# Chapter 11: Threat Modeling

## 🎯 Learning Objectives
- Adopt an adversarial mindset for security analysis
- Apply systematic threat modeling approaches
- Master the STRIDE methodology
- Identify attack vectors through abstraction layers

In [1]:
# Setup for Chapter 11 threat modeling examples
import sys
import platform
from datetime import datetime
from enum import Enum

print("Chapter 11: Threat Modeling")
print("=" * 30)
print(f"Platform: {platform.system()}")
print(f"Python Version: {sys.version.split()[0]}")
print("Ready for adversarial thinking!")

Chapter 11: Threat Modeling
Platform: Windows
Python Version: 3.13.5
Ready for adversarial thinking!


## 1. Three Areas of Focus

The CourseGuide outlines three ways to approach threat modeling:
- **Assets**: Things to protect, things attackers want, stepping stones
- **Attackers**: Types and goals of potential adversaries  
- **Systems**: Components, interfaces, and trust boundaries

In [None]:
# Demonstrate different threat modeling approaches
print("1. THREAT MODELING APPROACHES")
print("-" * 35)

class ThreatModelingFocus(Enum):
    ASSETS = "assets"
    ATTACKERS = "attackers"
    SYSTEMS = "systems"

# Example: Web application threat model
web_app_threats = {
    ThreatModelingFocus.ASSETS: [
        "Customer personal data (high value)",
        "Payment information (attacker target)", 
        "Session tokens (stepping stone)",
        "Admin credentials (stepping stone)"
    ],
    ThreatModelingFocus.ATTACKERS: [
        "Script kiddies (automated attacks)",
        "Organized criminals (financial gain)",
        "Competitors (business intelligence)",
        "Disgruntled employees (insider threats)"
    ],
    ThreatModelingFocus.SYSTEMS: [
        "Web server ↔ Database (trust boundary)",
        "Client ↔ Web server (untrusted input)", 
        "Internal APIs (assumed trusted)",
        "Third-party services (external trust)"
    ]
}

for focus, threats in web_app_threats.items():
    print(f"\n🎯 {focus.value.upper()} Focus:")
    for threat in threats:
        print(f"   • {threat}")

print("\n💡 Choose focus based on project context and stakeholder concerns")

## 2. Peeling Back Layers (Abstraction Analysis)

**CourseGuide Concept**: "Dropping down a level" to see through metaphors to underlying implementation

In [None]:
# Demonstrate "peeling back layers" concept
print("2. PEELING BACK ABSTRACTION LAYERS")
print("-" * 40)

abstraction_layers = {
    "Developer View": "strcpy() copies a string",
    "Attacker View": "strcpy() copies bytes without bounds checking",
    "Attack Vector": "Buffer overflow via oversized input"
}

print("📝 Example: String Copy Function")
for level, description in abstraction_layers.items():
    print(f"   {level}: {description}")

# Demonstrate with actual code
print("\n🔍 Practical Example:")

def vulnerable_string_processor(user_input):
    """High-level: Process and display user string"""
    print(f"Processing: {user_input}")
    
    # Low-level reality: What actually happens
    print(f"  • Input length: {len(user_input)} characters")
    print(f"  • Memory usage: ~{len(user_input.encode('utf-8'))} bytes")
    print(f"  • Character encoding: {user_input.encode('utf-8')[:20]}...")
    
    # Attacker perspective: What could go wrong?
    if len(user_input) > 1000:
        print("  ⚠️  THREAT: Potential memory exhaustion")
    if '%' in user_input:
        print("  ⚠️  THREAT: Potential format string attack")
    if any(ord(c) > 127 for c in user_input):
        print("  ⚠️  THREAT: Potential encoding confusion")

# Test with different inputs
test_inputs = [
    "Hello World",
    "%x %x %x %s",  # Format string attack attempt
    "A" * 1500,      # Large input
    "Test\x00hidden" # Null byte injection
]

for test_input in test_inputs:
    print("\n" + "="*50)
    display_input = test_input[:50] + "..." if len(test_input) > 50 else test_input
    vulnerable_string_processor(display_input)

## 3. STRIDE Methodology

**CourseGuide**: Microsoft's STRIDE approach for systematic threat identification:
- **S**poofing, **T**ampering, **R**epudiation, **I**nformation Breach, **D**enial of Service, **E**levation of Privilege

In [None]:
# Implement STRIDE threat analysis
print("3. STRIDE THREAT ANALYSIS")
print("-" * 30)

class StrideCategory(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION = "Information Breach"
    DENIAL = "Denial of Service"
    ELEVATION = "Elevation of Privilege"

def stride_analysis(system_name, threats):
    """Perform STRIDE analysis on a system"""
    print(f"\n🎯 STRIDE Analysis: {system_name}")
    print("-" * (20 + len(system_name)))
    
    for category in StrideCategory:
        if category in threats:
            print(f"\n{category.value[0]} - {category.value}:")
            for threat in threats[category]:
                print(f"   • {threat}")
        else:
            print(f"\n{category.value[0]} - {category.value}: ✅ No significant threats")

# Example: Web login system STRIDE analysis
login_threats = {
    StrideCategory.SPOOFING: [
        "Credential stuffing attacks",
        "Phishing sites mimicking login page",
        "Session hijacking via stolen cookies"
    ],
    StrideCategory.TAMPERING: [
        "Password reset token manipulation",
        "SQL injection in login form",
        "Man-in-the-middle request modification"
    ],
    StrideCategory.REPUDIATION: [
        "Failed login attempts not logged",
        "Successful logins without audit trail"
    ],
    StrideCategory.INFORMATION: [
        "Username enumeration via response timing",
        "Password policy exposed in error messages",
        "User session data in URL parameters"
    ],
    StrideCategory.DENIAL: [
        "Account lockout after failed attempts",
        "Resource exhaustion via login flooding"
    ],
    StrideCategory.ELEVATION: [
        "Admin role assumed via parameter tampering",
        "Privilege escalation through role confusion"
    ]
}

stride_analysis("Web Login System", login_threats)

print("\n💡 STRIDE provides systematic coverage of threat categories")

## 4. Exercise 1: String Processing Analysis

**CourseGuide Exercise**: *A program "accepts strings from the user and prints them on the screen in triplicate". What attacks does dropping down a level suggest?*

In [None]:
# Exercise 1: String processing threat analysis
print("4. EXERCISE 1: STRING PROCESSING THREATS")
print("-" * 45)

# High-level description
print("📝 High-Level: 'Accept strings and print in triplicate'")

# Low-level reality
print("\n🔍 Low-Level Reality:")
low_level_operations = [
    "Reading bytes from input stream until delimiter",
    "Allocating memory buffer for string storage", 
    "Copying bytes into memory structure",
    "Writing bytes to output stream three times",
    "Managing memory allocation/deallocation"
]

for i, operation in enumerate(low_level_operations, 1):
    print(f"   {i}. {operation}")

# Attack vectors revealed
print("\n⚠️  Attack Vectors Revealed:")
attack_vectors = {
    "Buffer Overflow": "Input longer than allocated buffer size",
    "Format String Attack": "User input used directly in printf-style function",
    "Memory Exhaustion": "Extremely long inputs or many concurrent requests",
    "Encoding Attacks": "Unicode, multi-byte, or character set confusion",
    "Injection Attacks": "Embedded control characters or escape sequences"
}

for attack, description in attack_vectors.items():
    print(f"   • {attack}: {description}")

# Demonstrate vulnerable vs secure implementation
print("\n🛡️ Secure Implementation Considerations:")
secure_practices = [
    "Input length validation before processing",
    "Safe string handling functions (bounds checking)",
    "Output encoding to prevent injection",
    "Resource limits (memory, CPU time)",
    "Input sanitization and validation"
]

for practice in secure_practices:
    print(f"   ✅ {practice}")

print("\n💡 Abstraction hiding reveals new attack surfaces")

## 5. Exercise 2: Poker Site Threat Model

**CourseGuide Exercise**: *An online poker-playing site - what threats can be brainstormed against it?*

In [None]:
# Exercise 2: Online poker site threat analysis
print("5. EXERCISE 2: POKER SITE THREAT MODEL")
print("-" * 40)

# Apply STRIDE to poker site
poker_threats = {
    StrideCategory.SPOOFING: [
        "Players creating multiple accounts (multi-accounting)",
        "Bots impersonating human players", 
        "Account takeover via credential theft",
        "Fake payment methods for deposits"
    ],
    StrideCategory.TAMPERING: [
        "Card deck manipulation or prediction",
        "Bet amount modification during transmission",
        "Game state tampering (stack sizes, positions)",
        "Random number generator compromise"
    ],
    StrideCategory.REPUDIATION: [
        "Players denying they made specific bets",
        "Disputes over tournament results",
        "Claims of system malfunction during losses"
    ],
    StrideCategory.INFORMATION: [
        "Hole card information leaked to other players",
        "Player statistics and betting patterns exposed",
        "Financial information disclosure",
        "Real-time game state leaked to observers"
    ],
    StrideCategory.DENIAL: [
        "DDoS attacks during major tournaments",
        "Selective connection drops to avoid losses", 
        "Server overload during peak hours",
        "Payment system disruption"
    ],
    StrideCategory.ELEVATION: [
        "Regular player gaining admin privileges",
        "Tournament director accessing restricted functions",
        "Customer service rep modifying player balances"
    ]
}

stride_analysis("Online Poker Site", poker_threats)

# Additional poker-specific concerns
print("\n🃏 Poker-Specific Security Concerns:")
poker_specific = [
    "Collusion between players (hard to detect)",
    "Real-time assistance tools (HUDs, solvers)",
    "Angle shooting and rule exploitation",
    "Money laundering through chip transfers",
    "Regulatory compliance (different jurisdictions)"
]

for concern in poker_specific:
    print(f"   • {concern}")

print("\n💡 High-stakes environment increases attacker motivation")

## 6. Threat Modeling Process Summary

Key takeaways from threat modeling methodology

In [None]:
# Chapter 11 Summary
print("6. THREAT MODELING PROCESS SUMMARY")
print("-" * 40)

threat_modeling_steps = {
    "1. Choose Focus": [
        "Assets (what to protect)",
        "Attackers (who and why)", 
        "Systems (components and boundaries)"
    ],
    "2. Peel Back Layers": [
        "Look beyond high-level descriptions",
        "Understand underlying implementations",
        "Think like an attacker"
    ],
    "3. Apply STRIDE": [
        "Systematic threat category coverage",
        "Structured analysis approach",
        "Comprehensive threat identification"
    ],
    "4. Document & Mitigate": [
        "Record identified threats",
        "Prioritize by risk level",
        "Implement appropriate controls"
    ]
}

for step, details in threat_modeling_steps.items():
    print(f"\n🎯 {step}:")
    for detail in details:
        print(f"   • {detail}")

# Key mindset shifts
print("\n🧠 Essential Mindset Shifts:")
mindset_shifts = [
    "From 'happy path' to 'unhappy paths'",
    "From 'functional' to 'adversarial' thinking", 
    "From 'intended use' to 'abuse cases'",
    "From 'features' to 'attack surface'"
]

for shift in mindset_shifts:
    print(f"   🔄 {shift}")

print("\n💡 Threat modeling is structured paranoia - it helps you think like an attacker")
print("✅ Chapter 11 Complete - Ready for Chapter 12!")