def test_responses(self): tm = TM("my test tm", description="aa", isOrdered=True) user = Actor("User") web = Server("Web Server") db = Datastore("SQL Database") http_req = Dataflow(user, web, "http req") insert = Dataflow(web, db, "insert data") query = Dataflow(web, db, "query") query_resp = Dataflow(db, web, "query results", responseTo=query) http_resp = Dataflow(web, user, "http resp") http_resp.responseTo = http_req self.assertTrue(tm.check()) self.assertEqual(http_req.response, http_resp) self.assertIs(http_resp.isResponse, True) self.assertIs(query_resp.isResponse, True) self.assertEqual(query_resp.responseTo, query) self.assertEqual(query.response, query_resp) self.assertIsNone(insert.response) self.assertIs(insert.isResponse, False)
def test_defaults(self): tm = TM("my test tm", description="aa", isOrdered=True) internet = Boundary("Internet") cloud = Boundary("Cloud") user = Actor("User", inBoundary=internet) server = Server("Server") db = Datastore("DB", inBoundary=cloud) db.type = DatastoreType.SQL func = Datastore("Lambda function", inBoundary=cloud) request = Dataflow(user, server, "request") response = Dataflow(server, user, "response", isResponse=True) user_query = Dataflow(user, db, "user query") server_query = Dataflow(server, db, "server query") func_query = Dataflow(func, db, "func query") default_target = ["Actor", "Boundary", "Dataflow", "Datastore", "Server"] testCases = [ {"target": server, "condition": "target.oneOf(Server, Datastore)"}, {"target": server, "condition": "not target.oneOf(Actor, Dataflow)"}, {"target": request, "condition": "target.crosses(Boundary)"}, {"target": user_query, "condition": "target.crosses(Boundary)"}, {"target": server_query, "condition": "target.crosses(Boundary)"}, {"target": func_query, "condition": "not target.crosses(Boundary)"}, {"target": func_query, "condition": "not target.enters(Boundary)"}, {"target": func_query, "condition": "not target.exits(Boundary)"}, {"target": request, "condition": "not target.enters(Boundary)"}, {"target": request, "condition": "target.exits(Boundary)"}, {"target": response, "condition": "target.enters(Boundary)"}, {"target": response, "condition": "not target.exits(Boundary)"}, {"target": user, "condition": "target.inside(Boundary)"}, {"target": func, "condition": "not any(target.inputs)"}, { "target": server, "condition": "any(f.sink.oneOf(Datastore) and f.sink.type == DatastoreType.SQL " "for f in target.outputs)", }, ] self.assertTrue(tm.check()) for case in testCases: t = Threat(SID="", target=default_target, condition=case["condition"]) self.assertTrue( t.apply(case["target"]), "Failed to match {} against {}".format( case["target"], case["condition"], ), )
#!/usr/bin/env python3 from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor, Lambda tm = TM("my test tm") tm.description = "another test tm" Web = Boundary("Internal Web") external_web = Boundary("External Web") user = Actor("App-y-Tenant") app = Server("Mobile App") buy_api = Server("Buy<br/>API-y") buy_api.inBoundary = Web rent_api = Server("Rent<br/>API-y") rent_api.inBoundary = Web alert_api = Server("Alert<br/>API-y") alert_api.inBoundary = Web cloud = Server("Phone Provider Cloud") cloud.inBoundary = external_web alert_api_to_cloud = Dataflow(alert_api, cloud, "push") cloud_to_app = Dataflow(cloud, app, " ") db_b = Datastore("Oracle Table B") db_b.inBoundary = Web buy_api_to_db = Dataflow(buy_api, db_b, " ")
def test_defaults(self): tm = TM("TM") user = Actor("User", data="HTTP", authenticatesDestination=True) server = Server("Server", port=443, protocol="HTTPS", isEncrypted=True, data="JSON") db = Datastore( "PostgreSQL", isSQL=True, port=5432, protocol="PostgreSQL", isEncrypted=False, data="SQL resp", ) worker = Process("Task queue worker") req_get = Dataflow(user, server, "HTTP GET") server_query = Dataflow(server, db, "Query", data="SQL") result = Dataflow(db, server, "Results", isResponse=True) resp_get = Dataflow(server, user, "HTTP Response", isResponse=True) req_post = Dataflow(user, server, "HTTP POST", data="JSON") resp_post = Dataflow(server, user, "HTTP Response", isResponse=True) worker_query = Dataflow(worker, db, "Query", data="SQL") Dataflow(db, worker, "Results", isResponse=True) cookie = Data("Auth Cookie", carriedBy=[req_get, req_post]) self.assertTrue(tm.check()) self.assertEqual(req_get.srcPort, -1) self.assertEqual(req_get.dstPort, server.port) self.assertEqual(req_get.isEncrypted, server.isEncrypted) self.assertEqual(req_get.authenticatesDestination, user.authenticatesDestination) self.assertEqual(req_get.protocol, server.protocol) self.assertTrue(user.data.issubset(req_get.data)) self.assertEqual(server_query.srcPort, -1) self.assertEqual(server_query.dstPort, db.port) self.assertEqual(server_query.isEncrypted, db.isEncrypted) self.assertEqual(server_query.authenticatesDestination, server.authenticatesDestination) self.assertEqual(server_query.protocol, db.protocol) self.assertTrue(server.data.issubset(server_query.data)) self.assertEqual(result.srcPort, db.port) self.assertEqual(result.dstPort, -1) self.assertEqual(result.isEncrypted, db.isEncrypted) self.assertEqual(result.authenticatesDestination, False) self.assertEqual(result.protocol, db.protocol) self.assertTrue(db.data.issubset(result.data)) self.assertEqual(resp_get.srcPort, server.port) self.assertEqual(resp_get.dstPort, -1) self.assertEqual(resp_get.isEncrypted, server.isEncrypted) self.assertEqual(resp_get.authenticatesDestination, False) self.assertEqual(resp_get.protocol, server.protocol) self.assertTrue(server.data.issubset(resp_get.data)) self.assertEqual(req_post.srcPort, -1) self.assertEqual(req_post.dstPort, server.port) self.assertEqual(req_post.isEncrypted, server.isEncrypted) self.assertEqual(req_post.authenticatesDestination, user.authenticatesDestination) self.assertEqual(req_post.protocol, server.protocol) self.assertTrue(user.data.issubset(req_post.data)) self.assertEqual(resp_post.srcPort, server.port) self.assertEqual(resp_post.dstPort, -1) self.assertEqual(resp_post.isEncrypted, server.isEncrypted) self.assertEqual(resp_post.authenticatesDestination, False) self.assertEqual(resp_post.protocol, server.protocol) self.assertTrue(server.data.issubset(resp_post.data)) self.assertListEqual(server.inputs, [req_get, req_post]) self.assertListEqual(server.outputs, [server_query]) self.assertListEqual(worker.inputs, []) self.assertListEqual(worker.outputs, [worker_query]) self.assertListEqual(cookie.carriedBy, [req_get, req_post]) self.assertSetEqual(set(cookie.processedBy), set([user, server])) self.assertIn(cookie, req_get.data) self.assertSetEqual(set([d.name for d in req_post.data]), set([cookie.name, "HTTP", "JSON"]))
def test_write_once(self): user = Actor("User") with self.assertRaises(ValueError): user.name = "Computer"
from pytm.pytm import TM, Actor, Boundary, Dataflow, Datastore, Lambda, Server # make sure generated diagrams do not change, makes sense if they're commited random.seed(0) tm = TM("my test tm") tm.description = "This is a sample threat model of a very simple system - a web-based comment system. The user enters comments and these are added to a database and displayed back to the user. The thought is that it is, though simple, a complete enough example to express meaningful threats." tm.isOrdered = True tm.mergeResponses = True internet = Boundary("Internet") server_db = Boundary("Server/DB") vpc = Boundary("AWS VPC") user = Actor("User") user.inBoundary = internet web = Server("Web Server") web.OS = "Ubuntu" web.isHardened = True web.sanitizesInput = False web.encodesOutput = True web.authorizesSource = False db = Datastore("SQL Database") db.OS = "CentOS" db.isHardened = False db.inBoundary = server_db db.isSQL = True db.inScope = True
def test_defaults(self): tm = TM("TM") user = Actor("User", data="HTTP") server = Server("Server", port=443, protocol="HTTPS", isEncrypted=True, data="JSON") db = Datastore( "PostgreSQL", isSQL=True, port=5432, protocol="PostgreSQL", isEncrypted=False, data="SQL resp", ) req_get = Dataflow(user, server, "HTTP GET") query = Dataflow(server, db, "Query", data="SQL") result = Dataflow(db, server, "Results", isResponse=True) resp_get = Dataflow(server, user, "HTTP Response", isResponse=True) req_post = Dataflow(user, server, "HTTP POST", data="JSON") resp_post = Dataflow(server, user, "HTTP Response", isResponse=True) tm.check() self.assertEqual(req_get.srcPort, -1) self.assertEqual(req_get.dstPort, server.port) self.assertEqual(req_get.isEncrypted, server.isEncrypted) self.assertEqual(req_get.protocol, server.protocol) self.assertEqual(req_get.data, user.data) self.assertEqual(query.srcPort, -1) self.assertEqual(query.dstPort, db.port) self.assertEqual(query.isEncrypted, db.isEncrypted) self.assertEqual(query.protocol, db.protocol) self.assertNotEqual(query.data, server.data) self.assertEqual(result.srcPort, db.port) self.assertEqual(result.dstPort, -1) self.assertEqual(result.isEncrypted, db.isEncrypted) self.assertEqual(result.protocol, db.protocol) self.assertEqual(result.data, db.data) self.assertEqual(resp_get.srcPort, server.port) self.assertEqual(resp_get.dstPort, -1) self.assertEqual(resp_get.isEncrypted, server.isEncrypted) self.assertEqual(resp_get.protocol, server.protocol) self.assertEqual(resp_get.data, server.data) self.assertEqual(req_post.srcPort, -1) self.assertEqual(req_post.dstPort, server.port) self.assertEqual(req_post.isEncrypted, server.isEncrypted) self.assertEqual(req_post.protocol, server.protocol) self.assertNotEqual(req_post.data, user.data) self.assertEqual(resp_post.srcPort, server.port) self.assertEqual(resp_post.dstPort, -1) self.assertEqual(resp_post.isEncrypted, server.isEncrypted) self.assertEqual(resp_post.protocol, server.protocol) self.assertEqual(resp_post.data, server.data)
def test_defaults(self): internet = Boundary("Internet") cloud = Boundary("Cloud") user = Actor("User", inBoundary=internet) server = Server("Server") db = Datastore("DB", inBoundary=cloud) func = Datastore("Lambda function", inBoundary=cloud) request = Dataflow(user, server, "request") response = Dataflow(server, user, "response") user_query = Dataflow(user, db, "user query") server_query = Dataflow(server, db, "server query") func_query = Dataflow(func, db, "func query") default = { "SID": "", "description": "", "condition": "", "target": ["Actor", "Boundary", "Dataflow", "Datastore", "Server"], "details": "", "severity": "", "mitigations": "", "example": "", "references": "", } testCases = [ { "target": server, "condition": "target.oneOf(Server, Datastore)" }, { "target": server, "condition": "not target.oneOf(Actor, Dataflow)" }, { "target": request, "condition": "target.crosses(Boundary)" }, { "target": user_query, "condition": "target.crosses(Boundary)" }, { "target": server_query, "condition": "target.crosses(Boundary)" }, { "target": func_query, "condition": "not target.crosses(Boundary)" }, { "target": func_query, "condition": "not target.enters(Boundary)" }, { "target": func_query, "condition": "not target.exits(Boundary)" }, { "target": request, "condition": "not target.enters(Boundary)" }, { "target": request, "condition": "target.exits(Boundary)" }, { "target": response, "condition": "target.enters(Boundary)" }, { "target": response, "condition": "not target.exits(Boundary)" }, { "target": user, "condition": "target.inside(Boundary)" }, ] for case in testCases: t = Threat({**default, **{"condition": case["condition"]}}) self.assertTrue( t.apply(case["target"]), "Failed to match {} against {}".format(case["target"], case["condition"]), )
from pytm.pytm import TM, Boundary, Server, Actor, Datastore, Dataflow, SetOfProcesses tm = TM("App-y-ness") tm.description = "This is a sample threat model for the Threat Modeling Workshop." internet = Boundary("Internet") user = Actor("App-y-tenant") app = Server("Mobile App") buyApi = Server("Buy<br/>API-y") buyApi.inBoundary = internet rentApi = Server("Rent<br/>API-y") rentApi.inBoundary = internet market = SetOfProcesses("Market-y") market.inBoundary = internet alertApi = Server("Alert<br/>API-y") alertApi.inBoundary = internet authApi = Server("Auth<br/>API-y") authApi.inBoundary = internet allAuth = Server("All Auth") allAuth.inBoundary = internet phoneCloud = Server("Phone<br/>Provider<br/>Cloud")
tm = TM("Kubernetes Threat Model") tm.description = "a deep-dive threat model of Kubernetes" # Boundaries inet = Boundary("Internet") mcdata = Boundary("Master Control Data") apisrv = Boundary("API Server") mcomps = Boundary("Master Control Components") worker = Boundary("Worker") contain = Boundary("Container") # Actors miu = Actor("Malicious Internal User") ia = Actor("Internal Attacker") ea = Actor("External Actor") admin = Actor("Administrator") dev = Actor("Developer") eu = Actor("End User") # Server & OS Components etcd = Datastore("N-ary etcd servers") apiserver = Server("kube-apiserver") kubelet = Server("kubelet") kubeproxy = Server("kube-proxy") scheduler = Server("kube-scheduler") controllers = Server("CCM/KCM") pods = Server("Pods")
def test_defaults(self): internet = Boundary("Internet") cloud = Boundary("Cloud") user = Actor("User", inBoundary=internet) server = Server("Server") db = Datastore("DB", inBoundary=cloud) func = Datastore("Lambda function", inBoundary=cloud) request = Dataflow(user, server, "request") response = Dataflow(server, user, "response") user_query = Dataflow(user, db, "user query") server_query = Dataflow(server, db, "server query") func_query = Dataflow(func, db, "func query") default_target = [ "Actor", "Boundary", "Dataflow", "Datastore", "Server" ] testCases = [ { "target": server, "condition": "target.oneOf(Server, Datastore)" }, { "target": server, "condition": "not target.oneOf(Actor, Dataflow)" }, { "target": request, "condition": "target.crosses(Boundary)" }, { "target": user_query, "condition": "target.crosses(Boundary)" }, { "target": server_query, "condition": "target.crosses(Boundary)" }, { "target": func_query, "condition": "not target.crosses(Boundary)" }, { "target": func_query, "condition": "not target.enters(Boundary)" }, { "target": func_query, "condition": "not target.exits(Boundary)" }, { "target": request, "condition": "not target.enters(Boundary)" }, { "target": request, "condition": "target.exits(Boundary)" }, { "target": response, "condition": "target.enters(Boundary)" }, { "target": response, "condition": "not target.exits(Boundary)" }, { "target": user, "condition": "target.inside(Boundary)" }, ] for case in testCases: t = Threat(SID="", target=default_target, condition=case["condition"]) self.assertTrue( t.apply(case["target"]), "Failed to match {} against {}".format(case["target"], case["condition"]), )
from pytm.pytm import TM, Boundary, Server, Actor, Datastore, Dataflow, SetOfProcesses tm = TM("Generic CMS example") tm.description = "This is a sample threat model for the Threat Model Cookbook." internet = Boundary("Internet") user = Actor("Generic/Privilege User") webserver = Server("Web Server") webserver.inBoundary = internet user_to_webserver = Dataflow(user, webserver, "HTTPS") db = Datastore("db") db.inBoundary = internet db_to_webserver = Dataflow(webserver, db, " ") adminuser = Actor(" admin ") admin_to_webserver = Dataflow(adminuser, db, "unsecure<br/>mysql<br/>connection") cdn = SetOfProcesses("CDN network") user_to_cdn = Dataflow(user, cdn, "HTTP") webserver_to_cdn = Dataflow(webserver, cdn, "Push to Bucket") tm.process()