Object Model (v1.x) (WIP)
- TM
- Server
- ExternalEntity
- DataFlow
- Datastore
- Actor
- Process
- SetOfProcesses
- Boundary
- Lambda
- Data
- CredentialsLife
- Classification
- Threat
- Threats
- Finding
The TM object is used by pytm internally to manage all the data associated with a model (for drawing and threat analysis). https://github.com/izar/pytm/blob/59822fe2b2f562d2903dfb4c7a8edf72b996d322/pytm/pytm.py#L603
The Data object represents a single piece of data that traverses the system. https://github.com/izar/pytm/blob/59822fe2b2f562d2903dfb4c7a8edf72b996d322/pytm/pytm.py#L1122
Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
Name | | | |
Description | | | |
Classification | What is the classification of this data | | |
isPII | Is this data considered personally identifiable information | | |
isCredentials | Is this data representing credentials | | |
credentialsLife | If credentials, what is the "lifetime" of the data | | See Enumerations section |
isStored | Is this data going to be stored by the destination target | | If only derived data is stored, this should be False |
isDestEncryptedAtRest | Is this data encrypted at rest by the destination target | | |
isSourceEncryptedAtRest | Is this data encrypted at rest by the source object | | |
carriedBy | Which DataFlow objects "carry" this data | | |
processedBy | Which objects will store or process this data | | |
Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
name | Name of element | | |
description | Description of element | | |
inBoundary | The trust boundary this element resides in | | |
inScope | Boolean: if this element is within the scope of the model | | |
maxClassification | Maximum data sensitivity this element can "handle" | | For some definition of "handle" |
findings | Threats that apply to this element | | Populated by pytm |
overrides | Overrides set on findings | | |
levels | List of levels to draw in the model for this element | | |
An Asset is an Element (i.e. it inherits all attributes from Element) that has incoming or outgoing data flows, and represents a single process or component. https://github.com/izar/pytm/blob/59822fe2b2f562d2903dfb4c7a8edf72b996d322/pytm/pytm.py#L1182

Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
port | Default incoming port | | Assumes TCP only, and single listening service |
isEncrypted | Boolean: if the incoming data flow is encrypted | | Presumably by TLS (?) |
protocol | Default protocol for incoming data flow | | |
data | Default data type for incoming flow | | |
inputs | Incoming `Dataflow`s | | |
outputs | Outbound `Dataflow`s | | |
onAWS | Boolean: if the Asset resides on AWS | | If you want to model non-AWS cloud services, subclass this. |
isHardened | Boolean: if the Asset is hardened | | For some definition of "hardened" |
implementsAuthenticationScheme | Boolean: if the Asset performs some form of authentication | | |
implementsNonce | Boolean: if the Asset creates nonces for any reason | | |
handlesResources | Boolean | | (?) |
definesConnectionTimeout | Boolean | | (?) |
authenticatesDestination | Boolean: the Asset verifies the target of the outbound data flow in some way | | |
checksDestinationRevocation | Boolean: if verification of the outbound flow's target involves certs, checks whether the cert is revoked | | |
authenticatesSource | Boolean | | May be used for Mutual TLS (?) |
authorizesSource | Boolean | | (?) |
hasAccessControl | Boolean: if the Asset performs any form of access control | | |
validatesInput | Boolean: if the Asset validates incoming data | | |
sanitizesInput | Boolean: if the Asset performs data sanitization on incoming data | | |
checksInputBounds | Boolean: if the Asset checks any input data | | Duplicate with |
encodesOutput | Boolean: if the Asset performs any data encoding on outbound data | | |
handlesResourceConsumption | Boolean | | (?) |
authenticationScheme | (?) | | |
usesEnvironmentVariables | Boolean: if the Asset uses any environment variables | | |
OS | Which OS this Asset runs on or uses | | |
providesIntegrity | Boolean | | (?) |
An ExternalEntity is an Asset that represents a process or system external to the model (but with a connection to something in the model). https://github.com/izar/pytm/blob/59822fe2b2f562d2903dfb4c7a8edf72b996d322/pytm/pytm.py#L1313

Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
hasPhysicalAccess | Boolean | | (?) |
The Server object is an Asset that processes data. While this object can be used generically as a data connection unit, it is geared more towards a web server of some kind than a generic component. https://github.com/izar/pytm/blob/59822fe2b2f562d2903dfb4c7a8edf72b996d322/pytm/pytm.py#L1274

Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
providesConfidentiality | Boolean | | (?) |
providesIntegrity | Boolean | | (?) |
validatesHeaders | Boolean: if the Server validates headers in some communications | | |
encodesHeaders | Boolean: if the Server encodes headers in some communications | | |
implementsCSRFToken | Boolean: if the Server implements CSRF tokens | | |
isResilient | Boolean | | (?) |
usesSessionTokens | Boolean: if the Server supports sessions | | |
usesEncryptionAlgorithm | The encryption algorithm used (if any) | | |
usesCache | Boolean | | (?) |
usesVPN | Boolean | | (?) |
usesCodeSigning | Boolean: if the Server artifact is digitally signed | | |
validatesContentType | Boolean: if the Server validates Content-Type values | | |
invokesScriptFilters | Boolean | | (?) |
usesStrongSessionIdentifiers | Boolean: if the Server implements strong session ids | | For some definition of "strong" |
usesLatestTLSversion | Boolean: if the Server uses the latest TLS version | | TLS 1.2 and 1.3 are "latest" |
implementsServerSideValidation | Boolean: if the Server implements validation on the server | | Should be |
usesXMLParser | Boolean: if the Server supports the parsing of XML | | |
disablesDTD | Boolean | | (?) |
implementsStrictHTTPValidation | Boolean | | (?) |
implementsPOLP | Boolean: if the Server implements the Principle of Least Privilege | | Contributes to isHardened (?) |
The Process object is an Asset that is similar to Server in that it processes data and has some common attributes. Process contains attributes commonly found in web servers, among other process types. https://github.com/izar/pytm/blob/59822fe2b2f562d2903dfb4c7a8edf72b996d322/pytm/pytm.py#L1397

Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
codeType | String: type of code | | "Unmanaged" is default |
implementsCommunicationProtocol | Boolean | | (?) |
providesConfidentiality | Boolean | | (?) |
providesIntegrity | Boolean | | (?) |
isResilient | Boolean | | (?) |
tracksExecutionFlow | Boolean | | (?) |
implementsCSRFToken | Boolean: if the Process implements CSRF tokens | | |
handlesResourceConsumption | Boolean | | (?) |
handlesCrashes | Boolean | | (?) |
handlesInterruptions | Boolean | | (?) |
implementsAPI | Boolean: if the Process implements an API | | |
usesSecureFunctions | Boolean | | (?) |
environment | (?) | | |
disablesiFrames | Boolean: if the Process disables iFrames | | |
usesParameterizedInput | Boolean | | (?) |
allowsClientSideScripting | Boolean | | (?) |
encryptsCookies | Boolean: if the Process encrypts cookies that it sets | | |
usesMFA | Boolean: if the Process uses multi-factor authentication for incoming requests or session establishment | | |
encryptsSessionData | Boolean: if the Process encrypts session data it sets | | |
verifySessionIdentifiers | Boolean: if the Process verifies session ids it sets | | |
usesStrongSessionIdentifiers | Boolean: if the Process implements strong session ids | | For some definition of "strong" |
implementsPOLP | Boolean: if the Process implements the Principle of Least Privilege | | Contributes to isHardened (?) |
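The "Used in Threats" column is mostly empty above, so it helps to see how the boolean attributes in the Asset, Server and Process tables actually feed threat analysis. The following is an added, self-contained illustration written for this page, not pytm's own code: a small `Server` with a subset of the documented attributes, a constructed rule set whose conditions are evaluated against each in-scope element, and a `Finding` per match, which is what the Element `findings` attribute holds. The threat ids (`EX-...`), the rule wording and the choice of which attributes each rule combines are assumptions made for the example, not entries from pytm's threat library.

```python
"""Added illustration (not pytm's own code): attribute-driven threat rules.

Each Threat carries a condition over a target element's attributes; every
in-scope element for which a condition holds produces one Finding.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Server:
    # Subset of the Server attributes documented above.  Defaults are the
    # "nothing claimed" values, so an unconfigured element surfaces the most
    # threats and the modeller has to opt in to each security property.
    name: str
    usesXMLParser: bool = False
    disablesDTD: bool = False
    usesSessionTokens: bool = False
    usesStrongSessionIdentifiers: bool = False
    usesLatestTLSversion: bool = False
    isEncrypted: bool = False
    validatesInput: bool = False
    sanitizesInput: bool = False
    implementsCSRFToken: bool = False
    inScope: bool = True


@dataclass
class Threat:
    sid: str            # constructed ids for this example, not pytm's
    description: str
    condition: Callable[[Server], bool]


@dataclass
class Finding:
    element: str
    sid: str
    description: str


# Constructed rule set: each condition names the attribute combination that
# leaves a weakness open, phrased the way pytm conditions reference a target.
THREATS = [
    Threat("EX-XXE", "XML parsing with DTDs enabled (XXE exposure)",
           lambda t: t.usesXMLParser and not t.disablesDTD),
    Threat("EX-SESSION", "Sessions issued with weak session identifiers",
           lambda t: t.usesSessionTokens and not t.usesStrongSessionIdentifiers),
    Threat("EX-TLS", "Inbound flow not protected by a current TLS version",
           lambda t: not t.isEncrypted or not t.usesLatestTLSversion),
    Threat("EX-INJECT", "Untrusted input neither validated nor sanitized",
           lambda t: not (t.validatesInput or t.sanitizesInput)),
    Threat("EX-CSRF", "State-changing requests without CSRF tokens",
           lambda t: t.usesSessionTokens and not t.implementsCSRFToken),
]


def analyze(elements: List[Server], threats: List[Threat] = THREATS) -> List[Finding]:
    """Mirror of how the 'findings' attribute gets populated: out-of-scope
    elements are skipped; every threat whose condition holds yields a Finding."""
    findings: List[Finding] = []
    for element in elements:
        if not element.inScope:
            continue
        for threat in threats:
            if threat.condition(element):
                findings.append(Finding(element.name, threat.sid, threat.description))
    return findings


if __name__ == "__main__":
    # Constructed sample element: well configured except for DTD handling.
    web = Server("web", usesXMLParser=True, usesSessionTokens=True,
                 usesStrongSessionIdentifiers=True, isEncrypted=True,
                 usesLatestTLSversion=True, validatesInput=True,
                 implementsCSRFToken=True)
    for f in analyze([web]):
        print(f"{f.element}: {f.sid} - {f.description}")
```

Run as a script it reports a single finding (EX-XXE) for the sample server, because every other rule's precondition has been answered. The design point worth copying into a real model is the defaults: a property the modeller never asserted is treated as absent, so silence in the model shows up as a finding rather than being assumed safe.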
The CredentialsLife attribute represents the lifetime or revocation process for data that are credentials, and uses the Lifetime enum.

Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
NONE | Not Applicable | | |
UNKNOWN | Unknown lifetime or revocation process | | |
SHORT | Short lived (for some definition of short) | | |
LONG | Long lived (for some definition of long) | | If forever (equivalent to HARDCODED?) |
AUTO | Long lived with no expiration but can be invalidated by some automatic process | | |
MANUAL | Long lived with no expiration but can be invalidated by some manual process | | |
HARDCODED | Long lived - forever, cannot be invalidated | | |
The Classification enum represents the sensitivity of Data, based on the user's own understanding of the relative sensitivity levels defined by pytm. For example, "Public" data may still be kept within the confines of a certain set of users, or may be for general consumption (aka "public facing").

Attribute | Meaning | Used in Threats | Notes |
---|---|---|---|
UNKNOWN | Unknown sensitivity | | Default |
PUBLIC | Information which can be shared for "public" consumption | | User defines what "public" represents to them |
RESTRICTED | | | |
SENSITIVE | | | |
SECRET | | | |
TOP_SECRET | | | |
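To show how the Data attributes (`classification`, `isPII`, `isCredentials`, `credentialsLife`, `isStored`, `isDestEncryptedAtRest`), the Element attribute `maxClassification` and the two enums above fit together, here is an added, self-contained example written for this page; it is not pytm's code and does not import pytm. The enum members are the ones documented above; the assumption that they are ordered from UNKNOWN (lowest) to TOP_SECRET (highest), the three checks, and the sample model are all constructed for the example.

```python
"""Added illustration (not pytm's own code): data-sensitivity checks over a
small model built from the Data, Element and Dataflow attributes above."""
from dataclasses import dataclass, field
from enum import Enum, IntEnum
from typing import List


class Classification(IntEnum):
    # IntEnum so levels compare in order; the ascending order is assumed
    # from the listing above (UNKNOWN treated as the lowest level).
    UNKNOWN = 0
    PUBLIC = 1
    RESTRICTED = 2
    SENSITIVE = 3
    SECRET = 4
    TOP_SECRET = 5


class Lifetime(Enum):
    NONE = "none"
    UNKNOWN = "unknown"
    SHORT = "short"
    LONG = "long"
    AUTO = "auto"
    MANUAL = "manual"
    HARDCODED = "hardcoded"


@dataclass
class Data:
    name: str
    classification: Classification = Classification.UNKNOWN
    isPII: bool = False
    isCredentials: bool = False
    credentialsLife: Lifetime = Lifetime.NONE
    isStored: bool = False
    isDestEncryptedAtRest: bool = False


@dataclass
class Element:
    name: str
    maxClassification: Classification = Classification.UNKNOWN


@dataclass
class Dataflow:
    source: Element
    sink: Element
    data: List[Data] = field(default_factory=list)


def check(flows: List[Dataflow]) -> List[str]:
    """Three constructed checks, one per attribute group described above."""
    findings: List[str] = []
    for flow in flows:
        for d in flow.data:
            # maxClassification: the sink must be rated for what it receives.
            if d.classification > flow.sink.maxClassification:
                findings.append(
                    f"{flow.sink.name} handles {d.name} ({d.classification.name}) "
                    f"above its maxClassification ({flow.sink.maxClassification.name})")
            # isStored + isDestEncryptedAtRest: stored PII or credentials
            # should be encrypted at rest by the destination.
            if d.isStored and (d.isPII or d.isCredentials) and not d.isDestEncryptedAtRest:
                findings.append(f"{d.name} stored by {flow.sink.name} without encryption at rest")
            # credentialsLife: credentials that can never be invalidated, or
            # whose lifetime nobody knows, are a finding in their own right.
            if d.isCredentials and d.credentialsLife in (Lifetime.HARDCODED, Lifetime.UNKNOWN):
                findings.append(
                    f"{d.name}: credentials with {d.credentialsLife.name} lifetime "
                    f"on flow {flow.source.name}->{flow.sink.name}")
    return findings


def example_model() -> List[Dataflow]:
    """Constructed sample model for this example (not from the pytm docs)."""
    user = Element("user", Classification.TOP_SECRET)
    web = Element("web", Classification.SENSITIVE)
    db = Element("db", Classification.SECRET)
    log = Element("log", Classification.PUBLIC)
    password = Data("password", Classification.SENSITIVE, isCredentials=True,
                    credentialsLife=Lifetime.SHORT, isStored=True,
                    isDestEncryptedAtRest=True)
    api_key = Data("api key", Classification.SECRET, isCredentials=True,
                   credentialsLife=Lifetime.HARDCODED, isStored=True)
    record = Data("session record", Classification.RESTRICTED, isPII=True)
    return [Dataflow(user, web, [password]),
            Dataflow(web, db, [api_key]),
            Dataflow(web, log, [record])]


if __name__ == "__main__":
    for line in check(example_model()):
        print(line)
```

The sample model yields three findings: the API key is stored by `db` without encryption at rest and has a HARDCODED lifetime, and the PII-bearing session record flows into a `log` element rated only PUBLIC. The password flow produces nothing because every relevant attribute was answered: the sink is rated for SENSITIVE data, the stored credential is encrypted at rest, and its lifetime is SHORT.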