine/process.

re: Threat Modeling again. Drawing the diagram.

Stuart Ballard — Fri, 31 Aug 2007 20:55:02 GMT

Fair enough :) Am I right that if it *was* possible to configure which API was used, then the source of that configuration should appear on the diagram?

re: Threat Modeling again. Drawing the diagram.

LarryOsterman — Fri, 31 Aug 2007 21:37:42 GMT

Stuart: Possibly. It depends on the mechanism used to determine the output.

For instance, consider what would happen if PlaySound was augmented to play WMA files (NOTE: 'm explicitly not saying that's going to happen, it's just an example that would involve using multiple render paths). In that case, we'd rename "WAV file" in the diagram to "Audio file" and we'd add a new external interactor "Media Foundation Playback APIs" and have data flows going to that external interactor.

re: Threat Modeling again. Drawing the diagram.

Daniele Muscetta — Fri, 31 Aug 2007 22:48:15 GMT

"[...] Here's what it looks like (I drew this in Visio, obviously you could use any tool to draw it (I know one group that literally draws their diagrams on the whiteboard then takes a picture of it with a cell phone camera and then pastes the picture into a Word document)) [...]"

I use to draw on black- or white- boards or paper a lot.

I don't always take pictures of those, because most of the times they are not meant to be shared. But I certainly would if I had to share those diagrams. I remember at least one time when I really did that (take a picture of) a drawing a customer made on a blackboard, to "take note" of what he explained to me, so that I could take his explanation with me and do some background-thinking about his architecture....

re: Threat Modeling again. Drawing the diagram.

Dan — Sat, 01 Sep 2007 07:11:38 GMT

I'm not a programmer, but couldn't help noticing that one block is missing: DRM. The article talks about trust and relations and this was not mentioned (i hope it would be in the next article in the series, maybe).

I think ( I'm not sure, and don't have any links at hand, and I think random googling would be pointles due to credibility of the sources ) that *protected path is mandatory for HD playback on certified devices, including Vista ( or only Vista 64bit ? ) - proscribed by the consortium that invented HD-DVD or Bluray or both* (again, the text between the asterisks is from memory and very innacurate, but it was all over the web for quite some time and is often quoted.

So, any thoughts on this? I realize Larry might be bound by NDAs and similar, and I wouldn't mind if he doesn't respond or deletes this post, but I would be happy if anyone sheds some light on this directly from the source. :)

Dan

re: Threat Modeling again. Drawing the diagram.

orcmid — Mon, 03 Sep 2007 05:41:42 GMT

"Btw, PlaySound treats the audio APIs as totally trusted is because they're running in-proc.

In general, you treat code that run in the same process as you as being fully trusted - after all, there's nothing that this code could do that would compromise the machine/process."

I was originally concerned that there could be threats that involved contaminating PlaySound from the Audio Playback component (which might not be possible in the actual arrangement and I don't know what the assumption on acceptance of those components is).

But the above remark left me even more confused. I don't buy that as a generality. What additional conditions occur in Playsound that makes that a safe observation.

re: Threat Modeling again. Drawing the diagram.

Girish — Mon, 03 Sep 2007 11:51:10 GMT

"I know one group that literally draws their diagrams on the whiteboard then takes a picture of it with a cell phone camera and then pastes the picture into a Word document".

Larry, this is actually recommended in the much acclaimed book "Applying UML and Patterns" by Craig Larman. I think it makes sense, too - if you draw well enough on the board and the picture is good, it can be added to a document.

re: Threat Modeling again. Drawing the diagram.

LarryOsterman — Mon, 03 Sep 2007 17:16:29 GMT

Dan: DRM? Why would DRM matter? There's no DRM involved in playing WAV files. Heck, the audio engine threat model diagram doesn't include DRM either, because the DRM system doesn't functionally change the data flow for the audio system.

Threat modeling is about modeling data flow through a system. It's not about describing all the features and possible features of a system.

Threat Modeling Again, STRIDE per Element

Larry Osterman's WebLog — Mon, 10 Sep 2007 20:31:07 GMT

As I mentioned the other day , we had three huge big realizations as we've been doing more and more threat

Threat Modeling Again, STRIDE per Element

Noticias externas — Mon, 10 Sep 2007 20:54:32 GMT

As I mentioned the other day , we had three huge big realizations as we've been doing more and more

STRIDE chart

The Security Development Lifecycle — Wed, 12 Sep 2007 03:05:02 GMT

Adam Shostack here. I've been meaning to talk more about what I actually do, which is help the teams

Threat Modeling Again, Threat Modeling in Practice

Larry Osterman's WebLog — Wed, 19 Sep 2007 01:48:54 GMT

I've been writing a LOT about threat modeling recently but one of the things I haven't talked about is

Some final thoughts on Threat Modeling...

Larry Osterman's WebLog — Mon, 01 Oct 2007 19:54:06 GMT

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah,

Some final thoughts on Threat Modeling...

Noticias externas — Mon, 01 Oct 2007 19:55:50 GMT

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah