a contract oriented view on threat modelling
play

A contract-oriented view on threat modelling Ketil Stlen SINTEF - PowerPoint PPT Presentation

Nov 27, 2023 •424 likes •805 views

A contract-oriented view on threat modelling Ketil Stlen SINTEF ICT and University of Oslo Joint work with Gyrd Brndeland, Heidi Dahl, Olav Ligaarden FLACOS Malta, November 27, 2008 ICT Motivation How to modularize threat modelling

  1. A contract-oriented view on threat modelling Ketil Stølen SINTEF ICT and University of Oslo Joint work with Gyrd Brændeland, Heidi Dahl, Olav Ligaarden FLACOS Malta, November 27, 2008 ICT

  2. Motivation � How to modularize threat modelling � How to deal with mutual dependencies in threat modeling of complex systems � We need a notion of contract at the abstraction level of threat models ICT 2

  3. Problem of risk analysis � Systems � are complex � mutually dependent � cross national borders � are continuously updated � You never have full access to all documentation � And, if you had, there would just be too much of it ICT 3

  4. There is only one way forward � We need a reductionistic approach to risk analysis � Decomposing analyses into smaller parts � Composing (already completed) analyses into an overall risk picture � Methodological reductionism is the idea that developing an understanding of a complex system's constituent parts (and their interactions) is the best way to develop an understanding of the system as a whole ICT 4

  5. Reductionistic approach to the modeling of threat scenarios � I will illustrate the approach on CORAS � CORAS is � a method for model-driven security risk analysis � a graphical language � for structured brainstorming and analysis � semantics defined as schematic translation of diagrams into English � a tool � You may do likewise with your favorite threat scenario modeling language – (or your favorite risk table) ICT 5

  6. Approach � Extend the graphical CORAS language to cope with context dependencies � We refer to the extended language as Dependent CORAS � Update the semantics of the CORAS language to deal with context dependencies � Define rules to reason about context dependencies � Define rules for simplifying composed scenarios ICT 6

  7. One Step Back: What is Security Risk Analysis? Analysis context Vulnerability Treatment Target Threat Risk Asset Likelihood Unwanted incident Consequence ICT 7

  8. The CORAS security risk modeling language human threat (accidental) unwanted threat incident scenario asset vulnerability non-human threat treatment human threat (deliberate) ICT 8

  9. Threat Diagram Power supply in Sweden breaks down [1:5 years] 0.1 Blackout in [1:100 years] 1.0 critical Power supply in Norway Power Norway breaks down [3:100 years] production Hacker in Norway Threat Threat scenario Unwanted incident Asset ICT 9

  10. Semantics: Translation into English � Vertices � ”Hacker” is a deliberate threat. � Threat scenario ”Power supply in Norway breaks down” occurs with undefined likelihood. � Threat scenario ”Power supply in Sweden breaks down” occurs with likelihood ”1:5 years”. � Unwanted incident ”Blackout in Norway” occurs with likelihood ”3:100 years”. � ”Power production in Norway” is an asset. � Relations � Hacker initiates ”Power supply in Norway breaks down” with likelihood ”1:100” years. � ”Power supply in Norway breaks down” leads to ”Blackout in Norway” with conditional likelihood ”1.0”. � ”Power supply in Sweden breaks down” leads to ”Blackout in Norway” with conditional likelihood ”0.1”. � ”Power supply in Norway breaks down” impacts ”Power production in Norway” with consequence ”critical”. ICT 10

  11. Checking Likelihoods Power supply in Sweden breaks down [1:5 years] 0.1 Blackout in [1:100 years] 1.0 critical Power supply in Norway Power Norway breaks down [3:100 years] production Hacker in Norway [1:5 years] * 0.1 = [1:50 years] [1:100 years] + [1:50 years] = [3:100 years] ICT 11

  12. Dependent Diagram C ONTEXT SCENARIO Power supply in Sweden breaks down [1:5 years] 0.1 Norwegian Power Supply T ARGET SCENARIO Blackout in [1:100 years] Power supply in 1.0 critical Norway Power Norway breaks down [3:100 years] production Hacker in Norway ICT 12

  13. Semantics of Dependent Diagram � [[ ]] := [[ T ]] assuming [[ C ]] to the extent there are explicit dependencies Power supply in Sweden breaks down [1:5 years] 0.1 Norwegian Power Supply Blackout in [1:100 years] Power supply in 1.0 critical Norway Power Norway breaks down [3:100 years] production Hacker in Norway ICT 13

  14. Independence of Context : T is independent of C if there are no paths from C to T ICT 14

  15. Rule of Independence Power supply in Sweden breaks down [1:5 years] 0.1 Norwegian Power Supply Blackout in [1:100 years] Power supply in 1.0 critical Norway Power Norway breaks down [3:100 years] production Hacker in Norway ICT 15

  16. Modus Ponens ICT 16

  17. Applying the Deduction Rules Power supply in Sweden breaks down [1:5 years] 0.1 Norwegian Power Supply Blackout in [1:100 years] Power supply in 1.0 critical Norway Power Norway breaks down [3:100 years] production Hacker in Norway Power supply in Norway breaks down [1:100 years] 1.0 Swedish Power Supply Power supply in Blackout in 1.0 critical Sweden breaks down Sweden Power [21:100 years] [1:5 years] Operator production error in Sweden ICT 17

  18. The Combined Diagram ICT 18

  19. ICT 19

  20. Blackout in southern Sweden and Norway Grid overload Minor export High export causes multiple Transmission 1.0 0.1 0.5 area blackout from area line outage outages in export in Norway Power [1:1years] area [1:1year] High load on Protection [1:20years] market [1:10years] transmission failure corridor moderate Grid 0.4 overload causes critical 0.5 multiple outages High import Low hydro Failed area Lack of High load on Power [1:10years] 1.0 Total area availability from Sweden protection transmission rain in production blackout [1:5years] [1:5years] Norway corridor in Norway [1:20years] 0.4 0.1 Grid overload causes 0.4 multiple outages Blackout in 0.5 [1:10years] Hacker southern Sweden 0.07 Outage of two [1:20years] Failed load Failed area or more transmission lines in protection shedding the north/south corridor Interface critical [1: 1year] bottleneck Operator 0.01 moderate Power error Reduced production nuclear availability in Sweden Minor area [1:20years] 1.0 blackout 0.2 [1:20years] Low hydro Capacity Unstable 0.4 1.0 Lack of availability shortage network rain in [1:5years] [1:4years] [1:10years] Sweden ICT 20

  21. Horizontal Composition Grid overload High export causes multiple Transmission 0.5 1.0 0.1 from area outages in export line outage [1:1years] area High load on [1:1year] Protection [1:10years] transmission failure corridor ICT 21

  22. Blackout in southern Sweden and Norway High export Minor export leads to grid overload 0.5 area blackout in Norway in Norway Power [1:10years] [1:20years] market moderate Grid 0.4 overload causes critical 0.5 multiple outages Low hydro High import Failed area Lack of High load on Power [1:10years] 1.0 Total area from Sweden availability protection transmission rain in production blackout [1:5years] [1:5years] Norway corridor in Norway [1:20years] 0.4 0.1 Grid 0.4 overload causes multiple outages Blackout in 0.5 [1:10years] Hacker southern Sweden 0.07 Outage of two [1:20years] Failed area Failed load or more transmission lines in protection shedding the north/south corridor Interface critical [1: 1year] bottleneck 0.01 Operator moderate Power Reduced error production nuclear availability in Sweden Minor area [1:20years] blackout 1.0 0.2 [1:20years] Low hydro Capacity Unstable 0.4 1.0 Lack of availability shortage network rain in [1:5years] [1:4years] [1:10years] Sweden ICT 22

  23. Horizontal Composition 0.2 Total area critical blackout [1:20years] 0.2 ICT 23

  24. Blackout in southern Sweden and Norway High export Minor export leads to grid overload 0.5 area blackout in Norway in Norway Power [1:10years] [1:20years] market moderate Total area critical 0.2 blackout [1:20years] Low hydro High import Lack of High load on Power 1.0 availability from Sweden transmission rain in production [1:5years] [1:5years] corridor Norway in Norway 0.2 0.1 Grid 0.4 overload causes multiple outages Blackout in 0.5 [1:10years] Hacker southern Sweden 0.07 Outage of two [1:20years] Failed area Failed load or more transmission lines in protection shedding the north/south corridor Interface critical [1: 1year] bottleneck Operator 0.01 moderate Power Reduced error production nuclear availability in Sweden Minor area [1:20years] blackout 1.0 0.2 [1:20years] Low hydro Capacity Unstable 0.4 1.0 Lack of availability shortage network rain in [1:5years] [1:4years] [1:10years] Sweden ICT 24

  25. Horizontal Composition Total area critical 0.2 blackout [1:20years] critical Total area blackout 0.1 in southern Sweden and Norway critical [1:100years] ICT 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance, operational security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt

986 views • 47 slides
Identifying Changes in the Cybersecurity Threat Landscape using the LDA-Web Topic Modelling Data

Identifying Changes in the Cybersecurity Threat Landscape using the LDA-Web Topic Modelling Data

Identifying Changes in the Cybersecurity Threat Landscape using the LDA-Web Topic Modelling Data Search Engine Thursday 13 th July 2017 Multidisciplinary approaches to Cloud Crime HCII 2017, Vancouver Canada Noura Al Moubayed, David Wall, and

544 views • 9 slides
Hierarchical Multidimensional Modelling Hierarchical Multidimensional Modelling in the Concept-

Hierarchical Multidimensional Modelling Hierarchical Multidimensional Modelling in the Concept-

Hierarchical Multidimensional Modelling Hierarchical Multidimensional Modelling in the Concept- -Oriented Data Model Oriented Data Model in the Concept Alexandr Savinov Fraunhofer Institute for Autonomous Intelligent Systems Knowledge

411 views • 23 slides
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 5:

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 5:

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 5: Modelling with Classes Lecture 5 5.1 What is UML? The Unied Modelling Language is a standard graphical language for modelling object oriented

566 views • 32 slides
An Operators View on Approaches to MIC Threat and Failure Assessment Presentation by: Trevor

An Operators View on Approaches to MIC Threat and Failure Assessment Presentation by: Trevor

An Operators View on Approaches to MIC Threat and Failure Assessment Presentation by: Trevor Place, Senior Eng. Specialist Enbridge Pipelines Thursday, Feb 7, 2019 from 8:45AM - 11:30AM Forum on Assessment of Microbiologically Influenced

428 views • 9 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
IGES view on new market IGES view on new market- IGES view on new market IGES view on new market

IGES view on new market IGES view on new market- IGES view on new market IGES view on new market

Institute for Global Environmental Strategies Towards sustainable development - policy oriented, practical and strategic research on global environmental issues IGES view on new market IGES view on new market- IGES view on new market IGES view

164 views • 4 slides
Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design (COMP 304) 7 January 2005 Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and Design Lab (MSDL) School of Computer Science, McGill University, Montr eal, Canada

279 views • 17 slides
Contract Types and Contract Management Richard Foster VGSO Seminar 26 July 2007 Contract Types

Contract Types and Contract Management Richard Foster VGSO Seminar 26 July 2007 Contract Types

Contract Types and Contract Management Richard Foster VGSO Seminar 26 July 2007 Contract Types and Contract Management + Contract Types, Relationships and Enhancing Value + Contract Types A new view What does this mean for contract

753 views • 25 slides
FCAView Tab: Tab: FCAView A Concept- -Oriented View Generation Tool for Oriented View

FCAView Tab: Tab: FCAView A Concept- -Oriented View Generation Tool for Oriented View

FCAView Tab: Tab: FCAView A Concept- -Oriented View Generation Tool for Oriented View Generation Tool for A Concept Clinical Data Using Formal Concept Analysis Clinical Data Using Formal Concept Analysis Guoqian Jiang Jiang, Katsuhiko

725 views • 30 slides
Data Modelling with ASN.1 for Space Applications ESA/ESTEC frame contract n4000104809

Data Modelling with ASN.1 for Space Applications ESA/ESTEC frame contract n4000104809

Data Modelling with ASN.1 for Space Applications ESA/ESTEC frame contract n4000104809 Thanassis Tsiodras, Dr.-Ing NeuroPublic S.A. ASN.1? What is that? It's a "secret" weapon of the aeronautical, security and telecommunication

757 views • 26 slides
Improving test methods in the spirit of the 3Rs; the point of view of a contract research

Improving test methods in the spirit of the 3Rs; the point of view of a contract research

Rome, December 17 th , 2012 Serena Cinelli Improving test methods in the spirit of the 3Rs; the point of view of a contract research organization Why a CRO? CRO is the bridge between companies and a compliant dossier CROs have more

437 views • 25 slides
Requirements Checking for Object-Oriented Software Design with difgerent Unifjed Modelling

Requirements Checking for Object-Oriented Software Design with difgerent Unifjed Modelling

Requirements Checking for Object-Oriented Software Design with difgerent Unifjed Modelling Language (UML) notations Use Case Notation, Sequence Diagrams, Regular Expressions and State Automata Bart Meyers Hans Vangheluwe 1 requirements

299 views • 26 slides
Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design (COMP 304) Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and Design Lab (MSDL) School of Computer Science, McGill University, Montr eal, Canada Hans Vangheluwe

506 views • 22 slides
Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design (COMP 304) Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and Design Lab (MSDL) School of Computer Science, McGill University, Montr eal, Canada Hans Vangheluwe

785 views • 42 slides
Performance Modelling of Message-Oriented Middleware with Priority Queues Snigdha Singh, Larissa

Performance Modelling of Message-Oriented Middleware with Priority Queues Snigdha Singh, Larissa

Performance Modelling of Message-Oriented Middleware with Priority Queues Snigdha Singh, Larissa Schmid, Anne Koziolek ARCHITECTURE-DRIVEN REQUIREMENTS ENGINEERING GROUP, INSTITUTE FOR PROGRAM STRUCTURES AND DATA ORGANIZATION, KIT DEPARTMENT OF

495 views • 12 slides
Power Delivery 2 3 1 1/22/2019 Power Delivery 4 Transmission Asset Protection Territories -

Power Delivery 2 3 1 1/22/2019 Power Delivery 4 Transmission Asset Protection Territories -

1/22/2019 KAPS Ryan Daugherty- Asset Protection Specialist 1 Power Delivery 2 3 1 1/22/2019 Power Delivery 4 Transmission Asset Protection Territories - MW 5 Transmission Asset Protection Overview Video Play the video

275 views • 10 slides
Rediscovering Distributed Systems Steve Vinoski Basho Technologies Cambridge, MA USA

Rediscovering Distributed Systems Steve Vinoski Basho Technologies Cambridge, MA USA

Rediscovering Distributed Systems Steve Vinoski Basho Technologies Cambridge, MA USA http://basho.com @stevevinoski vinoski@ieee.org http://steve.vinoski.net/ Thursday, October 17, 13 1 Distributed Systems are Everywhere Thursday,

1.34k views • 116 slides
Home Front Hawai`i: a WWII Legacy Underneath the Sea (lessons from submerged social sciences)

Home Front Hawai`i: a WWII Legacy Underneath the Sea (lessons from submerged social sciences)

Home Front Hawai`i: a WWII Legacy Underneath the Sea (lessons from submerged social sciences) NOAA Educators Webinar, Thursday February 14, 2019 Hans Van Tilburg NOAA Office of National Marine Sanctuaries hans.vantilburg@noaa.gov Topics to

709 views • 33 slides
Visual/CSS Regression Testing with WebDriver.io/WebDriverCSS DrupalCamp Florida March 5, 2016

Visual/CSS Regression Testing with WebDriver.io/WebDriverCSS DrupalCamp Florida March 5, 2016

Visual/CSS Regression Testing with WebDriver.io/WebDriverCSS DrupalCamp Florida March 5, 2016 Who am I? Lisa Ridley, Director of Client Success, Savas Labs (savaslabs.com) Responsibilities: Project Manager and Lead Developer

357 views • 19 slides
Todays Agenda 05:00 Meet the presenter 75:00 Presentation Centennial History of the

Todays Agenda 05:00 Meet the presenter 75:00 Presentation Centennial History of the

Todays Agenda 05:00 Meet the presenter 75:00 Presentation Centennial History of the 10:00 Questions and Answers Raleigh Fire Department Presented by Mike Legeros August 2012 About These Slides Presenter Information

276 views • 27 slides
ENERGY STAR Connected Water Heaters Water Heaters Version 3.3 Draft 1 Abigail Daken, EPA Dan

ENERGY STAR Connected Water Heaters Water Heaters Version 3.3 Draft 1 Abigail Daken, EPA Dan

ENERGY STAR Connected Water Heaters Water Heaters Version 3.3 Draft 1 Abigail Daken, EPA Dan Baldewicz, ICF May 2, 2019 1 Agenda Welcome, Introductions Reminder: Specification Scope Proposed Connected Water Heater Criteria

343 views • 22 slides
Concurrency Bugs Nima Honarmand (Based on slides by Prof. Andrea Arpaci-Dusseau) Fall 2017 ::

Concurrency Bugs Nima Honarmand (Based on slides by Prof. Andrea Arpaci-Dusseau) Fall 2017 ::

Fall 2017 :: CSE 306 Concurrency Bugs Nima Honarmand (Based on slides by Prof. Andrea Arpaci-Dusseau) Fall 2017 :: CSE 306 Concurrency Bugs are Serious The Therac-25 incident (1980s) The accidents occurred when the high-power electron

297 views • 27 slides
RaceMob: Crowdsourced Data Race Detec,on Baris Kasikci, Cris,an

RaceMob: Crowdsourced Data Race Detec,on Baris Kasikci, Cris,an

RaceMob: Crowdsourced Data Race Detec,on Baris Kasikci, Cris,an Zamfir, and George Candea School of Computer & Communica3on Sciences Tuesday 12 November 13 Data Races

767 views • 25 slides

More recommend