STRIDE and DREAD

Background

STRIDE and DREAD are the most commonly used, and most practical, security threat models.

STRIDE is mainly used to classify security risks by threat type.
DREAD is mainly used to rate the severity of each security risk.

STRIDE

The name is an acronym formed from the first letter of each of its six threat categories, listed in the table below together with the security control that counters each one.


| Type | Examples | Security control |
|---|---|---|
| Spoofing | Threat action aimed to illegally access and use another user's credentials, such as username and password. | Authentication |
| Tampering | Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. | Integrity |
| Repudiation | Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations. | Non-repudiation |
| Information disclosure | Threat action to read a file that one was not granted access to, or to read data in transit. | Confidentiality |
| Denial of service | Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. | Availability |
| Elevation of privilege | Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system. | Authorization |

DREAD

Like STRIDE above, the name is an acronym,
and the core idea is easy to grasp.
It consists of five rating factors:

  • Damage
  • Reproducibility
  • Exploitability
  • Affected Users
  • Discoverability

Each factor is defined as a question asked about the threat:

For Damage: How big would the damage be if the attack succeeded?
For Reproducibility: How easy is it to reproduce the attack?
For Exploitability: How much time, effort, and expertise is needed to exploit the threat?
For Affected Users: If a threat were exploited, what percentage of users would be affected?
For Discoverability: How easy is it for an attacker to discover this threat?

By referring to the college library website, it is possible to document sample threats related to the use cases, such as:

Threat: for example, a malicious user views confidential information of students, faculty members and librarians.
Risk: a malicious user is able to see the confidential information of ordinary users.

Here is how the score is calculated (worked example):

Damage potential: Threat to reputation as well as financial and legal liability: 8
Reproducibility: Fully reproducible: 10
Exploitability: Requires being on the same subnet or having compromised a router: 7
Affected users: Affects all users: 10
Discoverability: Can be found out easily: 10
Overall DREAD score: (8 + 10 + 7 + 10 + 10) / 5 = 9

In this case, scoring 9 on a 10-point scale certainly makes this a high-risk threat.
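The following is an added example, not code from the original post, showing how the STRIDE classification from the table and the DREAD rating above fit together in a small threat register: each threat carries its STRIDE category (which yields the counter-measure from the table), its five DREAD ratings are range-checked, the overall score is the arithmetic mean exactly as in the worked example, and the register is ranked so the highest score is handled first. The 0..10 rating range and the High/Medium/Low band thresholds are assumptions made for this example (the page only states that 9 out of 10 is high risk); the two extra library threats are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    """STRIDE threat category -> the security control that counters it (per the table above)."""
    SPOOFING = "Authentication"
    TAMPERING = "Integrity"
    REPUDIATION = "Non-repudiation"
    INFORMATION_DISCLOSURE = "Confidentiality"
    DENIAL_OF_SERVICE = "Availability"
    ELEVATION_OF_PRIVILEGE = "Authorization"


# The five DREAD factors. Each is rated 0..10 (assumed range; the page's example uses 7..10).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    category: Stride
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo (e.g. 100) cannot inflate the score.
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{factor} must be an integer in 0..10, got {value!r}")

    def dread_score(self) -> float:
        """Overall DREAD score: mean of the five factors, e.g. (8+10+7+10+10)/5 = 9."""
        return sum(getattr(self, f) for f in DREAD_FACTORS) / len(DREAD_FACTORS)

    def control(self) -> str:
        """The security control that STRIDE maps to this threat's category."""
        return self.category.value


def risk_band(score: float) -> str:
    """Map a DREAD score to a band. Thresholds are an assumption for this example;
    the page only states that 9 on a 10-point scale is high risk."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Order a threat register by DREAD score, highest (fix first) at the top."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def report(threats):
    """One row per threat, ranked: (name, STRIDE category, control, score, band)."""
    return [(t.name, t.category.name, t.control(), t.dread_score(),
             risk_band(t.dread_score()))
            for t in rank_threats(threats)]


# Constructed sample register for the college library site. The first entry reproduces
# the page's worked example; the other two are made up to show ranking.
LIBRARY_DISCLOSURE = Threat(
    "Malicious user views confidential student, faculty and librarian records",
    Stride.INFORMATION_DISCLOSURE,
    damage=8, reproducibility=10, exploitability=7, affected_users=10, discoverability=10)

LOAN_TAMPERING = Threat(
    "Patron alters their own loan records while in transit to the server",
    Stride.TAMPERING,
    damage=6, reproducibility=6, exploitability=5, affected_users=4, discoverability=5)

FINE_REPUDIATION = Threat(
    "Librarian denies having waived a fine; no audit log records the action",
    Stride.REPUDIATION,
    damage=3, reproducibility=2, exploitability=3, affected_users=2, discoverability=4)

REGISTER = (LOAN_TAMPERING, FINE_REPUDIATION, LIBRARY_DISCLOSURE)

if __name__ == "__main__":
    for name, category, control, score, band in report(REGISTER):
        print(f"{score:4.1f} {band:6} {category:22} -> {control:16} {name}")
```

Running the block prints the register with the information-disclosure threat at 9.0 (High) first, the tampering threat at 5.2 (Medium), and the repudiation threat at 2.8 (Low); the control column tells the team which class of mitigation (Confidentiality, Integrity, Non-repudiation) to reach for in each case.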
