Threat Modeling Again, Threat Modeling PlaySound

STRIDE chart

The Security Development Lifecycle — Wed, 12 Sep 2007 21:09:18 GMT

Adam Shostack here. I've been meaning to talk more about what I actually do, which is help the teams

re: Threat Modeling Again, Threat Modeling PlaySound

Norman Diamond — Thu, 13 Sep 2007 11:39:07 GMT

Hypothetical question here. Suppose the design of the throttler were reversed, so that opening a network socket would impose a Denial of Service on PlaySound. Would that be #7 in your list? Do you have a way to distinguish intended threats from unintended threats?

re: Threat Modeling Again, Threat Modeling PlaySound

LarryOsterman — Thu, 13 Sep 2007 16:09:14 GMT

Norman, I don't believe so. There's a huge difference between a denial of service and a reduction in service (IMHO). A Denial of Service issue might result in a MSRC bulletin (depending on the DoS issue - in some components like the shell or ie, they doesn't necessarily result in bulletins, instead DoS issues often are deferred to the next service pack (it all depends on the individual circumstances)). But a slowdown is highly unlikely to result in a MSRC bulletin (although it might result in a QFE (like the recent performance and reliability hotfixes)).

But that IS a very good question.

Threat Modeling Again, Analyzing the threats to PlaySound

Larry Osterman's WebLog — Thu, 13 Sep 2007 18:02:41 GMT

In my last post , I enumerated a bewildering array of threats that the PlaySound API is subject to, today

re: Threat Modeling Again, Threat Modeling PlaySound

Norman Diamond — Fri, 14 Sep 2007 04:51:31 GMT

My question

>> Do you have a way to distinguish intended threats from

>> unintended threats?

meant in the design of the threat model, not in Microsoft's decision whether to issue a bulletin about it.

On the other issue

> There's a huge difference between a denial of service and a

> reduction in service (IMHO).

For PlaySound maybe it wouldn't often matter, though if we want to play an alarm warning that a hard drive is overheating then it would matter. But in general I think it depends on how huge the difference is. If a reduction in service means that a bank's web site can process 50% of customer payments that it was supposed to process, I think the difference between 50% and 100% is huger than the difference between 50% and 0%.

re: Threat Modeling Again, Threat Modeling PlaySound

LarryOsterman — Fri, 14 Sep 2007 09:04:50 GMT

Norman, threats are. Your analysis may indicate whether a threat is relevant (or not), whether you want to mitigate it (or not). But there is no such thing as an "intended" or "unintended" threat.

For some components, resiliance against DoS threats takes many forms - As I mentioned in my post about mitigations, if your particular component is vulnerable to DoS threats, there are many strategies you can use to mitigate the vulnerability.

Some final thoughts on Threat Modeling...

Larry Osterman's WebLog — Tue, 02 Oct 2007 21:54:46 GMT

I want to wrap up the threat modeling posts with a summary and some comments on the entire process. Yeah,