Pytm：一款Python风格的威胁建模框架！

 

Pytm是一款Python风格的威胁建模框架，它可以帮助我们以Python语言风格的形式并使用pytm框架中的元素和属性来定义你的系统。根据我们的定义参数，pytm可以针对你的系统生成数据流图（DFD）、序列图以及威胁模型。

工具要求
  

1. Linux/MacOS

2.  

3. Python 3.x

4.  

5. Graphviz package

6.  

7. Java (OpenJDK 10 or 11)

8.  

9. plantuml.jar

 

工具下载

广大研究人员可以使用下列命令将该项目源码克隆至本地：
 

1. git clone https://github.com/izar/pytm.git

 

工具使用
 

1. tm.py [-h] [--debug] [--dfd] [--report REPORT] [--exclude EXCLUDE] [--seq] [--list] [--describe DESCRIBE]

2.  

3.  

4.  

5. optional arguments:

6.  

7.   -h, --help           show this help message and exit

8.  

9.   --debug              print debug messages

10.  

11.   --dfd                output DFD (default)

12.  

13.   --report REPORT      output report using the named template file (sample template file is under docs/template.md)

14.  

15.   --exclude EXCLUDE    specify threat IDs to be ignored

16.  

17.   --seq                output sequential diagram

18.  

19.   --list               list all available threats

20.  

21.   --describe DESCRIBE  describe the properties available for a given element

 

当前该工具可用的元素包括：TM、服务器、外部实体、数据存储、Actor、进程、进程集、数据边界和Lambda。

除此之外，我们也可以使用命令“–describe”来查看每一个元素的可用属性：

1. (pytm) ?  pytm git:(master) ? ./tm.py --describe Element

2.  

3. Element

4.  

5.         OS

6.  

7.         check

8.  

9.         definesConnectionTimeout

10.  

11.         description

12.  

13.         dfd

14.  

15.         handlesResources

16.  

17.         implementsAuthenticationScheme

18.  

19.         implementsNonce

20.  

21.         inBoundary

22.  

23.         inScope

24.  

25.         isAdmin

26.  

27.         isHardened

28.  

29.         name

30.  

31.         onAWS

 

如果你是安全从业人员的话，你也可以向“threatlib/threats.json”文件中添加新的威胁属性：

1. {

2.  

3.    "SID":"INP01",

4.  

5.    "target": ["Lambda","Process"],

6.  

7.    "description": "Buffer Overflow via Environment Variables",

8.  

9.    "details": "This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.",

10.  

11.    "Likelihood Of Attack": "High",

12.  

13.    "severity": "High",

14.  

15.    "condition": "target.usesEnvironmentVariables is True and target.sanitizesInput is False and target.checksInputBounds is False",

16.  

17.    "prerequisites": "The application uses environment variables.An environment variable exposed to the user is vulnerable to a buffer overflow.The vulnerable environment variable uses untrusted data.Tainted data used in the environment variables is not properly validated. For instance boundary checking is not done before copying the input data to a buffer.",

18.  

19.    "mitigations": "Do not expose environment variable to the user.Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking. There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.",

20.  

21.    "example": "Attack Example: Buffer Overflow in $HOME A buffer overflow in sccw allows local users to gain root access via the $HOME environmental variable. Attack Example: Buffer Overflow in TERM A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.",

22.  

23.    "references": "https://capec.mitre.org/data/definitions/10.html, CVE-1999-0906, CVE-1999-0046, http://cwe.mitre.org/data/definitions/120.html, http://cwe.mitre.org/data/definitions/119.html, http://cwe.mitre.org/data/definitions/680.html"

24.  

25. }

注意事项

“threats.json”文件中包含的字符串可以通过eval()函数来运行，它可以确保文件拥有正确的权限并确保代码能够正确执行。

下面的样本是tm.py文件，它描述了一个简单的应用程序，其中一名用户“User”登录进了应用程序，然后在App上发布了评论。App服务器将这些评论存储进了数据库，服务器中有一个AWS Lambda会定期清理数据库。

1. #!/usr/bin/env python3

2.  

3.  

4.  

5. from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor, Lambda

6.  

7.  

8.  

9. tm = TM("my test tm")

10.  

11. tm.description = "another test tm"

12.  

13.  

14.  

15. User_Web = Boundary("User/Web")

16.  

17. Web_DB = Boundary("Web/DB")

18.  

19.  

20.  

21. user = Actor("User")

22.  

23. user.inBoundary = User_Web

24.  

25.  

26.  

27. web = Server("Web Server")

28.  

29. web.OS = "CloudOS"

30.  

31. web.isHardened = True

32.  

33.  

34.  

35. db = Datastore("SQL Database (*)")

36.  

37. db.OS = "CentOS"

38.  

39. db.isHardened = False

40.  

41. db.inBoundary = Web_DB

42.  

43. db.isSql = True

44.  

45. db.inScope = False

46.  

47.  

48.  

49. my_lambda = Lambda("cleanDBevery6hours")

50.  

51. my_lambda.hasAccessControl = True

52.  

53. my_lambda.inBoundary = Web_DB

54.  

55.  

56.  

57. my_lambda_to_db = Dataflow(my_lambda, db, "(λ)Periodically cleans DB")

58.  

59. my_lambda_to_db.protocol = "SQL"

60.  

61. my_lambda_to_db.dstPort = 3306

62.  

63.  

64.  

65. user_to_web = Dataflow(user, web, "User enters comments (*)")

66.  

67. user_to_web.protocol = "HTTP"

68.  

69. user_to_web.dstPort = 80

70.  

71. user_to_web.data = 'Comments in HTML or Markdown'

72.  

73. user_to_web.order = 1

74.  

75.  

76.  

77. web_to_user = Dataflow(web, user, "Comments saved (*)")

78.  

79. web_to_user.protocol = "HTTP"

80.  

81. web_to_user.data = 'Ack of saving or error message, in JSON'

82.  

83. web_to_user.order = 2

84.  

85.  

86.  

87. web_to_db = Dataflow(web, db, "Insert query with comments")

88.  

89. web_to_db.protocol = "MySQL"

90.  

91. web_to_db.dstPort = 3306

92.  

93. web_to_db.data = 'MySQL insert statement, all literals'

94.  

95. web_to_db.order = 3

96.  

97.  

98.  

99. db_to_web = Dataflow(db, web, "Comments contents")

100.  

101. db_to_web.protocol = "MySQL"

102.  

103. db_to_web.data = 'Results of insert op'

104.  

105. db_to_web.order = 4

106.  

107.  

108.  

109. tm.process()

图表将以Dot或PlantUML的形式输出。

如果在运行tm.py文件时使用了“--dfd”参数，那么它将会向stdout生成输出文件：

1. tm.py --dfd | dot -Tpng -o sample.png

 

生成的图表如下：
 


下列命令可以生成一份序列图：

1. tm.py --seq | java -Djava.awt.headless=true -jar plantuml.jar -tpng -pipe > seq.png

 

 


生成的图表和数据可以引入到模板文件中来创建最终的报告：
 

1. tm.py --report docs/template.md | pandoc -f markdown -t html > report.html

用于生成报告的模板格式如下：

1. # Threat Model Sample

2.  

3. ***

4.  

5.  

6.  

7. ## System Description

8.  

9.  

10.  

11. {tm.description}

12.  

13.  

14.  

15. ## Dataflow Diagram

16.  

17.  

18.  

19. 

20.  

21.  

22.  

23. ## Dataflows

24.  

25.  

26.  

27. Name|From|To |Data|Protocol|Port

28.  

29. ----|----|---|----|--------|----

30.  

31. {dataflows:repeat:{{item.name}}|{{item.source.name}}|{{item.sink.name}}|{{item.data}}|{{item.protocol}}|{{item.dstPort}}

32.  

33. }

34.  

35.  

36.  

37. ## Findings

38.  

39.  

40.  

41. {findings:repeat:* {{item.description}} on element "{{item.target}}"

42.  

43. }

 

当前支持的威胁如下：

 

1. INP01 - Buffer Overflow via Environment Variables

2.  

3. INP02 - Overflow Buffers

4.  

5. INP03 - Server Side Include (SSI) Injection

6.  

7. CR01 - Session Sidejacking

8.  

9. INP04 - HTTP Request Splitting

10.  

11. CR02 - Cross Site Tracing

12.  

13. INP05 - Command Line Execution through SQL Injection

14.  

15. INP06 - SQL Injection through SOAP Parameter Tampering

16.  

17. SC01 - JSON Hijacking (aka JavaScript Hijacking)

18.  

19. LB01 - API Manipulation

20.  

21. AA01 - Authentication Abuse/ByPass

22.  

23. DS01 - Excavation

24.  

25. DE01 - Interception

26.  

27. DE02 - Double Encoding

28.  

29. API01 - Exploit Test APIs

30.  

31. AC01 - Privilege Abuse

32.  

33. INP07 - Buffer Manipulation

34.  

35. AC02 - Shared Data Manipulation

36.  

37. DO01 - Flooding

38.  

39. HA01 - Path Traversal

40.  

41. AC03 - Subverting Environment Variable Values

42.  

43. DO02 - Excessive Allocation

44.  

45. DS02 - Try All Common Switches

46.  

47. INP08 - Format String Injection

48.  

49. INP09 - LDAP Injection

50.  

51. INP10 - Parameter Injection

52.  

53. INP11 - Relative Path Traversal

54.  

55. INP12 - Client-side Injection-induced Buffer Overflow

56.  

57. AC04 - XML Schema Poisoning

58.  

59. DO03 - XML Ping of the Death

60.  

61. AC05 - Content Spoofing

62.  

63. INP13 - Command Delimiters

64.  

65. INP14 - Input Data Manipulation

66.  

67. DE03 - Sniffing Attacks

68.  

69. CR03 - Dictionary-based Password Attack

70.  

71. API02 - Exploit Script-Based APIs

72.  

73. HA02 - White Box Reverse Engineering

74.  

75. DS03 - Footprinting

76.  

77. AC06 - Using Malicious Files

78.  

79. HA03 - Web Application Fingerprinting

80.  

81. SC02 - XSS Targeting Non-Script Elements

82.  

83. AC07 - Exploiting Incorrectly Configured Access Control Security Levels

84.  

85. INP15 - IMAP/SMTP Command Injection

86.  

87. HA04 - Reverse Engineering

88.  

89. SC03 - Embedding Scripts within Scripts

90.  

91. INP16 - PHP Remote File Inclusion

92.  

93. AA02 - Principal Spoof

94.  

95. CR04 - Session Credential Falsification through Forging

96.  

97. DO04 - XML Entity Expansion

98.  

99. DS04 - XSS Targeting Error Pages

100.  

101. SC04 - XSS Using Alternate Syntax

102.  

103. CR05 - Encryption Brute Forcing

104.  

105. AC08 - Manipulate Registry Information

106.  

107. DS05 - Lifting Sensitive Data Embedded in Cache

 

项目地址

Pytm：

【GitHub传送门】