Threat Modeling Tool Extension for Penetration Tester (TMTe4PT)
The extension adds the calculation of the Common Vulnerability Scoring System (CVSS) v2 score for each threat generated by the TMT, as well as the option of bulk modifications. By filtering and sorting the tabular data, a penetration tester can find the threats that match given criteria, which helps in prioritizing test activities (e.g., a tester wants to find the threats with the highest CVSS score that have Ethernet as Interaction and a Local (L) Access Vector).
- Adding CVSS calculation to threats generated by the Microsoft TMT 2016
- Import of the save (.tm7) and report (.htm) file of the TMT
- Filtering the threats with a simple query logic
- Bulk modification of threats
- Export of the data and/or query in json format
- For more information about the background and methodology see the blog post Threat Modeling with TMTe4PT
```bash
# install dependencies
npm install

# serve with hot reload at localhost:8080
npm run dev

# build for production with minification
npm run build

# build static HTML file in the dist folder
npm run static
```
There's a pre-built Docker image for this project. Please refer to the docker folder for more information.
For easy usage, a static HTML file can be built and opened in any modern browser without a web server or any other files; all JS and CSS code is bundled inside the HTML file. This index.html file (in the dist folder) is generated with npm run static. A version from December 2018 can be found in 'tmte4pt/testFiles/TMTe4PT.html' for quick testing.
Otherwise, the usual tools can be used. For example, launch the application with npm run dev, or build it with npm run build and serve the files from the dist folder with a web server (e.g. python -m SimpleHTTPServer in the dist folder; on Python 3 the equivalent is python3 -m http.server). Note that both of these servers listen on all interfaces by default; for a local test, python3 -m http.server --bind 127.0.0.1 keeps the dist folder reachable only from the local machine.
After the application is started, the report file of the Microsoft Threat Modeling Tool (example file at tmte4pt/testFiles/ACC_Report.htm) and the save file (example file at tmte4pt/testFiles/ACC.tm7) can be loaded using the appropriate buttons.
This project was created with vue init webpack tmte4pt (vue-cli 2.9.6), which predefines the structure of a typical Node project: an index.html and a package.json file in the root folder, and the actual code in the src directory. The other files and folders are generated automatically by vue init and support development, e.g. the eslint rules.
The code in the src folder is separated according to the Vue guidelines. Everything used for rendering the view is bundled in a .vue file, which can be reused across the project. The JS logic and the definition classes of the components were separated from them, so they can be reused in another JS framework such as React. The definition classes only define types that import, store and convert data: simple ECMAScript 6 classes that contain only properties for the data and methods for importing or converting it.
All functional JS classes, which contain only logic (methods) and no properties, are kept separate from the definition classes. Their methods take either primitive data types or definition classes as arguments. Following the single responsibility principle (SRP), each distinct function has its own class.
TMTe4PT's root file is index.html, which references the compiled app.js. Execution starts in main.js, where the Vue VM is created with the root component App.vue. The App component references the Navbar and the router-view component, which contain the rest of the application. Additionally, the State is created. This special object stores the data shared between the components; it is created at startup and filled or modified while TMTe4PT runs. When the user saves the data to a .json file, the state is essentially dumped into that file; when the user imports data, the state is filled or overwritten.
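The following is an added example and not code from the TMTe4PT repository. It shows the split described above, a definition class that only holds data, a functional class that only holds logic, and a State that is dumped to and rebuilt from JSON, and uses it for two items from the feature list: the CVSS v2 score calculation and the query from the introduction (threats with Ethernet as Interaction and a Local Access Vector, highest score first). The class names, field names and the sample threats are assumptions made for the illustration; the metric weights and the base equation are those of the CVSS v2 specification.

```javascript
// Added example, not TMTe4PT's own code. Class names, field names and the
// sample threats below are assumptions; the weights and the base equation
// are those of the CVSS v2 specification.

// CVSS v2 base-metric weights.
const CVSS2_WEIGHTS = {
  AV: { L: 0.395, A: 0.646, N: 1.0 },
  AC: { H: 0.35, M: 0.61, L: 0.71 },
  Au: { M: 0.45, S: 0.56, N: 0.704 },
  C: { N: 0.0, P: 0.275, C: 0.660 },
  I: { N: 0.0, P: 0.275, C: 0.660 },
  A: { N: 0.0, P: 0.275, C: 0.660 },
};

// Definition class: properties only, no business logic.
class Threat {
  constructor({ id, title, interaction, vector, score = null }) {
    this.id = id;                   // threat id from the TMT report
    this.title = title;
    this.interaction = interaction; // e.g. "Ethernet" or "CAN"
    this.vector = vector;           // CVSS v2 base vector string
    this.score = score;             // CVSS v2 base score, set by the calculator
  }
}

// Functional class: methods only; arguments are primitives or definition classes.
class CvssV2Calculator {
  // Parse "AV:L/AC:H/Au:N/C:P/I:P/A:P" into { AV: "L", ... }.
  // Unknown or missing metrics throw instead of silently scoring 0.
  static parseVector(vector) {
    const metrics = {};
    for (const part of vector.split('/')) {
      const [name, value] = part.split(':');
      if (!(name in CVSS2_WEIGHTS) || !(value in CVSS2_WEIGHTS[name])) {
        throw new Error(`invalid CVSS v2 metric: ${part}`);
      }
      metrics[name] = value;
    }
    for (const name of Object.keys(CVSS2_WEIGHTS)) {
      if (!(name in metrics)) throw new Error(`missing CVSS v2 metric: ${name}`);
    }
    return metrics;
  }

  // CVSS v2 base equation, rounded to one decimal as the specification requires.
  static baseScore(vector) {
    const m = CvssV2Calculator.parseVector(vector);
    const w = CVSS2_WEIGHTS;
    const impact = 10.41 * (1 - (1 - w.C[m.C]) * (1 - w.I[m.I]) * (1 - w.A[m.A]));
    const exploitability = 20 * w.AV[m.AV] * w.AC[m.AC] * w.Au[m.Au];
    const fImpact = impact === 0 ? 0 : 1.176;
    return Math.round((0.6 * impact + 0.4 * exploitability - 1.5) * fImpact * 10) / 10;
  }

  static score(threat) {
    threat.score = CvssV2Calculator.baseScore(threat.vector);
    return threat;
  }
}

// Shared State: filled while the app runs, dumped to JSON on export, rebuilt on import.
class State {
  constructor() { this.threats = []; }
  add(threat) { this.threats.push(CvssV2Calculator.score(threat)); return this; }
  dump() { return JSON.stringify({ threats: this.threats }); }
  static load(text) {
    const state = new State();
    for (const obj of JSON.parse(text).threats) state.add(new Threat(obj));
    return state;
  }
  // The query from the feature description: given Interaction and Access Vector,
  // highest score first.
  query({ interaction, accessVector }) {
    return this.threats
      .filter(t => t.interaction === interaction
                && CvssV2Calculator.parseVector(t.vector).AV === accessVector)
      .sort((a, b) => b.score - a.score);
  }
}

// Constructed sample threats (not taken from a real TMT report).
function sampleState() {
  return new State()
    .add(new Threat({ id: 1, title: 'Spoofing of ECU over Ethernet', interaction: 'Ethernet', vector: 'AV:N/AC:L/Au:N/C:C/I:C/A:C' }))
    .add(new Threat({ id: 2, title: 'Tampering with diagnostic session', interaction: 'Ethernet', vector: 'AV:L/AC:H/Au:N/C:P/I:P/A:P' }))
    .add(new Threat({ id: 3, title: 'Elevation via local debug port', interaction: 'Ethernet', vector: 'AV:L/AC:L/Au:N/C:C/I:C/A:C' }))
    .add(new Threat({ id: 4, title: 'Information disclosure on CAN', interaction: 'CAN', vector: 'AV:L/AC:L/Au:N/C:P/I:N/A:N' }));
}

// Export, re-import (as the JSON buttons would) and run the query on the restored state.
function demo() {
  const restored = State.load(sampleState().dump());
  return restored.query({ interaction: 'Ethernet', accessVector: 'L' }).map(t => [t.id, t.score]);
}
```

Because the calculator throws on an unknown or missing metric, a threat whose vector was mangled during import fails loudly at scoring time rather than silently receiving a score of 0 and sinking to the bottom of a prioritized list.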
Implementing new Features
To add a new feature, follow these steps:
- Add the component to the components folder as a .vue file, define a name and write the code.
- Put the JS code into the classes folder (or move it there), separating the logic from the data part.
- If the component should be an extra page/tab, create a route in the router.js file. If needed, add an entry to Navbar.vue.
- If stuck or help is needed, read the Bootstrap-Vue documentation for the UI.
The tool was developed by Michael Wolf as part of the Master Thesis "Combining Safety and Security Threat Modeling to Improve Automotive Penetration Testing". The work was sponsored by the BMBF project SecForCARs and created at SCHUTZWERK GmbH (supervisor Dr. Bastian Könings) in cooperation with the Institute of Distributed Systems at Ulm University (referee: Prof. Dr. Frank Kargl, supervisor Dr. Rens van der Heijden), and the Institute of Energy Efficient Mobility at University of Applied Sciences Karlsruhe (co-referee: Prof. Dr. Reiner Kriesten, supervisor Jürgen Dürrwang and Florian Sommer).
This project is licensed under the GPLv3.