Example of threat modeling for Ceph RBD

Example of threat modeling for Ceph RBD

The example presents a threat modeling process for Ceph RBD. You can use the Microsoft Threat Modeling Tool to draw a data flow diagram (DFD) and run threat modeling using the STRIDE threat model described in this document.

../../_images/image12.png

After modeling is completed, the tool suggests a list of potential threats to be mitigated. The tool distributes the discovered threats between interactions. Therefore, the report suggests the list of threats by categories connected to a particular interaction (data flow) on the diagram. Below you can find modeling information by the Microsoft Threat Modeling Tool for each interaction.

An example of threat modeling for the Monitor Data Flow interaction:

../../_images/image13.png
  1. Spoofing of Destination Data Store Generic Data Store [State: Not Started] [Priority: High]

    Category:

    Spoofing

    Description:

    Ceph Monitor (controller) may be spoofed by an attacker and this may lead to data being written to the attacker’s target instead of Ceph Monitor (controller). Consider using a standard authentication mechanism to identify the destination data store.

    Justification:

    <no mitigation provided>

  2. Data Store Inaccessible [State: Not Started] [Priority: High]

    Category:

    Denial Of Service

    Description:

    An external agent prevents access to a data store on the other side of the trust boundary.

    Justification:

    <no mitigation provided>

  3. Data Flow Generic Data Flow Is Potentially Interrupted [State: Not Started] [Priority: High]

    Category:

    Denial Of Service

    Description:

    An external agent interrupts data flowing across a trust boundary in either direction.

    Justification:

    <no mitigation provided>

  4. Potential Excessive Resource Consumption for OS Process or Generic Data Store [State: Not Started] [Priority: High]

    Category:

    Denial Of Service

    Description:

    Does Qemu Process or Ceph Monitor (controller) take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don’t deadlock, and that they do timeout.

    Justification:

    <no mitigation provided>

  5. Data Flow Sniffing [State: Not Started] [Priority: High]

    Category:

    Information Disclosure

    Description:

    Data flowing across Monitor Data Flow may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow.

    Justification:

    <no mitigation provided>

  6. Data Store Denies Generic Data Store Potentially Writing Data [State: Not Started] [Priority: High]

    Category:

    Repudiation

    Description:https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx

    Ceph Monitor (controller) claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.

    Justification:

    <no mitigation provided>

  7. The Generic Data Store Data Store Could Be Corrupted [State: Not Started] [Priority: High]

    Category:

    Tampering

    Description:

    Data flowing across Monitor Data Flow may be tampered with by an attacker. This may lead to corruption of Ceph Monitor (controller). Ensure the integrity of the data flow to the data store.

    Justification:

    <no mitigation provided>

  8. Authenticated Data Flow Compromised [State: Not Started] [Priority: High]

    Category:

    Tampering

    Description:

    An attacker can read or modify data transmitted over an authenticated dataflow.

    Justification:

    <no mitigation provided>