def test_kwargs(self):
user = Actor("User", isAdmin=True)
self.assertEqual(user.isAdmin, True)
user = Actor("User")
self.assertEqual(user.isAdmin, False)
user.isAdmin = True
self.assertEqual(user.isAdmin, True)
def test_responses(self):
tm = TM("my test tm", description="aa", isOrdered=True)
user = Actor("User")
web = Server("Web Server")
db = Datastore("SQL Database")
http_req = Dataflow(user, web, "http req")
insert = Dataflow(web, db, "insert data")
query = Dataflow(web, db, "query")
query_resp = Dataflow(db, web, "query results", responseTo=query)
http_resp = Dataflow(web, user, "http resp")
http_resp.responseTo = http_req
self.assertTrue(tm.check())
self.assertEqual(http_req.response, http_resp)
self.assertIs(http_resp.isResponse, True)
self.assertIs(query_resp.isResponse, True)
self.assertEqual(query_resp.responseTo, query)
self.assertEqual(query.response, query_resp)
self.assertIsNone(insert.response)
self.assertIs(insert.isResponse, False)
def makeComponents(component_json, boundaryObj):
component_dict = copy.deepcopy(component_json)
component_cls = component_dict.pop('class')
name = component_dict.pop('name')
component = Element(name)
if component_cls == 'Actor':
component = Actor(name)
elif component_cls == 'Server':
component = Server(name)
elif component_cls == 'Datastore':
component = Datastore(name)
elif component_cls == 'Lambda':
component = Lambda(name)
elif component_cls == 'ExternalEntity':
component = ExternalEntity(name)
elif component_cls == 'Process':
component = Process(name)
else:
print(f"[WARNING] * Received weird class {component_cls} in makeComponents()")
return None
for k,v in component_dict.items():
# print(v)
if k == 'description':
component.description = v
elif k == 'inBoundary' and v is not '':
component.inBoundary = boundaryObj[v]
elif k == 'Options':
for option, v_ in v.items():
replaceAttribute(component, option, v_)
return component
def test_defaults(self):
tm = TM("my test tm", description="aa", isOrdered=True)
internet = Boundary("Internet")
cloud = Boundary("Cloud")
user = Actor("User", inBoundary=internet)
server = Server("Server")
db = Datastore("DB", inBoundary=cloud)
db.type = DatastoreType.SQL
func = Datastore("Lambda function", inBoundary=cloud)
request = Dataflow(user, server, "request")
response = Dataflow(server, user, "response", isResponse=True)
user_query = Dataflow(user, db, "user query")
server_query = Dataflow(server, db, "server query")
func_query = Dataflow(func, db, "func query")
default_target = ["Actor", "Boundary", "Dataflow", "Datastore", "Server"]
testCases = [
{"target": server, "condition": "target.oneOf(Server, Datastore)"},
{"target": server, "condition": "not target.oneOf(Actor, Dataflow)"},
{"target": request, "condition": "target.crosses(Boundary)"},
{"target": user_query, "condition": "target.crosses(Boundary)"},
{"target": server_query, "condition": "target.crosses(Boundary)"},
{"target": func_query, "condition": "not target.crosses(Boundary)"},
{"target": func_query, "condition": "not target.enters(Boundary)"},
{"target": func_query, "condition": "not target.exits(Boundary)"},
{"target": request, "condition": "not target.enters(Boundary)"},
{"target": request, "condition": "target.exits(Boundary)"},
{"target": response, "condition": "target.enters(Boundary)"},
{"target": response, "condition": "not target.exits(Boundary)"},
{"target": user, "condition": "target.inside(Boundary)"},
{"target": func, "condition": "not any(target.inputs)"},
{
"target": server,
"condition": "any(f.sink.oneOf(Datastore) and f.sink.type == DatastoreType.SQL "
"for f in target.outputs)",
},
]
self.assertTrue(tm.check())
for case in testCases:
t = Threat(SID="", target=default_target, condition=case["condition"])
self.assertTrue(
t.apply(case["target"]),
"Failed to match {} against {}".format(
case["target"],
case["condition"],
),
)
#!/usr/bin/env python3
from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor, Lambda
tm = TM("my test tm")
tm.description = "another test tm"
Web = Boundary("Internal Web")
external_web = Boundary("External Web")
user = Actor("App-y-Tenant")
app = Server("Mobile App")
buy_api = Server("Buy<br/>API-y")
buy_api.inBoundary = Web
rent_api = Server("Rent<br/>API-y")
rent_api.inBoundary = Web
alert_api = Server("Alert<br/>API-y")
alert_api.inBoundary = Web
cloud = Server("Phone Provider Cloud")
cloud.inBoundary = external_web
alert_api_to_cloud = Dataflow(alert_api, cloud, "push")
cloud_to_app = Dataflow(cloud, app, " ")
db_b = Datastore("Oracle Table B")
db_b.inBoundary = Web
buy_api_to_db = Dataflow(buy_api, db_b, " ")
def test_defaults(self):
tm = TM("TM")
user = Actor("User", data="HTTP", authenticatesDestination=True)
server = Server("Server",
port=443,
protocol="HTTPS",
isEncrypted=True,
data="JSON")
db = Datastore(
"PostgreSQL",
isSQL=True,
port=5432,
protocol="PostgreSQL",
isEncrypted=False,
data="SQL resp",
)
worker = Process("Task queue worker")
req_get = Dataflow(user, server, "HTTP GET")
server_query = Dataflow(server, db, "Query", data="SQL")
result = Dataflow(db, server, "Results", isResponse=True)
resp_get = Dataflow(server, user, "HTTP Response", isResponse=True)
req_post = Dataflow(user, server, "HTTP POST", data="JSON")
resp_post = Dataflow(server, user, "HTTP Response", isResponse=True)
worker_query = Dataflow(worker, db, "Query", data="SQL")
Dataflow(db, worker, "Results", isResponse=True)
cookie = Data("Auth Cookie", carriedBy=[req_get, req_post])
self.assertTrue(tm.check())
self.assertEqual(req_get.srcPort, -1)
self.assertEqual(req_get.dstPort, server.port)
self.assertEqual(req_get.isEncrypted, server.isEncrypted)
self.assertEqual(req_get.authenticatesDestination,
user.authenticatesDestination)
self.assertEqual(req_get.protocol, server.protocol)
self.assertTrue(user.data.issubset(req_get.data))
self.assertEqual(server_query.srcPort, -1)
self.assertEqual(server_query.dstPort, db.port)
self.assertEqual(server_query.isEncrypted, db.isEncrypted)
self.assertEqual(server_query.authenticatesDestination,
server.authenticatesDestination)
self.assertEqual(server_query.protocol, db.protocol)
self.assertTrue(server.data.issubset(server_query.data))
self.assertEqual(result.srcPort, db.port)
self.assertEqual(result.dstPort, -1)
self.assertEqual(result.isEncrypted, db.isEncrypted)
self.assertEqual(result.authenticatesDestination, False)
self.assertEqual(result.protocol, db.protocol)
self.assertTrue(db.data.issubset(result.data))
self.assertEqual(resp_get.srcPort, server.port)
self.assertEqual(resp_get.dstPort, -1)
self.assertEqual(resp_get.isEncrypted, server.isEncrypted)
self.assertEqual(resp_get.authenticatesDestination, False)
self.assertEqual(resp_get.protocol, server.protocol)
self.assertTrue(server.data.issubset(resp_get.data))
self.assertEqual(req_post.srcPort, -1)
self.assertEqual(req_post.dstPort, server.port)
self.assertEqual(req_post.isEncrypted, server.isEncrypted)
self.assertEqual(req_post.authenticatesDestination,
user.authenticatesDestination)
self.assertEqual(req_post.protocol, server.protocol)
self.assertTrue(user.data.issubset(req_post.data))
self.assertEqual(resp_post.srcPort, server.port)
self.assertEqual(resp_post.dstPort, -1)
self.assertEqual(resp_post.isEncrypted, server.isEncrypted)
self.assertEqual(resp_post.authenticatesDestination, False)
self.assertEqual(resp_post.protocol, server.protocol)
self.assertTrue(server.data.issubset(resp_post.data))
self.assertListEqual(server.inputs, [req_get, req_post])
self.assertListEqual(server.outputs, [server_query])
self.assertListEqual(worker.inputs, [])
self.assertListEqual(worker.outputs, [worker_query])
self.assertListEqual(cookie.carriedBy, [req_get, req_post])
self.assertSetEqual(set(cookie.processedBy), set([user, server]))
self.assertIn(cookie, req_get.data)
self.assertSetEqual(set([d.name for d in req_post.data]),
set([cookie.name, "HTTP", "JSON"]))
def test_write_once(self):
user = Actor("User")
with self.assertRaises(ValueError):
user.name = "Computer"
from pytm.pytm import TM, Actor, Boundary, Dataflow, Datastore, Lambda, Server
# make sure generated diagrams do not change, makes sense if they're commited
random.seed(0)
tm = TM("my test tm")
tm.description = "This is a sample threat model of a very simple system - a web-based comment system. The user enters comments and these are added to a database and displayed back to the user. The thought is that it is, though simple, a complete enough example to express meaningful threats."
tm.isOrdered = True
tm.mergeResponses = True
internet = Boundary("Internet")
server_db = Boundary("Server/DB")
vpc = Boundary("AWS VPC")
user = Actor("User")
user.inBoundary = internet
web = Server("Web Server")
web.OS = "Ubuntu"
web.isHardened = True
web.sanitizesInput = False
web.encodesOutput = True
web.authorizesSource = False
db = Datastore("SQL Database")
db.OS = "CentOS"
db.isHardened = False
db.inBoundary = server_db
db.isSQL = True
db.inScope = True
def test_defaults(self):
tm = TM("TM")
user = Actor("User", data="HTTP")
server = Server("Server",
port=443,
protocol="HTTPS",
isEncrypted=True,
data="JSON")
db = Datastore(
"PostgreSQL",
isSQL=True,
port=5432,
protocol="PostgreSQL",
isEncrypted=False,
data="SQL resp",
)
req_get = Dataflow(user, server, "HTTP GET")
query = Dataflow(server, db, "Query", data="SQL")
result = Dataflow(db, server, "Results", isResponse=True)
resp_get = Dataflow(server, user, "HTTP Response", isResponse=True)
req_post = Dataflow(user, server, "HTTP POST", data="JSON")
resp_post = Dataflow(server, user, "HTTP Response", isResponse=True)
tm.check()
self.assertEqual(req_get.srcPort, -1)
self.assertEqual(req_get.dstPort, server.port)
self.assertEqual(req_get.isEncrypted, server.isEncrypted)
self.assertEqual(req_get.protocol, server.protocol)
self.assertEqual(req_get.data, user.data)
self.assertEqual(query.srcPort, -1)
self.assertEqual(query.dstPort, db.port)
self.assertEqual(query.isEncrypted, db.isEncrypted)
self.assertEqual(query.protocol, db.protocol)
self.assertNotEqual(query.data, server.data)
self.assertEqual(result.srcPort, db.port)
self.assertEqual(result.dstPort, -1)
self.assertEqual(result.isEncrypted, db.isEncrypted)
self.assertEqual(result.protocol, db.protocol)
self.assertEqual(result.data, db.data)
self.assertEqual(resp_get.srcPort, server.port)
self.assertEqual(resp_get.dstPort, -1)
self.assertEqual(resp_get.isEncrypted, server.isEncrypted)
self.assertEqual(resp_get.protocol, server.protocol)
self.assertEqual(resp_get.data, server.data)
self.assertEqual(req_post.srcPort, -1)
self.assertEqual(req_post.dstPort, server.port)
self.assertEqual(req_post.isEncrypted, server.isEncrypted)
self.assertEqual(req_post.protocol, server.protocol)
self.assertNotEqual(req_post.data, user.data)
self.assertEqual(resp_post.srcPort, server.port)
self.assertEqual(resp_post.dstPort, -1)
self.assertEqual(resp_post.isEncrypted, server.isEncrypted)
self.assertEqual(resp_post.protocol, server.protocol)
self.assertEqual(resp_post.data, server.data)
def test_defaults(self):
internet = Boundary("Internet")
cloud = Boundary("Cloud")
user = Actor("User", inBoundary=internet)
server = Server("Server")
db = Datastore("DB", inBoundary=cloud)
func = Datastore("Lambda function", inBoundary=cloud)
request = Dataflow(user, server, "request")
response = Dataflow(server, user, "response")
user_query = Dataflow(user, db, "user query")
server_query = Dataflow(server, db, "server query")
func_query = Dataflow(func, db, "func query")
default = {
"SID": "",
"description": "",
"condition": "",
"target": ["Actor", "Boundary", "Dataflow", "Datastore", "Server"],
"details": "",
"severity": "",
"mitigations": "",
"example": "",
"references": "",
}
testCases = [
{
"target": server,
"condition": "target.oneOf(Server, Datastore)"
},
{
"target": server,
"condition": "not target.oneOf(Actor, Dataflow)"
},
{
"target": request,
"condition": "target.crosses(Boundary)"
},
{
"target": user_query,
"condition": "target.crosses(Boundary)"
},
{
"target": server_query,
"condition": "target.crosses(Boundary)"
},
{
"target": func_query,
"condition": "not target.crosses(Boundary)"
},
{
"target": func_query,
"condition": "not target.enters(Boundary)"
},
{
"target": func_query,
"condition": "not target.exits(Boundary)"
},
{
"target": request,
"condition": "not target.enters(Boundary)"
},
{
"target": request,
"condition": "target.exits(Boundary)"
},
{
"target": response,
"condition": "target.enters(Boundary)"
},
{
"target": response,
"condition": "not target.exits(Boundary)"
},
{
"target": user,
"condition": "target.inside(Boundary)"
},
]
for case in testCases:
t = Threat({**default, **{"condition": case["condition"]}})
self.assertTrue(
t.apply(case["target"]),
"Failed to match {} against {}".format(case["target"],
case["condition"]),
)
from pytm.pytm import TM, Boundary, Server, Actor, Datastore, Dataflow, SetOfProcesses
tm = TM("App-y-ness")
tm.description = "This is a sample threat model for the Threat Modeling Workshop."
internet = Boundary("Internet")
user = Actor("App-y-tenant")
app = Server("Mobile App")
buyApi = Server("Buy<br/>API-y")
buyApi.inBoundary = internet
rentApi = Server("Rent<br/>API-y")
rentApi.inBoundary = internet
market = SetOfProcesses("Market-y")
market.inBoundary = internet
alertApi = Server("Alert<br/>API-y")
alertApi.inBoundary = internet
authApi = Server("Auth<br/>API-y")
authApi.inBoundary = internet
allAuth = Server("All Auth")
allAuth.inBoundary = internet
phoneCloud = Server("Phone<br/>Provider<br/>Cloud")
tm = TM("Kubernetes Threat Model")
tm.description = "a deep-dive threat model of Kubernetes"
# Boundaries
inet = Boundary("Internet")
mcdata = Boundary("Master Control Data")
apisrv = Boundary("API Server")
mcomps = Boundary("Master Control Components")
worker = Boundary("Worker")
contain = Boundary("Container")
# Actors
miu = Actor("Malicious Internal User")
ia = Actor("Internal Attacker")
ea = Actor("External Actor")
admin = Actor("Administrator")
dev = Actor("Developer")
eu = Actor("End User")
# Server & OS Components
etcd = Datastore("N-ary etcd servers")
apiserver = Server("kube-apiserver")
kubelet = Server("kubelet")
kubeproxy = Server("kube-proxy")
scheduler = Server("kube-scheduler")
controllers = Server("CCM/KCM")
pods = Server("Pods")
#!/usr/bin/env python3
from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor
tm = TM("my test tm")
tm.description = "This is a sample threat model of a very simple system - a web-based comment system. The user enters comments and these are added to a database and displayed back to the user. The thought is that it is, though simple, a complete enough example to express meaningful threats."
User_Web = Boundary("User/Web")
Web_DB = Boundary("Web/DB")
user = Actor("User")
user.inBoundary = User_Web
web = Server("Web Server")
web.OS = "CloudOS"
web.isHardened = True
db = Datastore("SQL Database (*)")
db.OS = "CentOS"
db.isHardened = False
db.inBoundary = Web_DB
db.isSql = True
db.inScope = False
user_to_web = Dataflow(user, web, "User enters comments (*)")
user_to_web.protocol = "HTTP"
user_to_web.dstPort = 80
user_to_web.data = 'Comments in HTML or Markdown'
user_to_web.order = 1
user_to_web.note = "This is a note\nmulti-line"
def test_defaults(self):
internet = Boundary("Internet")
cloud = Boundary("Cloud")
user = Actor("User", inBoundary=internet)
server = Server("Server")
db = Datastore("DB", inBoundary=cloud)
func = Datastore("Lambda function", inBoundary=cloud)
request = Dataflow(user, server, "request")
response = Dataflow(server, user, "response")
user_query = Dataflow(user, db, "user query")
server_query = Dataflow(server, db, "server query")
func_query = Dataflow(func, db, "func query")
default_target = [
"Actor", "Boundary", "Dataflow", "Datastore", "Server"
]
testCases = [
{
"target": server,
"condition": "target.oneOf(Server, Datastore)"
},
{
"target": server,
"condition": "not target.oneOf(Actor, Dataflow)"
},
{
"target": request,
"condition": "target.crosses(Boundary)"
},
{
"target": user_query,
"condition": "target.crosses(Boundary)"
},
{
"target": server_query,
"condition": "target.crosses(Boundary)"
},
{
"target": func_query,
"condition": "not target.crosses(Boundary)"
},
{
"target": func_query,
"condition": "not target.enters(Boundary)"
},
{
"target": func_query,
"condition": "not target.exits(Boundary)"
},
{
"target": request,
"condition": "not target.enters(Boundary)"
},
{
"target": request,
"condition": "target.exits(Boundary)"
},
{
"target": response,
"condition": "target.enters(Boundary)"
},
{
"target": response,
"condition": "not target.exits(Boundary)"
},
{
"target": user,
"condition": "target.inside(Boundary)"
},
]
for case in testCases:
t = Threat(SID="",
target=default_target,
condition=case["condition"])
self.assertTrue(
t.apply(case["target"]),
"Failed to match {} against {}".format(case["target"],
case["condition"]),
)
from pytm.pytm import TM, Boundary, Server, Actor, Datastore, Dataflow, SetOfProcesses
tm = TM("Generic CMS example")
tm.description = "This is a sample threat model for the Threat Model Cookbook."
internet = Boundary("Internet")
user = Actor("Generic/Privilege User")
webserver = Server("Web Server")
webserver.inBoundary = internet
user_to_webserver = Dataflow(user, webserver, "HTTPS")
db = Datastore("db")
db.inBoundary = internet
db_to_webserver = Dataflow(webserver, db, " ")
adminuser = Actor(" admin ")
admin_to_webserver = Dataflow(adminuser, db,
"unsecure<br/>mysql<br/>connection")
cdn = SetOfProcesses("CDN network")
user_to_cdn = Dataflow(user, cdn, "HTTP")
webserver_to_cdn = Dataflow(webserver, cdn, "Push to Bucket")
tm.process()
